Business Consultancy Services Ltd

 

 

Rt Hon Dr John Reid MP                                               Your ref. T4450/7

Home Secretary

Home Office

2 Marsham Street
London SW1P 4DF
                                                                                 8 March 2007

Dear Home Secretary

The need to deliver (2001 election) and the need to listen (2005)

This document provides evidence for the belief that the Identity and Passport Service (IPS) are out of control. It calls on you, once again, to grill them to see if they have any good reason to believe that they can deliver the promises made for the National Identity Scheme (NIS). If not, then there would be great benefits to taxpayers in the UK and overseas and great benefits to you if, like TSR2 in 1965, you cancel the project.


 

I refer to my open letter[1] to you dated 28 January 2007 and the response dated 12 February 2007 received from IPS, ref. T4450/7. As with all of the responses received from them, this one fails to address the matters raised in my letter.

In particular, the unnamed[2] writer of T4450/7 says: "A considerable portion of your letter and the points you put forward rest on your assertion that biometrics are inherently unreliable". I do not make this assertion in my letter or anywhere else.

In my eight letters to you – this is the ninth – and in the dematerialised ID proposal I sent you on 24 May 2006 and on my website, http://DematerialisedID.com, I have always been careful to make my position on biometrics clear:

·        DNA and traditional fingerprints work.

·        These are not, however, the biometrics being considered by IPS[3]. IPS are considering or have considered three quite different biometrics[4] – facial geometry, irisprints and fingercopies. "Fingercopies" is my name for the new-style fingerprints, which are arguably nothing more than glorified photocopies of people's fingers.

·        These three biometrics are currently too unreliable to make it worth spending billions of pounds on the NIS.

·        If they become more reliable, then they could usefully be incorporated into dematerialised ID[5].

The case against the current design of the NIS has been made by thousands of people, including me. I have not stopped there, though. I have spent four years[6] working on a well-argued alternative design, dematerialised ID, which I commend to you:

·        The objectives of dematerialised ID are to assist with crime prevention, crime detection and counter-terrorism.

·        In order to achieve those objectives, dematerialised ID is based on mobile phones[7] and not smart cards[8]. Compared with mobile phones, smart cards are old-fashioned, under-powered, pedestrian and of little use to the police in locating suspects and gathering evidence.

·        Biometrics[9] should only be incorporated into dematerialised ID if they are reliable. With reliable biometrics, crimes like illegal working could be prevented with all the simplicity of a stock control system. But that is just wishful thinking in light of the poor reliability demonstrated so far by IPS's chosen biometrics.

·        The rôle of the public key infrastructure[10] (PKI) must be properly understood. IPS repeatedly confuse identification, which is what biometrics are meant to provide, with security, which is what PKI offers.

·        There is no need to build a new National Identity Register[11] (NIR). We already have scores of them, in the public sector and elsewhere.

The evidence in favour of dematerialised ID comprises over 1,200 references to source material, with more being added all the time.

Contrast that with the current NIS. The House of Commons Science and Technology Committee's July 2006 report[12] on Identity Card Technologies: Scientific Advice, Risk and Evidence says:

Para.

Select Committee report

BCSL comment

15

… there are many different types of biometric technology: facial, fingerprint, iris, signature, voice, hand geometry, vascular patterns, retina, DNA, ear recognition, keystroke and gait … it is envisaged that different biometrics would be used for different scenarios. Katherine Courtney, the Executive Director of Business Development and External Affairs at IPS, explained in oral evidence that “In different business applications, a different biometric might be more appropriate than others. You see, for instance, iris being used quite successfully where you have a high volume of people passing through a system, such as the expedited gate clearing at the airports”.

Irisprints have now been dropped from the NIS[13], at least for the time being. Presumably, high volumes of people can now look forward to slow gate clearing at airports.

18

There are no mutually-accepted standards for testing biometric technology and industry claims about performance vary widely ... The Home Office has stated that it expects the following performance levels to be sufficient for its requirements in the identity cards scheme:

Face – failure to acquire rate close to zero, a false accept rate of 1%.

Fingerprint – failure to acquire rate of 0.5-1%, false match rate of 1.3e-10, false nonmatch rate of 0.01.

Iris – failure to acquire rate of 0.5%, false non-match rate of 5% false match rate of 5e- 12.

IPS exclude the false non-match rate from their criteria for biometrics based on facial geometry. In the UKPS biometrics enrolment trial[14], based on facial geometry, 31% of able-bodied participants were told that they were not themselves and that figure rose to 52% for disabled participants.

Far from being 1%, the false non-match rate for fingercopies in the trial was 19% for the able-bodied and 20% for the disabled.

Far from being 0.5%, the failure to acquire rate for irisprints was 10% for the able-bodied and 39% for the disabled.

81

We also note an apparent discrepancy between the advice offered to us during our visit to the United States in March 2006 and the advice subsequently provided to the identity cards programme team. On 6 March 2006, we met informally a group of senior policy advisers from the Department of Homeland Security to discuss the identity cards programme. When questioned about the maturity of biometric technologies, the advisers agreed that currently the technology was probably not as reliable or as accurate as it might need to be for a national identity card scheme. We put these views to Katherine Courtney during an oral evidence session and she declined to comment on what we had been told. The Home Office subsequently wrote saying that during a visit to the US in April 2004, officials put these views to senior advisers responsible for the operation, development and management of the US-Visit programme who rebutted them strongly. Our visit to the US illustrated to us the ground-breaking nature of the UK scheme. In order to build public confidence in the technologies involved, we recommend that the Home Office publishes an overview of the scientific advice and evidence that it receives as a result of international co-operation.

How did senior advisors in April 2004 rebut senior policy advisors' views expressed two years later in March 2006?

The 2006 advisors had two years more experience of US-VISIT than the 2004 advisors, who could only have had a few months' experience – US-VISIT began on 5 January 2004.

As far as I know, IPS have still not published an overview of the scientific advice and evidence that they receive as a result of international co-operation.

What do they do with their time?

Things move slowly in the world of biometrics and we may have to make do with Katherine Courtney's[15] no comment for some time to come. 284 days ago, on 28 May 2006, I published a paper[16] on the European Biometrics Portal – Is the biometrics emperor wearing any clothes? – and I am still waiting for an answer.

The public may well remain confident that the biometrics chosen are reliable. I do not.

Neither do the courts. Unlike traditional fingerprints, fingercopies are not admissible[17] as evidence in court.

Biometrics do not become reliable because people are confident about them. Nor because lots of people use them. And certainly not because IPS just hope they will.

88

... The Home Office has repeatedly asserted that this trial was not an assessment of the technological capabilities of biometrics. The report noted that “testing of the biometric technology itself was not one of the objectives of the Trial, rather the Trial aimed to test and measure the processes around recording and verification of biometrics”. As will be discussed in the chapter on public engagement, the status of the trial caused confusion and there were numerous press reports detailing the apparent problems with the technology (see paragraph 138). This confusion has perhaps been exacerbated by the Home Office’s treatment of the results from the trial and their inconsistent use of it as evidence. When questioned in an oral evidence session about the false non-match rates that resulted from the Atos Origin trial, Katherine Courtney said that “I think it is important to reiterate that the enrolment trial was a trial of process and customer experience. It was not designed as a trial to look at performance of the technology per se”. However, the results of the trial have been used to provide information about technology performance. On 29 June 2005, despite noting that the Atos Origin trial was not intended as a test of technology, the then Parliamentary Under-Secretary for Immigration, Citizenship and Nationality, Andy Burnham used statistics from the trial in order to answer a question relating to the failure to acquire rate of the technology. There is evidence that whilst trial plans were set out clearly the processes with which they were enacted lacked rigor. As a result, the Home Office has selectively used evidence from the biometrics enrolment trial to support its assertions. We believe that the Home Office has been inconsistent regarding the status of this trial and this has caused confusion in relation to the significance of the evidence gathered about biometric technologies. We recommend that the Home Office clarifies whether or not it accepts the validity of the results gained during the trial regarding the performance of biometric technologies.

The trial referred to by the Committee is the biometrics enrolment trial[18] conducted on behalf of UKPS by Atos Origin.

As noted above, the results were far below the acceptance levels set by IPS themselves. The reliability demonstrated by the chosen biometrics was so poor that there is no point proceeding with the NIS as currently designed if that's the best they can do.

Rather than accept that, IPS argue that it wasn't really a reliability test. They advanced that argument to the Select Committee, with the scornful reception recorded opposite. Over six months later, they used the same argument in T4450/7.

If it wasn't a test of the reliability of the chosen biometrics, why does the report list the statistics on the success and failure of biometric registration and verification under the heading Key Findings (para.1.2) in the Management Summary? How can they be key findings if that is not what the trial was meant to measure?

The Select Committee find IPS's argument confusing, selective, inconsistent and lacking in rigour. So do I.

As long as the biometrics chosen remain as unreliable as this, if IPS implement your plan (by 2014) to check people leaving the country as well as people coming in, and if our experience follows the pattern of US-VISIT then, I have calculated[19], Immigration Officers will have to perform about 100,000 secondary inspections a day and you will have to find room for about 8,000 detainees a day.

How feasible do you think that is?

That is one implication of relying on nothing more than optimism to make the chosen biometrics reliable.

91

… we are surprised by the Home Office's unscientific approach and suggest that rather than collating figures merely to provide information regarding performance, the Home Office admits that it cannot release details until it has completed trials.

Yes, IPS are putting the cart before the horse.

Again, the question arises just what they, and their predecessors going back to the Entitlement Cards Unit in July 2002, do with their time.

93

We are surprised and concerned that the Home Office has already chosen the biometrics that it intends to use before finishing the process of gathering evidence. Given that the Identity Cards Act does not specify the biometrics to be used, we encourage the Home Office to be flexible about biometrics and to act on evidence rather than preference. We seek assurance that if there is no evidence that any particular biometric technology will enhance the overall performance of the system it will not be used.

The Select Committee is not just surprised, now, at the cart being put before the horse, but concerned as well.

95

We note the lack of explicit commitment from the Home Office to trialling the ICT solution and strongly recommend that it take advice from the ICT Assurance Committee on trialling. We seek an assurance that time pressure and political demands will not make the Home Office forgo a trial period or change the purpose of the scheme.

Were IPS seriously going to roll out a national system without testing it? It is inconceivable in the IT industry that you release any system without testing. It is instructive that the Select Committee felt it necessary to make this obvious point.

96

In written evidence the Home Office said it was not necessary to embark on publicly funded scientific research to improve the capabilities of biometrics. This claim was subsequently denied in oral evidence and the identity card team asserted that research was being undertaken into fingerprint biometric performance. Katherine Courtney said “I would not say that we have not commissioned research. We have commissioned research. We have a piece of research that the Home Office is funding right now into fingerprint biometric performance”. We regret the confusion at the Home Office regarding the research that it is funding and what research it requires.

Here we are, back to confusion.

And regret.

It's not that the Select Committee don't know whether IPS need to do any research. It is IPS themselves who don't know.

With several years to think about it, IPS should know what their requirements are, whether the resources available meet them and, if not, how to set about closing the gap.

What do IPS do with their time?

97

The Home Office cannot afford to delegate responsibility for horizon scanning to others.

 

99

The Home Office has repeatedly stated that the total year-on-year running costs of the scheme, primarily relating to people and services, would be £584 million. Katherine Courtney said to us that “We are quite confident in our cost estimates”. However, the Home Office has not released meaningful estimates within this figure. In December 2005, the then Minister Andy Burnham said that “the estimates are … commercially sensitive and to release them may prejudice the procurement process and the Department's ability to obtain value for money from potential suppliers”.

The analysis of IPS's cost estimates has never been published and the Select Committee are clearly reluctant to take IPS's word on trust.

100

... in oral evidence Dr Edgar Whitley from the LSE still said that “On the basis of no technology trials or limited technology trials and specifications still being changed I just cannot see how they can be so clear that it is £584 million”. We have no wish to guess the true costs but it is difficult to believe that such a certain figure can be established when there are so many variables.

The Select Committee find it difficult to believe that IPS's cost figure can be known so precisely and that it never changes …

101

The Home Office figures were audited by KPMG. The Home Office has interpreted this audit, which was published in November 2005, positively ... In oral evidence, Katherine Courtney stated that, “our cost assumptions have been independently audited by KPMG and so we can have quite a high degree of confidence in them at this point in the development of the scheme”.

… not least because the KPMG audit report IPS appeal to for proof provides no such assurance …

102

However, the audit highlighted some potential problems with the scheme. Despite Government assertions that a 10-year card life would be feasible, KPMG found that supporting information from suppliers was inconclusive. KPMG stated that “the durability of the cards over the ten year period is questionable” and it recommended that the Home Office revise its cost estimates accordingly. KPMG also noted that: “the performance of the biometric matching drives a significant amount of cost […] the IDCP [identity card programme] team should have further discussion with the USVISIT programme to gain detailed insight into the cost drivers for this area and the UAE [United Arab Emirates] to verify the cost and performance of the fingerprint and iris hardware matchers respectively”. When questioned on 22 March 2006 about whether the identity cards team had followed this suggestion, Katherine Courtney admitted that they had not yet done so.

… indeed, the KPMG audit report recommends that IPS check its figures and – what do they do with their time? – they still hadn't checked at the time of the Select Committee report.

We know some of the things IPS do with their time:

·        They try to convince the Department for Work and Pensions[20] that the NIS will help to improve "customer service".

·        And they make plans to fingercopy[21] everyone over the age of 11, even though the Identity Cards Act[22] clearly specifies at §2(2) that the age limit is 16.

Why?

Surely IPS would do better to get on with the job in hand.

103

We do not share the Home Office’s belief in their costings given that the breakdown of technology costs provided to us in confidence only provided a broad overview and did not include any figures. In the light of this lack of evidence, we can only conclude that the Home Office is not confident in its figures and as a result, we are incredulous that the Home Office is seemingly able to produce firm costings regarding the running costs of the scheme when the costs of the technology are not yet clear.

The idea of a costs breakdown that does not include any figures is novel.

The Select Committee do not share IPS's belief in the costings, they doubt that IPS believe the figures themselves and, in the end, the Select Committee declare themselves incredulous.

Home Secretary, short of saying that IPS are lying to them, the Select Committee could hardly go any further. And if they're worried, I think you should be as well.

 

Remember, Home Secretary, it's not me, these are your colleagues speaking to you, fellow parliamentarians. They are concerned more than 20 times in a 62-page report, surprised four times, regretful three times, sceptical twice and incredulous once. There are 15 or so cases of confusion, four of inconsistency and about 50 cases of lack of clarity.

It's not just parliamentarians who have a message for you. So does the Office of Government Commerce (OGC), who have to recommend to the Chancellor whether to approve funding for the NIS:

Email

OGC/UKPA ID cards scheme correspondence[23]

Foord, David (OGC)

08 June 2006 15:17

This has all the inauspicious signs of a project continuing to be driven by an arbitrary end date rather than reality.

I conclude that we are setting ourselves up to fail.

... the (un)affordability of all the individual programmes ... the very serious shortage of appropriately qualified staff and numbers of staff ... the lack of clear benefits from which to demonstrate a return on investment ...

Smith Peter (UKPA)

08 June 2006 15:44

I wouldn't argue with a lot of this ...

It was a Mr Blair who wanted the 'early variant' card. Not my idea ...

Foord, David (OGC)

09 June 2006 11.38

Just because ministers say do something does not mean we ignore reality - which is what seems to have happened on ID Cards.

I do not have a problem with ministers wanting a face saving solution ... a botched introduction of a descoped early variant ID Card, if it is subject to a media feeding frenzy (queues outside passport offices! and more recently IND) - which it might well be close to a general election, could put back the introduction of ID Cards for a generation and won't do much for IPS credibility nor for the Govt's election chances either (latter not our problem but might play with ministers).

My view based on present experience is that neither the Home Office or IPS should attempt challenging, they should be forced to do safe.

 

Clearly OGC don't think that UKPA/UKPS/IPS are up to the job and, what's more, the latter agree. That is a serious warning to us all.

Can you imagine the Crosby forum on identity management recommending that the banks and retailers should buy identity verification services from IPS?

Do you genuinely believe that Parliament would be wise to grant more data-sharing[24] powers to IPS?

Consider the February 2007 National Audit Office (NAO) report[25], Identity and Passport Service: Introduction of ePassports:

Para.

NAO report

BCSL comment

1.7

There are additional EU requirements specifying that by 2009 ePassports should include fingerprint data which will require personal attendance for fingerprint enrolment. The UK is not obliged to comply with the EU regulations as it is not a signatory of the Schengen Agreement but has decided to do so voluntarily.

Please see comments[26] on my website. IPS are said to have decided "voluntarily". The NAO could just as well have said "secretly".

Not only has this unilateral decision to add fingerprints to ePassports not been debated publicly, it is further unfortunate because ...

3.14

... although there is spare capacity on the chip [in the ePassport] to store two fingerprints, the current model of chip has insufficient capability to accommodate the enhanced operating system and electronic key infrastructure required to protect fingerprint data.

… the chips IPS have put in the ePassports are too small for their growing ambitions. Presumably all ePassports may have to be re-issued as a result. Note that 2.2m had already been issued by September 2006 (para.2.1).

3.1

The impact of using readers to examine ePassports in high volume situations at UK immigration is unknown both in terms of the performance of the readers and potential delays to travellers …

the durability of the ePassport chip unit for the full ten-year lifespan of the passport remains unproven …

the loss of critical staff and institutional memory could threaten the cost-effective delivery of future projects …

We don't know what the effect will be on delays at airports and seaports and stations.

We don't know how well the readers or the ePassports will perform.

And we're relying on temps[27].

3.2

It is not yet clear whether increased security benefits will be delivered at border control.

Which does rather beg the question what is the point.

3.3

Front desk readers are estimated to take around 8 seconds to read chip data. Readers have not been tested in high volume situations and Immigration Officers will, until September 2007, have to leave the front desk to undertake additional checks of the digital signature using the readers located in back offices. This creates the risk that ePassport chips may not be read frequently enough to deliver the full security benefits.

On the one hand, we have the new ePassports, bristling with PKI authentication facilities. On the other hand, for the next six months, the Immigration Officers won't have appropriate readers on the front desk to check that each ePassport is authentic and hasn't been tampered with. Instead, they will have to go to the back office to use the reader there. 300 times for the average Jumbo jetful of passengers?

How long have IPS had to prepare for ePassports? Answer, the Berlin Resolution[28] was "unanimously endorsed" on 28 June 2002.

3.4

Facial recognition software is not reliable enough to use with large databases.

So much for the repeated claims that biometrics will stop people being able to register multiple identities, e.g. this one from IPS's strategic action plan[29]: "Biometrics will tie an individual securely to a single unique identity. They are being used to prevent people using multiple or fraudulent identities" (para.13).

(When are IPS going to understand that biometrics don't even theoretically provide security? That's PKI[30].)

No attempt is being made to use biometric algorithms to compare the image on the ePassport chip with the live image on camera of the passport-holder. What we have got is an expensive new passport and the old system of Immigration Officers comparing the photograph with the person in front of them and making their best guess. How many people know that?

It's just as well, of course, as biometrics based on facial geometry are unreliable, see above. How many people know that?

3.13

Owing to its development of the chip and involvement in the international committees that set technical standards, Philips Semiconductors holds many of the intellectual property rights in the chip unit. The Identity and Passport Service has been aware of this issue since the outset and has sought to pinpoint where intellectual property rights and patents reside given the evolving nature of requirements. The Identity and Passport Service is employing legal advice to assess its position on this issue. In particular, the Identity and Passport Service is seeking to quantify the risk of possible patent infringement and assess any possible costs arising. Security Printing and Systems Limited holds other key intellectual property rights but the Identity and Passport Service has protected its position by inserting a clause in the amended agreement allowing it to use Security Printing and Systems Limited patents under licence after the contract expires.

So we have unknown liabilities to pay licence fees and maybe royalties in respect of ePassports.

Will this be repeated if and when IPS introduce fingercopies[31] to ePassports

Will this be repeated if and when IPS introduce ID cards?

Do IPS have time to prepare budgets?

Which brings us to …

Appendix 6

The cost-benefit analysis considered ... in June 2004 estimated the project would involve a net cost to the UK economy of between £100 million and £344 million ... By October 2005, the net cost was replaced by an estimated net benefit to the UK of £2.0 billion for the period 2003-04 to 2010-11. The final version of the business case, prepared in February 2006 was the most detailed and sought to quantify just one of the benefits ascribed to ePassports – the UK’s continued participation in the US Visa Waiver scheme. This reduced the estimated net benefit to the UK economy to £89 million for the same period ... If US visas are assumed to be valid for an average of five years and other assumptions are held constant, the assumed percentage of trips requiring a visa would fall to 11 per cent and would result in a net cost to the economy between 2003-04 and 2010-11 of £98 million".

… the cost benefit analysis of ePassports.

According to IPS, ePassports could cost the UK between £100m and £344m.

Or they could save us £2bn.

Or perhaps only £89m.

Or they might cost us £98m.

These are the same people who asked the Select Committee to share their confidence in the unchanging budget for the NIS.

 

On the evidence above:

·        The Select Committee found IPS untrustworthy. They are no good at budgeting. It is not clear what they do with their time. They make unilateral decisions without public debate. They keep calling for more powers. But they have nothing to offer. They do not understand PKI. And as far as biometrics are concerned, they seem to be just hoping that reliability will improve. That is not a scientific approach. National security is at stake. Billions of pounds are at stake.

·        The NAO clearly find IPS to be incompetent.

·        So do OGC.

·        And IPS agree.

The recommendation in my last open letter, Home Secretary, was that you grill IPS. Depending on the result of the grilling, you could then consider implementing the stra­tegy described in that letter, beginning with: "… Invitations to tender (ITTs) will be issued before 1 April 2007, following further consultation with biometrics suppliers. The Home Office could announce some time soon after 31 March 2007 that the consultations reveal that there is no point issuing the ITTs as no supplier can offer the near-100% reliability required …".

It is no good attacking David Davis for being soft on crime when he promises to repeal the Identity Cards Act and cancel all related contracts[32]. It just begs the question are IPS doing anything to improve security? By their own lights:

·        Unless they can deliver reliable biometrics, the answer is no.

·        Unless they can follow PKI procedures properly, the answer is no.

·        Unless they can get equipment on desks at airports and seaports and in town halls and police stations and benefits offices and hospitals and schools and universities and banks, the answer is no.

·        Unless they can get the right size chip in ePassports and ID cards and biometric visas and residence permits, the answer is no.

T4450/7 includes the following: "it is also worth remembering that the National Identity Scheme will grow incrementally and we are taking a cautious approach to the introduction of new technology. We are not intending to launch the scheme as a 'big bang'."

They would say that, wouldn't they? They want to keep their jobs.

It is in their interests to extend the timescales as much as possible. How long will it take to achieve 80% adoption of the proposed ID cards? Until the first quarter of 2019, according to the Home Office documents reported in the Sunday Times[33]. We have 80%+ adoption of mobile phones now[34]! IPS are using the wrong technology.

It is not in the public's interest to wait 12 years before getting improvements to crime detection, crime prevention and counter-terrorism.

We do not want to find ourselves in the position where billions of pounds have been spent "incrementally" and, as a result of this "cautious approach", it is only after they have been spent that we discover that the scheme doesn't work. There is nothing cautious about this approach. To be cautious, IPS need to demonstrate to you that they have a viable biometric technology before they go on to spend billions of taxpayers' pounds.

IPS appear to be out of control. In view of which, a response from them saying "we are not out of control" would be unconvincing. It would be a welcome change, therefore, to hear from you this time.

You may have seen the latest edition of Private Eye, no. 1179, with a report on the NHS National Programme for IT (£12bn?). The NIS (£20bn?) could go the same way. There is no need for that, if you listen. You could switch from the NIS to dematerialised ID. Dematerialised ID delivers.

Yours sincerely

 

David Moss

 

 



[2] Letters from IPS are signed "Yours faithfully, On behalf of the Identity and Passport Service". Peculiarly, no name is ever given. Do these people have no identity?

[3] "IPS" is used throughout to denote IPS or UKPS or UKPA, whatever the organisation is called for the time being. It has been repeatedly re-structured. With some organisations this succeeds in imparting new motivation. With others, the only effect is that the same Muppets sit in the same chairs at different points on the same deck.

[8] You may find yourself pushing at an open door with the EU if you adopt this proposal – IDABC say "… Although smart cards were the main focus, it was also recognised that other non-card based solutions for carrying out qualified eServices are being developed. Work on mobile device technology is particularly important, as this medium potentially offers cost, security and functionality benefits over smart cards," see http://ec.europa.eu/idabc/en/document/4484/5584.