Reason to believe

Would you please review the handling of freedom of information request 13728/10 [1]. A request was made for the public to be able to see IBM’s biometrics trial report. Your colleagues have decided that the public interest is better served by non-disclosure.

The Home Office’s long planned National Identity Service (NIS) depends on reliable biometrics. That is its unique selling point [2]. If the biometrics chosen are not reliable enough to do the job, the NIS must fail. Many reports are available in the public domain [3] which undermine faith in the biometrics chosen. The public need a reason to believe in these biometrics. Faith is not enough. We need to see this IBM report, on the basis of which Sagem Sécurité have been awarded the contract to supply biometrics technology to the NIS.

Some representations in favour of disclosure were made on 4 March 2010 [4] in favour of publication. May I make the following additional representations here:

•      The Home Office response concentrates on the national security functions of the NIS. They don’t want to make it too easy for our enemies. Keep them guessing, keep them worried, how good are these biometrics? But the NIS is meant to affect everyone’s everyday life. That’s what the Home Secretary says [5]. It is meant to determine our right to work in the UK, our right to non-emergency state healthcare, our right to state education, and so on. According to Meg Hillier MP, it is even meant to determine our ability to collect parcels from the post office. Non-disclosure will have normal people guessing and worried as though we, too, are enemies of the state.

•      There are already quite enough controversies over the way the Home Office handle scientific evidence [6], [7]. Do you really need another one?

•      The public want, need, deserve and pay for these statistics. According to Sir Michael Scholar [8], Chair of the UK Statistics Authority, “having good statistics is like having clean water and clean air. It’s the fundamental material that we depend on for an honest political debate”. If the IBM report makes a convincing case for the proposed biometrics, the Identity & Passport Service (IPS) will publish it. Non-disclosure seems furtive, as though there is some guilty secret to hide.

•      That suspicion is strengthened when you consider that there has been no Home Office press release about Sagem Sécurité getting the contract for the NIS biometrics. The public only know about it thanks to a press release issued by Sagem in Paris [9].

•      Non-disclosure is inconsistent. The Home Office allowed publication of the report on the UK Passport Service (UKPS) biometrics enrolment trial [10].

•      And not just inconsistent. The House of Commons Science and Technology Committee report [11] on IPS’s plans for the NIS says at para.83: “We welcome the Home Office’s commitment to publicising fully its plans for trialling once the procurement process has begun. In order to continue this move towards transparency and to build public confidence in the scheme, we recommend that the Home Office also makes public the results of these trials”. The Home Office have not published their trial plans. You have broken your promise and you are ignoring the advice of both the Committee and the UK Statistics Authority. You shouldn’t.

•      The Committee also report the March 2006 advice of the US Department of Homeland Security (DHS) “that currently the technology was probably not as reliable or as accurate as it might need to be for a national identity card scheme” (para.81). You are ignoring the DHS as well. Whose advice are you following?

•      Some of the Home Office’s arguments in favour of non-disclosure amount to saying that it would be a bad thing if the public found out that the NIS cannot work and is a waste of money. And a bad thing if the public found out that the products on offer from the biometrics suppliers don’t work. Bad for whom?

•      Others among those arguments suggest that it would be unfair on the suppliers if people discovered that some biometrics products are better than others. The Home Office showed no such concern when the UKPS biometrics enrolment trial report was published and revealed how bad the products of Identix, Inc. [12], are.

•      Identix, now called L-1 Identity Solutions, Inc., continues somehow to do business. Companies compete. The Home Office aren’t used to that, but companies are.

•      Item: the US National Institute for Science and Technology* conducted a competitive trial and anyone can see on p.46 of their report [13], Figure 20, that Cogent Systems’s face recognition technology seems to perform better than Sagem’s. Item: the international fingerprint verification competition was won in 2006 [14] by Suprema Inc. of Korea. Not Sagem. Losing against the competition every now and again doesn’t stop Sagem from doing business. But the question does arise why the Home Office allowed IBM to choose second best – releasing their report might help to answer that question.

•      The Home office are worried that companies might not tender for government business in future if the IBM report is published. In general, there is no such problem. If a government contract for several hundred million pounds is available, the problem is to control the stampede of bidders.

•      In the case of the NIS, there are 32 reasons [15] why bidding for contracts is contra-indicated. That’s because the NIS is a special case. It’s guaranteed to fail. Even so, the Home Office have managed to attract some bidders. But not the pharmacists [16].

•      The suggestion made by the Home Office that releasing the IBM report could lead to terrorism is inventive and good material for a comedy sketch, but unconvincing.

•      The objection that publishing the IBM report would lead “individuals or groups” to assume that biometrics is the UK’s only defence is simply countered – by announcing that it isn’t our only defence. It isn’t our only defence, is it?

One argument advanced by the Home Office concerns the trade-off between false match rates (FMR) and false non-match rates (FNMR). Would you please comment on this in your response. FMR and FNMR are inversely proportional, as one goes up the other goes down. The implication is that a person’s identity, in a biometrics-based ID scheme, is discretionary. His or her identity may be granted or denied depending on the threshold set on the biometrics equipment. That threshold can be altered at any moment by the operator. This fact may come as news to many of your parishioners. It is time they were told.

Disclosure, IPS say, would increase public awareness of the benefits of the NIS, increase public confidence in IPS’s ability to allocate resources properly, and demonstrate openness, transparency and accountability. These considerations are all trumped, in the view of IPS, by rival considerations of national security and commercial confidentiality – it is better, in other words, according to IPS, for a mystified public to continue to guess what are the deliverable benefits of the NIS, the public will somehow just have to remain confident in IPS despite the fact that the organisation is neither open nor transparent nor accountable.

That won’t work. Given IPS’s record, it can’t. Open or not, transparent or not, accountable or not, IPS are already known to be incompetent. They have had four years since the Identity Cards Act 2006 was passed and yet:

•      only 10,000 [17] out of the UK’s prospective 50 million ID cardholders have been registered (0.02%). Compare Pakistan [18], where 96 million people have been registered in 8† years. Compare India [19], where the authorities are allowing themselves 11 months to register 1.2 billion people.

•      it has now been confessed that the cards issued to those 10,000 people in the UK are second best and not the “gold standard” previously advertised by the Home Office, proper ID cards [20] may start to become available in 2012

•      only 34 [21] out of the estimated 2,000 [22] registration centres needed to enrol the population into the NIS are available (1.7%)

•      we still have no reason to believe that the biometrics people register at those centres would work

•      no hospitals, schools, police stations, benefits offices, banks, supermarkets, off licences, etc ... have any of the equipment needed to use the NIS to verify people’s identity

•      there is no national telecommunications network connecting these users with the National Identity Register (NIR)

•      there is no NIR, IPS have spent years assuming [23] that they could use DWP’s CIS database as the basis for the NIR, they now discover that they can’t [24], all those years have been wasted

•      we still have no reason to believe that the NIS can deliver any of the incoherent patchwork of benefits promised, or avoid any of the pitfalls that exist, such as destroying personal privacy and creating a honeypot for fraudsters

Those are the facts. The implications are inescapable. That is an unenviable record for any project. For a project on which our national security depends, according to IPS, it is a disgrace. There could be no clearer indication that it is not worth pursuing the NIS, whoever is in charge of it.

IPS having failed to deliver, the UK Border Agency (UKBA) have had to plough their own furrow. They are using Cogent Systems biometrics [25], not Sagem Sécurité. They are using their own database for registering visa applicants, they can’t use the National Identity Register, it doesn’t exist. And they have issued 100,000 ID cards for non-EEA people, 10 times as many as IPS. Whether UKBA’s biometrics are any more fit for purpose than IPS’s is doubtful. That matter should be addressed, in public.

UKBA and IPS are both executive agencies of the Home Office. After four years, the single ID scheme promised has yet to materialise, instead we have two separate schemes. In the event, that is an advantage. IPS’s “work” on ID cards for UK citizens can be stopped without affecting UKBA’s work on ID cards for non-EEA citizens [26].

It’s too late to rescue IPS’s reputation. But publishing the IBM report might improve the Home Office’s reputation. It might provide some reason to believe in the organisation. Non-disclosure is a mistake which perhaps your review could help to reverse.

Yours faithfully

David Moss

 

cc        

PS Would you please now respond to the appeal on information request 13523/09 [27] submitted on 20 January. Para.3.2 and Dr Duncan Hine’s indefensible claim that “We plan to use all 10 fingerprints and facial biometrics to ensure someone can only enrol on the scheme once, thereby preventing multiple identities being established” are of particular interest. Dr Hine is IPS’s Executive Director, Integrity and Security.

PPS No substantive response has been received to information request 27468 [28] which was submitted on 22 January 2010. Would you please now respond to the appeal submitted on 23 March 2010. This concerns misleading press releases issued by the Home Office, an error brought to their attention over a year ago [29], [30] but which regrettably persists.