|Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.||
The voluntary alternative
to material ID cards
A Proposal by David Moss
of Business Consultancy Services Ltd (BCSL)
The government speak of biometrics as though they are almost 100% reliable. The evidence suggests that they are not.
The government speak of how other countries are using biometrics and of how popular they are. Biometrics may be pervasive and popular but that does not make them reliable.
The government speak as though international obligations are forcing them to introduce biometrics. In fact, their introduction is largely the government's own initiative.
The unreliability of biometrics will create many problems. Such as the need to check the identity of 100,000 international travellers a day by some means other than biometrics. How many staff will be required? How will they perform the checks? How much will it cost? Is it worth it? On these questions, the government are silent.
Loosely, the hope is that a biometric can be found which, throughout his or her life, identifies each person uniquely in a practical way such that, for example, a Jumbo jetful of people can be moved quickly through the arrivals procedures at an airport while confirming each passengers one and only identity.
If no such biometric can be found, if it is just wishful thinking, then the ID voucher scheme would have to be radically altered to proceed as best it can without such a binding, as such schemes always have done in the past. Either that or it should not proceed at all.
The experience of biometrics would not be ideal, there would be exceptions. 100% reliability cannot be achieved. The standard must be relaxed. The question is, how much can we afford to relax the standard?
Either way, the ID voucher scheme would deliver no benefits. It would be a waste of money.
The government have not stated what their relaxed standard is. In that sense, there is no correct answer to the question what level of error or failure is acceptable. If 1% of people cannot register their biometrics, in a scheme with 50m cards in issue, that affects 500,000 cardholders. Is that acceptable? Or too many? If 0.1% of people cannot use their biometrics to verify their identity, that affects 50,000 cardholders. Acceptable? Too many?
Your answers to these questions will inform your reading of the paragraphs below.
Remember, the same biometrics will be used not only for ID cards but also for the new passports. The need for biometrics to be reliable applies to both.
We have 100 years experience of the reliability of fingerprints. Fingerprint evidence is admissible in court and it is trusted worldwide. A single example of a suspected mistake with fingerprint evidence is enough to cause consternation throughout the world forensic establishment. It takes a long time to register all 10 fingerprints using traditional methods, i.e. so-called rolled prints taken by police experts using ink. And it takes a long time for a fingerprint expert to verify a persons prints in the traditional way against the registered set too long, again, to meet the requirements above.
It is the contention of this proposal that the confidence people have, rightly or wrongly, in DNA and fingerprints is being borrowed and exploited for quite different biometrics. Biometrics which, the figures suggest, do not deserve the same confidence. A confidence trick, in fact.
The terms of reference for the NPLs feasibility study were to calculate the probability that any of these biometrics could identify a person uniquely in a population of 50m (para.11, 29), the likely number of UK ID cards in circulation.
The Home Office used a figure of 67.5m cards in their July 2002 consultation document (para.5.39).
67.5m is 35% higher than 50m. That's quite a difference. Which figure is correct?
Given that UK residents travel abroad and overseas residents visit the UK, it might be argued that the real test is to see whether these biometrics can be used to identify a person uniquely in the world population of 6.5bn. If they cant, perhaps we shouldnt rely on them.
They found that verification was unreliable immediately after registration there is one chance in 10 that Person A will be told that he or she is not Person A. Two months after registration, it was useless the probability of a false negative rises to six out of 10. The government have proposed that ID cards should be issued for 10 years at a time. For two months, registration on the basis of facial geometry would be unreliable. For 118 months, it would be useless.
While arguing convincingly that they are too unreliable for registration, the NPL state that biometrics based on facial geometry are nevertheless reliable enough for verification purposes (para.108a, b). It is hard to see how they support this statement if six times out of 10 the computers are going to say that Person A is not Person A. Their claim that these biometrics are adequate for small watchlists seems similarly dubious (para.63).
The more correct conclusion is surely this it may be worth encouraging more research into biometrics based on facial geometry but it cannot be sensible now to spend money deploying a national ID voucher scheme which relies on them in any way.
As a member of the International Civil Aviation Organization (ICAO), the UK is bound by the ICAOs Berlin Resolution (p.15) to incorporate biometrics based on facial geometry into new biometric passports.
If there is any way to amend this resolution, it should be explored.
Otherwise, the sensible option is to abide by it in the cheapest way possible, as Ireland have done, while recognising that there is no benefit to be gained from biometrics based on facial geometry. No other money than for that minimal compliance should be spent on the deployment of biometrics based on facial geometry.
This conclusion is tempered by the fact that the probability of a false negative with two irisprints is one in 10,000. That is, on average, one person in every 10,000 will be told by computers that he is not himself. 5,000 cardholders in the UK scheme would be affected, 0.01% of the population. Could we ignore these 5,000 people? Is 99.99% an acceptably high success rate?
There are three more significant problems:
According to the NPL, the best computerised fingerprint verification systems can reduce the probability of a false positive with one fingerprint to one in 100,000 (105). Given 10 fingerprints, the probability that Person B will be identified as Person A may therefore be as low as one in 1050. Also using all 10 fingerprints, the probability of a false negative could be as low as one in 1020.
Fingerprints, therefore, seem to be even better than irisprints at identifying people.
Facial geometry successfully verified identity a few minutes after registration only 69% of the time for able-bodied participants and only 48% of the time for disabled participants (para.188.8.131.52). In neither case did it achieve the 90% reliability that the NPL feasibility study might lead us to expect.
Irisprints were successful 96% of the time for able-bodied participants and 91% of the time for disabled participants (para.184.108.40.206). These figures are nothing like the 99.99% that we might have expected on the basis of the NPLs feasibility study. And only 90% of the able-bodied could be registered in the first place as far as irisprints are concerned, 10% of able-bodied people do not exist. And that figure rises to 39% for disabled people (para.220.127.116.11).
Fingerprints successfully verified the identity of the able-bodied participants in the trial only 81% of the time (para.18.104.22.168). For those aged 65 and over, the figure drops to between 67% and 71% (pp.249-50). Again, there is a wide gap between theory and practice.
It may be argued that the UKPS trial was not designed to measure the accuracy of biometric registration. Perhaps. But unintended consequences are still consequences.
Suppose that 330 able-bodied people under the age of 65 buy tickets for a long haul flight. Using the statistics above in the strictest way possible, 33 of them will not get as far as the Departures lounge, having been unable to register their irisprints. And what is going to happen at the Arrivals desk? Facial geometry will wrongly require 93 of them to be sent home, fingerprints will wrongly require 60 of them to be sent home and irisprints 12. Up to 198 of the original 330 ticket-holders 60% of them will be victims of the registration problems and the false negatives of biometrics. How many false negatives is it acceptable for there to be? Almost none.
It may be argued that biometrics would never be used in this way. But then, how will they be used? The government have not explained. What are the plans for people who cannot register their biometrics in the first place? How are false negatives going to be dealt with?
Failure rates like this are unacceptable. Biometric verification would instantly become a laughing stock. If they were not trusted, then biometrics would not stop criminals and terrorists from being able to maintain multiple identities any biometric evidence casting doubt on one of their identities would be discounted. Biometrics would, on the other hand, make a lot of innocent people furious when they are told by a computer that they are not themselves.
Biometrics are not ready to be relied on. Any money spent deploying them now would be wasted.
The fingerprinting method chosen for the governments ID cards scheme involves a so-called flat print system (para.30, 72 ). There is no ink involved and no fingerprint expert. You put the four fingers of one hand on what looks like a photocopier, then the four fingers of the other hand and then the two thumbs. These are not the fingerprints the public know and trust after 100 years of experience. They are arguably no more than glorified photocopies of peoples fingers and they are referred to henceforth as fingercopies, to distinguish them from fingerprints.
This is a sleight of hand. There are two different biometrics, fingerprints and fingercopies. By using the same word for both of them ("fingerprints") we are being lead to associate the proven reliability of fingerprints, with something quite different – fingercopies.
Ask most people if they trust biometrics and they say yes, they're fingerprints, aren't they? No, they're not. They're fingercopies.
According to the Home Office themselves, in their July 2002 consultation document, fingercopies are not admissible as evidence in court (para.5.14, 33, 51). If someone is deprived of some entitlement on the basis of his fingercopies and takes the matter to court, what is going to happen? The government have not explained. Over four years later.
there are difficulties with the technology not least with people with brown eyes ... none of these problems are new, but increasingly as biometrics are more and more used ... we think the technology can only get better and better and better .
If todays biometrics cannot verify identity with anything like adequate confidence, then the only prudent and businesslike option is to delay the deployment of biometrics until they can be relied on.
The government point to widespread public support for the introduction of ID cards. That is not the same thing as saying that ID cards would be reliable. The support exists but it is based on the assumption that ID cards would work. If and when they are introduced, if they rely on biometrics, and the biometrics do not work, then the support will evaporate.
At best, the biometrics chosen for the new passport and ID card schemes offer 80% reliability. You are unlikely, when answering the three questions above, to have put forward such a low figure.
Given the confidence you have in biometrics principally fingerprints and DNA you may be surprised to discover that the reliability of the chosen biometrics is so low. But that is what the evidence suggests.
It is only by ignoring the evidence that the government can pursue its plans.
Suppose that the agreed royalty payment is 1p per verification and suppose that 50m cardholders have their identity verified once a year. Then the company owning the IPR will earn royalties of £500,000 p.a. If verification takes place on average once a month, then the company will earn royalties of £6m p.a. Daily verification would take earnings to £182.5m p.a. And that assumes 1p per verification. At 10p per verification, the taxpayer would be paying £1.825bn p.a., etc ... Excluding VAT.
These royalties would be payable in addition to the licence fees to use the algorithms and any associated support costs and equipment sales.
"We are acquiring and fitting out 69 offices throughout the UK. Next year we will progressively introduce interviewing of first time adult passport applicants which will be an important measure to deter and to detect fraud" (p.9).
The NPL used a figure of 2,000 registration centres as a tentative working assumption in their report (para.14, 105). The Home Office used the same figure in their July 2002 consultation paper (Annex 5, para.16).
The UK has over seven times as much land as the Netherlands and over three-and-a-half times as many people, and yet the Netherlands are proposing to have 4,200 registration centres (para.4.1). Italy has about 58m people and issues ID cards from 8,101 comuni nationwide.
69 is clearly just the tip of the iceberg. Establishing this new network of 2,000 or more biometric registration centres is yet another expensive and risk-prone project for the Home Office to take on.
If biometrics are unreliable and useless, then there is no point building and maintaining and staffing a national network of biometric registration centres. There is one less excuse to take up everybodys time with interviews which require attendance in person to get a passport. And there is no need to pay royalties to the suppliers of proprietary biometric technology.
According to the Home Office's October 2006 cost report on the ID cards scheme:
"Currently, employers do not have a reliable means of establishing whether a job applicant has the right to work here or not" (Tackling illegal working, p.5).
Are we employers now absolved from our previous responsibility?
According to the cost report, it is not just employers who have trouble establishing people's identity. So does the criminal justice system:
"It is difficult and resource intensive to ascertain the identity of prisoners suspected of being foreign nationals and those arrested by the police" (Identifying those who present a risk to the public, p.5) .
The problems do not end there:
"It is currently very difficult for Criminal Records Bureau (CRB) Registered Bodies to establish an applicant's identity efficiently ... It is already known that on some occasions, individuals are matched against the wrong criminal record ... this can lead to delays in processing their applications. In a small number of cases, people known to the police have been able to proceed through the system undiscovered" (Protecting the most vulnerable people, p.5).
If employers can't identify people properly and the criminal justice system can't either, despite having several hundred years experience, and the CRB can't, despite that being their job, what reason do we have to believe that the staff of the proposed registration centres will do any better? This question remains unanswered by the government.
it would be possible for you to be issued an ID card on the identity that you had assumed some years ago, he said, but that would be your identity for the rest of your life coming in or going out of the country. You would have adopted by your own actions an identity that you could not change (Q634).
That raises the level of expectations.
The Commissioner of the Metropolitan Police has confirmed that biometric identification needs to be almost foolproof, ... almost perfect if ID cards are to achieve their objectives.
The NPL report states that, far from being foolproof, far from perfection or logical certainty, all that can be delivered by biometrics is a probability that a given person is who he says he is: "biometric methods do not offer 100% certainty of authentication of individuals" (para.4). The evidence of the UKPS biometrics trials suggests that this probability is too low to support conclusive decisions. That is the state of the art. Biometrics do not provide the basis for a reliable ID voucher scheme.
On what basis, therefore, can the Prime Minister state, as he did, in his 6 November 2006 article in the Daily Telegraph newspaper, that:
"by giving certainty in asserting our identity and simplicity in verifying it, biometrics will do away with the need for producing birth certificates, driving licences, NI and NHS numbers, utility bills and bank statements for the simple task of proving who we are"?
How did that word "certainty" get in there?
On what basis can the Identity and Passport Service (IPS) write in their first Section 37 cost report on the ID cards scheme:
"Ultimately this will ensure that everyone who has been given permission to enter the UK ... can be identified securely using their biometrics" (Making the nation's borders more secure, p.4)?
How did that word "everyone" get in there?
And how will it work in practice? When biometric equipment at an airport, say, indicates that a passengers identity is suspect, that passenger will have to be investigated. There is a limit to how many investigations can be carried out by the given number of staff on duty. The tolerance levels on the biometric equipment will have to be set to suit the number of staff. There will be a butchers thumb on the scales. That is a far cry from the offer of conclusive identification. The level of expectations with respect to biometrics needs to be lowered.
The argument advanced by the software houses bidding for UK government contracts for ID cards is that, yes, the biometrics under consideration are not admissible as evidence in court, and yes, they cannot be relied on by themselves to identify people, but biometrics do help, in conjunction with other data, such as biographical details. How? How can data, which is acknowledged to be unreliable, become all of a sudden reliable, because of some other data? It cant. The argument is without merit.
Until now, the State Department and the Department of Homeland Security (DHS) have considered it practical to record a digital photograph and just two fingercopies for each visitor. There isnt time, they said, to take more fingercopies at border crossings and ports.
The NPL recommend registering a minimum of four fingercopies and would prefer to see all 10 registered (para.5, 57). The US National Institute of Standards and Technology (NIST) insist that all 10 are required:
"... the NIST-recommended Technology Standard is for ten flat fingerprints to be taken to add or 'enroll' individuals in databases and to conduct searches of the databases ... Thus, the current US-VISIT fingerprint collection standard (two flat fingerprints for enrollment and database searches) is not consistent with the NIST-recommended Technology Standard".
There is a danger here that a lot of money (between $10bn and $20bn according to Forbes magazine) has been spent on an expensive charade. A danger that the DHS just look as though they are operating a security system.
The requirement for biometrics on travel documents for US-VISITors was established by the Enhanced Border Security and Visa Entry Reform Act of 2002. One US biometrics expert interviewed by New Scientist magazine pointed out: "The act, if you read it carefully, doesn't require that the system actually works, just for it to be there". A charade, in other words, would not actually be illegal.
The Office of the Inspector General (OIG), part of the Department of Justice (DoJ), reviewed the first year of operation of US-VISIT. If the OIG are right, we certainly do not want to get into the same position as the US. The Americans deserve better. So do we. The findings of the OIG report are:
While the money has been spent and the scheme has been deployed, known criminals continue to enter the US. The OIG cite a number of revolting cases to make the point, one involving the rape of two nuns and the death of one of them, another involving a mass murderer who carried out four murders after successfully crossing the border.
How is the UK going to avoid the same problems? Another question the government have not answered.
The same applies to DNA. There are frequently stories in the media of crimes being cleared up by DNA analysis, often decades later. Again, the technology works.
If there were any similar cases of facial geometry or fingercopies or irisprints being used to unmask people, then they, too, would have been well publicised. US-VISIT has been operating for over two years. There are no such success stories in the media. Far from it, the media are awash with stories of failure and doubt.
It is hard to resist the conclusion that the investment in biometrics now is like the bubble investment in the South Sea Company in the 1710s. And that belief in biometrics now is like the tulipmania that afflicted Holland in the 1630s. And that this emperor has no clothes. For the moment, the governments ID voucher scheme is going to have to get by without biometrics.
The Berlin Resolution says:
ICAO TAG-MRTD/NTWG endorses the use of face recognition as the globally interoperable biometric for machine assisted identity confirmation with machine readable travel documents (p.15).
But facial geometry is the least reliable biometric of all, it is a waste of money. Far from forcing the Home Office, as they suggest, to introduce biometric passports and ID cards, the Berlin Resolution surely needs to be reconsidered.
The Berlin Resolution says further:
ICAO TAG-MRTD/NTWG further recognizes that Member States may elect to use fingerprint and/or iris recognition as additional biometric technologies in support of machine assisted identity confirmation.
That is may elect to, not are forced to.
The ICAO list 13 considerations behind their reasoning in favour of the Berlin Resolution, including the following:
The Home Office are certainly not being forced by the ICAO to introduce an expensive system of compulsory attendance at a national network of 2,000 or more biometric registration centres where people will have their fingerprints taken like criminals in order to obtain a UK passport. That is their own initiative.
On that last bullet point, consider the following quotation from the Home Office's own July 2002 consultation document:
"Asylum seekers are now being issued with Application Registration Cards (ARCs) which also include biometric information in the form of fingerprints. Asylum seekers present a particular problem in verifying identity as they often enter the country without any official documents such as passports and those they have may not be genuine. The fingerprinting of asylum seekers to a legal standard of proof (unlike that suggested for the entitlement card [now ID card] scheme) helps to ensure that an individual cannot make more than one application for asylum and that the fingerprint evidence can be used in court" (para.5.14).
ARCs are not comparable to ID cards. Had the Home Office forgotten this fact when they wrote the May 2005 briefing document? Are we expected to have forgotten it? They seem to be prepared to ignore the evidence, even their own evidence, in the bid to convince us that the biometric passport and ID card schemes will work.
This cockeyed reasoning based on marginal costs was used by David Blunkett, when he gave evidence to the Home Affairs Committee, to state that the cost of an ID card would be only £4:
"The vast bulk of the cost will be incurred irrespective of whether we move to the ID card and the clean database. I think once people understand that, that what we are being is transparent about the likely cost over a ten year period as the scheme builds up rather than simply increasing the price of a passport, which is how securer passports have been dealt with previously, then they will understand that the small additional amount for the use of the card and the secure database to be used in that way is worth it. A small amount, our estimate at the moment is an additional £4 over the ten years for those who have the passport and, if we use them in future, driving licences. That is not the case, of course, for people who have got neither, they would obviously be paying the substantive sum of around £35 over the ten year period" (Q673).
He went further, and argued that the cost of ID cards is tiny if you look at it on an annual basis. The Home Offices July 2002 budget covered a 13-year period. Of course if you divide any positive number by 13, you get a smaller number. 13 times smaller.
You still have to pay the whole bill and that is rising fast. In July 2002, the Home Office estimated the budget for ID cards, covering three years of development work and the first 10 years of operation, to be between £1.318bn and £3.145bn (Annex 5, para.33). Their latest estimate is £5.4bn (p.10), down from the previous £5.8bn. The London School of Economics (LSE) at one stage estimated it to be between £10.6bn and £19.2bn (pp.5, 11, 245), more like £157-£286 per card than £4 per card.
Since then, the LSE have been defeated in their attempts to estimate the cost of the scheme. The Home Office's vision of how the scheme will work is so unclear that it is impossible to prepare useful estimates.
The budget for passports is being confused with the budget for ID cards.
One minute the focus is on the whole budget, next it is on the marginal cost.
One minute the focus is on the whole budget, next it is on just one years worth.
These three tricks with budgets cannot disguise the fact that the NPLs findings, the UKPS biometrics trials and the experience of US-VISIT confirm that biometrics based on fingercopies and irisprints are unreliable and biometrics based on facial geometry are useless. ID cards and biometric passports are equally unreliable and useless.
Three different biometrics are being considered. The government may choose to use one, two or all three in the scheme. The budget cannot be the same irrespective of which choice is made. The single figure of £0.7bn must be treated with some scepticism.
The budget figure gives an incomplete picture:
Despite the Home Office publishing their cost report, we have little idea as yet what the cost of biometrics will be.
"Already one million people have bought and use an IBM laptop which uses fingerprint recognition to control access - and for the future, manufacturers are looking at the same fingerpint recognition technology to make mobile phones and MP3 players worthless if stolen".
Do the biometrics on these laptops work for everybody or do 20% of users find that they don't work? The Chancellor doesn't say. If and when security measures incorporating biometrics can make stolen devices useless, well and good, but biometrics are not reliable enough yet. They may be popular and they may be pervasive both, without being reliable.
In view of which, together with the evidence that 20% of the public can't be registered using the biometrics chosen, surely the government would be best advised to watch and wait. Let the private sector perform the biometrics experiment:
That is a litmus test for the ID cards scheme. If the banks feel that they have to continue to use other methods of identification, that the ID card will not alone be sufficient, that they still have to follow all the anti-money-laundering procedures of know-your-customer (KYC), then people will see no difference when it comes to dealing with their banks. They will quite rightly feel cheated, having spent billions of pounds on the biometric passport and ID card schemes, and the government will have to answer the charge that they have wasted taxpayers' money.
The government are in the position of supplicants in this matter. If the banks were to announce that they will rely on the government's ID cards, that would endorse the scheme. But the biometrics involved are unreliable. There is no business case for gratifying the government's wishful thinking. The banks would have to answer to their accountholders and their shareholders for a manifest lack of prudence.
US-VISIT is a scheme for overseas residents only. The US do not put their own citizens through it. By contrast, the UK proposes to check not only overseas visitors but also its own citizens. Based on ONS figures, that makes 92m entries into the UK during the year or 252,055 primary inspections per day on average, more than twice as many as the 118,000 processed through US-VISIT.
The US perform secondary inspections on 19% of all US-VISITors, 22,350 people per day. If our experience is the same as the US, the equivalent figure in the UK will be 47,890.
The Home Secretary has promised that by 2014 everyone will be checked on exit from the UK as well as on entry. That would double the figures and take us to 95,780 secondary inspections per day. More unanswered questions are raised. How long does a secondary inspection take? What do you do with the people who have missed their train or boat or plane as a result? How many staff will be needed? What will it cost? Where do you put the 7,662 (8% of secondary inspections) people per day who will be detained?
This extraordinary figure of roughly 100,000 secondary inspections and 8,000 detentions per day is one measure of the implications of relying on flawed biometrics, of proceeding on the basis of hope alone and of ignoring the evidence.
It is not just airports and seaports that will be affected. Secondary inspections will be required also in banks and hospitals and schools and benefits offices and anywhere else that public or private sector bodies might decide to require verification of people's identity with government ID cards. Who is going to perform these secondary inspections? And is the benefit great enough to warrant the cost?