|Newcomers and returning visitors, please note that you are welcome to talk to the hermit using this new invention, email.||
The voluntary alternative
to material ID cards
A Proposal by David Moss
of Business Consultancy Services Ltd (BCSL)
It is easy to paint a picture of how poor the procurement work has been on the government's ID cards scheme. It is not easy to paint any other picture.
Apart from the replacement of cardboard cards with plastic ones, the government scheme is redolent of the typewriters and rubber stamps of another age. The question arises how they have come to adopt such a pedestrian, old-fashioned, inflexible, give-everyone-a-card-and-keep-a-list scheme.
The answer seems to be that they were advised by Intellect, a UK trade association of 1,000 or so IT suppliers.
The Identity Cards Act received Royal Assent in March 2006. The Home Office released its initial consultation document in July 2002. In the early stages of that roughly four-year period, three members of the Board of Intellect, including the President and the ex-President of the Board, were from Philips Electronics, a company which supplies smart cards, particularly its MIFARE® cards, known in London as "Oyster cards". Philips Electronics for some time also owned 32% of Atos Origin. Atos Origin, in turn, own the old SchlumbergerSema smart card business.
Philips Electronics today supplies only one of Intellect's Board members, in July 2005 it sold its stake in Atos Origin and in 2006 it spun off its semiconductor division to create NXP. But for some time, Philips Electronics would have won whether they got the £2bn contract for ID cards or Atos Origin got it.
It is common to use smart cards to implement mass consumer systems but you do not have to follow convention blindly, there is an alternative, as we have seen – mobile phones. How many of our four mobile phone network operators in the UK are members of Intellect? None.
The following comment, from an informed source, gives an insight into the attitude of the suppliers:
"A national ID card for the UK is overly ambitious, extremely expensive and will not be a panacea against terrorism or fraud, although it will make a company like mine very happy," said Roberto Tavano, a biometrics specialist for Unisys, a US technology company that has worked on national identity schemes in South Africa and Malaysia.
The ID card scheme initially proposed to the Home Office was arguably designed to suit the suppliers, not the client. This is producer capture. The smart card suppliers in this case represent a £2bn threat to the UK taxpayer.
When the US government became anxious about cost and time over-runs on IT projects, they established the Software Engineering Institute (SEI) to try to find a way to overcome the problem. The SEI devised the capability maturity model (CMM), which they use to score IT departments on a scale of 0 (worst) to 5 (best).
Perhaps it would be more appropriate for UKPS (now IPS, the Identity and Passport Service) to choose an excellent CMM-level 5 supplier like Tata, as we taxpayers deserve, rather than a third division team like Atos Origin.
In choosing the Atos Origin consortium to run its 2005 biometrics trial, UKPS acquired Identix Inc. to provide the fingercopying expertise. It is not clear whether Identix entered FVC2004. It certainly didn't enter under its own name. It may have been one of the 19 anonymous entrants. There is no mention of FVC2004 on the Identix website. The highest placed anonymous entrant came 9th.
Again, therefore, the question arises why UKPS do not choose the first division team that we deserve and settle instead for a company which is at best 9th rate. IBM didn't. What is the point of paying royalties to use a 9th rate biometrics algorithm?
(I have been asked to point out that the argument here is poor and detracts from the better arguments. In the experience of my correspondent, winning competitions like FVC2004 tells you little about how the fingercopy kit will work in practice. I am happy to have the point emphasised that it is live use in production that counts. In the UKPS biometrics enrolment trial, the false non-match rate for Identix fingercopies was 19%, in the case of able-bodied participants, and 20% for the disabled. That was a trial. Who knows whether Identix would be more reliable when used for real, or less?)
"The video camera part of the Panasonic BM-ET300 camera unit was used to capture a photo of the participant and also the Facial biometric. This was recorded using the Identix FaceIt software (v5.0) taking a series of images from the video camera" (C1.3).
Visionics used to claim that they wiped crime off the streets of the London Borough of Newham in a trial of their FaceIt system, which matches CCTV images of people in the street to a database of known offenders.
The police have a different memory of the FaceIt trial. They say that "the Newham system ... never even matched the face of a person on the street to a photo in its database of known offenders, let alone led to an arrest".
The NPL describe this facial geometry technology in general, not just FaceIt, as failing even to approach the performance required of an ID voucher scheme (p.15). This is the technology that failed to recognise 31% of the able-bodied and 52% of the disabled participants in the UKPS biometrics trial just a few minutes after registration (para.18.104.22.168).
How many times does the taxpayer have to pay for biometrics based on facial geometry to fail?
DVLA maintain a database of photographs, collected from photocard driving licence applications. In December 2005 they appointed Viisage, another facial geometry biometrics specialist, to conduct a trial to see if these photographs could be used to automate driver identification.
There has been no news of the trial since then. No news of its failure. No news of its success.
New Scientist magazine reported on the problems with Viisage's software, installed at Fresno Yosemite International Airport in California, back in September 2002, in the same article which mentions the Visionics software problems in Newham and also at Palm Beach International Airport in Florida.
In January 2006 it was announced that Identix and Viisage were changing their identity and merging to form L-1 Identity Solutions, Inc. The Identix strategy of cornering the market in biometrics systems that do not work has its problems. According to the press release, the combined operation would have revenues of $220m and EBITDA of at least $40m. Companies which report their earnings before interest, tax, depreciation and amortisation do so because there are no profits left after interest, tax, depreciation and amortisation.
"The pilot is being conducted under the aegis of the BAA and the UK Immigration Service, with self-investment by selected Simplifying Passenger Travel Interest Group members, including Accenture and its research and development arm, Accenture Technology Labs. Accenture is leading the biometrics implementation as well as the business process and change management that is necessary to maximize the positive impact of this technology."
The suppliers are different but standards are being maintained. According to the BBC:
"... Back out in the terminal, emerging from the queue for an Emirates flight to Dubai, was 49-year-old Jackie Colton, a British national who lives in the emirate. She is one of the 400,000 already signed up to the "E Gate" process in Dubai, which is that city's version of the biometric identity system, and she's eager to do the same at Heathrow. However, Mrs Colton explains that the miSense kiosk next to the check-in queue for Dubai is not working ..."
The kiosk is not working but Mrs Colton "remains keen to sign up her biometric measurements anyway, describing biometric-supported travel as 'blissful'".
Will IPS be equally lenient? They may be. Their new Chief Executive is James Hall, a man who spent 30 years with Accenture, rising to Managing Partner of Accenture UK.
Will the Home Office be equally lenient? They may be. The Minister responsible, Liam Byrne, worked for Accenture when it was still Andersen Consulting, before it changed its identity.
Will the Cabinet Office Delivery Unit be equally lenient? They may be. The Unit is headed by Ian Watmore, "another former Accenture partner" (Private Eye, #1169, 13-26 October 2006).
Their point is well made. The involvement of PA Consulting (PA) should not be ignored. Management Consultancy magazine and Accountancy Age reported in July 2005 that PA have been working with the Home Office on the design, feasibility and procurement of the ID cards scheme in a team comprising 43 civil servants and 62 consultants.
Consultants are meant to be independent and objective. PA's considered opinion of biometrics is published in a 24 November 2004 document on the web, Biometrics – Is that really you?, which acknowledges some of the problems associated with biometrics:
"Fingerprint recognition can be fooled by calluses, residual prints on the reader, and even hand cream! Face recognition struggles in certain lighting conditions and can by fooled by disguises; and iris recognition can be confused by contact lenses and watery eyes."
The document clings to the notion that two or three unreliable biometrics taken together become reliable even if no single biometric identifies people reliably. Two or three wrongs make a right?
PA's conclusion is that "despite the problems and objections to biometrics today we will see the technology become increasingly pervasive". We may, indeed, see biometrics becoming pervasive, not only in passports and ID cards but also supposedly one day in car doors and the front doors to our homes but, again, that cannot make them reliable.
The PA document makes the point that the ICAO and the US insist on the use of biometrics, which is true, but those facts cannot make biometrics reliable.
The answer to PA's question is no, biometrics today cannot tell whether that is "really you".
And if biometrics do, one day, become reliable, then PA still won't have solved the civil liberties problems which their document also raises:
"Biometric identification also faces stringent opposition from civil liberties groups who believe that it represents a breach of privacy. There is great concern about the storage of the biometric data and who has access to it. The possibility of storage of personal data on a centralized government database causes greatest concern. There is concern that this data may be misused and even that it may be possible for a person’s stored data ... to fall into the wrong hands."
It is, in short, this document, not a good advertisement for the deployment of logic which we expect from consultants.
It is illustrated with a diagram of what PA call "The Innovation Highway", see below. A car starts at Concept Boulevard, proceeds along Invention Street, goes up Biometrics Mountain, round and round the top, then down Challenge Avenue and Obsolescence Avenue and finally stops in The Car Park of Antiquity. The car is yellow and, according to the legend, that means that the technology is mostly "hype".
Nowhere on this infantile diagram is the Bank of Credulity and Ingenuousness shown but, according to the Management Consultancy and Accountancy Age articles, PA had been paid about £12m for their work by July 2005. The Home Office say that the final cost of PA's assignment is "likely to exceed the estimates quoted" but that this is not an "overrun" because "these costs have never been treated as the 'contract value'".
Consultants are also meant to be experienced and responsible. Experience teaches that computerised systems need to be tested thoroughly before they are released. To release untested code is simply irresponsible. But the House of Commons Science and Technology Committee have been told that:
"It would not be realistic to rigorously test everything before the scheme goes live, to the point where the government can be sure that no further changes need to be made to the design of the scheme. Some parts of the scheme will not be tested, but will use off-the-shelf technology that has been adequately tested elsewhere" (Computing magazine, 26 October 2006).
Would the Audit Commission be lenient about this failue to observe established procedure? They may be. The new chairman of the Audit Commission is Michael O'Higgins, previously Managing Partner of PA Consulting.
Such is the capability of the suppliers the taxpayers are funding and on whom our border controls may depend, access to state benefits, health care and education may depend, and on which the fights against crime and terrorism may rely.
On 11 December 2003 Katherine Courtney, at the time Director of the Identity Cards Programme, gave evidence to the Home Affairs Committe. The following exchange took place:
You can see her problem. Who will review the performance of these suppliers? Who will authorise the deployment of their scheme? Answer, people in senior positions in the government and the civil service. Positions which have now been captured by the suppliers.