Business Consultancy Services Ltd

 

 

28 January 2007

 

Rt Hon Dr John Reid MP

Home Secretary

Home Office

50 Queen Anne’s Gate
London SW1H 9AT                                                                                      

Dear Home Secretary

The need to deliver (2001 election) and the need to listen (2005)

Last week did not help the Home Office’s reputation for competence. At some point soon, commentators will remember that this same Home Office has been entrusted with accurately registering the identities of 50m people in the UK, and maintaining those identities securely, at a cost to the nation of about £20bn. This document suggests an appropriate response to the likely comments.

The unique selling point of the new passports, ID cards and visas (collectively, “ID vouchers”) is the novel use being made of biometrics, specifically biometrics based on fingerprints.

The fingerprint technology being implemented for ID vouchers in the UK and elsewhere is 81% reliable at best. This figure is based on the evidence of the UKPS biometrics trial[1] and on the daily experience of US-VISIT[2]. 19% of people are excluded. That is, in a UK population of 50m cardholders, 9.5m of them would not be able to use their fingerprints to verify their identity.

It might be be nice if this was not the case. Crimes like illegal working could then be prevented with all the simplicity of a stock control system. But it is the case, and it is wishful thinking to proceed as though it isn’t.

That is the state of the art. And yet, repeated government announcements and publications continue to speak of biometrics as though they have near-100% reliability[3]. That is what people have been led to expect but the promise cannot possibly be delivered[4].

It follows that, when the 81% message coming through from reality makes itself heard, there will be an almighty row. The only question is when that row takes place. If you act quickly, the timing will be to some extent under Home Office control. Consider three options. According to the Strategic Action Plan for the National Identity Scheme[5] (SAPNIS):

·        ID vouchers with fingerprints will start to be issued from 2010 onwards. The Home Office could just wait for the bad news to dribble out. But then they would face embarrassing questions why they allowed several billion poundsworth of taxpayers’ money to be invested in a false prospectus for so long, when the facts were known four or five years earlier.

·        Contracts for biometrics are supposed to be let some time after 30 June 2007. The Home Office could at that stage say that no contracts will be awarded and SAPNIS will have to be rethought because no supplier can offer the near-100% reliability required.

·        Invitations to tender (ITTs) will be issued before 1 April 2007, following further consultation with biometrics suppliers. The Home Office could announce some time soon after 31 March 2007 that the consultations reveal that there is no point issuing the ITTs as no supplier can offer the near-100% reliability required and SAPNIS will have to be rethought.

There is a fourth option, a strategy which we recommend, based on two principles:

·        The problems with biometrics are not restricted to the UK. They also affect the plans of other EU countries, and the US, among others.

·        The proper focuses of a Home Office ID card scheme should be crime prevention, crime detection and counter-terrorism.

Our strategy, A-S, is as follows:

A. At a summit of EU interior ministers or at a summit with the US, announce that the UK has evidence-based, scientific, practical reservations[6] about the use of biometrics in ID vouchers. These affect the UK and all its partners worldwide. They imply that, to all intents and purposes, the money spent on biometrics is wasted, the technology is not reliable enough[7].

B. Announce that the UK will stand by its ICAO commitment to the Berlin Resolution[8]. This advocates the use of biometrics based on facial geometry, biometrics which are known to be quite useless[9]. Nevertheless, we are committed. We shall therefore follow the excellent example of Ireland[10], who have implemented the Resolution at a total cost of just €6.1m.

C. Announce that the UK, like Ireland and Denmark, is exempt from EC 2252/2004[11] and will therefore not be adding biometrics based on fingerprints to its ID vouchers.

A-C are for international consumption as much as domestic. The interior ministries of several countries may be expected to be embroiled for some time in devising clarifications for their parishioners. The points below are more for domestic consumption. The idea is that you should announce that:

D. Biometrics do not provide a reliable basis for streamlining public services, ref. DWP’s current plans. Those plans, like SAPNIS, will need to be rethought.

E. There is no need, therefore, to tear up the wisdom of ages which is the UK Constitution – the provisions, enshrined most recently in the Data Protection Act, constraining data-sharing between government departments, will remain in place.

F. And biometrics do not provide a reliable basis for improving the national and international payments systems, ref. the Crosby forum on identity management. The introduction of today’s biometrics into these systems would probably reduce us in short order to a barter economy.

G. There is no point collecting everyone’s biometrics unless and until the technology improves. The Home Office have themselves noted[12] the difficulty that employers often have verifying the identity of potential recruits, the similar identity verification difficulties throughout the criminal justice system and the mistakes made by the Criminal Records Bureau[13]. There is no reason to believe that IPS staff, without the help of reliable biometrics, would be any better at establishing people’s identity[14]. There is therefore no point building the new national network of 69 (or 8,000[15]) registration centres for passports and ID cards.

H. And there is no point building the new national network of ID card readers and biometric verification equipment[16] which the Identity Cards Act requires.

I. There is no need to issue 50m[17] plastic ID cards. Creating a pile of plastic 50km high is, anyway, hardly carbon neutral.

J. The LSE estimated at one point that the total cost of the biometric passport and ID card schemes would be in the range £10.6bn to £19.2bn[18]. This cost, which would have been borne by government departments, the private sector and the voluntary sector[19] will now be saved.

K. There is an abiding need to improve crime prevention, crime detection and counter-terrorism. There are exemptions in the Data Protection Act, precisely for matters of national security and crime[20], which allow for data-sharing between government departments.

L. The sad lesson of the Spanish railway bombings is that ID cards were never going to provide much assistance with those objectives. Great assistance is provided, though, by the global mobile phone network. Mobile phones allow the police and the security services to identify people, locate them and identify their associates. Mobile phones are effectively ID cards[21].

M. Stories of how mobile phones are used to locate people and check alibis are frequently published in the media and have been for years[22]. The civil liberties issues associated with this loss of privacy are thereby arguably neutralised. Everyone knows that they have this function and yet we still voluntarily buy and use mobiles.

N. Most people already have mobile phones[23]. They do not need to pay for a second, inferior, smart ID card. In particular, criminals and terrorists already have mobile phones. We do not need to try to issue them with ID cards. Most people voluntarily take their mobile phone with them wherever they go. This is the way society has evolved. The Home Office now consider it more effective to take advantage of this natural evolutionary development than to try to go against the grain and force the old-fashioned, pedestrian technology of smart cards on people.

O. We already have four mobile phone networks up and running in the UK[24]. We do not need to pay for a new ID card network to be built, as noted, and we do not need to wait several years for it to be built. We can use the existing mobile phone networks and we can get started now on improving crime-fighting and counter-terrorism.

P. The Home Office intend to pursue the initiatives launched by Charles Clarke:

·        Mobile phone network operators in the UK and abroad will be asked to keep records for at least two years and to share them[25].

·        In 2002, the police and HMRC between them submitted 500,000 enquiries to the mobile phone network operators for location and timing data[26]. These days, there are more like 1m enquiries a year. The procedures whereby the authorities obtain location and timing data from the network operators will be streamlined. Sanctioned by the Regulation of Investigatory Powers Act, a portal will be developed to query the operators’ databases in real time, when these queries are raised in connection with a criminal or terrorist investigation[27].

·        All mobiles, including pay-as-you-go phones, will in future need to be registered. This innovation has been requested for years by NCIS/SOCA[28] and the Home Office can no longer ignore it. The pay-as-you-go business will continue to exist. There will still not be an itemised bill turning up on the doorstep once a month. But it will be easier to associate a name or names with each mobile phone, pay-as-you-go phones will be less the “terrorist’s friend” as they are known.

Q. The Home Office will promote this approach to counter-terrorism and crime-fighting, which we call “dematerialised ID”, with our international partners. Dematerialised ID is an ID card scheme with no cards. We expect it to be embraced worldwide, with the same enthusiasm as an earlier invention pioneered in the UK, privatisation.

R. According to our partners in the EU[29]: “Although smart cards were the main focus, it was also recognised that other non-card based solutions for carrying out qualified eServices are being developed. Work on mobile device technology is particularly important, as this medium potentially offers cost, security and functionality benefits over smart cards”. Cost. Security. Functionality. Like us, they clearly regret the unimaginative concentration on smart cards. Like us, they clearly see the benefits of fitting in with the natural evolution of society and using mobile phones instead.

S. mCommerce, if it ever comes, may expand the economy and bring benefits to us all[30]. It is not the Home Office’s job to concern itself with mCommerce but we should at least not stand in the way of its development. Dematerialised ID achieves that, in marked contrast to the previously proposed smart card solution.

There. An entire strategy for you.

There is no doubt that SAPNIS stands or falls on the reliability of biometrics. All the published data we can find on facial geometry, irisprints and the new-style fingerprints[31] suggests that you can’t beat 81%. Unless we have missed something, SAPNIS can only fail. It cannot be delivered.

If the Home Office has a more reliable technology available, it is one of the better kept secrets in the world. We suspect that there is no such technology and that this is a case of wishful thinking. Minority Report, it must be remembered, is a film, a piece of fiction[32], and not reality.

The Permanent Secretary has the reputation of an assassin[33]. Perfect. The two of you together, it is recommended, should grill your officials and consultants. Can they prove to your satisfaction that the 99%+ reliability needed[34] is actually within the Home Office’s grasp?

·        If so, then BCSL will look like fools but there will be no other harm done.

·        Otherwise, if these people just have their fingers crossed[35], we stand by our strategy, A-S above. Dematerialised ID is the result of four years of research and, unlike the Home Office’s smart card scheme, it has survived all peer reviews so far. There are no known wrongs with it. It is a scheme the Home Office could deliver. Not least, because most of it is already here.

This is the eighth letter we have sent you (unasked, to advocate an effective scheme and to save taxpayers’ money) in our delivery and listening series. Is there any reason to believe that it will have any effect, that you are listening?

Yes. Some. It was February 2003[36] when we first wrote to the Home Office suggesting that there is no need to build a new NIR[37]. The government already has dozens of databases which, on their own and/or together, constitute an NIR. We have written several times more in the intervening four years. It is surprising that it has taken the Home Office so long to announce that they will do just that, that they will make use of existing resources[38], but it is nonetheless welcome[39].

That is the first ray of light in four years. It has been quickly followed by a second – we note that biometrics based on irisprints have now been abandoned, at least for the moment[40].

We look forward to further quick breakthroughs. The strategy should be co-ordinated with DWP and should be implemented before the Crosby forum reports, in April 2007, or the minute Assistant Commissioner Yates makes an arrest, if that is earlier.

Yours sincerely

David Moss

 


[28] http://www.ncis.gov.uk/UKTA2002_1.pdf This link to the 2002 Threat Assessment report produced by NCIS (now SOCA) is no longer available on the web. It included the following at para.2.38: "In choosing telecommunications products and services, criminals are guided by the need for security, anonymity and convenience. They remain keenly aware of new products and services and take advantage of any that enhance these three features. Mobile phones, in particular prepays, are particularly popular, since there are no legal requirements for registering them and so no need to reveal any personal details. They are also inexpensive enough to be bought in bulk and regularly changed. Organised criminals also make use of telephone kiosks, foreign roaming mobiles (also available as prepay) and satellite phones".

[36] http://dematerialisedid.com/BCSL/4%20February%202003.pdf, para.1.4-5. It will be noted that in February 2003 BCSL believed the marketing literature put out by the biometrics suppliers. That belief has been undermined by the evidence of the UKPS biometrics trial and US-VISIT. BCSL is now a biometrics apostate, a state recommended here to the Home Office.