Search This Blog

Monday, December 22, 2003

Enemy of Freedom?

Expect light blogging in the next week. I'm on the road and will check in sporadically.

Incidentally, I've just finished spending the weekend with the UK's new Director of the Identity Cards Programme, Katherine Courtney. Note: libertarians might want to avert their eyes.

Though some people know her has an "enemy of freedom," I'm unconvinced. This is from her testimony on December 11 before the Home Affairs Committee:
Q46 Mr Prosser: I want to ask some questions about the National Identity Register. Have you made any firm decisions on what information will go into the Register and, if so, what are they?

Katherine Courtney: The information that is proposed to be held on the National Identity Register is simply that information which is required to establish a person's core identity. So that might include name, date of birth and a record of certain biometric identifiers. However, the decision of exactly what is going to be held on the Register is subject to legislation and, therefore, is really a matter of Parliament. That decision has not been taken yet.

Q47 Mr Prosser: What measures will you take to ensure that some sort of fraud does not take place at that critical moment and therefore undermine the whole issue of an ID card?

Katherine Courtney: At the moment of enrolling an individual into the Register?

Q48 Mr Prosser: Yes.

Katherine Courtney: Quite rigorous security will be built into the system. Just to give some of the examples; first of all, recording the biometric details of an individual will enable us to check against other records held on the Register to ensure that, for instance, a person is not presenting themselves with a second identity and trying to claim that they should be issued with a second ID card; secondly, at the point of first enrolment we will be undertaking a very rigorous background check on the individual based on the information that they supply in the application procedure. So that will include looking at what we call a "biographical footprint" or where that individual has had contact with other Government departments in the past. That is not to capture that data into the Register but simply to verify that individual's existence in the UK. It is very difficult for somebody to invent a biographical footprint and so that is a very effective fraud prevention measure in itself.

Q49 Mr Prosser: Will that registration be linked to the Civil Registration Service? Will there be any linkage between the two?

Katherine Courtney: We hope to have a link in that the Civil Registration Service is working towards electronic records of births, marriages and deaths and it would certainly be an easy way for us to validate information that people are presenting to us about their birth date, for instance, if we were able to check that electronically against the new electronic registration database, as we know the current paper documentation for birth certificates etc. is not particularly secure.

Q50 Mr Prosser: You have been using the expression "biometric footprint" ...

Katherine Courtney: It was "biographical footprint".

Q51 Mr Prosser: "Biographical footprint"? Okay. In regards to the biometrical information stored in the card, are decisions made on that yet?

Katherine Courtney: Again, no decision has been taken on precisely what will be stored on the card or indeed will be recorded on the Register. We have taken quite a long look at the biometric technology and the current state of evolution there and we are now embarking on a process of design, analysis, feasibility testing and technology tests to look at, in particular, three types of biometrics, which I am happy to elaborate on if you would like further information. Would you care for me to speak further about it?

Q52 Mr Prosser: Yes.

Katherine Courtney: The three that we are evaluating are; a facial biometric, which is effectively a digital photograph of an individual's face that can then be matched against other digital photographs in a database; fingerprints, which is a digital record again of a person's fingerprints; and iris, which is a photograph effectively of the shape of a person's iris. These are unique physical identifiers and when captured in a digital format can be quite easily compared with other similar records to see whether there is a match or not. We have the UK Passport Service just about to undertake a pilot of enrolment looking at all three of those types of biometric recording to evaluate the robustness of the technology, the enrolment experience across a sort of representative segment of the UK population to see what that end-user experience is like.

Q53 Mr Prosser: We are told that the facial recognition is not a safe enough system. You have not dismissed that yet?

Katherine Courtney: Facial recognition in and of itself is not as robust as iris or fingerprint, but what is important is that we intend to be using more than one biometric record because that really gives you a very high level of assurance that the individual being held in the Register and presenting themself in front of you not only looks like the picture but also has an identifying physical characteristic that can really only be unique to them.

Q54 Mr Prosser: We are told that one in 10,000 people would not be suitable for iris recognition, but I suppose if you have got two different recognition patterns ...

Katherine Courtney: This is why we are undertaking this stage of intensive testing and analysis. We have no intention of launching a technology that is not fit for the purpose and certainly over the coming year we will be doing feasibility testing and then over the three years set up of the programme. We will be doing rigorous end to end testing of the whole system to ensure that it is robust and ready for launch for the first ID cards are introduced.

Q55 Mr Prosser: How will you break down the possible public resistance to people having their fingerprints taken and all the connotations and connections with the criminal world?

Katherine Courtney: I think this is a matter for public education because the fingerprints are not being recorded for the purpose of checking them against any criminal database or any other policing sort of purpose. The purpose of taking a picture of your fingerprints, taking a picture of your iris, taking a picture of your face is to record in your record in the register unique characteristics that if somebody were to steal your ID card or if you were to lose it, it would make it virtually impossible for somebody to pass themselves off as you.

Q56 Mr Prosser: Have you considered taking samples of DNA?

Katherine Courtney: No, we have not considered taking samples of DNA.

Q98 Janet Anderson: How many cards of each sort do you expect to be issued per year?

Katherine Courtney: In total, when the system is up and running, we would expect to be issuing somewhere between 10 and 17 million of these cards per year. That is roughly similar to the volume of passports, drivers licences and other identity type documents that are being issued in the UK currently. I do not have the specific breakdown of how many of those would be through new and renewal passports or drivers licences.

Q99 Janet Anderson: When do you think you would be able to cover the whole of the economically active population?

Katherine Courtney: Our estimates show that on a sort of phased incremental approach we should reach about 80% of the economically active population within five years after the launch of the scheme.

Q100 Janet Anderson: When the whole population, do you think?

Katherine Courtney: To reach the whole of the population would probably require a move to compulsion, so I cannot give an estimate of when that would happen.

Q101 Janet Anderson: You do have some proposals for a combined passport identity card, I think that is mentioned, and a combined driving licence identity card.

Katherine Courtney: Yes.

Q102 Janet Anderson: Presumably for passports, driving licences and identity cards you would have three different databases? Is that right?

Katherine Courtney: Yes.

Q103 Janet Anderson: Will they be able to talk to each other and do you ever see a point where you may want to combine the whole lot into one IT database?

Katherine Courtney: Passports and drivers licences have already, as those two agencies have been doing quite a lot of work together, working very closely, on both the initial checking of applicants and also verifying documentation against each other's databases already. We are effectively looking to build on the good practice that they have already been working on.

Q104 Janet Anderson: And that is working, is it?

Katherine Courtney: Yes. In terms of whether those agencies might ever be combined into a single agency, really the structure and function of agencies is a decision for the Government of the day, so I am not able to comment on that.

Q105 Chairman: We have a number of elements to the system; we have the database, we have the physical job of collecting the biometrics, we have the production of the cards, we have the administration system and so on. Which of those different functions, potentially, could be carried out by private sector companies rather than by public sector institutions?

Katherine Courtney: As you know, we are now entering into what we call the "project definition stage" of this project and the design of the solutions, both from the business process and technology perspective, is exactly what we are looking at over the coming year. So it is premature for me to be able to give you any idea of how private sector companies might be involved in the eventual delivery of that solution.

Q106 Chairman: Are there any areas that have been excluded at the moment from being delivered by the private sector?

Katherine Courtney: I do not believe that any firm decisions have been taken on any of the designs.

Q107 Chairman: So the database itself could potentially be run by a private sector organisation?

Katherine Courtney: I think you would want to distinguish between who has authority over the database and which entity actually does the operational day to day technical maintenance of the database and again no decisions have been taken.

Q108 Chairman: Is that a clear distinction in your mind?

Katherine Courtney: It is a clear distinction in my mind, yes.

Q109 Chairman: Right, but I mean the police national computer, for example, is maintained by the police. The Criminal Records Bureau has access to it. That is not the same as saying that the Criminal Records Bureau, God help us, should run the police national computer.

Katherine Courtney: Yes, but I think the specific question was about private sector organisations' involvement in this scheme.

Q110 Chairman: Yes, I am just trying to be clear; in principle, have you excluded the idea that the database could be run and managed and effectively controlled by, not necessarily owned by, controlled by a private sector organisation?

Katherine Courtney: Again, I can only say that these are all issues that are being explored during the design phase.

Q115 Chairman: In terms of the private sector, you have talked about banks, financial institutions, solicitors or whatever who might wish to use the card; to what extent will you be designing the card and its content around the requirements of private sector users as opposed to public sector users like Benefits or Health?

Katherine Courtney: The design of the scheme throughout the consultation period to date, coming up with the initial concepts, etc., has been in consultation with private sector organisations as well as public sector. The financial services sector, for instance, has expressed quite a lot of interest in the possibility of using this scheme to prove identity in the future. So the design of the scheme is meant to be putting in place capabilities that are effective and cost effective for a whole range of situations. That runs from potentially a small retailer wanting simply to, if date of birth, for instance, is reflected on the face of these cards, maybe just wanting to be able to use a very simple check for proof of age. On the opposite end of the spectrum you may find that for major financial transactions, a bank may want to be able to perform a verification check of that identity against the database and will be exploring possibilities to make that feasible for them.

Q116 Chairman: Suppose a financial institution came and said what would be really useful would be for the card to carry details of major criminal convictions?

Katherine Courtney: I think we have been quite clear that the function and the purpose of the scheme and the function of the card and the system itself is to verify identity. There is no intention to hold any other information about individuals.

Q117 Chairman: So that would be a straight no to any institution that asked for extra information to be carried in other than the identity information you have already told us about?

Katherine Courtney: Absolutely.

Q118 Chairman: What other departments and agencies are being involved alongside the Home Office in developing the biometric and other technologies?

Katherine Courtney: We have been working very closely not only with colleagues in other Government departments here and across the Home Office, both with the DVLA, who have been looking at this issue, with UK Passport Service, who have done quite a lot of work due to the requirements that are placed upon them now by evolving standards in the international community and also the Immigration Service has done quite a lot of work in this area. But in addition to that, we have been working closely with other countries, with EU partners, with the US and, for instance, taking a very active role in the G8 Working Group on Biometrics.

Q119 Chairman: How much is the technology going to change? At the moment when you have your iris scan, you have to sit down, I think, in the special booth or in front of a camera. I presume, given I was hoping to get this wonderful mobile phone camera for Christmas, that in ten years' time a police officer will probably be able to carry a camera capable of doing an iris scan in the street and checking it against a card. Have you looked at how the technologies will change over the next ten years and what the circumstances are likely to be when the new card is brought into force?

Katherine Courtney: Certainly the work that has gone before with the National Physical Laboratory study and the consultations that we have taken with the industry sector through, for instance, Intellact, has informed the decisions that have been made to date in designing the preliminary concept for this scheme in terms of how we are going forward. We are looking at future proofing the scheme. Obviously there is no point in building something that is obsolete before we launch it. I cannot predict for you how the technology will change.

Q139 Janet Anderson: How will you decide whether the technology is working? Will you set certain tests against which you will measure whether it is being effective or not.

Katherine Courtney: I think it would be obvious if the technology were not working, but the testing that we will be going through, not only now in the feasibility analysis stage of this programme, but throughout the set up, and then conducting very rigorous end to end testing of the whole system which includes testing the business processes behind the technology and not just the technology itself, will put us in a position to be clear that it is working as designed, that it is meeting the specifications before we go live with the system and launch cards and make them available to the public. And then, once it is live and operational, you would be conducting the same performance measurement that you would on any major technological system on an ongoing basis to ensure that it continued to performance up to the required standards.

Q140 Janet Anderson: Do you think you have learnt any lessons from some of the things that have happened in this past? I was just thinking about passports and when the asylum databases were combined, the three databases, have you learnt lessons from what went wrong there, you think, which will inform what you are doing here?

Katherine Courtney: Certainly we are drawing lessons not only from projects that have gone wrong but also from projects that have gone well, in the public sector and in the private sector. Quite importantly, the team that has been brought together to manage this programme bring a wealth of expertise from the private sector, which is where I myself have come from, as well as across Government and having been involved in other major Government initiatives in the past. And then finally, I should say that the Office of Government Commerce oversight that we have invited in is providing us again with access to best practice, information and learning from other Government initiatives.

Q141 Janet Anderson: Do you think that there will be a need for an independent assessment at some point, or do you think that you will have built sufficient safeguards in place?

Katherine Courtney: I am not sure I understand what an independent assessment is?

Q142 Janet Anderson: At some point would you perhaps commission an independent assessment, an outside assessment, to assess whether it was, in fact, working as you had intended?

Katherine Courtney: Certainly we have, within the proposed governance framework for this programme, a whole raft of oversight both within the Home Office and independent advice from outside. No decision has been made whether we would commission a particular independent.

Q143 Chairman: You noted earlier that the OGC Gateways go from 0 to 5, that is because it is Gateway 6 would tell you the system was really going to work, is it not, and we never quite get there? I mean this is the same OGC framework that signed off the Criminal Records Bureau, I think, was ready to run. So do you have complete confidence that the OGC Gateways are sufficiently robust to say "Yes, we can push the button on this one and it is ready to go"?

Katherine Courtney: I know that OGC Gateway system is a fairly new process. It has only been in operation for the last couple of years and I, coming in from outside of Government, cannot really speak on how effective the process is. What I do know is that, from my own background, I have confidence that a programme like this, it is possible to deliver a programme of this size and complexity within plan and effectively and successfully.

Q144 Chairman: Have a look at the advice we got on the Criminal Records Bureau. Could you just tell us what your background is?

Katherine Courtney: Certainly. I have spent the last 12 years in the technology sector leading major development programmes both for major companies like Cable and Wireless and BT and also have been involved in the start up of several new technology ventures. Most of those were rolling out new businesses on an international basis which requires a great deal of not just complexity in terms of the technical systems, but also in terms of the cultural and business process issues there.

Q145 David Winnick: How were you brought into the Home Office? Was it an advertisement or other contacts?

Katherine Courtney: Yes, there was a recruitment process and I saw an ad in the Sunday Times and applied for the job.
Katherine is my wife's sister.

No comments:

Post a Comment