The Home Affairs Committee Inquiry into ID Cards met at 2.30 pm on Tuesday 24 February They heard evidence from Professor Ross Anderson, the Foundation for Information Policy Research; Professor Martyn Thomas, the UK Computing and Research Committee; and Nick Kalisperas, Senior Programme Manager, Intellect, and Geoff Llewellyn, Member, Intellect ID Card Working Group on Identity Cards.
This session was broadcast by the BBC Parliament television channel on Sunday 29th February 2004 at 18:00.
Our general impression was that Professor Ross Anderson (Professor of Security Engineering at Cambridge University) and Professor Martyn Thomas, both with vast academic and commercial experience of IT computer systems, and security mechanisms considered the Government's Compulsory Biometric ID Card proposals as unworkably complicated.
It was surprising to hear Geoff Llewellyn talking about how difficult it was to tamper with Smart Cards, when sitting on the same table was Professor Ross Anderson, whose book (which was referred to a couple of times): "Security Engineering: A Guide to Building Dependable Distributed Systems" demonstrates how any moderately well equipped university or commercial laboratory could do so, and is illustrated with photos of such experiments.
Both of the Professors seemed to agree that the Centralised Biometric Database approach was a case of "putting all of one's eggs in one basket", providing an extremely vulnerable Single Point of Failure which currently does not exist in our Critical National Infrastructure.
The representatives from IT and Electronics company trade body Intellect, were much more optimistic that the practical technical problems could be overcome.
There was a certain amount of controversy between the witnesses. Professor Thomas denounced the lack of use of rigourous software engineering programming and quality assurance techniques by the commercial IT supply industry as a whole. and Nick Kalisperas then commented that Professor Thomas "was on the outside, looking in", implying that somehow the technology which Intellect members who had been "working with the Home Office for 2 years" was in some way immune to the security and reliability problems mentioned by Professors Thomas and Professor Anderson.
Nick Kalisperas promoted Intellect as a forum for the Government to use as a sounding board to help prevent poorly specified and scoped Government IT projects (of which there have been far too many). He did admit, that this was a relatively new initiative since the end of last year, and that Intellect had, therefore not yet ever had to say to the Government "no you cannot possibly do this with current or forseeable technology". He also seemed to have faith in the the Office of Government Commerce Gateway Review process.
It will be interesting to see if the Committee takes oral evidence from those OGC project managers and accountants who have supposedly already conducted two "pre-zero" reviews and who should have conducted their "phase 0" review of the ID Cards project by the end of January.
Professor Anderson was more sceptical about Government IT procurement, and noted how often in the past, suppliers were willing to exaggerate their own capabilities, knowing that once they had secured the contract, the Government was effectively locked in, and had no option but to pay them more money to fix the problems which they had not originally budgeted for. This scepticism of the commercial IT sectors' sales and marketing methods seemed to be shared by David Cameron MP, (Conservative, Witney).
When asked about acceptance of ID cards, Professor Anderson did mention the unfairness of the way that the over 5000 negative individual responses to the Home Office Entitlement Card consultation via the STAND website were lumped together as if they were one, which as he pointed out, also did a disservice to the relatively few people who supported the idea of an ID Card, since their response was now being treated as "one five thousandth of a negative response" instead of a whole positive one. David Winnick MP (Labour, Walsall North), who had posed the question said that they might ask the Home Secretary about this.
All of the witnesses agreed that there needs to be much more detailed clarification from the Home Office of exactly what the ID Card system is supposed to achieve and what it is not expected to do.
Mention was made of the German ID card system, which does not use Biometrics and which has a card serial number which changes when the card is re-issued periodically, and which, by law, it is forbidden to use this card serial number as a key to central government databases.
This was contrasted with the Identity Theft problems in the USA, caused by the Social Security number being widely used for all kinds of purposes for which it was not designed for.
Mention was made of the Passport Office 10,000 user trial currently underway, which seems to be the only Home Office pilot project that is being contemplated before rolling out their ID card project to 60 million people.
N.B. it was not made clear that Geoff Llewellyn, of Intellect, apparently works for SchlumbergerSema, which is the company which is financially involved in running the Passport Office pilot scheme.
Kablenet have published a view of this oral session. "Cards split the table Witnesses to a Parliamentary committee have argued over the credibility of the Government's proposal for a national identity card"