Several eminent academics who do actually know about information security, cryptography, software engineering, etc. have written a letter, published by one of the signatories, Dr. Ian Brown, on his Blogzilla blog.
Mr Andrew Dismore MP
Chair, Joint Committee on Human Rights
House of Commons
London SW1P 3JA
cc: Committee members; David Smith, Deputy Information Commissioner
26 November 2007
Dear Mr Dismore,
The government, in response to the recent HMRC Child Benefit data breach, has asserted that personal information on the proposed National Identity Register (NIR) will be 'biometrically secured':
"The key thing about identity cards is, of course, that information is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be." - The Chancellor, Hansard Column 1106, 20/11/07
"What we must ensure is that identity fraud is avoided, and the way to avoid identity fraud is to say that for passport information we will have the biometric support that is necessary, so that people can feel confident that their identity is protected." - The Prime Minister, Hansard Column 1181, 21/11/07
These assertions are based on a fairy-tale view of the capabilities of the technology, and in addition, only deal with one aspect of the problems that this type of data breach causes.
Ministers assert that people's information will be 'protected' because it will be much harder for someone to pass themselves off as another individual if a biometric check is made. This presupposes that:
(a) the entire population can be successfully biometrically enrolled onto the National Identity Register, and successfully matched on every occasion thereafter - which is highly unlikely, given the performance of biometrics across mass populations generally and especially their poor performance in the only, relatively small-scale, trial to date (UKPS enrolment trial, 2004). Groups found to have particular problems with biometric checks include the elderly, the disabled and some ethnic groups such as Asian women;
(b) biometrics are 'unforgeable' - which is demonstrably untrue. Biometric systems have been compromised by 'spoofing' and other means on numerous occasions and, as the technology develops, techniques for subverting the systems evolve too;
(c) every ID check will be authenticated by a live biometric check against the biometric stored on the NIR or at the very least against the biometric stored on the chip on the ID card which is itself verified against the NIR. [N.B. This would represent a huge leap in the cost of the scheme which at present proposes only to check biometrics for 'high value' transactions. The network of secure biometric readers alone (each far more complex and expensive than, e.g. a Chip & PIN card reader) would add billions to the cost of rollout and maintenance.]
Even if, in this fairy-tale land, it came to pass that (a) (b) and (c) were true after all (which we consider most unlikely), the proposed roll-out of the National Identity Scheme would mean that this level of 'protection' would not - on the Home Office's own highly optimistic projections - be extended to the entire population before the end of the next decade (i.e. 2020) at the earliest.
Furthermore, biometric checks at the time of usage do not of themselves make any difference whatsoever to the possibility of the type of disaster that has just occurred at HMRC. This type of data leakage, which occurs regularly across Government, will continue to occur until there is a radical change in the culture both of system designer and system users. The safety, security and privacy of personal data has to become the primary requirement in the design, implementation, operation and auditing of systems of this kind.
The inclusion of biometric data in one's NIR record would make such a record even more valuable to fraudsters and thieves as it would - if leaked or stolen - provide the 'key' to all uses of that individual's biometrics (e.g. accessing personal or business information on a laptop, biometric access to bank accounts, etc.) for the rest of his or her life. Once lost, it would be impossible to issue a person with new fingerprints. One cannot change one's fingers as one can a bank account.
However, this concentration on citizens 'verifying' their identity when making transactions is only one issue amongst many when considering the leakage of personal data. Large-scale losses of personal data can have consequences well beyond an increase in identity fraud. For example, they could be potentially fatal to individuals such as the directors of Huntingdon Life Sciences, victims of domestic violence or former Northern Ireland ministers.
It is therefore our strongest recommendation that further development of a National Identity Register or National Identity Scheme (including biometric visas and ePassports) should be suspended until such time that research and development work has established beyond reasonable doubt that these are capable of operating securely, effectively and economically on the scale envisaged.
Government systems have so far paid little attention to privacy. Last week's events have very significant implications indeed for future government information systems development.
We would be pleased to clarify any of these points or provide further information if useful to the Committee.
Professor Ross Anderson
Dr Richard Clayton
University of Cambridge Computer Laboratory
Dr Ian Brown
Oxford Internet Institute, University of Oxford
Dr Brian Gladman
Ministry of Defence and NATO (retired)
Professor Angela Sasse
University College London Department of Computer Science
Martyn Thomas CBE FREng
Compare and contrast this with the Labour Government / Home Office clueless "fairy tale" view given so embarrassingly evasively by Home Secretary Jacqui Smith in reply to her Conservative Opposition counterpart David Davis, during the Topical Questions section of Oral Home Office Questions on Monday (26 Nov 2007 : Column 18):
David Davis (Haltemprice and Howden) (Con): May I ask the Home Secretary about the subject of identity cards? If the Government give away someone’s bank account details, that is a disaster, but at least they can change their bank account. What, precisely, does someone do if the Government give away their biometric details?
The Secretary of State for the Home Department (Jacqui Smith): There is of course an important protection in an identity card system, through the use of biometrics. Biometrics will link a person securely and reliably to his or her unique identity. It will therefore become much more difficult for people to misuse other people’s identity, even if full details of their biographical information are already known. The current plan for the national identity register is for biometric information to be held separately from biographical information, thereby safeguarding against the sort of eventuality that the right hon. Gentleman described.
David Davis: I do not look forward to the day when the National Audit Office or anybody else asks for that information and is sent it. Let us look at the other aspect of identity cards: the question of protection. The Home Office is currently prototyping a European-wide identity card project called Project Stork. How will it prevent a repetition of the disaster of the past few weeks when sensitive personal data are held not by one Government but by 27?
Jacqui Smith: If the right hon. Gentleman wants to give me more information about the particular allegation that he is making, I will of course be willing to follow it up, but the point that I made remains. The advantage of a national identity register is that it enables the linking of biometric information, maintained on one database, with biographic data, maintained on another, thereby strengthening the protection for individuals in circumstances where, for example, biographic data were stolen or went missing. That is a strengthening of the current position, which is why any Government or Opposition who are serious about public protection and identity fraud should be thinking seriously about how we address those issues, instead of making hay.
These Labour Ministers still keep clinging on to their self-deluded, irrational belief that somehow "biometrics" are a technological magic fix to their problems.
Why do they not take the opportunity of the HMRC data security and privacy disaster reviews to save political face, and to admit that, after due consideration, the centralised compulsory biometric database National Identity Register is too risky?
If biometric details are to be used to enhance anti-forgery techniques, they should only be stored securely in the Smart Card chips used in individual, widely distributed, ID Cards or Passports, and not in an inherently vulnerable centralised database.