Image problem

David Blunkett’s plan for a national ID card has sparked a furious row. But will it work? And how? SA Mathieson investigates

This was written based on a relatively early version of the plans for ID cards in 2003. I wrote about the identity card scheme from 2002 through to its destruction in February 2011. All articles on ID cards.

Powered by article titled “Image problem” was written by SA Mathieson, for The Guardian on Thursday 20th November 2003 16.09 UTC

If you are planning to renew your passport, change the address on your driving licence or even turn 16 in 2006, you may be in for a shock. Home secretary David Blunkett said last week that mandatory national identity cards would not be introduced for a decade – and only then with parliament’s agreement.

But his first phase plans, effective from 2005 or 2006, will mean tens of thousands of us will have to report to a government station and have a biometric measurement taken.

Included will be anyone updating either a passport and probably also a driving licence, all foreign nationals here for more than three months, and anyone turning 16.

What will the process involve? A biometric is a measurement of part of the human body, and the Home Office is testing three options: face recognition, fingerprints and iris scans.

A one-off fee of around £35 will be charged, on top of any usual passport or licence renewal fee, falling to £10 for those on low incomes and nothing for 16-year-olds. In return, you will get a national identity card, which will replace the National Insurance card. The Home Office says there would be financial penalties for non-compliance – although these are not expected to apply until the scheme is fully rolled out.

Several countries are moving in this direction. However, the UK, along with 20 other countries in the United States’ visa waiver scheme, has effectively been bounced into it. The US set a deadline of late 2003 for visa-waiver countries (from which you can travel to the States without a visa) to start a scheme adding secure biometrics to passports, although this was pushed back by a year. The alternative was for Britons to apply for entry visas.

However, passports already carry a biometric: a photo. In May, the International Civil Aviation Organisation agreed that encrypted digitised photos, held on a microchip in the passport – using a technology such as Radio Frequency Identification (RFID) – would be its new standard.

Digitised photos are better than printed ones, but they still rely on those checking the photos. “Humans are incredibly good at recognising faces they are familiar with, but not very good at matching ones they are not familiar with,” says Markus Kuhn, a lecturer in computer security at Cambridge University.

There is face-matching software, but it is not reliable, and it has to deal with the problem that, unlike fingerprints and irises, faces change.

Fingerprint recognition is relatively cheap: Graham Titterington, a principal analyst for Ovum, a consultancy, says readers cost as little as £20. A fingerprint scheme would provide the police and security services with a comprehensive library of the population’s fingerprints.

“It wouldn’t in itself prove a certain person was there, but it could narrow down the field,” says Titterington. “It does give them power, for good or for ill.”

There is one massive drawback with any identity system that covers a large population. Although biometrics can produce much better verification of someone’s identity, campaigners say they are inherently flawed for large-scale identification. To add someone to a register, you should check they are not already on it, and this problem multiplies with every single person added.

A system with 0.999999 reliability would make a false match, on average, once every million times – great for verification. But for identification, the chances of the system correctly comparing someone with its entire database can be calculated by its success rate to the power of the database size.

If that is two, with the example above it would be 0.999999 squared, or 0.999998. That means 100 people would produce a 0.9999 success rate, 100,000 a 0.9048 success rate. A database holding the whole UK population – 50 million – leads to less than one in five thousand billion billion – in other words, useless.

Dr John Daugman, a lecturer at Cambridge University, took out the patent on algorithms which compare codes derived from the random patterns of the iris – which he says can cope with such unforgiving calculations. The system, which filters out the effect of contact lenses, glasses and eyelashes, has made more than 1bn comparisons on lab images, and some 50bn live comparisons in the United Arab Emirates, where it is used to check all visitors against 280,000 people barred from re-entering the country. It has also been used in airports including Heathrow, Narita and Schiphol, and has so far recorded no false matches.

This may have been behind David Blunkett’s insistance on Radio 4’s Today programme last week that biometrics would make identity theft “not nearly impossible, but impossible”. But Daugman does not go that far. “I would never say infallible,” he says. However, his statistical analysis suggests that, even against a 50 million-strong database, his system will produce a false identification just one time in a million.

Iris scans can only be collected when the individual is a few feet from the camera – unlike faces and fingerprints. “I used to think that was a disadvantage,” says Daugman. “But it’s an advantage that this can’t be used without cooperation.”

It is expensive, however. A simple camera costs around £100, but could not be used by people unable to direct their eyes – such as David Blunkett. The newest motorised cameras can pan and tilt to track irises, but cost around £3,000. Even then, people without irises and those with opaque corneas cannot use the system.

But Simon Davies, director of Privacy International, says there are many more who would not be successfully iris-scanned. Dissenters could refuse to comply by squinting, and others may object to being photographed on religious grounds, with the support of the Human Rights Act. “You cannot treat individuals as machine-like. Many would fail to register properly, and that margin of error has to be taken into account,” he says.

The financial industry has chosen to reject biometrics, by introducing Chip and Pin (personal identification numbers) worldwide to re place signatures on card payments. “The global nature of what we were doing guided us towards Pins,” says Sandra Quinn, spokesperson for banking association Apacs. Americans would accept fingerprinting, whereas many Europeans would not. But many would be wary about giving a retailer they don’t know access to their iris or fingerprint, she says. A Pin, if compromised, can be cancelled and replaced. A compromised biometric stays compromised.

But can it be used? Daugman says his system detects photos or contact lenses overprinted with someone else’s iris, by looking for the dot- patterns found in printing, the eye’s natural rhythmic dilation, or by changing light levels and checking the pupil’s changes in size.

As for fingerprints, a writer in security newsletter Cryptogram says that he can produce dummy fingers that will fool fingerprint readers with materials from do-it-yourself shops.

But banks have other reasons to avoid biometrics. “There are no biometrics that have the speed of throughput that we need for card payments,” says Quinn. “The level of rejection would be too high, and too risky, for a retail environment.”

Some fear what a government could do with an effective identity scheme, particularly if it is linked to other databases. Since a Cabinet Office report last year on the desirability of data-sharing in the name of joined-up government, several linking projects have already been announced.

In July, National Statistics consulted on plans to ditch the paper registers of births, marriages and deaths, in favour of a paperless database of linked-up “through-life records”. And last month, it proposed an integrated population statistics system, which would link individuals’ data from the 2011 census to that held on other government databases.

Several local councils are creating systems that allow a single “view” of their citizens, in some cases revolving around a smart card.

September’s green paper responding to the death of Victoria Climbié called for electronic links between the different organisations that deal with children, including education, social services, police and education.

And the NHS’s National Programme for IT is close to choosing the supplier of the NHS Spine, which will hold health records for everyone in England.

Ian Brown, director of the Foundation for Information Policy Research, says that governments will find it hard to resist linking data, for example, to tackle obesity by monitoring attendance at leisure centres. “It gives government so many more ways of interfering in people’s day-to-day lives,” he says. “They say we’re not building a big central database. But they don’t need to.” A series of linked databases will do the job just as well.

And, of course, government IT projects are best known for incompetence. Failures have resulted in delaying citizens’ passports, employees’ ability to work with children and benefit payments. The government says it has changed the monitoring procedures for such projects, but the effectiveness of these changes remains unproven. © Guardian News & Media Limited 2010

Published via the Guardian News Feed plugin for WordPress.