EURIM Working Group Minutes

Working Party: Theme 2/3 - Entitlement Working Group

Ref: 02-T02-Min04

Minuter: Emma Fryer

Date: 5/12/02

Circulation: Attendees and Apologies

Queries to: Emma Fryer, Tel: 0191 384 0282, Mob: 07714 803 650, Emma.fryer@eurim.org

 

                                     

Minutes of the EURIM Meeting on Entitlement Cards

5th December 2002, Conference room C, 1 Parliament Street

 

Summary

 

Purpose of Meeting

  1. To review responses to the Home Office consultation on entitlement cards and identify any other issues that should be raised.

 

Meeting outline

  1. The BCS response was reviewed. It did not attempt to cover government or political issues and focused on the practical issues. Main concerns were the lack of clear objectives, liability issues, the failure to take into account other initiatives, overall management, and issues of circularity.

  2. The issues raised by the consultation paper were scoped. These included the need for clear objectives, existing alternatives and initiatives, technical considerations and the relationship between citizen and state.

  3. The chairman presented these issues as a set of questions for government (see section 7).

  4. Further issues were raised which included special considerations for high risk areas, applicable age, constitutional implications and security standards.

  5. The chairman summarised these points in the form of additional questions (see section 9).

  6. Volunteers agreed to produce summaries succinctly setting out selected issues (see section 10).

 

Actions Agreed

  1. Volunteers to respond with issue summaries by Friday 13 December (See Section 10)

 

Tabled Documents

  1. Agenda

  2. Response from the BCS to the Government consultation paper on entitlement cards and identity fraud

 

References
  1. Home Office Consultation on Entitlement Cards and Identity Fraud: http://www.homeoffice.gov.uk/dob/ecu.htm
  2. Response from the BCS to the Government consultation paper on entitlement cards and identity fraud.
  3. Smart Cities (Southampton): http://www.smartcities.co.uk/SmartCity.htm
  4. e-Envoy’s Registration and Authentication paper: http://www.e-envoy.gov.uk/oee/oee.nsf/sections/frameworks-authentication/$file/authentication.htm
  5. PIU Report: Privacy and Data Sharing – the way forward for public services: http://www.piu.gov.uk/2002/privacy/report/01.htm

 

 

Full Meeting Notes

 

 

 

Action

1 Chairman’s introduction

1.1 GL welcomed everyone and outlined the objectives of the meeting: to review existing responses to the Home Office consultation on Entitlement cards and identify whether there were other issues not covered by these responses that EURIM should raise. (Ref 1)

 

 

 

 

2 Existing responses to the consultation - BCS response

2.1 GL suggested that the BCS response would be a good place to start. David Rippon kindly agreed to give a quick overview and raise a few key points for debate. (Ref 2)

2.2 DR reported that the BCS response approached the problem from a pragmatic perspective – the practical issue of making this work as an IT project, based on programme management experience. It did not address political or government aspects.

2.3 The key concern was that the document did not clearly identify project scope – there was a whole raft of problems that the consultation was trying to solve. The paper mentioned savings of £3bn a year but did not specify how they might be achieved. In effect, there was a project with no clear objectives, no clear scope and unspecified potential for budget overrun.

2.4 An updated version of the BCS response was now available, which raised a raft of additional concerns. Essentially, the e-government agenda was moving forward on a number of fronts, many of which envisaged delivery systems recognising individual citizens, facilitated by some kind of electronic ID or the proposed entitlement card. There was no overview and many different cards were already being produced by local governments so there were issues on how these could be integrated, standards of security they needed to attain, and management of the whole process. There were also issues of circularity that were not being addressed.

2.5 The other issue was liability. If an entitlement card was to be used as proof of identity by commercial organisations and was then shown to be fraudulent, who should bear responsibility for the costs of the transaction? For success in IT project terms, objectives must be clearly defined and responsibility delegated to those who could achieve the savings.

2.6 PM supported the BCS response and agreed that the consultation did not state clearly the problem it was trying to address. Without that it was not possible to state the benefits and without stating the benefits it was not possible to “sell” it to citizens.

2.7 GL observed that the document was seeking to find a way of associating an individual unequivocally with a specific identity. Once that was achieved it might be used for a whole range of transactions over time. It was important not to close off avenues for development, which might account for the open-ended scope.

2.8 DR agreed – this was exactly the thrust of the BCS report – that the project should focus on one objective for the entitlement card, and then progress to other objectives later. The initial objectives had to be limited to reduce scope creep and the associated risk of failure.

 

 

 

 

 

3 Setting clear objectives

3.1 AN remarked that if you do not know what you are trying to do you are unlikely to be successful in delivering it. Even with clear objectives this project would be difficult to achieve. The first task was to define objectives. Was the consultation paper only designed to address the specific needs of the Home Office, or was it envisaged that the entitlement card would fit into a wide range of ID systems, cards and services that were currently being developed? Was it government’s intention to encourage different ID cards and related services or would identity cards be centralised?

3.2 CW noted that the Home Office paper had been written without adequate reference to other initiatives or to the cultural concept of identity in the UK. It referred to other models but did not look at the implications of using them, or what was offered, and did not explore the disparate nature of what constituted identity.

3.3 GL asked whether these considerations would prevent the UK government making progress with an entitlement card. CW replied that they were complicating factors and represented areas of debate that needed to be addressed. If the entitlement card was designed to overcome the problem that some people did not have a driving licence or passport, there was no reason why local identity cards would not suffice. So why were they proposing a new card?

3.4 GL agreed that these were important issues but asked whether by raising them they risked slowing down the whole exercise to the extent that no practical progress could be made on the fundamental objectives. CW replied that the Home Office seemed to have no fundamental objectives and had not defined what they wished to achieve, how and why.

3.5 DR noted that the real objective of the scheme was to save money from entitlement fraud. As such the scheme should not be handled by the Home Office but by DWP or DSS. The document appeared to be about national identity cards, so the title was disingenuous.

 

 

 

 

 

4 Existing initiatives / alternative delivery methods

4.1 AN noted that the environment at social, political, technological, economic and ethical levels was changing and many other initiatives were already underway. TP agreed - even government organisations were issuing cards independently. All these could mitigate the need for a national scheme.

4.2 GL deduced from the discussion that if government wanted unequivocal association of person, documentation and card it was reasonable to have islands of ID issuers assembled or joined through a national register but this did not necessarily require a national system. It was agreed that a national register was essential as a standard and to judge the efficacy of the systems and to ensure that individuals did not have different cards under different authorities.

4.3 GL observed that this implied that, provided identifying authorities were adequately policed, it would be entirely possible for local authority or corporate identities to be used. This was agreed.

4.4 TP remarked that the consultation paper did not mention the existing government guidance on authentication nor refer to the whole range of options between a card with no value or identity and one that builds up credits, capability and benefits. Different organisations wanted to know different things; ID was not a fixed concept.

4.5 PM noted that central government envisaged most benefits being manifested at local authority level but had not recognised that many authorities were already issuing local benefit cards. Once the problems had been defined, then the existing solutions could be assessed and then work could focus on bringing them up to a common standard rather than starting a whole new system.

4.6 GL saw advantages in a single multi use card over a proliferation of cards, and mentioned the Smart Cities pilot in Southampton where the issuance of a local authority card appeared to be delivering real benefits to citizens. That suggested that identity systems could grow up naturally from the bottom rather than being imposed from the top. The critical issue was providing a standard for interoperability and the OeE had been working on formulating such standards. (Ref 3)

4.7 CW noted that OeE work on smart cards was very delayed, and AN noted that their remit had changed to focus more on central government. Other work was progressing through IDEA and other groups. Government’s proposal to produce identity cards for everyone was preventing the emergence of these services from the private sector and local authorities.

4.8 SM asked whether figures for fraud were available in countries with mandatory identity cards. CW noted that crime patterns differed between countries because of cultural values so there was no causal relationship. Targeted schemes restricted to benefits claimants and asylum seekers were alternatives.

4.9 SD noted that if different cards were used for different purposes they offered no advantage over existing forms of identification that were already separate, like passports and driving licences.

4.10 PM observed that there was really a whole basket of problems and separate solutions. Was it appropriate to have DNA information and bus pass information on the same card?

4.11 GL proposed one recommendation to government – they must decide whether to produce an identity card and not leave the question open or it would leave a planning blight over all other initiatives. This was agreed.

 

 

 

 

 

5 Technical considerations

5.1 ML asked whether it would be possible to have duplicates of the same card. GL noted that, provided the ID between the individual and the card was robust, there was no reason why not since the purpose of the card was to authenticate the holder. Different cards might hold different levels of information. CW noted that this was not normal practice and could be fraught with difficulty. TP noted that at least the information on the card was not visible. ML noted that the failure rate of plastic cards made a back-up pragmatic.

5.2 PM asked what the benefits to citizens were from moving to an electronic ID. GL suggested that there were many benefits to the taxpayer firstly by cost saving through more efficient joined-up-government and secondly in preventing or limiting benefit fraud which was estimated at up to £7bn. The benefit for an unemployed person was the receipt of money. A system that limited fraud without being oppressive could be a popular choice in times when citizenship was devalued and people made careers out of exploiting the state. Another benefit to the citizen might be to simplify transactions with the state by the use of an individual electronic key. An identity that moved with you would be very useful if you were socially excluded and moved house, or had no home.

5.3 It was agreed that the central question was the ability to secure the technical methods of associating a physical body with a card.

5.4 TP noted that any system must be designed around failure modes – having one card could be a major disadvantage under some circumstances if you were unable to partition the risk.

5.5 CW observed that the implications of a reliable recognition system depended on reliable biometrics being used on a large scale, but the technology was not mature enough to give any guarantees.

5.6 GL noted that biometrics was really the only way to associate an individual with a card and limit identity fraud.

5.7 It was agreed that there were two stages of identification - the point of issue and the point of use. The point of issue was the key point, where the identifier had to be rigorous. A cheap biometric or other identity check would be satisfactory at point of use. The registration process was the key.

5.8 SW agreed this was the crux but noted that there was still scope for fraud: simply within the time it took to register a person, he could register again. The system would have to be able to self-check.

5.9 WH noted that technology was irrelevant to the real risk, which was related to the systems surrounding the transactions, such as people being bribed to release data or commit back office crimes. DC agreed – even when technology was perfect, system failure was a risk, e.g. the lack of card readers on the Mexican/US border forced border staff to resort to facial checks. Immigrants then posted the cards back across the border to be used again.

5.10 SM agreed. The implication of the consultation paper was that technology would solve problems. It would not. Technology would, however, enable all sorts of new kinds of fraud that had not been feasible before. The problems would change. GL agreed - technology was a means of delivery and could add benefit in terms of efficiency – it was not inherently a solution.

 

 

 

 

 

6 Citizen and state

6.1 The relationship between citizen and state had evolved with new technology. Paper chains were no longer acceptable for handling data. The question of validating identity had to be addressed or many opportunities offered by new technology would be wasted.

6.2 AN noted that this made the case against one single system under a state monopoly. If government installed a system and it did not work, major changes would be cumbersome, expensive and slow to achieve. If there were many competitive schemes, the better methods would be taken up at the expense of the others and rapid evolution would be the result. A competitive marketplace was the best place to ensure a good solution. Technology now presented opportunities that had not been available to countries issuing cards even a decade ago. SW agreed: solutions that were not provided by central government would be much more credible, particularly as the cards spanned different governments.

 

 

 

 

 

7 Chairman’s Summary

7.1 GL noted that this meeting presented an opportunity to identify issues that should be raised with parliamentarians and other government decision makers on behalf of EURIM. Some such issues were emerging:

7.2 The need to press government to clearly outline the real purpose of this exercise. The question needed to be asked of the Home Office but must be phrased so that it had to be answered from a cross-government perspective.

7.3 The set of issues around looking at other countries’ experience of managing their relationship between citizens’ identity and their rights. Despite cultural differences, government should look closely at the experience of other countries before acting.

7.4 The need to ask the Home Office for their reaction to the concept of a diversity of issuing authorities, the possibility of linking the islands of activity to create overlapping sets of jurisdiction for card issuance that covered the country.

7.5 The apparent lack of consideration in the consultation paper of the existing initiatives in government and the OeE. The current security standard was not properly reflected in the document and government guidelines on citizen authentication had already been produced but were not referred to. (Ref 4)

7.6 The fundamental question of Quis custodiet ipsos custodes? – it was no good taking extensive steps to reduce the risk of fraud in the technology area if elements of the issuing system were corruptible in some way.

 

 

 

 

 

8 Further points from the floor.

8.1 GL invited further comment and points to add to his summary.

8.2 High Risk Areas

AN noted that in some communities – particularly those with large proportions of immigrants and high turnover - there was a problem of establishing whether people really belonged to families that they stated they were part of. DNA was the only biometric to test this reliably, which was rather an extreme solution.

MJ noted that the Home Office fingerprinted all asylum applicants. Everyone had to recognise that human trafficking was now one of the most lucrative forms of organised crime and whilst no-one would pretend that any card could eliminate all scope for fraud, if legitimate residents were captured by a biometric associated with a card, it would help to reduce it. Certain areas could be subject to more detailed scrutiny than others.

8.3 Applicable age

IN asked why the card was proposed to start at 16, instead of at birth, despite the many obvious advantages such as obtaining child benefits.

8.4 Constitutional implications

GL noted that the issuance and control of identity cards by central government had constitutional implications. The diversity inherent in multiple authorising agencies with separate databases, independently policed by entities that held public trust was safer than a single national system. As the PIU report on using data more efficiently in government noted, government must address the need to set up supervising authorities in a way that constitutionally separated powers in order to gain public confidence. TP agreed. The system had to pass the “Malicious Regime Test”. GL observed that issuing authorities and systems needed to hold the same public confidence in their independence as the judiciary. (Ref 5)

It was agreed that constitutional and technical landscapes were changing all the time and any system had to accommodate this kind of uncertainty. The fundamental question was whether there was public trust in the state apparatus. This raised the notion that there was an implicit contract between the state and the individual, which had to be addressed explicitly.

8.6 Setting Standards

It was agreed that the key starting point for any system was a positive identity. Different levels of functionality could then be accommodated. The problem was that no “gold” standard of authenticating identity existed. Passports and driving licences fell short.

TP noted that the question was whether the technology could deliver that necessary level of security. Biometrics appeared to be the only answer but feasibility had not been explored and there had been no adequate risk analysis. (Ref 4)

CW noted that different standards might be appropriate for different areas depending on the risk. GL observed that the desire to issue everyone with a card in order to bring a very small minority under control was effectively a political issue. This related to the three levels of authentication proposed by the OeE. The debate concerned the uniform level of identification that was an appropriate standard for a national card. (Ref 4)

TP noted that the appropriate level had not been identified for generic use as opposed to different services, and would depend on the application. Multiple levels of authority were not a new concept.

 

 

 

 

 

9 Chairman’s Summary

9.1 GL summarised the additional points that were raised:

9.2 The question of the age at which young people were incorporated into the identity scheme.

9.3 The set of constitutional and institutional issues: what did government need to consider in order to give citizens confidence that they were protected against potential abuse by a malicious regime?

9.4 The question of how the registration process could be made robust enough to resist all but the tiniest proportion – say 1 in 5 million – of attempted breaches. Iris recognition was probably strong enough but there were technology issues to overcome.

9.5 The confusion between absolute recognition vital for registration and “beyond reasonable doubt” recognition necessary for everyday use.

9.6 The fundamental need for online and offline checks for duplication – e.g. on first use to combat multiple registrations and ensure the biometric associated with the card had not been used before. The consultation paper accepted that a solution had yet to be identified.

9.7 The question of the level of registration the Home Office believed was essential for the card to meet (under the OeE’s four categories). Each category implied a different level of investment in technical processes and people and associated cost/benefit analyses. There was a spectrum of certification requirements for registration to be considered.

9.8 The question of whether a person would effectively lose their identity on losing the card.

 

 

 

 

 

10 Allocating Actions and areas of responsibility

10.1 The following issues were identified for action and individual volunteers each agreed to submit a one pager setting out the issues succinctly.

10.2 Failure Mode

·         Deliberate – Mark Lomas

·         Accidental – Tom Parker

Action: ML, TP

10.3 Government's Real Purpose: what issue is being addressed? - Paul McKeown, Adrian Norman

Action: PM, AN

10.4 European/International Comparisons - Dave Clancy

Action: DC

10.5 Multiple Issuing Authorities "Islands" - Adrian Norman, Colin Whittaker

Action: AN, CW

10.6 Registration Gold Standard

Back Offices: Cost - Tom Parker; Risks - Colin Whittaker

Action: TP, CW

10.7 Young Persons Issuance - Ian Nayler

Action: IN

10.8 Malicious Regime/Constitutional/Trust - Steven Mason

Action: SM

10.9 Biometrics Technical State of Play/Business Usability - Mike Jenkins

Action: MJ

 

 

 

 

 

Attendance – 5th December 2002

David Clancy, Office of the Information Commissioner
Susan Daley, CBI
Emma Fryer, EURIM
Margaret Graham, Fujitsu Services
William Harbison, Nortel Networks
Mike Jenkins, Fujitsu Services
Martin Lewis, APACS
Geoffrey Llewellyn, Schlumberger Sema
Mark Lomas, Reuters
Stephen Mason, e-centre UK
Paul McKeown, IBM UK Ltd
Richard Muddle, Accenture
Ian Nayler, Retail Systems Consultancy
Adrian Norman, BCS
Tom Parker, t-Scheme / BCS
Verner Parke, CMG
Julian Pitt, BT
Lord Renwick, EURIM President
David Rippon, BCS
Colin Whittaker, APACS

 

 

Apologies

Alastair Bellingham, NHS Information Authority
Bob Conway, Schlumberger Sema
Paul Crook, Accenture
Earl of Erroll, House of Lords
Andrew Hardie, IMIS
David Harrington, CMA
Colin Hebden, EDS
Jonathon Inskip, De La Rue
Guy Lodge, EURIM
Keith Mayhew, APACS
Will Roebuck, e-centre UK
Philip Virgo, EURIM
Dorota Warren, Individual Observer