
Home Office ID Card "Procurement Strategy Market Sounding" documents

The Home Office have started giving a few details of what they are planning to waste billions of pounds of taxpayers' money on, through their Identity Card and National Identity Register scheme.

The Home Office Identity Cards website does not have a link from the front page to [correction - the link does appear on the left hand menu]

http://www.identitycards.gov.uk/commercial.html

which links to:



These are nowhere near detailed enough for a commercial company to try to quote on anything, but then this is, allegedly, not a procurement exercise.

The two documents do provide a glimpse of the bureaucratic 15 month Procurement plan, and at least name a lot of high level Contract Packages or sub-projects, with an indication of which ones they will keep in house and which bits will be outsourced.

Astonishingly, there are a couple of vague "Volumetrics" figures, without any background detail:

  • 165 million ID Card verifications a year (more if the scheme is popular)
  • 265 Government Departments
  • 44,000 private sector organisations which need to be "accredited" to use the NIR

Verification Services: Enabling the verification of identity upon provision of (a) a known fact or (b) biometric such that the NIR returns a "Yes" or "No" response to the verification request.

The figure for ID Card verifications is astonishing. After all the hype from the Government, is the ID Card going to be used on average only 4 times a year by each of the 40 million or so people over the age of 16 living in the UK ?

Is this figure based solely on the use of the ID card as a Passport ?

Is each ID card verification going to cost, on average, £3.50 a time (based on the Government's alleged annual cost of the scheme; much, much more if the London School of Economics estimates are accurate) ?

It is exactly this sort of fundamental assumption and any associated thinking about associated project risks, or the reasons for discounting such risks, that we have wanted to see published from the Office of Government Commerce Gateway Reviews of the Identity Cards Programme. The knock-on effects of getting such fundamental assumptions wrong will be extremely expensive.

There is also another Biometric Technology trial in the offing, but using even fewer people than the notorious UK Passport Service one.

  • Only 2100 "representatives" of the UK population
  • Only 300 people, presumably with disabilities, for whom one or more Biometrics won't work.
  • Some dubious fingerprint database testing, using "1 to 2 million" fingerprints.

Have a million people given their informed consent for their fingerprints to be used for this purpose, or are they simply going to nick the Criminal Records fingerprint database (about 2 million entries) ?

It appears to be mostly another "synthetic" fingerprint database trial, where permutations and combinations of a few hundred or a couple of thousand fingerprint images are copied and mixed to provide a million synthetic sets of 10 fingerprints.

This alleged "technology trial" will only take 3 months.

How this chimes with the review of the suitability of Biometric Technology by the Government's Chief Scientific Advisor Sir David King is a mystery.

The Questionnaire reveals the assumption that the National Identity Register databases will be housed at two centralised data centre sites.

These "Market Sounding Documents" still do not constitute a high level design comparable to the London School of Economics' alternative ID Scheme proposal.

The Home Office wants these "Market Soundings" by the 9th of November 2005, and Procurement per se will start after Royal Assent, assumed to be by January 2006.


Comments

'44,000 private sector organisations which need to be "accredited" to use the NIR.'

44,000 private sector organisations.
Think about that number for a second. 44,000.
Organisations motivated by greed.

These 44,000 organisations are going to get access to the personal data held on this database, and we really believe that this is going to be secure and not abused?

Words fail me.


All these fundamental assumptions about the scope and size of the scheme should have been thought of and investigated *before* the ID card Bill was published.

They should have been considered by the high level review, before any commercial confidentiality due to detailed prices or profit margins can apply, in the Office of Government Commerce Gateway Stage Zero Reviews.

How do we the public know what these assumptions are ? How do we know what important factors have been forgotten or deliberately ignored by the vested interests and limited experience of the Home Office design team ?

Remember that this system will have failed if it is only as good as the existing systems which we use already, it has to be significantly and demonstrably better and more secure, otherwise what is the advantage to the individual citizen taxpayer voter ?

How is the IT industry meant to be able to quote prices and timescales, or to assess the security and privacy risks, when there is no detailed plan of what the Government is actually trying to achieve ?

However, the OGC Gateway Reviews are being kept secret even from the Home Affairs or Public Accounts Select Committees, even on a private basis.

Our Freedom of Information Act request is currently under appeal to the Information Commissioner, and is awaiting a Preliminary Decision Notice.

http://www.spy.org.uk/foia/archives/foia_requests_in_progress/ogc_gateway_reviews_of_the_identity_cards_programme/index.html


I've been following the ID card developments in recent times because I've worked in IT for over a decade and am also interested in biometrics. At my last company they did have a fingerprint based time and attendance system used by about 20 workers. Of these the recognition would not work for one chap, whose fingerprints were not easily distinguishable. He was a labourer, and after years of sanding and other hard manual work the system couldn't identify him from any of his fingers. Of course if a 1 in 20 figure is representative of the general population then there's going to be a big problem if you try to use it on everyone in the UK.

I'm sure that there will be unforeseen technical problems with the biometrics, and they won't initially be as effective as the marketing people claim. Bearing in mind the success rate of previous government IT projects I'll be absolutely astonished if the ID card scheme is implemented on time and on budget. As a rule of thumb usually you can double the initial budget estimate and then add some, and that's usually a more realistic cost.

I can predict newspaper headlines such as "ID card doesn't work for Mrs Jones" or "ID fiasco costs taxpayer millions" or "Whose identity is it anyway?" (someone misidentified as the wrong person) or "WW2 veteran says 'no' to ID".


The link you claim was missing is now present (under "commercial" on the left-hand menu). I recollect that it has been present there for a long time. I don't know if it went missing for a period and has been re-instated.

Best regards


Why do you think the figure of around 4 on-line verifications per year is astonishing (astonishingly low that is)? Personally, I think it is a bit on the high side, but perhaps my life and that of people I know is less frenetic than average. Currently, I see on-line verification as appropriate only on opening a new bank account (or similar), notifying the NIdS Registrar of a change of permanent address (at the same time obtaining a new ID card and driving licence), on passport re-issue and on being charged with a serious criminal offence.

In your estimate of £3.50 per on-line verification, have you not forgotten that there will, very likely, be a greater number of uses in which off-line verification will be adequate, and an even greater number when perhaps manual inspection will be sufficient; then there are the benefits, on registration, of checking for multiple applications (as a precursor to fraud and other criminal activity). This spreads the cost more thinly.

Is the CSA Sir Alan King, or is it still Sir David?

The big question in my mind is who are these 44,000 companies who need to have on-line access, and what services are they providing to us (the registered people) for which such identity checks (previously not available) will now be sufficiently commonplace for them to invest in the necessary computer equipment and on-line access?

Best regards


@ Nigel - Thanks for the corrections - I would be rich, if I had a pound for every time that I could not easily find something I was looking for on the Home Office website.

The use of an ID card in offline mode or manual inspection is no longer the "gold standard" of identity verification which the Government claims - it becomes no more secure than say a credit card or utility bill. I cannot see how any of the costs of the ID Card scheme can be spread out to cover such existing situations, which someone else is already paying for, except through "creative accounting".

Unless and until the ID Card *entirely replaces* another form of identification, then there are no possible infrastructure or personnel, or training savings, only extra added complexity, expense and the increased likelihood of poorer service and error.

I am still trying to think of the 265 Government Departments which the document seems to claim might need to have access to my private data - my list is nearer to 5 than to 265 !

The snippet of "volumetric" information also manages to ignore the over 400 Local Government Authorities, not all of which are "accredited" for connection to, say, the Government Secure Intranet, even after all these years.

My question about whether the "165 million verifications a year" was really just for Passport / ID Card used as an EU travel document type use of the NIR is based on how many times you are asked to present your Passport during every holiday or business trip abroad e.g.

UK airline check in desk, security barrier, gate lounge just before boarding an airliner, foreign country passport entry control, foreign country airline check in desk, foreign country exit control, gate lounge just before boarding an airliner back to the UK, UK Passport control.

Especially if you are travelling to/from other G8 or EU countries, which will be sharing biometric data, or will provide a verification lookup facility to the NIR, surely each round trip abroad will involve at least 2 or 3 NIR verifications ? This could translate into over 100 million NIR verifications a year, just for Passport type use.

There will be about 10 million Passport/ID card renewals a year (an extremely tough target given the need for face to face interviews for assured biometric capture), each of which will, presumably, require an NIR check of the existing records and a confirmation check of the new ones, especially as biometrics have to be taken again i.e. 20 million NIR verifications. This assumes a 10 year lifetime of an ID Card. If, more realistically, this has to be done every 5 years, for biometric ageing and plastic chip card wear and tear reasons, then, after 5 years of steady state running once all the population has been registered, this will just about double the number of NIR verifications a year i.e. 40 million a year (and double the overall cost of the process, although not necessarily the fee income from the public), just through the process of issuing and renewing ID cards, even if they are never used for any other purpose.

"on being charged with a serious criminal offence." will not be the only time that the NIR is used by the Police and judicial system.

Under the Serious Organised Crime and Police Act 2005, with the aim of reducing the number of round trips between the police station and the "on the street" patrol areas, a policeman can use his Airwave connected mobile fingerprint scanner for ID purposes, even *before* he has *arrested* you, let alone charged you with anything.

The same Act has now also made *every* offence into an arrestable one, not just serious ones.

When you are arrested the NIR will probably be checked again (full set of 10 fingerprints and two palm prints), and probably yet again when you are actually charged.

None of this requires you to be carrying your ID Card at all.

If the Police or other security services attempt to use the Facial Recognition CCTV camera systems, then there could easily be millions of mostly false, NIR "verifications" a day. The technology is too slow to do this at the moment, but the Identity Cards Bill would permit this in the future, without further debate in Parliament.

I agree about the 44,000 private sector organisations - how are these going to be "accredited" to the same standard ?

If it takes, say a man week to "accredit" a private sector organisation, how long will the queue be ? Who will be doing this "accreditation" ?

Note that none of the "accreditation" costs, or the costs of the private sector infrastructure are included in the Government's cost estimates for the scheme.

If they are not "accredited" to the same "gold standard" security and privacy protection standards, then the whole scheme cannot be trusted to fulfill one of its alleged aims of protecting the individual against "identity theft".

The Government should have already published the detailed basis for these figures and the business case for the scheme as a whole, but they seem intent on pretending that only they know best, and that these fundamental scope and sizing assumptions are somehow merely details to be worked out later.


I wouldn't worry at all about CCTV camera facial recognition. Face recognition is really only possible under controlled conditions (good lighting/no shadows/person looking directly at the camera). A successful face recognition application typically involves going into a specially built booth or checkpoint. In tests done at airports or in other "open air" installations face recognition failed to work with any level of reliability, and this is likely to remain the case for the foreseeable future. Don't believe the hype put out by some companies. I've done a lot of stuff with face recognition, and if someone isn't looking at the camera, if there is high or low contrast, or shadows occluding parts of the face then no amount of computing power will get around those problems.

It may be possible to reconstruct a face from a video sequence over a period of time, if the person can be tracked, but I'm not aware of any companies trying to do that.

