A case of mistaken identity

A case of mistaken identity

The UK government has embarked on the world’s most ambitious national identity project. During its 3-year progress towards Royal Assent the scheme has variously been proclaimed as a key solution to identity theft, illegal immigration, administrative inefficiency, benefit fraud, VAT fraud, illegal working, terrorism, healthcare tourism, national security, telecom munications fraud and organised

crime. Can it actually work? Simon Davies has his doubts.

Despite its name, the Identity Cards Act, 2006 contains provisions for much more than a mere identity card. Th e Act outlines a national identity system that has no fewer than eight interconnected components: the Na-tional Identity Register (a central computer system); a National Identity Registration Number (the number that will be used as the basis of the whole system); the col-lection of a range of biometrics such as fi ngerprints and iris scans; the National Identity Card itself; provision for convergence of information systems throughout the private and public sectors; establishment of legal obliga-tions on individuals to disclose personal data; cross-no-tifi cation requirements, obliging departments to pass on relevant data to other departments; and the creation of new crimes and penalties to enforce compliance with the legislation. Clearly this will be rather more than a piece of plastic with our name and photograph on it.

Th e government has estimated that the cost of the scheme over 10 years will be £5.8 billion. A con-troversial landmark study by the London School of Economics (LSE) put the fi gure at between £10 billion and £19 billion1.

Th e entire point of an ID system is that it be ac-curate. It loses its entire reason for existence if it is not. Th e government proposes to eliminate the risk of for-gery and multiple identities in the system by establishing a “clean” database of identities. Entry onto the database will require multiple biometric capture (of fi ngerprints, iris and face), biographical footprint checking (rigorous checking of an applicant’s history) and the production of a range of primary documentation such as a passport or bank accounts. Th e Home Offi ce believes that the data-Cr

edit

: Ka

ren

Skin

ner

114 september2006

3(3)_06 Davies_IDCards.indd 1143(3)_06 Davies_IDCards.indd 114 10/08/2006 11:54:1810/08/2006 11:54:18

115september2006

base will contain no multiple identities because a “one-to-many” check against the entire coun-try will be used before a person is enrolled.

Biometrics would be taken on application for a card and for entry on the National Iden-tity Register, and would be verifi ed thereafter for major “events” such as obtaining a driving licence, passport, bank account, benefi ts or em-ployment.

Th e government understood from the outset that introducing a national ID card to the British population would be no sim-ple matter. No English speaking country, and hardly any “common law” country, has ever persuaded its population to accept one. Indeed no European country has managed to adopt an ID card from scratch in the past 50 years. Most, such as Italy and Spain, received theirs during dark eras of dictatorship.

Proposing an ID card in a democratic environment is fraught with political peril. In 1987 the Australian government nearly fell after massive public revolt over the “Australia card” proposals. No US administration would dare to propose one. New Zealand dropped its “Kiwi card” project after only 2 weeks of con-troversy. Th e Canadian government wants one, but is terrifi ed of calling it an ID card.

Little wonder that when former Home Secretary David Blunkett announced the scheme in 2002 he did so with the greatest caution. Launching the proposal, he gave the assurance that the government would promote the most rigorous national debate coupled with an exhaustive consultation that would take all views into account and which would consider all available evidence.

Since then there have been three formal consultations, including an inquiry by the Home Aff airs Select Committee. Th ousands of submissions have been made, hundreds of experts have made their views public, and an unprecedented research eff ort was undertaken by the LSE.

What eff ects have these eff orts had on the nature, objectives and viability of the original scheme proposed in 2002?

Biometrics

Th e government has repeatedly expressed its intention to develop the ID scheme along two lines: broad consultation and rigorous scien-tifi c evaluation. Th e scientifi c evaluation must tell us, amongst other things whether or not the biometrics will actually work with the ex-traordinary degree of accuracy and reliability that a national ID card system will require.

A biometric is a measure of identity based on a body part or behaviour of an individual.

Th e best-known biometrics are fi ngerprints, iris scans, facial images, and signatures. Voice-prints and even DNA from blood-samples have also been touted—the former, bizarrely, to track illegal immigrants, the latter to safeguard children entering the country with adults who claim to be their parents or close blood rela-tives. Th e position taken by the UK govern-ment is that some biometrics are extremely se-cure and reliable forms of ID; it promotes the use of fi ngerprints and iris scans to establish one’s identity or, at least, one’s uniqueness in the future ID card scheme. Th e theory behind this approach is that a biometric is less likely to be spoofed or forged than might a simple photo identity card.

It is a faith in biometrics that has driven the ID card scheme. In October 2004, Prime Minister Tony Blair announced that ID cards would be in the Queen’s speech; and on the topic of the related technology he said: “Over-all, progress is very encouraging and I’m con-fi dent we can successfully develop a secure ID card for the whole country. (…)2.”

Former Home Secretary David Blunkett went even further, assuring a television audi-ence that biometric identifi ers on ID “will make identity theft and multiple identity im-possible—not nearly impossible, impossible3.”

Can that really be so? Any statistician would treat such a statement with caution, and would want to examine it. Even fi ngerprint evidence, so long assumed by the public to be incapable of error, has recently been shown in a high-profi le court case to be far from infal-lible. A policewoman was falsely accused, on the basis of her fi ngerprints, of being present at a crime scene. Other evidence showed the accusation to be untrue.

Th is is not to deny that every individual may well have a diff erent and unique fi nger-print. But impressions, taken from a crime scene or at a police station, may be far from perfect; they are analysed and categorised by fallible human beings, and then various mark-ers and statistical techniques are brought to bear to prove or disprove a match. At every stage the possibility of error is present; it is the system as a whole which has to be infallible, not just the biometric marker.

Similar problems will beset any other bio-metric marker. Strong evidence, therefore, will be required for iris recognition to become the basis for a national identity system. Certainly any system as infallible as claimed would be a remarkable technical advance.

Th ere are two distinct problems that can result from failure to interface adequately with a biometric device. Th e fi rst is described as the failure to enrol rate (FTER). Th is occurs when

a person’s biometric is either unrecognisable, or when it is not of a suffi ciently high standard for the machine to make a judgement. A per-son with fi ngers damaged by scar-tissue after burns, for example, might not be able to supply a machine-readable fi ngerprint; someone with a hand missing will obviously not be able to supply one at all. Th e second crucial indica-tor is the false non-match rate (FNMR) that occurs when a subsequent reading does not match the properly enrolled biometric relating to that individual.

Th e fi rst problem would result in a per-son not being enrolled in an identity system. Th e second can result in denial of access to services—potentially disastrous for the indi-vidual concerned. Iris recognition appears to perform better than other biometrics in both these fi gures. In FTER studies, for example, iris recognition achieved a 0.5% failure rate, while fi ngerprinting varied from 1% to 2%4.

However, there are still substantial problems with enrolment, and these are likely to aff ect disproportionately, for example, some visually disabled people.

A 2002 technology assessment report by the US General Accounting Offi ce (GAO) highlighted a number of problems with the ac-curacy of iris recognition5. Although acknowl-edging that the mathematics of the technique appeared sound, the enrolment and verifi cation elements of iris recognition were far from per-fect. Th e FTER was around 0.5%, while the FNMR ranged from 1.9% to 6%. Th is means that around 1 in 200 of the research population could not enrol at all, while a further 1 in 18 to 1 in 50 could not match their enrolled iris.

Th is is among a co-operating population. Identity schemes also have to contend with those who would try to subvert them, from mi-nor benefi t fraudsters to international terror-ists. Th e government has repeatedly claimed that the use of biometrics will prevent any fraudulent use of the system. Th e very exist-ence of the National Identity Register hinges on the verifi cation and accuracy (or otherwise) of biometrics in a central register on a scale of 50 million records; the verifi cation process would therefore have to involve high integrity

Iris recognition failed to make a match in up to 6% of cases among a co-operating population


116 september2006

devices. To operate at a national scale the tech-nology would have to be close to perfect. Fail-ure of the biometrics and the register cannot be an option1.

Here again, any claim of infallibility is in-correct. All biometrics have successfully been spoofed or attacked by researchers. (For obvi-ous reasons, we do not know what work has been done by criminals in this area.) Substan-tial legitimate work has been undertaken to establish the techniques of forging or counter-feiting fi ngerprints, often by means as simple as using latex or household glue to replicate the print6. Th is activity is not just in the domain of Hollywood movies. Researchers in Germany have established7 that iris recognition is vul-nerable to forgery simply by using a high qual-ity photo of an imposter iris8.

Th ere is also the issue of consumer resist-ance to submitting to some of the more inva-

sive biometrics. Iris recognition requires the user to put his or her eye close to a camera. A recent trial conducted by the UK Passport Service revealed a high degree of reluctance to do this; concerns among some ethnic and disa-bled groups were real, whether these concerns were scientifi cally justifi ed or not.

A 2002 report from the US GAO5 states: “Biometric technologies are maturing but are still not widespread or pervasive because of performance issues, including accuracy, the lack of application-dependent evaluations, their po-tential susceptibility to deception, the lack of standards, and questions of users’ acceptance”.

It also warns against making assumptions about the ability of the technology to perform across large populations:

“Th e performance of facial, fi ngerprint, and iris recognition is unknown for systems as large as a biometric visa system…”.

Despite these and many other warnings, former Home Offi ce Minister Tony McNulty announced: “Once we get onto the procurement process and delivery neither the government nor the IT sector will be found wanting9”. One trusts that the Home Offi ce has more than simply blind faith to justify such statements.

Th e evidence, such as it is, contradicts this view. We have heard little of unstable facets of the technology. One would want some statisti-cal evidence of the accuracy of the biometrics before accepting them at face value, or before accepting an ID card system based on them. Reliable fi gures are, however, lacking.

Government may be basing its faith in the perfection of biometrics, and specifi cally on iris recognition, on the mathematics of Dr John Daugman, inventor of the iris recognition algorithm, and one of the government’s scien-tifi c advisers.

Daugman is perhaps iris recognition’s most enthusiastic promoter. His presentations are eloquent expositions of the robustness of the mathematics. New Scientist summarised his work in glowing terms that makes a compelling case for near infallibility:

“Daugman has now used this system to make 2.3 million random comparisons between images of over 2000 diff erent irises from people in Britain, the US and Japan. Th e study shows that if two codes match by 75% or more, there’s only a one in 1000 billion chance that the match is wrong. With just 12 billion human eyes on the planet, that is quite secure10.”

Impressive claims: yet the issue of poor FTER and FNMR—crucial to the success of the ID scheme—is rarely discussed. An analysis of the nearly 30 sections of material on Daug-man’s university website reveals that these less impressive elements of iris recognition are only occasionally addressed. Instead, both Daug-man and the Home Offi ce focus on the ex-cellent match rate in between—statistics that relate only to those individuals who have suc-cessfully navigated the technology.

Th e biometrics industry divides the world into “sheep” and “goats”. Sheep are those on whom the system works. Goats are those who “fail” the system—or, perhaps more accurately, they are those whom the system fails. In some biometric trials goats are excluded. In others, failure of the technology and the operatives is also excluded from the result. At best, these failures are separately documented, leaving a “clean” statistical outcome11.


117september2006

Identity theft

Since the inception of the proposal in 2002 the government has argued that a national identity scheme will reduce identity theft. So much so, that its original consultation document was titled Entitlement Cards and Identity Fraud: a Consultation Paper.

Identity theft is generally defi ned as the systematic exploitation and subversion of a person’s identity. Th e crime can have devastat-ing consequences for the individual. Th e main issue in question is the extent of the problem.

Th is scope and nature of identity theft is not without controversy. Th e defi nition of the term is unclear. It may be an assortment of forms of fraud that are unrelated to problems of iden-tity. All the same, the most credible defi nition of identity theft is contained in a succinctly titled 2002 Cabinet Offi ce report, Identity Fraud: a study. Th is report has been the foundation for subsequent studies in the fi eld, and remains the most comprehensive assessment.

For almost 3 years from the inception of the ID card proposals the government had relied on the £1.3 billion per annum identity theft estimate in the Cabinet Offi ce report (http://www.identitycards.gov.uk/downloads/id_fraud-report.pdf). By 2005 it had become clear that a new estimate was needed. Early in 2006, on the eve of the fi nal Commons vote on the legislation, the Home Offi ce published a new and higher set of fi gures. But rather than using the ac-cepted Cabinet Offi ce defi nition for its esti-mate, the Home Offi ce chose to ignore that defi nition, adopting instead a much wider set of limits and assumptions that were never set out in print.

Th e result was a rather skeletal piece of work of invisible authorship and with few source references12. No common criteria were set out. Indeed, the criteria diff ered radi-cally between the two reports. £400 million was simply added in to the 2006 report from sources and sectors not included in the origi-nal Cabinet Offi ce study: Audit Commission, (£15 million per annum), Finance and Leasing Association (£14 million) and telecommuni-cations (£372 million).

Parliamentary Undersecretary of State Andy Burnham then confusingly explained to Parliament:

“Th e new fi gure has been produced us-ing the same methodology as the 2002 Cabinet Offi ce Study, but with more up-to-date fi gures where these are available13”.

Th e lack of scope and defi nition was made clear when the Association of Payment and Clearing Services (APACS) publicly chastised the government for claiming in the report that identity theft in the card sector was £504 mil-lion when APACS’ own estimate was less than £37 million14. A spokeswoman for APACS explained the discrepancy: “Th e £504 million is the total losses for plastic cards. It is not just identity fraud on cards. Within that overall fi g-ure there will be some cards stolen in the post, some skimmed or cloned, some lost or stolen.”

Th e result of these shortcomings is a dis-parity of almost £1 billion per annum.

Conclusion

Th e root cause of some of these issues stems from a poor and distorted consultation process. All of the consultations to date have produced concerns and observations regarding law, social exclusion and technology. A large number of fi rms, experts, and individuals have raised con-cerns. Few of these have been refl ected in the fi nal legislation. Indeed, the fi nal shape of the Identity Cards Act is identical in almost every respect to the structure proposed in the 2002 consultation paper. It seems a 4-year process of consultation has had negligible eff ect on gov-ernment thinking.

A Home Aff airs Committee report in July 2004 off ered a view of the ID card consul-tation that diff ered radically from the govern-ment’s claimed objective of “broad consultation and logic”:

“Th e Home Offi ce is taking decisions about the nature of the card without external assessment or public debate15”.

Whether the scheme can defy expert opinion and achieve its stated aims is yet to be seen. But whatever the result, historical ac-counts of this undertaking may show that in the zeal to sell the proposal to a sceptical par-liament, scientifi c evidence, mathematics and statistics have all been casualties.

Various quarters of government have stressed that the project’s development would be based on rigorous research and respect for

evidence. In key respects, neither of these com-mitments has seen the light of day.

(Stop press: since the above was written, the House of Commons Science and Technology Committee has called on the government to recon-sider the technology behind biometric ID schemes – Ed.)

References1. Davies, S., Hosen, G. and Angell, I.

(2005) Th e Identity Project. London School of Economics, London.

2. PM Press Conference, Downing Street. 25th Oct., 2004.

3. Quoted in theregister.co.uk, Nov. 11th, 2003

4. Mansfi eld, T., Kelly, G., Chandler, D. and Kane, J. (2001) Biometric Product Testing Fi-nal Report, Issue 1.0, Biometric Working Group, National Physical Laboratories.

5. General Accounting Offi ce (2002) Using Biometrics for Border Security. US Gen-eral Accounting Offi ce, Washington DC. (Avail-able from http://www.gao.gov/new.items/d03174.pdf.)

6. Matsumoto, T., Matsumoto, H., Ya-mada, K. and Hoshino, S. (2002) Impact of Ar-tifi cial ‘Gummy’ Fingers on Fingerprint Systems, May 15, 2002. (Available from http://www. cryptome.org/gummy.htm.)

7. Th alheim, L., Krissler, J. and Ziegler, P.-M. (2002) Body Check. CT Magazine, Yokoha-ma National University. November 2002. (Avail-able from http://www.heise.de/ct/ english/02/11/114/.)

8. Liveness Detection in Biometric Systems. (Available from http://www. biometricsinfo.org/whitepaper1.htm.)

9. McCue, A. (2005) ID Cards on Trial: Minister defends ‘robust’ biometrics. Silicon.com, June 7, 2005.

10. Eye-opening success for iris scans. New Scientist, 08 August 2001.

11. UK Biometrics Enrolment Trial, May 2005

12. Th e Home Offi ce (2006) Updated esti-mate of the cost of identity fraud to the UK economy, 2 February 2006. Th e Home Offi ce, London. (Avail-able from http://www.identity-theft.org.uk/ID%20fraud%20table.pdf.)

13. Hansard, Feb. 2nd, 2006: Column 30WS.

14. ID fraud fi gures ‘infl ated to play on pub-lic fears’. Th e Times, 3rd Feb., 2006.

15. Home Aff airs Committee, Fourth Re-port of Session 2003–2004, Volume 1, July 20th, 2004.

Simon Davies is a Visiting Fellow in the Department of Information Systems of the LSE. He is co-mentor of the LSE’s Identity Project and is also director of Privacy International.

All consultations have produced concerns about law, social exclusion and technology. Statistical

evidence of the reliability of the system is lacking


A case of mistaken identity

Documents

Transcript of A case of mistaken identity