Thursday 31 May 2012

Some food for the thoughts of Jon Ungoed-Thomas and Philip Johnston – IdA/DWP

You weren't invited to Ovum's Industry Congress on 24 May 2011, were you, so you didn't hear Phil Pavitt's talk on the "frictionless services" that he says the public is demanding from HMRC.

Still, you can read about it in Computer World UK, where you will discover that Phil is the Chief Information Officer (CIO, i.e. what we used to call the "DP Manager") at HMRC and he says frictionless services require identity assurance (IdA).

He may be right about that, after all we don't know what a frictionless service is, but he must be wrong when he says: "We don't currently have ID authentication in UK government".

That's just not true. Some of us small businesses have been submitting our VAT returns online using the UK Government Gateway every three months for several years now and that requires ID authentication by the UK government. And millions of people use HMRC's self-assessment website for income tax, again via the Government Gateway.

Why does Phil make this false statement?

Because no-one in Whitehall likes the Government Gateway. It doesn't look anything like the front end of Amazon or eBay or Facebook or Google. They want the Government Gateway to go away, it's old and ugly and not the sort of accessory a hip young CIO wants to be seen dead wearing. It cost millions. It works. It seems to be secure. But it's got to go.

What will the IdA replacement look like? Not long to wait to find out now, says Phil, "in March of this year the Department for Work and Pensions (DWP) revealed plans that will see it be the first central government department to roll out identity assurance services, in a project that is set to cost £25 million".

£25 million? What's the betting that there's a 1 in front of that by the time the National Audit Office get to take a look? If we're lucky. Otherwise a 4. While even Oxfam won't want the old Government Gateway, already paid for, years of successful use behind it, but pensioned off in its prime.

What do we foresee? All together now – friction!




Some food for the thoughts of Jon Ungoed-Thomas and Philip Johnston – IdA/GDS

Those chaps in the Government Digital Service (GDS) get about a bit. California. Estonia. And now the White House.

GDS's job is to do Martha Lane Fox's bidding and make public services digital by default. In order to achieve that, they need to deliver an identity assurance service (IdA) and they were in Washington "to share, learn and collaborate with some of the key individuals and organisations in the US wrestling with the challenges of identity in cyberspace" including Senator Barbara Mikulski.

The encounter between these wrestlers "focused on the economic necessity of creating an ecosystem of trust both for individual users of the internet, who are overwhelmed by usernames and passwords, and for businesses where the increasing cost of fraud is offsetting the efficiency benefits from digital channels".

The notion that Whitehall could create an ecosystem of trust needs to be compared with the markets they have created to date, e.g. PFI.

Far from being overwhelmed by usernames and passwords, individuals worldwide appear to be using the web more and more. Of course what GDS are offering is yet more usernames and passwords. But with this difference. Theirs will be the only usernames and passwords we have to remember. They will act as gateways to all the other services we use. We will become entirely dependent on GDS and its various unicorn-hustler agents (Facebook, Google, ..., Mydex) to conduct any transactions with anyone. Can they be trusted in this rôle?

And the cost of fraud appears to be shrinking, not increasing. The only cloud on the horizon is DWP's Universal Credit scheme which, if it follows the government's independent learning accounts and tax credits, promises to be the locus of a fraud feeding frenzy.

But apart from that – three false propositions in one sentence, a record? – after a long bout, there was one result: "the Senator made it clear that volunteers are needed if the voluntary approach in the US is to be successful".

Gluttons for punishment, our GDS delegates went on from the White House to OIX, the Open Identity Exchange, where "there was great interest in what the UK Identity Assurance Programme is doing and an offer from OIX to help us achieve our goals – which we readily accepted".

Hands up everyone who remembers voting to have their identity traded on a US exchange?

Some food for the thoughts of Jon Ungoed-Thomas and Philip Johnston – midata/BIS

Wired magazine carried an article yesterday by Alan Mitchell promising that Personal data stores will liberate us from a toxic privacy battleground.

Alan Mitchell, you will remember, is the strategy director of Ctrl-Shift, a consultancy retained by the UK Department for Business Innovation and Skills (BIS) to work on their midata initiative. William Heath is a non-executive director of Ctrl-Shift. Alan Mitchell and William Heath are the founders of Mydex, a company bidding to supply personal data stores in the UK, thereby supposedly liberating us from a toxic privacy battleground.

Mr Mitchell did not find space in his article to mention any of that background but he did, quite properly, emphasise that personal data stores are only recommended if the individuals who use them to disseminate their personal data are guaranteed to have control over how that data is used.

We do not currently have that control. It doesn't exist. It might do in the future but it doesn't exist now. Ctrl-Shift's strategy therefore depends on something indistinguishable from unicorns, which also don't exist. From that point of view, Ctrl-Shift has a strategy problem.

Wired magazine describe Mr Mitchell as "a strategic advisor to the UK Government's Midata project". By the same token, the UK Government therefore has a strategy problem. midata can't work. It depends on something which doesn't exist.

Given which, why do BIS continue to pursue it?

A suggestion for Jon Ungoed-Thomas and Philip Johnston, published on a blog provided "free" by Google

Two articles in the Sunday Times by Jon Ungoed-Thomas – Your emails, sex secrets and health details – all harvested by Google and Google grabs secrets of private lives – and one in the Telegraph next day by Philip Johnston – That car in your street was a Google Street View search engine.

While Google was filming our streets it was also collecting information about our WiFi networks. Without permission and without telling anyone. That was a mistake, said Google when they were found out, which is an odd thing for Google to say. The whole point about Google is that they don't make mistakes.

The US Federal Communications Commission are fining Google $25,000 for impeding their investigation of the matter. Google had revenues in 2011 of $37.905 billion on which it made profits of $9.737 billion. The fine amounts to 81 seconds of profits and is thought not to have dealt a mortal blow to the company's share price.

According to Jon Ungoed-Thomas, Google's telecommunications interception system was designed by Mr Marius Milner, a Trinity College Cambridge maths graduate, who handed it over to Google recommending that they'd better get a ruling from a privacy lawyer before using it.

At which point the claim that Google's Street View cars used Mr Milner's system by mistake all over the world for several years starts to look a bit threadbare.

We all know that Google record our web searches and read our email and do something with the information they glean there about our preferences and interests. We never pay them for the use of any of their excellent services. We know there's something odd there. Where does the $38 billion annual revenue come from? We latter-day Dr Faustuses prefer not to ask.

Mr Johnston muses in his article about the attitude of the young today, incontinently spraying their personal information all over the web, no sense of decency, or privacy, no dignity. Or words to that effect. He is rewarded for this perfectly sensible observation by being called an "old fart" by one of Google's astrosurfers commenting below the line.

DMossEsq made a much politer comment but it was deleted. Several times. Every time it was submitted. So quickly that it must have been deleted by an automated old fart.

No such indignity on the Sunday Times website (a website readers pay for, incidentally), where the comment was published and is still there:
... Note that the Department of Business Innovation and Skills want Google to help provide us all with "personal data stores" as part of the department's midata project.

And that the Cabinet Office look to Google to provide us with electronic identities so that public services can all become "digital by default".

And that Whitehall's plans for a G-Cloud – a government cloud – rely on Google and others storing our data on their servers in a gigantic leap of faith in so-called "cloud computing".

HMG seems to be desperate to invite Google into our lives and to hand over the responsibility for public administration to Google in a re-run of the Pied Piper of Hamelin, http://www.dmossesq.com/2012/04/amazon-google-facebook-et-al-latter-day.html

Why? Have they given up? Is government too difficult for them?
There's the story Messrs Ungoed-Thomas and Johnston should be writing, surely – in the name of modernisation and transformational government, the middle-aged delinquents of Whitehall are openly planning to hand over our personal data en masse to Google and others. How much will that free lunch cost us?

Tuesday 29 May 2012

Protecting civilisation from the fingers of terror

Here's a quotation from an article in New Scientist magazine. You need to know that Visionics is a biometrics company that specialises in face recognition. Now you're an expert:
Airport security isn't the only use for face-recognition software: it has been put through its paces in other settings, too. One example is "face in the crowd" on-street surveillance, made notorious by a trial in the London Borough of Newham. Since 1998, some of the borough's CCTV cameras have been feeding images to a face-recognition system supplied by Visionics, and Newham has been cited by the company as a success and a vision of the future of policing. But in June this year, the police admitted to The Guardian newspaper that the Newham system had never even matched the face of a person on the street to a photo in its database of known offenders, let alone led to an arrest.
Admitted ... the police admitted ...

Clearly, the Newham police, for all sorts of human reasons, somehow entrapped themselves in a deception perpetrated on the public at public expense. Has it happened again?

Last week, Assistant Commissioner Mark Rowley was singing the praises of the mobile fingerprint readers now issued to policemen patrolling in 28 of the UK's 56 police forces. Home Office figures suggest that the flat print fingerprint technology used in these devices fails about 20% of the time.

Equally clearly, and to the credit of the Newham police, they finally extricated themselves from this fraud with their admission. Will that happen again?

How long before we read in New Scientist that:
... Assistant Commissioner Mark Rowley admitted to __________ that the MobileID initiative had never even matched the fingerprints of a person on the street to a set of dabs in its database of known offenders, let alone led to an arrest. In fact all it had achieved was to reduce the chances of a felon being taken down to the nick by a straight 20% at a stroke.
For anyone interested in the history of biometrics companies, i.e. how we got into this mess, please note that:
Please note also that the New Scientist article quoted above appeared in the 7 September 2002 issue of the magazine, nearly 10 years ago. The article is so full of important observations of mendacity, opportunism and technological incompetence still relevant today that it is further quoted with grateful acknowledgement below:
Face-off
I CAME here looking for an argument but I can't find one. All round this lofty exhibition hall - billed as the world's biggest market for security equipment - the people selling face-recognition systems are being disarmingly, infuriatingly honest ... I thought they'd at least attempt to defend the technology. When they don't, it's me who's caught off guard. Is it true that the systems can't recognise someone wearing sunglasses? Yes, they say. Is it true that if you turn your head and look to one side of the camera, it can't pick you out? Again, yes. What about if you simply don't keep your head still? They nod.

Maybe nine or ten months ago they would have risen to the bait. In those days the face-recognition industry was on a high. In the wake of 11 September, Visionics, a leading manufacturer, issued a fact sheet explaining how its technology could enhance airport security. They called it "Protecting civilization from the faces of terror". The company's share price skyrocketed, as did the stocks of other face-recognition companies, and airports across the globe began installing the software and running trials. As the results start to come in, however, the gloss is wearing off. No matter what you might have heard about face-recognition software, Big Brother it ain't ...

Image Metrics, a British company that develops image-recognition software, ... warned of the danger of exaggerated claims, saying that "an ineffective or poorly applied security technology is as dangerous as a poorly tested or inappropriately prescribed drug" ... to catch 90 per cent of suspects at an airport, face-recognition software would have to raise a huge number of false alarms. One in three people would end up being dragged out of the line - and that's assuming everyone looks straight at the camera and makes no effort to disguise themselves ...

Palm Beach International Airport in Florida released the initial results of a trial using a Visionics face-recognition system. The airport authorities loaded the system with photographs of 250 people, 15 of whom were airport employees. The idea was that the system would recognise these employees every time they passed in front of a camera. But, the airport authorities admitted, the system only recognised the volunteers 47 per cent of the time while raising two or three false alarms per hour ...

To give themselves the best chance of picking up suspects, operators can set the software so that it doesn't have to make an exact match before it raises the alarm. But there's a price to pay: the more potential suspects you pick up, the more false alarms you get. You have to get the balance just right. Visionics - now called Identix after merging with a fingerprint-scanning company in June - is quick to blame its system's lacklustre performance on operators getting these settings wrong ...

Numerous studies have shown that people are surprisingly bad at matching photos to real faces. A 1997 experiment to investigate the value of photo IDs on credit cards concluded that cashiers were unable to tell whether or not photographs matched the faces of the people holding them. The test, published in Applied Cognitive Psychology (vol 11, p 211), found that around 66 per cent of cashiers wrongly rejected a transaction and more than 50 per cent accepted a transaction they should have turned down. The report concluded that people's ability to match faces to photographs was so poor that introducing photo IDs on credit cards could actually increase fraud.

The way people change as they age could also be a problem. A study by the US National Institute of Standards and Technology investigated what happens when a face-recognition system tries to match up two sets of mugshots taken 18 months apart. It failed dismally, with a success rate of only 57 per cent.

There's another fundamental problem with using face-recognition software to spot terrorists: good pictures of suspects are hard to come by ...

Very few security personnel at American airports have CIA clearance, so they aren't allowed to see the images. "Until they've got cleared personnel in each of those airports they can't stop terrorists getting on planes," says Iain Drummond, chief executive of Imagis technologies, a biometrics company based in Vancouver, Canada ...

Airport security isn't the only use for face-recognition software: it has been put through its paces in other settings, too. One example is "face in the crowd" on-street surveillance, made notorious by a trial in the London Borough of Newham. Since 1998, some of the borough's CCTV cameras have been feeding images to a face-recognition system supplied by Visionics, and Newham has been cited by the company as a success and a vision of the future of policing. But in June this year, the police admitted to The Guardian newspaper that the Newham system had never even matched the face of a person on the street to a photo in its database of known offenders, let alone led to an arrest.
There are more of these gems available in the DMossEsq treasure trove of mendacity, Biometrics: guilty until proven innocent.

Look at the Image Metrics quotation above, "an ineffective or poorly applied security technology is as dangerous as a poorly tested or inappropriately prescribed drug". Prescription drugs are subject to extensive testing before the regulators will sanction their release to the public. Without that, we'd all be dead. The same goes for aircraft design. Without the Civil Aviation Authority, a lot more of us would be dead.

There is none of that open, public, peer-reviewed testing regime when it comes to the government wasting our money on biometrics. Try to find out what justification there is for Whitehall's decision to invest in biometrics and you get a two-year court case and no information.

There is no good reason for this peculiar asymmetry.

How do we avoid the recurrence of Newham-style embarrassments?

It's about time the Office for National Statistics was involved in Whitehall technology decisions and that initiatives which depend on reliable technology should not be allowed to incur substantial public expenditure before and unless the ONS has agreed and published official statistics supporting the business case.

Monday 28 May 2012

GreenInk 7 – A good day for criminals

Let's see if the Telegraph publish this:
From: David Moss
Sent: 28 May 2012 12:18
To: 'dtletters@telegraph.co.uk'
Subject: A good day for criminals

Sir

On 23 May 2012 the Metropolitan Police issued a press release announcing that they are now using mobile fingerprint equipment. Patrolling policemen will check the fingerprints of suspects they have stopped in the street and let them go if their prints are not on file, thereby saving time.

The only figures published by the Home Office suggest that this fingerprinting technology fails about 20 percent of the time – in about 20 percent of cases no match will be made even if the subject's prints are on file. Which suggests that the chances of guilty people being taken down to the station and arrested have just dropped by about 20 percent. Not only in the Met but in 27 other police forces.


Perhaps Nick Herbert, the policing minister at the Home Office, would like to comment on this new way of saving police time.

Yours
David Moss

Thursday 24 May 2012

Police forces all over the UK are introducing mobile fingerprint equipment. Result? Approximately 20% of the criminals who would otherwise have been taken down to the station will now be asked politely to go on their way


The Guardian tell us today that the Metropolitan Police have bought themselves some new equipment – mobile fingerprint readers. They are the 25th UK force to do so.

It all seems very sensible:
One of the aims of the technology is to cut the number of trips police make to the police station, so that officers can spend more time on the frontline.

Mark Rowley, assistant commissioner at the Met, said: "Evidence has shown that a full identification arrest can tie-up both the subject and the police officer for several hours. Even a traditional identity check conducted on the street can take an extended period of time to complete.

"It is effective particularly in revealing serious and violent offenders who will do everything they can to prevent the police from knowing their true identities."
It isn't.

Because the failure rate on this technology is about 20%*.

In the case of people whose fingerprints are on file, about 20%* of the time that fact will not be discovered using this technology.

To be slightly more technical:
  • When the Home Office tested flat print fingerprinting in the UKPS biometrics enrolment trial back in 2004 they found that the false non-match rate was 19 or 20 percent*. Nick Herbert, say, would be told by the system that he was not Nick Herbert. His prints didn't match anything on the database. A non-match. A false non-match, as it happens, as Nick Herbert had just registered his prints on the database five minutes before.
  • That's how the trial was conducted. 10,000 of us registered our faces and our fingerprints and our irisprints and five minutes later we tested to see if we could have our identity verified using one or other of those biometrics. Flat print fingerprints failed 19-20 percent of the time. Face recognition failed between 31 and 52 percent of the time which is why the smart gates at our airports and every other instance of automated face recognition are guaranteed to be a waste of time and money.
Nick Herbert is the policing minister. He and the Home Office have not published the results of any flat print fingerprint trials since then. At least one trial has been performed:
The NPIA signed a contract with 3M Cogent in 2010 for mobile fingerprint identification devices. The deal followed field trials involving 28 police forces using Lantern devices to test how mobile fingerprinting performed in an operational environment.
But the Home Office refuse to publish the results. So as far as we know – we, the public – the false non-match rate remains approximately 20%.

Which means that out of all the wanted criminals who are stopped and whose prints are on IDENT1 – the national fingerprint database – 20% will falsely not match and be allowed to go on their way.

There's a question for Mr Herbert forming at the back of your mind, isn't there – do you know what you're doing?

If he wants to prove that the answer is yes, and that he's not undermining the fight against crime and wasting our money at the same time, then Mr Herbert must publish the Lantern trial results. Nothing else will be convincing.

The chances of the Home Office publishing those results? See yesterday's hell-freezes-over press release.

It's not just DMossEsq:
----------

* Please see UK Passport Service Biometrics Enrolment Trial Report May 2005, Management Summary, Key Findings, para.1.2.1.4, p.10:
Fingerprint verification success

• The majority of participants achieved successful verification on fingerprint, with rates of 81% for Quota participants and 80% for Disabled participants. One of the factors influencing failure was that the single fingerprint device used for verification occasionally did not record sufficient detail from the fingers.

• Younger participants had a higher fingerprint verification success rate than older participants.

Updated 20.2.18

It's nearly four years since the blog post above was published. Not a single success story for mobile fingerprinting has been told. Four years. Zero results.

Unabashed, Yorkshire cops have begun using on-the-spot fingerprint scanners.

The difference this time is that the policemen on the street will be able to interrogate not just IDENT1 – the national criminal fingerprint database – but also IABS, the Immigration and Asylum Biometrics System: "The scanners link up to an app on cops' smartphones – which is already available to all 5,500 frontline officers – and run the prints against the UK's criminal fingerprint and biometrics database (IDENT1) and the Immigration and Asylum Biometrics System (IABS)".

What is unchanged is the 20% figure. It remains the case that 20% of those stopped by the police will be falsely not matched. Thanks to this flaky biometrics technology, wanted criminals will be asked to move along when actually they should be detained.


Wednesday 23 May 2012

The Home Office, Heathrow Airport, the security of the UK border and the safety of the Olympics

Here's a copy of a press release that's just been issued. Forgot to mention the French. Zut. They're lapping it up, too, just like the Indians.




PRESS RELEASE

To:

Home Office

OIG (re US-VISIT)

IDABC (re OSCIE)

China (re Golden Shield)

Pakistan (re NADRA)

FBI (re NGI)

UIDAI (re Aadhaar)

Agencies

The Home Office – Misfeasance in public office
23 May 2012
Six questions for editors to ponder:
  • The Home Office have been asked to reassure the public by publishing a justification for spending public money on biometrics technology they've previously proved to be useless. For 2½ years they've refused. Nor did they present any evidence as to the reliability of their chosen biometrics to the court. Why? Is it because they can't? Is it because there is no justification and our money is, indeed, being wasted?
  • The court sees no iniquity in that potential waste of money and describes it as not "in itself or in any way material". If this isn't an iniquity, what is?
  • We are assured by the Home Office and the court that the procurement of IABS didn't break any UK or EU rules. That finding of the court is accepted but so what? The Home Office are still refusing to release the IBM trial report to the public. They go further. The Home Office say the trial was conducted under such specific constraints that reading the report wouldn’t tell the public much. In other words they admit that they have no justification whatever for spending our money on biometrics. The procurement complies with the rules but it could still be iniquitous and the Home Office could still be guilty of misfeasance in public office.
  • Dame Helen Ghosh, Permanent Secretary at the Home Office, told the Home Affairs Committee that "... there are plans ... to reduce the staff of the Border Force by around 900 people ... that is driven as much by technological introductions like e-gates, as well as a risk-based approach. Border Force will be getting smaller". Is it wise to replace human beings with technology that costs more and doesn't work?
  • Rob Whiteman, Chief Executive of what's left of the UK Border Agency, says of IABS in the March 2012 issue of the staff magazine that "the system, delivered by the agency in partnership with Suppliers IBM, Morpho, Fujitsu, Atos Origin and Software AG, is the first multi-modal biometric matching system. It provides greater accuracy in fingerprint matching together with an integrated facial matching element. It delivers a more comprehensive service, underpinning the agency’s objective to secure our border and reduce immigration". It isn't the first. Pakistan's was the first, and much good it's done that unfortunate country. The IABS biometrics provided by Morpho could be more reliable than the previous system but still useless. Just a little less useless. Is Mr Whiteman misleading his staff as to the history and the reliability of UKBA's biometrics?
  • Sir David Normington, Dame Helen's predecessor, caused Lin Homer and Brodie Clark to write to David Moss asserting that smart gates were being installed at UK airports on the basis of a trial at Manchester Airport. When John Vine, the Independent Chief Inspector of the UK Border Agency, as he then was, reported on his May 2010 inspection of Manchester Airport, he said "we could find no overall plan to evaluate the success or otherwise of the facial recognition gates at Manchester Airport and would urge the Agency to do so [as] soon as possible". This evidence of the Home Office consistently misleading the public, Parliament, ministers, the media and its staff was put before the court. The Home Office made no response. Neither did the court in its decision. The allegation is a serious one. Why doesn't it warrant a response?
At the oral hearing in the matter of David Moss v Information Commissioner and the Home Office held on 24 February 2012, David Moss turned up in court and so did the Information Commissioner's staff and his barrister, but the Home Office didn't.
Why not?
The hearing concerned the Home Office's Immigration and Asylum Biometric System. IABS was due to go live at the border by the end of 2011 under the direction of Ms Jackie Keane, a senior civil servant at the UK Border Agency. She missed that date but bits of IABS went live at the end of February, with the results we all saw in the ensuing weeks: "Heathrow at 'breaking' point as Border Force struggles to cope, leaked memos warn", "‘Minister lying over Heathrow queues’ says BA chief", and so on. We may surmise that the Home Office were too busy to attend.
On the other hand, the barrister who has represented the Home Office since the case began a year ago was there in court, except that this time he was representing IBM.
Why?
Because IABS is an IBM contract. It was awarded to them in 2009.
Stacked to the rafters with Nobel prize-winners in most disciplines, nevertheless IBM had no particular expertise in biometrics and no products of their own. They arranged a competition between six biometrics companies and chose Sagem Sécurité (now Morpho) as the best. In the process, they also made good their lack of biometrics expertise – in fact, IBM played a blinder there.
IABS was initially estimated to be worth £265 million and a lot of that money – public money, your money and mine – is being wasted according to David Moss because the biometrics chosen by the Home Office don't work. That's what the case is about.
You know they don't work. You read the BBC's report on the year-long trial of biometrics, "ID cards scheme dubbed 'a farce'". You read the Telegraph's report on the smart gates installed at UK airports, "Airport face scanners 'cannot tell the difference between Osama bin Laden and Winona Ryder'". You watched Brodie Clark tell the Home Affairs Committee that fingerprint checks are the least reliable identity/security checks made at the border, the ninth and bottom priority for his (now ex-)Border Force officers and the most sensible check to drop when the queues build up and threaten to get out of control.
David Moss lost the case anyway. It was a 2-to-1 majority decision against, a sort of a Minority Report 2 – they may not work at Heathrow or anywhere else in the real world but biometrics are the bee's knees in Hollywood films.
With the explicit permission of the court and the Home Office and the Information Commissioner you can read IBM's evidence in the case, please see attached. IBM's Commercial Director on IABS, Mr Nicholas Swain, explains that all the testing on biometrics was done by IBM and the results belong to IBM and that's why the public aren't allowed to see them despite paying for IABS. We're just meant to suppose that IABS will help to make the border secure and keep the Olympics safe despite all the respectable published evidence to the contrary. You can read Jackie Keane's evidence, too. She agrees with Nick.
It was all IBM's idea according to Ms Keane. OK, the Home Office gave IBM five million pairs of fingerprints to use as test data. And the Home Office specified the acceptance tests that had to be passed. And the Home Office agreed to pay IBM £265 million. But that's all.
It's been a long haul. It goes back 2½ years to a Freedom of Information request submitted on 6 January 2010. And it's not over yet because the other day David Moss submitted an application for permission to appeal. This could go on for years more.
While we're waiting for closure, we have those six questions above to ponder. And this one – what's IABS really about? It's obviously nothing to do with biometrics, as the court effectively acknowledges at paragraph 8 of its decision.
All relevant documents can be discovered at:




Notes to editors

1. As the Treasury Solicitors say (30 April 2012), "the submissions and open evidence lodged with the Tribunal in this case were relied upon and put in evidence at a hearing held in public". We really do all have permission to quote from this material and to comment on it.

2. Without wishing in any way to "lead" you, it is suggested that it will be most fruitful to start with the evidence submitted by the Home Office and IBM. And the evidence of Professor Ross Anderson at the University of Cambridge Computer Laboratory who points out that the banks have rejected biometrics as being too unreliable and asks why in that case do the Home Office trust them?

3. The background to this case is set out in the first few pages of the appeal document and centres on Whitehall’s competence and its duty to acknowledge the supremacy of Parliament, a subject which you will see there exercises the Home Affairs Committee.

4. Where does this story fit in the newspaper or on the radio/TV current affairs programme? Not on the fashion pages perhaps, but certainly in horoscopes and probably almost anywhere else – UK news, international news (they're all at it, look at India), EU news (the European Commission love biometrics and "eIDs", electronic identities), Westminster/politics, Whitehall/governance, the business pages, law reports/the Constitution, travel, sport (c.f. security at the Olympics generally and specifically UKBA's trip to Istanbul for the world wrestling championships to collect biometrics), the technology pages, cartoons, the crossword, ...




About David Moss
David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.

----------

Updated 21.2.18

It's getting on for six years since the blog post above was published.

Nothing has changed as far as the Home Office are concerned:
  • Despite their record, the Home Office are still in charge of UK border control and they still find it a challenge, to put it politely; please see "Border Force not ready for extra checks, claim MPs" and "Time has run out for May’s Brexit immigration plan".
  • The director of strategy and transformation at the UK Border Force is Mr Christophe Prince according to his LinkedIn entry, the same man who was a deputy director of the UK Border Agency (RIP) for the three years 2006-09.
  • And the UK Border Force still relies on IABS, the Immigration and Asylum Biometrics System, run for the moment by IBM and still relying on Morpho biometrics technology.
In the outside world things have moved on a little:
  • The UK Government Digital Service (GDS) have contracted with Morpho to supply "identity provider" services to GOV.UK Verify (RIP), the failed identity assurance scheme.
  • GDS have stated it as a strategic objective of theirs to incorporate more biometrics into public services on the basis that it's innovative to do so.
  • And Safran have sold Morpho to private equity investors, who have changed its name to Idemia.
Idemia gets about a bit. It always has, whatever it was called at the time.

In 2012 they were found guilty of bribery to win business in Nigeria. The bribery of which they were found guilty took place between 2000 and 2003. They appealed and had the verdict overturned in 2015.

There was a spot of bother in Kenya when the opposition party claimed that Idemia had cost them the August 2017 general election. It was the devil's own job for the Kenyan authorities to have the October re-run conducted the way they wanted, and not Idemia.

There was the earlier problem revealed by Naomi Klein in 2008 when she discovered that face recognition technology being used in Operation Golden Shield had been sold to China by L-1 Identity Solutions, Inc., a company subsequently bought by Idemia. That trade is against the law in the US. It is barred by the US Commerce Department's Bureau of Industry and Security post-Tiananmen export controls.

Everything seemed to be going profitably enough for Idemia in India, where their products are used for biometric registration under Aadhaar, the identity assurance scheme for 1.2 billion Indians, until ...

... enter Russia. Idemia allegedly bought some Russian software and inserted it into its own products to improve performance but didn't tell anyone.

Now that some disaffected Idemia ex-employees have made this allegation, the Indians are a little nonplussed. Rather as the Americans may be, also: "The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department", not to mention the FBI. Cue fears of cyber-espionage being carried out by software buried deep in the security, military and justice systems.

What goes around comes around. The Indians are also worried about allegations that some other software they use in Aadhaar has CIA tools hidden in it but that's another story.

The question here is, do GDS and the Home Office want anything to do with Idemia? How well-prepared are they? Why take the risk? What's the point? After all, it's not as though the biometrics works.
