RIP IDA – 12 years after promising a way for employers to check the right of a prospective recruit to work in the UK, the Home Office introduces a partial service based on unproven technology

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

Online right to work checks – that's a press release, by the Home Office, 14 December 2018: "Employers will be able to rely on an online Right to Work Checking Service to demonstrate compliance with illegal working legislation".

Pretty good, you may say, well done the Home Office, very 21st century, faced with a prospective recruit how does an employer establish their right to work in the UK? Answer, on-line.

Modern. Quick. Efficient. Definitive.

Or is it?

Cast your mind back. Cast it back before yesterday. And even before 14 December 2018. Cast it back exactly 12 years, all the way back to 14 December 2006, when the Home Office published their first so-called Strategic Action Plan for the National Identity Scheme.

Turn to Annex 1 on p.25 and you'll see that the Home Office planned strategically for the Immigration and Nationality Directorate to have an "enhanced employee checking service available for employers" six months later, in June 2007.

In the event it took 12 years. Not six months. 12 years.

It's 11 years since DMossEsq wrote about this matter, Not working in the UK. "Why hasn't this strategic action been performed by IPS [the Identity and Passport Service as was, now Her Majesty's Passport Office]?", he asked in January 2008, and "Is there perhaps a problem with the biometrics?".

The Home Office have given us no reason in the interim to believe that the biometrics their employee checking service depends on are reliable ...

... but rely on them they do, as they told us in last month's press release: "The online Right to Work Checking Service can be used by non-EEA nationals who hold biometric residence permits or biometric residence cards ...".

Even after 12 years that little matter remains outstanding, we're not quite there yet, there's an on-line service but we can't be sure that it identifies prospective employees reliably.

And the service isn't universal.

It doesn't handle any non-EEA nationals who don't have these cards, it doesn't handle all EEA nationals and UK nationals without a passport can supposedly demonstrate their right to work by producing "short birth or adoption certificates, which they can get for free, instead of the long versions".

Surely GOV.UK Verify (RIP) could help to assure employers that the person in front of them is who the birth certificate or plastic card says they are and has the right to work in the UK?

Apparently not.

Maybe in another 12 years.

Good job (sic) there's no hurry.

RIP IDA – 12 years after promising an on-line way for employers to check the right of a prospective recruit to work in the UK, the Home Office introduces a partial service based on unproven technology

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

Online right to work checks – that's a press release, by the Home Office, 14 December 2018: "Employers will be able to rely on an online Right to Work Checking Service to demonstrate compliance with illegal working legislation".

Pretty good, you may say, well done the Home Office, very 21st century, faced with a prospective recruit how does an employer establish their right to work in the UK? Answer, on-line.

Modern. Quick. Efficient. Definitive.

Or is it?

Police forces all over the UK are introducing mobile fingerprint equipment. Result? Approximately 20% of the criminals who would otherwise have been taken down to the station will now be asked politely to go on their way

The Guardian tell us today that the Metropolitan Police have bought themselves some new equipment – mobile fingerprint readers. They are the 25th UK force to do so.

It all seems very sensible:

One of the aims of the technology is to cut the number of trips police make to the police station, so that officers can spend more time on the frontline. Mark Rowley, assistant commissioner at the Met, said: "Evidence has shown that a full identification arrest can tie-up both the subject and the police officer for several hours. Even a traditional identity check conducted on the street can take an extended period of time to complete. "It is effective particularly in revealing serious and violent offenders who will do everything they can to prevent the police from knowing their true identities."

It isn't.

Because the failure rate on this technology is about 20%*.

In the case of people whose fingerprints are on file, about 20%* of the time that fact will not be discovered using this technology.

To be slightly more technical:

• When the Home Office tested flat print fingerprinting in the UKPS biometrics enrolment trial back in 2004 they found that the false non-match rate was 19 or 20 percent*. Nick Herbert, say, would be told by the system that he was not Nick Herbert. His prints didn't match anything on the database. A non-match. A false non-match, as it happens, as Nick Herbert had just registered his prints on the database five minutes before.
• That's how the trial was conducted. 10,000 of us registered our faces and our fingerprints and our irisprints and five minutes later we tested to see if we could have our identity verified using one or other of those biometrics. Flat print fingerprints failed 19-20 percent of the time. Face recognition failed between 31 and 52 percent of the time which is why the smart gates at our airports and every other instance of automated face recognition are guaranteed to be a waste of time and money.

Nick Herbert is the policing minister. He and the Home Office have not published the results of any flat print fingerprint trials since then. At least one trial has been performed:

The NPIA signed a contract with 3M Cogent in 2010 for mobile fingerprint identification devices. The deal followed field trials involving 28 police forces using Lantern devices to test how mobile fingerprinting performed in an operational environment.

But the Home Office refuse to publish the results. So as far as we know – we, the public – the false non-match rate remains approximately 20%.

Which means that out of all the wanted criminals who are stopped and whose prints are on IDENT1 – the national fingerprint database – 20% will falsely not match and be allowed to go on their way.

There's a question for Mr Herbert forming at the back of your mind, isn't there – do you know what you're doing?

If he wants to prove that the answer is yes, and that he's not undermining the fight against crime and wasting our money at the same time, then Mr Herbert must publish the Lantern trial results. Nothing else will be convincing.

The chances of the Home Office publishing those results? See yesterday's hell-freezes-over press release.

It's not just DMossEsq:

• See also for example the Freedom of Information work being done on Project Lantern by the indefatigable Andrew Watson.
• John Vine, the Independent Chief Inspector of the UK Border Agency has revealed the mendacity behind the use of face recognition biometrics and flat print fingerprints – see his report on the Brodie Clark affair, para.3.13, the UK Border Force have had just seven hits in over two years of using this technology on visa nationals.
• Brodie Clark told the Home Affairs Committee that fingerprint checks are the least reliable identity/security checks made by Border Force staff, their ninth and bottom priority.
• And the Home Affairs Committee are getting ever more outspoken about the recalcitrance of the Home Office, unconstitutionally refusing to disclose information to Parliament.

----------

* Please see UK Passport Service Biometrics Enrolment Trial Report May 2005, Management Summary, Key Findings, para.1.2.1.4, p.10:

Fingerprint verification success • The majority of participants achieved successful verification on fingerprint, with rates of 81% for Quota participants and 80% for Disabled participants. One of the factors influencing failure was that the single fingerprint device used for verification occasionally did not record sufficient detail from the fingers. • Younger participants had a higher fingerprint verification success rate than older participants.

Updated 20.2.18

It's nearly four years since the blog post above was published. Not a single success story for mobile fingerprinting has been told. Four years. Zero results.

Unabashed, Yorkshire cops have begun using on-the-spot fingerprint scanners.

The difference this time is that the policemen on the street will be able to interrogate not just IDENT1 – the national criminal fingerprint database – but also IABS, the Immigration and Asylum Biometrics System: "The scanners link up to an app on cops' smartphones – which is already available to all 5,500 frontline officers – and run the prints against the UK's criminal fingerprint and biometrics database (IDENT1) and the Immigration and Asylum Biometrics System (IABS)".

What is unchanged is the 20% figure. It remains the case that 20% of those stopped by the police will be falsely not matched. Thanks to this flaky biometrics technology, wanted criminals will be asked to move along when actually they should be detained.

Police forces all over the UK are introducing mobile fingerprint equipment. Result? Approximately 20% of the criminals who would otherwise have been taken down to the station will now be asked politely to go on their way

The Guardian tell us today that the Metropolitan Police have bought themselves some new equipment – mobile fingerprint readers. They are the 25th UK force to do so.

It all seems very sensible:

One of the aims of the technology is to cut the number of trips police make to the police station, so that officers can spend more time on the frontline. Mark Rowley, assistant commissioner at the Met, said: "Evidence has shown that a full identification arrest can tie-up both the subject and the police officer for several hours. Even a traditional identity check conducted on the street can take an extended period of time to complete. "It is effective particularly in revealing serious and violent offenders who will do everything they can to prevent the police from knowing their true identities."

It isn't.

The Home Office, Heathrow Airport, the security of the UK border and the safety of the Olympics

Here's a copy of a press release that's just been issued. Forgot to mention the French. Zut. They're lapping it up, too, just like the Indians.

PRESS RELEASE

To:

Home Office

OIG (re US-VISIT)

IDABC (re OSCIE)

China (re Golden Shield)

Pakistan (re NADRA)

FBI (re NGI)

UIDAI (re Aadhaar)

Agencies

The Home Office – Misfeasance in public office

23 May 2012

Six questions for editors to ponder:

• The Home Office have been asked to reassure the public by publishing a justification for spending public money on biometrics technology they've previously proved to be useless. For 2½ years they've refused. Nor did they present any evidence as to the reliability of their chosen biometrics to the court. Why? Is it because they can't? Is it because there is no justification and our money is, indeed, being wasted?
• The court sees no iniquity in that potential waste of money and describes it as not "in itself or in any way material". If this isn't an iniquity, what is?
• We are assured by the Home Office and the court that the procurement of IABS didn't break any UK or EU rules. That finding of the court is accepted but so what? The Home Office are still refusing to release the IBM trial report to the public. They go further. The Home Office say the trial was conducted under such specific constraints that reading the report wouldn’t tell the public much. In other words they admit that they have no justification whatever for spending our money on biometrics. The procurement complies with the rules but it could still be iniquitous and the Home Office could still be guilty of misfeasance in public office.
• Dame Helen Ghosh, Permanent Secretary at the Home Office, told the Home Affairs Committee that "... there are plans ... to reduce the staff of the Border Force by around 900 people ... that is driven as much by technological introductions like e-gates, as well as a risk-based approach. Border Force will be getting smaller". Is it wise to replace human beings with technology that costs more and doesn't work?
• Rob Whiteman, Chief Executive of what's left of the UK Border Agency, says of IABS in the March 2012 issue of the staff magazine that "the system, delivered by the agency in partnership with Suppliers IBM, Morpho, Fujitsu, Atos Origin and Software AG, is the first multi-modal biometric matching system. It provides greater accuracy in fingerprint matching together with an integrated facial matching element. It delivers a more comprehensive service, underpinning the agency’s objective to secure our border and reduce immigration". It isn't the first. Pakistan's was the first, and much good it's done that unfortunate country. The IABS biometrics provided by Morpho could be more reliable than the previous system but still useless. Just a little less useless. Is Mr Whiteman misleading his staff as to the history and the reliability of UKBA's biometrics?
• Sir David Normington, Dame Helen's predecessor, caused Lin Homer and Brodie Clark to write to David Moss asserting that smart gates were being installed at UK airports on the basis of a trial at Manchester Airport. When John Vine, the Independent Chief Inspector of the UK Border Agency, as he then was, reported on his May 2010 inspection of Manchester Airport, he said "we could find no overall plan to evaluate the success or otherwise of the facial recognition gates at Manchester Airport and would urge the Agency to do so [as] soon as possible". This evidence of the Home Office consistently misleading the public, Parliament, ministers, the media and its staff was put before the court. The Home Office made no response. Neither did the court in its decision. The allegation is a serious one. Why doesn't it warrant a response?

At the oral hearing in the matter of David Moss v Information Commissioner and the Home Office held on 24 February 2012, David Moss turned up in court and so did the Information Commissioner's staff and his barrister, but the Home Office didn't.

Why not?

The hearing concerned the Home Office's Immigration and Asylum Biometric System. IABS was due to go live at the border by the end of 2011 under the direction of Ms Jackie Keane, a senior civil servant at the UK Border Agency. She missed that date but bits of IABS went live at the end of February, with the results we all saw in the ensuing weeks, Heathrow at 'breaking' point as Border Force struggles to cope, leaked memos warn, ‘Minister lying over Heathrow queues’ says BA chief, and so on. We may surmise that the Home Office were too busy to attend.

On the other hand, the barrister who has represented the Home Office since the case began a year ago was there in court, except that this time he was representing IBM.

Why?

Because IABS is an IBM contract. It was awarded to them in 2009.

Stacked to the rafters with Nobel prize-winners in most disciplines, nevertheless IBM had no particular expertise in biometrics and no products of their own. They arranged a competition between six biometrics companies and chose Sagem Sécurité (now Morpho) as the best. In the process, they also made good their lack of biometrics expertise – in fact, IBM played a blinder there.

IABS was initially estimated to be worth £265 million and a lot of that money – public money, your money and mine – is being wasted according to David Moss because the biometrics chosen by the Home Office don't work. That's what the case is about.

You know they don't work. You read the BBC's report on the year-long trial of biometrics, ID cards scheme dubbed 'a farce'. You read the Telegraph's report on the smart gates installed at UK airports, Airport face scanners 'cannot tell the difference between Osama bin Laden and Winona Ryder'. You watched Brodie Clark tell the Home Affairs Committee that fingerprint checks are the least reliable identity/security checks made at the border, the ninth and bottom priority for his (now ex-)Border Force officers and the most sensible check to drop when the queues build up and threaten to get out of control.

David Moss lost the case anyway. It was a 2-to-1 majority decision against, a sort of a Minority Report 2 – they may not work at Heathrow or anywhere else in the real world but biometrics are the bee's knees in Hollywood films.

With the explicit permission of the court and the Home Office and the Information Commissioner you can read IBM's evidence in the case, please see attached. IBM's Commercial Director on IABS, Mr Nicholas Swain, explains that all the testing on biometrics was done by IBM and the results belong to IBM and that's why the public aren't allowed to see them despite paying for IABS. We're just meant to suppose that IABS will help to make the border secure and keep the Olympics safe despite all the respectable published evidence to the contrary. You can read Jackie Keane's evidence, too. She agrees with Nick.

It was all IBM's idea according to Ms Keane. OK, the Home Office gave IBM five million pairs of fingerprints to use as test data. And the Home Office specified the acceptance tests that had to be passed. And the Home Office agreed to pay IBM £265 million. But that's all.

It's been a long haul. It goes back 2½ years to a Freedom of Information request submitted on 6 January 2010. And it's not over yet because the other day David Moss submitted an application for permission to appeal. This could go on for years more.

While we're waiting for closure, we have those six questions above to ponder. And this one – what's IABS really about? It's obviously nothing to do with biometrics, as the court effectively acknowledges at paragraph 8 of its decision.

All relevant documents can be discovered at:

http://dematerialisedid.com/bcsl/foi.html

---

Notes to editors

1. As the Treasury Solicitors say (30 April 2012), "the submissions and open evidence lodged with the Tribunal in this case were relied upon and put in evidence at a hearing held in public". We really do all have permission to quote from this material and to comment on it.

2. Without wishing in any way to "lead" you, it is suggested that it will be most fruitful to start with the evidence submitted by the Home Office and IBM. And the evidence of Professor Ross Anderson at the University of Cambridge Computer Laboratory who points out that the banks have rejected biometrics as being too unreliable and asks why in that case do the Home Office trust them?

3. The background to this case is set out in the first few pages of the appeal document and centres on Whitehall’s competence and its duty to acknowledge the supremacy of Parliament, a subject which you will see there exercises the Home Affairs Committee.

4. Where does this story fit in the newspaper or on the radio/TV current affairs programme? Not on the fashion pages perhaps, but certainly in horoscopes and probably almost anywhere else – UK news, international news (they're all at it, look at India), EU news (the European Commission love biometrics and "eIDs", electronic identities), Westminster/politics, Whitehall/governance, the business pages, law reports/the Constitution, travel, sport (c.f. security at the Olympics generally and specifically UKBA's trip to Istanbul for the world wrestling championships to collect biometrics), the technology pages, cartoons, the crossword, ...

---

About David Moss
David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.

----------

Updated 21.2.18

It's getting on for six years since the blog post above was published.

Nothing has changed as far as the Home Office are concerned:

• Despite their record, the Home Office are still in charge of UK border control and they still find it a challenge, to put it politely, please see Border Force not ready for extra checks, claim MPs and Time has run out for May’s Brexit immigration plan.
• The director of strategy and transformation at the UK Border Force is Mr Christophe Prince according to his LinkedIn entry, the same man who was a deputy director of the UK Border Agency (RIP) for the three years 2006-09.
• And the UK Border Force still relies on IABS, the Immigration and Asylum Biometrics System, run for the moment by IBM and still relying on Morpho biometrics technology.

In the outside world things have moved on a little:

• The UK Government Digital Service (GDS) have contracted with Morpho to supply "identity provider" services to GOV.UK Verify (RIP), the failed identity assurance scheme.
• GDS have stated it as a strategic objective of theirs to incorporate more biometrics into public services on the basis that it's innovative to do so.
• And Safran have sold Morpho to private equity investors, who have changed its name to Idemia.

Idemia gets about a bit. It always has, whatever it was called at the time.

In 2012 they were found guilty of bribery to win business in Nigeria. The bribery of which they were found guilty took place between 2000 and 2003. They appealed and had the verdict overturned in 2015.

There was a spot of bother in Kenya when the opposition party claimed that Idemia had cost them the August 2017 general election. It was the devil's own job for the Kenyan authorities to have the October re-run conducted the way they wanted, and not Idemia.

There was the earlier problem revealed by Naomi Klein in 2008 when she discovered that face recognition technology being used in Operation Golden Shield had been sold to China by L-1 Identity Solutions, Inc., a company subsequently bought by Idemia. That trade is against the law in the US. It is barred by the US Commerce Department's Bureau of Industry and Security post-Tiananmen export controls.

Everything seemed to be going profitably enough for Idemia in India, where their products are used for biometric registration under Aadhaar, the identity assurance scheme for 1.2 billion Indians, until ...

... enter Russia. Idemia allegedly bought some Russian software and inserted it into its own products to improve performance but didn't tell anyone.

Now that some disaffected Idemia ex-employees have made this allegation, the Indians are a little non-plussed. Rather as the Americans may be, also: "The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department", not to mention the FBI. Cue fears of cyber-espionage being carried out by software buried deep in the security, military and justice systems.

What goes around comes around. The Indians are also worried about allegations that some other software they use in Aadhaar has CIA tools hidden in it but that's another story.

The question here is, do GDS and the Home Office want anything to do with Idemia? How well-prepared are they? Why take the risk? What's the point? After all, it's not as though the biometrics works.

The Home Office, Heathrow Airport, the security of the UK border and the safety of the Olympics

Here's a copy of a press release that's just been issued. Forgot to mention the French. Zut. They're lapping it up, too, just like the Indians.

PRESS RELEASE

To:

Home Office

OIG (re US-VISIT)

IDABC (re OSCIE)

China (re Golden Shield)

Pakistan (re NADRA)

FBI (re NGI)

UIDAI (re Aadhaar)

Agencies

The Home Office – Misfeasance in public office

23 May 2012

Six questions for editors to ponder:

• The Home Office have been asked to reassure the public by publishing a justification for spending public money on biometrics technology they've previously proved to be useless. For 2½ years they've refused. Nor did they present any evidence as to the reliability of their chosen biometrics to the court. Why? Is it because they can't? Is it because there is no justification and our money is, indeed, being wasted?
• The court sees no iniquity in that potential waste of money and describes it as not "in itself or in any way material". If this isn't an iniquity, what is?
• We are assured by the Home Office and the court that the procurement of IABS didn't break any UK or EU rules. That finding of the court is accepted but so what? The Home Office are still refusing to release the IBM trial report to the public. They go further. The Home Office say the trial was conducted under such specific constraints that reading the report wouldn’t tell the public much. In other words they admit that they have no justification whatever for spending our money on biometrics. The procurement complies with the rules but it could still be iniquitous and the Home Office could still be guilty of misfeasance in public office.
• Dame Helen Ghosh, Permanent Secretary at the Home Office, told the Home Affairs Committee that "... there are plans ... to reduce the staff of the Border Force by around 900 people ... that is driven as much by technological introductions like e-gates, as well as a risk-based approach. Border Force will be getting smaller". Is it wise to replace human beings with technology that costs more and doesn't work?
• Rob Whiteman, Chief Executive of what's left of the UK Border Agency, says of IABS in the March 2012 issue of the staff magazine that "the system, delivered by the agency in partnership with Suppliers IBM, Morpho, Fujitsu, Atos Origin and Software AG, is the first multi-modal biometric matching system. It provides greater accuracy in fingerprint matching together with an integrated facial matching element. It delivers a more comprehensive service, underpinning the agency’s objective to secure our border and reduce immigration". It isn't the first. Pakistan's was the first, and much good it's done that unfortunate country. The IABS biometrics provided by Morpho could be more reliable than the previous system but still useless. Just a little less useless. Is Mr Whiteman misleading his staff as to the history and the reliability of UKBA's biometrics?
• Sir David Normington, Dame Helen's predecessor, caused Lin Homer and Brodie Clark to write to David Moss asserting that smart gates were being installed at UK airports on the basis of a trial at Manchester Airport. When John Vine, the Independent Chief Inspector of the UK Border Agency, as he then was, reported on his May 2010 inspection of Manchester Airport, he said "we could find no overall plan to evaluate the success or otherwise of the facial recognition gates at Manchester Airport and would urge the Agency to do so [as] soon as possible". This evidence of the Home Office consistently misleading the public, Parliament, ministers, the media and its staff was put before the court. The Home Office made no response. Neither did the court in its decision. The allegation is a serious one. Why doesn't it warrant a response?

At the oral hearing in the matter of David Moss v Information Commissioner and the Home Office held on 24 February 2012, David Moss turned up in court and so did the Information Commissioner's staff and his barrister, but the Home Office didn't.

Why not?

The hearing concerned the Home Office's Immigration and Asylum Biometric System. IABS was due to go live at the border by the end of 2011 under the direction of Ms Jackie Keane, a senior civil servant at the UK Border Agency. She missed that date but bits of IABS went live at the end of February, with the results we all saw in the ensuing weeks, Heathrow at 'breaking' point as Border Force struggles to cope, leaked memos warn, ‘Minister lying over Heathrow queues’ says BA chief, and so on. We may surmise that the Home Office were too busy to attend.

On the other hand, the barrister who has represented the Home Office since the case began a year ago was there in court, except that this time he was representing IBM.

Why?

Because IABS is an IBM contract. It was awarded to them in 2009.

Stacked to the rafters with Nobel prize-winners in most disciplines, nevertheless IBM had no particular expertise in biometrics and no products of their own. They arranged a competition between six biometrics companies and chose Sagem Sécurité (now Morpho) as the best. In the process, they also made good their lack of biometrics expertise – in fact, IBM played a blinder there.

IABS was initially estimated to be worth £265 million and a lot of that money – public money, your money and mine – is being wasted according to David Moss because the biometrics chosen by the Home Office don't work. That's what the case is about.

You know they don't work. You read the BBC's report on the year-long trial of biometrics, ID cards scheme dubbed 'a farce'. You read the Telegraph's report on the smart gates installed at UK airports, Airport face scanners 'cannot tell the difference between Osama bin Laden and Winona Ryder'. You watched Brodie Clark tell the Home Affairs Committee that fingerprint checks are the least reliable identity/security checks made at the border, the ninth and bottom priority for his (now ex-)Border Force officers and the most sensible check to drop when the queues build up and threaten to get out of control.

David Moss lost the case anyway. It was a 2-to-1 majority decision against, a sort of a Minority Report 2 – they may not work at Heathrow or anywhere else in the real world but biometrics are the bee's knees in Hollywood films.

With the explicit permission of the court and the Home Office and the Information Commissioner you can read IBM's evidence in the case, please see attached. IBM's Commercial Director on IABS, Mr Nicholas Swain, explains that all the testing on biometrics was done by IBM and the results belong to IBM and that's why the public aren't allowed to see them despite paying for IABS. We're just meant to suppose that IABS will help to make the border secure and keep the Olympics safe despite all the respectable published evidence to the contrary. You can read Jackie Keane's evidence, too. She agrees with Nick.

It was all IBM's idea according to Ms Keane. OK, the Home Office gave IBM five million pairs of fingerprints to use as test data. And the Home Office specified the acceptance tests that had to be passed. And the Home Office agreed to pay IBM £265 million. But that's all.

It's been a long haul. It goes back 2½ years to a Freedom of Information request submitted on 6 January 2010. And it's not over yet because the other day David Moss submitted an application for permission to appeal. This could go on for years more.

While we're waiting for closure, we have those six questions above to ponder. And this one – what's IABS really about? It's obviously nothing to do with biometrics, as the court effectively acknowledges at paragraph 8 of its decision.

All relevant documents can be discovered at:

http://dematerialisedid.com/bcsl/foi.html

---

Notes to editors

1. As the Treasury Solicitors say (30 April 2012), "the submissions and open evidence lodged with the Tribunal in this case were relied upon and put in evidence at a hearing held in public". We really do all have permission to quote from this material and to comment on it.

2. Without wishing in any way to "lead" you, it is suggested that it will be most fruitful to start with the evidence submitted by the Home Office and IBM. And the evidence of Professor Ross Anderson at the University of Cambridge Computer Laboratory who points out that the banks have rejected biometrics as being too unreliable and asks why in that case do the Home Office trust them?

3. The background to this case is set out in the first few pages of the appeal document and centres on Whitehall’s competence and its duty to acknowledge the supremacy of Parliament, a subject which you will see there exercises the Home Affairs Committee.

4. Where does this story fit in the newspaper or on the radio/TV current affairs programme? Not on the fashion pages perhaps, but certainly in horoscopes and probably almost anywhere else – UK news, international news (they're all at it, look at India), EU news (the European Commission love biometrics and "eIDs", electronic identities), Westminster/politics, Whitehall/governance, the business pages, law reports/the Constitution, travel, sport (c.f. security at the Olympics generally and specifically UKBA's trip to Istanbul for the world wrestling championships to collect biometrics), the technology pages, cartoons, the crossword, ...

---

About David Moss
David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.

----------

Updated 21.2.18

It's getting on for six years since the blog post above was published.

Nothing has changed as far as the Home Office are concerned:

• Despite their record, the Home Office are still in charge of UK border control and they still find it a challenge, to put it politely, please see Border Force not ready for extra checks, claim MPs and Time has run out for May’s Brexit immigration plan.
• The director of strategy and transformation at the UK Border Force is Mr Christophe Prince according to his LinkedIn entry, the same man who was a deputy director of the UK Border Agency (RIP) for the three years 2006-09.
• And the UK Border Force still relies on IABS, the Immigration and Asylum Biometrics System, run for the moment by IBM and still relying on Morpho biometrics technology.

In the outside world things have moved on a little:

• The UK Government Digital Service (GDS) have contracted with Morpho to supply "identity provider" services to GOV.UK Verify (RIP), the failed identity assurance scheme.
• GDS have stated it as a strategic objective of theirs to incorporate more biometrics into public services on the basis that it's innovative to do so.
• And Safran have sold Morpho to private equity investors, who have changed its name to Idemia.

Idemia gets about a bit. It always has, whatever it was called at the time.

In 2012 they were found guilty of bribery to win business in Nigeria. The bribery of which they were found guilty took place between 2000 and 2003. They appealed and had the verdict overturned in 2015.

There was a spot of bother in Kenya when the opposition party claimed that Idemia had cost them the August 2017 general election. It was the devil's own job for the Kenyan authorities to have the October re-run conducted the way they wanted, and not Idemia.

There was the earlier problem revealed by Naomi Klein in 2008 when she discovered that face recognition technology being used in Operation Golden Shield had been sold to China by L-1 Identity Solutions, Inc., a company subsequently bought by Idemia. That trade is against the law in the US. It is barred by the US Commerce Department's Bureau of Industry and Security post-Tiananmen export controls.

Everything seemed to be going profitably enough for Idemia in India, where their products are used for biometric registration under Aadhaar, the identity assurance scheme for 1.2 billion Indians, until ...

... enter Russia. Idemia allegedly bought some Russian software and inserted it into its own products to improve performance but didn't tell anyone.

Now that some disaffected Idemia ex-employees have made this allegation, the Indians are a little non-plussed. Rather as the Americans may be, also: "The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department", not to mention the FBI. Cue fears of cyber-espionage being carried out by software buried deep in the security, military and justice systems.

What goes around comes around. The Indians are also worried about allegations that some other software they use in Aadhaar has CIA tools hidden in it but that's another story.

The question here is, do GDS and the Home Office want anything to do with Idemia? How well-prepared are they? Why take the risk? What's the point? After all, it's not as though the biometrics works.

UKBA – what do the Board do for £1 million p.a.?

They're a busy lot on the Home Affairs Committee. On 11 April 2012, they published their 21st report since September 2010, Work of the UK Border Agency (August - December 2011).

No advance on their 17th report back in January, Inquiry into the provision of UK Border Controls, the Committee draw attention to the UK Border Agency's contemptuous lack of co-operation with parliament (para.79-81). Parliament is meant to be supreme. The Executive, in the form of UKBA, continues to behave as though it is supreme.

As with the 17th report, the Committee make the obvious point that the UK Border Agency is not an agency of the Home office at all, it is an integral part of the Home Office. The word "Agency" appears accordingly in inverted commas throughout the report.

The failings of UKBA do not stop at the Board of UKBA, they go to the top of the Home Office, to Dame Helen Ghosh, the permanent secretary. And they did not start with her, they go back to the incumbency of her predecessor, Sir David Normington.

The Committee expect not only the chief executive of UKBA to co-operate with them but also the permanent secretary (para.12, 37, 73). UKBA's failings are her failings as much as Rob Whiteman's.

And what are those failings?

The Committee list them under 23 headings in this report.

They start by listing the salaries of eight executive members of the UKBA Board, roughly £1 million per annum. £1 million should buy any organisation a lot of management and direction. Especially when, as in this case, it doesn't stop there, there is further input from the top levels of the Home Office.

In the event, with failings in 23 areas reported here, and more being signalled for upcoming Committee enquiries, the expected management and direction are not being delivered.

John Vine, the Independent Chief Inspector of UKBA, made the point in his report on the Brodie Clark affair that (p.6):

There is nothing I have discovered which could not have been identified and addressed by senior managers exercising proper oversight.

The question arises, if they're not exercising proper oversight, what are Dame Helen and Rob Whiteman and the other senior civil servants doing?

UKBA – what do the Board do for £1 million p.a.?

They're a busy lot on the Home Affairs Committee. On 11 April 2012, they published their 21st report since September 2010, Work of the UK Border Agency (August - December 2011).

No advance on their 17th report back in January, Inquiry into the provision of UK Border Controls, the Committee draw attention to the UK Border Agency's contemptuous lack of co-operation with parliament (para.79-81). Parliament is meant to be supreme. The Executive, in the form of UKBA, continues to behave as though it is supreme.

What's the matter with our leaders, that they can imagine we welcome mass surveillance? A blogger suggests the answer

To the Cabinet Office, it is quite unremarkable to suggest that we should all apply to private sector companies for an electronic ID so that we can transact with the government, see for example this post by ex-Guardian man Mike Bracken – Establishing trust in digital services. Given that there are 60 million of us here in the UK, those private sector companies would have to be pretty big to manage the volumes. As big as Facebook, for example, who already have 30 million active users in the UK. Or Google, the company that "walked Francis Maude through the identity ecosystem". At least that's what ex-Guardian man Mike Bracken says in Thoughts on my recent trip to the West Coast with Francis Maude, Minister for the Cabinet Office.

To ordinary human beings, the idea is utterly inept.

To the Department of Business, Innovation and Skills, it is quite unremarkable to suggest that we should all collect together our personal data in a file and give it to suppliers so that they know what we want to buy from them, please see for example Ed Davey, problem-solver – midata. Only a mooncalf could possibly agree (The case for midata – the answer is a mooncalf).

To ordinary human beings, the idea is utterly inept.

To the civil service all across Whitehall, it is quite unremarkable to suggest that all the personal data about us held by the government should be stored on computers operated by the likes of Google and Amazon. Whereas the suggestion is of course actually bonkers – Cloud computing is bonkers or, as HMG put it, a "no-brainer".

To ordinary human beings, the idea is utterly inept.

To the Home Office, it is quite unremarkable to suggest that all our phone calls, emails, web browsing etc ... should be monitored by GCHQ.

To ordinary human beings, the idea is utterly inept.

Whitehall and the senior politicians put in to bat for Whitehall clearly have a very odd idea of human nature. It's worth trying to work out what's odd about it. It doesn't help simply to keep saying that it's odd. We need to make a bit of progress. And in that endeavour the blogger Scott Grønmark has taken the first important step.

Mr Grønmark says that in 2005 it occurred to him that the government has many of the symptoms of autism – Talk to the hand! - why all organisations turn autistic – and that he is thinking of writing a book about it. He has returned to the subject about 10 times over the years (according to Google). Let's hope that he does finally write that book.

What's the matter with our leaders, that they can imagine we welcome mass surveillance? A blogger suggests the answer

To the Cabinet Office, it is quite unremarkable to suggest that we should all apply to private sector companies for an electronic ID so that we can transact with the government, see for example this post by ex-Guardian man Mike Bracken – Establishing trust in digital services. Given that there are 60 million of us here in the UK, those private sector companies would have to be pretty big to manage the volumes. As big as Facebook, for example, who already have 30 million active users in the UK. Or Google, the company that "walked Francis Maude through the identity ecosystem". At least that's what ex-Guardian man Mike Bracken says in Thoughts on my recent trip to the West Coast with Francis Maude, Minister for the Cabinet Office.

To ordinary human beings, the idea is utterly inept.

Lin Homer, Brodie Clark and Ron Noble

Ron Noble, Secretary General of Interpol, is in London to discuss security arrangements for the Olympics.

He gave an interview to the Independent. Interpol maintains a database of lost and stolen passports, and:

Britain is the only EU country to systematically check passports against those registered as missing worldwide. Last year more than 11,000 people were caught trying to enter the UK using lost or stolen passports. Britain carries out more checks against the database than the rest of Europe combined – 140 million last year. France carried out the second highest number, at 10 million. The UK Border Agency acknowledged the importance of the Interpol system, saying its high usage of the database was "indicative of the seriousness and priority we place on border security".

This is quite a turnaround.

In December 2004, Ron Noble lambasted the UK when he flew in and wasn't even asked for his passport number:

Interpol concern over UK borders The head of Interpol has told of his "surprise" at shortcomings in the passport controls at UK borders. Ron Noble, an American, said he was not asked for his passport serial number when he entered the UK.

The situation didn't improve and in July 2007 Ron Noble returned to the fray:

Interpol said last night that the UK makes just 50 checks a month of the database; France by comparison makes 700,000 checks and Switzerland makes 300,000 ... Mr Noble said that Gordon Brown's promise last week to share a list of potential terrorists with other countries had yet to materialize. "British citizens might be surprised to find that this watch list announced by your prime minister last week has not been sent to Interpol," he said. "Why is it that some countries make sure passengers do not carry a bottle of spring water on to a plane, yet aren't careful to ensure convicted felons aren't entering their borders with stolen passports?"

Someone took up the matter with Lin Homer, Chief Executive of the UK Border Agency at the time. Ms Homer kindly wrote back and said that UKBA had started to use the Interpol database more frequently in 2007 and, by 2010:

Around 70 million checks are made against the database per year and to date there have been 13346 hits and 5108 documents seized.

The UK has gone from 600 checks p.a. against the Interpol database to 70 million and, now, to 140 million. You don't get a turnaround like that unless someone makes a determined effort. Who? Lin Homer. Well done, Lin Homer, and thank you. And thank you, Brodie Clark, sometime head of the UK Border Force.

After their Ron Noble interview, the Independent published a leading article on 30 December 2011. Does Lin Homer get a mention? No.

Brodie Clark does. Happy New Year to you, too:

Equally, although Mr Noble may have praised UK immigration controls compared with those of our neighbours, the British system is far from perfect. Only last month, the head of the border force quit in a row over a relaxation of security which the Home Secretary claimed had been done without her knowledge. That Brodie Clark is now suing for constructive dismissal only adds to the alarming sense of confusion and buck-passing in this vital area of national security.

The Independent regards the actions of UKBA and Interpol together as praiseworthy but Brodie Clark gets no recognition from the newspaper for his part in protecting the border by making use of the Interpol database.

Certain allegations have been made against Brodie Clark and he disputes them all. The matter is being investigated by the Home Affairs Committee, the Home Office has launched three internal investigations and, at some point, an employment tribunal will be convened. What are the results of all those quasi-judicial investigations? No-one knows but the Independent feels itself already justified in pointing the finger at Brodie Clark.

There is "confusion and buck-passing" there. But in their unbalanced coverage, the Independent have not identified the seat of that confusion.

---

Update 8 January 2011
Mazher Mahmood, 8 January 2011, Sunday Times, Illegals enter the UK on ‘passports for hire’:

• Mr Mahmood identifies two people who got into the UK using other people's lost or stolen ID – a Sunday Times reporter and a lady who was sent to jail by Wood Green Crown Court in 2010. All the other illegal immigrants referred to in his article are in Greece, and not the UK. It looks as though UKBA are doing rather well, checking travel documents against the Interpol database.
• Mr Mahmood's article includes a quotation from an unnamed senior police source asserting that biometric checks would be more effective – no evidence for that assertion is given. Has Mr Mahmood perhaps been deceived by an impostor, a biometrics technology salesman posing as a policeman?

Lin Homer, Brodie Clark and Ron Noble

Ron Noble, Secretary General of Interpol, is in London to discuss security arrangements for the Olympics.

He gave an interview to the Independent. Interpol maintains a database of lost and stolen passports, and:

Britain is the only EU country to systematically check passports against those registered as missing worldwide. Last year more than 11,000 people were caught trying to enter the UK using lost or stolen passports. Britain carries out more checks against the database than the rest of Europe combined – 140 million last year. France carried out the second highest number, at 10 million. The UK Border Agency acknowledged the importance of the Interpol system, saying its high usage of the database was "indicative of the seriousness and priority we place on border security".

This is quite a turnaround.

The on the spot answer

This is the (draft and subject to change) answer to a comment posted by one Mr Reader:

Dear Mr Reader

Thank you for trying to put me on the spot. I’ve been trying to put myself on the spot for years. And failing.

Assuming that that continues, when the final enquiry report is in at the end of next month, the most likely outcome is that everyone’s reputation will be tarnished – Brodie Clark, Theresa May and Helen Ghosh – but the daily round will revert to its pre-4 November 2011 pattern, the usual dismal calm will prevail in the Dark Department, there will be no more sense of sudden explosions, nasty surprises and unexpected eruptions.

That’s the 98%+ likely scenario. A dirty taste in the mouth, business as usual re-established.

The outcome with the 2%- probability of happening?

Consider the following Economist article, Friday 11 May 2012:

Brodie Clark speaks quietly and at first no-one heard him say that fingerprint verification is the ninth and lowest priority security/identity check at the border, the least reliable check and the most sensible check to suspend when the disorderly queues in Arrivals begin to threaten safety.

Well everyone’s heard him now, thanks to the alliance between Theresa May, the UK’s Home Secretary, and Helen Ghosh, Permanent Secretary at the Home Office. Their careers both shipped a lot of water in the days following 4 November 2011 and they were determined to find out why.

Clark was supposed to have endangered UK border security by suspending fingerprint checks. But May and Ghosh could find no evidence that fingerprint checks promote border security. There is none. So he hadn’t endangered anything.

True, he had arguably disobeyed his minister. She had specifically instructed that fingerprint checks were not to be relaxed for non-EEA nationals. But did that instruction refer exclusively to the new intelligence-led border security scheme being piloted? Was the suspension of fingerprint checks covered by the 2007 HOWI procedures?

Pure noise. The real question was: why did the Home Secretary instruct that fingerprint checks should not be suspended, given that they’re no use? Answer, because she had been told by her officials that the technology is reliable. Who told her that? And why?

As May and Ghosh looked deeper and deeper into the affair, the tangled web of today’s mass consumer biometrics industry began to unravel. First in the UK Border Agency, where IBM’s National Identity Assurance Service contract was cancelled. That took out Morpho at the same time. (Morpho is a subsidiary of France’s Safran Group, their answer to our BAE Systems.) And Computer Sciences Corporation and VFS Global.

The damage spread to the National Policing Improvement Agency, where they were using Morpho’s products for mobile fingerprinting by police patrols – not any more they’re not. And to the Identity & Passport Service, where they use Morpho for biometrics in ePassports. For the moment. And to DWP, who were going to use voice biometrics for their Universal Credit system, but can only be described now as tight-lipped about their plans.

Who advised the Home office on biometrics? They got internal advice from the Home Office Scientific Development Branch and external consultancy advice from PA Consulting. Not any more they don’t.

How did this fiasco persist, the Prime Minister wants to know, under the leadership of Lord O'Donnell, until last years head of the home civil service, and Sir David Normington, Dame Helen's predecessor? We await the answer with interest.

Projects that depend on these biometrics being reliable were being cancelled all over Whitehall. The taxpayer didn’t know whether to be furious about being deceived for so long by the Home Office or deliriously happy when the savings from all these cancelled projects over the next 10 years topped £20 billion.

This sort of news doesn’t respect borders. Safran Group were relying on Morpho for 20% of their turnover. Once the news had rowed across the channel, their turnover was down by 20%. Former President Sarkozy tried to blame the Anglo-Saxons but then turned on the European Commission, blaming their 2003 OSCIE specification for a pan-European biometric ID card. The European Commission blamed the US Department of Homeland Security and the DHS blamed NIST, the US National Institute of Standards and Technology.

Which was too much for Prime Minister Manmohan Singh in India, where they’re spending billions on Aadhaar, a biometrics-based identity management scheme for 1.2 billion people. At least they were.

And so the truth rolls on, bowling around the world, knocking over civil servants like ninepins wherever it fetches up. In China,  one day Dr Tieniu Tan was a research professor with dozens of successful spin-off companies and, next day, he wasn’t. In Pakistan, first Brigadier Saleem Ahmed Moeen (Retd) was Chairman of NADRA, then there was no NADRA and now the Brigadier really is retired.

And all because of a quietly-spoken Glaswegian, speaking quietly on 15 November 2011, giving evidence to the Home Affairs Committee. Listen to him here. The good bit starts at 12:18.