The Home Office, Heathrow Airport, the security of the UK border and the safety of the Olympics

Here's a copy of a press release that's just been issued. Forgot to mention the French. Zut. They're lapping it up, too, just like the Indians.

PRESS RELEASE

To:

Home Office

OIG (re US-VISIT)

IDABC (re OSCIE)

China (re Golden Shield)

Pakistan (re NADRA)

FBI (re NGI)

UIDAI (re Aadhaar)

Agencies

The Home Office – Misfeasance in public office

23 May 2012

Six questions for editors to ponder:

• The Home Office have been asked to reassure the public by publishing a justification for spending public money on biometrics technology they've previously proved to be useless. For 2½ years they've refused. Nor did they present any evidence as to the reliability of their chosen biometrics to the court. Why? Is it because they can't? Is it because there is no justification and our money is, indeed, being wasted?
• The court sees no iniquity in that potential waste of money and describes it as not "in itself or in any way material". If this isn't an iniquity, what is?
• We are assured by the Home Office and the court that the procurement of IABS didn't break any UK or EU rules. That finding of the court is accepted but so what? The Home Office are still refusing to release the IBM trial report to the public. They go further. The Home Office say the trial was conducted under such specific constraints that reading the report wouldn’t tell the public much. In other words they admit that they have no justification whatever for spending our money on biometrics. The procurement complies with the rules but it could still be iniquitous and the Home Office could still be guilty of misfeasance in public office.
• Dame Helen Ghosh, Permanent Secretary at the Home Office, told the Home Affairs Committee that "... there are plans ... to reduce the staff of the Border Force by around 900 people ... that is driven as much by technological introductions like e-gates, as well as a risk-based approach. Border Force will be getting smaller". Is it wise to replace human beings with technology that costs more and doesn't work?
• Rob Whiteman, Chief Executive of what's left of the UK Border Agency, says of IABS in the March 2012 issue of the staff magazine that "the system, delivered by the agency in partnership with Suppliers IBM, Morpho, Fujitsu, Atos Origin and Software AG, is the first multi-modal biometric matching system. It provides greater accuracy in fingerprint matching together with an integrated facial matching element. It delivers a more comprehensive service, underpinning the agency’s objective to secure our border and reduce immigration". It isn't the first. Pakistan's was the first, and much good it's done that unfortunate country. The IABS biometrics provided by Morpho could be more reliable than the previous system but still useless. Just a little less useless. Is Mr Whiteman misleading his staff as to the history and the reliability of UKBA's biometrics?
• Sir David Normington, Dame Helen's predecessor, caused Lin Homer and Brodie Clark to write to David Moss asserting that smart gates were being installed at UK airports on the basis of a trial at Manchester Airport. When John Vine, the Independent Chief Inspector of the UK Border Agency, as he then was, reported on his May 2010 inspection of Manchester Airport, he said "we could find no overall plan to evaluate the success or otherwise of the facial recognition gates at Manchester Airport and would urge the Agency to do so [as] soon as possible". This evidence of the Home Office consistently misleading the public, Parliament, ministers, the media and its staff was put before the court. The Home Office made no response. Neither did the court in its decision. The allegation is a serious one. Why doesn't it warrant a response?

At the oral hearing in the matter of David Moss v Information Commissioner and the Home Office held on 24 February 2012, David Moss turned up in court and so did the Information Commissioner's staff and his barrister, but the Home Office didn't.

Why not?

The hearing concerned the Home Office's Immigration and Asylum Biometric System. IABS was due to go live at the border by the end of 2011 under the direction of Ms Jackie Keane, a senior civil servant at the UK Border Agency. She missed that date but bits of IABS went live at the end of February, with the results we all saw in the ensuing weeks, Heathrow at 'breaking' point as Border Force struggles to cope, leaked memos warn, ‘Minister lying over Heathrow queues’ says BA chief, and so on. We may surmise that the Home Office were too busy to attend.

On the other hand, the barrister who has represented the Home Office since the case began a year ago was there in court, except that this time he was representing IBM.

Why?

Because IABS is an IBM contract. It was awarded to them in 2009.

Stacked to the rafters with Nobel prize-winners in most disciplines, nevertheless IBM had no particular expertise in biometrics and no products of their own. They arranged a competition between six biometrics companies and chose Sagem Sécurité (now Morpho) as the best. In the process, they also made good their lack of biometrics expertise – in fact, IBM played a blinder there.

IABS was initially estimated to be worth £265 million and a lot of that money – public money, your money and mine – is being wasted according to David Moss because the biometrics chosen by the Home Office don't work. That's what the case is about.

You know they don't work. You read the BBC's report on the year-long trial of biometrics, ID cards scheme dubbed 'a farce'. You read the Telegraph's report on the smart gates installed at UK airports, Airport face scanners 'cannot tell the difference between Osama bin Laden and Winona Ryder'. You watched Brodie Clark tell the Home Affairs Committee that fingerprint checks are the least reliable identity/security checks made at the border, the ninth and bottom priority for his (now ex-)Border Force officers and the most sensible check to drop when the queues build up and threaten to get out of control.

David Moss lost the case anyway. It was a 2-to-1 majority decision against, a sort of a Minority Report 2 – they may not work at Heathrow or anywhere else in the real world but biometrics are the bee's knees in Hollywood films.

With the explicit permission of the court and the Home Office and the Information Commissioner you can read IBM's evidence in the case, please see attached. IBM's Commercial Director on IABS, Mr Nicholas Swain, explains that all the testing on biometrics was done by IBM and the results belong to IBM and that's why the public aren't allowed to see them despite paying for IABS. We're just meant to suppose that IABS will help to make the border secure and keep the Olympics safe despite all the respectable published evidence to the contrary. You can read Jackie Keane's evidence, too. She agrees with Nick.

It was all IBM's idea according to Ms Keane. OK, the Home Office gave IBM five million pairs of fingerprints to use as test data. And the Home Office specified the acceptance tests that had to be passed. And the Home Office agreed to pay IBM £265 million. But that's all.

It's been a long haul. It goes back 2½ years to a Freedom of Information request submitted on 6 January 2010. And it's not over yet because the other day David Moss submitted an application for permission to appeal. This could go on for years more.

While we're waiting for closure, we have those six questions above to ponder. And this one – what's IABS really about? It's obviously nothing to do with biometrics, as the court effectively acknowledges at paragraph 8 of its decision.

All relevant documents can be discovered at:

http://dematerialisedid.com/bcsl/foi.html

---

Notes to editors

1. As the Treasury Solicitors say (30 April 2012), "the submissions and open evidence lodged with the Tribunal in this case were relied upon and put in evidence at a hearing held in public". We really do all have permission to quote from this material and to comment on it.

2. Without wishing in any way to "lead" you, it is suggested that it will be most fruitful to start with the evidence submitted by the Home Office and IBM. And the evidence of Professor Ross Anderson at the University of Cambridge Computer Laboratory who points out that the banks have rejected biometrics as being too unreliable and asks why in that case do the Home Office trust them?

3. The background to this case is set out in the first few pages of the appeal document and centres on Whitehall’s competence and its duty to acknowledge the supremacy of Parliament, a subject which you will see there exercises the Home Affairs Committee.

4. Where does this story fit in the newspaper or on the radio/TV current affairs programme? Not on the fashion pages perhaps, but certainly in horoscopes and probably almost anywhere else – UK news, international news (they're all at it, look at India), EU news (the European Commission love biometrics and "eIDs", electronic identities), Westminster/politics, Whitehall/governance, the business pages, law reports/the Constitution, travel, sport (c.f. security at the Olympics generally and specifically UKBA's trip to Istanbul for the world wrestling championships to collect biometrics), the technology pages, cartoons, the crossword, ...

---

About David Moss
David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.

----------

Updated 21.2.18

It's getting on for six years since the blog post above was published.

Nothing has changed as far as the Home Office are concerned:

• Despite their record, the Home Office are still in charge of UK border control and they still find it a challenge, to put it politely, please see Border Force not ready for extra checks, claim MPs and Time has run out for May’s Brexit immigration plan.
• The director of strategy and transformation at the UK Border Force is Mr Christophe Prince according to his LinkedIn entry, the same man who was a deputy director of the UK Border Agency (RIP) for the three years 2006-09.
• And the UK Border Force still relies on IABS, the Immigration and Asylum Biometrics System, run for the moment by IBM and still relying on Morpho biometrics technology.

In the outside world things have moved on a little:

• The UK Government Digital Service (GDS) have contracted with Morpho to supply "identity provider" services to GOV.UK Verify (RIP), the failed identity assurance scheme.
• GDS have stated it as a strategic objective of theirs to incorporate more biometrics into public services on the basis that it's innovative to do so.
• And Safran have sold Morpho to private equity investors, who have changed its name to Idemia.

Idemia gets about a bit. It always has, whatever it was called at the time.

In 2012 they were found guilty of bribery to win business in Nigeria. The bribery of which they were found guilty took place between 2000 and 2003. They appealed and had the verdict overturned in 2015.

There was a spot of bother in Kenya when the opposition party claimed that Idemia had cost them the August 2017 general election. It was the devil's own job for the Kenyan authorities to have the October re-run conducted the way they wanted, and not Idemia.

There was the earlier problem revealed by Naomi Klein in 2008 when she discovered that face recognition technology being used in Operation Golden Shield had been sold to China by L-1 Identity Solutions, Inc., a company subsequently bought by Idemia. That trade is against the law in the US. It is barred by the US Commerce Department's Bureau of Industry and Security post-Tiananmen export controls.

Everything seemed to be going profitably enough for Idemia in India, where their products are used for biometric registration under Aadhaar, the identity assurance scheme for 1.2 billion Indians, until ...

... enter Russia. Idemia allegedly bought some Russian software and inserted it into its own products to improve performance but didn't tell anyone.

Now that some disaffected Idemia ex-employees have made this allegation, the Indians are a little non-plussed. Rather as the Americans may be, also: "The company, now named Idemia, has provided fingerprint-recognition software to the Department of Defense and agencies in 28 states and 36 cities or counties across the US — from the Orange County Sheriff’s Department to the New York Police Department", not to mention the FBI. Cue fears of cyber-espionage being carried out by software buried deep in the security, military and justice systems.

What goes around comes around. The Indians are also worried about allegations that some other software they use in Aadhaar has CIA tools hidden in it but that's another story.

The question here is, do GDS and the Home Office want anything to do with Idemia? How well-prepared are they? Why take the risk? What's the point? After all, it's not as though the biometrics works.