One purpose of the planned UK National ID Card is to help banks confirm identity when individuals open new accounts or undertake certain higher-risk transactions. The plan is for banks to have fingerprint scanners and to compare fresh fingerprints with templates held on or with the ID cards of customers (see, for example, "Transferring money" on the Identity and Passport Service website).
Given the foibles and vulnerabilities of fingerprint biometrics, I wonder whether the following points are yet being debated between British banks and the government.
- What error rates are going to be specified for biometric matching undertaken by a bank against the National ID Card? If the government is promoting biometric security, what claims will it be willing to make for the accuracy of the method?
- Will error rate specifications be vendor-specific? Performance tends to suffer when a fresh biometric scan taken with one make of equipment is compared with a reference template captured using different equipment. So, if a bank chooses a fingerprint vendor different from the one used to register users for their ID cards in the first place, what degradation in accuracy will be permissible? Or will the National ID scheme select one biometric vendor for all installations, even across the private sector?
- In the event of a false match when someone uses the National ID card to effect a financial transaction, even with all systems working to specification (say a 3% False Match Rate, which represents the state of the art), who will be liable for the consequences?
- The banks' predominant interest in customer convenience and keeping queue lengths down may conflict somewhat with the government's primary interest in national security. Historically, banks have employed a range of means to detect and manage fraud, and, operating within their own controlled business environment, they have been able to balance customer convenience against security. Often it is better for a bank to absorb some level of fraud loss than to arbitrarily increase security and put customers through pain. Therefore, left to their own devices, banks may prefer to tune their biometric systems toward lower false reject rates, whereas government can be expected to prefer lower false match rates. How will this tension be resolved? Will banks be allowed a degree of control over the tuning of the detectors in their businesses? If so, within what bounds, and to what standards?