In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is. Plenty has been written on how the government has been changing its mind on what benefits the ID cards provide since the inception of the programme. If we look at the speech made by the Home Secretary Jacqui Smith to Demos on the 6th of March 2008 giving an update on the identity card scheme, the justifications are broadly split into two areas.

Firstly, there are a number of preventative measures which have been previously touted as reasons for the scheme’s implementation: illegal immigration, illegal working, benefit fraud; fighting terrorism. Secondly, and what seems to be particularly emphasised this time round, is the perceived “added convenience” to the citizen.

This change of tack would appear to tie in directly with the change of the roll-out plans by the government. In these revised plans only foreign nationals and those working in “sensitive” positions will, initially, be required to register. UK nationals will then be “encouraged” to register from 2010, and all new passport details entered on the National Identity Register from 2011/12.

The government anticipates that the perceived benefits will convince individuals to register for the scheme leading to a “market driven” uptake of the cards. Many people feel this would appear to be a reaction to the recent embarrassing losses of data by several different government departments over the past 6 months.

Given that there are a number of ways in which the government could spend the estimated £5.4bn to act preventatively (in tackling illegal working, terrorism, etc), we focus our attention here on how the perceived benefits for the average citizen measure up.

The Home Secretary’s speech contains a number of facts and figures intended to provide evidential weight to strengthen the argument for the ID cards’ benefit to the individual. However some of these reasons – a reduction in identity fraud and ease of identity verification in particular – are difficult to justify, as we argue next.

In terms of reduction of identify fraud, a figure of £1.7bn is quoted as being the sum lost every year in the UK. However, the estimates on identity fraud include all frauds, where existing accounts are misused. ID cards would do very little to help in this scenario. In addition, many instances of opening an account these days happen remotely. As can be seen in the following piece from the BBC series “The Real Hustle” tens of thousands of pounds worth of debt can be racked up against an individual without the perpetrator having to ever transact with the financial institution face-to-face. Again, ID Cards would do nothing to prevent this type of fraud.

In terms of ease of identity verification, the government’s argument that the citizen will benefit relies strongly on the ability of a third party to be able to verify the citizen’s identity based on their fingerprints. To quote the Home Secretary from her recent speech:

“Because your name will be linked by your fingerprints to a unique entry on the National Identity Register, you will have much greater protection from identity theft – no-one will be able to impersonate you, like they can now, just by finding out your name and address and personal details.”

In which case, how many institutions are going to have the wherewithal to implement a robust and reliable mechanism for verifying a user’s fingerprint? This requires additional equipment, training for staff, increased transaction cost, physical presence of the customer, etc.

How will a third party be able to securely query the National Identity Register? If, as stated by the Home Secretary, the database will not be online, how will organisations of all sizes and types get access to this information?

How many types of transactions can have their security augmented in this way? Not those transactions which can happen remotely. Even those where the citizen is physically present, it is unclear how many would be suitable for a fingerprint to be used as part of the authentication process.

In addition, the known failure-rates for biometric technology are not insignificant. The non-match rates, where an authentic user cannot be verified, are of the order of 1-2%. When these percentages are applied to a user population the size of country, the numbers of errors expected are huge. What happens when someone tries to verify their fingerprint and the match is rejected? These are going to be very real concerns when someone comes to open a bank account or start a new job. There are two very real knock-on effects from this. Firstly, there will need to be processes to deal with these errors, which themselves open up the system to new weaknesses. Secondly, if people frequently encounter errors in the system, the perception of its benefit and reliability are likely to drop significantly.

In addition, the arguments put forward to support the practicality of the scheme – using the examples of how encryption is used on the new biometric passports and how more than one million biometric visas have been issued – have weaknesses in their assumptions, as we will now argue.

In terms of the encryption of information used on passports, the Basic Access Control implemented under the International Civil Aviation Organization (ICAO) regulations is known to have existing weaknesses in it. In addition, from the consumer’s perspective, it is ultimately the integrity of the data (both in terms of the verifiability of the data by a third party, and how that data is verified at registration) which is key.

In our view, the comparison to the biometric visa system is not valid because the visas are only processed in a small number of dedicated, government-run centres, with carefully vetted and trained members of staff. It is unclear how a similar system would scale to the population of the UK where the verifying party is likely to be any one of a disparate and large number of commercial entities.

Further issues which appear to have been given little attention, but will undoubtedly have a large effect on the effectiveness of the resulting scheme include: reliability of the registration process; liability; the insider threat; how to deal with errors in the database.

All in all, it would appear that the government is determined to pursue the implementation of the ID card scheme. In fact the Home Secretary herself has, on a number of occasions, identified how the government see this as a necessity in achieving their stated goals.

We do not disagree with the premise that a more robust way of asserting identity would be useful for the citizen. However, a person’s belief that a given course of action provides a particular benefit should be backed up by reasoned argument. If we leave the questions related to immigration and national security aside (and how the money might be better spent there), we are still to be convinced that the proposal, as it stands, can deliver the perceived benefit to the consumer in a cost effective manner, and without introducing a number of new threats and vulnerabilities.

Dr. Geraint Price

It is still too early to offer a definitive opinion on what went wrong at Société Générale and how to prevent it in future, but given the rumours swirling around, let’s focus instead on the established facts.

Société Générale’s own interim report is a veritable goldmine of information. At 27 pages, it’s not an easy document to digest, but it makes for fascinating reading. It explains that the trader at the centre of the storm, Jerome Kerviel, was able to disguise extreme trading positions by creating false trades in the reverse direction, using undetermined, internal or even non-existent counterparties.

The report also reveals that a total of 75 separate internal alerts were raised on Kerviel’s trading activities between 2005 and 2008, but that none led to a robust internal investigation. Several externally generated alarms seem to have been ignored too.

The interim report indicates that Kerviel was not some new breed of super-hacker, and did not appear to have accomplices in other parts of the bank. Instead, he understood how to create layers of obfuscation to disguise his trading activities, and how to throw internal investigations off the scent.

It may be that the time Kerviel spent in the bank’s back-office gave him an insight into exactly how to achieve this. Sometimes, his techniques were laughably simple: bamboozling colleagues in the middle- and back-offices with phoney explanations for odd-looking trades, and even sending spoof-forwarded e-mails from alleged counterparties to persuade internal auditors that all was well.

The interim report shows Kerviel made a profit of 1.5 billion euros for Société Générale from these kinds of activities in 2007, and was apparently an overnight star performer. But Kerviel’s luck could not last, and in early 2008 his activities were uncovered. But only just.

The first sign came on 2 January, when a daily report passed to Société Générale’s group risk department failed because it did not contain up-to-date information on eight of Kerviel’s transactions. When Kerviel supplied the missing data, the risk team’s calculations revealed an unacceptably high level of risk associated with “Bank E”‘, the counterparty to these trades.

It then took the best part of three weeks of to-ing and fro-ing between various Société Générale departments before the full picture emerged. Société Générale discovered it had an exposure of around 49 billion euros on index futures that was offset only by fictitious trades in the reverse direction. Société Générale was then forced to unwind Kerviel’s positions under unfavourable market conditions, resulting in a loss of 6.4 billion euros.

A key issue is whether Société Générale’s internal controls were sufficiently robust to detect Kerviel’s trading patterns. It is surprising that the bank’s trading platform allowed Kerviel to initiate trades with bogus and non-existent counterparties. What controls, if any, were in place at the level of application software to detect or even prevent this from happening?

Of the 75 separate alerts concerning Kerviel’s fraudulent activities, only one led to the discovery of the rogue trades. This alert was raised because a set of eight Kerviel trades were not compliant with the Basel II risk standards. An almost comical chain of e-mails and telephone calls involving some 30 employees in various bank departments followed before a full appreciation of the situation was realised. Société Générale’s incident response procedures seems sorely lacking.

And what of the other 74 alerts? Each was acted on by bank staff in full accordance with the bank’s recommended controls. But these were simply ineffective. For example, in one case anomalies in Kerviel’s accounts were attributed to recurring problems with the bank’s IT systems. In another case, staff in the accounting department sought explanation for discrepancies, but did not alert their immediate superiors even though the amounts involved were high (in some cases, more than 1 billion euros). In yet other cases, the middle-office was fobbed off with explanations that would not have stood up to any serious scrutiny.

The Société Générale report repeatedly highlights that audit and accounting rules were followed to the letter, but that staff did not go beyond the rules to ask hard questions of Kerviel or his office. Kerviel’s activities were also spread across different financial instruments, and the bank lacked an integrated view of each trader’s activities.

To summarise: the back- and middle-office information security culture was not as it should have been, and lacked an appropriately cynical, hard-nosed and joined-up view of front-office activities.

Finally, we close with what would be the most amusing point of all, if it were not so startling. Société Générale’s interim report opens with a statement from the special investigation committee, composed of directors of the bank. It identifies the need to strengthen the bank’s control systems. And the number one control listed? The development of biometric identification solutions.

This seems to be a singularly inappropriate response to the problem, unless there are significant factors involved in Kerviel’s activities which are not covered in the interim report. Nothing in this case has anything to do with the bank’s inability to identify its employees. If biometrics are the answer, then what exactly was the question?

Prof. Kenny Paterson