Feeds

IPS finds no nuggets in ID checking goldmine

Claims targets exceeded, but fee income tiny

3 Big data security analytics techniques

Government plans to position the Identity & Passport Service as the UK's de facto identity services broker seem not to have entirely caught the imagination of the private sector, figures in IPS' annual report and accounts suggest. Although IPS recruited 44 new customers for its Passport Validation Service (PVS), income from this for the year ending March 2008 was only £357,000.

The PVS could be viewed as a kind of blueprint for the future identity verification regime envisaged by the government, and stems from IPS' strategic switch from a document-centric to a person-centric organisation. Previously, the UK Passport Service issued passports and kept track of them, now the new-look IPS keeps track of individuals and issues identity documents to them. It accesses government and commercial databases in order to help build 'biographical footprints' for them, and sells ID verification services in the shape, currently, of the Passport Validation Service.

But from the point of view of verification, it's a mouse. The PVS can be used by financial service companies or employers to confirm that a passport is genuine and valid, but that's all they can do with it. In early 2007 the then home secretary, John Reid, claimed 18 customers for the PVS as of January 2007, and shortly afterwards told Parliament that "seven financial services organisations" - which he declined to name - used the PVS.

In its business plan, published in April 2007, IPS claimed 80 customers in total, which with the 44 subsequent recruits ought to have meant a total of 124 by March 2008. According to the Home Office, however, the service currently has 43 private sector customers and 20 public sector ones, fewer than it had in March 2007, apparently. Rather than this meaning customers have fled in terror over the past 12 months, however, it seems more likely that that the business plan was over-enthusiastic in tallying up the public sector customers - the leap from Reid's 18 to 80 in a matter of weeks seems, well, implausible.

To put the £357,000 into perspective, the Foreign & Commonwealth Office paid IPS over £3 million for use of passport equipment, while IPS' total income was just under £380 million. Assuming there really are 63 customers now, that would give us an average spend per customer of around £2,000 - not all the customers would have been signed up (it's a subscription service) for the whole year, of course. Income from the service for 2006-7 wasn't, at £312,000, spectacularly different from the 2007-8 figure - oddly, considering that it didn't actually go into operation until the second half of 2006. So are customers using it less, or have the goalposts been moved there too?

Potential private sector partners might well question what the PVS brings to the table apart box-ticking and arse-covering. Once you're signed up for the service you have access to a call centre - you pass on the passport details, then you're told either that it's valid, it's not valid, or it's not valid and you're to hang on to it and forward it to IPS.

It's worth noting here that with this service our person-centric organisation is offering us a fairly limited document-centric service that tells you nothing about the person. It'll detect a forgery because there won't be a record of the passport, it'll detect alterations in the data (e.g. date of birth), and it'll detect lost or stolen passports provided they've been reported. But it won't spot copies, it won't guarantee the person presenting the passport is the owner, and it won't tell you anything about right to work or criminal record.

So the gains for the subscribing organisation are fairly small, and could easily turn into losses if - as seems likely - having a passport validated starts to be viewed as the only proof needed to, say, open a bank account or sign on with an employment agency.

More perspective on the PVS can be had by looking at the way its major public sector customers use it, via the OmniBase system. OmniBase gives government departments access to IPS passport data in order to check details directly via a browser. Departments using the system in this way include the FCO, DWP, HMRC and the Criminal Records Bureau. The FCO doesn't pay for access (it's a special case because it issues overseas passports) while the others pay a flat fee per access. Aside from the ability to access the data directly rather than going through a call centre, however, the system seems similar to that offered to private sector companies, and has similar vulnerabilities.

Potentially all of these departments could be bulk users of the system, but according to IPS they check "when they are suspicious", and the pay per access pricing model means they're unlikely to run checks as a matter of course. That's what's supposed to happen in the government's vision of the ID card future, but clearly its own departments haven't received the message yet. Might we suggest to IPS that it switch to a flat fee, issue passport chip readers to all subscribers and charge annual rental for them? If you're going to build a database state you really ought to have a coherent business plan for it.

The DVLA is likely to be one of the heavier users of OmniBase, in its OmniBase Autocheck form. Autocheck links the DVLA to the IPS systems so that when driving licence applicants fill in their passport number online, the passport can be validated and - so long as it's a new model chipped passport - the picture and signature picked up and used for the driving licence. The IPS accounts don't break out numbers for validation payments from other government departments, but total transactions are in tens of millions. It seems safe to assume that the major ones aren't counted as part of the declared PVS income, and to speculate that income from government checking transactions far outstrips private sector income. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.