Friday, March 25, 2005

ID’s going to cost how much?

Last weekend whilst relaxing in Paris, I flicked through the Independent newspaper to see a headline announcing that ID cards were going to cost over £5 billion. Last time I looked, I’m pretty sure that it was going to be less than £3.5 billion – and even then the cost of passports and driving licences was going to go up by something like 50% - to over £80 for passports. If the project costs are getting close to double the original estimate, does that mean my passport in 2012 will cost £200 or £300 or more? I am broadly pro ID. Not necessarily ID cards, but definitely ID. By ID I mean the ability to assign a single identifier to me as a person interacting with government. That number would link me into tax systems, benefits assessments, pension information and, even, local council service provision. Today, there would be more than one identifier for those, likely one for each and quite often more than one for several. I think it reasonable that government should be able to figure out who I am across all of these services so that they can ensure that I get what I deserve and only what I deserve and not more than that. There are folks out there, I know, who think that government being able to link services together like that will only result in them knowing ever more and more about someone and pursuing them for the slightest infraction of a law, even arbitrary laws or perhaps even non-laws. That's something that I should explore, but not in this post. One of the problems that stems from having this ID number is that, just like now, there’s nothing to stop me getting an extra one – maybe in my name, maybe in someone else’s. And that, for me, is where biometrics come in. If you can uniquely identify someone that has presented themselves to the system, then if they come back again and try and get access via a different path, you can find that out. This has more to do with stopping benefit fraud – multiple claims, claiming for dead relatives and so on – than it has prevention of terrorism. Someone's going to shoot me down about that "dead relatives" thing on the basis that we'll need to be collecting biometrics for the next 100 years to properly prevent such an occurrence, and we'd still have the "day of the jackal"problem unless we collected baby information at birth. What I don’t get – and perhaps this is where the £5 billion comes in – is how to collect, store and index 60 million (plus new residents and new births etc over time and recognising that all previously collected records must be maintained forever to ensure no-one can reuse them) biometric profiles. Let’s suppose that the process is reliable – that’s a stretch, but let’s suppose – and that every time I wave my finger/face/eye/hand over an appropriate scanner, the machine is not going to confuse me with someone else. That means scanning, in real time, through 60 million or more records and finding the one that matches me. It’s kind of a super Shazam service – that’s the clever device where you ring a number, hold your mobile phone up to a speaker in a store and 2 minutes later the machine texts you with the song, the artist and the album it’s from. Pretty neat. I guess each track in the Shazam data store is perhaps 4 minutes long (on average) and that it’s then hugely compressed using a clever algorithm. I can test it with a sample from any part of a track and it should still find the right one (assuming you’re not listening to anything too obscure or, dare I say it, classical music). But, there aren’t 60 million tracks to search and 2 minutes would be a long time to stand in a passport checking queue. A Shazam for biometrics, though, would really be something. Maybe it’s another use for Sony’s new Cell chip, debuting in a Playstation 3 near you sometime next year. That's a great place to start spending £5 billion although what the wider purpose would be I have no idea. Back to my supposition – that scanning fingers and eyes and whatever is reliable. Personal experience so far says it’s not. I used to use the INSPass travelling to the USA – a great system and it worked, kind of, if you put your hand just show and inserted the card in just a certain way. How many people used that? A few thousand at most? Twenty thousand maybe? You had to be travelling to the USA 2-3 times a month for them to let you into the system and, of course, you had to be an “alien”. The finger scanner on my HP Ipaq worked, kind of, too. You rolled your finger down the gadget and 1 time in 3, it would let you use your PDA. More hassle than it’s worth? Probably. Reports on the pilot programmes for ID cards were that the process wasn’t too reliable either. I tried to sign up for the pilot and got a long and complicated email back telling me that if I signed up to certain conditions I could indeed participate. One of the conditions I wanted was that I wanted to know more about how and where they were going to store the data. They never came back to me. But maybe perfecting accuracy of recognition is going to consume a big chunk of the £5 billion? Now, if I were the project manager for ID cards, I would be stuffing every possible cost into the project to make sure that the cost was as loaded as it could be. Government projects have an all too familiar record of going wrong, and going wrong spectacularly at that – which means they cost far more than budgeted, don’t do what they said they would and take longer than planned. So, the more cash you can get in the budget, the better your odds – in a perverse sort of way – of coming in on budget. The cynic in me says that spending money is hard and that spending a lot of money is really hard, so adding too much to the budget virtually guarantees you’ll fail as you’ll probably spend it on more people, more suppliers and more complicated technology that has a lower chance of success. But still, feathering the budget with as much as you can at this stage makes sense – who know, the project manager could be seen as a hero later for managing to deliver for half the originally forecast price, although I’m pretty sure we wouldn’t then see a reduction in our cost of passports. The other thing that I’d be doing if I were the project manager would be not talking about money and, instead, going to see everyone I could possibly think of – including the people that would doubtless be sending me abusive emails about civil liberties – and seeing what issues, objections and worries they have about the project. The NHS projects, whilst spending a little more than current estimates on ID cards, have succeeded in many areas but one place they’re losing is in engaging stakeholders across the medical community – and the battle is being fought more in the press than it is in the meeting rooms. This is something that Nicholas Timmins seems to enjoy raising in his occasional pieces in the Financial Times – the most recent on March 11th. He notes that
Some heavy lifting is needed if staff are to be convinced that the programme is to succeed.
And he doesn’t just mean NHS staff, but the doctors and others who have to be persuaded to sign up to using all of the new systems when, for the most part, they’re perfectly happy with the ones that they’ve got and are entirely unwilling to learn about any new systems. Whilst there are exceptions, most doctors don’t appear to be great embracers of technology. I think, looking from the outside, that Richard Granger has done well to get as far as he has – he has put hugely complicated deals in place in record time; implementation is progressing, although there are endless rumours of delays, penalty payments for suppliers and problems with scope between the national providers, the local integrators and, still lower down, the systems that remain in use. The battle to engage all the stakeholders in ID cards is not, sadly, one that can be definitively won. There will always be people who don’t want ID cards, for good and valid reasons – but there is, at least, a chance to build safeguards and controls into the programme that will address the key weaknesses and, mostly, make people feel engaged. ID cards aren’t something that can just emerge from within a £5 billion project – a project that appears to be a submarine of epic proportions. £5 billion could also easily turn into £10 billion by the time it’s done – notwithstanding the fact that so much work has to be done on technology to make it work. Michael Cross, writing in the Guardian on March 3rd, lamented (perhaps not for the first or last time) our tendency to fail in delivering large IT projects. He was looking ahead to the probably signing (at the time) of the MoD contract for the Defence Information Infrastructure (or DII). He notes
Only a handful of firms can take on these mega contracts and most are already over committed … EDS has spare capacity following the loss of its Inland Revenue business. Was there really a choice?
That’s kind of true – there aren’t many that could take on a project of this size – but I’d also like to think that the decision didn’t end up as a coin flip on who had spare capacity versus who didn’t. I am sure that the other behemoth suppliers (CSC and BT) were mounting a credible bid based on a desire to win. And EDS I hope stayed in it to the end and won because they made the right commitments and delivered a proposal that was believable. Mike goes on
… the UK has the highest scrap rate of government IT projects among the 7 [countries in a survey] ... In the Netherlands, the top five IT suppliers have [only] 20% of the government market, as against 80% in the UK … and that EDS was unique in having 51% of the UK government market …
QED? Perhaps not – at least not just because of suppliers – government has got to get its end together too; after all, suppliers attract the best and brightest people in specific fields such as delivery, integration and testing whereas government attracts the same in policy formulation. The gap between writing a policy and making it happen is enormous – and doing the former does nothing to increase the odds of the latter. Indeed, with the big 6 contract winners in the UK (Accenture, ACS, CSC, EDS, HP and IBM – according to the Econmist on March 5th) all being American, maybe it’s even a wonder how the curse of failure to deliver can be laid at the foot of the British at all. I note, with great interest, that staff from the US Navy worked with the MoD whilst they were negotiating with EDS to reduce the chances of the DII project failing through similar issues as affected them. Of course, projects often fail for whole new and creative reasons, so I hope someone is having a think about those too. Perhaps too, though, government is making it too hard for anyone else to get into the game, with onerous contracts (in the view of vendors), high or indeed unlimited liability requirements, get-out clauses and so on being part of the price of entry. One of the NAO’s list of 8 reasons why projects fail is that too often, a “big bang” project is attempted. ID cards seem to have the hallmarks of one of those – I don’t buy that phasing them in through passport renewals is a staged approach. The technology must work flawlessly, the readers must be widely deployed, government systems must all point to the ID number and data must be clean. And then there’s the issuance process – the gold standard approach to identity. But that’s for another day. ID cards will be a mixed deal for suppliers that choose to bid. Just being involved in the bid process will generate negative PR from the anti-campaigners. Wining will generate even more such PR – with possible consequences on other parts of their business. But delays, cost over-runs and failures will hurt far more should they occur – and certainly hurt other parts of the business and, at some point, the bottom line. If I was a vendor, I’d want to analyse those risks and cover them off through active stakeholder (and, very possibly, shareholder) engagement. As apparently Lockheed Martin concluded (noted in the Economist on March 12th) before pulling out of an NHS contract process, perhaps the tough new performance measures, the potential for angry headlines and the fines if delivery didn’t happen were too big a risk to take? For sure £5.5 billion is a lot of money to spend. It’s an awful lot more to spend in the hope that the ideas laid out in the requirements will turn out to be deliverable. It could be seen as a “man on the moon” project – one that will stimulate so much creativity and innovation that difficult problems will be solved through suppliers that harness their best ideas, with their smartest people and work together. And, just like that project, there are likely to be Apollo 1s and Apollo 13s along the way. Failure in a project like this must be built in – and very public failure at that. To try and get past such failures without a population that is bought into the dream and the vision may be just too challenging. People are going to have to want an ID card - just like I wanted an Oyster card to get around the tube and bus network because it was quicker, cheaper and simpler than using paper tickets. Getting to go to America may be enough motivation for some to give a biometric but it's hardly the only thing needed as a reason.


  1. Anonymous1:08 pm

    Given all the doubts and the likelihood of a poor implmentation, my vote is sit on the money and don't start the project.

    Even the benefits seem vague. There are more deserving cases to receive £3-5B if the ex-Chancellor is still up for it in his new job.

    A new PM would be mad to want this to go on their scorecard.

  2. Waiting for you finger-print to be run against a database of 60m every time you need to authenticate is a pipe-dream.

    Instead, wouldn't it be better to have a dual-key approach. Everyone is issued with a number, and they already have a fingerprint. First, they enter the number. This is sent to the database and the relevant finger-print is returned. On presenting their finger, it merely checks that their finger is the same as the print returned.

  3. Anonymous8:07 am

    Absolute nonsense that searching through 60 million records is a mammoth task. 60 million records is nothing to search through in the slightest. An ordinary high end computer could do that in near real time results.

    Using fingerprints can be converted into digital values and then an algorythm applied, the project costs are huge because of the huge consultanty that has gone into it without any real need.

    Over ambitious programmers wanting to show off their technicall perfect skills, the job of searching through 60 million records in real time with proper network and database planning is a doddle.

    Google can index and match billions of web pages against a vague set of datas, this only has to search against 60 million records all perfectly documented in the way they need to be searched for to begin with. DOH!