It's October, the time of year when another intake of students are released from school into the adult world of university, and fill the pubs and clubs of university towns. These establishments are legally bound to verify that their customers are old enough to enter, and risk losing their license for failure to do so. Under 'Challenge 25' guidelines (in Scotland these are legal requirements), licensees are expected to verify the age of any customer who appears to be 25 years old or younger. In practice, Home Office guidelines mean that to date the only 'acceptable' proofs of age young people have been either a passport, a driving licence, or a PASS card.
However, passports and driving licences are far from ideal; from the licensee's perspective, their staff have to confirm that the photo matches the bearer, and that the date of birth is old enough, and this often has to happen in a noisy, poorly-lit environment. The PASS card removes the need to confirm the date of birth, but has long been subject to criticism that it is vulnerable to forgery (although PASS assert that no fakes have been found), is not accepted everywhere, and certainly suffers from potential transferability between holders, particularly if licensees fail to check the details properly.
From the young person's perspective, passports and driving licences can be a real problem. Many young people don't drive or have a passport, but end up having buy one just to be able to go out with their friends. Passports and driving licences are easily lost or damaged, resulting in a risk of identity-related fraud, potential safety concerns, and a nasty bill to obtain a replacement (a new passport costs £72.50). Young women can be particularly vulnerable if they have to carry and offer proof of ID that includes their name and home address, and in discussion with the NUS in Northern Ireland a few years ago I heard anecdotal stories of students being attacked after unwittingly offering up proof of ID that identified them as living in a predominantly Protestant/Catholic area.
This is a societal problem whose current solutions fail to properly address the needs of any of the stakeholders. Indeed, ACPO advises against carrying valuable ID such as passports for alcohol-related purchases. Yet the Home Office now acknowledges that the problem of fake ID is in fact dwarfed by genuine ID being passed down, or sold on when expired, which ends up as a valuable commodity doing the rounds amongst the underage.
It's therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).
The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer's date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer's details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker - the service is completely anonymous.
At the licensed establishment, the staff member has a handheld reader which comprises a fingerprint scanner, NFC reader and red/green indicator lights. The customer presents their sticker and places their finger on the reader; the scanner generates a hash from the fingerprint, uses it to unlock the date of birth, and then provides a red/green light to the operator to indicate success or failure. Again, no record of the transaction is retained (beyond statistical data so that the licensee can prove how many checks were done and at what times), and in the event of a failure the operator is not told the reason. Privacy is preserved at all stages of the process.
Touch2id is working with the licensing authorities in Bath and Trowbridge to roll out the service (the launch needs to be regional to ensure that a critical mass of stickers and readers exist in a given area). I was invited down to the Bath University Fresher's Fair to help to promote the service to the new intake, and to get a first-hand feel for their reactions to biometric ID. Clearly the audience was subjective - we only got to speak with students who were interested in the service - but the response was overwhelmingly positive. In approximate order of popularity, their reactions were:
- "Oh wow, a free USB memory card, how big is it?" (these are students we're talking about, so always quick to spot a freebie);
- "Does that mean I don't need to carry my passport around?" (correct!);
- "Can I use it in all the pubs in town?" (not all of them yet, but nearly all);
- "Where can I get it?" (participating local Post Offices);
- "Can I use it in the campus library?" (no, but not through any limitation of the technology);
- "Do you get to store my fingerprints?" (no);
- "What happens if I lose it?" (if you get a spare sticker then you'll have a backup, otherwise you have to re-enrol from scratch);
- "What happens if someone steals my sticker?" (some of these students were very hung over so it took a few seconds for the coin to drop that the biometric credential is non-transferrable).
What we didn't hear - and this surprised me - was any adverse reaction. A few students were initially sceptical, but after asking a few of the above questions, they were quickly won over. I had anticipated vocal objections to the very concept of a fingerprint proof of attributes scheme, but that simply didn't happen. This might be because some have become accustomed to fingerprints in schools, but I suspect it is much more likely that they see clear value in the proposition, without any risk for themselves - unlike other ID schemes touch2id is built around user needs rather than an underlying desire to amass data.
We were fortunate enough to have coverage from a regional ITV News team, who also interviewed Don Foster MP - he's been very supportive of the programme. You can see their footage here.
What next for touch2id? The team is hoping to expand the West of England coverage, and kick off another region elsewhere in the UK. I'm hoping we'll see the same minimal-disclosure proof of attributes ideas brought into play in other ID arenas - including the government's new Identity Assurance programme - but more on that shortly...
Declaration of interest: One of my duties for Post Office Ltd is to provide support for the roll out of touch2id.