Microsoft lines up with the good guys on identity tech

Brands and Cameron pitch the fix for government's Big ID problem

Dr Brands is evidently delighted about the U-Prove sale, which had been under discussion for two years. "There is no industry player around I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications," he says. He points to Microsoft's existing presence throughout the target markets for ID and access management, and its influence both on the client and server side of the application. "It is easy to say why this is a perfect match."

Mr Cameron sees U-Prove's minimal disclosure tokens as base features of emerging identity platforms which will lead to the safest possible Internet: "I don't think the point here is ultimately to make a dollar. It's about building a system of identity that can withstand the ravages that the Internet will unleash. That will be worth billions." He looks forward to good privacy practice becoming one of the norms of e-commerce.

The prospect is that Brands' minimal disclosure tokens, with their properties of selective disclosure, unlinkability, and powerful revocation capabilities, will be built with half a dozen man-years' development effort into the Windows Cardspace user interface arising from Mr Cameron's work, and also into the underlying Windows Communication Foundation.

If U-Prove is available in WCF that makes it available to any applications on the Windows platform. U-Prove is also covered by Microsoft's (not wholly uncontroversial) Open Specification Promise.

MS as ID standards hero?

Now that the world knows it is Microsoft – instead of a Nokia, Google or IBM – that has acquired Dr Brands' patents there is concern on just how U-Prove will be used competitively. A statesmanlike market leader can afford the view that a safe online world for all is prerequisite for the health of their future market. But Microsoft has a history as an inveterate playground bully that rivals don't easily forget.

Mr Cameron protests that times have changed: "I can guarantee everyone that I have zero intention of hoarding minimal disclosure tokens or turning U-Prove into a proprietary Microsoft technology silo. Like, it's 2008, right? Give me a break, guys!" Dr Brands echoes the point: "It's very clear to me that's not why the people who pushed for the deal wanted to do this."

The outstanding question is how well the undoubted intentions and integrity of both men will stand up to the residual primitive and exploitative tendencies that still reside in large parts of Microsoft.

So, why is this acquisition so important for us in the UK?

It's not just about general cybercrime and data losses, although the UK suffers from that as much as anywhere. It's about the broad thrust of government IT plans. The UK's "Transformational Government" public-sector IT strategy is written and implemented by people who have yet to take a privacy-friendly approach to single sign-on and data sharing. And they've managed to marginalise the very small number of people inside government who appreciate Dr Brands' work.

To say the acquisition is important to UK government is not to say that Whitehall should now buy more Microsoft products – indeed part of the problem was that Tony Blair was seduced by Bill Gates, and Whitehall was locked by Microsoft into a Hailstorm-era way of thinking with its central authentication and health services. When Scott McNealy pointed out the dangers of Hailstorm UK e-Envoy Andrew Pinder scornfully and publicly retorted that the Sun boss was simply jealous that Bill Gates' firm was bigger and more successful than his.

Sponsored: Today’s most dangerous security threats