Can the UK have its identity strategy back, Mr President?

US gov dusts off abandoned nine-year-old UK ID plan


There was a lot of razzmatazz and back-slapping in the US in early September as President Obama's team announced a partnership with ten leading companies to provide federated digital identities acceptable for use with online government services.

All part of the big push towards better, more open government, as set out in Obama's technology plan of October 2007, and his memo from his first day in office.

The President's cunning plan is that by using OpenID and Information Card technologies, US citizens will be able to use their existing online digital identities rather than having to register yet another ID and password to make use of online public services (as is the case with the UK government's online registration and enrolment service, the Government Gateway).

Equally important is that citizens will be able to have full control over how much (or how little) personal information they share with the government. The combination of OpenID and Information Cards offers strong privacy and security safeguards, including being able to use pseudonymous IDs with government sites when needed. Smart thinking. As a result, lots of envious eyes are looking to the US and wondering why we can't do something savvy like that here, instead of flapping around in the embarrassing death spasms of the UK's national ID card fiasco.

UK Citizens' ID card

Cheer up love, it might never happen

But hold on a moment. Something about these 'new' US proposals seems very familiar. Federated identity? Trusted third parties being able to deliver online public services? It doesn't take long to find out why: a quick Google finds the excitingly named e-government authentication framework from, er, December 2000.

Yes, you did read that right.

It's a nine-year-old document.

And more than that, it's a UK document. Which contains nuggets such as:

For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.


The Framework provides for those cases where anonymous or pseudonymous access is also acceptable.


Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible... The Modernising Government white paper makes clear government's intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government's behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.

Hmm. All of which sounds refreshingly modern and enlightened. But also very similar to the ideas and principles recently announced in the US. Indeed, a quick look at the US Trust Framework Provider Adoption Process (TFPAP) reveals a set of authentication levels and processes that seem remarkably like those set out back in 2000 for the UK, varying from a low level of trust (no authentication required) through to the top level, where you need to deposit your grandmother and a test tube of your best DNA. Well, nearly.

To be fair, the Americans have been heard openly admitting that they found the UK policy documents useful. And after all, they haven't just done a straight lift, but have updated them in the light of nearly ten years of change, particularly on the technology front.

It may seem foolish now, but when the UK government developed its original trust framework it thought that smartcards and PKI were going to be the answer. Those were, of course, the heady days of the dotcom boom, when Royal Mail had told the government it was going to issue 4 million or more smartcards free to UK citizens (remember ViaCode anyone?). Barclays, Natwest and others were equally optimistic about the new age of smartcards, which government saw as a great way to bootstrap federated, third-party identities for its own online services.

Then reality intervened and the dotcom implosion took out a lot of things, including smartcards and their backers. But in its recent announcement, the US has recognised the pragmatic reality that today digital identity technologies such as OpenID and InfoCards are where the action is.

All of which is fine, but leaves a nagging question about if or when the UK might follow the US lead on identity and authentication, in much the same way that the UK has been outsourcing its IT strategy to the US and copying whatever is done there, such as with data.gov (data.gov.uk) and soon apps.gov.

Equally, there are hard questions to be asked about why the UK went from having a well-thought-through model of federated identity and trust back in 2000, only to have wasted so much of the last decade on trying to impose the discredited and flawed monolithic thinking of the national ID cards programme instead.

Let's just hope that we do copy the Americans, and re-import another of our best exports, as we seem to have done with coffee shops and so much else. It's a shame the best part of ten years has been wasted, but at least we have the chance now to get back on track, even if it is courtesy of our transatlantic cousins.

If an incoming administration after the next general election wanted to do just one thing to finally sort out the UK's identity strategy, it could do worse than cough politely and ask: "Mr President: would you be an awfully nice chap and kindly let us have our identity strategy back... please?" ®

Until earlier this year, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics. Previously, he was involved in the development of the UK Government Gateway.
