Feeds

Can the UK have its identity strategy back, Mr President?

US gov dusts off abandoned nine-year-old UK ID plan

Mobile application security vulnerability report

There was a lot of razzmatazz and back-slapping in the US in early September as President Obama's team announced a partnership with ten leading companies to provide federated digital identities acceptable for use with online government services.

All part of the big push towards better, more open government, as set out in Obama's technology plan of October 2007, and his memo from his first day in office.

The President's cunning plan is that by using OpenID and Information Card technologies, US citizens will be able to use their existing online digital identities rather than having to register yet another ID and password to make use of online public services (as is the case with the UK government's online registration and enrolment service, the Government Gateway).

Equally important is that citizens will be able to have full control over how much (or how little) personal information they share with the government. The use of the combination of Open ID and Information Cards offers strong privacy and security safeguards, including being able to use pseudononymous IDs with government sites when needed. Smart thinking. As a result, lots of envious eyes are looking to the US and wondering why we can't do something savvy like that here, instead of flapping around in the embarrassing death spasms of the UK's national ID card fiasco.

UK Citizens' ID card

Cheer up love, it might never happen

But hold on a moment. Something about these 'new' US proposals seems very familiar. Federated identity? Trusted third parties being able to deliver online public services? It doesn't take long to find out why: a quick Google finds the excitingly named e-government authentication framework from, er, December 2000.

Yes, you did read that right.

It's a nine year old document.

And more than that, it's a UK document. Which contains nuggets such as:

For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.

Also:

The Framework provides for those cases where anonymous or psuedonymous access is also acceptable.

And:

Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible... The Modernising Government white paper makes clear government's intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government's behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.

Hmm. All of which sounds refreshingly modern and enlightened. But also very similar to the ideas and principles recently announced in the US. Indeed, a quick look at the US Trust Framework Provider Adoption Process (TFPAP) reveals a set of authentication levels and processes that seem remarkably like those set out back in 2000 for the UK, varying from a low level of trust (no authentication required) through to the top level, where you need to deposit your grandmother and a test tube of your best DNA. Well, nearly.

To be fair, the Americans have been heard openly admitting that they found the UK policy documents useful. And after all, they haven't just done a straight lift, but have updated them in the light of nearly ten years of change, particularly on the technology front.

It may seem foolish now, but when the UK government developed its original trust framework it thought that smartcards and PKI were going to be the answer. Those were, of course, the heady days of the dotcom boom, when Royal Mail had told the government it was going to issue 4 million or more smartcards free to UK citizens (remember ViaCode anyone?). Barclays, Natwest and others were equally optimistic about the new age of smartcards, which government saw as a great way to bootstrap federated, third-party identities for its own online services.

Then reality intervened and the dotcom implosion took out a lot of things, including smartcards and their backers. But in its recent announcement, the US has recognised the pragmatic reality that today digital identity technologies such as OpenID and InfoCards are where the action is.

All of which is fine, but leaves a nagging question about if or when the UK might follow the US lead on identity and authentication, in much the same way that the UK has been outsourcing its IT strategy to the US and copying whatever is done there, such as with data.gov (data.gov.uk) and soon apps.gov.

Equally, there are hard questions to be asked about why the UK went from having a well-thought-through model of federated identity and trust back in 2000, only to have wasted so much of the last decade on trying to impose the discredited and flawed monolithic thinking of the national ID cards programme instead?

Let's just hope that we do copy the Americans, and re-import another of our best exports, as we seem to have done with coffee shops and so much else. It's a shame the best part of ten years has been wasted, but at least we have the chance now to get back on track, even if it is courtesy of our transatlantic cousins.

If an incoming administration after the next general election wanted to do just one thing to finally sort out the UK's identity strategy, it could do worse than cough politely and ask: "Mr President: would you be an awfully nice chap and kindly let us have our identity strategy back... please?" ®

Until earlier this year, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics. Previously, he was involved in the development of the UK Government Gateway.

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.