Can the UK have its identity strategy back, Mr President?
US gov dusts off abandoned nine-year-old UK ID plan
There was a lot of razzmatazz and back-slapping in the US in early September as President Obama's team announced a partnership with ten leading companies to provide federated digital identities acceptable for use with online government services.
The President's cunning plan is that by using OpenID and Information Card technologies, US citizens will be able to use their existing online digital identities rather than having to register yet another ID and password to make use of online public services (as is the case with the UK government's online registration and enrolment service, the Government Gateway).
Equally important is that citizens will be able to have full control over how much (or how little) personal information they share with the government. The use of the combination of Open ID and Information Cards offers strong privacy and security safeguards, including being able to use pseudononymous IDs with government sites when needed. Smart thinking. As a result, lots of envious eyes are looking to the US and wondering why we can't do something savvy like that here, instead of flapping around in the embarrassing death spasms of the UK's national ID card fiasco.
Cheer up love, it might never happen
But hold on a moment. Something about these 'new' US proposals seems very familiar. Federated identity? Trusted third parties being able to deliver online public services? It doesn't take long to find out why: a quick Google finds the excitingly named e-government authentication framework from, er, December 2000.
Yes, you did read that right.
It's a nine year old document.
And more than that, it's a UK document. Which contains nuggets such as:
For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.
The Framework provides for those cases where anonymous or psuedonymous access is also acceptable.
Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible... The Modernising Government white paper makes clear government's intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government's behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.
Hmm. All of which sounds refreshingly modern and enlightened. But also very similar to the ideas and principles recently announced in the US. Indeed, a quick look at the US Trust Framework Provider Adoption Process (TFPAP) reveals a set of authentication levels and processes that seem remarkably like those set out back in 2000 for the UK, varying from a low level of trust (no authentication required) through to the top level, where you need to deposit your grandmother and a test tube of your best DNA. Well, nearly.
To be fair, the Americans have been heard openly admitting that they found the UK policy documents useful. And after all, they haven't just done a straight lift, but have updated them in the light of nearly ten years of change, particularly on the technology front.
It may seem foolish now, but when the UK government developed its original trust framework it thought that smartcards and PKI were going to be the answer. Those were, of course, the heady days of the dotcom boom, when Royal Mail had told the government it was going to issue 4 million or more smartcards free to UK citizens (remember ViaCode anyone?). Barclays, Natwest and others were equally optimistic about the new age of smartcards, which government saw as a great way to bootstrap federated, third-party identities for its own online services.
Then reality intervened and the dotcom implosion took out a lot of things, including smartcards and their backers. But in its recent announcement, the US has recognised the pragmatic reality that today digital identity technologies such as OpenID and InfoCards are where the action is.
All of which is fine, but leaves a nagging question about if or when the UK might follow the US lead on identity and authentication, in much the same way that the UK has been outsourcing its IT strategy to the US and copying whatever is done there, such as with data.gov (data.gov.uk) and soon apps.gov.
Equally, there are hard questions to be asked about why the UK went from having a well-thought-through model of federated identity and trust back in 2000, only to have wasted so much of the last decade on trying to impose the discredited and flawed monolithic thinking of the national ID cards programme instead?
Let's just hope that we do copy the Americans, and re-import another of our best exports, as we seem to have done with coffee shops and so much else. It's a shame the best part of ten years has been wasted, but at least we have the chance now to get back on track, even if it is courtesy of our transatlantic cousins.
If an incoming administration after the next general election wanted to do just one thing to finally sort out the UK's identity strategy, it could do worse than cough politely and ask: "Mr President: would you be an awfully nice chap and kindly let us have our identity strategy back... please?" ®
Until earlier this year, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics. Previously, he was involved in the development of the UK Government Gateway.
Re: Are we really in a position to decide?
"The ID database and ID card is a European project and not a British one. I doubt we are in a position to decide which system to pick. The database will be EU-wide and therefore it'll be a single system."
The best lies always have some element of the truth in them and that's why the one above, which I have no doubt you honestly believe, is swallowed by so many.
Yes the EU has put forward directives on the standards for any such databases and cards, but at no point has it ever said "you must have one". Most of the directives are more akin to technical standards documents than they are to policy ones. i.e. "all travel documents must be readable by this system" not "all travel documents must include DNA and a photo of the traveller bending over".
The British government has chosen to enforce these directives in the most draconian way possible then blamed the EU, they do this a lot (it beats telling your electorate "we have decided we own you"). Another example of this sort of thing would be the EU Directive to spy on citizens internet traffic, while our politicians tell us "it's all the evil EU", guess whose presidency it was introduced under and which government pressed for it to be passed? Our lapdog in chief Mr Tony Blair's that's who.
Don't get me wrong, I have no particular love of the EU and it's bureaucracy either - the simple fact remains that this sort of crap should not be *able* to make it into EU law, but it pisses me off that out leaders use it to push unpopular policy down our throats all the time and no one calls them out for it.
Re: Let's be honest here
No, let's be accurate. The bank does not care who you are. It only needs to know that the person authorising each transaction (despodit or withdrawal) is the same as the person who opened the account. Now, if it gets this wrong, it could lose an *unlimited* amount of money. Banks will not use an authentication system that is controlled by a third party with the track record of gov.uk.
You suggest a photograph and biometric coding, but a fundamental requirement of a real world ID system is that when (not if) the system fails it must be possible to revoke credentials and re-issue new ones. Have you tried "revoking" your face recently?
You are correct in one respect. Most of us do already have several forms of ID. However, "strength in depth" beats "all eggs in one basket" every time. Keep them separate.
"So the choice is have hardware based ID and risk big brother showing the slightest bit of interest in you [...] or stay as we are and risk a bunch of Russians/Chinese/Nigerians taking an interest in your online banking"
Er no. That's not the choice. The security between me and my bank can be arranged, would you believe it, between me and my bank. The Sith Lords don't need to get involved. Indeed, my bank doesn't give a toss about who I am, as long as I am the same person who opened this particular account. A unified ID benefits neither me nor my bank. Indeed, by making it easier to collate personal information, it probably makes it easier for third parties (like the crook who picked up the USB stick on the train) to impersonate us, which makes it a net loss for me and the bank.