Can the UK have its identity strategy back, Mr President?

US gov dusts off abandoned nine-year-old UK ID plan

The essential guide to IT transformation

There was a lot of razzmatazz and back-slapping in the US in early September as President Obama's team announced a partnership with ten leading companies to provide federated digital identities acceptable for use with online government services.

All part of the big push towards better, more open government, as set out in Obama's technology plan of October 2007, and his memo from his first day in office.

The President's cunning plan is that by using OpenID and Information Card technologies, US citizens will be able to use their existing online digital identities rather than having to register yet another ID and password to make use of online public services (as is the case with the UK government's online registration and enrolment service, the Government Gateway).

Equally important is that citizens will be able to have full control over how much (or how little) personal information they share with the government. The use of the combination of Open ID and Information Cards offers strong privacy and security safeguards, including being able to use pseudononymous IDs with government sites when needed. Smart thinking. As a result, lots of envious eyes are looking to the US and wondering why we can't do something savvy like that here, instead of flapping around in the embarrassing death spasms of the UK's national ID card fiasco.

UK Citizens' ID card

Cheer up love, it might never happen

But hold on a moment. Something about these 'new' US proposals seems very familiar. Federated identity? Trusted third parties being able to deliver online public services? It doesn't take long to find out why: a quick Google finds the excitingly named e-government authentication framework from, er, December 2000.

Yes, you did read that right.

It's a nine year old document.

And more than that, it's a UK document. Which contains nuggets such as:

For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.


The Framework provides for those cases where anonymous or psuedonymous access is also acceptable.


Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible... The Modernising Government white paper makes clear government's intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government's behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.

Hmm. All of which sounds refreshingly modern and enlightened. But also very similar to the ideas and principles recently announced in the US. Indeed, a quick look at the US Trust Framework Provider Adoption Process (TFPAP) reveals a set of authentication levels and processes that seem remarkably like those set out back in 2000 for the UK, varying from a low level of trust (no authentication required) through to the top level, where you need to deposit your grandmother and a test tube of your best DNA. Well, nearly.

To be fair, the Americans have been heard openly admitting that they found the UK policy documents useful. And after all, they haven't just done a straight lift, but have updated them in the light of nearly ten years of change, particularly on the technology front.

It may seem foolish now, but when the UK government developed its original trust framework it thought that smartcards and PKI were going to be the answer. Those were, of course, the heady days of the dotcom boom, when Royal Mail had told the government it was going to issue 4 million or more smartcards free to UK citizens (remember ViaCode anyone?). Barclays, Natwest and others were equally optimistic about the new age of smartcards, which government saw as a great way to bootstrap federated, third-party identities for its own online services.

Then reality intervened and the dotcom implosion took out a lot of things, including smartcards and their backers. But in its recent announcement, the US has recognised the pragmatic reality that today digital identity technologies such as OpenID and InfoCards are where the action is.

All of which is fine, but leaves a nagging question about if or when the UK might follow the US lead on identity and authentication, in much the same way that the UK has been outsourcing its IT strategy to the US and copying whatever is done there, such as with data.gov (data.gov.uk) and soon apps.gov.

Equally, there are hard questions to be asked about why the UK went from having a well-thought-through model of federated identity and trust back in 2000, only to have wasted so much of the last decade on trying to impose the discredited and flawed monolithic thinking of the national ID cards programme instead?

Let's just hope that we do copy the Americans, and re-import another of our best exports, as we seem to have done with coffee shops and so much else. It's a shame the best part of ten years has been wasted, but at least we have the chance now to get back on track, even if it is courtesy of our transatlantic cousins.

If an incoming administration after the next general election wanted to do just one thing to finally sort out the UK's identity strategy, it could do worse than cough politely and ask: "Mr President: would you be an awfully nice chap and kindly let us have our identity strategy back... please?" ®

Until earlier this year, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics. Previously, he was involved in the development of the UK Government Gateway.

5 things you didn’t know about cloud backup

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
EU justice chief blasts Google on 'right to be forgotten'
Don't pretend it's a freedom of speech issue – interim commish
Detroit losing MILLIONS because it buys CHEAP BATTERIES – report
Man at hardware store was right: name brands DO last longer
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
prev story


5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.