Original URL: http://www.theregister.co.uk/2009/06/19/identity_two_dot_oh/

So what do we do when ID Cards 1.0 finally dies?

Jerry Fishenden argues the case for making next time non-evil

By Jerry Fishenden

Posted in Government, 19th June 2009 11:39 GMT

UK Identity Card 1.0 is in deep trouble. It's running late, and if the Conservative Party wins next year's election it'll be scrapped. Its original architect has changed his mind, and even some Cabinet members are starting to see it as a needless expense. But if we pull the plug, what then?

The cards may go away, but the issue won't. Problems associated with identity, privacy and security will remain burning issues facing both the technology industry and wider society. But the irony is that the UK is well placed to develop a model identity framework for the 21st Century. Unlike many other countries, we don’t have the problems of any existing, legacy national identity scheme to encumber us. We have a clean slate. We could have got this right and shown the art of the possible.

All the more reason to be dispirited then with the current identity plan, which seems to be rooted in a 1960s view of computing, with everyone's personal information stored in some monolithic central system and proposed identity cards that seem to be little more than plastic copies of the cardboard identity documents the UK population was forced to use during the second world war.

It is as if someone has dusted off a document for a state-centric identity scheme from another era, one before the digital, Internet, consumer-driven age. But I won’t dwell on this as the failings of the current scheme have been the topic of endless well-informed analysis and comment already.

Of course, some of the other documents and cards we typically have in our wallets or purses aren't exactly model examples either. Take a typical bank card. Right there on its front it proudly displays your name, your bank account number and your bank sorting code. And on the back? Ah, your signature and the so-called 'security code' (printed for all to see). On the back too is a magnetic stripe that makes it easy to copy much of this data automatically. Other cards and documents are little better.

The mentality of the old, paper-based age in which such information had to be physically printed on documents has persisted into the digital age. We have all the downsides of the paper-based age and little upside from the digital age, in large part because of issues such as legacy, backward compatibility and interoperability (it's useful, for example, that our bank cards work abroad, including in countries that do not use chip and PIN – but the price for that is their vulnerable, lowest-common-denominator design).

Why not blank? Or, why a card?

If you were designing a bank card today, it would have none of these flaws - it could even be blank if we wanted to take it to extremes. We could then decide what information we need to reveal, and to whom, by using our PIN to selectively disclose that information from a secure on-card chip when required. There would be nothing on the face of the card to copy or skim.

But talk of cards and identity cards is to miss the point. To lumber a modern identity policy with mandates about its delivery technology ("thou shalt have a card", enshrined in the very name of the 2006 Identity Cards Act) makes little sense. After all, why bother with cards at all? Although it may have escaped some policymakers' attention, we are living in a digital age. The majority of the population already carries or has access to technology that could be used as part of an effective identity strategy, mobile phones being an obvious example. Why not incorporate them into any national scale identity framework?

Stefan Brands' minimal disclosure tokens

In the work of leading identity, security and privacy thinkers such as Stefan Brands and Kim Cameron,* it is possible to see the art of the possible (see Cameron's laws of identity). Stefan’s work on minimal disclosure, for example, makes it possible to prove information about ourselves ("I am over 18", "I am over 65", "I am a UK citizen", etc) without disclosing any personal information, such as our full name, place and date of birth, age or address. Neither would the technology leave an audit trail of where we have been and whom we have interacted with. It would leave our private lives private. Indeed, it would enable us to have better privacy in our private lives than we do today, when we are often forced to disclose personal information to a whole host of people and organisations.

The technology to build a secure, privacy-aware identity scheme certainly exists. But what remains largely absent at the moment is an understanding at the policymaking level of the art of the possible. This only goes to illustrate, once again, that technology is not being appropriately incorporated into the policymaking process both prior to and during the formulation of policy and the resulting Bills placed before Parliament. This is part of a wider failing that a future administration needs to fix unless it too wants to find itself reliving the recent history of major IT programmes beset with problems.

Planning for the death of the Act

With even the former Home Secretary David Blunkett apparently calling for the current UK product, identity 1.0 (the Identity Cards Act, 2006), to be withdrawn, we need an informed consultation on what a new identity 2.0 could look like. Well, for a starter I’d expect it to ensure:
- proof of entitlement and authorisation to access a service, without necessarily even identifying the user; that is, the disclosure of only the bare minimum of information necessary for a transaction (for example, providing a proof that a person is over or under a certain age threshold, without disclosing their actual date of birth or their age)
- using a choice of devices that makes sense not only to government, but also to us as citizens and to the commercial sector
- the management of electronic credentials throughout the lifecycle between issuance and revocation, in a privacy-friendly way
- decentralised governance of identity infrastructure across the private and public sectors, without the need for anyone to sit in the middle and log and monitor everything we do
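
Added example, not from the original article or from U-Prove: a sketch of the selective disclosure described under "Stefan Brands' minimal disclosure tokens" and in the first item of the list above, using salted hash commitments rather than Brands' cryptography. The attribute names and sample values are constructed, and an HMAC stands in for the issuer's public-key signature so the block runs on the Python standard library alone.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC with an issuer key stands in for a public-key signature.
ISSUER_KEY = secrets.token_bytes(32)

def commit(name, value, salt):
    # Salted hash: hides the value and resists guessing of low-entropy values.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: commit to each attribute and sign only the sorted commitments."""
    salts = {n: secrets.token_hex(16) for n in attributes}
    digests = sorted(commit(n, v, salts[n]) for n, v in attributes.items())
    return {"digests": digests, "sig": sign(digests)}, salts  # salts go to the holder

def present(credential, attributes, salts, reveal):
    """Holder: open only the attributes named in `reveal`."""
    opened = [[n, attributes[n], salts[n]] for n in reveal]
    return {**credential, "opened": opened}

def verify(presentation):
    """Verifier: return the disclosed claims, or None if anything fails to check."""
    if not hmac.compare_digest(presentation["sig"], sign(presentation["digests"])):
        return None
    claims = {}
    for name, value, salt in presentation["opened"]:
        if commit(name, value, salt) not in presentation["digests"]:
            return None  # opened value was never signed by the issuer
        claims[name] = value
    return claims

# Constructed sample data, not from the article.
PERSON = {"name": "Alex Example", "date_of_birth": "1980-01-01",
          "over_18": True, "uk_citizen": True}
CREDENTIAL, SALTS = issue(PERSON)
shown = present(CREDENTIAL, PERSON, SALTS, ["over_18"])

# A holder whose signed credential says over_18 is False cannot present True.
MINOR_CREDENTIAL, MINOR_SALTS = issue({**PERSON, "over_18": False})
forged = present(MINOR_CREDENTIAL, PERSON, MINOR_SALTS, ["over_18"])

if __name__ == "__main__":
    print(verify(shown), verify(forged))
```

Because the same commitments and signature are shown at every presentation, verifiers who compare notes could link them. The "no audit trail" property the article describes needs cryptography beyond this sketch.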

The technology exists to make this happen. But policymakers to date have lacked the technical understanding and vision to see the art of the possible and the agreed mechanism to deliver it. The good news is that there is still time for a reboot. Time for a twenty-first century identity framework that puts citizens in control, ensures there is a clear commercial value to the business community and sees government’s role limited to ensuring overall governance and compliance, providing an Identity Protection Service (IPS).

Now is a good time to be thinking about what such an identity framework might look like. If the current Act is repealed, we need an alternative, sensible set of ideas waiting in the wings. An alternative that is designed to strengthen our privacy and security, not undermine it. One that places us, as citizens, at the centre and in control – not at the centre under permanent and routine surveillance. And one that empowers us with additional safeguards and protections well beyond those that the current conman-friendly plastic cards in our wallets and purses provide.

The UK government can help raise the game for everyone here. So let’s hit Control-Alt-Delete on the current system and get that reboot started. I suspect it’s going to take a long time to reach agreement, so the sooner we start the better... ®

* Stefan Brands' U-Prove technology was bought by Microsoft last year. Kim Cameron is Microsoft's Chief Architect of Identity.

Until this month, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics.