Can the UK have its identity strategy back, Mr President?
US gov dusts off abandoned nine-year-old UK ID plan
There was a lot of razzmatazz and back-slapping in the US in early September as President Obama's team announced a partnership with ten leading companies to provide federated digital identities acceptable for use with online government services.
The President's cunning plan is that by using OpenID and Information Card technologies, US citizens will be able to use their existing online digital identities rather than having to register yet another ID and password to make use of online public services (as is the case with the UK government's online registration and enrolment service, the Government Gateway).
Equally important is that citizens will be able to have full control over how much (or how little) personal information they share with the government. The use of the combination of Open ID and Information Cards offers strong privacy and security safeguards, including being able to use pseudononymous IDs with government sites when needed. Smart thinking. As a result, lots of envious eyes are looking to the US and wondering why we can't do something savvy like that here, instead of flapping around in the embarrassing death spasms of the UK's national ID card fiasco.
Cheer up love, it might never happen
But hold on a moment. Something about these 'new' US proposals seems very familiar. Federated identity? Trusted third parties being able to deliver online public services? It doesn't take long to find out why: a quick Google finds the excitingly named e-government authentication framework from, er, December 2000.
Yes, you did read that right.
It's a nine year old document.
And more than that, it's a UK document. Which contains nuggets such as:
For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.
The Framework provides for those cases where anonymous or psuedonymous access is also acceptable.
Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible... The Modernising Government white paper makes clear government's intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government's behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.
Hmm. All of which sounds refreshingly modern and enlightened. But also very similar to the ideas and principles recently announced in the US. Indeed, a quick look at the US Trust Framework Provider Adoption Process (TFPAP) reveals a set of authentication levels and processes that seem remarkably like those set out back in 2000 for the UK, varying from a low level of trust (no authentication required) through to the top level, where you need to deposit your grandmother and a test tube of your best DNA. Well, nearly.
To be fair, the Americans have been heard openly admitting that they found the UK policy documents useful. And after all, they haven't just done a straight lift, but have updated them in the light of nearly ten years of change, particularly on the technology front.
It may seem foolish now, but when the UK government developed its original trust framework it thought that smartcards and PKI were going to be the answer. Those were, of course, the heady days of the dotcom boom, when Royal Mail had told the government it was going to issue 4 million or more smartcards free to UK citizens (remember ViaCode anyone?). Barclays, Natwest and others were equally optimistic about the new age of smartcards, which government saw as a great way to bootstrap federated, third-party identities for its own online services.
Then reality intervened and the dotcom implosion took out a lot of things, including smartcards and their backers. But in its recent announcement, the US has recognised the pragmatic reality that today digital identity technologies such as OpenID and InfoCards are where the action is.
All of which is fine, but leaves a nagging question about if or when the UK might follow the US lead on identity and authentication, in much the same way that the UK has been outsourcing its IT strategy to the US and copying whatever is done there, such as with data.gov (data.gov.uk) and soon apps.gov.
Equally, there are hard questions to be asked about why the UK went from having a well-thought-through model of federated identity and trust back in 2000, only to have wasted so much of the last decade on trying to impose the discredited and flawed monolithic thinking of the national ID cards programme instead?
Let's just hope that we do copy the Americans, and re-import another of our best exports, as we seem to have done with coffee shops and so much else. It's a shame the best part of ten years has been wasted, but at least we have the chance now to get back on track, even if it is courtesy of our transatlantic cousins.
If an incoming administration after the next general election wanted to do just one thing to finally sort out the UK's identity strategy, it could do worse than cough politely and ask: "Mr President: would you be an awfully nice chap and kindly let us have our identity strategy back... please?" ®
Until earlier this year, Jerry Fishenden was National Technology Officer for Microsoft UK. He is currently a Visiting Senior Fellow at the London School of Economics. Previously, he was involved in the development of the UK Government Gateway.