Sir Bonar Neville-Kingdom, Technology Outreach Czar

[Dave Birch] Sir Bonar Neville-Kingdom is Permanent Secretary at Large with especial responsibility for efficiency, globalisation and customer insight throughout Whitehall and beyond. He reports directly to the Prime Minister Gordon Brown, and was recently appointed the PM's Technology Outreach Czar. He is acknowledged among the senior Civil Service as a moderniser and one of the most articulate proponents of technology in its various forms and ramifications. He has gained vast experience in a widely varied career across the Cabinet Office, including a secondment in the Ministry of Defence. He is generally credited with authorship of the seminal "Nodiss" memo. He's also a keen gardener and occasional author. In this podcast, the 100th in the Consult Hyperion series, he describes his vision for identity management in the context of transformational government.

No more PETs win prizes puns, please

[Dave Birch] Microsoft has been sponsoring the annual privacy-enhancing technology awards at the PETS Symposium for a few years now. This year the winning paper was written by Arvind Narayanan and Vitaly Shmatikov, researchers at The University of Texas, who looked into large publicly available anonymised data sets – and very quickly discovered a major privacy risk, as their experiments showed that such data sets could be used to re-identify individuals using efficient algorithms. All of which means that companies should be careful about storing masses of data on customer choices because, even if customers aren't explicitly identified in the individual records, it doesn't take much effort to identify them from the pool. Interesting stuff.

Runners-up, Cambridge University researchers Steven J. Murdoch and Piotr Zieliński, also focused on online anonymity. Their paper discusses and analyses, for the first time, the possibility of surveillance at internet exchanges (IXes) where Internet traffic crosses from one network to another. Because so much traffic passes through these, the research seems to indicate that a relatively small snapshot of the data in transit contains a lot of information about what is moving between which nodes.

I found the other runner-up paper especially fascinating because of my focus on the intersection of the digital money and digital identity worlds. The paper "Making P2P Accountable without Losing Privacy" (by Belenkiy et al, Brown University) posits the use of e-cash (that is, the original Chaumian e-cash) to add accountability to file sharing networks without giving up privacy. The idea is to balance between selfish users in a transparent way (and money is the most transparent of all ways) without sacrificing anonymity. Given some of the discussions about anonymity over on Digital Money, this is a timely addition to the debate and shows the accountability and privacy are not mutually exclusive.

Incidentally, their premise that fairness is essential to providing scalable incentives for greater participation seems right to me, as does there characterisation of "selfish peers" as agents in a virtual economy, but I'm not sure if e-cash is a necessary grease to make that work. The authors suggest that the money used in their scheme has five essential characteristics:

• It should be fungible (ie, no "different strokes" and everyone's money can be used for everything in any combination).
• It should be integral to the fair exchange of money for goods/services. Because of my history in this space, I'm particularly interested in "shopping" protocols that include all of the steps in a transaction.
• The money must be unforgeable, obviously.
• The payment system must be efficiently implementable.
• Finally, users should be able to spend anonymously.

This is an axiom I think: it's not clear to me from the paper whether they have some reason for thinking that anonymity will or will not make any difference to the performance of the scheme. Would anyone care?

As an aside, when discussing the economic issues raised by the paper, the authors say that under limiting conditions they can demonstrate the knowledge of bank balances (M1) can predict how much money can be added to the network without causing a crash. I hope the Chancellor reads up on their model!

By the way, a big thanks to the guys at Microsoft for sponsoring this valuable award.

Technology lessons

[Dave Birch] It must make me sound like some sort of snob, but I genuinely feel that one of the problems with the discussion of identity, privacy and related issues in the public sphere is that, ultimately, the policymakers, regulators and politicians just do not understand either technology as part of the problem or technology as part of the solution. Ian Brown's review of the Thomas/Walport report about data sharing touches on this:

While it makes a brief mention of credentials (r. 5), the report is extremely backward-looking on technology,

[From Blogzilla: Thomas/Walport data sharing review published]

The problem, I think, is more insidious than it seems at first. It isn't just that the people writing the report don't understand the technology, it's that they don't even appear to think that the technology is important. As I noted at the time of the review...

Pete Bramhall from HP sagely noted that the consultation document began with the statement that it assumed a familiarity with the Data Protection Act and other relevant legislation. How come, he pointed out, it did not assume a familiarity with rudimentary information technology, basic data security, elementary cryptography or, indeed, anything else that might help to develop a privacy-enhancing infrastructure for the modern world. Quite.

[From Digital Identity Forum: Another thing invented by lawyers]

How are we going to get a genuine breakthrough in identity management when the gap between the "two cultures" appears to be widening. No, not those two cultures but the cultures of information and communications technology one the one hand and lawyers (particularly the ones that end up in the government).

Fingers in the dyke

[Dave Birch] Over on the Digital Money Blog, we've been talking about the well-known MiFare security issue. We're interested in it over there because MiFare is used for things such as Oyster cards and there's an overlap between contactless cash replacement and contactless transit systems. From this frame of reference, the security issue is interesting and it needs to be factored in to system procurement, card updates and that kind of thing. No-one is going to implement an electronic purse system using MiFare Classic, so the sky isn't falling in. So, the guys are saying, well, next time we buy some cards we'll buy MiFare Plus instead, but other than that, what's the worry. But now it turns out that the problem may be far more troublesome than at first realised, because it turns out that the same technology (designed for mass transit) is being used by the Dutch government to secure access to important facilities:

...the Dutch Interior Ministry's spokesman said this is "a national security issue," since several government agencies there use the same technology to restrict access to their facilities.

It looks as if the researchers behind the MiFare crack have done Dutch citizens a big favour by alerting them to the inappropriate use of technology -- MiFare Classic was designed for mass transit, not for identity cards and access control for sensitive facilities -- before some bad guys do.

John Letizia, BBA

[Dave Birch] John Letizia is the Director of Government Affairs and Special Assistant to the Chief Executive at the British Bankers Association (BBA). He joined the BBA in July 2005. He is responsible for building strong relations with key people at all levels across UK Government, Parliament and other key stakeholders, and to build and maintain a pro-active representation programme. Prior to joining the BBA, John was Political and Regional Affairs Adviser at a leading manufacturing employers' organisation. John has also worked for a number of consultancies and has been an Adviser to a Government Minister. In this podcast, John reflects on the BBA's views of the proposed UK national identity card. Since banks are seen as being key users of such a scheme, these views are important.

RUSI and all that

[Dave Birch] One (!) of the conferences I spoke at last week was the Royal United Service's Institute's conference on Science and Technology for Homeland Security and Resilience. I decided to put my original presentation about ID card technology to one side and go with my new psychic ID card slides. If you're at all curious, the slides are here...

| View | Upload your own

There were a couple of tough questions -- mostly around "why bother with an ID card at all" -- but on the whole the people there were very nice to me, and prepared to listen to what I suppose must seem like a fairly radical idea if you are from a conventional security background.

As the comments on the original blog post seem to indicate, I think I've stumbled on a useful way of describing an alternative form of identity card. I've been writing it up in more detail for a journal, so hopefully I can address some of those issues as I go along with the "psychic rewrite", by which I mean that I'd already prepared a paper on how to use smart cards, mobile phones and so on to create new kind of identity card, but I'm currently rewriting it to use the Dr. Who framing as it does seem to speak to people far more effectively than any of my previous attempts.

Meet the people

[Dave Birch] Preparing my notes for RUSI, I was thinking about what it would take to get the public to have confidence in a national identity management scheme, and it reminded me that I took part in a very good public debate about privacy and surveillance recently. I was on a panel that included the assistant Information Commissioner Jonathan Bamford and Tom Ilube of Garlik as well as fellow Royal Academy of Engineering Working Group member Martin Thomas. It was a little unusual (for me) in that many of the audience were genuine members of the public rather than technology or sector specialists, so I thought it might be a useful service to bring some of their questions to your attention. They were a timely reminder to me about the kind of concerns that our customers will have to address to formulate successfull consumer propositions with an identity component. For example, there were a couple of questions about vehicle tracking. I'm certainly guilty of spending most of my time thinking about personal data in too few dimensions: vehicle tracking was as much a concern the the audience as people tracking. But the subtext should be noted: many of the anecdotes were about how wrong the DVLA database is, which clearly informed opinions about the people database (aka national identity register): there's a clear distinction, as far as I can see, between the small number of people who are against government identity management because it's just plain wrong and the much larger number of people (I might go so far as to venture, the majority) who are against it because they think the government will lose, delete, corrupt or spy on their data if they ever get the system working in the first place.

It's crazy, but it might just work

[Dave Birch] Let’s create a vision for a 21^st-century identity card. Let’s create a vision that we can communicate effectively. Let’s create a vision that is founded on minimising the storage of personal data. Let’s create a vision that the public and the government can understand. Let’s create a vision that contains some genuine innovation, some excitement, some potential. But most of all, let’s create a vision that is founded in mass media, because that’s where the British public get their science and technology education from. I would suggest that, as in so many things, Dr. Who should be our guide.

You’ll be familiar, of course, with Dr. Who’s psychic paper. As any devotee of the BBC’s wonderful series knows, the psychic paper shows the “inspector” whatever it is that they need to see. If the border guard is looking for a British passport, the psychic paper looks like a British passport. If the customs officer on Alpha Centuri wants to see a Betelguesian quarantine certificate, the psychic paper looks like a Betelguesian quarantine certificate.

Now that is what I call a vision for an ID card. And what's more, it will work.

Next generation platform

[Dave Birch] With the U.K. newspapers focussing on ID cards again, now that the shortlist of the only suppliers who wanted to be on a shortlist has been announced, I wonder if it isn't time to abandon even talking about ID cards, when the practical implementation of identity for the foreseeable future is going to be centred on mobile phones. Since mobile phones can do a great many things that cards cannot, they provide an obvious means to deliver some useful identity services to both individuals and to organisations. Examples might be simple, secure authentication for online services.

 

Forrester Research analyst Bill Nagel claimed that mobile authentication has taken hold in many countries, and that mobile signatures are a "logical extension... Nearly all of the banks and operators we spoke to said that the technology operates flawlessly and that the experiences of customers who use the system are very good," he said.

[From Mobile signatures given the thumbs up - WhatPC?]

This is an attractive vision. The idea of making the Internet more secure sounds promising at first, but it has many negatives as well. If we make the Internet more difficult to connect to and harder to use, we lose the creative dynamic around it. Therefore, it kind of makes sense to leave the Internet cheap, flexible and insecure and kick the security layer off the end of the Internet and into the phones. Phones start off from a more secure base, because they already have tamper-resistant hardware (ie, the SIM) in place and since this hardware is a general-purpose computer, there is plenty more it can do. This idea fits rather well with the identity-as-utility view that we have been putting forward for some time. The mobile phones works perfectly as the "identity gadget", the universal faucet that we will all use to turn identity on and off (emergency stop: bad analogy detected). We're hardly the only people working along this line of thought.

 

From Marco, a great HP paper on Identity-Aware Devices, describing some PoC work HP did with Intel around the Liberty Alliance's Advanced Client specifications.

[From ConnectID: Identity-Aware Devices]

In the HP paper, they talk about "identity-aware devices", which I rather like as a way of thinking about practical solutions. They point out that in order to function in a sophisticated environment (in this case, a federated identity environment) the identity-aware device needs some kind of trusted module that can function as an identity provider. This is exactly how I see the SIM: there's no need to invent anything new, just use find a way to get the mobile operators and others to co-operate to implement the kind of ideas that we can all already see are the way forward.

e-Dictum meum pactum

[Dave Birch] There's a story about identity in The Economist magazine that I read on the plane to Washington ("My bow is my bond", p.98, 26th April 2008) that connects directly with something I'm working on for a client at the moment. Naturally, neither the client or the assignment will be discussed here, except to note that I've been playing around with some ideas on value-adding identity services for the mass market. I'd also recently received an e-mail from an august body, which won't be discussed here either, asking if I'd like to provide (for free!) some ideas on how to get private companies to use the U.K. identity card: I ignored the request, of course, but I did jot down a few notes. For both of these reasons, the story caught my eye.

The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million, The load was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executvie from the trading house -- at the trading house's office -- to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is true (by custom and practice -- you don't explicitly validate it) and when they put a letterhead in front of you, you take it to be real. Oops.

Engineering principles

[Dave Birch] Privacy and security aren't additional extras, costly options for new system. They are (or should be) part of the fabric. You can choose how to implement systems in either a privacy-enhancing or privacy-reducing way. Take, for example, congestion charging. There are a couple of ways to do this: you could do it the way they do in Singapore, where you have a prepaid card that communicates via RF with an overhead gantry. When you go through a gantry, the system attempts to take a fee from the card. If the transaction goes through (it's an offline purse transaction) then you're on your way. If you borrow a mate's car, you can take your card and put it in his car, no problem. But if you don't have a card, or you don't have any money on your card, then you get photographed. Alternatively, you can do it the British way. In London, all cars get photographed and then automatic numberplate recognition is used to try and work out who to charge. In many cases, it works and the correct account of a poor person is charged. I say poor person, because rich people register their Lambourghinis as taxis and avoid the charge

 

Cleangreencars has discovered that there are an unusually high number of luxury cars that have been granted the private hire designation, including two Maserati Quattroportes, three Maybach 62 and eight Rolls Royce Phantoms.

[From Taxi!? London luxury car owners register Maseratis, Rolls Royces as C-charge-free private hire vehicles - AutoblogGreen]

Incidentally, if you can't be bothered to send your chauffeur round to register the Porsche as a private hire, you can always just leave the Belgian plates on it, because the supercomputer running the system is not connected to other supercomputers in other European countries...

 

I drove for 4 years in london with a german plate, many times in the zone (once it was introduced), never paying and my ex never got a ticket sent to her place in HH where the car was registered.

[From London congestion charge for foreign cars]

In fact, as that tax-avoiders' handbook The Independent notes,

 

there are a number of ways to exploit the loopholes in this system as a private, law-abiding motorist if you are willing to be a little inventive.

[From Congestion charge loopholes: Now just learn the Knowlege... - Features, Motoring - The Independent]

Bit I digress. My point is that we have choices, and not building privacy-enhancing technology into a system is making a positive choice to have a data catastrophe at some point downstream.

Ulrich Senderslachts,

[Dave Birch] Ulrich Seldeslachts is the CEO of LSEC, an independent not-for-profit nerwork organisation of IT security experts, hardware vendors, service and knowledge providers, advisors, research institutions and government and business on IT security issues and to provide a portal to Belgian exepertise in the field. This is rather interesting, as these companies are creating an ecosystem around the Belgian smart ID card. In this podcast, I chatted to Ulrich about that ecosystem and how it is evolving.

ID cards, podcast, smart cards

Now, who's smart and who's dumb?

[Dave Birch] There are a great many advantages to smart cards as a platform for digital identity -- they're smart (ie, they have a microprocessor in them) for one thing -- but there's one huge drawback. They need readers. Now you might reasonably assume that no-one would countenance launching a smart card scheme with no readers, but that's precisely what has just happened in the U.K.

 

Eleven million free travel smart cards have been issued but many buses are not equipped to read them, a report by MPs claims. The report, by the House of Commons Transport Committee, entitled Ticketing and Concessionary Travel on Public Transport, said the situation was "daft". Ten years after committing to integrated bus ticketing, the Government has "achieved too little of practical value", the report said.

[From The Press Association: £1bn bus pass scheme 'stalling']

When they say "not many" buses have been equipped to use the cards, what they actually mean is "virtually no" buses have been equipped to read the cards. The cards are simply being used as "flash passes" so as long as you wave something that looks like a valid card then the bus driver will let you on board since he/she has no way of verifying that the card is valid. Since the cards have a two-year lifetime, and since the readers won't be in place for two years, it's hard to see what the use of them is. It seems like a huge waste of money to me, but then I am not well-versed in government smart card policy...

 

The first nationwide smartcard-based travel scheme launches next month, but the majority of passengers outside London will not be able to use the advanced functions.

[From Free smartcard travel arrives - 20 Mar 2008 - Computing]

Nor will the majority -- in fact, all -- of the passengers in London since (as the article makes clear) Transport for London won't even begin trialing the readers for these cards until mid-2009 and won't be installing them until 2010.

identity, pseudonym

Addressing a real problem

[Dave Birch] There's a general class of problem whereby one party to a transaction needs the other party's address to proceed, but the other party doesn't want to proceed with the transaction if they have to give up their address. Here are a couple of examples.

Over on the Digital Money Blog we decided to mark the launch of the Single European Payments Area (SEPA) by making a celebratory SEPA Credit Transfer (SCT) to a friend in the Netherlands. In order to do this, we had to obtain his bank account details: his IBAN. Now I think that in many circumstances, people will be reluctant to give this sort of information out, lest they suffer a Jeremy Clarkson-style incursion. So why can't the bank give me a pseudonym to use in transactions: if someone wants to send me money, they can send it to leadbelly.gutbucket@barclays.co.uk, or whatever. I don't mind giving out this pseudonym, since only the banks knows that it's mean. So when an SCT for leadbelly arrives, the money can be routed to my account. I can publish the pseudonym on my web page if I want, just as I can happily give out my PayPal address, since only I know that it's mine (well, PayPal know as well, of course).

Another example comes from the retail space. A retailer wants me to give him my mobile phone number so that he can let me know when a relevant special offer is on. I want to know that the relevant special offer is on. But I'm not giving my mobile phone number to a retailer: I don't want them ringing me up until Kingdom Come. I want control over the link between the retailer and me. Once again, why doesn't the phone company allow me to create arbitrary pseudonyms, so I can tell the retailer that I'm leadbelly@O2: the retailer (and any else) can text to leadbelly@O2 and the O2 SMS centre will route it to the correct phone number. If I don't want to do business any more, I can just junk the pseudonym.

Hey presto, an addressing scheme that provides both convenience and privacy.

identity, pseudonym

National identity scheme is about reducing crime

[Dave Birch] In a meeting a couple of days ago, I was asked to explain the key purpose of the U.K. national identity card scheme. I wasn't entirely sure, so I thought I would have a google around. PA Consulting, who were the Development Partners to the Home Office for the identity card scheme, should know and they say that the scheme is about reducing crime...

The biographic information recorded on the NIR is limited by law to basic identity information such as name, address, gender and date of birth. However, crucially, any attempt to steal an identity would need to be backed up by a matching identity card with associated biometric information (eg, fingerprints).

[From PA Consulting Group - 2007 - National identity scheme is about reducing crime]

This is correct, although the

Information that may be recorded in Register

[From Identity Cards Bill]

about a person actually includes his full name; other names by which he is or has been known; his date of birth; his place of birth; his gender; the address of his principal place of residence in the United Kingdom; the address of every other place in the United Kingdom where he has a place of residence; a photograph of his head and shoulders; his signature; his fingerprints; other biometric information about him; his nationality; his entitlement to remain in the United Kingdom; where that entitlement derives from a grant of leave to enter or remain in the United Kingdom, the terms and conditions of that leave; his National Identity Registration Number; the number of any ID card issued to him; any national insurance number allocated to him; the number of any immigration document relating to him; the number of any United Kingdom passport that has been issued to him; the number of any passport issued to him by or on behalf of the authorities of a country or territory outside the United Kingdom or by or on behalf of an international organisation; the number of any document that can be used by him (in some or all circumstances) instead of a passport; the number of any identity card issued to him by the authorities of a country or territory outside the United Kingdom; any reference number allocated to him by the Secretary of State in connection with an application made by him for permission to enter or to remain in the United Kingdom; the number of any work permit relating to him; any driver number given to him by a driving licence; the number of any designated document which is held by him and is a document the number of which does not fall within any of the preceding sub-paragraphs; the date of expiry or period of validity of a document the number of which is recorded by virtue of this paragraph; particulars of changes affecting information in the register and of changes made to his entry in the Register; his date of death; the date of every application for registration made by him; the date of every application by him for a modification of the contents of his entry; the date of every application by him confirming the contents of his entry (with or without changes); the reason for any omission from the information recorded in his entry; particulars (in addition to its number) of every ID card issued to him; particulars of every person who has countersigned an application by him for an ID card or a designated document, so far as those particulars were included on the application; particulars of every notification given by him for the purposes of (lost, stolen and damaged ID cards etc.); particulars of every requirement by the Secretary of State for the individual to surrender an ID card issued to him; the information provided in connection with every application by him to be entered in the Register, for a modification of the contents of his entry or for the issue of an ID card; the information provided in connection with every application by him confirming his entry in the Register (with or without changes); particulars of the steps taken, in connection with an application, for identifying the applicant or for verifying the information provided in connection with the application; particulars of any other steps taken or information obtained for ensuring that there is a complete, up-to-date and accurate entry about that individual in the Register; a personal identification number to be used for facilitating the making of applications for information recorded in his entry, and for facilitating the provision of the information; a password or other code to be used for that purpose or particulars of a method of generating such a password or code; questions and answers to be used for identifying a person seeking to make such an application or to apply for or to make a modification of that entry; particulars of every occasion on which information contained in the individual’s entry has been provided to a person; particulars of every person to whom such information has been provided on such an occasion; other particulars, in relation to each such occasion, of the provision of the information.

government, ID cards

Privacy TV

[Dave Birch] I've been watching ever since the BBC launched it's new drama series about the surveillance state. It's called The Last Enemy, and I was quite looking forward to watching it, as were others, since it touches on a lot of the issues that I spend a lot of time thinking about. Given my conviction that sometime you need to turn to art to help you to understand change, I thought it might deliver some insight into the balance between privacy and security in the modern world. Actually, it's turned out to be a bit dull, and I've been a little disappointed.

It's just occurred to me why.

It's because the BBC, like the Government, is a vast hierarchical beauracracy that it is essentially backward-looking, group-thinking and inward-focused. Just as the government can only envisage things like ID cards in a kind of 1960s frame of reference, of centralised databases and giant computers, so the BBC can only construct a discussion around them in that same frame of reference, a cross between George Orwell and Groundhog Day, endlessly retreading the same tired version of the future.

Hence the event stream seems a bit ridiculous: why on earth would people be lurking around looking for anyone in a world where there appears to be camera in every room? In one episode there's a bit of road rage and one motorist shoots two others, but nothing happens. I guess the cameras are only looking out for dangerous double-parkers or congestion charge-evaders. As far as I can see, the scriptwriters are just producing a standard cowboys-and-indians story with ID technology as a plot backdrop, not even a maguffin to keep things moving (although I'm sure that, at some point, there will be a chase involving a CD containing important data that could just as easily be e-mailed). And as in all TV shows that involve computers, it was rife with stereotypes:

 

People type furiously on a keyboard to open up a new window - check
  People have multiple screens open with photos on, but never seem to pick a screen to put stuff onto - check
  Fonts are big enough to be seen from miles away - check
  Interface is in its own basement room - check.

[From Tech & Gadgets Editor's Blog]

And, of course, the computer spoke, which in "real life" would drive you mad. What was funniest of all was the central icon of the near-future state, the pillar of the technologically omnipotent surveillance state: the ID card that the characters had to use to get into buildings and so forth. It was a trivially-counterfeitable magnetic stripe card, circa 1971.

ID cards, privacy, technology

ID-Day

[Dave Birch] In any discussion about identity in the U.K. recently, the big unknown has been the government's proposed national identity card scheme. There was a lot of uncertainty about how exactly the scheme might work, what the timetable might, what the vision for the scheme was. I was therefore very excited to have been invited to come along in person to the think tank DEMOS this morning to hear the Home Secretary, Jacqui Smith, set out the government's plan. I was thinking that I don't often get the chance to talk to someone like Jacqui (ie, an incumbent in one of the great offices of state) and that she probably doesn't often get the chance to talk to someone like me (ie, someone who knows about national ID card schemes), so it would be an interesting exchange. The government published both a plan to deliver the ID scheme (well, most of) by 2017 and the Crosby report.

When I took my seat, it turned out I was next to Meg Hillier, the Minister for ID Cards, who was kind enough to introduce herself. She turned out to be a good sport...

Meg Hillier: Pleased to meet you, I'm Meg Hillier.

Me: Hello, I'm Dave Birch from the Digital Identity Forum, pleased to meet you. Oh, was it you who said that ID cards were a bit like internal passports?

Meg Hillier: Yes, it was an unfortunate turn of phrase. They're not, of course. There'll be no legal requirement to produce them.

Me: What, not even if you're buying a second home?

She was polite enough not have me thrown out so I was able to stay and listen to Jacqui. Anyway, the event was being recorded and broadcast so I thought I would add to the sum total of understanding by doing the same. I've taken Jacqui's speech as well as the question and answer session and made them into a special edition of the Digital Identity podcast that will be posted on our feed shortly. Have a listen to what she says and make up your own mind about it (alternatively, you can read the speech online).

By the way, it wasn't an idle boast inserted above (about knowing about national identity card schemes). Consult Hyperion is currently advising on its fourth national identity card scheme at the moment (or a European government) so I'd like to think that our opinions might count for something.

government, ID cards

Still practising

[Dave Birch] I went to a European Commission "epractice" seminar to share best practice about electronic identity -- and in particular the interoperability thereof -- in Europe. Consult Hyperion have been doing a lot of work in this area -- we were commissioned by the EU to study identity interoperability last year -- and so I thought it would be very useful to come along and exchange ideas. It was gratifying to discover that the conclusion of our work for the Commissin was congruent with the findings of all of the other studies for the Commission: not only is there no interoperability whatsoever at a European level, there's precious little of it at the local level either (ie, you can't use your HMRC login to log on to DVLA and so on). There were some studies that have gone down another level, and they discovered that one of the reasons for the lack of interoperability is that none of the European identity schemes are using a standard-based approach (with the except of SAML that is being used in a small number of schemes).

It was quite well-attended (there must have been more than 40 people there) and while there were a few familiar faces, I enjoyed the opportunity to listen to some new(to me) perspectives. One of the points made at the beginning was, I think, key not only at the international level but at the national level too. It was that the focus should be on interoperability rather than harmonisation. There is no need for everyone to use the same identity management scheme, identity cards, identifiers and all the rest of it. Hence one of the ways forward is to imagine a set of technology-neutral national gateways and interconnect through those gateways.

In the afternoon I went into the breakout to discuss mobile e-identity, which I'm becoming increasingly enthusiastic about. The reasoning is that in order to make some form of electronic identity useful to citizens, it has to do some interesting things. But a card can't do anything interesting things, whereas mobile phones can and --- and I think this is central to the discussion looking forward two or three years -- what's the point in issuing another smart card when the entire population has a mobile phone already.

ID cards, management, PKI

The role of identity cards

[Dave Birch] Writing in a recent Spectator, Hugo Rifkind of The Times explains just how shocked he was when what used to quaintly refer to as e-government actually worked. In this case, he was applying for a replacement driving licence online...

I didn’t need to register, as I had apparently done so already, by creating something called a Government Gateway account when filing my tax return. I didn’t need to send them a photograph, as they still had my old one on file. I didn’t need to prove my address, as they had the electoral roll. I didn’t need to send them proof of identity, as they could look up my passport, just from the number. Seriously. Twenty minutes.

[From Shared Opinions | The Spectator]

He mentions this to support the idea that there's no point being against a identity card because, in essence, we already have one. But this is wrong: this is an argument in favour of an effective national identity register (which I am in favour of too) not an argument in favour of an effective national identity card which, had it existed and been designed properly, would have been used to authenticate Mr. Rifkind in this transaction. His experience illustrates precisely why the government should focus on the issuing of national identity numbers and not on storing data -- any data -- in the register. Adding a national identity number to the DVLA database makes sense: adding the DVLA number to the register doesn't deliver anything beyond what is already place and makes the system potentially more vulnerable. What should happen is this: Mr. Rifkind logs in to the government gateway -- initially using usernames and passwords but using 2FA once the cards have been rolled out in the future -- and from then on seamlessly moves around government departments and gets stuff done using standard federated identity products. No spending half an hour searching for the piece of paper that you haven't seen since last year that has your government gateway log in details on it, as I did when sorting out my tax last month (unluckily just before the whole system crashed).

contactless, ID cards

Identity and incentives

[Dave Birch] Now, I don't want to blow my own trumpet (well, not strictly true I suppose) but it's only taken me five minutes to come up with a better idea of an incentive for identity card use in the U.K. than any I've heard so far from the government's management consultants. Does anyone remember the story of Geldkarte in Germany? It was a barely-used electronic purse added to German bank cards some years ago. It was moribund until the big bankers came up with an excellent (and I use the word deliberately) wheeze. They persuaded the German government to pass a law requiring the use of bank cards (that could verify age) to buy cigarettes. Naturally, Geldkarte complied with the relevant standards, and away they went. Now I notice that Japan is going down a similar route:

The Tobacco Institute of Japan has started accepting applications for taspo age-verification cards to be used at cigarette-vending machines starting in March... To obtain the card, an application form with a mugshot and a copy of a document that shows the applicant's age, such as a driver's license, must be mailed to the institute... From July, all 520,000 cigarette-vending machines in the nation will require the card, which also can be used as an electronic money card to buy cigarettes from vending machines.

[From Smart card for cigarette machines introduced : Business : DAILY YOMIURI ONLINE (The Daily Yomiuri)]

Now there's an idea. You could bring in a quarter of the population at a stroke (bad choice of language, I know) and build from there.

ID cards, smart cards

Katie Davis, Identity and Passport Service

[Dave Birch] Given the importance of the U.K.'s national identity card plans in the world of digital identity here, it's important to have clear understanding of where the U.K. is and where it is going. I wanted to find out from the IPS, not from newspaper comment. Hence this discussion with Katie Davis. Katie joined IPS as the Executive Director of Strategy in June 2007. Prior to this, she was the Director of the Government IT Profession at the Cabinet Office. In this role, she worked as part of the Delivery and Transformation Group (formerly e-Government Unit) to increase the capacity and capability of government to deliver large-scale IT-enabled change. She had responsibility for formalising the IT Profession across central and local government, with the aim of providing IT professionals with the opportunity to reach the highest levels of public service. She also had responsibility for managing the Delivery and Transformation Group’s role in mission-critical projects. In this podcast she explains the goals of the IPS and explains where the programme is right now.

ID cards, podcast

Some best practices

[Dave Birch] The European Commission's ePractice.eu is hosting a free workshop on electronic identity in Brussels on February 14th. I'll be going along to hear three best practice presentations -- from Spain, Belgium and Estonia -- and to join in the discussion about how to learn from and build on them. See below for more details if you want to come along too.

ID cards, identity, management, PKI

1% of the way

[Dave Birch] Things haven't been going terribly well for America's ambitious Real ID scheme. Government agencies missed the end of October deadline to complete background checks for employees and contractors who have worked for the federal government for 15 years or less and to begin issuing the new identity cards that include employees' fingerprints as required under Homeland Security Presidential Directive 12, which President Bush issued in 2004. In all, about 1.9 million federal employees and 591,358 contractors require credentials. As of that deadline, 97 percent of federal employees and 79 percent of contractors had completed the required background checks, but federal agencies had issued only 1 percent of the new cards. Now it turns out that some of the other deadlines around driving licenses are being rolled back as well.

Day of the serigala

[Dave Birch] I can't help but keep returning to the MyKad smart identity in Malaysia because it's such a fascinating, and valuable, case study of the transition to a smart identity card. And because it happened a few years ago, it provides useful data (gathered over time) on the evolution of such a scheme. Now, the Sabah Law Association (SLA) has said that the authorities should look into provisions of the Sabah Ordinance on Registration of Births and Deaths 1948 to assist them eradicate the problem of fake MyKads in the State. The association's president said that the provisions provide for a procedure for late registration of birth certificates and would address the problem of fake MyKad being issued to foreigners who makes application for such document supported only by statutory declarations. In other words, people can claim that they are only now registering their birth, without supporting documentation, and get an identity card. He pointed out a report carried by the newspapers regarding a Member of Parliament from Sabah whose name had been used to obtain a fake MyKad, saying the case was only "the tip of the iceberg".

Technorati Tags: fraud, ID cards, security

Making digital identity solve real-world problems

[Dave Birch] Solving the real-world problem of identification and authentication is, as we know, difficult. Not simply because we need to find mechanisms for implementing these concepts that are both convenient and cost-effective but because their real-world use is messy. Digital identity has to be able to deliver more than workable home banking login for people like me. In the real world, demands are more complicated. Here's a good example, put forward by Chris Skinner. He was trying to help is elderly father-in-law sort something out with his bank, so he phoned and told the bank just that. They refused to deal with him on the phone and insisted that his father-in-law write a letter to change the repayments or whatever it was he wanted. So Chris just called back and told them that he was his father-in-law. He was easily able to answer the "security" questions and so got things sorted out quickly. But how will this work in the world of identity cards and biometrics? Or consider a similar, more prosaic case. I'm sure many people use their partner's ATM card from time to time. Not for any illegal withdrawals, but because they are lazy, or can't find their own card, or they left it at work or whatever. I'd hate to run round the to ATM at the supermarket because we need some cash only to be told by the machine, "Sorry Mrs. Birch, face recognition failed" (which it would do, by the way).

Technorati Tags: identity

Giving identity cards a bad name

[Dave Birch] As I've constantly complained, what should one do if one is (broadly speaking) in favour of some form of smart identity card to bridge the worlds of physical and virtual identity, but one is (broadly speaking) against the government's proposed system? Well, one policy might be to stop reading the newspapers and hope it will all get better. Consider, for example, the Department of Work and Pensions' attempt to salvage a viable system from the Child Support Agency catastrophe, the Child Maintenance and Enforcement Commission (CMEC), which adds several sticks to beat recalcitrant parents with. There is going to be a 'name and shame' web site, credit blacklisting, monitored curfews (possible including electronic tagging) and the confiscation of passport and/or ID card. That's joined-up government at work, presumably. The Child Maintenance & Other Payments Bill includes powers for the CMEC to disqualify an individual from "holding or obtaining travel authorisation", with a travel authorisation being defined as a UK passport or as "an ID card... that... has been issued to a British citizen." This kind of predictable -- and tragic (in the sense of inevitable) -- mission creep is an consequence of an ill-thought out identity infrastructure that is not up to the demands of a modern society or modern economy. And even if you think that taking away some ID-related privilege is the right thing to do to a deadbeat Dad, the use of the word "confiscation" reveals the basic mindset problem: "they" won't stop you from renewing a public key certificate, delete an application from the card, change a security level or anything else that might smack of the 21st century, "they" will confiscate the card. Hey, Parliament, I've got 1952 on the line and they want their ID card back...

Technorati Tags: ID cards, management

Security on a grand scale

[Dave Birch] It's really difficult to keep big systems secure when they have lots of users. Especially when those users don't really care about security. And worse when there's no identity infrastructure. The textbook case study for years to come will be the "troubled" $25 billion-ish National Health Service "Connecting for Health" (CfH) system. It's travelling a predictably rocky road. NHS staff (which, from a risk analysis perspective, means everyone in the world -- the NHS employs over a million people) have complained they have not been properly consulted, system designers have argued it is foolhardy to keep patient records in one central database and security experts have warned that the system might (!) be vulnerable to unauthorised users. Some of the most stringent security measures in the IT industry have been devised to protect confidential information: staff have been issued with smart cards, for example. Of course, they don't actually use them to log in: they find the person with the highest level of authorisation, put their smart card into the system and then leave the card in until the end of the shift.

Technorati Tags: health, identity, security

Will they have to write to everyone in the entire country?

[Dave Birch] Some people think that data breach legislation is a useful way to force companies to take their data protection responsibilities seriously. Personally, I'm not entirely convinced but I'd be very happy to hear the arguments from either side. If I got a letter from, say, Tesco saying that one of their systems had been compromised and some people's personal details had been stolen, then I'd just chuck it in the recycling since -- like most other people, I imagine -- I don't really care and I've no idea what to do with the information if I did. As it happens, my Tesco loyalty card isn't in my real name anyway. But suppose -- just suppose -- that it is the government itself that is compromised? Do then they have to write to every single person in the country?

Technorati Tags: government, identity, privacy

Alternative thinking

[Dave Birch] When you're discussing the future of identity in the U.K., it's impossible to avoid talking about the national identity card scheme. What individuals, organisations, companies decide to do about identity depends to a great degree on what the national scheme looks like. So what should it look like? Should we even have one? My personal view is that the government should not scrap the proposed scheme but that it should radically rethink it. It should postpone introducing the physical ID card and focus instead on allocating a unique national identity number, backed by biometrics, to each citizen—that is all that needs to be held in a national register. I'm also in favour of using the "Austro-Canadian" idea of sector-specific numbers, with one-way cryptographic mapping from the national identity number stored on the register to the sector identity numbers stored in databases.

Technorati Tags: ID cards

Rushing in

[Dave Birch] There's an identity-related debate going on about data sharing by government. I don't mean to take sides on it, except to note that I would prefer to see a more technologically-informed debate, especially around the sharing of biometric data. I was making some notes about this in a data protection context and thought I would mention that the EU's Data Protection Supervisor (a Mr. Peter Hustinx) has been saying that EU governments risk violating the protection of their citizen's personal data by acting hastily in approving the use of biometrics because it was "rushing in a new era" of using biometric identifiers for security checks while standards for data protection were still not clear. In particular, he warned against cross-linking national biometric databases and he said that Europe needs standardised procedures for collecting biometric data as well as common rules and safeguards for the use of the sensitive information.

Technorati Tags: government, identity, passport