About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Antisocial networking | Main | The Tr* scheme »

Giving identity cards a bad name

By davebirch posted Nov 16 2007 at 8:00 AM

[Dave Birch] As I've constantly complained, what should one do if one is (broadly speaking) in favour of some form of smart identity card to bridge the worlds of physical and virtual identity, but one is (broadly speaking) against the government's proposed system? Well, one policy might be to stop reading the newspapers and hope it will all get better. Consider, for example, the Department of Work and Pensions' attempt to salvage a viable system from the Child Support Agency catastrophe, the Child Maintenance and Enforcement Commission (CMEC), which adds several sticks to beat recalcitrant parents with. There is going to be a 'name and shame' web site, credit blacklisting, monitored curfews (possible including electronic tagging) and the confiscation of passport and/or ID card. That's joined-up government at work, presumably. The Child Maintenance & Other Payments Bill includes powers for the CMEC to disqualify an individual from "holding or obtaining travel authorisation", with a travel authorisation being defined as a UK passport or as "an ID card... that... has been issued to a British citizen." This kind of predictable -- and tragic (in the sense of inevitable) -- mission creep is an consequence of an ill-thought out identity infrastructure that is not up to the demands of a modern society or modern economy. And even if you think that taking away some ID-related privilege is the right thing to do to a deadbeat Dad, the use of the word "confiscation" reveals the basic mindset problem: "they" won't stop you from renewing a public key certificate, delete an application from the card, change a security level or anything else that might smack of the 21st century, "they" will confiscate the card. Hey, Parliament, I've got 1952 on the line and they want their ID card back...

Technorati Tags: ,

There's another side to this story as well. Punishing people by taking away their ID card will only work if you come up with myriad things that they need an ID card to do. And then you annoy every other law-abiding citizen by inconveniencing them. For example: if I need an ID card to do absolutely everything, then what happens if I lose my card? In Malaysia, where the smart ID card ("MyKad") has been around for a while, 1,000 ID cards are lost every day and the government has just raised the fine for losing the card tenfold (and it goes up every time you lose it). Home Affairs Ministry parliamentary secretary Datuk Abdul Rahman Ibrahim said the new fines, expected to take effect later this year, are to make the people more responsible because

Since MyKad was introduced seven years ago, 2,123,611 people have lost the cards.

Where could the government make ID cards compulsory then? What about voting? That's a simple example -- and by "simple" I mean conceptually simple in this thought-piece, I don't mean to imply that getting electronic voting working is simple, which is why I've invited James Heather from the University of Surrey to give a talk on the topic at this year's Digital Identity Forum -- and the chairman of the Electoral Commission in the U.K., Sam Younger, has already said that photo ID should be required at polling stations and that if (or, indeed, when) ID cards become compulsory they would "undoubtedly" be applied in elections. So let's pretend that deadbeat Dads might be brought to heel by withdrawing their vote: why would you need to confiscate their card? Wouldn't you just tell the voting booth to ignore this persons vote or not let them in to vote? Or not send an "this person can vote in this election" certificate to their card, or something like that?

Compare all of this with what is going on in British Columbia. There they are about to test "information cards architecture" (ie, Microsoft's infocards) to allow citizens to connect with the government's online services more safely and easily. Among other attributes, Bailey said using an information card means:

The government won't know which sites the user visits.
The user is in control of shared information.
The cards won't have to reveal users' birthdates or addresses, or a student's school. Instead, it could simply confirm the user is over 19, a B.C. resident or a student.
He compared using the card to using a driver's licence for identification since, in both cases, the government does not know what the citizen is doing.

Ann Cavoukian, Ontario's privacy Commissioner, said that this implementation will have "several key advantages" over username/password systems.

  • The end of stolen, lost or forgotten passwords.
  • Less "phishing," when a password is stolen by an unauthorized user, because authentication used by one site is useless for another, even for the same information card. (Note: I'm not entirely sure what this means)
  • Less storage of sensitive information, because the cards can resend it every time they are used, so the accessed site doesn't need to retain it.
She simultaneously warned that the system could be misused and "become an infrastructure of universal surveillance". Fair enough, but at least it's a step into the 21st century.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a00d8341c4fd753ef00e54f981cca8834

Listed below are links to weblogs that reference Giving identity cards a bad name:

Comments

QUOTE
Or not send an "this person can vote in this election" certificate to their card, or something like that?
UNQUOTE

With you all the way. Digital certificates together with a sophisticated set of identity management protocols could potentially match the sophisticated requirements of everyday life. Better than the clumsy either-you've-got-an-ID-card-or-you-haven't approach.

One thing to add. Look at that word "send". Instead of storing these certificates on a piece of plastic kept in your wallet next to your 1999 Threshers discount card, wouldn't it be better to store them on your mobile? Then you really could send the certificates.

That would make the certificates cheap to distribute, manage and revoke.

And it would make it more efficient to use the certificates. No need for card readers in fixed locations, the user could take advantage of free infra-red or Bluetooth connections when he or she is present or of the global mobile phone network when not present.

Add mobile phones to the mix and you get dematerialised ID, which I used to think of as my idea. But clearly other people are capable of thinking as well. Other people everywhere, that is, except in the UK government.

Did the Crosby Forum opt for mobiles? Is that why we haven't seen a report of their findings? And why Gordon Brown reputedly wants yet another enquiry, and another, until he gets the right answer?

Best wishes
dm

The comments to this entry are closed.