Is there a business in ID or not?
By Dave Birch posted Feb 2 2009 at 5:22 PM
I spent the day at the seminar on the business use of ID cards at the EEMA/Digital Identity Forum seminar sponsored by Consult Hyperion at the British Computer Society. The presentations are available from the EEMA web site so there's no need to go through all of them here, but I just wanted to make a couple of points that came out of the day.
The event was kicked off by the Parliamentary Under-Secretary for Identity, Meg Hillier. Meg gave an overview of where the UK national identity card scheme is now, and where it will be going. She kindly agreed to stay for an extended question and answer session, and just to show how modern we are I've posted a couple of minutes of this up on YouTube.
She gave a couple of examples where businesses might want to use the cards, which was the point of the seminar. The example of video rental was once again to the fore, as well as banks. Meg also said that retailers could see the benefit of requiring an identity card to be presented for certain services and this set me wondering what kind of retailers these might be. I can see that retailers might need to know whether you are 16 to buy glue, or 18 to buy beer or whatever, but they don't need to know who you are. The more I thought about it, the more I thought that there is a real distinction between retail transactions where the retailer needs to know who you are, and retail transactions where the retailer wants to know who you are (and, conversely, in some cases you might want them to know who you are, because of warranties or something), and retail transactions where the retailer doesn't care who you are but needs to uniquely recognise you because of loyalty schemes or promotions. I have to say I was left unconvinced by the retail example.
Her public sector arguments were much better, because it is a common and infuriating experience to have to keep giving your name and address and personal details to various departments over and over again. The example that Meg gave was of going through maternity services in the NHS, where she has to keep filling out the same personal information over and over again. I didn't think that was a good example, because the current government has spent TWELVE BILLION POUNDS on the computerisation of NHS patient records. It doesn't automatically follow that another few billion on the identity scheme would make any difference to her experience interacting with her local council, hospital or schools. Meg was also right to say that it's frustrating to have to fill out forms online, and indeed it is, but we had an afternoon presentation from the chief security architect at IPS, Andy Smith, and it was not clear to me from his description quite how the scheme is going to help here. Perhaps more technically-informed delegates could explain further.
I'm a very strong supporter of a national identity management infrastructure. One thing that I am particularly interested in is the use of a national ID infrastructure to enable disruptive innovation. Colin Whittaker from APACS, who was in the banking panel session with Richard Mould from Barclays and me, made a very interesting point when he said that he thought the major impact of new technology infrastructure tended to be through the unexpected consequences rather than the plans of the designers. I'm very sympathetic to this view, and so I tried to factor it in to my presentation on new business opportunities that might arise downstream.
I settled on two to explore for the afternoon session: the potential for identity infrastructure to cause disruption in the payment space by providing new entrants a means to operate simple payment businesses with a lower cost base and the potential for mobile operators to emerge as significant brokers in the identity business because of the synergies between the mobile phone and identity technologies for identification and authentication. Talking to people afterwards, I got the impression that there are plenty of people in the "ID card space" who hadn't really been looking into these kinds of new business ideas and they were very complimentary about the event, so on the whole we were pretty happy with the way the day went. And many thanks to Fiona at EEMA for all of her hard work in making it go so smoothly.
One other small point: Meg Hillier said, early in the day, that "we can never have 100% security" and this is correct. But when I asked the Home Secretary Jacqui Smith what the "break the glass" contingency plan was in the case of a security breach in the national identity system she told me that there was no need for one because the scheme was secure, so perhaps Andy needs to get Meg more up to speed on the security architecture.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public
silicon.com did an article on your meeting [1] in which they say:
QUOTE
Apacs meanwhile would like a "simple" and "elegant" electronic way to prove the authenticity of the ID card using cryptography, similar to that used in existing credit and debit cards.
UNQUOTE
The same story is carried by ZDNet [2].
When APACS say that they would like a simple and elegant electronic way to prove the authenticity of the ID card using cryptography, do they mean to imply that, as currently designed, the NIS does not provide a simple and elegant electronic way to prove the authenticity of the ID card using cryptography? And are they right?
It is surely axiomatic that it should be possible for anyone duly authorised to do so, e.g. a bank, to prove that the card in front of them was issued by IPS and that the data on it has not been altered since issue.
Has the Identity & Passport Service actually managed to come up with a design that doesn't support this facility? Or have APACS misunderstood? Or have they been misreported?
----------
1. http://www.silicon.com/financialservices/0,3800010322,39389272,00.htm
2. http://news.zdnet.co.uk/security/0,1000000189,39609992,00.htm
Posted by: David Moss | 04/02/2009 at 01:14 AM
"NIS does not provide a simple and elegant electronic way to prove the authenticity of the ID card using cryptography?"
Andy Smith did say that they would be using ICAO EAC, so in principle banks ought to be able to buy readers. I think Colin was referring to the online case, however. For online, Andy said that they would use "EAC 2", which I'm not qualified to comment on because I don't know what it is, and EMV 4.1 CAP. So far as EMV goes you will need to ask Colin but I think the issue might be that you have to go online to IPS to check the CAP cryptogram whereas with a proper PKI you can check the signature yourself. But I will ask Colin.
Posted by: Dave Birch | 04/02/2009 at 09:27 AM
Thank you for your answer.
Posted by: David Moss | 05/02/2009 at 12:02 AM
"... and the potential for mobile operators to emerge as significant brokers in the identity business because of the synergies between the mobile phone and identity technologies for identification and authentication. Talking to people afterwards, I got the impression that there are plenty of people in the "ID card space" who hadn't really been looking into these kinds of new business ideas ..."
I have argued since 2003 that mobile phones are ID cards, http://dematerialisedid.com/Mobiles.html
We don't need IPS's ID cards. We already have a globally interoperable mobile phone system and people already voluntarily take their mobile with them wherever they go.
We (you and I) have discussed the dynamics of telcos-banks-ID-payments in another forum.
In Japan, if I remember, the telcos are already so big that they can be their own bank and the synergies are already working.
In the UK, there is more of a stand-off between the telcos and the banks, neither of them prepared to rent any space on their turf. That was the conclusion then. Before the credit crunch and the implosion of so many old certitudes.
Now, maybe the situation would lend itself to a bit of synergising. Perhaps Vodafone might buy the remains of a retail bank and then ...
Posted by: David Moss | 05/02/2009 at 12:18 AM