Gus (who is at LSE) went first. He mentioned that the LSE’s recent report on privacy, comparing the situation in various countries around the world, ranks the U.K. along with Singapore and Malaysia at the bottom of the international privacy league. His main points were about the strange situation in the U.K. whereby the collection of personal data is becoming the norm rather than the exception, which was certainly food for thought but I’m not sure if many people round the table were that interested.
I have to say I was quite surprised how quickly the ensuing discussion around the table collapsed into a "black and white" discussion about privacy and became really rather animated. Perhaps it’s unique to England, but the topic of ID cards has lost none of its capacity to excite passions, which in a way is rather disappointing.
Pete made some good points about the relationship between privacy, data protection and security, including an observation which got a few nods around the table: citizens of the countries that scored best in the LSE survey actually already have ID cards, but they also have strong constitutional protections around the storage and use of their data. In the UK we have data protection legislation, but the system runs mainly on trust. He pointed us to a survey (which I think he said was part of the Trustguide effort) showing that people in the UK don’t trust the government to be an identity service provider, so who would they trust instead? Banks, World of Warcraft, Churches?
Ben’s angle was "narrow but important": you want to minimise what you disclose, but as you give away all your little snippets of information to one person after another, the snippets can be linked. Most credential technologies (e.g., X.509) are linkable, since each credential looks exactly the same every time you use it. He reassured the audience that the cryptographic technologies to provide unlinkable credentials already exist and, what’s more, work. He used the examples of Credentica and some work going on under the EU Prime project using the IDEMIX technology. As an aside, he also passed on an excellent definition of three-factor authentication: something you were, something you’ve lost and something you’ve forgotten!
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.