Written by I didn’t need to register, as I had apparently done so already, by creating something called a Government Gateway account when filing my tax return. I didn’t need to send them a photograph, as they still had my old one on file. I didn’t need to prove my address, as they had the electoral roll. I didn’t need to send them proof of identity, as they could look up my passport, just from the number. Seriously. Twenty minutes.
[From Shared Opinions | The Spectator]
He mentions this to support the idea that there’s no point being against a identity card because, in essence, we already have one. But this is wrong: this is an argument in favour of an effective national identity register (which I am in favour of too) not an argument in favour of an effective national identity card which, had it existed and been designed properly, would have been used to authenticate Mr. Rifkind in this transaction. His experience illustrates precisely why the government should focus on the issuing of national identity numbers and not on storing data — any data — in the register. Adding a national identity number to the DVLA database makes sense: adding the DVLA number to the register doesn’t deliver anything beyond what is already place and makes the system potentially more vulnerable. What should happen is this: Mr. Rifkind logs in to the government gateway — initially using usernames and passwords but using 2FA once the cards have been rolled out in the future — and from then on seamlessly moves around government departments and gets stuff done using standard federated identity products. No spending half an hour searching for the piece of paper that you haven’t seen since last year that has your government gateway log in details on it, as I did when sorting out my tax last month (unluckily just before the whole system crashed).
The level of public debate around ID cards is hopeless. Here’s yet another “are you for or against” survey which finds that
The British public is evenly split on ID cards – 47 per cent think they’re a good idea while 50 per cent think not.
[From Brits split on ID cards | The Register]
Setting to one side for a moment the issue that 58 per cent of those people also think that Sherlock Holmes was real and 20 per cent of them think that Winston Churchill was fictional, what does this survey mean? What’s a good idea? The card? The register? The scheme? What’s the point of asking people if they’re for or against something they don’t understand? And why isn’t there a third category for people like me: people who are in favour of a national identity management scheme but have concerns about the architecture currently proposed (insofar as we understand it) by the government and their management consultants.
The government needs to help the public — and the suppliers, frankly, given that they seem to be giving up the ghost — to engage in a more worthwhile debate about what our national identity management scheme should do and therefore how the necessary systems will actually work. An excellent place to start, in my opinion, is by completely separating the idea of the national identity register from the idea of the national identity card. As Mr. Rifkind’s article adumbrates, a substantial increase in government efficiency (and in a rational world, a consequent substantial decrease in government expenditure) might be expected from the introduction of the register and therefore of national identity numbers. Therefore it’s time to give the Scandi-Austro-Canadian-HK-TfL (I assert the moral right of authorship over this phrase!!) “identity utility” a chance! Here’s my slogan: a register for security, a card for privacy.
Just as a reminder, it’s Scandi (like BankID used in Scandinavia) because it’s the private sector that will provide the authentication systems (the government just provides the number), Austro because it uses sector-specific identifiers as in Austria, Canadian because the identifiers are meaningless but unique numbers (MBUNs) as the Canadian e-government scheme, HK because it provides for symmetric authentication as in Hong Kong and TfL because it should be implemented using fast, contactless interfaces just like a TfL Oyster card. Who’s with me!
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
I agree with a lot of what you have to say and certainly share your concerns about the proposed architecture. I am concerned, however, that a national identity management scheme, even one based as I would advocate too on a federated architecture, could provide a centralised audit of our interactions with the services in the federation (including the private sector assuming that’s what’s recommended by the Crosby report if it ever sees the light of day). This may be encompassed in your definition of “architecture” but I would welcome your thoughts.
To get such a plan to work, you (collectively) will need to think like Scandi-Austro-HK-Canadians which can handily be achieved by importing lots of foreigners. Who would also work as the compulsory test market. However this might clash with one of the other objectives, which is to keep out the demon foreigner, without thinking too hard…
“a centralised audit of our interactions with the services in the federation”
This is why an ID card, in my opinion, needs to be a smart card and not an electronic simulation of a piece of cardboard. The ID card must be able to recognise the digital signature of the organisation requesting a credential and must be able to produce a digital signature that can be verified off line.
That way the audit trail exists on your ID card, not on the register.