A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider and the card will generate a pseudonym according to a published algorithm. Since this involves using the service providers public key, service providers cannot know other service providers pseudonyms, a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.’s identity card that is currently being procured then I haven’t seen it, but I’d lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET) because I have never seen it in any of the management consultants presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don’t?
Is this just my bias as an essentially technical person or is the German approach — to develop technical specifications that include advanced functionality and then procure against them — better than the U.K. approach of “output-based specification”? The problem with that latter approach is that even as procurement is well under way, no-one seems to know what the scheme is going to do. If you are a U.K. business and you need to plan for a cycle of investment that will include a shift to the use of identity cards, you need some certainty. Suppose you’re an ATM manufacturer and you want to offer British banks so kind of ID card function: you’re already designing products that will be sold next year and manufactured the year after that for installation the year after. Yet if you phone up the Identity & Passport Service to ask for a specification, you’ll get nowhere. This isn’t helping.
I hate to keep on repeating the same point, but somehow we are not setting the bar high enough on ID.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]