Written by The UK’s last attempt to introduce a national identity infrastructure, the national ID card, failed pretty badly and left everyone involved under a cloud (except for the management consultancies who billed tens of millions of pounds to the project).
The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.
[From Henry Porter – Home Office suppressed embarrassing ID cards report]
The report says that there are no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) that “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed before in tedious detail, what the Identity & Passport Service (IPS) built was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience.
As an aside, the report also says (in section 5.5) the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.
The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).
[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]
How did it all go do wrong? Liam Byrne should have known something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for having claimed for more than £1,000,000 in MP’s expenses). Yet somehow the “vision” that emerged was profoundly untechnological, backward-looking and lacking in inspiration. What’s different now?
Well, a key change is that the new administration is heading more along the lines of the US (with USTIC) and the Nordics, where people use their bank IDs to access public services. We’re working on a project with Visa Europe and our good friend Fred Piper at Royal Holloway to develop a pilot implementation right now.
Consult Hyperion, working with Visa Europe and Codes & Ciphers, is the industry lead for a Technology Strategy Board funded research project; Sure Identity, for Secure Authentication of Online Government Services. This innovative pilot scheme will investigate the security and cost benefits of consumers using new bank-issued electronic Visa debit cards to securely access online government services
[From Digital Systems – DS KTN Member receives funding from Trusted Services Competition for research into the secure authentication of online Government Services – Articles – Technology Strategy Board]
It’s possible to at least imagine some form of “UKTIC” that is interoperable with the US version, certainly to the extent that an American with a US bank account might be able to open a UK bank account, things like that. And it’s possible to imagine a kind of EUTIC that sets certain minimums in place so that UKTIC can interoperate with France TIC and Germany TIC and so on. I already have one or two ideas about where UKTIC may differ from USTIC. Let’s go back to the EFF’s comments on USTIC.
A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy. Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).
[From Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns | Electronic Frontier Foundation]
If we were to make UKTIC something like USTIC but with the addition of a class of unlinkable credentials that might be mandated for certain uses, then we could take a really important step forward: instead of a physical national identity card, the administration could trumpet and virtual national privacy card. (Actually, I’d be tempted call it a Big Society Card in order to get funding!)
Dave,
This is pretty basic. I’m not sure that the need for a national ID infrastructure is going to disappear any time soon. Civil liberties aside, just the need for a clear identity standard when dealing with government departments, utilities, customs, and other such day-to-day interactions.
I think the need is for simplicity and an ID will simply many interactions where an ID is required. It’s not like it is rocket science – we already carry around all this data on our phone, driver’s license, passport, credit cards, health cards, etc – it is just about aggregating the data into a secure platform run by the government.
Make’s perfect sense in my mind…
BK
Dave,
Using the payment card as a credential is exactly what the TOCs have done for quite a while now with TOD. We’re going to go one further with FTP Phase 3, happily.
Will
Good points guys. I think the idea of having a single platform, single credential is appealing but it’s more wrong than right. Letting people choose between different credentials for different circumstances is more right than wrong. I can see how the phone might become a single key (as an authentication platform), but that’s slightly different to me. There are too many dangers in giving any single entity control – whether it’s a bank or the government.