The UK’s last attempt to introduce a national identity infrastructure, the national ID card, failed pretty badly and left everyone involved under a cloud (except for the management consultancies who billed tens of millions of pounds to the project).
The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.[From Henry Porter – Home Office suppressed embarrassing ID cards report]
The report says that there are no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed out before in tedious detail, what the Identity & Passport Service (IPS) built was, well, a passport. It had no other functionality and, given the heritage, was never going to have any. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience.
As an aside, the report also says (in section 5.5) the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.
The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]
How did it all go so wrong? Liam Byrne should have known something about IT as he used to work for Accenture, as did James Hall (Joan Ryan was a sociology teacher who later became famous for having claimed for more than £1,000,000 in MP’s expenses). Yet somehow the “vision” that emerged was profoundly untechnological, backward-looking and lacking in inspiration. What’s different now?
Well, a key change is that the new administration is heading more along the lines of the US (with USTIC) and the Nordics, where people use their bank IDs to access public services. We’re working on a project with Visa Europe and our good friend Fred Piper at Royal Holloway to develop a pilot implementation right now.
Consult Hyperion, working with Visa Europe and Codes & Ciphers, is the industry lead for a Technology Strategy Board funded research project, Sure Identity, for Secure Authentication of Online Government Services. This innovative pilot scheme will investigate the security and cost benefits of consumers using new bank-issued electronic Visa debit cards to securely access online government services.[From Digital Systems – DS KTN Member receives funding from Trusted Services Competition for research into the secure authentication of online Government Services – Articles – Technology Strategy Board]
It’s possible to at least imagine some form of “UKTIC” that is interoperable with the US version, certainly to the extent that an American with a US bank account might be able to open a UK bank account, things like that. And it’s possible to imagine a kind of EUTIC that sets certain minimums in place so that UKTIC can interoperate with France TIC and Germany TIC and so on. I already have one or two ideas about where UKTIC may differ from USTIC. Let’s go back to the EFF’s comments on USTIC.
A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy. Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).[From Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns | Electronic Frontier Foundation]
If we were to make UKTIC something like USTIC but with the addition of a class of unlinkable credentials that might be mandated for certain uses, then we could take a really important step forward: instead of a physical national identity card, the administration could trumpet a virtual national privacy card. (Actually, I’d be tempted to call it a Big Society Card in order to get funding!)
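To make the linkage point concrete, here is an added example (not code from the post or from the Sure Identity project) contrasting one global online identifier, which lets any two services join their records, with the simplest form of unlinkable credential, a pairwise “directed” identifier derived per relying party. The relying party names and the user secret are constructed for the demo; this is a deliberate simplification, since the Brands and Camenisch–Lysyanskaya schemes the EFF cites go further and also hide the user’s logins from the identity provider, which a pairwise pseudonym does not.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: two hypothetical relying parties, not real services.
RELYING_PARTIES = ("tax.example.gov.uk", "health.example.gov.uk")


def linkable_identifier(user_id: str) -> str:
    """One global identifier shown to every service.

    Hashing does not help: every service receives the same string,
    so any two of them can join their records on it."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def directed_identifier(user_secret: bytes, relying_party: str) -> str:
    """Pairwise pseudonym: keyed HMAC of the relying party's name under a
    per-user secret held by the identity provider. The user gets a stable
    value at one service and an unrelated value at another; without the
    secret, nobody can compute one from the other."""
    return hmac.new(user_secret, relying_party.encode(), hashlib.sha256).hexdigest()


def records_can_be_joined(id_seen_by_a: str, id_seen_by_b: str) -> bool:
    """What two colluding services can do: compare the identifiers they hold."""
    return hmac.compare_digest(id_seen_by_a, id_seen_by_b)


def demo(user_id: str = "alice", user_secret: Optional[bytes] = None) -> dict:
    """Run both designs for one user across the two sample services."""
    secret = user_secret if user_secret is not None else secrets.token_bytes(32)
    rp_a, rp_b = RELYING_PARTIES
    return {
        # global ID: the two services hold identical values and can link them
        "global_linkable": records_can_be_joined(
            linkable_identifier(user_id), linkable_identifier(user_id)),
        # directed ID: the two services hold unrelated values
        "directed_linkable": records_can_be_joined(
            directed_identifier(secret, rp_a), directed_identifier(secret, rp_b)),
        # but the same service sees the same value on every visit
        "directed_stable": directed_identifier(secret, rp_a)
        == directed_identifier(secret, rp_a),
    }
```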
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
The NSTIC folks – at least those talking about it in public – definitely see interoperability with non-US identity sources as an important objective.
“Unlinkable credentials” is interesting – there are certainly use cases for that here in the US. There is a parallel concept of directed ID in most new identity products, but does/can NSTIC address this? Good question.