I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my “idea” (that’s a bit strong – more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says
CC licenses wouldn’t ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts — brand new contracts of an unusual form — struck between all the parties. [From comment on Digital Identity: The sorry state of id and authentication]
But isn’t that what CC licences solve?
It’s complicated by the fact that banks & telcos don’t naturally see themselves as “identity providers”, not in the open anyway [From comment on Digital Identity: The sorry state of id and authentication]
Well, I’m doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that
It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.
The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI “Identity and Financial Services” series, someone made a comment in passing (and I’m embarrassed to say that I can’t remember who said this, because I noted the comment but forgot the commenter) that all of this takes place in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me, Sven Birch, using a government “Sven Birch” identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID “Sven Birch” to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn’t true, by the way, I would appreciate clarification from a knowledgeable correspondent.)
So what is the situation? Must we have a liability model, or can we all agree to get along without one? Or do you have to have a more consensual society, or perhaps one with fewer lawyers per head of population?