The Privacy, Identity & Consent Blog

I'd like to offer my congratulations to the Communications team at the Identity and Passport Service for successfully pulling off one of the most audacious and downright clever pieces of media manipulation I've ever witnessed. If I ever find myself in charge of a large and unpopular public service project, I'm headhunting the lot of you into my team. Here's why.

Yesterday afternoon I was tied up running a small conference when I received an email from a friend telling me that the Home Secretary had scrapped compulsory ID cards. My first reaction was to take that at face value - that the scheme had been binned as a result of the Home Secretary's policy review. Clearly that was the reaction of the media as well - the BBC, the broadsheets and tabloids, even the Metro are running the story that the government has been forced into an embarrassing U-turn*on the National Identity Service, with '£1bn wasted' according to the Metro. The media appear triumphant that the CWIC airside worker trial in Manchester has been switched from compulsory to voluntary, and there will be no compulsion to have an ID Card.

But we're so very wrong, and that's the genius of IPS' communications team.

All that has happened here is that the Home Secretary has reiterated the legislation (Identity Cards Act (2006)) by restating that there will be no compulsion to have an ID card. There never could have been such a compulsion without secondary legislation. Furthermore, work on the National Identity Register continues unabated, and in fact the Home Office is now speeding up the plan for enrolment into that database, which will happen as part of the passport application process. So in one stroke, IPS has managed to persuade the media that the National Identity Service is dead, when in fact enrolment will happen faster than before, and simultaneously distract attention from the delayed CWIC implementation.

The real genius of the move is the headlines that it has created: a seed has been sown in the public's mind that the National Identity Service is no more. If that seed can be made to take root, then ID Cards will cease to be a manifesto battle in the next election. The public won't want to hear debates about something that they believe to have been dropped already. The media will lose interest in an ex-project. And it will continue without the baggage of the public protests (although I'm sure NO2ID will continue their work).

I'm also deeply concerned by a small headline on the BBC feed this morning. In his announcement yesterday, the Home Secretary dropped any sense that ID Cards will be of use in protecting national security or fighting serious and organised crime, instead stating that:

"That is why I have announced today that I intend to see their introduction speeded up. The benefits are not just for individuals but also for communities where a reliable proof of age will be invaluable in the fight against underage drinking and young people trying to buy knives. But at the same time, these cards will benefit young people who, on average, have to prove their age more than twice as often as adults and I want to make that process simple and secure."

Proof of age comes to the forefront of the Scheme's purposes, and with it the fight against knife crime. On the same day, the BBC published the following article:

Trading standards officers have called for a ban on online knife sales after a machete was sold to a 15-year-old for £1.50 over the internet. The potential weapon was delivered in the mail in bubble wrap and cardboard to the teenager who was testing underage sales for trading standards.

To my mind, there's no coincidence here. The government will now shift the focus of ID Cards purposes to meaningless** proof of age arguments, and if it can make it harder for young people to access adult services or goods without proof of age, then they will be coerced into taking an ID Card because life becomes too difficult without one. Expect to see more articles like this, claiming that all teenage social ills could be resolved with a proof of age scheme (which incidentally already exists in a number of successful independent approaches as well as the government's own Proof of Age Standards Scheme (PASS)). We're going to victimise our youth to push this policy through, and that saddens me.

So rumours of the National Identity Service's demise are very much ill-founded - it's alive and well and blossoming. And if I ever have to manage such a difficult project, I'd like IPS' current communications team on my side, since clearly they could sell snow to the Inuit.***

* as a colleague pointed out recently, it's more of a J-turn if something is already going backwards at speed...

** if a young person wants a knife, they can get one from the kitchen drawer. A machete is possibly the least practical edged weapon that anyone could ever choose to carry around with them.

*** to see how this happens, watch the brilliant "Absolute Power" episode on "Identity Crisis"

Scotland's Minister for Community Safety Fergus Ewing has written an open letter * to new Home Secretary Alan Johnson to remind him of the Scottish Government's opposition to the National Identity Scheme:

In his letter to the Home Secretary, Mr Ewing said:

"Given the current financial climate, I believe the UK Government should have better uses for the vast sums of money being spent on this scheme which presents an unacceptable threat to citizens' privacy and civil liberties, with little tangible evidence to suggest it will do anything to safeguard against crime and terrorism.

"In the midst of a deep recession, with more job losses announced nearly every day, it simply beggars belief that the UK Government is pressing ahead with this costly scheme."

The Scottish Government has on a number of occasions made it clear that it will not make access to devolved public services dependent upon an individual registering for, or carrying, an ID Card - in other words that the only uses for an ID Card north of the border will be those that have been legally mandated by Westminster.

That's not to say that the Scottish Government are luddites about ID issues, quite the opposite in fact. Their identity panel has worked to develop a series of common binding principles across all public authorities to ensure that any system that requires identification or authentication technologies complies with a set of rules governing proportionality, interoperability and privacy. Scotland also has a number of programmes in place to facilitate citizen entitlement and public services without the provision of large centralised public databases, and the implications of these were explored in EPG's stakeholder engagement report on behalf of the Identity and Passport Service.

It would be good to see the lessons being learned in Scotland replicated across the rest of the UK, rather than being rejected by the government. In the meantime, Scotland appears to be well on the way to creating a much more balanced environment for ID technologies than the rest of the UK.

* The server appeared to be down at the time of writing

Shadow Home Secretary Chris Grayling appeared briefly on this morning's Today programme to ask the five framework suppliers under the National Identity Service - CSC, EDS, Fujitsu, IBM, Thales - to think carefully before signing any contracts associated with the delivery of the scheme. Restating the Conservatives' manifesto commitment that they will cancel the NIS, he warned them that if they sign the contracts they may find themselves out of pocket when the contracts are revoked.

Unfortunately that's a pretty hollow threat for the suppliers, and there's not a hope that any of them will rethink their delivery plans on the back of it. Aside from the fact that the suppliers will obviously have factored a change of government into their risk models, there are three key reasons why they won't rethink their approach:

1. The Identity & Passport Service has boasted on a number of occasions that the termination clauses in the supplier contracts are so punitive that no government would dare cancel them (sorry, I can't find a reference for this, but IPS representatives have definitely made this assertion);
2. The delivery of ID Cards has become inextricably intertwined with that of biometric passports. Cancelling the ID Cards component would not in fact require a cancellation of the supplier contracts, but instead a simple renegotiation of the scope of work that would most likely only shave a small component off the contract value for the suppliers, and certainly not cause them any major problems;
3. Even if the Conservatives repeal the Identity Cards Act and scale the biometric passport programme back to the bare minimum obligation (which is significantly smaller than the government has repeatedly insisted it is) there will be a gaping void in public service information systems that will have to be filled with some sort of trusted authentication/verification infrastructure. The incumbent suppliers, having been amply compensated already, will have a strong case to argue that whatever new system replaces ID Cards should be procured through the existing framework rather than incurring the cost and delays associated with a fresh framework competition. They also have a wealth of experience in designing these solutions so will be well-placed to bid again.

This highlights one of the policy dilemmas that the Conservatives have created for themselves: it's not enough just to cancel the ID Cards programme, they have to come up with a more constructive alternative that takes into account both our international commitments and the needs of public authorities and industry for a trusted authentication infrastructure.

It'll also be interesting to see whether this reignites the spat between Intellect and the Conservatives, where John Higgins wrote to then shadow Home Secretary David Davis to warn him not to interfere in the IT industry, which was countered by a wonderful open letter from Davis in which he chastised Intellect for its involvement and promised that a Conservative government had learned how to deal with the IT industry.

[Declaration: I have no commercial relationship with any of the ID Cards framework bidders, although HP (who own EDS) are members of the Enterprise Privacy Group]

The Digital Britain report is out, and I'm glad I didn't hold my breath waiting for it. Ian has summarised the main recommendations, which appear to consist of propping up unsustainable copyright models for the recording industry, and throwing a freebie in the direction of 3G network operators in the form of an indefinite operating license extension. Oh, and a 50p a month poll tax on fixed connections to pay for rural rollout.

I guess we probably shouldn't be surprised at such a spectacularly underwhelming and unimaginative approach; after all, innovation is hardly the flavour of the month in the present government, and there would be little appetite to upset major industrial interests. But the fact that the document completely disregards the need for a trustworthy identity management infrastructure, and whilst it pays lip service to privacy, it ignores the importance of privacy as a core strategy objective, instead favouring the need to track down file sharers and expose individuals' details when major corporations ask for them.

I'm sure there's probably some good stuff there in areas that are of less interest to me, but the fact that Lord Carter's review fails to consider the reasons that people don't want to go online - fear of fraud, loss of privacy, uncertainty about to whom they can turn when things go wrong - shows that once again government policy has abandoned the needs of the user in favour of the needs of the state.

I've finally got round to reading the US Cyberspace Policy Review. Authored by Melissa Hathaway, Cybersecurity Chief at the National Security Council, this document was published at the end of May, and provides near-term and mid-term action plans for the White House to protect US interests in Cyberspace.

It's not a bad document at all, and it'll be interesting to compare with Digital Britain when that appears later today. Hathaway was writing for the most senior of policymakers, with just a 60-day timeframe to do so, and as such her document remains very much a high-level policy statement that isn't really news for a security professional: the government has to take responsibility for cybersecurity from the highest executive levels; policies, plans and performance metrics are essential; collaboration with industry and foreign countries will underpin the framework; citizen awareness will change behaviours. All the sort of security recommendations we're accustomed to hearing even at a corporate level.

What particularly interested me was the assertion that cyberspace must "support US goals of economic growth, civil liberties and privacy protections, national security...". The US has prioritised privacy above national security, which is very different from our approach here in the UK where national security 'trumps' any liberties consideration.

There is, for me, one key problem with Hathaway's report. The requirement for an identity management vision and strategy is mentioned towards the end of the body text, and appears as the last of the ten near-term recommendations. That's great to see, but it fails to prioritise the importance of the IdM approach:

• IdM failures are at the heart of a great deal of incidents and frauds, and a decent, trustworthy IdM approach would reduce the number of incidents we have to deal with;
• IdM is essential if 'rescuers' are to be able to assist individuals, corporates or nation states in recovering from incidents - after all, how will they know who they can trust online if systems have become fatally overrun by attackers? The US has thrown a lot of effort into its PIV initiative, and that needs to be replicated internationally in cyberspace;
• IdM will be essential to deliver the inter-agency, public-private, and international collaboration recommended by Hathaway.

That said, it's an interesting report and I doubt I could better it, so let's hope that Lord Carter's document is up to the same standard.

The Sunday Times reports that new Home Secretary Alan Johnson has ordered a review of the National Identity Service. Claiming inside information that he "is more sympathetic to civil liberties arguments than previous home secretaries," the article suggests that he would scrap the ID Card scheme but continue with the build of biometric passports. Could this be the victory that anti-ID campaigners have been seeking?

Continue reading "Might Alan Johnson abandon the ID Cards scheme?" »

Outgoing Information Commissioner Richard Thomas was appointed CBE in the Queen's birthday honours list at the weekend. Richard steps down from his post this Wednesday, and his successor Christopher Graham will pick up the role at the end of the month.

I don't use Facebook much - there's nothing wrong with it, I suspect I'm just a little too old. My friends aren't big users, so there seems little reason for me to spend time there. However, thanks to Eversheds I was tipped about their new naming mechanism - the ability to grab a username with a path directly to your account, so that users visiting http://www.facebook.com/DavidCameron for example will get to see the page of the leader of the opposition. This is a great idea that is common across other social networking sites, and I'm surprised that Facebook didn't implement it sooner.

So, on Saturday morning when the facility was switched on, I was one of the allegedly 500,000 individuals who logged in and grabbed a username. Unlike some of the others though, I just stuck with my own one. The Sunday Times reports that cybersquatters have already moved in on some notable names, such as Prince Charles, Downing Street, Girls Aloud (who they?), Rolls-Royce, Waitrose and Morrisons. Quicker off the mark were Buckingham Palace and David Cameron.

Facebook does have policies for closing and recovering accounts, which should give trademarks some degree of protection over their names, but if you think there's a future on Facebook for you, get over there quick and register your name before someone else does.

Data sharing has become one of the toughest technology topics for the public sector. Our strategies are being driven by the need to gather and exchange huge amounts of personal information within and between authorities. But the majority of the most significant data loss incidents of recent times have been linked to a failure to share data properly: either through gathering and processing excessive information, or sharing it through insecure means because legacy systems do not support our current needs. We have to revisit some of our basic assumptions about service delivery if we are to move forward from our current problems.

Continue reading "The Data Sharing Challenge - What Should the Public Sector Do?" »

The British Standards Institute has today published the first version of its BS10012:2009 - Data Protection: Specification for a Personal Information Management System. Is this the panacea that privacy professionals have been seeking?

Continue reading "BS10012:2009 - Data Protection: Specification for a Personal Information Management System" »