Identity assurance and the sharing economy

The Department for Business, Innovation & Skills has released Debbie Wosskow's independent review on the potential of the sharing economy, "Unlocking the sharing economy: an independent review".

I haven't had an opportunity to read the document in full yet, but there are recommendations in there for GOV.UK Verify, specifically that the service should be opened up to private sector businesses in 2015. The recommendation is entirely in keeping with GDS' stated aspirations for Verify, but I would imagine it would be difficult to fulfil within the stated time, not because of lack of will or funding, but simply because of the time needed to extend the necessary trust frameworks and hub functionality into attribute provision. That's a big step for identity assurance, and GDS' strategy of iterative delivery will want to build up to it over time.

It's important to understand that attribute exchange doesn't mean wholesale sharing of personal data between the parties: rather, that an individual can authorise one authorised provider with whom they have a relationship to release a defined set of personal data to a relying party, with an associated level of assurance so that the relying party understands how trustworthy that data is. In most instances that would be done as a one-off transaction, rather than any 'gateway' or similar ongoing sharing capability - indeed, attribute exchange offers the potential to do away with many of the gateways currently used to permit free sharing of personal data between government departments. From a privacy perspective, that has to be a good thing.

I would guess that in the first instance, attribute exchange capabilities will be confined to the selected identity providers and service providers. Identity assurance only works if all parties can trust each other, and therefore be trustworthy for service users. Any organisation that wishes to offer or consume attributes within the identity assurance ecosystem will need to have subscribed to the trust scheme; implemented the technologies needed to interface with the hub; had those certified as fit for use; and then built the relationships needed with relying parties so they are able to ask service users for the appropriate attribute data from the appropriate source. 

It is also worth bearing in mind that by the time an organisation has done all that, it is effectively able to be an identity provider in its own right if it wishes to, as it is then able to issue and consume both identity and attribute data. That means that once there is a business case for doing so, the existing identity providers (and those that will emerge from the forthcoming procurement process) will be the private-sector organisations effectively able to issue and consume identity and attribute data, just as recommended in the review.

Identity assurance has the potential to transform how we exchange personal data, but attribute exchange is not going to happen overnight, regardless of how much money is thrown at it. As business cases emerge for individual private sector organisations to join the sharing economy, the path should be open for them to do so.

[These views are my own and do not necessarily reflect those of any organisation associated with the GOV.UK Verify scheme]

Privacy Seals and Privacy Snake Oil

One of the constant problems of privacy is knowing who to trust with your data. Laws, policies, technical controls and trustworthy brands go a long way to building consumer confidence in an organisation's data handling, but it's only a matter of time before some bright spark suggests "maybe we could have a privacy seal to prove we're trustworthy?" After all, on the face of it, this seems like a good idea: a trust mark to demonstrate that an organisation handles personal data in accordance with a defined set of good practices.

The problem is, it just doesn't work.

There are a number of privacy seal schemes out there, but the majority are US-centric, with key players including TRUSTe, BBBonline, EuroPriSe and WebSeal*. Each organisation offers its members a set of standards, a self-assessment method, and a logo they can use in customer-facing materials.

Advocates argue that the strength of a privacy seal scheme is that it provides its members with a common standard for personal data management. In an environment that is law-rich but standards-weak, the scheme provides confidence that the members are working from an 'approved' starting point. Individuals are assured that participating organisations will deliver against these standards, and that they can complain to the scheme in the event of a problem. Members hopefully maintain good practices in the management of personal information because they wish to maintain their certification, and in all likelihood their staff will improve their practices through greater awareness of personal data management.

A privacy seal scheme also provides a basic confidence that an organisation has a degree of commitment to good privacy practices, otherwise why would it bother to engage in the first place? The process of joining a scheme will most likely raise awareness, and result in improved practices.

Unfortunately, there are some significant potential downsides to privacy seals as well. Firstly, a scheme can only be as good as its underlying standards, and there is a range of standards in use across the schemes. Consumers may assume that all schemes are equal, thereby obtaining a false sense of assurance that the weaker schemes are in fact respecting their personal data.

Secondly, the schemes use different approaches to certification. EuroPriSe and WebSeal are both independently assessed by experts to ensure that members comply with standards, whereas the entry point for many other schemes is self-certification. That means we have a broad spectrum of possible privacy outcomes for consumers dealing with seal schemes, since organisations can gain entry to a scheme relatively easily.

Thirdly, and perhaps the most difficult of all, is the ability of schemes to monitor and police their members. If you are a scheme operator, dependent upon your members for your income, then the last thing you want to do is to suspend a high-profile member because they've failed to submit an annual recertification; or to strike off a member for proven poor privacy practices. You'll have to do so very publicly for the scheme to maintain its credibility, otherwise the other members, and the public, may accuse you of opaque practices. You'll need to inspect those members, in response to consumer complaints, to be sure they're doing what they claim, and those inspections aren't going to be cheap. And you'll have to ensure that your members correctly represent the nature and trustworthiness of your scheme, otherwise they might abuse it for their own purposes.

Unfortunately, this last point appears to have been at the heart of a failure for TRUSTe, which is predominantly US-based, and has many thousands of members who use the TRUSTe seal to assure their customers that their data handling practices are up to scratch. TRUSTe has had to enter into an agreement with the US Federal Trade Commission, which has levied a US$200,000 fine, for falling short of a pledge "to hold companies accountable for protecting consumer privacy." TRUSTe is alleged to have failed to conduct annual recertifications of its privacy seals in at least 1,000 incidents over a five-year period, and to have failed to ensure that its members correctly described TRUSTe as a for-profit entity. The FTC takes this stuff seriously, and has enforcement powers beyond the UK ICO's wildest dreams, so in all likelihood the agreement offered by the FTC was preferable to going to a full regulatory punishment. TRUSTe has responded to assure members that the problem was remedied long before the fine was levied.

TRUSTe's woes are not necessarily indicative of problems unique to TRUSTe, but of the fundamental challenge for a privacy seal: how do you stay on top of the practices of all the members, all of the time? Full audits are too expensive for all but a handful of potential members, self-certification is open to abuse, and unless the seal provider can stay on top of that abuse, the credibility of the scheme (and all similar schemes) becomes doubtful.

The UK ICO consulted on the topic a few months back, with a view to whether it should support commercial privacy seals in future, and I argued some of the reasons why that's not a good idea. I would imagine that they're having a long, hard think about whether they want to support privacy seals now.

If you want to find out more about trust marks and privacy seals, do check out Gilad Rosner's definitive paper on the subject here:

* (Apparently a key requirement for being a privacy seal provider is a shameful abuse of proper capitalisation)

The Right To Have Facts Redacted (But Not Forgotten) In Certain Contexts


…or “How the Reputation Management Industry Came of Age”

Much fuss has been made in the press about the European Court of Justice’s decision that search engines (and Google in particular) must enable a ‘right to be forgotten’ - that is, that certain search results must be disregarded if the data subject can substantiate that they are not relevant to the search. Some of the best coverage of this comes from Chris Pounder, who reflects on the misinformation and press coverage and points out that Google routinely informs users when results have been changed at the request of a third party.

Google has implemented the ruling, and its process requires the user to prove that they are the data subject (and in all likelihood to check that the data subject is an EU citizen) and to put forward their reasons for the redaction - and a redaction is what it is: when Google removes results, the existence of a search result is noted at the foot of the search results, but the result is not provided.

The fact that Google notifies users when a search has been redacted is an important privacy protection, and one for which Google should be applauded: without that transparency, we might never be aware when a change has taken place, which in turn opens up a path for censorship and manipulation. Censorship is only truly effective if it is covert; if users are made aware that something has been modified, then they at least stand a chance of tracking it down.

But the idea that personal data might be struck from a search database as a result of this ruling is a fallacy: the rate of data collection, aggregation, sharing and analysis in any search engine is such that any ‘forgotten’ (i.e. deleted) reference would most likely be repopulated in a matter of hours, thereby rendering the original request to be forgotten redundant. So in order to comply with this requirement, Google and others will have to maintain a register of ‘redacted terms’ and possible ‘redacted URLs' - those search results which have been deemed as forgettable. 

That gives rise to the inevitable question about who determines what is a reasonable assertion for taking down a search result? Google has an advisory committee that oversees the process, and which has had to preside over 12,000 requests and counting in a matter of days. That’s too many requests for any sensible scrutiny of each one, so it’s reasonable to assume they’ll either set the bar very high or very low for such takedowns to be accepted.

And how do they judge the validity of a takedown request? For example, let’s imagine that a celebrity broadcaster with a history of charitable works is convicted for a string of sexual assaults. Should the individuals whom he supported be able to take down search references to his name bringing up associations with their names? I imagine that the broadcaster would want his charitable works to remain on record, and he might even argue for his own takedown request so that if someone searches on his name, plus the beneficiary of his charitable work, then results showing his conviction should not show up. 

That’s not a process that is going to operate on an Internet-scale very easily.

Some commentators have suggested that this is the end of free speech on the Internet, and that politicians and corporates will use the ruling as a way to stifle or manipulate freedom of speech. That’s certainly a potential risk, particularly if this ruling were to stand (it will be challenged), if it were applied to all search facilities (e.g. within newspaper websites), and if search engines cease to notify users of modifications to search results. But the Internet has a habit of finding its way round such obstacles, and I’m confident it will this time as well.

The most significant outcome, at least in the short term, is likely to be the benefit for reputation management companies, who will be able to sell ‘right to be forgotten’ services to individuals, where the data subject notifies the company, which in turn notifies all the major search providers and checks for compliance with that notification. Search providers will probably welcome such a service if it saves them having to operate their own advisory committees.

So, the ‘right to be forgotten?’ Not a very accurate description. I’d like to propose the ‘right to have facts redacted (but not forgotten) in certain contexts, until we figure out a better way to live with our mistakes’ as a more meaningful and useful term.*


* And one which demonstrates why I’ve never pursued a career in product branding

Taking a punt on Identity Assurance


The Government Digital Service (GDS) has announced the next round of procurement for the Identity Assurance Programme (IDAP), which will expand the use of a federation of private-sector Identity Providers (IDPs) to enable access to public services. There are few details at this time, beyond the announcement of a supplier event on 28th April.


Four years in, great progress has been made in cracking a very difficult project, but will this procurement be enough to get IDAP through the next year, and what does the future hold for identity assurance? Given that we’re all gearing up for tomorrow’s big oven-ready lasagne race at Aintree, let’s look at the risks associated with bidding for IDAP services.


How does Identity Assurance differ from other government ID approaches?


I've talked at length about identity assurance, and how IDAP differs significantly from ‘traditional’ government ID approaches, but if you're not familiar with the programme then here's a quick summary (and you can find out more at the GDS blog). 


In the majority of population-scale identity schemes (including the abandoned National Identity Scheme), the government operates a central population database, which is used to authenticate individuals when they transact with public services. Under IDAP, government provides a federation hub, but IDPs come from the private sector and are responsible for registering and verifying users for the service. Users may hold as few, or as many identities as they wish, from as many providers as they wish, and the system is pseudonymous (i.e. no ‘root’ ID). Relying parties specify the level of assurance they need in a given transaction, and the IDP is paid accordingly, so for a low-risk transaction (e.g. query about library services) there is a low level of assurance; whilst for a major transaction (e.g. applying for a passport) there is a high level of assurance from the IDP. 


There are no identity numbers, no identity cards, and no compulsion on users to register, or maintain the accuracy of their data. A 'trust scheme' operator oversees the service and ensures that everyone plays by the rules.
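The attribute exchange described in the first post (a user authorises one provider to release a defined set of attributes to a relying party, as a one-off transaction, tagged with a level of assurance) and the pseudonymous hub in the summary above (relying parties state the assurance they need; there is no root ID) are easier to reason about as a small working model. The following Python is a constructed illustration added here; it is not GDS's, Verify's or any IDP's code. Integer LoA values, the keyed-hash pseudonym derivation and the single-use grant token are my assumptions about how such a hub could be built, not a description of the real one.

```python
"""Toy model of a pseudonymous federation hub brokering one-off attribute release.
Constructed illustration only; not the GOV.UK Verify / IDAP implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: integer levels of assurance, higher means stronger verification by the IDP.
LOA_LOW, LOA_MEDIUM, LOA_HIGH = 1, 2, 3


@dataclass(frozen=True)
class Assertion:
    pseudonym: str      # identifier specific to one relying party, unlinkable across RPs
    attributes: dict    # only the attributes the user authorised for this RP
    loa: int            # how far the RP may trust the attributes
    source: str         # which IDP vouched for them


class IdentityProvider:
    """Private-sector IDP: registers and verifies users and holds their attributes."""

    def __init__(self, name):
        self.name = name
        self._users = {}  # local_id -> (loa, attributes)

    def register(self, local_id, loa, attributes):
        self._users[local_id] = (loa, dict(attributes))

    def release(self, local_id, authorised):
        """Release exactly the authorised attribute names; nothing else leaves the IDP."""
        loa, attrs = self._users[local_id]
        missing = set(authorised) - set(attrs)
        if missing:
            raise KeyError(f"{self.name} holds no attribute(s) {sorted(missing)}")
        return loa, {name: attrs[name] for name in authorised}


class Hub:
    """Government hub: no root identity and no attribute store, it only brokers exchanges."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # hub secret for deriving pairwise pseudonyms
        self._grants = {}                    # one-time token -> (idp, local_id, rp, attrs)

    def pseudonym(self, idp_name, local_id, rp_name):
        # Keyed hash over (IDP, user, RP): stable for one RP, different for every other RP,
        # so two relying parties cannot join their records on a common identifier.
        msg = f"{idp_name}|{local_id}|{rp_name}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def grant(self, idp, local_id, rp_name, requested, authorised):
        """User authorises one IDP to release a defined set to one RP: a single-use token."""
        allowed = frozenset(requested) & frozenset(authorised)  # RP asks, user consents
        token = secrets.token_hex(8)
        self._grants[token] = (idp, local_id, rp_name, allowed)
        return token

    def broker(self, token):
        """Redeem the grant exactly once; reuse fails, so there is no standing gateway."""
        idp, local_id, rp_name, allowed = self._grants.pop(token)  # KeyError if reused
        loa, attrs = idp.release(local_id, allowed)
        return Assertion(self.pseudonym(idp.name, local_id, rp_name), attrs, loa, idp.name)


class RelyingParty:
    """A service that states the LoA and the attributes it needs for a transaction."""

    def __init__(self, name, required_loa, needed):
        self.name, self.required_loa, self.needed = name, required_loa, frozenset(needed)

    def accept(self, assertion):
        have = set(assertion.attributes)
        if assertion.loa < self.required_loa:
            return False, f"LoA {assertion.loa} below required {self.required_loa}"
        if not self.needed <= have:
            return False, "attributes missing: " + ", ".join(sorted(self.needed - have))
        return True, "accepted"


def demo():
    """Walk one user through a low-risk and a high-risk transaction via one IDP."""
    hub = Hub()
    idp_a = IdentityProvider("IDP-A")  # constructed IDP that verified the user to medium LoA
    idp_a.register("u42", LOA_MEDIUM, {"name": "A. Person", "dob": "1980-01-01", "address": "1 High St"})
    library = RelyingParty("library", LOA_LOW, {"name"})
    passport = RelyingParty("passport", LOA_HIGH, {"name", "dob", "address"})

    # Low-risk transaction: the RP asks for name and address, the user authorises only name.
    t1 = hub.grant(idp_a, "u42", library.name, {"name", "address"}, {"name"})
    a1 = hub.broker(t1)
    # High-risk transaction: the user authorises everything, but the IDP's LoA is too low.
    t2 = hub.grant(idp_a, "u42", passport.name, passport.needed, {"name", "dob", "address"})
    a2 = hub.broker(t2)
    try:
        hub.broker(t1)          # second redemption of a one-off grant must fail
        reused = True
    except KeyError:
        reused = False
    return {
        "library": library.accept(a1),
        "library_attrs": a1.attributes,
        "passport": passport.accept(a2),
        "unlinkable": a1.pseudonym != a2.pseudonym,
        "stable": a1.pseudonym == hub.pseudonym("IDP-A", "u42", "library"),
        "grant_reusable": reused,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```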


What is the current status of the programme?


The first round of IDAP procurement took place in 2012, and resulted in eight IDPs being recruited to the framework, of whom three declined to go through on the first call-off contract. That leaves us with DigIdentity, Experian, Mydex, Post Office, and Verizon Business. They have been working on the first services, which will connect to a hub provided by GDS. The first private beta services are now running, and will shortly be made public, with selected users being able to enquire about their driver records using IDAP. In anticipation of expanding the breadth and depth of the service, and increasing robustness, GDS is now returning to the market to seek additional IDPs.


Procurement event


GDS is hosting a procurement event on 28th April, at which the procurement will be explained, and candidate IDPs can have their questions answered. There is one burning question I'd like to have answered at that event, and in anticipation of the end of the month, I'll outline it here.


The challenge for GDS


This next round of work is not going to be without its challenges: IDAP has to deliver some ambitious objectives, including:

- providing services for multiple central government departments with conflicting needs, architectures, and timescales;

- enabling cross-channel service delivery that enables users to engage with IDAP online, over the telephone, and face-to-face;

- shifting delivery away from the ‘traditional’ public-sector providers who are equipped for major project delivery, and instead working with a range of small and large companies, some of whom are not accustomed to working with the UK government;

- rolling out a robust service delivery that does not risk denying services for users if systems face teething problems;

- creating collaborative federation between potentially competing IDPs;

- establishing a trust framework and oversight mechanism that ensures legal protection for all parties;

- building consumer confidence in a new concept which does not yet have a recognised brand, interface or use case;

- growing an ecosystem of IDAP services which is as attractive for private sector providers and relying parties as it is for public authorities.


Each of these is a major change for central government; collectively they are a huge obstacle, and whilst GDS has a track record of delivering 'impossible' projects under challenging circumstances, there is no denying that this next phase of work for IDAP is likely to be the toughest yet.


Commercial challenges for potential IDPs


But the challenges aren't exclusive to GDS - in fact, the current and future IDPs have perhaps the toughest environment of all, since the risks are rising but the possible rewards are a long way off, and we don't yet have a commercially viable IDAP ecosystem. IDPs are currently paid on a “per unique user, per IDP, per annum” basis: that is, for each person who uses an IDP to access IDAP services, the IDP is paid a one-time fee each year, even if that person also uses other IDPs. That means that the IDP must win over users and persuade them to use IDAP if it is going to recoup its investment in IDAP services.


Anecdotal evidence suggests that the minimum cost of standing up an IDP service which could pass muster with the trust scheme, would be in the region of £1.5m - £2m (probably much more for a large company). Add to that the costs of operating, marketing, auditing, etc, and we're probably looking at another minimum £500,000 per annum. This isn't a cheap proposition for the IDP, and the up-front costs drive all the risk to the IDP, with no assured transaction volumes from government.


The transaction payments to IDPs are not publicly available, but if we guess at, say, £20 per user per annum, with an operating cost of £10 to verify and credential each user, that means an IDP would need to run a population of 250,000 users in the first year just to have a chance of breaking even. That's going to be a problem for stretched Sales Directors who are evaluating bid risks and trying to determine where to focus their sales resources. Why bid the high-risk job with the deferred payback, when they could go for safer projects with up-front payment (that is, if any such projects still exist in the public sector, but that's another matter)?


And the political challenge...


In just over a year from now, Britain will go to the polls. In his Editor's Blog, Bryan Glick considers how GDS is likely to become a focal point for political fighting both before and after the next election. If we end up with a Conservative-led government, then the GDS vision is safe; but if we have a Labour-led government, then there will be those wishing to exact revenge on Conservative policies, including senior political figures who still support the idea of National ID Cards, and in that situation IDAP looks like a pretty easy target for them to cancel and switch back to a more traditional ID approach. Our IDPs would find their contracts cancelled without having made so much as a penny, and potentially having sunk several million pounds into their delivery.


IDAP is therefore a high-risk commercial proposition, not just because of the nature of the service and its commercial model, but because of broader political pressures, and it would be a negligent Sales Director who didn't take that into account when deciding where to focus bid resource. GDS could of course do many things to mitigate this risk, including offering up-front payments to IDPs; ensuring that there are appropriate termination clauses in the contracts; delaying the delivery phase until after the election; or changing the commercial model altogether.


So my question to GDS is: what can GDS do to assure candidate IDPs that the risks associated with bidding and delivery are successfully mitigated by the potential prize and the likelihood of winning it? Until that question is answered, I think I’d rather put my money on a 5-horse accumulator than an IDP bid team.


[Declaration of interests: I am not associated with any of the incumbent IDPs or bidders, although I was part of the Post Office’s bid team. I have an unpaid role in the GDS Privacy and Consumer Advisory Group. And I’d like to see IDAP succeed, because a return to ID Cards doesn’t bear thinking about]

Reflections on Identity and Access Management


This week is Gartner's annual Identity and Access Management shindig in London. I was fortunate enough to attend for the first time in 2011, when there was a real sense of mixed feelings amongst the delegates: the big vendors were split into those who were upset at the cancellation of the National Identity Scheme, and those delighted at the opportunity to compete for whatever might replace it; end user organisations were generally ambivalent, but for some there seemed to be a relief that they could move on from the black hole created by ten years of the NIS.

Three years later, I'll be speaking in this afternoon's session on the government's Identity Assurance programme, and specifically how it might disrupt the way that we buy and sell identity services in the UK.

The Identity Assurance Programme (IDAP) depends upon reuse of existing credentials through federation, rather than commissioning substantial new systems, and providers are having to seek innovative business models to justify their investment. This has created a somewhat surprising list of Identity Providers (IDPs) in the first tranche of suppliers: some welcome SMEs, and a new role for the Post Office, but no big name UK online brands, retailers or financial services providers.

IDAP's success will rest upon whether potential providers and consumers of IDAP services can be persuaded that IDAP's interests align with their own, and that any investment they make in technology, marketing and business transformation will give them a future return. The Government Digital Service will have their work cut out delivering the commercial models that these companies need to justify their investments - maybe we'll see some good ideas at today's conference?

Online Tracking: Keeping Austin Weirder


One of our long-standing problems with Internet privacy is the tracking of user activities, more often than not without any meaningful opt-out mechanism: if you don’t want to be profiled by, say, Facebook then don’t go on Facebook. That’s all very well to say, but no use to someone whose social life depends on the social network (it’s one of the areas which the new EU Data Protection Directive might be able to address, if it ever sees the light of day). There is, however, a sense of balance in Facebook mining user data, since the site offers a free service which its users find invaluable. Users receive value in return for the value in their data. Not a transparent relationship, almost certainly not equitable, but at least it’s commonly understood.

More disturbing is the potential for behavioural monitoring and online tracking by communications service providers. When Phorm’s adventures in deep packet inspection came to light, users were quite justifiably outraged: secret monitoring of their online use of a paid service by a third-party organisation without their knowledge or consent was clearly a big step over the line of acceptable intrusion. When users pay for their services, they expect a degree of respect for their privacy.

But there’s no doubting that a key aspect of consumer empowerment is the potential for users to trade some of their privacy for a reward. If behavioural data is that valuable to advertisers, then why not pass that value all the way through the chain to the data subject, rather than holding it with a service provider? 

It’s interesting to see AT&T taking this a step further in Austin, Texas, by offering discounts to internet customers who choose to submit to online profiling of their behaviours. Customer plans are discounted by 30% for customers agreeing to opt into "AT&T Internet Preferences,” which is the company’s user profiling tool, used to target behavioural advertising. I’d be interested to see the small print - does it allow users to use VPNs to obscure their online activities from AT&T? I suspect the relevant protocols would be blocked.

Whilst it’s not a service I’d personally subscribe to, it’s good to see a provider offering to extend the profiling value chain all the way back to the user. As Constantijn van Oranje-Nassau said at this week’s IAPP Data Protection Congress, “you can be at the table or on the menu,” and even if rewarding consumers for surveillance isn’t quite a seat at the table, at least we’re getting to haggle with the Maitre D’ about whether there might be a seat available.


RSA Conference Europe 2013 - When Security Met Privacy


This year's RSA Conference Europe is themed around how 'Big Data Transforms Security,' requiring support from and feeding into the corporate security function. The tone was set by one quotation from RSA's CEO Art Coviello in his welcoming keynote, where he proclaimed that "Anonymity is the enemy of privacy." In other conference sessions, the implications of processing personal information have come up time and again as flashpoints between the security and privacy communities - but are these disciplines really poles apart?

In his keynote, Coviello went on to explain that in his opinion anonymity is used by digital adversaries to misuse data without fear of being caught or prosecuted. That's fighting talk for privacy advocates, who would of course argue that anonymity is a critical privacy tool, which must be interpreted in subtle and granular ways: zero-knowledge proofs, anonymous attributes and pseudonymous interactions are applications of anonymity which preserve privacy without impeding business objectives or putting data at risk. But within the corporate user environment, which is RSA's customer heartland, the argument holds sway and few employees would have an expectation of privacy that extends to anonymity in their working environment.

Not all of the keynote was quite so contentious, and Coviello used the analogy of privacy and security functions as opposite magnetic poles, which can attract each other when aligned, and can form a powerful bond. It's a lofty ambition, but for many organisations the security and privacy functions still exist in a state of polar repulsion, with security and privacy teams located in different divisions, serving different masters for different outcomes. Privacy functions in particular, hidden away from the sharp end of business delivery in the likes of compliance or legal teams, too often retain a risk-averse culture and a tendency to say 'no' when confronted with a challenging business objective.

Unfortunately, for organisations which suffer this bipolar management of personal information, the nexus between security and privacy is too often in incident management, as the Privacy Officer and Security Officer fight over who should have secured the missing personal data asset, and what to do about its loss. The result is that everyone loses, including the individuals whose data has been leaked or misused, and the security and privacy functions remain in conflict, confined to reacting to incidents rather than taking proactive control of processing risks.

If organisations are to exploit big data, then privacy and security functions need to align to create a shared understanding of risk throughout every part of the project lifecycle. Business cases and change requests should be checked not only for security compliance, but also to ensure that they meet corporate risk appetites in the handling of personal information, as well as legal and sectoral responsibilities for data protection. A truly aligned security and privacy operation should feature co-location of delivery teams, both reporting to a single responsible officer who can identify and resolve problems before they boil over, but equally can ensure that risk decisions take into account both security and privacy needs.

The RSA Conference will of course remain the preserve of the information security community, but with this level of focus on privacy needs, it's likely to become a compelling event for privacy professionals too - and that can only be a good thing for personal data risk management.

[Declaration of interest: I am a member of the RSA Conference Europe programme committee]



The call for papers for 2014's IAPP Europe Data Protection Intensive comes to a close this Wednesday. If you're a privacy professional then this will be the most important event in London next year, and will be well worth attending.

You can find more details about the event here: 

The future of eID in Europe

In recent months the fuss about surveillance revelations has distracted attention from some good work in the European Commission to try to align and push forward a harmonised electronic identity and trust services approach. The problem of cross-border identity and trust services is an old one, and because of the competing influences of different legal regimes, divergent commercial interests, and the mix of standards out there, one which is still far from resolved. I last looked at this in detail in 2008, in a report for the Institute for Prospective Technological Studies.

The UK is particularly far from aligned with the broader European Union in this area because we lack a national population register, citizen identity cards, widespread use of notaries, or a common online trust infrastructure (PKI or similar). All the building blocks are available, but first we need to resolve the political and commercial issues around our national identity services (not to be confused with ID cards) before we start to worry about international interoperability. The Cabinet Office-sponsored Identity Assurance Programme (IDAP) is our best hope of achieving that outcome, but it's still far from ready for the big time. International needs are being considered within IDAP's scope of work, but first we need to make it work locally.

With that in mind, I was fortunate to contribute to a conference in Brussels last week on eID and Trust Services. The day was much more practical than many similar events, and the highlight was a speech by Prof Jane Winn of the University of Washington, in which she referred to Gall's Law:

A complex system that works is invariably found to have evolved from a simple system that worked. The inverse proposition also appears to be true: A complex system designed from scratch never works and cannot be made to work. You have to start over, beginning with a working simple system.

This is so very true for eID: poor online ID services can take a good working system and destroy it completely for the sake of adding complexity. The most glaring example was the National ID Scheme, which was neither simple nor evolutionary, instead preferring a 'big bang' delivery with little opportunity to prove the system first. IDAP is running small-scale proofs of concept (the 'Alpha' projects, some of which have only a handful of users) to explore basic concepts before it moves to larger implementations.

The European Commission is now running a survey to support its study activities, and I'd recommend that if you have an interest in this space then you should contribute before it closes at the end of November.


| No Comments
| More

I've a lot of time and respect for my GP, not least because we see eye-to-eye on privacy matters. He shares my concern about the centralisation and automation of healthcare data, not because of any prejudice against the NHS (for which I also have the utmost respect), but because of the inevitable fallibility of any huge institution which brings together people, computers and sensitive personal data.

During a recent checkup he drew my attention to the '' extract of medical records, and showed me some of the internal propaganda he'd received to persuade patients that there was nothing to worry about. Rather than attempt to recount it all, I'd like to reproduce a mailer I've received today from the excellent Terri Dowty and Phil Booth at medConfidential.


Information that you share with your GP is about to be extracted from surgery records and stored on a centralised NHS system with your identifying details still attached. From there, it will be made available for administrative, research and other purposes. The government has claimed that your records will be 'anonymised' before they are handed over to anyone else, but this is not true. There are several circumstances in which data that identifies patients will be made available.

Once your information has been uploaded, neither you nor your GP will have any control over who it is shared with, who has access or what is done with it. You will not be consulted, nor will you be asked for consent. Uploads will take place automatically every month.

When you next visit your GP, you may see a small poster headed 'how information about you helps us to provide better care'. This is how the NHS is explaining its plans to you and it is very misleading. It does not give you full details of the information that will be collected and it claims that it will not identify you.

Further down the poster you will see the words 'you have a choice'. What this actually means is: if you do not want personal and confidential information to be taken from your medical record every month, the onus is on you to opt out of the scheme. If you don't do so, it will be assumed that you consent to the extraction.

You can download an opt-out letter to complete and send to your GP from the medConfidential website:

You will also find more detailed information about the scheme - known as '' - on the medConfidential website.

Please tell all of your friends, family and colleagues about this scheme, or forward this email to them. It is very important that everyone knows they must take action if they don't want their information to leave their GP's surgery.

iPhone 5s - Secure in Practice?

| No Comments | No TrackBacks
| More

So the iPhone 5s, Apple's newest shiniest consumer thing, has had its new biometric security broken by no less than the famous Chaos Computer Club (CCC). Using a simple spoofing attack, in which a print lifted from the registered finger is reproduced on a latex sheet, the phone's sensor can be fooled into thinking it's seeing the original digit. By applying a simple trick which can apparently defeat the majority of fingerprint sensors, CCC have demonstrated a weakness in Apple's security and will hopefully claim one of the many prizes which have been offered for the first successful hack.

Except... does it really matter? Let's be realistic here. A successful 'real world' attack on an iPhone 5s - or any other fingerprint sensor - where the subject is not compliant (and one assumes is unaware of the attack), requires the bringing together of the phone and a good copy of the fingerprint. Not beyond the wit of a skilled team of fraudsters, but hardly likely to be used by a casual attacker. In most real-world situations, the fingerprint is still an improvement over a four-digit PIN, which could easily be shoulder-surfed by an observer, and would be an irrelevance to the likes of the NSA.*

Some of the wackier articles out there suggest that the biometric approach is vulnerable to being used whilst the victim sleeps (which suggests a level of intimacy where getting the PIN would be much simpler), or that the owner's cat might be able to unlock it. All this will work in Apple's favour in the long run, but in the short term the stories distract from Apple's 'privacy by design' approach to their sensor.

What's really welcome in Apple's design approach is that the fingerprint data is held within a secure element in the iPhone 5s (the Secure Enclave, in Apple's terms). The phone does *not* store a copy of the fingerprint itself, but instead a derived representation of the print (Apple describes it as a mathematical representation; 'hash' is a reasonable shorthand), such that the original image *cannot* be recovered by an attacker because it simply *doesn't exist* within the device.

This philosophy is an important (if obvious) step for the broader acceptance of biometric technologies. As CCC have shown, a fingerprint image can be stolen, either physically or electronically. But a hash, which is a *one-way* mathematical function, cannot be used to recover the original image. One caveat: a template that has to match a slightly different scan every time cannot be a plain cryptographic hash of the image in the way a password hash is, so how irreversible it really is depends on the template scheme rather than on the word 'hash'. This matters somewhat, since most of us only have nine password resets available to us before we have to start using alternative appendages, or alternative biometric technologies.
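As an added illustration (not Apple's mechanism, and not code from the original post), the snippet below is a toy fuzzy commitment over a constructed 60-bit feature vector. It shows why a password-style SHA-256 check fails on a second scan that differs by a few bits, and how storing only helper data plus a hash of a random key still lets a close-enough sample be recognised without the template itself being stored. The feature vectors, the repetition code, the 12-bit key and the function names are all assumptions chosen to keep the example small; a real scheme needs a proper error-correcting code and a key long enough to resist brute force.

```python
"""Toy fuzzy commitment (Juels-Wattenberg style) for a noisy biometric.

Constructed example, not a real sensor pipeline: a 'template' is a 60-bit
feature vector. Two scans of the same finger differ in a few bits; an
impostor differs in many. A plain hash only matches an identical sample,
so a biometric cannot be stored like a password hash. The commitment stores
(helper, H(key)) only, and recovers the key when a sample is close enough.
"""
import hashlib
import secrets
from typing import Iterable, Optional

K_BITS = 12                  # random key length (toy size; brute-forceable)
REP = 5                      # repetition code: each key bit appears REP times
N_BITS = K_BITS * REP        # template length, 60 bits
TOLERANCE = (REP - 1) // 2   # bit flips tolerated per REP-bit block (2)


def encode(key: int) -> int:
    """Repetition-encode a K_BITS key into an N_BITS codeword."""
    word = 0
    for i in range(K_BITS):
        bit = (key >> i) & 1
        block = (1 << REP) - 1 if bit else 0
        word |= block << (i * REP)
    return word


def decode(word: int) -> int:
    """Majority-vote each REP-bit block back to one key bit."""
    key = 0
    for i in range(K_BITS):
        block = (word >> (i * REP)) & ((1 << REP) - 1)
        if bin(block).count("1") > REP // 2:
            key |= 1 << i
    return key


def sha256_int(x: int) -> bytes:
    return hashlib.sha256(x.to_bytes(8, "big")).digest()


def naive_hash_match(stored_hash: bytes, sample: int) -> bool:
    """Password-style check: only a bit-identical sample matches."""
    return sha256_int(sample) == stored_hash


def enrol(template: int, key: Optional[int] = None) -> dict:
    """Store helper = codeword XOR template and H(key). The template is not stored."""
    if key is None:
        key = secrets.randbits(K_BITS)
    return {"helper": encode(key) ^ template, "key_hash": sha256_int(key)}


def verify(commitment: dict, sample: int) -> bool:
    """helper XOR sample = codeword XOR noise; decode, then compare H(key')."""
    recovered = decode(commitment["helper"] ^ sample)
    return sha256_int(recovered) == commitment["key_hash"]


def flip_bits(x: int, positions: Iterable[int]) -> int:
    """Simulate sensor noise (or an impostor) by flipping the given bit positions."""
    for p in positions:
        x ^= 1 << p
    return x
```

Two things the toy makes visible: a genuine re-scan with one flip per block is accepted while the same scan hashed directly is not, and a scan with three flips in one block is falsely rejected, which is the usual accuracy trade-off. The helper data is not secret-free either: it leaks information about the template, so fuzzy commitments are weaker than a true one-way hash and the key hash must be of a key long enough to resist guessing.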

A really significant headline here would be the *electronic* copying and spoofing of the fingerprint image, in a way which would facilitate a remote attack. But that's not happened yet, has it?*

* NSA/GCHQ caveats - if everything we've read about PRISM and related surveillance, interception, and engineered weaknesses in online security systems is indeed true, then all discussions of commercial security need to be subject to a standard disclaimer that the security doesn't apply to the NSA/GCHQ. More on that later.

Declaration of interests: I'm an Apple user. I don't own a 5s and have no plans to do so. I'm a fan of well-designed biometrics systems.

Government Digital Service publishes Identity and Privacy Principles

| No Comments
| More

One of the common concerns about identity-related technologies is the potential for abuse of privacy, and for function creep of the identity system itself: mechanisms which are designed to support authentication end up being used to hoover up personal data about the user's interactions with relying parties, and pose a greater threat to privacy than the alleged security problems which they were originally intended to resolve.

Of course it doesn't have to be that way: systems which are designed around technical, legal and procedural mechanisms which protect, rather than undermine, privacy can be privacy-preserving rather than invasive. This is one of the key philosophies of Privacy by Design, which recognises that good security, good identity and good governance can enhance, rather than degrade, users' privacy.

With this in mind, a team of volunteers has been working with the Government Digital Service to operate the snappily-titled "Identity Assurance Programme Privacy and Consumer Advisory Group," which provides expert advice and a sounding board for GDS and participating government departments to develop and test a set of design and operation principles which are intended to ensure that the Identity Assurance Programme adheres to strict criteria to respect users' privacy: in short, to ensure that it doesn't 'go off the rails.' The IAPPCAG includes the likes of No2ID, Privacy International, Which?, London School of Economics, Oxford Internet Institute and Big Brother Watch, and I've been fortunate to sit on the Group since its inception.

Yesterday IAPPCAG released the latest version of the Identity and Privacy Principles. These nine criteria will guide the development and delivery of the Identity Assurance programme, and whilst we acknowledge that they will need to evolve to respond to changing needs, we believe that they provide a firm foundation on which to build user trust and respect. The principles, which are explained in detail on the GDS blog (where you can also comment on them), include:

1. The User Control Principle: Identity assurance activities can only take place if I consent or approve them.

2. The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed.

3. The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to.

4. The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs.

5. The Data Quality Principle: I choose when to update my records.

6. The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.

7. The Governance/Certification Principle: I can trust the Scheme because all the participants have to be accredited.

8. The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution.

9. The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny.

Of all of these, perhaps the most challenging principle for government will be that last one, particularly in light of PRISM revelations (and doubtless more to follow) and the hubris around censoring adult content. Will there be the appetite for true transparency and accountability in those situations where some degree of privacy is compromised in the interests of national security or user safety? That will be an acid test for whether the UK is on course to become a true digital economy, or is just paying lip service to online rights.

I hope to be discussing the principles further at the next Open Identity Exchange meeting in London on 2nd July. If you want to add to the debate, then do join us.

Postcodes, PAF and Pseudonymisation

| More

A number of today's papers are reporting on the government's plans to offer up Royal Mail for private investment, and the implications for the Postcode Address File (PAF). Cabinet Minister Francis Maude is claimed to be concerned that if PAF is sold with Royal Mail, then the government will end up spending a fortune on licences for future access to it (a situation which apparently arose in the Netherlands).

PAF is already a tightly-regulated product, with strict controls imposed on Royal Mail's access fees. Postcodes were originally introduced by Royal Mail to facilitate automated sorting of deliveries, back in the days before computers were available to support that process. They're now used for a whole host of purposes, from insurance and credit rating, through to navigation and lotteries.

But the underlying format of the postcode is a machine-centric construct which has been superseded by technology, which could sort using any form of unique serialisation for an address or group of addresses. So here's a thought: why not allow pseudonymisation of postcodes in much the same way as URL shorteners provide alternative URLs for websites? A customer simply enters a postcode on a website, assigns the personalisation they want, pays a fee and thereafter any automated sorting system which spots the personalised code can look up the original and sort accordingly (this could be done during the initial OCR/keying that prints phosphor sorting dots on the envelope). Similar lookups would work for navigation, lotteries etc.

If we assume there are approximately 22m households in the UK, of which just 5% pay £20 p.a. for a personalised postcode, and a further 0.5% pay £100 p.a. for an 'elite' level of personalisation, we'd be bringing in £33m p.a. simply for the personalisation service - and that's got to be handy for Royal Mail's prospectus.

Could Identity Assurance be the missing ingredient for digital inclusion?

| More

The government's plans to tackle digital exclusion - the significant user population that cannot or will not use online services - are essential if we are to achieve 'Digital by Default' targets for service delivery, which in turn form a cornerstone of key reforms such as Universal Credit. Is it possible that the Identity Assurance programme is a means to provide user confidence in access to shared online service that will encourage large new groups of users to venture online? This might be the case, but only if all the key stakeholders engage with marginalised users as they first register for services, and public authorities ensure that services are redesigned to incorporate Identity Assurance across delivery channels, rather than bolting it on as an afterthought.

Getting online, staying online

Digital inclusion is not just about handing out PCs and broadband connections. Whilst numerous capabilities need to come together for an individual to be considered 'digitally included,' three of the critical factors include:

  • Connectivity: the user needs to have access to an endpoint device and internet connectivity to online services;
  • Capability: the user requires the skills to be able to get online and use online services;
  • Confidence: the user needs the confidence to transact online without fear of loss or penalty should they be unable to complete the transaction.

Perhaps the key first step for digital inclusion is persuading marginalised users to ‘give it a go’ – to attempt to use online services for the first time. This may involve obtaining or sharing access through endpoint devices and/or networks (e.g. local libraries, UK Online Centres); building their skills through trial and failure, and being able to fall back on community-based support when required; and having the confidence that if something goes wrong, they will not suffer financial or other losses as a consequence.

Digital by Default

Universal Credit and similar programmes will only succeed if the bulk of interactions with users take place online: the need to drive down costs while improving service means that customers must use online channels in place of face-to-face or telephony. Online engagement is essential, but Digital by Default cannot succeed unless government has a way to trust people online, without going through the expense of registering each user in a face-to-face interview, and managing their credentials thereafter.

Identity Assurance

The Government Digital Service (GDS) has devised a fresh approach to building online trust: the Identity Assurance (IDA) programme. The aim is to allow users to prove their identity, or other information about themselves, using services from private-sector organisations. In the IDA model, individuals and businesses will be able to ‘reuse’ existing trust relationships to interact with government (and ultimately with each other): for example, a customer might use their online banking credentials to prove their entitlement to a public authority so that they can claim benefits. GDS is working with key authorities to deliver the necessary technical, commercial and regulatory infrastructure to make this new approach possible.

GDS is also developing a market of companies wishing to act as Identity Providers (IDPs), who will have to bid for the right to do so, and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. Eight Identity Providers have been selected to provide the first set of IDA services in support of pilot activities from October 2013. Those IDPs are working together under the aegis of the Open Identity Exchange (OIX) to deliver the technology, commercial and legal approaches needed to make the service a reality.

Will Identity Assurance support digital inclusion?

Identity Assurance could create an environment that goes a long way towards addressing the needs for connectivity, capability and confidence that would drive digital inclusion for a substantial population of currently marginalised users.


Digital inclusion is about more than just providing digitally marginalised users with access to network connections and endpoint devices: inclusion is increasingly about ‘ambient’ access to online services, available through multiple channels and devices. Truly inclusive connectivity requires trusted access to shared services: users need to be able to share devices and connections without fear of identity-related fraud or security breaches.

IDA could provide the necessary trust mechanism to encourage users to share services. If users have a channel-agnostic authentication token, such as one-time PINs provided by SMS to their phone, coupled with a suitable trust framework to assure them that they will be protected in the event of a problem (in much the same way that credit card customers are protected against fraud by the brand network, e.g. Visa or Mastercard), then they will be empowered to use whatever device or network access they choose, without fear of identity fraud or security breaches.


A key requirement for IDA is the ability for users to prove their identity and transact with government across multiple delivery channels (online, telephony, face-to-face), but if the service is to be inclusive then individual transactions must be accessible across multiple channels as well: rather than users being pigeonholed as ‘online’ or ‘face-to-face’, they should be able to switch channels as and when they choose. For example, a user might start a transaction online, then seek telephone support when they need it, and be returned to an online channel once their problem is resolved.

Making this happen will require action both from the IDPs, who should be encouraged to deliver multi-channel services, and public authorities who need to design their services such that seamless channel changes are supported, rather than having transactions ‘break’ when users need to move between channels. Effective channel shift will only happen when marginalised users can change channels freely as and when they choose.


The diverse and incompatible authentication services used across public services are, for some users, confusing and difficult to use, and are likely to be a contributing factor to their reluctance to use online services. The move to a ‘unified’ IDA solution, where users can select the IDP and credential of their choosing, provides a much more user-centric approach.

Furthermore, the IDA architecture supports the concept of 'delegated authority': the ability for users to delegate trust to other users when required, and to act on behalf of other users when authorised to do so. Appropriate security controls and audit trails ensure that systems can differentiate between the actions of the user and their delegated proxy, and thus the user is protected if the proxy contravenes their instructions. The approach is essential for business identity, where employees and agents (such as accountants) act on behalf of the business.

Implemented correctly, the delegated authority approach could also be an invaluable digital inclusion tool: users could have the ability to delegate trust to the individual, service or organisation of their choosing when they require help with a transaction. For example, a user could ask a family member, a voluntary group or a UK Online Centre to assist or act on their behalf, without having to give away their credentials to do so; the user chooses whose hand to hold when they need support, safe in the knowledge that if anything goes wrong, they are protected from fraud or errors committed by their proxy.
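The two paragraphs above describe the properties a delegation mechanism needs: the proxy never holds the user's own credential, the grant is bounded in scope and time, and every action is recorded against both the user and the proxy. The following is an added, constructed sketch of those checks at a relying party; it is not IDA's own design. The function names, the HMAC-signed grant (a real deployment would use a signature from the issuing IdP or hub, bound to a specific relying party and revocable) and the action names are assumptions.

```python
"""Bounded, auditable delegation: a subject grants an actor a scope for a time.

Constructed example. The grant is a signed statement, so the proxy never
learns the subject's own credential, and the relying party logs every
attempt with both identities, allowed or refused.
"""
import hashlib
import hmac
import json
from typing import List


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding (stand-in for an issuer signature)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_delegation(key: bytes, subject: str, actor: str, scope: List[str],
                     ttl_seconds: int, now: int) -> dict:
    """Subject authorises actor for exactly `scope`, expiring at now + ttl."""
    payload = {"sub": subject, "act": actor, "scope": sorted(scope),
               "iat": now, "exp": now + ttl_seconds}
    return {"payload": payload, "sig": _sign(key, payload)}


def act_on_behalf(key: bytes, delegation: dict, presenting_actor: str, action: str,
                  now: int, audit_log: List[dict]) -> bool:
    """Relying-party check. Returns True if allowed; logs the attempt either way."""
    payload, sig = delegation["payload"], delegation["sig"]
    reason = None
    if not hmac.compare_digest(sig, _sign(key, payload)):
        reason = "bad signature"                  # payload cannot be trusted at all
    elif payload["act"] != presenting_actor:
        reason = "presented by a different actor" # grant is not transferable
    elif now >= payload["exp"]:
        reason = "delegation expired"
    elif action not in payload["scope"]:
        reason = "action outside delegated scope"
    # The audit record names both parties, so the subject's own actions
    # (actor == subject) are distinguishable from the proxy's.
    audit_log.append({"at": now, "subject": payload.get("sub"), "actor": presenting_actor,
                      "action": action, "allowed": reason is None, "reason": reason})
    return reason is None


def actions_by_proxy(audit_log: List[dict], subject: str) -> List[dict]:
    """Everything done in the subject's name by someone other than the subject."""
    return [e for e in audit_log if e["subject"] == subject and e["actor"] != subject]
```

The refusal reasons are deliberately specific and logged rather than returned to the caller, so the subject (or an arbiter) can later see exactly what a proxy tried to do and why it was refused, which is the evidence the "protected from fraud or errors committed by their proxy" promise depends on.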

Using Identity Assurance to deliver digital inclusion

If IDA is to become a catalyst for digital inclusion, then its implementation must be treated as a strategic change in delivery, rather than just an enhancement to existing authentication mechanisms. Authorities need to re-think delivery workflows to split interactions into smaller transactions which users can control across different sessions, channels, or providers, so that services don’t ‘break’ if the user suspends the session, or changes the delivery channel, IDP, or delegated authority.

Next Steps

GDS, the IDPs and the potential Service Providers (public authorities) need to come together to support the evolution of commercial models which incentivise the nascent IDP market to design services with the needs of marginalised users in mind, and actively engage with and support marginalised users as they register for services. They also need to work together to educate users that they should try to access services online, and ensure that the necessary support mechanisms are in place to help them when they do so.

Real Time Identity?

| 1 Comment
| More

A simple way to build online trust, or another failed technology project in the making? Toby Stevens explores the government’s new identity assurance programme and considers what it means for your business. This article originally appeared in the ICAEW's Chartech magazine, Jan/Feb 2013.

The government’s flagship Universal Credit (UC) programme promises to revolutionise in-work benefits, and will certainly have a profound effect on the way employers report employee earnings to HMRC. The IT delivery risks associated with this change have been widely discussed, not least in a submission by ICAEW’s Tax Faculty to Parliament’s Work and Pensions Committee. What has not been so widely discussed is the government’s identity assurance programme, which is intended to deliver the trust framework so that individuals and businesses can interact with UC, and other government services online.


One of the first major policy moves of the coalition government was to throw out the failing national identity scheme. Touted as a panacea for any possible interaction between citizens and the state, from immigration to underage drinking to fighting terrorism, the ID cards programme came to dominate every aspect of the online identity space. The programme’s cancellation left the UK in the odd position of having no identity infrastructure — industry had ended investment in alternative approaches in anticipation of the new scheme.

Nowhere are the implications of this situation more significant than within the financial sector. Employers need to verify employee identities, rights to work or eligibility, and accountants and agents are obliged to check their customers’ passports or equivalent proofs of ID, and to maintain those copies so that they can prove their anti-money laundering practices at any time. Those checks are often completed by individuals who have little formal training in identifying fraudulent documents, and this has created a service industry dedicated to checking documents and managing the results.

It’s even worse for customers, who have to carry and present passports and driving licences for these checks, thereby running the risk of identity-related fraud.


The government was quick to recognise that UC and similar transformational policies can only succeed if the bulk of interactions with users take place online: the Department for Work and Pensions (DWP) alone handles over two million telephone calls each day, and the imperative to drive down costs while improving service means that customers need to be encouraged to use online channels.

However, UC will migrate users from a per person to a per household benefit, coupled with inspection of their income on a weekly basis through the Real Time Information (RTI) programme. This change will inevitably give rise to a huge surge in enquiries as users switch to the new system, and any savings associated with the new policy would be wiped out by the contact centre costs. Online engagement is essential, but ‘Digital by Default’ cannot succeed unless the government has a way to trust people online, without going through the expense of registering each user in a face-to-face interview and managing their credentials thereafter.


Drawing on experiences of the US National Strategy for Trusted Identities in Cyberspace programme, the government devised a fresh approach to proving identity online in the UK — the Identity Assurance (IDA) programme. The aim is to create the necessary technical, commercial and regulatory infrastructure to allow users to prove their identity or other information about themselves using services from private sector organisations.

In the IDA model, the government provides a number of ‘federation hubs’, which provide the data-matching, anonymisation and audit services to support interaction between a market of identity providers (IDPs) and the government departments that will consume identity information. Companies wishing to act as IDPs will have to bid for the right to do so and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. IDPs will in the first instance be paid on a ‘per user’ basis for providing identity services. 
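To make the hub's data-matching, anonymisation and audit role concrete, here is an added, constructed sketch; it is not the IDA hub's own code (the real design uses signed SAML assertions rather than HMAC, and the class names, key names and the two sample departments are assumptions). One persistent identifier from the IdP goes in; each relying party receives a different but stable pseudonym derived with a keyed hash under a secret that never leaves the hub, so two departments cannot join their records on the identifier, no department learns the IdP's identifier, and the hub keeps an audit record of which IdP asserted to which department at what level of assurance.

```python
"""Federation hub with pairwise pseudonyms (constructed illustration)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON (stand-in for a SAML signature)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """One persistent identifier (PID) per user; a key shared with the hub."""

    def __init__(self, idp_id: str, hub_shared_key: bytes):
        self.idp_id = idp_id
        self._key = hub_shared_key
        self._pids: Dict[str, str] = {}

    def authenticate(self, username: str, loa: int, now: int) -> dict:
        pid = self._pids.setdefault(username, secrets.token_hex(16))  # never reaches an RP
        payload = {"idp": self.idp_id, "pid": pid, "loa": loa, "issued": now}
        return {"payload": payload, "sig": _sign(self._key, payload)}


class FederationHub:
    """Verifies IdP assertions and re-issues them to RPs under a pairwise pseudonym."""

    def __init__(self, hub_secret: bytes, idp_keys: Dict[str, bytes], rp_keys: Dict[str, bytes]):
        self._secret = hub_secret   # pseudonyms cannot be recomputed without it
        self._idp_keys = idp_keys
        self._rp_keys = rp_keys
        self.audit_log: List[dict] = []

    def pairwise_pseudonym(self, idp_id: str, pid: str, rp_id: str) -> str:
        # Stable for (user, RP); unlinkable across RPs without the hub secret.
        msg = "\x00".join((idp_id, pid, rp_id)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def relay(self, idp_assertion: dict, rp_id: str) -> dict:
        payload, sig = idp_assertion["payload"], idp_assertion["sig"]
        idp_key = self._idp_keys.get(payload.get("idp"))
        if idp_key is None or not hmac.compare_digest(sig, _sign(idp_key, payload)):
            raise ValueError("IdP assertion rejected")
        rp_key = self._rp_keys.get(rp_id)
        if rp_key is None:
            raise ValueError("unknown relying party")
        rp_payload = {"sub": self.pairwise_pseudonym(payload["idp"], payload["pid"], rp_id),
                      "aud": rp_id, "loa": payload["loa"], "issued": payload["issued"]}
        # Audit: who asserted to whom at what level; no PID or pseudonym is recorded.
        self.audit_log.append({"event": secrets.token_hex(8), "idp": payload["idp"],
                               "rp": rp_id, "loa": payload["loa"], "at": payload["issued"]})
        return {"payload": rp_payload, "sig": _sign(rp_key, rp_payload)}


def rp_verify(rp_key: bytes, rp_id: str, hub_assertion: dict) -> str:
    """Relying party: check hub signature and audience, return the pseudonym."""
    payload, sig = hub_assertion["payload"], hub_assertion["sig"]
    if payload.get("aud") != rp_id or not hmac.compare_digest(sig, _sign(rp_key, payload)):
        raise ValueError("hub assertion rejected")
    return payload["sub"]


def demo() -> dict:
    """One user, one IdP, two constructed departments; returns the values worth checking."""
    idp_key, dwp_key, hmrc_key = b"idp-hub-key", b"hub-dwp-key", b"hub-hmrc-key"
    hub = FederationHub(b"hub-pseudonym-secret", {"idp-a": idp_key},
                        {"dwp": dwp_key, "hmrc": hmrc_key})
    idp = IdentityProvider("idp-a", idp_key)
    now = int(time.time())
    a1 = idp.authenticate("alice", loa=2, now=now)
    dwp_first = rp_verify(dwp_key, "dwp", hub.relay(a1, "dwp"))
    dwp_second = rp_verify(dwp_key, "dwp", hub.relay(idp.authenticate("alice", 2, now), "dwp"))
    hmrc = rp_verify(hmrc_key, "hmrc", hub.relay(a1, "hmrc"))
    tampered = {"payload": dict(a1["payload"], loa=3), "sig": a1["sig"]}  # LoA raised after signing
    try:
        hub.relay(tampered, "dwp")
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    dwp_assertion = hub.relay(a1, "dwp")
    return {"dwp_first": dwp_first, "dwp_second": dwp_second, "hmrc": hmrc,
            "pid_leaked": a1["payload"]["pid"] in json.dumps(dwp_assertion),
            "tampered_rejected": tampered_rejected, "audit_entries": len(hub.audit_log)}
```

The flip side, which the sketch also makes visible, is that the hub sees every authentication and holds the only secret that links pseudonyms back to a PID: it is a point of concentration that the trust framework and the audit regime have to govern, rather than something the cryptography removes.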


The first instance of IDA is in support of UC. Seven providers, including Experian, Post Office and Verizon have been selected to provide the first set of IDP services in support of pilot activities from October 2013.

They will have their work cut out: they have to deliver IDA services in a very short timeframe while forming a self-regulating body to ensure compatibility of their technology, commercial and legal approaches. This ‘trust framework’ will set and maintain standards, represent user interests, and ensure that the commercial liabilities are properly managed if things go wrong.

The likes of HMRC, the Department of Health and a number of local authorities are preparing ‘IDA-ready’ services. The Cabinet Office has mandated that central government departments must use the IDA approach for most ID-related developments, and is encouraging other public authorities to do so.


The UK does have a current online trust service in the form of the Government Gateway, which is used by a number of departments, but principally for interaction with HMRC. Like IDA, the gateway enables users to have a digital credential that provides them with access to online government services.

While the gateway works well enough for many business users, it does not provide the scalability, ease of use, or the assurance of identity that would be required to support the new populations of users wishing to access UC.


So how will IDA affect businesses? In the coming year, almost not at all; the early rollout is focused on UC, and employers will not be able to engage with the government through IDA. However, HMRC is expected to start acquiring IDA services in 2013, first for consumers and subsequently for businesses and agents.

Businesses that need to engage with HMRC using IDA are likely to be subject to a slightly different model: the ‘responsible officer’ will obtain a business IDA credential, which can in turn be used to authorise further credentials on behalf of the organisation’s employees.

Unlike DWP, HMRC may choose to mandate use of IDA credentials as they become available, and some IDPs might choose to charge for them; others, such as banks, mobile network operators or accounting software firms could instead offer them for free as part of a broader package of services.


Businesses that have an existing online relationship with their customers – in particular those in the finance sector that have completed an anti-money laundering check on their customers – will have an opportunity to extend those relationships into IDA, allowing their customers to assert that existing trust to the government.

Similarly, businesses seeking cost-effective ways to complete anti-money laundering or risk checks on their customers will be in a position to consume IDA credentials, potentially at a much lower cost than traditional face-to-face checks. In time we are likely to witness the abstraction of IDA services, such that providers offer proof of ID services for free in order to augment other data services such as credit scoring.

Perhaps the most important consequence of population-scale trust services will be a change in the way public authorities and businesses consume customer data. When customers can easily prove who they are, and provide accurate verified information about themselves when it is needed, why should businesses submit to the expense of holding large volumes of personal data unless there is a clear commercial case to do so? Businesses wishing to drive down data storage costs and risks, and exploit this new market in personal data will follow IDA’s progress with interest.

This article originally appeared in the ICAEW's Chartech magazine, Jan/Feb 2013. Note that since then certain key changes have taken place, including the announcement of PayPal as the eighth IDP; the novation of contracts to the Government Procurement Service; and a reduced emphasis on Universal Credit as the initial programme for IDA rollout.

Identity Assurance: Who wants to be an Identity Provider?

| No Comments
| More
One of the more contentious areas of debate about the Identity Assurance programme has been the selection of potential Identity Providers (IdPs), not so much for who is on the list, but who is absent. DWP's candidates for the first tranche of delivery include Cassidian, Digidentity, Experian, Ingeus, Mydex, PayPal, Post Office and Verizon. But when Identity Assurance was first announced, there was an expectation that we would see a list of banks, telecoms providers, credit reference agencies, social networks and online retailers.
So who wants to be an IdP?
The simple answer is that only those companies who saw a compelling commercial or strategic reason to bid, chose to do so. There was no radical downselect in which the list of potential IdPs was thinned out, because they didn't bid for the role in the first place.*
The objective of Identity Assurance is to provide an affordable, user-centric mechanism that allows individuals and businesses to transact with government online, in support of key government deliveries (e.g. Universal Credit) and the shift to Digital by Default. In keeping with the shift to transaction-based procurement championed by G-Cloud, DWP is not paying these companies for a classic systems integration contract, but is instead incentivising them with a transaction payment if they provide the service DWP needs.
Specifically, in this first instance each IdP can receive a single payment, per user, per annum, triggered by the user's first authentication to DWP with their IdP. The payment varies according to the channel used to access DWP services (e.g. online, telephone, face-to-face), and the price will be set by a further competition in which the IdPs bid for the lowest price.
This price model is one that is designed to incentivise these new IdPs to bring in as many customers as possible, since they receive their payment when the new customer starts using the service. If you've got your thinking hat on then you've already spotted that this model can be exploited by the IdPs: if a customer chooses to register and access DWP services through all eight IdPs, then each IdP gets paid (under Identity Assurance principles, DWP has no mechanism to enforce uniqueness across providers). With the low volumes of registrations involved at this stage, that's not a problem, but it's not a sustainable commercial model for the long term.
Furthermore, there's a lot of risk for the IdPs in this programme: they're not being paid to build, so they're accepting all the delivery risk; and they will only generate income if they successfully persuade customers to choose their service over the other IdPs' services. Only businesses who have an existing interest in this space (e.g. Digidentity), or a strategic interest in the success of Identity Assurance (e.g. Mydex) are willing to accept the high levels of effort and risk in return for the relatively low early rewards. For banks, telecomms providers or major e-commerce providers, the market lacks the maturity or certainty of reward to incentivise participation at this early stage. They'll come along in future rounds of procurement.
And which ones are going to win?
The winners in the Identity Assurance market will be the IdPs who can persuade customers to select their services over those of other IdPs. The key factors for customers selecting a specific IdP will include:
  • brand: how much customers trust the IdP's brand for these services;
  • channel: availability of the IdPs' service in the customer's chosen channel (online, telephony, face-to-face);
  • value-add: whether the IdP service is integrated with other attractive propositions, such as telecomms, payments or e-commerce.
So how does that list of chosen IdPs stack up against these criteria?
  • brand: Arguably only two of those brands are household names, but remember that these are the prime bidders - many of the bidders will be supported by partners who have dominant online and high-street brands.** When Identity Assurance launches you can expect to see plenty of names you know and trust.
  • channel: Post Office is clearly dominant in the high street, but there's less clarity about the other IdPs' channel presence. That will change when their partners 'uncloak' and we see mobile telecomms providers and ISPs appear within the delivery partners.**
  • value-add: This is the trickiest proposition area, but one in which Experian and PayPal would appear to have a strong competitive edge. If Experian can sell credit reference data to government at the same time as the customer authenticates, then they might well offer their Identity Assurance service for free; likewise, one could imagine PayPal offering identity services to government for free if the customer pays or receives funds through PayPal as part of the transaction.
And it's this last point which will determine the direction of travel for the market far more than any other factor. Once one IdP offers their services 'for free,' then others will be obliged to follow in the commoditisation of Identity Assurance, and the dominant IdPs will be those which have successfully abstracted the business model for Identity Assurance away from a simple transactional delivery, and into a more mature integrated model. A market such as this favours mobile network providers and payment services, and with the inevitable convergence of those markets anyway, I'd expect to see a lot more interest from them in the next round of Identity Assurance delivery. The market will also favour the natural agility of SMEs over big incumbents who will need time to flex their existing business models to adapt to the world of Identity Assurance. As these companies watch the emergence of Identity Assurance, more and more will sit up and take interest.
Who wants to be an Identity Provider? A lot more companies than know it today.
* I've not been party to the actual selection process in DWP, but since to the best of my knowledge no organisations have come forward complaining that their bid was unsuccessful, we can assume that the list of IdPs is pretty much confined to those who submitted bids. So, in response to the question "why are these the selected IdPs?" the answer is "because they're the companies who bid for the role."
** Yes, I know who some of those are, and if you search around you'll find some of them for yourself. No, I'm not mentioning them here because I might be entering into NDA territory.

Identity Assurance: Risk-based trust?



Raj asked the following:

"1. Government's Identity Assurance program accepted eight IdPs. I wonder whether all these eight IdPs have the same trust level? Or who will be responsible in defining the trust level for these IdPs? Why I am asking this is that you mentioned that during the federation of IdPs, DWP may only accept IdP account from IdPs who are above a certain trust level.

"2. It is always better to have a federated IdP system. Because users can store different identities in different IdPs. However, it is not clear, when user approaches DWP, does DWP get users' identities from all IdPs in plain-domain?"

So, to that first point: will all IdPs offer similar trust levels, and who determines those trust levels? Bear in mind that we are talking about risk-based assurance* here, rather than the somewhat less sophisticated 'gold standard of identity' associated with the likes of the abandoned National Identity Scheme. For any given transaction, a Service Provider (relying party) will define the Level of Assurance (LoA) they require for that transaction. The transaction is then referred to the Federation Hub, which will offer the user access to those IdPs which have been certified to deliver services at or above the LoA requested. The user selects their chosen IdP, and either authenticates using their existing credential (for registered users), or undergoes the registration process (for unregistered users - more to follow in another post). The user's authentication can then be referred back to the Service Provider via the Hub, and the user and Service Provider are free to transact at the required LoA.

Whilst for the DWP implementation it is likely that all IdPs will be able to deliver the relatively low LoA required to transact, as the ecosystem matures it would be reasonable to expect that some IdPs will be able to offer higher LoAs than others; for example, a social media logon is likely to carry a lower LoA than a bank credential backed by face-to-face registration and a check of identity documents. That said, even in this situation the bank might encourage users to register at a low LoA, and then to upgrade their LoA at a later stage by providing further registration information.

The trust levels for these IdPs are defined in the Cabinet Office Good Practice Guidelines (GPGs) which include:

These documents are in flux, and the Levels of Assurance defined therein will change as the system is developed.

As for who actually oversees the interoperable trust, that will be the duty of the Trust Framework, which will guide the commercial, technical and legal interoperability of the selected IdPs, and is being prepared by the Open Identity Exchange working with Cabinet Office, DWP and the IdPs (more on that in another post).

To Raj's second question then: When a user approaches DWP, does DWP get users' identities from all IdPs in plain-domain? I take it that you're asking about the Hub service by which the user might select their IdP for a given transaction. As already explained, the Service Provider (in this case DWP) is not involved in the selection of IdPs, which is the job of the Federation Hub. The user may select whichever IdP they choose, so long as it can complete an authentication to the required LoA, and the user may have as many (or few) IdP accounts as they wish; if I were to authenticate with Mydex on one transaction, I could return to DWP and use an Experian credential instead. DWP does not get to see which IdP has completed the authentication, but just receives assurance that it is an IdP it trusts.
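The brokered flow described in the answers above (the Service Provider names a required LoA, the Hub offers only IdPs certified at or above it, the user authenticates with the IdP of their choice, and the Service Provider receives assurance without learning which IdP answered), as an added Python illustration that is not the programme's own code. The IdP names, the 1-3 numeric LoA scale, the certification table, the shared HMAC key and the pseudonym scheme are all assumptions made for this example; it also covers the later step-up of an account to a higher LoA mentioned above.

```python
"""Toy model of hub-brokered, LoA-based authentication (constructed example).

Not the programme's code: IdP names, the LoA scale, the certification
registry, the hub/SP key and the pseudonym derivation are assumptions.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Constructed certification registry: IdP name -> highest LoA it is certified for.
CERTIFIED_IDPS = {
    "IdP-A": 1,  # assumption: a low-assurance, social-logon style provider
    "IdP-B": 2,
    "IdP-C": 3,  # assumption: face-to-face registration with document checks
}


@dataclass
class IdPAssertion:
    """What an IdP hands to the hub after a successful authentication."""
    idp: str
    user_ref: str  # the IdP's own account reference for the user
    loa: int       # LoA the account has actually reached at this IdP


@dataclass
class HubAssertion:
    """What the Service Provider receives: a LoA and a pseudonym, no IdP name."""
    loa: int
    subject: str
    hub_mac: str


class IdentityProvider:
    def __init__(self, name, certified_loa):
        self.name = name
        self.certified_loa = certified_loa
        self.accounts = {}  # user_ref -> LoA the account has reached

    def register(self, user_ref, loa):
        if loa > self.certified_loa:
            raise ValueError(f"{self.name} is not certified for LoA {loa}")
        self.accounts[user_ref] = loa

    def step_up(self, user_ref, new_loa):
        """Later upgrade once the user supplies further registration evidence."""
        self.register(user_ref, max(self.accounts[user_ref], new_loa))

    def authenticate(self, user_ref):
        return IdPAssertion(self.name, user_ref, self.accounts[user_ref])


class FederationHub:
    def __init__(self, registry, key):
        self.registry = registry
        self.key = key  # assumption: HMAC key shared only between hub and SP

    def eligible_idps(self, required_loa):
        """IdPs the hub will offer for a transaction that needs `required_loa`."""
        return sorted(n for n, cert in self.registry.items() if cert >= required_loa)

    def relay(self, assertion, required_loa):
        cert = self.registry.get(assertion.idp)
        if cert is None:
            raise PermissionError("assertion from an IdP the hub does not trust")
        if assertion.loa > cert:
            raise PermissionError("IdP claims a LoA above its certification")
        if assertion.loa < required_loa:
            raise PermissionError("authentication below the LoA the SP asked for")
        # Pseudonym keyed on IdP + account reference: the SP learns neither the IdP
        # nor the IdP's reference, and the same person via two IdPs gets two subjects
        # (which is exactly why the SP cannot enforce uniqueness across providers).
        subject = self._mac(f"{assertion.idp}:{assertion.user_ref}")[:16]
        return HubAssertion(assertion.loa, subject, self._mac(f"{subject}:{assertion.loa}"))

    def _mac(self, msg):
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()


def sp_accepts(hub_assertion, key, required_loa):
    """Service Provider side: verify the hub's MAC and the LoA, nothing else."""
    expected = hmac.new(key, f"{hub_assertion.subject}:{hub_assertion.loa}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, hub_assertion.hub_mac) and hub_assertion.loa >= required_loa


def broker(hub, idp, user_ref, required_loa):
    """Run one transaction end to end; None wherever the hub refuses to relay."""
    if idp.name not in hub.eligible_idps(required_loa):
        return None
    try:
        return hub.relay(idp.authenticate(user_ref), required_loa)
    except PermissionError:
        return None


if __name__ == "__main__":
    key = b"constructed-shared-key"
    hub = FederationHub(CERTIFIED_IDPS, key)
    idp_b = IdentityProvider("IdP-B", 2)
    idp_b.register("alice", 1)
    print("LoA 2 transaction before step-up:", broker(hub, idp_b, "alice", 2))
    idp_b.step_up("alice", 2)
    result = broker(hub, idp_b, "alice", 2)
    print("after step-up:", result, "accepted by SP:", sp_accepts(result, key, 2))
```

The hub refuses to relay in three distinct cases (untrusted IdP, an IdP over-claiming its certification, and an account that has not reached the requested LoA), and the Service Provider's check is deliberately limited to the hub's MAC and the LoA, which is the property the post describes: DWP knows it trusts the IdP, not which IdP it was.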

For the next post, I'll look at the commercial model by which IdPs get paid, and the importance of branding.

* If a given use case only requires a low level of assurance, then the Service Provider should only request a low proof of ID. For example, if my bins haven't been emptied for three weeks then I shouldn't have to provide a credential derived from a passport and two utility bills just to ask them when they're going to collect. 

[Please note these views are my own, and are based upon information available to me at the time of writing, and do not necessarily reflect the latest thinking in Cabinet Office or DWP]

Identity Assurance: Who, where, when?


The government's Identity Assurance programme has finally announced its eighth candidate Identity Provider, in the form of PayPal; the announcement had been delayed pending the completion of PayPal's contract negotiations. This completes the ecosystem of potential providers who may develop certified identity systems for use within the Department for Work & Pensions' first tranche of delivery, which will support the early deliveries of Universal Credit. Other government departments - most notably HMRC - are likely to use this same framework for their early implementations.

Over the next few weeks I'll try, as best I can, to clarify some of the uncertainties and to dispel some of the emerging myths about what Identity Assurance really is. There will inevitably be some threads at the end of which, if we pull hard enough, we'll find a non-disclosure agreement which prevents too much detail, but that shouldn't hinder a discussion about the key points. Throughout this dialogue it is essential to bear in mind that we are discussing an emerging, immature market: this is the start of delivery, not the finished product. There are still many unknowns. DWP is not procuring a big Systems Integration deal in the expectation of a polished system being delivered (when did that ever happen?) later this year, but is instead defining the parameters for a new market within which the providers will compete for identity business.

I'll open by answering a question that was posted here a few months back, namely:

"What are the plans for federation of IdP accounts? Will individuals be able to use their credentials across more public sector services, such as provided by a local authority?"

Identity Assurance is a federated approach to identity services. DWP have already awarded contracts to build their federation hub which will be used to provide interoperation of Identity Providers (IdPs) with DWP. Once in place, any IdP account which is certified to provide the required trust level will be able to provide access to DWP services. When the first services appear in support of the October 2013 pilots, we will have a 'hub and spoke' environment in which the IdPs are connected through the hub; not true federation but the critical first step for interoperability.

True federation of accounts will appear when we have:

  • multiple hubs: as other authorities come to market, it seems probable that they will require their own hubs. HMRC, for example, has extreme seasonal traffic peaks in January, and it would seem perverse that DWP should provide that level of scalability through a single hub. Furthermore, HMRC is likely to require services not supported in the first instance of the hub, for example delegated authority whereby a business' responsible officer (a real person) can operate on behalf of the business (a legal persona), and delegate trust to the business' employees (e.g. the accounts department) and their agents (e.g. accountants, lawyers). DWP has quite rightly omitted these from the first delivery of their hub in order to reduce the complexity and associated delivery risk.
  • interoperability between IdPs: as soon as IdPs come to market, they will be providing online Identity Assurance services to their customers. Those customers will need to be able to authenticate to the IdP, both as part of an Identity Assurance authentication, and in order to manage their own IdP accounts; the IdPs are therefore 'consuming' their own Identity Assurance credentials. As the commercial market for IdPs develops, it is likely that one of the IdPs will make a competitive move by offering to consume other IdPs' credentials (so long as the hub will support that mode of operation); in other words, a customer might be able to obtain services from, for example, PayPal using an Experian credential. Once one IdP does this, the others are likely to follow suit.

Making this happen will require technical and commercial interoperability, coupled with an appropriate government framework (as being prepared by the IdPs through the Open Identity Exchange).
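The delegated-authority requirement mentioned above (a real person acting as a business's responsible officer, who then delegates to employees and to agents such as accountants) is the kind of feature that is easy to get wrong if a delegate can hand out more authority than they hold. The following Python model is an added illustration, not the hub's design or any department's specification: the business, the people, the action names and the rule that authority can only narrow along the delegation chain are all assumptions made for the example.

```python
"""Toy delegated-authority model (constructed example, not the hub's design).

Authority flows from the business (a legal persona) to one responsible
officer (a real person) and from there to employees and agents. Each
delegate's permitted actions are the intersection of every link in the
chain back to the business, so nobody can pass on more than they hold,
and revoking any link cuts off everyone delegated beneath it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    grantor: str          # party handing out authority
    grantee: str          # party receiving it
    actions: frozenset    # actions the grantee may perform for the business


class DelegationRegistry:
    def __init__(self, business, responsible_officer, officer_actions):
        self.business = business
        # The responsible officer is the root of the chain.
        self.grants = {
            responsible_officer: Delegation(business, responsible_officer, frozenset(officer_actions))
        }
        self.revoked = set()

    def delegate(self, grantor, grantee, actions):
        """Grantor passes a subset of its own effective authority to grantee."""
        actions = frozenset(actions)
        allowed = self.permitted(grantor)
        if not actions <= allowed:
            raise PermissionError(f"{grantor} cannot delegate {sorted(actions - allowed)}")
        if grantee in self.grants:
            raise ValueError(f"{grantee} already holds a delegation")
        self.grants[grantee] = Delegation(grantor, grantee, actions)

    def revoke(self, person):
        self.revoked.add(person)

    def permitted(self, person):
        """Effective actions for `person`: intersection along the chain, empty if any link fails."""
        actions = None
        seen = set()
        while person != self.business:
            if person in self.revoked or person in seen:
                return frozenset()
            seen.add(person)
            grant = self.grants.get(person)
            if grant is None:
                return frozenset()
            actions = grant.actions if actions is None else actions & grant.actions
            person = grant.grantor
        return actions if actions is not None else frozenset()

    def may_act(self, person, action):
        return action in self.permitted(person)


def try_delegate(registry, grantor, grantee, actions):
    """True if the delegation was accepted, False if the registry refused it."""
    try:
        registry.delegate(grantor, grantee, actions)
        return True
    except (PermissionError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed parties: a company, its responsible officer, a clerk and an outside accountant.
    reg = DelegationRegistry("Example Ltd", "responsible_officer",
                             ["file_return", "view_account", "make_payment"])
    reg.delegate("responsible_officer", "accounts_clerk", ["file_return", "view_account"])
    reg.delegate("accounts_clerk", "external_accountant", ["file_return"])
    print("accountant may file:", reg.may_act("external_accountant", "file_return"))
    print("clerk may pay:", reg.may_act("accounts_clerk", "make_payment"))
    reg.revoke("accounts_clerk")
    print("accountant may file after clerk revoked:", reg.may_act("external_accountant", "file_return"))
```

Two design choices worth noting: `permitted` is computed by walking the chain at decision time rather than cached at grant time, so a revocation anywhere up the chain takes effect immediately, and `delegate` checks against the grantor's *effective* authority rather than the actions originally written on the grantor's own delegation.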

In response to that second question, Cabinet Office will not only expect individuals to be able to use their credentials across other public sector services, but in the case of central government they are mandating Identity Assurance as the standard for any such proof of ID or attributes. They have no power to mandate it for local authorities, but are preparing 'directed funding' to encourage innovation by industry, local authorities and other bodies to ensure that this happens. There are plenty of local authorities already delivering identity-related services which align with Identity Assurance (with the key differentiator that the authority is the IdP), and it would seem reasonable to expect that over time these will migrate into the ecosystem.

And when does all this happen? We would expect to see the first pilots in October this year, with more widespread use kicking off in April 2014. This is the beginning of the journey, not the end state, and there are plenty of questions which nobody has fully answered yet; I'll be addressing more of those in the near future. 

The significance of the Identity Assurance programme


Consumer empowerment think-tank Ctrl-Shift is carrying an interview with me on the significance of the Identity Assurance programme, in which I speculate on how IDA will grow over the coming months and years:

How do you see the identity assurance market developing?

Over the next 18 months the selected IDPs will collaborate to develop their service offerings and a delivery Scheme which can handle the branding and governance for IDA services. DWP will pay those IDPs to register and maintain identities on a 'per active user, per annum' basis. After that time, other companies will be able to enter the IDP market, and we're likely to see new financial models emerging; for example, social networks which operate at a lower Level of Assurance might offer free transactions to government in order to enhance their own online services, or mobile network operators could integrate IDA services into their customers' accounts.

I would anticipate this resulting in an 'attribute-driven' market for IDA services, whereby government ceases to pay for identification of individuals, and instead pays providers to verify information asserted by those individuals; for example, DWP would not pay my IDP to know that I am Toby, but would pay my IDP to confirm my last year's earnings when I assert them to DWP. This will create a demand-driven market for credit reference data and personal data stores which will disrupt the way that data providers sell to government.
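The attribute-driven exchange sketched above (the user asserts a value to DWP, and the provider is paid to confirm or deny it rather than to hand the value over) is shown here as an added Python illustration; it is not any IdP's or data provider's API. The attribute names, the stored figures, the per-attribute LoA values, the consent-token format and the single-use, time-limited consent rule are assumptions made for the example.

```python
"""Toy attribute-confirmation exchange (constructed example, not a real API).

The relying party never receives the stored value: it learns only whether
the user's own assertion matches, plus the LoA the provider attaches to
its record and a receipt the provider can bill against.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class Confirmation:
    attribute: str
    confirmed: bool
    loa: int           # assurance the provider attaches to its own record
    receipt: str       # reference for the provider's per-confirmation billing


class AttributeProvider:
    def __init__(self, records, attribute_loa):
        self.records = records              # user -> {attribute: value}  (constructed)
        self.attribute_loa = attribute_loa  # attribute -> LoA of the provider's evidence
        self.consents = {}                  # token -> (user, attribute, relying_party, expiry)
        self.audit = []                     # (receipt, user, attribute, relying_party, matched)

    def grant_consent(self, user, attribute, relying_party, ttl=300, now=None):
        """The user authorises one release of one attribute to one relying party."""
        now = time.time() if now is None else now
        token = secrets.token_hex(8)
        self.consents[token] = (user, attribute, relying_party, now + ttl)
        return token

    def confirm(self, token, relying_party, attribute, asserted_value, now=None):
        """Answer 'does the asserted value match our record?' without releasing the record."""
        now = time.time() if now is None else now
        consent = self.consents.pop(token, None)  # single use: the token is consumed either way
        if consent is None:
            raise PermissionError("no valid consent for this token")
        user, c_attr, c_rp, expiry = consent
        if c_rp != relying_party or c_attr != attribute:
            raise PermissionError("consent does not cover this relying party or attribute")
        if now > expiry:
            raise PermissionError("consent has expired")
        record = self.records.get(user, {})
        if attribute not in record:
            raise LookupError("attribute not held for this user")
        matched = record[attribute] == asserted_value
        receipt = secrets.token_hex(6)
        self.audit.append((receipt, user, attribute, relying_party, matched))
        return Confirmation(attribute, matched, self.attribute_loa[attribute], receipt)


def try_confirm(provider, token, relying_party, attribute, asserted_value, now=None):
    """Confirmation on success, None where the provider refuses the request."""
    try:
        return provider.confirm(token, relying_party, attribute, asserted_value, now)
    except (PermissionError, LookupError):
        return None


if __name__ == "__main__":
    # Constructed data: one user, one attribute, LoA 2 for the provider's earnings evidence.
    provider = AttributeProvider({"toby": {"earnings_last_year": 31250}},
                                 {"earnings_last_year": 2})
    token = provider.grant_consent("toby", "earnings_last_year", "DWP")
    print(provider.confirm(token, "DWP", "earnings_last_year", 31250))
    print("reuse of the same token:", try_confirm(provider, token, "DWP", "earnings_last_year", 31250))
```

Because the answer is a boolean plus a LoA, the relying party's view of the user's data stays exactly as wide as what the user chose to assert, and the provider's audit list gives it both the billing record and the evidence trail for each confirmation.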

You can find the full version of the interview here.

DWP Announces First Identity Assurance Providers


The Department for Work & Pensions (DWP) has announced the first seven Identity Providers (IDPs) who will be eligible to provide consumer-facing services within the government's new Identity Assurance Programme (IDAP). IDAP will be critical to the delivery of DWP's flagship Universal Credit programme, so that individuals can engage with the Department online, by phone, and face-to-face, without the need to prove who they are every time they try to transact.

The selected IDPs include:

  • Cassidian
  • Digidentity
  • Experian
  • Ingeus
  • Mydex
  • Post Office
  • Verizon

Many of these bidders will be acting as prime bidders into the framework, with sub-contractors providing specific components of their solutions, and it is possible that their IDP services might be delivered under partners' brands to ensure that they are attractive and recognisable for consumers.

The selected IDPs have not been awarded guaranteed IDAP work: at this stage they are on the framework for IDAP services, and will now need to compete within forthcoming call-off competitions which will fix the price to be paid by DWP for their services (DWP anticipates paying selected IDPs a fixed fee per registered customer per annum). Those IDPs who are able to deliver within the call-off will then develop their solutions in preparation for a test phase in August 2013, and the first pilot project in October 2013.

The IDPs also face the significant challenge of collaborating to form a delivery Scheme, which will provide the necessary contractual framework to ensure self-regulation and interoperability, and enable external certification of IDP services against defined standards through tScheme. The Scheme will also provide a shared branding (in much the same way that Visa or Mastercard do for payment cards) so that consumers can easily recognise a certified IDP service.

The selected IDPs represent the first tranche of providers, acting as pathfinders for a wider identity assurance market. Their exclusivity to deliver IDP services on behalf of DWP will last for just eighteen months (although DWP's contracts are expected to run for four years), after which time DWP is able to bring further IDPs into the framework, most likely under the aegis of the Scheme developed by the first IDPs.

It is also anticipated that HMRC will come to market for IDP services in 2013, and the Revenue hosted a public consultation with potential IDPs over the summer. Whilst HMRC has committed to work within the overall IDAP approach, it is likely that they will require services not defined within the DWP framework (e.g. business identity assurance), and potentially wish to use a different incentivisation model from DWP, and for that reason it is widely expected that a fresh competition to select further IDPs will be held early next year.

Over the coming weeks we will be reporting on aspects of IDAP delivery which have until now been undefined or subject to confidentiality agreements; if you have specific questions about the programme please post them in the comments section and we will focus upon them in future pieces.

(Declaration of Interest: I have been supporting Post Office's ID Assurance work)

(Edited 13/11/12 to amend an incorrect statement about provision of services in different delivery channels).


The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.
