Yesterday afternoon I was tied up running a small conference when I received an email from a friend telling me that the Home Secretary had scrapped compulsory ID cards. My first reaction was to take that at face value - that the scheme had been binned as a result of the Home Secretary's policy review. Clearly that was the reaction of the media as well - the BBC, the broadsheets and tabloids, even the Metro are running the story that the government has been forced into an embarrassing U-turn*on the National Identity Service, with '£1bn wasted' according to the Metro. The media appear triumphant that the CWIC airside worker trial in Manchester has been switched from compulsory to voluntary, and there will be no compulsion to have an ID Card.
But we're so very wrong, and that's the genius of IPS' communications team.
All that has happened here is that the Home Secretary has reiterated the legislation (Identity Cards Act (2006)) by restating that there will be no compulsion to have an ID card. There never could have been such a compulsion without secondary legislation. Furthermore, work on the National Identity Register continues unabated, and in fact the Home Office is now speeding up the plan for enrolment into that database, which will happen as part of the passport application process. So in one stroke, IPS has managed to persuade the media that the National Identity Service is dead, when in fact enrolment will happen faster than before, and simultaneously distract attention from the delayed CWIC implementation.
The real genius of the move is the headlines that it has created: a seed has been sown in the public's mind that the National Identity Service is no more. If that seed can be made to take root, then ID Cards will cease to be a manifesto battle in the next election. The public won't want to hear debates about something that they believe to have been dropped already. The media will lose interest in an ex-project. And it will continue without the baggage of the public protests (although I'm sure NO2ID will continue their work).
I'm also deeply concerned by a small headline on the BBC feed this morning. In his announcement yesterday, the Home Secretary dropped any sense that ID Cards will be of use in protecting national security or fighting serious and organised crime, instead stating that:
"That is why I have announced today that I intend to see their introduction speeded up. The benefits are not just for individuals but also for communities where a reliable proof of age will be invaluable in the fight against underage drinking and young people trying to buy knives. But at the same time, these cards will benefit young people who, on average, have to prove their age more than twice as often as adults and I want to make that process simple and secure."
Proof of age comes to the forefront of the Scheme's purposes, and with it the fight against knife crime. On the same day, the BBC published the following article:
Trading standards officers have called for a ban on online knife sales after a machete was sold to a 15-year-old for £1.50 over the internet. The potential weapon was delivered in the mail in bubble wrap and cardboard to the teenager who was testing underage sales for trading standards.
To my mind, there's no coincidence here. The government will now shift the focus of ID Cards purposes to meaningless** proof of age arguments, and if it can make it harder for young people to access adult services or goods without proof of age, then they will be coerced into taking an ID Card because life becomes too difficult without one. Expect to see more articles like this, claiming that all teenage social ills could be resolved with a proof of age scheme (which incidentally already exists in a number of successful independent approaches as well as the government's own Proof of Age Standards Scheme (PASS)). We're going to victimise our youth to push this policy through, and that saddens me.
So rumours of the National Identity Service's demise are very much ill-founded - it's alive and well and blossoming. And if I ever have to manage such a difficult project, I'd like IPS' current communications team on my side, since clearly they could sell snow to the Inuit.***
* as a colleague pointed out recently, it's more of a J-turn if something is already going backwards at speed...
** if a young person wants a knife, they can get one from the kitchen drawer. A machete is possibly the least practical edged weapon that anyone could ever choose to carry around with them.
*** to see how this happens, watch the brilliant "Absolute Power" episode on "Identity Crisis"
]]>In his letter to the Home Secretary, Mr Ewing said:
"Given the current financial climate, I believe the UK Government should have better uses for the vast sums of money being spent on this scheme which presents an unacceptable threat to citizens' privacy and civil liberties, with little tangible evidence to suggest it will do anything to safeguard against crime and terrorism.
"In the midst of a deep recession, with more job losses announced nearly every day, it simply beggars belief that the UK Government is pressing ahead with this costly scheme."
The Scottish Government has on a number of occasions made it clear that it will not make access to devolved public services dependent upon an individual registering for, or carrying, an ID Card - in other words that the only uses for an ID Card north of the border will be those that have been legally mandated by Westminster.
That's not to say that the Scottish Government are luddites about ID issues, quite the opposite in fact. Their identity panel has worked to develop a series of common binding principles across all public authorities to ensure that any system that requires identification or authentication technologies complies with a set of rules governing proportionality, interoperability and privacy. Scotland also has a number of programmes in place to facilitate citizen entitlement and public services without the provision of large centralised public databases, and the implications of these were explored in EPG's stakeholder engagement report on behalf of the Identity and Passport Service.
It would be good to see the lessons being learned in Scotland replicated across the rest of the UK, rather than being rejected by the government. In the meantime, Scotland appears to be well on the way to creating a much more balanced environment for ID technologies than the rest of the UK.
* The server appeared to be down at the time of writing
]]>Unfortunately that's a pretty hollow threat for the suppliers, and there's not a hope that any of them will rethink their delivery plans on the back of it. Aside from the fact that the suppliers will obviously have factored a change of government into their risk models, there are three key reasons why they won't rethink their approach:
This highlights one of the policy dilemmas that the Conservatives have created for themselves: it's not enough just to cancel the ID Cards programme, they have to come up with a more constructive alternative that takes into account both our international commitments and the needs of public authorities and industry for a trusted authentication infrastructure.
It'll also be interesting to see whether this reignites the spat between Intellect and the Conservatives, where John Higgins wrote to then shadow Home Secretary David Davis to warn him not to interfere in the IT industry, which was countered by a wonderful open letter from Davis in which he chastised Intellect for its involvement and promised that a Conservative government had learned how to deal with the IT industry.
[Declaration: I have no commercial relationship with any of the ID Cards framework bidders, although HP (who own EDS) are members of the Enterprise Privacy Group]
]]>I guess we probably shouldn't be surprised at such a spectacularly underwhelming and unimaginative approach; after all, innovation is hardly the flavour of the month in the present government, and there would be little appetite to upset major industrial interests. But the fact that the document completely disregards the need for a trustworthy identity management infrastructure, and whilst it pays lip service to privacy, it ignores the importance of privacy as a core strategy objective, instead favouring the need to track down file sharers and expose individuals' details when major corporations ask for them.
I'm sure there's probably some good stuff there in areas that are of less interest to me, but the fact that Lord Carter's review fails to consider the reasons that people don't want to go online - fear of fraud, loss of privacy, uncertainty about to whom they can turn when things go wrong - shows that once again government policy has abandoned the needs of the user in favour of the needs of the state.
]]>It's not a bad document at all, and it'll be interesting to compare with Digital Britain when that appears later today. Hathaway was writing for the most senior of policymakers, with just a 60-day timeframe to do so, and as such her document remains very much a high-level policy statement that isn't really news for a security professional: the government has to take responsibility for cybersecurity from the highest executive levels; policies, plans and performance metrics are essential; collaboration with industry and foreign countries will underpin the framework; citizen awareness will change behaviours. All the sort of security recommendations we're accustomed to hearing even at a corporate level.
What particularly interested me was the assertion that cyberspace must "support US goals of economic growth, civil liberties and privacy protections, national security...". The US has prioritised privacy above national security, which is very different from our approach here in the UK where national security 'trumps' any liberties consideration.
There is, for me, one key problem with Hathaway's report. The requirement for an identity management vision and strategy is mentioned towards the end of the body text, and appears as the last of the ten near-term recommendations. That's great to see, but it fails to prioritise the importance of the IdM approach:
That said, it's an interesting report and I doubt I could better it, so let's hope that Lord Carter's document is up to the same standard.
]]>Over the past five years, successive Home Secretaries have managed to obfuscate the boundaries between the government's international obligations and their own policy desires; between which components of the National Identity Service serve the Identity Cards Act and which serve other border control and security legislation; between the costs of each component; and between how much of the awarded contract values are tied up in cancellation clauses were the scheme to be scrapped. This is most dramatically demonstrated by the fact that Foreign National biometric visa cards are being branded as ID Cards despite the fact that they are issued under completely separate legislation.
So when the review of the NIS goes through, it may well recommend scrapping ID Cards, but I suspect that it will support ongoing work to issue Foreign National cards, critical worker (CWIC) cards, biometric passports and the centralisation of biometric and biographical information into the National Identity Register. In other words, all that will change is that we won't receive the bit of plastic - everything else will continue regardless.
That would score the Home Secretary his PR win of 'scrapping ID Cards', and allow him to shave just a few million pounds off the scheme, although of course it could save many billions of pounds for the other public authorities and private companies that would otherwise have been obliged to purchase card reader equipment. But the cost to the UK would be far greater than the current approach, since we would continue with the bulk of the expense - and the associated hit on civil liberties - but effectively abandon any hope of achieving any of the Identity Cards Act's stated purposes of improving public service efficiency, whilst simultaneously denying businesses the ability to benefit in any way whatsoever.
This shaved down approach to ID Cards would scale the project back to providing border security, law enforcement and right to work functions. That makes the approx. £5bn cost over the next 10 years look rather expensive when any anticipated savings disappear.
What's the bigger picture here?
There is a growing concern within industry, including many individuals and organisations who have long been opposed to the National Identity Service, that abandoning or scaling back the NIS will create a policy dilemma. For five years we've been waiting for the NIS to emerge, and the UK has fallen behind a host of other nations in its provision of identity-related services. Public authorities are reluctant to invest in their own regional or application-specific ID approaches when they've been told to expect the NIS as a trump card to beat all other programmes. Private companies have stagnated in the development of technologies or infrastructure because of the risk that whatever they come up with won't be compatible with the NIS - the lack of standards or a coordinated business approach from government has effectively stifled innovation in this space.
If the NIS is removed from this scenario - or worse still, pared back to eradicate any functionality that might assist authorities other than the Home Office - then we will see a host of public sector programmes appearing to fill that void, and the expansion of functionality expected from the likes of ContactPoint and Government Gateway (and we already know what happens when programmes have extra functionality thrust upon them half way through their development). Industry will start to build a host of competing technologies and initiatives that confuse and divide the market for identity-related services, and suppress any hope of a sensible federated trust approach to pan-industry collaboration. Other countries will leap ahead in competitiveness, leaving the UK as a developing nation in technology terms - so much for 'broadband Britain.'
So what should the Home Secretary do?
The National Identity Service is already too convoluted, confused and chaotic to be able to withstand yet another Home Secretary messing with its objectives and delivery plan. We either have to scrap it and repeal the Act - as opposition parties have committed to do - or continue along our current path but with a much greater focus upon public service efficiency and commercial benefit, as was advocated by the government's own report into the scheme. My preference would be to scrap the Act and start again, but this time basing the project on a more commercially- focussed and citizen-centric approach (those two objectives are complementary, not competing). But we must do something in this space, since ignoring ID would carry an even greater risk for the UK.
As a friend and colleague recently said: "The only thing the government could do now that would be more stupid than building the NIS, would be not to build an NIS".
]]>So, on Saturday morning when the facility was switched on, I was one of the allegedly 500,000 individuals who logged in and grabbed a username. Unlike some of the others though, I just stuck with my own one. The Sunday Times reports that cybersquatters have already moved in on some notable names, such as Prince Charles, Downing Street, Girls Aloud (who they?), Rolls-Royce, Waitrose and Morrisons. Quicker off the mark were Buckingham Palace and David Cameron.
Facebook does have policies for closing and recovering accounts, which should give trademarks some degree of protection over their names, but if you think there's a future on Facebook for you, get over there quick and register your name before someone else does.
]]>Challenging assumptions
But innovation is going to be our saviour. We have to embrace radical change if we are to keep pace with delivery needs, and to do this it’s time to challenge some of our assumptions about data sharing. We need to start thinking much more radically about how we architect our delivery processes. To keep things brief, I’d like to offer three examples of assumptions that must be ditched and reconsidered for the 21st Century:
So what to do about it?
Clearly the solution to this is going to be extremely complex. I’d like to make three recommendations that would, in my opinion, set us on a path towards improving data handling practices and minimising data loss incidents.
We need to educate policy-setters in the language of privacy, identity and security. They simply don’t have the taxonomy to discuss critical concepts of privacy and identity. Hopefully, MPs now understand that no system can be kept 100% secure, even if it does contain their expenses, but policymakers also have to understand how to specify new systems. For example, we rarely have to ‘identify’ anyone outside of a border control or law enforcement environment - instead, we need to verify their credentials. But all too often the policymakers are unable to express their wishes, and we end up building yet another ID system that will gather huge amounts of personal information unnecessarily.
Secondly, there is a pressing need for prescriptive standards for security and data protection that can be applied across all public authorities, not just central government. All too often I come across local authorities where the IT staff aren’t vetted to a sufficiently high level to be able to read the Manual of Protective Security and other standards that they should in fact be using to protect their own systems. Local government cannot afford to push all its staff through clearance and then apply Cheltenham’s requirements to all its systems. We need a pragmatic new set of rules for data management. The emerging data protection approaches from the BSI and BCS are good first steps to help this, but there’s going to need to be policy changes from the very top before they become useful.
Finally, I’d argue that now - in the middle of a recession - is precisely the time to innovate. We need to challenge our assumptions about what is expected of public authorities; about how we procure IT and from whom; about whether we should be collecting or sharing personal information at all. We need bold, brave thinking, and those who have to do it need to know that they will be supported if there are failures, not pilloried by the media and left out in the cold by their managers. It’s innovation that will put an end to our data loss problems, and build a platform for 21st Century information management.
[This article is the text from a panel speech I delivered at GC Live on 9th June. Many thanks to the GC Live team for the chance to speak at an excellent event ]
]]>Without standards, every organisation has to go through the expense and hassle of inventing its own standards from scratch, and risks the possibility that the implemented home-grown controls, and the individuals responsible for managing and auditing them, simply aren't up to scratch. In the current climate of greater scrutiny of standards that's a big risk to take.
To date, we have yet to establish a practical, globally accepted standard for privacy or data protection that any organisation can adopt. Sure, there are some excellent sector-specific or solution-specific standards out there, but nothing that is universally recognised in the way that ISO 9001 for Quality Management, or BS27001 for Information Security are. This is largely because of the rapidly-evolving and globally diverse nature of data protection law - there are simply too many different objectives for a standard to hit.
The BSI has therefore stepped in with an approach which rather than trying to address all the requirements of the law, instead develops a 'Personal Information Management System' - a set of processes that provide a framework for personal data governance.Quoting BSI's website on the standard:
The British Standard, BS10012 Data protection. Specification for a personal information management system has been developed to establish best practice and aid compliance with data protection legislation. It is the first standard for the management of personal information.
BS 10012 specifies the requirements for a personal information management system (PIMS), which provides an infrastructure for, among other things, maintaining and improving compliance with the Data Protection Act (DPA) 1998.
Rather than prescribing exactly how operations should be run, BS 10012 provides the framework which will enable effective management of personal information. It can be used by organizations of any size and sector to create a tailored management system which includes procedures in areas such as training and awareness, risk assessment, data sharing, retention and disposal of data and disclosure to third parties.
This is a valuable first step in defining a privacy standard, and the team behind it are to be congratulated on their work, but it's far from a panacea, and I suspect that it will gain little support from industry in its current form - I certainly doubt that we'll see organisations attempting to 'comply' with it. Our problem is one of creating and maturing an acceptable standard: despite the consultation period, the standard needs to be released into the wild to see what a broad audience makes of it. BS7799 - which became ISO27001 - took a lot of criticism in its first release, and it needed several iterations of revision before it received widespread acceptance.
If I were to offer just one particular criticism of the current approach, it would be that it does not incorporate any form of Privacy Impact Assessment or similar risk analysis. This means that the specified controls are highly prescriptive without necessarily addressing the organisation's real needs, and we're likely to see a lot of complaints that as a result the controls are onerous and top-heavy for a lot of potential users. Future revisions must incorporate a risk-driven approach if they are to be scaleable and proportionate for user organisations.
BS10012:2009 a welcome first step towards privacy standardisation - but don't mistake it for a panacea.
[Declaration of Interest: I am a BSI Committee Member (which is an unpaid role) and was part of the BS10012 group, although I was unable to attend the development meetings because of other commitments]
]]>This is a theme we've discussed before, and one that is becoming increasingly widespread: just last week a senior ACPO representative reiterated his belief that practical applications of CCTV are few and far between. The Home Office is trying to force pubs, clubs, shops and off licenses to install CCTV, despite their experience of what happens when ordinary citizens have the ability to film the police in action, and the fact that this is now technically illegal. And there are still big problems with retention of CCTV images and the difficulty of obtaining subject access to those images.
We need greater honesty about why the government is keen on CCTV: it doesn't prevent crime, but moves it to other areas. CCTV is pretty useful to protect property (for example, when I park at the station I try to ensure my car is within the gaze of a camera). When properly implemented and used, CCTV makes for a great evidence tool, so I've no problem with cameras at bank counters. But when CCTV is used instead of an effective police presence then we run into problems. If the police, or a private organisation, choose to use CCTV in place of a person on the ground, then as well as a Privacy Impact Assessment they should be encouraged to release an economic statement to justify why they have chosen to use cameras instead of eyes. Considering CCTV as an economic, rather than a security, tool would make for a much simpler and easier debate all round.
[Thanks to FIPR for the link]
]]>I'll be writing about all these next week, but this past week's been consumed by preparing for our Identity and Privacy conference. For those of you attending, I look forward to catching up with you there, for everyone else normal blogging service will be resumed shortly.
]]>William's now set the lawyers on Orange - you can follow his progress here.
]]>The conference will be held on 14th and 15th May 2009, sponsored by Consult Hyperion with support from HP, Microsoft, Symantec, Verisign and VoicePay. The Forum will be held at the Guoman Charing Cross Hotel, London, and will be structured around four sessions - 'online identity', 'privacy and consent', 'sharing front line experiences' from the public sector and 'catching up with biometrics' - together with interactive expert panel discussions.
Why are we kicking off this new Forum? Well, for some years the Digital Identity Forum and EPG have been running their own events every year and usually only a week or two apart. We've noticed that the overlap between the events - in terms of subjects, speakers and delegates - has been growing year-on-year, so we decided to get together and focus our efforts on one event that inherits both traditions: debate, discussion and learning in a relaxed atmosphere, mixing technology, business and policy to try and create new ideas, new breakthroughs in identity management for the 21st century.
We have only a limited number of seats for this event, and a small pool of FREE TICKETS. Please contact me directly if you're interested in joining us at the event.
[Please excuse the blatant plug - but this is a not-for-profit event with any profits going to charity]
You've Been Uploaded
Private Eye, 1 May 2009 p.28
The government's NHS database grows apace in its so-called pilot areas, despite its legality being cast in doubt by the European Court and, more recently, the Rowntree Trust... in six pilot areas (aka "early adaptors"), the government has already allowed primary care trusts (PCTs) to upload the so-called summary care records (SCRs) of some 248,000 patients -- almost certainly without the knowledge of the vast majority.
At one south Birmingham practice, for example, the records of more than 11,000 patients have been put on the database. Only 38 people were canny enough to opt out. To do so, they have to surmount various hurdles...
When given full information about the database by wary GPs, virtually no one has allowed their records to be transferred. For example, at the Oaklands practice in east Hampshire, not one of the 11,500 patients have asked for their records to be transferred. Dr Neil Bhatia, the so-called Caldicott Guardian charged with data protection in the area, has decided that only those who give their express consent will have a summary care record on the system. Accordingly, no one did.
The difference between the patients in south Birmingham and east Hampshire seems to be obvious. Those unlucky enough to be in the pilot areas are on the system; those with conscientious GPs scandalised by various government data cock-ups are not.
What we witness here is the importance of any decision to opt-out of a database when compared with opting-in. In the absence of any compelling benefits case for the public to be part of NPfIT, they choose not to be. The government is well aware of this problem, and has for some time now set the bar very high indeed for anyone wishing to opt out.
Some two years ago I wrote to my GP asking that my records (and those of my children) be marked with an appropriate Read code to indicate opt-out. He sent me back a copy of the letter from the Health Secretary instructing GPs not to permit patients to opt-out, but instead refer those enquiries directly to the Department for Health. He'd highlighted the relevant paragraph and then written "like hell I will" next to it, together with confirmation that the requested Read code had been set.
GPs recognise the conflict that NPfIT creates with the Hipocratic Oath. Privacy advocates and database experts certainly know the privacy dangers of this scale of centralisation of personal information without consent. Hopefully, the Department for Health will begin to understand these issues before NPfIT goes completely off the rails with all our medical records aboard.
]]>