Recently in News Category


| No Comments
| More

I've a lot of time and respect for my GP, not least because we see eye-to-eye on privacy matters. He shares my concern about the centralisation and automation of healthcare data, not because of any prejudice against the NHS (for which I also have the utmost respect), but because of the inevitable fallibility of any huge institution which brings together people, computers and sensitive personal data.

During a recent checkup he drew my attention to the '' extract of medical records, and showed me some of the internal propaganda he'd received to persuade patients that there was nothing to worry about. Rather than attempt to recount it all, I'd like reproduce a mailer I've received today from the excellent Terri Dowty and Phil Booth at medConfidential.


Information that you share with your GP is about to be extracted from surgery records and stored on a centralised NHS system with your identifying details still attached. From there, it will be made available for administrative, research and other purposes. The government has claimed that your records will be 'anonymised' before they are handed over to anyone else, but this is not true. There are several circumstances in which data that identifies patients will be made available.

Once your information has been uploaded, neither you nor your GP will have any control over who it is shared with, who has access or what is done with it. You will not be consulted, nor will you be asked for consent. Uploads will take place automatically every month.

When you next visit your GP, you may see a small poster headed 'how information about you helps us to provide better care'. This is how the NHS is explaining its plans to you and it is very misleading. It does not give you full details of the information that will be collected and it claims that it will not identify you.

Further down the poster you will see the words 'you have a choice'. What this actually means is: if you do not want personal and confidential information to be taken from your medical record every month, the onus is on you to opt out of the scheme. If you don't do so, it will be assumed that you consent to the extraction.

You can download an opt-out letter to complete and send to your GP from the medConfidential website:

You will also find more detailed information about the scheme - known as '' - on the medConfidential website.

Please tell all of your friends, family and colleagues about this scheme, or forward this email to them. It is very important that everyone knows they must take action if they don't want their information to leave their GP's surgery.

Government Digital Service publishes Identity and Privacy Principles

| No Comments
| More

One of the common concerns about identity-related technologies is the potential for abuse of privacy, and for function creep of the identity system itself: mechanisms which are designed to support authentication end up being used to hoover up personal data about the user's interactions with relying parties, and pose a greater threat to privacy than the alleged security problems which they were originally intended to resolve.

Of course it doesn't have to be that way: systems which are designed around technical, legal and procedural mechanisms which protect, rather than undermine, privacy can be privacy-preserving rather than invasive. This is one of the key philosophies of Privacy by Design, which recognises that good security, good identity and good governance can enhance, rather than degrade, user's privacy.

With this in mind, a team of volunteers has been working with the Government Digital Service to operate the snappily-titled "Identity Assurance Programme Privacy and Consumer Advisory Group," which provides expert advice and a sounding board for GDS and participating government departments to develop and test a set of design and operation principles which are intended to ensure that the Identity Assurance Programme adheres to strict criteria to respect users' privacy: in short, to ensure that it doesn't 'go off the rails.' The IAPPCAG includes the likes of No2ID, Privacy International, Which?, London School of Economics, Oxford Internet Institute and Big Brother Watch, and I've been fortunate to sit on the Group since its inception.

Yesterday IAPPCAG released the latest version of the Identity and Privacy Principles. These nine criteria will guide the development and delivery of the Identity Assurance programme, and whilst we acknowledge that they will need to evolve to respond to changing needs, we believe that they provide a firm foundation on which to build user trust and respect. The principles, which are explained in detail on the GDS blog (where you can also comment on them), include:

1. The User Control Principle: Identity assurance activities can only take place if I consent or approve them.

2. The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed.

3. The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to.

4. The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs.

5. The Data Quality Principle: I choose when to update my records.

6. The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.

7. The Governance/Certification Principle: I can trust the Scheme because all the participants have to be accredited.

8. The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution.

9. The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny.

Of all of these, perhaps the most challenging principle for government will be that last one, particularly in light of PRISM revelations (and doubtless more to follow) and the hubris around censoring adult content. Will there be the appetite for true transparency and accountability in those situations where some degree of privacy is compromised in the interests of national security or user safety? That will be an acid test for whether the UK is on course to become a true digital economy, or is just paying lip service to online rights.

I hope to be discussing the principles further at the next Open Identity Exchange meeting in London on 2nd July. If you want to add to the debate, then do join us.

DWP Announces First Identity Assurance Providers

| More

The Department for Work & Pensions (DWP) has announced the first seven Identity Providers (IDPs) who will be eligible to provide consumer-facing services within the government's new Identity Assurance Programme (IDAP). IDAP will be critical to the delivery of DWP's flagship Universal Credit programme, so that individuals can engage with the Department online, by phone, and face-to-face, without the need to prove who they are every time they try to transact.

The selected IDPs include:

  • Cassidian
  • Digidentity
  • Experian
  • Ingeus
  • Mydex
  • Post Office
  • Verizon

Many of these bidders will be acting as prime bidders into the framework, with sub-contractors providing specific components of their solutions, and it is possible that their IDP services might be delivered under partners' brands to ensure that they are attractive and recognisable for consumers.

The selected IDPs have not been awarded guaranteed IDAP work: at this stage they are on the framework for IDAP services, and will now need to compete within forthcoming call-off competitions which will fix the price to be paid by DWP for their services (DWP anticipates paying selected IDPs a fixed fee per registered customer per annum). Those IDPs who are able to deliver within the call-off will then develop their solutions in preparation for a test phase in August 2013, and the first pilot project in October 2013.

The IDPs also face the significant challenge of collaborating to form a delivery Scheme, which will provide the necessary contractual framework to ensure self-regulation and interoperability, and enable external certification of IDP services against defined standards through tScheme. The Scheme will also provide a shared branding (in much the same way that Visa or Mastercard do for payment cards) so that consumers can easily recognise a certified IDP service.

The selected IDPs represent the first tranche of providers, acting as pathfinders for a wider identity assurance market. Their exclusivity to deliver IDP services on behalf of DWP will last for just eighteen months (although DWP's contracts are expected to run for four years), after which time DWP is able to bring further IDPs into the framework, most likely under the aegis of the Scheme developed by the first IDPs.

It is also anticipated that HMRC will come to market for IDP services in 2013, and the Revenue hosted a public consultation with potential IDPs over the summer. Whilst HMRC has committed to work within the overall IDAP approach, it is likely that they will require services not defined within the DWP framework (e.g. business identity assurance), and potentially wish to use a different incentivisation model from DWP, and for that reason it is widely expected that a fresh competition to select further IDPs will be held early next year.

Over the coming weeks we will be reporting on aspects of IDAP delivery which have until now been undefined or subject to confidentiality agreements; if you have specific questions about the programme please post them in the comments section and we will focus upon them in future pieces.

(Declaration of Interest: I have been supporting Post Office's ID Assurance work)

(Edited 13/11/12 to amend an incorrect statement about provision of services in different delivery channels).

HM Government Loses its Identity

| No Comments
| More

The government has done something very clever, and people seem not to have noticed. With very little fanfare, it was announced last week that all government departments will share a common logo, that of the Crown, with minimal rights to vary colours and fonts. No more huge rebranding exercises, no more bizarre departmental logos, perhaps even an end to the merry-go-round of renaming exercises that the last administration so enjoyed (I imagine that the DTI BERR BIS will be very pleased to hear that).

This change was apparently driven by Martha Lane-Fox's report, and it achieves much more than just saving money on branding consultants (although that's a worthy aim in itself); it creates an environment in which some of the alleged inter-departmental warfare famously lampooned in numerous political satires is potentially defused, since those departments are less characterised by their branding; it creates a common bond through a shared identity; and most importantly, it is an important step towards proper consumer-centricity in service delivery. After all, do individuals care from which public authority a particular service originates? No. Do they wish to deal with multiple departments to obtain those services? No. Do they have any choice in which authority provides those services? No. So why bother wasting money on promoting the brands of particular departments?

The move aligns nicely with GDS' plans to deliver a single website for government. What would be welcome now would be a similar edict applied to regional authorities, so that we no longer waste money on branding individual NHS or police authorities, or local government bodies. 

DotGovLabs opens for business

| No Comments
| More

If you're an innovator with public service delivery ambitions, then you may wish to take a look at DotGovLabs - DirectGov's Innovation Hub which brings together 1,600 SMEs, entrepreneurs and innovators looking at how digital can help solve social challenges. Part of the government's Skunkworks programme, the Innovation Hub aims to help government to engage with experts in digital delivery.

The Innovation Hub was, until recently, only open to invited participants, but now that a critical mass of users has been reached, it's been opened up to anyone who wishes to register.

Declaration: I have no connection with DotGovLabs other than being a registered user.

(Please excuse the lack of posts in recent months. I've been heavily involved with aspects of the new cross-government identity assurance initiative, which has taken up all of my time. I'm hoping to be in a position to talk about that programme very soon).

Change of Identity

| No Comments
| More

Those of you who follow NO2ID, arguably the most successful civil society pressure group of the past generation, may be aware that National Coordinator Phil Booth has just stepped down from the role after six years leading the organisation.

Phil's quite a remarkable individual, both physically and intellectually a very big guy, and has achieved many remarkable things in his time with NO2ID. He grew the group's membership into one of the largest and well-connected lobby groups in the country; established a personal network of peers, politicians, civil servants, technology experts, industry leaders and academics; and successfully beat down one of the last government's cornerstone manifesto commitments with just a tiny budget and his own undrainable energy reserves.

What's most remarkable about Phil has been his ability to engage across the entire spectrum throughout that time. He recognised the need to work with everyone from the ministers pushing the programme, through the suppliers pushing the technology, to the hard core of ID Card opponents who pledged civil disobedience rather than compliance. He remained courteous and focussed even at times when the government was engaged in some very underhand tactics to destabilise both his, and NO2ID's, position.

Of course Phil would be mortified to be solely credited with NO2ID's success, and the power and passion of that body has to be applauded, but there's little doubt that he has been instrumental in getting us to where we are today. I very much hope that once he's taken a break we'll see him back in the ID space, perhaps this time designing the new citizen-centric, privacy friendly authentication schemes that will emerge from Whitehall over the next few years?

What's in a name?

| 1 Comment
| More

Quite a lot actually, particularly in the world of social media. The popularity of Facebook, Twitter etc is very much driven by their flexibility in extending our real-world lives into the virtual in whatever manner we wish, including allowing us to completely reinvent - or fabricate - ourselves online.

The BBC reports on the rather odd case of Facebook allegedly taking down a user's account because she was 'impersonating' Kate Middleton. She wasn't doing that, she just happens to be called Kate Middleton, and I'm sure there are plenty of other Kates out there who share that surname. It's unusual because in most cases, social media sites leave it to users to sort out name ownership amongst themselves, except where there is a clear criminal intent to defraud or mislead.

Our problem is that the glue that binds online personae to their friends/followers/acolytes is their name: it is the primary identifier for the account, and often the tool against which friends may search for each other. For example, I have three social networking accounts: a Facebook profile which I use mainly for social purposes, a Twitter account that is largely focussed on my professional network, and a second Twitter account in which I take on the persona of an entirely fictional character. Annoyingly, the fictional character has more followers than I do, but that's probably because he's much more interesting than I am, and has some very interesting fictional friends.

We have invented a social media world that reflects the simplest of our identifying conventions from the real world. Just like the real world, we can be pseudonymous. After all, a name is not a fixed attribute, and an individual can have multiple names and change those whenever they wish. That may be fine for social media applications, but it's not good enough for a broader ID system, except possibly as a selector that allows an individual to point to the attributes that they wish to associate with a particular transaction or relationship.

Whilst our chosen identifiers are not unique, and whilst we continue to use contextual, changing identifiers such as names as public identifiers, this problem will continue. Names also provide a simple way for third parties to track us across multiple accounts, or to incorrectly assume that individuals who share a name are one and the same, and that is a key privacy weakness. We need the option to use meaningless but unique identifiers that prevent that tracking but ensure that we can uniquely identify ourselves when we wish to do so. More on that in another article.

In the meantime, I'm pleased to see that the top handful of hits against my name in Google report on my many acting successes, my distillery and US real estate business. Maybe I am as interesting as my fictional persona after all?

The State of the Electronic Identity Market

| No Comments
| More

The European Commission's Institute for Prospective Technological Studies (IPTS) has published a report on 'The State of the Electronic Identity Market: Technologies, Infrastructure, Services and Policies.' I co-authored the report together with teams from IPTS and Consult Hyperion, with the objective of exploring where individuals' identity data are converted into credentials for access to services.

The document concludes that the market for electronic ID is immature. It claims that the potentially great added value of eID technologies in enabling the Digital Economy has not yet been fulfilled, and fresh efforts are needed to build identification and authentication systems that people can live with, trust and use. The study finds that usability, minimum disclosure and portability, essential features of future systems, are at the margin of the market and cross-country, cross-sector eID systems for business and public service are only in their infancy.

This was a particularly tough document to write, since the scope of ID is potentially so large, yet there are so many confused and conflicting concepts, terminologies and delivery approaches. Qualitative data about the value of ID services is almost non-existent, and tends to focus principally upon enterprise identity management technologies. At the time we wrote the document, the UK was gripped by the inertia and non-delivery of the failing National Identity Service, and the impact of that is reflected in the document.

The report is available for free and can be downloaded here.

Talking balls on Facebook

| 1 Comment
| More

The NHS Choices website is a cornerstone of the government's drive for health service efficiency and to move service delivery online. Users can log on to find out more about NHS services, and to use a symptoms checker to understand what might be wrong with them and (hopefully) seek medical attention where appropriate, or save a doctor's time if their condition turns out to be nothing more than a cold. The site has made an effort to engage with social networking sites, such as integrating the Facebook 'Like' button. And as Mischa Tuffield of Garlk has spotted, this is where we get a big privacy FAIL.

Mischa points out that a visit to a NHS Choices conditions page calls on four external service providers:





Two of these - Google Analytics and Webtrends - are used to monitor web traffic. In theory the privacy implications are relatively minor, although in certain scenarios it should be possible to identify an individual user subject to access to other information. It's odd that the NHS has chosen to use third-party analytic services rather than implementing their own. This problem has been explored in detail elsewhere, so I won't dwell on it here.

However, the Facebook and Addthiscdn links are there to drive the Facebook 'like' service, and this is where our problems begin. If a user visits the page from a browser that they've used to access Facebook before, then Facebook automatically gets to know that they've been to that particular conditions page. That means that if someone is concerned about a particular condition - let's say testicular cancer - then if they've been to Facebook before, then Facebook gets to find out about that interest. Not good. And it gets worse - let's say that the user feels they've received useful information, and clicks on the 'Like' button (or does so accidentally) - then it shows on their Facebook profile, and that's really not good at all. Imagine being worried you have a serious illness that you don't want to worry your spouse about, and accidentally clicking 'Like' - they get to find out. So does a potential or current employer if they're checking your profile. The consequences could be very significant indeed.

I'm really quite shocked that NHS Choices has allowed this to happen, and more importantly that they have clearly failed to apply any form of effective Privacy Impact Assessment to how they deliver health information. If they do wish to connect to Facebook or analytics engines, then they should be making it an explicit 'opt-in' for the user before any information is shared at all. The NHS' privacy policy has completely outsourced the problem to Facebook, so that users are left in the dark about the consequences of this functionality.

I'd like to hope that Mischa's research will force the NHS to modify the website, and that at the very least the functionality will be suspended until the privacy issues have been properly investigated.

[Thanks to Ian for pointing this one out]

The best password reset... ever...

| No Comments
| More

A hidden gem on the BBC website points us to what has to be the very best helpdesk call that has ever been made: US presidential nuclear codes 'lost for months'

It would appear that at some time around 2000, one of Bill Clinton's aides misplaced the launch codes for the US' nuclear arsenal, and that the mistake was covered up for a number of months before the periodical password change came around and the problem was rectified.

I'm left with a vivid image of a call to the helpdesk "We can arrange a password reset Mr President. Please could you give us the month and year of your birth, and the first two letters of your mother's maiden name?"

[HT Caspar for pointing this one out]


The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.

Subscribe to blog feed



Toby on Twitter

    Recent Comments

    Erik C Gruet on Identity assurance and th... : I think the solution lies in sharing data across m...
    Toby Stevens on Identity assurance and th... : Peter, I can't speak for GDS, but I agree that the...
    peter wells on Identity assurance and th... : (Declaration of interest: I've been working on #di...


    -- Advertisement --