Identity Management – Who Decides?

Today’s DTI Conference on “Ensuring privacy and consent in identity management infrastructures” was a significant step forward for identity management and privacy in the UK. Amongst other things, it demonstrated that Government stakeholders are open to new ideas and, more significantly, they’re prepared to fund them. They’re also attempting to engage a broader audience of contributors from Industry, Government and Academia. I applaud that.

Some cynics would regard my views as optimistic, perhaps a little bit “on message”. That’s not correct. I’ve been a vocal critic of security in the National Identity Card programme, though I found little to fault in what I heard yesterday. I have high standards of expectation about both the level of security and the degree of consultation with the public. But I’m also realistic about the politics, the risks, the opportunities and the options. So I try to frame my criticism in the context of what’s reasonable, affordable and, most importantly, do-able.

Not everyone agrees me. Casper Bowden of Microsoft, for example, questioned the lack of privacy technology professionals in the room, suggesting that the assembled audience might not have sufficient knowledge to shape public policy and research. I disagree. What we need is a blend of visionary technologists, down-to-earth commercial users, experienced social scientists, smart marketers and experienced practitioners. That’s how you solve those difficult, complex social and technical problems.

I believe the UK Government is trying to get that balance right. It’s taken a while to engage some of the key stakeholders. But let’s keep that dialogue going. We must not let important societel subjects be hijacked by the tiny elite of privacy anoraks. I’d rather hear more from the battle-scarred practitioners of real identity management projects, and the social scientists who’ve spent their time trying to understand the motivations of the Echo boomers. We need to draw on a wide range of skills and experience to solve the numerous social and business problems associated with federated enterprise identity management. Please don’t leave such decisions to the handful of enthusiasts, the politically-correct brigade or the (hopefully) shrinking army of neo-Luddites.

Join the conversation

5 comments

Send me notifications when other members comment.

Please create a username to comment.

Whilst I wouldn't go as far as Casper B., I would countenance such optimism at the intentions of spending yet more millions of my tax money on a 3 year research programme that has, effectively, already been done BY THE DTI. Like hello! Where on earth is this joined up government we keep hearing about. The DTI already spent money on the Foresight Programme - Cyber Trust and Crime Prevention - which concluded at least TWO YEARS ago and it raised ALL of the same issues - particularly highlighting that the key element is not the technology but the human factors that need to be addressed. So time goes by, nothing gets done and we attend these events with still the same people talking to each about the same things, raising the same points and there's no feeling of progress. Optimism is to be applauded but in the face of such hubris, its difficult to remain so.... :(
Cancel
I didn't say any such thing David. (Editor's note: I've since revised my original posting.) I asked how many people in the room were on the program committee of a comp.sci research conference primarily or largely concerned with privacy technology. About half a dozen people put their hands up in an audience of at least a hundred. My point was that privacy technology is a highly specialised field where research has advanced rapidly in the past few years. e.g. http://www.csc2.ncsu.edu/workshops/wpes07/ http://petworkshop.org/2007/ http://privare.fbk.eur.nl/idman07/ http://www.ieee-security.org/TC/SP2007/oakland07.html http://www2.pflab.ecl.ntt.co.jp/dim2007/ Much of this work is not known to security practitioners or even mainstream security researchers. If the DTI and research councils are giving out public money ostensibly for research on privacy in identity infrastructures, they ought to be getting leading-researcher calibre advice to peer-review proposals.
Cancel
Caspar, I didn't quote you, I tried to convey the issue you raised, which as you point out, was the question of who is qualified to shape research and public policy in this subject area. I'm absolutely convinced that you and your more-specialist colleagues have a major part to play. But there are other experienced players missing from the current debate. We need their contribution as well as a much wider buy-in to ideas and "laws" being developed by the specialists. I'm not aware of many researchers in the field who have much direct experience of directing identity management programmes, designing effective user and customer awareness campaigns, managing extended-enterprise systems or investigating internal security breaches. You need all this to address the human factors in Identity Management systems. There's more to this field than understanding how a zero knowledge proof operates. (And yes, to answer your question on the day, I do know what that is.)
Cancel
David What I was objecting to was your attribution to me that "the assembled audience was not qualified to debate the issues". I never said or implied that, and I'd appreciate an unequivocal retraction. You are right to stress human factors, and if you had studied Kim Cameron's work - http://www.identityblog.com you would know that his 7th Law of Identity is all about getting this right. In our Whitepaper we set out how privacy properties are also largely determined by choices of architecture http://www.identityblog.com/wp-content/resources/Identity_Metasystem_EU_Privacy.pdf The people who have been entirely missing from the inside track that shaped the current ID scheme are the privacy technology researchers. If I am wrong, name names? [BTW - this is different community from the web-focussed user-centric IdM community, although Stefan Brands - amongst others - has been tirelessly building bridges - http://www.idcorner.org/ ] I'm puzzled by your claim to have been "a vocal critic of security in the National Identity Card programme". I can find pieces where you have been a critic of the critics: https://www.computerweekly.com/blogs/david_lacey/2006/12/id_cards_and_the_perils_of_ide.html ...and where you have advocated weakening security to allow inter-op with Royal Mail smartcard readers... http://www.no2id.net/news/newsblog/?p=310 ...and cheerleading for the unreconstructed scheme... http://www.vnunet.com/computing/news/2146493/home-secretary-sets-business ...but, er, where is the criticism? I'm glad that you're confident you are familiar with the trends in modern privacy research. I look forward to a survey article from you that explains the main techniques, and why you think these are irrelevant to constructing a system which can assure both privacy and integrity.
Cancel
Caspar, Thank you for your comments. My apologies if you feel I have misrepresented your views. It sounded to me as though you were making a strong point that the audience did not contain a sufficient proportion of privacy technology specialists, i.e. they were not qualified to be shaping public policy or research in this area. If that’s not your view, then I retract my comments. (I've revised the original posting to reflect this.) I have always had many security concerns about Identity Cards and I put mine directly to the Home Office via the Private Sector User Group. They concerned risks such as future developments in technology, management of internal threats and security governance. I also visited the Home Office with several other leading CISOs to discuss these concerns. We were satisfied that these points were understood, accepted and were being addressed. But it's a long programme and it requires ongoing observation to ensure that project and budget changes don't allow intentions and tandards to be reduced. I don’t understand your point about weakening the scheme through exploitation of its use in Industry. The systems you refer to do not exist and have not been designed so you cannot possibly comment. If you are suggesting that card should only be used in conjunction with a biometric check for any potential use of the card then I disagree very strongly. I’m pleased that you agree that human factors are important. That’s always been blindingly obvious and I don’t think that Kim Cameron was the first to spot this. I’m surprised you question my understanding of the subject area, but I’d be more than happy to write a research white paper if Microsoft wish to commission one.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close