How I learned to stop worrying and love identity assurance

The past week has seen a surge in media coverage of the government’s new Identity Assurance (IDA) programme, as the Department for Work & Pensions prepares to announce the first group of Identity Providers (IDPs) to be awarded services under their procurement framework. Those who know me will be aware that I played a minor role in trying to persuade the last government to change its plans for ID Cards, and that I became known as an opponent of that scheme; but for the past two years I’ve been engaged by the Post Office to support the shaping activities around the development of the Identity Assurance programme.

So what persuaded me that IDA is a good idea?

The National Identity Scheme was possibly one of the most ill-conceived and illiberal public sector programmes that the UK has ever seen. The government legislated an architecture that would create tens of thousands of endpoints, used by hundreds of thousands of users, all linked in to a central database that would provide a ‘deep truth’ on every person in the UK. Every interaction with the State would disappear into that melting pot, which would become a panopticon of our lives.

ID Card supporters promised that the scheme would defeat terrorism, stop illegal immigration, put an end to serious and organised crime and make our lives easier, but each of these objectives fell by the wayside as the project developed. They promised it would be hosted in a secure database but then had to fall back to distributing the data across three silos, none of which were designed for the purpose. They promised it would be secure, whilst simultaneously having to dismiss public servants by the dozen for misuse of existing data sources. They promised it would be accurate, yet needed to legislate compulsion that we would update our own records. They promised that carrying an ID Card would not be compulsory, whilst mandating registration and usage of that card.

Like many others, I was radicalised by the National Identity Scheme. It provoked me into speaking out against the government, something which I had never considered before. As I worked with the likes of the London School of Economics, the Information Commissioner’s Office, and (oddly) the Identity & Passport Service, I believed I’d channelled my inner privacy advocate. But over time I came to realise that in fact my objections stemmed not from a civil liberties motive, but as a taxpayer: I was angry that the government was willing to pay something between £6bn and £17bn (depending upon who you believed) for a system designed to serve the needs of civil servants seeking a ‘deep truth’ about every individual in the UK, driven by a ‘gold standard of identity’. It was designed around their needs, not those of the public.

The scheme was lunacy. It had to be stopped. And then in 2010, with the new government, it was. ID Cards went out, and the National Identity Scheme was literally put in a shredder. The ‘Intellectual Pygmies,’ as a former home secretary nicknamed the privacy advocates, had won the battle, and danced their victory dance.

The intellectual pygmies do their dance. They’re not pygmies, intellectually or physically.

But nature abhors a vacuum, and without a clear strategy for population-scale ID, what would fill that space? The Coalition promised it wouldn’t be another National Identity Scheme. But politicians’ promises can’t, ahem, be treated as cast-iron guarantees. A vestigial tail of National Identity Cards still exists in the Foreign National Biometric Residence Permit, and some Opposition MPs still speak of their ambition to bring the scheme back from the dead. If those of us who care about privacy, and about how much tax we pay, wish to drive a stake through the heart of intrusive identity schemes, then we need to build something better to take its place. Something so good that nobody would throw it out. And that’s where Identity Assurance comes in.

Surprisingly, the genesis of IDA came from the same government that brought us ID Cards, when in 2008 HM Treasury published Sir James Crosby’s report on ID which recommended a federated, not centralised approach that flew in the face of the prevailing policies. Not surprisingly, the government hated it and did its level best to bury it, but it was the seed for the new IDA scheme. 

The IDA approach builds upon tried and tested principles which are already being hammered out by the likes of the Open Identity Exchange, working with a collective of experts, potential providers and pressure groups from the UK and overseas. The IDA programme differs from its predecessors in many ways, not least in that public bodies can’t be Identity Providers (IDPs): IDPs will be exclusively private sector.

Users can have as few or as many credentials, with as few or many IDPs, as they wish. They can change providers, use credentials for different directed means, and hopefully we will have an environment where any of the cards in their wallet, or their phone, could be usable as a high-assurance credential to interact with government. If they choose not to use IDA then they won’t have to – it will augment, rather than replace, existing means of engagement. That said, if IDA is successful then it would make sense for government to scale back other authentication mechanisms if the public choose IDA instead.

IDA gives us an authentication environment that is anonymous, pseudonymous, distributed, and not subject to centralised control. Government doesn’t get to track our interactions, our movements, our dealings with our IDPs. The design is a truly user-centric approach which embodies the Government Digital Service (GDS) mantra of “What is the user need?” by treating the users as the end customer, rather than the civil servants. 

It’s also a risk-driven strategy that ditches the traditional ‘deep truth’ about each citizen; instead, relying parties must determine transactional risk, and hence what level of identity assurance they need for any transaction. Simple services such as a request for information about local authority benefits might be achieved using lower levels of assurance from social login (the much-speculated ‘Facebook’ ID), whereas payout of those benefits might require the higher levels of assurance provided by a face-to-face verification of the user and their proofs of identity. That’s a really big change for government, and I suspect that many public authorities will struggle to grasp the idea that they don’t need gold-plated identities and attributes to support low-risk interactions.

Under the IDA approach we, the users, are treated as the single source of truth about ourselves. We get to review and update our data. We store it where we want, with whom we choose, and can even delete it if we wish. We can become our own Data Controllers (and it is hoped that in the future the Data Protection Act might be amended to support just that scenario).

And GDS’ adoption of the fresh approach to privacy is more than skin-deep: rather than putting their hands over their ears and saying ‘la la la’ whenever the word ‘privacy’ is mentioned (as some other government departments were accustomed to doing), GDS created the snappily-named Identity Assurance Programme Privacy and Consumer Advisory Group, which comprises a range of privacy advocates and technology experts who have developed the principles which will dictate the privacy approach for IDA. GDS are also working to ensure that the approach aligns with Kim Cameron’s Laws of Identity. 

So where does the IDA journey take us? The logical endpoint is an environment in which minimal disclosure proof of attributes is the norm; that is, that we are able to prove something about ourselves without revealing any other information (Dave Birch uses the great analogy of ‘Psychic ID’). Relying parties get to see nothing more than information that is essential to validate our entitlement for the service we request. If – and I know that’s a BIG if – we can hold true to the system principles and deliver pervasive identity assurance, we could create an environment where it is normal to assert attributes without even identifying ourselves.

There’s no promise this will work. Sure, the technology is tried and tested, but the commercial and policy challenges are huge, and there is still much to be done – hammering out the contracts, legislation changes and cross-government policies is a job that has only just begun. But in an environment where we lack any trusted population-scale online authentication mechanism, IDA is better than all the other options, and I’d rather we run the risk of failure because our ambitions are too lofty, than because they are too low. If IDA can deliver on its promises, then we might just create an environment where the prevailing identity mechanism protects – rather than degrades – our privacy.

And that’s why I support IDA.

(This article is based upon a flash talk I gave at the RSA Conference Europe 2012).

(Declaration of Interest: I have been supporting the Post Office’s work on IDA).