The significance of the Identity Assurance programme

Consumer empowerment think-tank Ctrl-Shift is carrying an interview with me on the significance of the Identity Assurance programme, in which I speculate on how IDA will grow over the coming months and years:

How do you see the identity assurance market developing?

Over the next 18 months the selected IDPs will collaborate to develop their service offerings and a delivery Scheme which can handle the branding and governance for IDA services. DWP will pay those IDPs to register and maintain identities on a ‘per active user, per annum’ basis. After that time, other companies will be able to enter the IDP market, and we’re likely to see new financial models emerging; for example, social networks which operate at a lower Level of Assurance might offer free transactions to government in order to enhance their own online services, or mobile network operators could integrate IDA services into their customers’ accounts.

I would anticipate this resulting in an ‘attribute-driven’ market for IDA services, whereby government ceases to pay for identification of individuals, and instead pays providers to verify information asserted by those individuals; for example, DWP would not pay my IDP to know that I am Toby, but would pay my IDP to confirm my last year’s earnings when I assert them to DWP. This will create a demand-driven market for credit reference data and personal data stores which will disrupt the way that data providers sell to government.

You can find the full version of the interview here.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

1. In How I learned to stop worrying and love identity assurance, 16 October 2012, you say that you came to support IdA because “nature abhors a vacuum, and without a clear strategy for population-scale ID, what would fill that space?” and “in an environment where we lack any trusted population-scale online authentication mechanism, IDA is better than all the other options”. Could you elaborate on the logic, please, I don’t follow it. 2. You also say that “public bodies can't be Identity Providers (IDPs) - IDPs will be exclusively private sector” and “(Declaration of Interest: I have been supporting the Post Office's work on IDA)”. The Post Office isn’t a private sector body. And yet it’s just been appointed an IDP, as noted in your DWP Announces First Identity Assurance Providers, 13 November 2012. Is it correct to say that the claim that “public bodies can't be Identity Providers” is false? 3. Today’s post, 14 November 2012, enters the world of midata, the Department for Business Innovation and Skills (BIS) consumer empowerment initiative. You describe Ctrl-Shift as a “consumer empowerment think-tank”. Some of your readers may not realise but BIS are a client of Ctrl-Shift, they pay Ctrl-Shift, and Ctrl-Shift have produced at least one report* which extols the benefits of midata without mentioning that BIS are their client. Ctrl-Shift has 106 ordinary shares in issue of which 30 are owned by William Heath, who was a director of Ctrl-Shift until he resigned. He still retains his shares, though. Alan Mitchell is a director of Ctrl-Shift. He and William Heath are founders of Mydex. William Heath is the chairman and Alan Mitchell is the strategy director of Mydex. The Ctrl-Shift report in question* extols the benefits of Mydex without mentioning these facts. Mydex in turn extols the benefits of BIS’s midata and, to cap it all, William Heath sits on the BIS strategy board for midata. Yesterday, Mydex were named as one of the UK’s seven identity providers. Three points: (a) you very properly declare your Post Office interest, perhaps you could in future make Ctrl-Shift’s interest clear; (b) to what extent is Mydex a private sector company given the facts above and given that it is likely – I don’t know for sure – to have received funding from BIS’s Technology Strategy Board and from the Cabinet Office in connection with identity assurance?; and (c) can we please change the name "identity provider", which sounds either laughable or sinister, to something like "electronic identity provider"? ---------- * ,
Dear David You recite straightforward facts almost as if they were a conspiracy. But since you now do it in Computer Weekly, which is a respected neutral forum, let me just once set out my part. Five years ago a small group of us became convinced that individual control over key personal data was an important missing dimension that would be helpful in addressing our concern about the national ID scheme and the database state. This included me and Alan Mitchell, who had written the book Right Side Up and created a "Buyer-centric commerce forum". We wondered why the shift to VRM hadn't happened already, given the case for it is strong in terms of economics, tech and human rights. And we wondered what business model would let us pursue the idea. One idea was Ctrl-Shift (based on a business model similar to Kable which did research and analysis of government IT). Another was Mydex: a social enterprise with the CIC legal form (ie a private business limited by shares but regulated to be asset-locked and limited in what it does with profits, putting the majority back to its community purpose). They did start in the same place, and Alan and I were involved in founding both. I've referred to this many times, including on the Ideal Government blog which you know very well having written for it many times. Ctrl-Shift carries a note about our relationship. We do not exactly deploy Bilderberg-style levels of secrecy. As both businesses started to gain traction I stopped any executive role for Ctrl-Shift (though I remain a shareholder as you rightly observe). Alan is flat out busy with Ctrl-Shift and does not have any executive role with Mydex though he remains a co-founder, director and shareholder. Mydex has been generally unsuccessful with TSB bids, but we did complete one useful project with Voxgen for voice authentication which may prove very helpful for more secure access control. What's really biting you? If you set out your questions and concerns I'll try, as I have offered before, to answer them. You've got my email address (I still get your press releases) and probably my phone number. This is a big change we are all embarking on. Midata and ID Assurance are both a big deal. It does call for well-informed, sceptical vigilance. It's not a time to "shut up and stop criticising" and no-one is saying that; rather it's a time to be more critical and more effective in how we're critical. Let's understand what the real issues are, and see how the businesses involved measure up to what's being asked of them. This calls for careful scrutiny of technical and legal aspects of the services, and of the underlying intentions, core activities and governance of the businesses involved. I agree about the term "Identity Provider" btw. We think it's more about proofs of claims: being able to acquire and reuse them. But what the customer wants...
David, Since William has already responded to point 3, I'll keep out of that. In response to your first two questions: 1. In the absence of a population-scale trust network (e.g. the sort of mechanisms we see in Finland, Estonia), and given the under-investment in trust schemes in the UK over the period 2002-2010 (caused by the NIS), it seems probable that without coordination many different sectoral or regional schemes will emerge, driven by a mix of government departments, local authorities and entrepreneurs. Some of these might be 'good' from a privacy perspective, but some won't be, and some will be downright ugly. The overall effect will be to drag down mean levels of consumer confidence in online trust. Furthermore, if a Labour government were to gain power in 2015, there are still many supporters of the NIS within senior party ranks, and if we still have a vacuum at that time then it seems probable that they would want to fill it with some variant of the NIS. Hence my argument that we have to build the best thing we can now. 2. For the record, Post Office Ltd is a private company whose shares are held by the Secretary of State for Business. Post Office Ltd has to bid for government business in the same way as any other company, and there are specific legal restrictions to ensure that it does not receive any favouritism in the process. I hope that answers your points. Toby
#1 of 3 Dear Toby, thank you for your response. The public may be right to have only a fragile confidence in eCommerce. You assume that it is possible to create on-line trust. That’s begging the question. It may be inherently dangerous to do business on the web. That’s a problem. And there may be no solution to it. The public has been promised sometimes an ecosystem and sometimes a market in identity assurance. Either way, we’ve been promised competition and only the best adapted species will survive. Markets are fairly rough and nature, of course, is unsentimentally ruthless. To find the successful identity assurance solutions – the trustworthy ones – we need a chaotic period of competition. We need precisely the range of privacy-protecting and “ugly” solutions that you decry. You mention Finland and Estonia. They may have arrived at population-scale trust schemes and digital-by-default public services. And private sector services, too. They may have done, I don’t know, but I do know that it was thanks to Estonia’s reliance on digital-by-default that Russia was able to bring the country to its knees in 2007 with nothing more sophisticated than a distributed denial of service attack. If that’s the price of a population-scale trust scheme, no thanks. In your 16 October 2012 essay How I learned to stop worrying and love identity assurance you make a long list of the faults in the old National Identity Scheme (NIS). The public knows nothing about the scheme the Post Office intends to bring to the government’s Identity Assurance Programme (IDAP). So we can’t tell whether your scheme avoids the problems of the NIS. Can you tell us? Will the Post Office scheme: 1. Be ill-conceived 2. Be illiberal 3. Have tens of thousands of end points 4. Have hundreds of thousands of users 5. Create a central database recording a “deep truth” about everyone 6. Record every interaction between people/businesses and the state 7. Be a panopticon 8. Defend us against terrorism and crime including illegal immigration 9. Make our lives easier 10. Be a secure solution 11. Be a tailor-made solution rather than requiring three ill-fitting silos to be pressed into service 12. Allow public servants to snoop on us 13. Be any more accurate than today’s large databases, with their duplicates and omissions and false/out of date data 14. Require us all to carry a material plastic card 15. Require us all to maintain the dematerialised digital equivalent, a personal data store 16. Protect our privacy. If so, how? 17. Serve the needs of the public rather than civil servants 18. Provide a federated identity scheme 19. Abide by the best practices which emerge from the open identity exchange 20. Be based on private sector identity providers only, no public sector bodies. It’s your list, not mine. Apart from No.15. How does the Post Office scheme measure up? Is it more desirable than the NIS? You start with a big problem – in the DWP/Universal Credit application of IDAP, the government is paying for everything and may expect as a result to control everything. As you work your way down your checklist, do you still love IDAP, or do you start worrying again? [Note: Paragraph removed by Toby Stevens 22/11/12]
#3 of 3 Dear William, thank you for your response. Ctrl-Shift, we are led to believe, is a champion of VRM, vendor relationship management. And yet, while it recommends Mydex, Ctrl-Shift repeatedly fails to make clear that the two companies are arguably “associated”, as defined by HMRC. In which case, that is a poor example of VRM – what looks like independent advice is anything but, the public is being misled. Mydex is about “proofs of claims”, you say, i.e. credentials. What are Mydex’s credentials? How can Mydex offer people control over their personal data? That control is not in Mydex’s gift, it is not Mydex’s to grant, the offer looks misleading. How does Mydex propose that people should gain control over their data? By giving it all to Mydex and storing it in a PDS which will be continuously updated with their transactions. And it’s not one-way traffic – the suppliers’ records will be updated whenever necessary, e.g. on change of address. This looks more like losing control than gaining it. Mydex claim that people will benefit from having their transaction data analysed by a new class of apps in what Ctrl-Shift call “the quantified self space”. The company seems to be luring people to share their data with more and more strangers, further diluting their control. How much would it cost to subscribe to these apps? No-one knows. But it wouldn’t be free and that point is not made clear in Ctrl-Shift’s public pronouncements, or Mydex’s, or in the public pronouncements of the Department for Business Innovation and Skills (BIS). Again, this is a poor example of VRM. The data people would be expected to hand over includes their user IDs, their passwords and the answers to secret questions – all the data normally asked for on websites where identification is an issue. How do we know that? How else can our PDSs be permanently updated with transaction data if they’re not logged on to our bank accounts, mobile phone accounts, Amazon accounts, HMRC accounts, and so on? Also, the department for Work and Pensions (DWP) tell us so in their press release about the UK’s putative identity providers: “... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ...”. People will be asked to give their “keys” to Mydex and/or any of the other six identity providers. In other words, they will be asked to hand over control, the opposite of the Mydex prospectus. How safe would people’s data be on Mydex’s servers? Or the servers of Mydex’s sub-contractors? What are Mydex’s credentials? Why should Mydex be regarded as a trusted third party? The difficulties of keeping data safe on the web are barely mentioned by Ctrl-Shift, Mydex and BIS, at least when they are promoting midata. It looks as though these three organisations are luring an unwary public into danger. It is disingenuous to ask “what's really biting you?”. That has been made clear since at least 9 June 2001. It has also been made clear on my blog in about 20 posts starting with this one on 16 November 2011. “If you set out your questions and concerns I'll try, as I have offered before, to answer them.” But the questions have been set out, they haven’t been answered and your latest offer on Twitter was first deleted and then qualified by subsequent direct messages. Perhaps, in the name of respectability, the public will now be favoured with some answers.
David I have offered to speak with you directly. That offer is still open. Having made it, I don't propose to debate your misconceptions here or anywhere else online. I blocked you on Twitter - as I said I would - simply because you chose to continue sniping at me rather than engage in a reasonable conversation, as we have done in the past. William
Mydex is offering certain services to the public and it makes certain representations about those service in public. Giving users control over their data, for example. I have raised certain questions in public about those representations (for example, above @ and others listed above @ November 25, 2012 2:34 AM) and the longer Mydex goes without answering them in public, the odder it must look to the public. I am asking critical questions about midata and Mydex (recommended by you @ November 20, 2012 8:42 AM above) and have been for a year or so now, without any answer. How could blocking me from your Twitter account stop me from asking those questions? I trust that the strategies adopted in midata and Mydex are more effective. Answers. In public. Highly recommended. Good strategy. Worthy of the name "VRM". Credentials, please.