The British government has been trying to persuade companies to ditch their home-grown ID systems for one it helped design under an international collaboration driven from Silicon Valley and the White House.
Now nearly five years after the coalition government ditched the infamous National Identity Card, it is attempting to replace it with a US-designed, government-led, international alternative operated by a market of private companies.
The initiative got a boost last night when 10 governments joined a White House working group to ensure their implementations of Silicon Valley ID technologies would be compatible, and that governments and corporations would be able to check the same people reliably no matter what country they were in or what they were trying to do.
But it got set back a little yesterday too, when a UK consultation with telecoms corporations was cancelled at short notice and without explanation.
Mobile phones have been earmarked to take the role once reserved for identity cards under the ID regime: a physical token that people can use to prove who they are better than if they used a password alone.
But the UK meeting was cancelled suddenly, according to Sue Dawes, who was running the consultation for the Cabinet Office as UK Program Manager at the Open Identity Exchange, a body that has led international and inter-industry co-ordination of the White House effort. Dawes said she did not know why the meeting had been cancelled.
The GSM Association (GSMA), which had been due to host the consultation meeting, had already developed a global scheme for mobile identity control, and already proven it as a pilot under the White House initiative, which is called the National Institute of Standards and Technology (NSTIC). US telcos including Verizon, which is one of the companies behind the UK’s “Verify” identity scheme, designed their Mobile Connect Initiative to be compatible with the US government programme, the White House agency said in April. Experian and Morpho, two other companies behind the UK programme, took part in the US pilots as well.
OIX itself launched a global identity hub in April, where different industries and governments could exchange the technical and business principles necessary for their ID systems to be compatible. The systems themselves have been constructed largely according to designs produced by Silicon Valley tech standards bodies such as OASIS and the Kantara Initiative, where many large computing, telecoms, military and banking firms, and numerous governments including the UK have collaborated since the start of the last decade. Their work was finally implemented in identity systems such as the UK’s Verify and the US government’s Connect.gov, both of which launched in limited capacity earlier this year. The OIX model envisaged these “federated” identity systems would form into a global ID “ecosystem”, with uncountable numbers of governments and corporations all sharing data in order to better identify people. The once-dreaded national identity system built on a single database would become international, based on a distributed set of inter-operating databases.
Another of these bodies, the OpenID Foundation (OIDF), yesterday launched an international “iGov Working Group” where governments would make sure their different ID schemes remained compatible. NSTIC, OIDF and OIX said 10 governments had joined the scheme. They were unable to say which governments had joined.
Li’l ol’ England
The UK consultation has meanwhile tried to sell the principles of identity federation to those sectors most likely to have developed digital ID systems but less likely to be familiar with the nearly two decades of work that has gone into the US-led scheme for identity federation.
OIX and Cabinet Office billed it as a “discovery” exercise: “to understand the extent to which the capabilities government… developed for UK digital identity could usefully be applied to meet needs in the private sector”.
But it would instead ask whether companies had considered that the costs and inconveniences of their own ID systems were so great that they really ought to adopt the government’s federated one.
They launched the effort in September with a report that laid out the consultation’s modus operandi. It would run workshops where it would present companies with a set of problems that happened to be those the OIX model and the Cabinet Office Verify scheme were designed to solve. It would then ask participants which they preferred: the problems or the solution.
A preliminary consultation meeting in May reached a consensus agreement that the solution was preferable to the problem. Yet most organisations at the meeting appeared to be either directly involved or closely associated with either Verify, OIX or GSMA Mobile Connect.
OIX and Cabinet Office have not published precisely who attended their consultation meetings, or minuted what they said. But they put a promotional spin on the May meeting in OIX’s September report.
“Senior representatives of some of the UK’s biggest organisations from a wide cross-section of industries” had “identified that their organisations would like to explore a cross-sector approach to identity needs in the UK”, it said.
The problem, as OIX and Cabinet Office set it out, was that different industries had developed a hotch-potch of approaches to checking people’s identities, leaving gaps where fraudsters thrived, and making users mistrustful and frustrated because they had to juggle too many different log-ins while companies kept their personal data locked out of their reach. The solution was an ID system just like the one they had developed, federated to work across all industrial sectors.
The “wide cross-section of industries” that gave OIX and Cabinet Office their applause included “financial services, telecoms, retailers, online gambling, central government, local government, sharing economy, identity providers and subject matter experts”, said the OIX report.
Those the report implied had thus applauded comprised Verify and OIX programme members (Barclays, Digidentity, Experian, Timpson and Warwickshire County Council), others that have been associated or allied in various ways before (Lloyd’s Bank, Payments UK, RBS, SOCITM, Telefonica O2, and TISA, an association of companies running savings schemes) and those running the workshop or one of the programmes it was seeking to promote (OIX, KPMG, Cabinet Office, Innovate Identity, GSMA).
Only two of those cited in the report had no overt, direct connection with the programme before: Malta-based gambling company Unibet and PASS, an association of Microsoft professionals. Microsoft is however prominent among those companies behind the federated ID initiative. At least one other organisation was present – an alternative bank called Ffrees Family Finance Ltd, whose CEO Alex Letts often grabs opportunities to promote his business and got a quote in this report as well.
OIX officials were not able to produce formal records of its meetings when Computer Weekly requested them, including a full list of those who took part and what they said. The Cabinet Office has insisted its work through OIX would be open and transparent.
Speaking to Computer Weekly on Friday, Don Thibeau, who has led international development of the scheme as director of both OIX and OIDF, said the consultation records would be written into another report. He refused to accept the consultation was a marketing exercise for technology and business models already well established.
“I see it as joint R&D,” he said. “Technology is a moving target. There needs to be some capacity for governments and their suppliers to say this technology is not relevant, this one might be helpful.”
David Rennie, head of industry engagement for the Cabinet Office, said earlier this month it commissioned OIX to do the consultation because the ID federation was failing to get enough support.