The debate over ID Cards has not gone away. It will return next year, with plans for security during the Olympics (as an “extension” of the NATO agenda for identifying Goivenrment employers and contractors, including security staff and volunteers), for residents’ cards (to cut the cost of delivering public services) and for EU initatives (supposedly to aid pan-Euopean inter-operability). Meanwhile those wanting us to transact on-line will wish to promote their dreams for global identities that will help them cement market share. It has therefore been suggested that I update my 2004 guide to the politics of Personal Identity to help a new generation (including politicians and those lobbying them) to understand what has changed and what has not. Here goes:
The issues of personal identity are central to a global information society in which we are routinely expected to conduct transactions with those whom we have not met before, cannot remember or may never physically meet. The supporting technologies, from smart cards, encryption and biometrics to secure and efficient databases and networks, have been in regular use for decades. The reasons for the current controversy over ID systems have little or nothing to do with technology developments: save in the sense that they may be used as an excuse for promoting a solution which serves political objectives.
The technologies may, or may not, work but they have to be operated by analogue mammals (hairless apes, alias human beings) whose standards of behaviour have changed little since writing first evolved in the deltas of the Euphrates (Iraq) and Yangtse (China), over five millennia ago. The oldest known writing looks suspiciously like a tax tariff for dealings in a cattle and grain market. The holy books of the monotheistic religions (Judaism, Christianity and Islam) contain many references to censuses, taxes and the means of identifying those who are to be respected. The teachings of Buddha and Confucius build on the wisdom of even older civilisations that recognized nothing was inevitable save death and taxes. Even the most primitive tribes have the wisdom to distrust strangers who take their picture or ask their name.
Today the first priority of our rulers is still to record their subjects and tax anything (or anyone) that moves or dies in their realm. Meanwhile the only identity tokens which their subjects value and respect are those which give credit in the market place. Today, that market place is increasingly international and electronic, with ordinary citizens, not just merchants and their agents, agreeing to transact with strangers on the far side of the world.
In consequence we have increased tensions between rulers, seeking to create and control local or national identity tokens, and their subjects – who want a variety of tokens according to whether they wish to obtain products and services locally or internationally without paying cash. We also have a tension between those who want high reliability tokens (to prevent possible terrorists boarding an airliner) and those frightened of being mugged on the way to the library or post office and having their identity stolen. From Brixton (South London) to Bogota (Colombia) no ordinary citizen carries more cash or ID than they really need.
The disciplines for Identity Management, including protecting transactions from local warlords – alias national governments – go back millennia. The traditions of “correspondent banking” and of the notaries and scriveners who “authenticate” most global trade, go back to ancient Sumeria: where the laws were god-given and applied to the ruler. The traditions of government identity control go back to ancient Egypt, where the Pharaoh was a god. One of the most bitter subsequent clashes between the two traditions is enshrined in the story behind the Da Vinci code: Philip IV’s attempt to expropriate the global correspondent banking operations of the Knight’s Templar. Instead of heaps of gold all his troops found was files of incomprehensible paper – so they set about torturing the “bank managers”. Even the transition to the electronic identities began over 150 years ago, with cable authentication routines, not just decades ago with smart cards et al.
This mature market has been regularly plagued by new entrants who believe they have “the answers” without being aware of what has gone before, the scale and nature of what is currently operational (including who is already doing what for whom, at what price and to what standards of accountability, responsibility and liability). Neither are they aware of what others are planning for the future, or what citizens, businesses and other “customers” would like or are willing to pay for.
Today the average on-line user is expected to remember passwords for around 60 “identity management” systems. Most enter the same personal information and try to use the same passwords for most. Surveys indicate, fairly consistently, that approximately 30% of population is concerned over their privacy etc. Most would like a choice, but assume they will not get one and would rather not draw attention by making a fuss. Some data indicates that as many as 10% of them give random answers, or use fictional persona, when they see no reason for giving their details to who-ever is asking. Most of us also carry over dozen or more machine readable cards, with a variety of chips, barcodes and/or magnetic stripes.
There are a large number of current initiatives to introduce comprehensive integrated, federated and/or inter-operable ID management systems, proposed by a variety of players, with a variety of motivations. Few involve genuine choice or consent on the part of the “data subject”: alias customer, citizen, victim, patient. “client” or “miscreant”. Few relate to the experiences of governments in trying to keep electronic track of their “subjects” (from taxation and law enforcement to education, heath and welfare) or the private sector experience with running digital systems for:
– security printing
– credit reference
– age cards and loyalty schemes
– credit/debit cards, payment clearing and correspondence banking
– notaries, scriveners and supporting services
– fixed and mobile telecoms operators and payment services
– insurance (including life and healthcare)
– freight forwarding (land, sea and air: local, national and global)
– direct marketing: in all its forms: now including over the Internet
– sports and social clubs
as well as for central and local government, charities, voluntary agencies, law enforcement and the military.
Most initiatives ignore research on who we trust:
· doctors and nurses but not health service administrators
· banks and credit reference agencies before local government
· central government little more than pariahs – barely above on-line retailers and ISPs.
Central to the sustainability and acceptability of successful ID management systems appear to be five R’s:
· Responsibility (including ownership, accountability and duties of agents for owners),
· Registration (including confirming a claimed identity and linking an individual to their biography with biometrics and electronic credentials)
· Repair (when the registration and or credentials have been compromised or mistakes identified)
· Revocation (either full because of serious compromise or partial, e.g. moved from “good citizen” to “suspected fraudster” or “convicted criminal”)
· Redress (who should bear the cost of repair and of compensating the victims in the event of compromise – whether deliberate or accidental).
There is little indication of academic, professional, legal or political agreement on “answers” to the questions of trust, but there are indications that some players have found “answers” that their customers, including end-users, find credible and acceptable. The basic questions can be summarised as:
· How are the five Rs (above), and the processes (including/especially the people processes) that support them, addressed (or not) by operational or proposed routines?
· What should be the roles of professional bodies, trade associations, politicians, regulators etc. in identifying and encouraging good practice?
· What should be the means of assessing whether the supporting technologies on offer are fit for purpose and used correctly?
· How could/should inter-operability be handled between different types of schemes (legal basis, management structure, application, ownership etc.), including internationally, across jurisdictions, not just between similar schemes using different technologies?
· How could/should issues of issues of responsibility, liability, accountability and interoperability be handled across civil-military, public-private and international boundaries as well as across departmental or application boundaries?
Meanwhile the gulf between the NATO approach to Identity (driven largely by US post 9/11 paranoia and the aspirations of its would-be technology suppliers) and those of the private sector (especially finance), appears to be growing.
The current US Federal Government initiative has its roots in the confusion of 9/11 itself – when shoot-outs between federal agencies which did not recognise each other’s identities were only narrowly averted, and emergency response teams were denied access. The subsequent refusal of access to those carrying fuel for the standby generators nearly led to a total collapse of communications (mobile as well as fixed) in New York. The US drive to impose their new approach on their NATO partners and supply chains has reinforced the current UK Cabinet Office attempt to meld the many British government working parties on ID systems into one: at the same time as they have scrapped ID Cards and Contact Point, dropped DWP’s CIS database as a fulcrum for rationalization and fired the lead contractor for e-Borders!
Every Directorate and Agency of the European Commission feels the need to have an initiative, whether on the grounds of privacy, data protection or security – with little or no obvious co-ordination, let alone public or business support – other than from those bidding for consultancy or research business. Meanwhile the residents’ cards of most EU states provide more efficient and accountable public sector identity regimes than the UK or US appear to have considered. Perhaps that is because so many have experience of totalitarian regimes.
The limitation of current UK Cabinet Office ambitions to addressing systems to identify those who work for government (including defence contractors etc.) is a good idea, given the obvious cost savings and operational efficiencies that should arise from culling those that are known to be inaccurate, inefficient and insecure. The decision not to extend the approach to cover all those who under statutory powers (not just law enforcement) might claim access to your home, business or computer systems, is unfortunate but understandable. It is not easy to provide routines that would enable a pensioner to check that the caller really is from British Gas and not another would-be distraction burglar, or for an office receptionist to bar the way until the Head of Security has arrived to check that the plain-clothes team really is from Health and Safety, Law Enforcement or the Tax Authorities.
While requiring that identity credentials of government officials have common roots may make good sense to those with military backgrounds, it also leads to vulnerabilities which the financial services industries have learned to avoid from centuries of experience (fraud and malpractice by trusted insiders). All security breaches at the Olympic Games have been carried out by those with impeccable credentials. Would the routines currently being promoted really help prevent a slaughter of the innocents when the security forces of the world shoot it out in London in 2012 after some-one mistakes fireworks for a bomb attack?
The last time that London hosted such large numbers of foreign security staff was 1066 at the Coronation of William the Bastard. It descended into chaos when the Norman guards outside Westminster Abbey thought the “acclamation” was an attack and set fire to the buildings round the Abbey to smoke out the “terrorists”.
Before the General Election, Eleanor Laing MP, then the UK opposition spokesperson on identity issues, presented a ten-point draft action plan. It went down well with civil liberties groups, but like a lead balloon with most government officials and their would-be suppliers. It began with the assumption that we are citizens, not subjects and should own and control our own credentials and be able to choose the intermediaries who we trust to manage them. That would fit with long-standing financial services models for inter-operability between schemes where the issuer of the “credentials” is accepting liability under contract and/or common law tort. It would fit with voluntary residents cards issued by councils to facilitate rapid, uncharged response to enquiries or access to services (libraries, leisure facilities, travel etc.). It would not fit easily with claims to statutory immunity in the event of abuse or compromise.
The all-party Information Society Alliance agreed to address the issues raised by Eleanor as part of their work on Information Governance to help the next government. They also plan to look at these in an international, not just UK or European, context.