Recent “leaks” appear to indicate that Cabinet Office has finally given up on trying to impose a uniform ID scheme on the warring tribes of Whitehall, let alone the rest of us. It is probably a very sensible decision. However, given the nature and scale of reported losses of personal details, codes and passwords from the files of those whose ID systems it is suggested we might wish to use, the decision raises interesting questions as to who will be responsible for fraud and error. Can HMG slough off the liabilities (with regard to those IDs which it recognises) being wished on it by the EU e-ID Regulation?
It would also be interesting to know what information will be available to help us make an informed decision as to who we trust to manage the identities we choose to use for dealing with government. And also what happens when we decide we no longer trust them – or they decide they do not trust us and revoke our identities because they think they are being used for fraud or piracy or some other breach of their service conditions.
The competition which I have previously mentioned, on the meaning of trust in the on-line world, is now gathering pace. Over a dozen leading Universities are planning to use the “questions” to stretch the thinking of some of the brightest and best of their students. The drafting of those questions is also proving to be “fun”. One that has recently been added to the list is how we could/should handle situations where “identities”, including mobile phones and passwords, may be used by any member of an “extended” household, including “lodgers” and their friends. This is apparently common among a surprisingly large proportion of those dependent on benefits. These may be genuinely collected for them (or spent) by their partners, children, grandchildren or carers. Or they may be stolen: randomly or systemically. Hence the value of the old-fashioned routines for collection by a named individual (who knows and is known to the counter staff) from a named post office. Hence also the concerns of groups like Elder Abuse over ID routines.
Another tricky question is the aggregation of responsibilities, liabilities and risks associated with the “secure electronic identities” issued to the various legal entities of, say, Lehman Brothers (which had over 2,000 separate trading entities). This is exercising the Financial Stability Board which may well mandate action in the not too distant future. It also helps account for the differences between HMRC and DWP over ID policy.
My personal favourite remains not only unanswered but almost taboo: how do you know that it is not only me, but that I am a free agent, not acting under duress? The failure to provide satisfactory solutions is why some very high value industries (such as the jewelry trade) are so reluctant to use electronic authorisation routines.
Meanwhile the Nominet consultation on the possible issue of issuing validated direct.uk addresses could lead to a step-change in our ability to trust that we really do know who we are dealing with. The value of a validated Internet address as an electronic identifier is considerable – provided we have reasonable confidence in the validation process and take action to use the switch to IPv6 to remove the spoofing weaknesses in the current system. For those who say “what about the right to remain anonymous”, I would say that I would like to see variations on .anon.uk administered by those who we can reasonably trust to ensure that no-one can break the anonymity. Many of the current anonymising are seriously flawed.