ID Wars: the slaughter of the not so innocents

I welcome the cull of public sector ID systems and the plans to merge the many Whitehall working parties to one, focussed on rationalising the systems used to identify those working in the public sector and its supply chains, including defence contractors. I am much more cautious about plans to couple this to the US drive for a common NATO approach, lest the limited applicatiblity of this approach is much better recognised but its proponents than currently appears to be the case.


There is a massive gulf between Central Government approaches to ID and the private sector (especially finance). The former are intended primarily to support national security, taxation, conscription and border control. The latter have several millennia of experience (over a century electronic) into keeping the transactions safe from local warlords (alias National Governments). Meanwhile Local Government is concerned mainly with local services to local voters.



Meanwhile techie enthusiasts tend to offer ever more “solutions”, without really understanding the needs problems of any of the three sets of “communities”, let alone the differences between them.   


The current US Federal Government initiative has its roots in the confusion on 9/11 itself – when shoot outs between federal agencies which did not recognise each others IDs were only narrowly averted and emergency response teams were denied access. The subsequent refusal of access to those carrying fuel for the standby generators nearly led to a total collapse of communications (mobile as well as fixed) in New York.


The limitation of current UK Cabinet Office ambitions to addressing systems to identify those who work for government (including defence contractors etc.) is a good idea, given the obvious cost savings and operational efficiencies that should arise from culling those that are known to be inaccurate, inefficient and insecure.


The decision not to extend the approach to cover all those who might claim access to you home, business or computer systems under statutory powers (not just law enforcement under RIPA) is unfortunate but understandable. It is not easy to provide routines that would enable a pensioner to check that the caller really is from British Gas and not another would-be distraction burglar or for an office receptionist to bar the way until the Head of Security has arrived to check that the plain-clothes team really is from Health and Safety or HMRC.


That government officials should have common ID roots may makes good sense to those with military backgrounds – but also leads to vulnerabilities that the financial services industries have learned, from bitter experience (fraud and malpractice by trusted insiders) to avoid. We should remember that all Olympic security breaches have been carried out by those with impeccable credentials. Would the routines currently being promoted really help prevent a slaughter of the innocents when the security forces of the world shoot it out in London in 2012 when some-one mistakes the opening fireworks for a bomb attack?


The last time that London hosted large numbers of foreign security staff with 1066 at the Coronation of William the Bastard. It descended into chaos when the Norman guards outside the Abbey thought the “acclamation” was an attack and set fire to the buildings round the Abbey to smoke out the “terrorists”.   


Before the election Eleanor Laing, then shadow ID spokesman, presented a ten-point draft action plan at a Westminster Media Forum event. It went down very well with most of the audience. A similar presentation at an lntellect event a few days later went down like a lead balloon with an audience of civil servants and their would-be suppliers. She began with the assumption that we are citizens, not subjects and should be able to own and control our own credentials, ideally also being able to choose the intermediaries who we trust to manage them.


That would fit with long-standing financial services models for inter-operability between schemes where the issuer of the “credentials” is accepting liability under contract and/or common law tort.


It would fit with voluntary residents cards issued by councils to facilitate rapid, uncharged response to enquiries or access to services (libraries, leisure facilities, travel etc.).


It would not fit easily with the claims to statutory immunity in the event of abuse or compromise that are common to most central government systems.


The all-party Information Society Alliance (EURIM) agreed to address the issues raised by Eleanor as part of their work on Information Governance to help the next government.


In the “real” world we need all three approaches. We also need to recognise that they are different and find ways of bridging the differences that will work as operational needs and technology solutions change and evolve over time. In doing so we must recognise that human nature and the proclivities of those running and using the systems (at all levels from minister to counter-clerk) do not. We need the governance frameworks that will prevent over-simplistic (or over-complex) technology solutions being used to once again reduce us to subjects, whose identity information (from biometric details to transaction profiles) may be on sale around the world, leaked, sold or stolen from government files (or those of private sector service providers), with no effective right of redress.