ID Wars: the slaughter of the not so innocents

I welcome the cull of public sector ID systems and the plans to merge the many Whitehall working parties to one, focussed on rationalising the systems used to identify those working in the public sector and its supply chains, including defence contractors. I am much more cautious about plans to couple this to the US drive for a common NATO approach, lest the limited applicatiblity of this approach is much better recognised but its proponents than currently appears to be the case.


There is a massive gulf between Central Government approaches to ID and the private sector (especially finance). The former are intended primarily to support national security, taxation, conscription and border control. The latter have several millennia of experience (over a century electronic) into keeping the transactions safe from local warlords (alias National Governments). Meanwhile Local Government is concerned mainly with local services to local voters.



Meanwhile techie enthusiasts tend to offer ever more “solutions”, without really understanding the needs problems of any of the three sets of “communities”, let alone the differences between them.   


The current US Federal Government initiative has its roots in the confusion on 9/11 itself – when shoot outs between federal agencies which did not recognise each others IDs were only narrowly averted and emergency response teams were denied access. The subsequent refusal of access to those carrying fuel for the standby generators nearly led to a total collapse of communications (mobile as well as fixed) in New York.


The limitation of current UK Cabinet Office ambitions to addressing systems to identify those who work for government (including defence contractors etc.) is a good idea, given the obvious cost savings and operational efficiencies that should arise from culling those that are known to be inaccurate, inefficient and insecure.


The decision not to extend the approach to cover all those who might claim access to you home, business or computer systems under statutory powers (not just law enforcement under RIPA) is unfortunate but understandable. It is not easy to provide routines that would enable a pensioner to check that the caller really is from British Gas and not another would-be distraction burglar or for an office receptionist to bar the way until the Head of Security has arrived to check that the plain-clothes team really is from Health and Safety or HMRC.


That government officials should have common ID roots may makes good sense to those with military backgrounds – but also leads to vulnerabilities that the financial services industries have learned, from bitter experience (fraud and malpractice by trusted insiders) to avoid. We should remember that all Olympic security breaches have been carried out by those with impeccable credentials. Would the routines currently being promoted really help prevent a slaughter of the innocents when the security forces of the world shoot it out in London in 2012 when some-one mistakes the opening fireworks for a bomb attack?


The last time that London hosted large numbers of foreign security staff with 1066 at the Coronation of William the Bastard. It descended into chaos when the Norman guards outside the Abbey thought the “acclamation” was an attack and set fire to the buildings round the Abbey to smoke out the “terrorists”.   


Before the election Eleanor Laing, then shadow ID spokesman, presented a ten-point draft action plan at a Westminster Media Forum event. It went down very well with most of the audience. A similar presentation at an lntellect event a few days later went down like a lead balloon with an audience of civil servants and their would-be suppliers. She began with the assumption that we are citizens, not subjects and should be able to own and control our own credentials, ideally also being able to choose the intermediaries who we trust to manage them.


That would fit with long-standing financial services models for inter-operability between schemes where the issuer of the “credentials” is accepting liability under contract and/or common law tort.


It would fit with voluntary residents cards issued by councils to facilitate rapid, uncharged response to enquiries or access to services (libraries, leisure facilities, travel etc.).


It would not fit easily with the claims to statutory immunity in the event of abuse or compromise that are common to most central government systems.


The all-party Information Society Alliance (EURIM) agreed to address the issues raised by Eleanor as part of their work on Information Governance to help the next government.


In the “real” world we need all three approaches. We also need to recognise that they are different and find ways of bridging the differences that will work as operational needs and technology solutions change and evolve over time. In doing so we must recognise that human nature and the proclivities of those running and using the systems (at all levels from minister to counter-clerk) do not. We need the governance frameworks that will prevent over-simplistic (or over-complex) technology solutions being used to once again reduce us to subjects, whose identity information (from biometric details to transaction profiles) may be on sale around the world, leaked, sold or stolen from government files (or those of private sector service providers), with no effective right of redress.


Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you make of this EU tender notification titled "All aspects of identity verification and authentication services for the public sector."?

It includes "Any organisations currently interested in developing initiatives or projects covering the requirements listed above and which may be of interested in collaborating with the public sector should contact the named contacts above in order to request a high-level background information document. This prior information notice sets out the UK public sector’s current thinking on these services only, and will not bind any future procurement of similar services, if such a procurement takes place."

Should Eurim and Socitm be interested in collaborating?

What do you make of this EU tender notification ... ?

1. There is apparently absolutely nothing to show for the £300 million spent on the National Identity Service, the money has been wasted, Alan Johnson and Meg Hillier failed completely. Otherwise, this prior information notice would not be needed.

2. It was always unwise for any supplier to respond to a National Identity Service invitation to tender. It is even more unwise now as the prior information notice makes it quite clear that there is no money available.

3. If you apply for a copy of the high level background document referred to, you are told that:

The cross-government stakeholder group are currently compiling the high level document for supplier review (as mentioned in the PIN).

I will endeavour to get the document to you but as you can appreciate, the PIN has been published on behalf of Government so there are a lot of stakeholders involved. Each stakeholder needs to have their own say on requirements in the high-level document.

Is it a paradox to want both privacy and open identity credentials?

It is important that both suppliers, agencies and users have a debate and that conclusions are drawn from publicly available research and development. Let the alternative technologies compete to meet a fully consulted standard. I don't care whether it is public or private sector as long as the levels of trust are clear and interoperable.

A neutral organisation should convene meetings of the standards drafters. For a model of public and private collaboration look at (it's the education sector, not id management)