Is Cabinet Office Identity Policy relevant to improving confidence in the on-line world?

Over the past week I have received a number of e-mails, not for posting as comments, regarding the role of UK, EU and US policy with regard to improving confidence in the on-line world. A common thread is whether those drafting policy proposals understand the meaning of “confidence” as opposed to “compliance” with regulatory demands. The deadline for responses to the Cabinet Office consultation on identity Principles in less than a month away. This should be an opportunity to help “educate” those at the heart of UK policy. I am told, however, that the response to date has been miniscule, even from the “usual suspects”.

Perhaps that is because those with lobbying budgets are not really interested in what a medium sized nation state with no budgets might, (or more likely will not), mandate with regard to identifying its own employees (including contractors), authenticating transactions with those who must deal with its agencies (HMRC, DWP et al plus those looking after the most vulnerable in society, such as the Office of the Public Guardian) and the identity and authentication services for which it has responsibility (Companies House, DVLA, Land Registry, Passport Office etc.).

Most global players are more interested in intercepting the plans of the Indian and American Governments for their domestic markets and in what the Chinese are offering to Africa and South America, as part of their non-violent neo-colonial infrastructure investments. However, the isues being addressed go to the heart of rebuilding trust in the on-line world. Whether Governments are seen as leaders or followers, It is important to all of us that they follow at least adequate practice.

Most of us trust our governments less than we do our banks: perhaps because we can usually change the latter (albeit it with ever increasing difficulty because of Government interference to supposedly prevent money laundering).  The UK Government, including Cabinet Office, should therefore mandate adequate practice across its departments and agencies. it should also encourage and support good practice in the market for digital identification and authentication services: for example by making the digital, albeit not necessarily on-line, checking of official documents possible and by removing impediments to such services being offered by the private sector. It should, however, leave the evolution of those services to market forces, which have been running their equivalents across borders for 5,000 years (electronically for over a century and digitally for a couple of decades).

It should instead give priority to supporting the UK public sector adoption of that which is accepted by the private sector. It should also give a much higher priority to cleaning up those public sector identities which are so flawed as to be almost worthless: such as an electoral register that would disgrace a banana republic .

Such action is even more important at a time of financial stringency, given the £billions being lost as a result of fogging: the fraudulent obtaining of genuine government issued n? and g? (not sure what “n” and “g” are but the examples included passports and driving licences) 

I therefore invited Mark King, who is rather more balanced and expert on this topic than most (including me), to comment on the Cabinet Office consultation in the hope of interesting others in doing so. You will need copies of the consultation and relevant codes of practice in front of you to get full value from his comments …:  

“There seems to have been very little public debate, perhaps because itseems do esoteric, or because it is not clear how design principles areto be used for a system being delivered. I offer the following separateconsiderations, and would happily expand or debate further if needed.

1.The Cabinet Office Good Practice guide 43 distinguishes between registration of identities (for people andorganisations) and authentication. Whilst government organisations couldclearly benefit from using existing commercial authentication formoving existing ‘clients’, to online service, as has been done inCanada, the need for identification by this method is less clear,particularly when the proposed matching method will fail for all newentrants and for each service they seek: because they have no existing record and because there is not now, nor will there be in the near future,any complete population register.

The “levels” needed for thesesecurity components (in response to different threats) may be quitedifferent, but the privacy principles neither mention authentication inany connection, nor do they explain why full identification is beingcalled for. The privacy concerns with authentication are considerablyless problematic, but surely rate a mention.

ID is often needed, buthas too often been used for convenience in cases when entitlement orauthorisation are what needs checking. The minimisation principle shouldbe extended to make it clear that ID principles apply only once needfor ID has been established. The parking permit example is one ripe forreview. It is sometimes the car, not the person, getting the permit, so amethod to check that the registered keeper’s address is in a specifiedrange doesn’t call for any personal identification at all.

2.GPG43 also demands consideration of all stakeholders, includingnon-users. This is particularly important for cases where an identityhas been usurped. It should be possible for any individual whoseidentity has been hijacked to get problems sorted out, not just users: as currently defined these include the imposters but exclude the rightfulowners.

Clarity is also needed on agents: whose information is being talked about – the person’s, the agent’s, or both?

Consentis highly relevant for attributes and data to be passed around once theauthority to transact has been established, but it is pointless andcounterproductive to ask for consent in the process of establishing anidentity since of course an imposter will agree.

3. Althoughevidence has been called for in support of changes, no evidence has beenoffered for the need for legislation, at Westminster, by Europe, ordevolved assemblies as appropriate. Rather than clarify, legislationcould offer uncertainty (until implemented) and stifle furtherinnovation as well as restrict international interoperability andopportunity.

It should suffice to have exemptions identified andjustified in published Privacy Impact Assessments (note the InformationCommissioners recent request for inputs to a consultation on updatingits code of practice for these ). Thepublication of some aspects, such as anti-fraud measures, isself-defeating if it goes into detail. The need for PIAs has long beenmandated by Cabinet Office policy. It not a novel Europeanrequirement.

The pan-European interoperability by 2010 calledfor in the 2005 Manchester declaration clearly wasn’t achieved, but canbe expected to be required under proposed EU regulations. HMG may beforced to accept other EU mechanisms that do not comply with the statedprinciples.

4. Certification is good for the scheme as a whole,but not for encouraging individual use. The reduction to a bullet pointusing the first person over-simplifies the case, and asserts somethingthat US research shows is not true – it is implausible to claim thatwidespread user trust can be created automatically by the introductionof certification; even many in the industry have never heard of tScheme.

It would be reasonable for organisations in any level ofgovernment, or working for them, to demand use of certified providers.That would also benefit from a clearly defined process for what happenedif certification is withdrawn. How that affected users would be agenuine user requirement, but there still seems a reluctance to addressthe ‘unhappy’ cases (fraud, denial of service, failure of a provider,etc).

5. The suggestion is that the results of ombudsman reviewsshould always be published, as a policy matter. In fact, it might bepreferable, both for privacy and to ensure that referrals are notdiscouraged, that publication will be if and only if the individualagrees.

The principle that an ombudsman will get things fixedwhen they go wrong may give confidence to users may reduce the imaginedvalue for trusted correctness in the first place.

6. The scopeof the principles (and there are nine sets, not just nine principles)claims to cover more than just privacy and needs to be clarified.There’s nothing on who pays – just who doesn’t. There is some mention ofcontractual arrangements, but it’s not clear who are the parties to acontract. Interaction with government is typically not a matter ofcontract; there’s no ‘consideration’ paid for a free service.

7.There’s a portability measure copied from banking and utilityprovision, but in this case data is being copied, not necessarily takenaway. It is not explained why it is to be sent from one IdP to another(who will consequently know each other) instead of simply going via theuser. If it is to be provided with a transfer of liability forcorrectness then it is unreasonable to demand it be at no charge.

8.The more data that HMG demands that IdPs hold, the worse for privacy aswell as security (higher return for attacker so higher threat) and cost(protection and upkeep). The ‘matching data set’ still seems to be indraft, so one can’t comment here on privacy aspects other than to stressthat users will not understand and so not be impressed by thesubtleties of privacy v data protection, aggregation v accumulation,accreditation v certification, matching v sharing.

Users should begiven the opportunity to use common persistent identifiers which theyunderstand such as NI numbers rather than something clever that they donot. This will also aid international interoperability. Methods such asmatching by address (especially old addresses) would change, but do notnecessarily reduce, the threat to individuals (and to the system).

9.The introduction rightly notes the importance of knowing that somethingis safely delivered to the right organisation, but support foridentifying organisations to the user does not appear in the principles.

10. ‘Levels’ are talked about here (and also in the draft EURegulation) as if they are one dimensional and well understood, but theISO standards are still in draft, and GPG45 has three axes (C,M,L). Theyare going to be important for the system, but few users can be expectedto know or care – at least until they find that they are second-classcitizens because they don’t exist in one dimension or another. The 2002e-GIF ones, which turned into the US OMB/NIST definitions are suitablefor (large) ‘closed’ systems, not necessarily for open ones.

11.At the end of the multiplicity principle is a very differentrestriction: the Service Provider doesn’t know the Identity Provider.The commentary does not offer anything on this, or on the resultingability/difficulty/delay for correcting errors. It is right that theIdentity Provider may know the Service Provider, but it is not clearthat they should know which specific service.
(The interfacespecification does not appear to be openly published, so not clear howthis asymmetry is accommodated. If it isn’t, then a different set ofissues arises in relation to repairing mistakes.)

12. Thereseems to be an assumption that attributes will be checked online,whereas things like degree certificates, passports, residency permitscan or could be checked digitally (and even offline) without alertingthe issuer, so long as they are digitally signed in a standardised waywithin a defined and understood infrastructure. Not only is thissimpler, it’s privacy friendly and the user can see that they are incontrol of what information is handed over.

13.What is the intended use of the design principles? The relevant OJEU  statedthat the system needed to be fully operational from Spring 2013. The companies who invested must be anxious for the opportunity to get areturn on investment. It now reads like part of a case for legislation.The doxology “all exceptions by parliamentary approval” (albeitundermined by the further demand for independent scrutiny) sits uneasilywith earlier indications that primary legislation was not needed forroll-out. No evidence is offered that it concerns users or wouldplacate them. If the intention is still to re-use existing credentialsthat users already have, then these come with existing terms and conditions andprivacy statements to which the users are already signed up. Principlesthat will work for “everyone” may not be what 80% want, or need, or canafford.

Precedents on parliamentary agreement such as the release ofPNR information to the US (but not to Russia with the samejustification) are not good in terms of user confidence that their(individual)  information is being protected.”

Final Comment from Philip Virgo:
I am happy to accept comments on the above, but remind readers that these should also be included in their own responses to the Cabinet Office consultation. Equally importantly they should be reflected in inputs to the various EU and other consultations on this topic. If that is too much to ask, then I recommend working together with your peers, via your professional bodies and trade assocations and via cross sector groups like the Digital Policy Alliance (I am now only a member of the advisory board) . Otherwise you risk being stitched up by the sellers of legislative and regulatory snake-oil whose clients are those building compliance empires including within your organisation, not those seeking to inspire confidence among your customers in dealing with you on-line.