Businesses are being advised to reschedule non-essential meetings during the G20 summit because of the expected clashes between over 5,000 police and a coalition of “anarchist” groups. About the same time we will supposedly see the introduction of requirements to register travel plans for those wishing to leave the country.
Whether or not there is a serious “incident”, the chaos caused by the security clampdown on London and the queues at ports and airports will be used to help bolster support for ID cards.
Meanwhile civilians have lost (to the NSA) the battle to control the co-ordination of electronic security in Washington and CESG is supposedly recruiting 300 security experts to enable it to better handle that of UK central government. The result is likely to be the e-equivalant of training the army to fight the last war but one: the drill sergeants and instructors brought back from retirement to train Kitchener’s 1915 New Model Army did indeed use the 1896 infantry manual because they knew it. The 1911 manual was said to be too complicated.
The debate over Identity Management appears similarly dated, with participants now advocating PKI-supported federated identity systems, nearly twenty years after they were first put forward as a solution to the problems of the 1990s Internet. The world has moved on.
Worse, we still do not have any clear debate of why the proposed new systems are needed, by whom and for what reason.
On-line, cross-border transactions are the latest excuse – but is it any more valid than the war against terror, identifying illegal immigrants or treating unconscious accident victims.
On April 1st I hope to escape to Oxford for a workshop on policy and legal frameworks for identity management. The organisers ask participants for an advance note of thier interests..I thought I would share my draft and ask my readers, if any, for advance feedback:
A Policy and Legal Framework for Identity Management
My objective from attending this workshop is to explore the validity of a few deceptively simple hypotheses and the implications, if they are valid.
1) that ID management disciplines date back to Ancient Sumeria (supposed roots of the notary/scrivener traditions) and transitioned to the electronic world over 150 years ago (authentication routines for East India Company cables, i.e. before the Indian Mutiny)
2) that tensions between the approaches to Identity Management of governments (to support taxation and military service and control dissent) and of business (to support transactions between those who have never met) go back nearly as far: with sporadic eruptions of extreme brutality on both sides e.g. the botched looting of the correspondence banking systems of the Knights Templar by Philip 1V and the urban revolt that destroyed the feudal structures of the Duchy of Burgundy. Attempts to seize banking records or destroy taxation or conscription records occur regularly through the ages. Today we have a plethora of attempts to introduce comprehensive integrated, federated and/or inter-operable by a variety of players with a variety of motivations, few of which involve genuine choice or consent on the part of the “data subject”: alias customer, citizen, victim, patient. “client” or “miscreant”. .
3) that alongside the experiences of governments in trying to keep electronic track of their “subjects” (for reasons ranging from taxation and law enforcement to education, heath and welfare) there is over 25 years of private sector experience with running ID management systems in digital environments, including in industries like security printing (e.g. De La Rue or Williams Lea), credit reference (e.g. Experian, Equifax), age cards and loyalty schemes (e.g. Citizencard, Nectar), payment clearing and correspondence banking (e.g Vocallink and Identrust), Notaries (e.g. Global Trust Centre), the mobile operators (e.g. Vodafone) and, of course, direct marketing: in all its forms: now including the Internet.
4) that central to the sustainability, not just acceptability but whether they deliver their objectives over time, of ID management systems are the five R’s:
· Responsibility (including ownership and the duties of “agents” for the “owner”),
· Registration (including marrying biography and biometrics to electronic credentials)
· Repair (when the registration and or credentials have been compromised)
· Revocation (either full because of serious compromise or partial, e.g. moved from “good citizen” to “suspected fraudster” or “convicted criminal”)
· Redress (who should bear the cost of repair and of compensating the victims in the event of compromise – whether deliberate or accidental).
If those messages are correct (and I do mean if – I do not believe they are “self evident truths”). My interest is in:
· how the five Rs and the people processes that support them are addressed (or not) by the various ID management routines already operational or proposed
· the roles of professional bodies, trade associations, politicians, regulators etc. in identifying and encouraging good practice
· the means of assessing whether the supporting technologies on offer are fit for purpose and used correctly
· inter-operability between different types of scheme (legal basis, management structure, application, ownership etc.), including internationally, across jurisdictions, not just between similar schemes using different technologies
My day job is to help “educate” politicians and I wish to see them explore “least dangerous”, rather than “optimum” ways forward. I seek to delete the “o” when whenever I see it. In the “real” world “optimum” is almost always “seriously sub-optimum” before it is operational.