Towards a Unique Government Policy for identity? What's new this time?

I have yet to digest the implications of the Government response to the strange consultation on digital identity systems issued by DCMS last year. Bryan Glick’s summary is a good introduction to the headlines. But it raises more questions than it asks as to what the responses to the consultation really were, let alone what the drivers behind Government policy are, and whether what is likely to be proposed will address them any better than previous failed proposals. And that is before we think about the increased risk of systemic fraud, on-line harms or threats to civil liberties from the compulsory use of unique digital identities. However theoretically secure the technology, the systems will be operated by humans who are not.

I was therefore delighted to receive an e-mail from my mole in the West Country. He had been through the announcements and commented that we appeared set for a re-run of what had failed under the last Labour Government, with nothing learned since the failure of Francis Maude to find a better way after the 2011 election.

A decade ago I asked what had changed in 5,000 years in the battle for control over cyberspace between Warlords (who want identities to conscript and tax their subjects, but not to accept liability when they are forged) and Merchants (who want to use identities issued by those who accept responsibility and liability for losses caused by their own misconduct and mistakes).

Cabinet Office and DCMS are among those who have difficulty remembering that the use of electronic signatures dates back to the growth of telegraphy services from the 1850s onwards, with common law test cases and authoritative judgements on liability from 1865 onwards. Meanwhile the UK’s only globally recognised services for authenticating signatures and documents, physical or electronic, (the Apostille services of the Notaries and Scriveners) are regulated by the Faculty Office of the Archbishop of Canterbury (which took over from the Pope in 1533).

It is over five years since I last covered comments from my mole (under the pseudonym of Jim Prideaux) on the UK Government’s ambiguous approach to digital identity. He does not share my view that, since it is clearly good to have a single, unambiguous, all-purpose (including for Covid) policy towards digital identities, it is equally self-evident that every department should have at least one, preferably more, policies as well as multiple identity systems of its own, which it does not share with others. Thus DfE (which he does not mention below) has separate identity systems for pupils (at school) and students (at college) and they are mutually exclusive – neither to be used by employers for work experience, let alone by other departments and agencies.

I do, however, respect the views of my mole and have not edited the guest blog below, other than to insert links to some of the sources he cites and a comment when I could find none. That was embarrassing. The only reference on Google which did not lead to a broken link led to a Gov.UK blog in 2015 on which I commented at the time. Interestingly the promise to fix one of the Verify flaws (concerning married women with legal identities in both their married and maiden names) has still not been kept.

= = =

What’s different? – comments from a long service follower of Digital Identity policy and practicality across the world, as well as UK and EU.

‘Jim Prideaux’ was baffled by the report in The Times on 2nd September about unique identifiers and a digital ID card, having failed to spot any mention of this in the government’s published response to the consultation issued the day before. Closer reading spotted that the Times was reporting a Number 10 initiative, seemingly orthogonal to the policy from the elusive/homeless Digital Identity unit, but consistent with the announcement of the £15,000,000 to help the World Bank’s ID4D, which has unique identifiers covered in enough fudge to make it impossible to criticise. Perhaps the civil service culture change will break the logjam where even the endless consultant reports get bad news filtered.

So what’s changed since 2010, apart from the colour of his beard?

The September 2020 response to the July 2019 consultation, due before Christmas so that industry could be ready for April 2020’s end-of-Verify, raises the question as to what’s different this time; most of the aspirations sound exactly like what Francis Maude was preaching in 2011. It’s not considered polite to mention the lessons learned, or why Manzoni let it slide for so long, but there are some subtle differences.

Departments visibly on the board are the ones already developing digital ID systems as Verify did not meet their needs and they have tasks to do: the Home Office, the Department for Work and Pensions, HM Revenue and Customs, the Department for Health and Social Care, the Department for Transport, Business, Energy and Industrial Strategy, and HM Treasury.

These need no longer be done covertly to avoid a Cabinet Office veto.

There are still notable exceptions from the high table, including: the Scottish Office, NI Office, and Welsh Office (for different law, borders, and with multi-lingual experience); Local Government (for many the most frequent but also a potential provider not just consumer); Electoral registration (including EONI); The notarial regulator (since 1533 in England, the Faculty Office of the Archbishop of Canterbury) seems to have been ignored, but perhaps that avoids the ICO’s problem of being good and bad cop; General Register Office (who keep the prized canonical records); HM Passport Office (who issue travel documents at scale); DVLA and DVA-NI (staunch defenders of the data protection principles); NCSC (from whence the GPGs came, not to mention public key cryptography in the 70’s).

There are unspecified legal changes, something that Cabinet Office had been stating were not needed. https://identityassurance.blog.gov.uk/2015/03/27/working-with-the-private-sector-to-verify-identity/

  • The most glaring, yet still esoteric, is the need for holograms on age identification, which is hard to do online.
  • Transparency (in sense of visible not invisible workings) is good for acceptance (without a digression on the significance of still-trendy ‘trust’ ); in what way does it differ from the earlier openness (which still does not apply to appointments and contract awards excused by Covid)?
  • ‘will be balanced’ is exactly in line with the European Convention on Human Rights Article 8, but who does the balancing? The ECHR exemptions only talk of public authorities, so can these be done in the private sector (other than simply under contract from government)?

There is now talk of a ‘digital identity economy’, which is surprising when the wider clamour was for the infrastructure to support the regular economy. If there is (to be) such an ID economy, who is selling what to whom? Until this is answered the politicians are buying different flavours of snake oil.

There is an unfortunate appearance of the loaded term ‘citizens’ which was absent in the forgotten GPG43/RSDOPS and similar as it’s the (non-EU) European Convention on HUMAN rights that is pertinent.

The consultation asked 25 questions (21 but 2 in 3 parts), and it was exceedingly difficult to give coherent responses and examples within the requested word limit.

A ‘pragmatic approach to international digital identity standards’ is indicated; the implications are not transparent, particularly when guidance is confused with normative standards, and the term International may or may not include European. There is hope it means to play nicely in the long-established standards process through the national body, BSI, sponsoring work to provide and maintain free standards not just freely-available (at a cost), but a danger that urgency will be invoked to short-cut the process.

‘The level of enthusiasm and engagement of those who participated in the events was high.’ does not accord with the experience of the Birmingham event, perhaps because it was held the day after the consultation period closed, so it was too late to submit. It was unfortunate that there was no event in Wales or Northern Ireland.

‘once the UK has established a viable model …the UK should encourage other nations to consider following our approach’ is not as pretentious as it sounds if put in the contra-positive: “should not encourage until….”

That is safely well in the future, or in the past, specifically about 2002.

‘the potential to reduce this opportunity to steal and use stolen documents’ was noted, although that requires physical access, but not the opportunity for new ways to perform crimes that can be done from anywhere in the world and rarely allow for restitution or prosecution.

The ‘benefits in international interoperability and mutual recognition of e-authentication or e-trust services’ is misleading in suggesting there is something mutual going on when it’s really a unilateral decision, not an agreement. The declared e-authentication policy is inconsistent with the relevant Brexit Statutory Instrument which simply says ‘Omit chapter II’, i.e. pull the plug.

There is also no explanation as to why no submissions have been published centrally.

Here are a few items for the agenda for the new board:

  1. The long-standing principle that the public sector does not compete against the private sector blocked local authorities and others from being providers. Many countries provide services for free, against which it is hard to compete unless they are inadequate (See M6 toll road for a simple example). Is access to public data going to be charged, and, if so, on what basis – given that subject access requests must be free?
  2. How will anyone with official digital documentation be able to check that it is from an authoritative source?
  3. Identification flags up illegals, for which different departments have different policies (Education, health, Home Office). What is your policy for handling them?
  4. Part of ID4D is a model based on having unique state-provided ID (upon which privacy-preserving processes can be built such as authentication in a given context), although that seems to have had difficulties in Scotland. Is a new or existing unique identifier envisaged, or is this model only for other governments? Has anyone told Dom?

Apps are all the rage in some areas, yet blocked by GDS where it can.

When will there be a coherent policy on government provision or support for apps?

Data protection principles such as only using data for the purposes for which it was collected can be over-ridden by law, but it is only prudent to do so when the data quality is adequate for the intended new purpose. If wider use of data is envisaged, what is the budget for cleaning it up, and how long will it take?

Have you all read the lessons learnable list?

And has the PR department had a history lesson so they don’t announce 15-year old initiatives like passport/BRP checking (needed by all employers) as innovations?

 
