Over the past year the Information Society Alliance (EURIM) has been trying to structure a group to look at Identity Governance: the professional and regulatory frameworks that should govern Identity Management systems and those who run them.
The disciplines for Identity management date back to Ancient Sumeria (supposed roots of the notary and scrivener traditions). The transition to the electronic world began over 150 years ago (including the message authentication routines for East India Company telegraph system, without which the Indian Mutiny would have succeeded).
The tensions between the approaches of governments (to support taxation and military service and control dissent) and business (to support transactions between those who have never met) go back equally far.
There have been sporadic eruptions of extreme brutality on both sides. The botched looting of the correspondence banking systems of the Knights Templar by Philip 1V of France was the basis of the best-selling “Da Vinci Code”. The revolt of the merchants and traders that annihilated the feudal hierarchy of the Duchy of Burgundy was even bloodier. Most exercises to seize banking records or destroy taxation or conscription records have been less violent.
Today we have a plethora of attempts to introduce comprehensive integrated, federated and/or inter-operable ID management systems, by a variety of players, with a variety of motivations. Few involve genuine choice or consent on the part of the “data subject”: alias customer, citizen, victim, patient. “client” or “miscreant”. .
Alongside the experiences of governments in trying to keep electronic track of their “subjects” (for reasons ranging from taxation and law enforcement to education, heath and welfare) there is over 25 years of private sector experience with running ID management systems in digital environments.
That experience covers many industries:
– financial services (from credit cards to correspondence banks)
– security printing (from bank-notes and bonds to embargoed reports)
– credit reference
– age cards and loyalty schemes
– payment clearing and correspondence banking
– notaries and scrivenors
– the mobile operators (from phones and messaging to payments)
– insurance (including life and healthcare)
– freight forwarding (land, sea and air: local, national and global)
and, of course,
– direct marketing: in all its forms: now including the Internet.
Central to the sustainability, not just acceptability but whether they deliver their objectives over time, of ID management systems appear to be five R’s:
· Responsibility (including ownership and the duties of “agents” for the “owner”),
· Registration (including marrying biography and biometrics to electronic credentials)
· Repair (when the registration and or credentials have been compromised)
· Revocation (either full because of serious compromise or partial, e.g. moved from “good citizen” to “suspected fraudster” or “convicted criminal”)
· Redress (who should bear the cost of repair and of compensating the victims in the event of compromise – whether deliberate or accidental).
Central to the Identity Governance debate that we have not yet had, despite a decade of wrangling over the value of government issued identity tokens and over philosophical questions, (such as “who owns my identity”), are five questions:
· how are the five Rs and the people processes that support them addressed (or not) by the various ID management routines already operational or proposed?
· what should be the roles of professional bodies, trade associations, politicians, regulators etc. in identifying and encouraging good practice?
· what should be the means of assessing whether the supporting technologies on offer are fit for purpose and used correctly?
· how could/should inter-operability be handled between different types of scheme (legal basis, management structure, application, ownership etc.), including internationally, across jurisdictions, not just between similar schemes using different technologies?
Structuring the Alliance Identity Governance group has not been easy because most of the willing volunteers turn out to be evangelists for specific solutions, unable to accept that they are entering a mature but evolving market. More-over many are evangelists for solutions that do not address the five R’s any better than those already on the market.
But the UK has to be able to earn its way out of the current economic crisis as a globally competitive location for industries that could be located anywhere in the world. Creating governance regimes that better address business and personal needs and cause customers and consumers around the world to gravitate towards e-trading schemes policed from the UK is a key point of leverage.
Hence the priority being given to this area by the Information Society Alliance (EURIM) – despite the problems with finding those who not only understand the issues but wish to see the answers based in London rather than Zurich, Singapore, Hong Kong or Dubai.