Few outside the community of those obsessed with digital identity will keep up to date with postings and comments on the Gov.UK Identity Assurance Blog but a regular reader recently drew my attention to a recent posting, on “User research – asking better questions” . He asked why they were relying on feedback from current trials and had not looked at the market research conducted by others, such as Experian – although he did not say which research they should have looked at.
found his question interesting. My work with the Tech Partnership (formerly e-Skills) on the training modules needed to help organsiations survive the impending cybersecurity skills crisis is largely focussed on identity and access management: IAM.
The skills involved in IAM range from “authenticating and authorising transactions over smart phones”, through “bring your own device” to “multi-level access and authorisation in complex organisations with large numbers of customers, contractors and staff with different permissions in different locations” (e.g. airports or global banks). A cross-cutting issue is the vetting and monitoring of those to be given which access permissions. The processes are complicated by regulatory issues (including data protection), with compliance officers themselves a significant point of weakness, because so many are in post for 18 months or less.
Most discussion of IAM is focussed on the digital components but workable systems are nearly always underpinned by rigorous people processes – except when the organisation is confident that it will not be put a significant risk from insider assisted fraud or unauthorised physical access to safety critical or secure facilities. Where that risk is significant the systems always embed inputs from those who have done physical checks as to the identify of those to whom they have have given electronic credentials.
I am therefore unconvinced that any identity based purely on digital footprint (whether or not it includes on-line financial records) merits my trust, let alone that of those looking after my savings or of the critical national infrastructure. I am therefore not impressed by requests to provide feedback over the precise wording of a requirement to make personal financial information available in order to obtain a digital identity that is more acceptable to government that those it currently requires us to use to pay our taxes or claim benefits.
One of the problems with the original attempt to require farmers to use “Verify” for inter-actions with the Rural Payment Agency was the belated discovery that nearly 20% have no digital footprint – or at least no footprint discernible to the identity providers. More-over those who have never had to borrow money and have always paid cash see no reason to provide their financial information so some-one with whom they have had no previous dealings for unknown transmission and storage. That is not to say they are digitally illiterate. They may well use mobile or satellite services to keep abreast of prices for livestock or crop or to access on-line auction sites but because of not-spots and crapband* have to do so from wherever they can get a signal or via their own choice of trusted intermediaries. They are also often well aware of the risk of fraud and impersonation.
Now let us look at those most reliant on public services, including those stuck on sink estates or transient between bedsits or caravan sites, including those who share their identities which whichever member of their “extended family” they trust to collect their benefits and do their shopping. Hence my expectation of an all-party backlash against the “digital by default” agenda because there is a very big difference between using technology support to provide better services at lower cost and “herding the sheep on-line to be fleeced” . .
I am particularly concerned at the potential risk of those dependent on benefits having their identities registered on-line by fraudsters and their being unaware until left destitute.
More recently I was struck by the findings of the Digichampz Survey conducted under an EU contract by the Digital Policy Alliance for presentation in Huddersfield and a month later in London.
This survey is unusual in that it is based on a high response from on-line users in a poorly served (connectivity, let alone support) rural community. I do recommend looking at the actual report not just the headlines. Despite the editors comment security and child protection were of low concern compared to getting a reliable connection at all, around half the respondents were concerned about security and a third about on-line child safety.
Now back to “Verify” – if I ever get round to applying for an identity, because I am forced to in order to (for example) do my VAT or tax returns, I will probably use the Experian service – but to call this a “digital by default” service would be a misnomer. Experian will be comparing what it is told on-line with what it has collected on me over several decades from those who would not serve me in a department store or mobile phone shop until I had signed a form permitting me to check with Experian as well as giving other proof of identity.
That is not, however, possible for a couple of my “legal” identities (as a trustee or director) because the organisations concerned have never had reason to borrow or purchase anything on credit. I therefore expect those selling to them to require me to use a variety of rather more secure IAM systems, including those that are global and do not reply on local political agendas. I have no problem with this – provided their services are securely firewalled from each other, with my liabilities governed by UK consumer credit and unfair contracts legislation.
But this links back to the current cyber security skills crisis. Those selling to me have to manage and insure their risks, integrating the various IAM systems already on the market in support of their people processes, from physical access to customer and transaction authorisation (both on-line and off-line). I do not yet see the business case for them to regard “Verify” as anything more than an interesting experiment.
P.S. The issues get even more interesting when we consider controlling access to the systems controlling smart cities and those along supply chains. There is still remarkably little attention to this area so I was delighted to learn of an event being organised at the Institute of Chartered Accountants on 25th March
*Crapband = “Copper, Rust And other Pollutants” between the fibre (cabinet or exchange) and the premises (home, workshop, office etc.) or the wireless aerial (for mobile or wifi connectivity).