Be sure of making the complete case

Governments and administrations are transient. And however complex, they are simple when compared with the complexities that surround how ID cards may be taken to and applied by the population. ID cards are only part of the identity management solution - not the solution - nothing ever is, writes Daniel G Dresner of the National Computing Centre.

Let's be sure of the business case for ID management, and then we can hone the requirements. IT without complete requirements - we've all been there. So far the business case put forward is piecemeal, suggesting partial benefits that fit the concerns of the day - but no definitive political reasoning.

Let's "assume ID cards" for a moment and reverse-engineer the IT landscape. We're at risk of not using IT effectively. Let's look at what we've achieved so far: what's already in the bag? We've already got a rich library of identifying information in the form of passports, driving licences, NHS numbers, National Insurance numbers, not to mention the potential heuristics of a myriad of other activities (that may be harder to forge). Then there are the architectural efforts of the Transformational Government strategy - as firm a foundation as we're likely to find or create.

And let's not shout 'HMRC discs' here. The point of IT is to manipulate information effectively so the information that the National Audit Office required should have been extracted, packaged, transmitted and unpacked electronically and securely throughout. If it was too difficult or expensive, then woe betide those who made it so.

The Home Office tells us that ID cards will help protect people from identity fraud and theft; ensure that people are who they say they are; tackle illegal working and immigration abuse; disrupt the use of false and multiple identities by criminals and those involved in terrorist activity; ensure free public services are only used by those entitled to them; and enable easier access to public services. With so many topical claims, we risk creating a headless hydra that will require grafts, patches and repairs. It will be a monstrous hybrid without a heart. If we start with piecemeal solutions to part of the risk treatment for (say) undesirable immigration (or attempts at immigration), or terrorism, then we start to believe in the card and not the defence-in-depth approach that risk management requires.

If this is going to work then we need to keep sight of four aspects that will instil trust in the cards:

  • Trust in the meaning of the cards
  • Trust in the process for using the cards
  • Trust in the integrity of the information represented by the card
  • Trust in the technology manifest in and supporting the cards

Meaning: The cards should not become our digital persona for there is no such thing (see the recent Crosby report). They are an instrument for each of us to help assure others of our identity. The verifiers - be they an e-government service or a commercial vendor - should be taking an in-depth approach to identity management and work on the mutual risks to allowing a transaction to take place, be it physical entry or on-line activity. If I have an ID card, it won't make me any more or less honest than before.

Integrity: If we have the mechanisms of the Information Commissioner (and a general desire to strengthen this framework) at the core of the scheme's governance, then common-sense prevails. Critical audit is the way forward for quality management - plan, do, check, act. And how much can we rely on the use of cards when the card is in one place and the verifier in another? Do we risk creating the National Post-It Note with cards exchanged like passwords?

Process: Have we got the 'business case' for managing the lifecycle of information associated with ID cards? Involvement with the journey of that information is not restricted to the moment that the card is used for verification. Are we in danger of providing a single link to strengthen little sister harvests? How much will transactions come to rely on the card? What are our plans for service (business) continuity during a power cut or a gummed-up card reader? Make the process engender trust in the 'meaning' - if the initial recipients are those 'expected' to try to claim benefits they're not entitled to, it brands the scheme as designed for 'digital exclusion', which applies to most of the Home Office description.

Technology: The great quest for interoperability led to the definition of e-GIF (the e-Government Interoperability Framework). The development of worthy cause foundation standards that help shape technology choices rather than constrain them has been left in hiatus now for three years. The government's mandate of e-GIF standards - designed to help make systems talk to each other without spending millions on middleware and integration each time - hasn't been enforced. A great shame, given that there is more on interoperability of electronic service cards in e-GIF than any other part of the service provision landscape. If we're going to get the quality of service right, then BS ISO/IEC 9126 is a good starting point.

Let's learn lessons from previous successes and failures. Let's have a clear and widely accepted answer to the question: "What are ID cards for?" If we can put a hand on the despatch box and say: "ID management in the 21st Century" then we can breathe a sigh of relief and bear our cards with pride. (The roll-out plans are another story.) If we're aiming to have something artificial to identify ourselves with, then if we keep this standard flying, we are at least beginning with the objective of a holistic resource that will be supported by adaptable, interoperable, effective IT.
