Thursday, March 3, 2011

56 - Back to the Future of ID Card By David Birch

Back to the future of the ID card
By Dave Birch posted May 18 2010 at 12:53 PM

[Dave Birch] Well, it's bye bye to the ID card. In the end, I shouldn't think that my constant whining about the scheme made a ha'pence of difference and my time on the IPS Advisory Forum was probably wasted. I did make representations (invited, I hasten to add) to a couple of Conservative think-tanks in the run-up to the election, having previously made a number of representations (invited, I hasten to add) to the Government and its advisors. What I said was, in essence, that the Tory plan to scrap the ID card was almost as bad as the Labour plan to keep it. Neither the existing scheme nor the Coalition scheme (ie, nothing) actually solves any of the problems that the lack of an identity infrastructure creates and I absolutely predict that the lack of such an infrastructure will in turn create a major barrier to improving efficiency in public services: it's going to be really difficult to move government services online, introduce more self-service and reduce fraud without some form of identification and authentication system.

It's fair to observe that there are many people (eg, the LSE team who did the original detailed review on the Home Office's ideas) who are enjoying their "told you so" moment. The old scheme, created by the Home Office and their development partners PA Consulting back in 2004, was never going to work. It was flawed from the start, and as a showcase for the British technology industry, it was an embarrassment: it provided none of the services that the identity card systems in advanced nations (eg, Germany, Hong Kong, Estonia) provide and there was never any evidence that it would do so. There were no specifications, no toolkits, no APIs. I should say that I don't blame the people working on the project over at IPS, many of whom I have great respect for: the project was doomed before they started work.

There has been no single narrative explaining what deficiency the card is supposed to address: instead, it has been sold as a cure-all remedy for a host of problems. One minute it was touted as tackling illegal immigration or benefit fraud; the next it was the magic bullet for terrorism and organised crime.

[From / World - MPs deride £5.4bn cure-all]

Indeed, and the card that was built was not only pointless but functionless, implementing nothing more than the existing e-passport application. It wasn't as if they didn't have the money to scour the planet for the best advice.

In 1997/98, the Home Office's total spending on consultants was £7.6m. By last year, it had rocketed to £147.9m. Spending by the Identity and Passport Service - the arm of the department in charge of the ID cards project - has gone up in the same period from £237,000 to £30m.

[From High price of launching ID cards as consultants cost us £150m | the Daily Mail]

I can well remember taking part in the "consultation process" at the time. I can also well remember feeling rather angry about it: no-one paid any attention (as far as I could tell) to any ideas or opinions about the scheme or the vision for identity management, only about the procurement process. In particular, just as the Home Office never paid any attention to our submissions about the original entitlement card concept (more on this in a minute), they never paid any attention to any modern conceptions of identity and set about building an electronic version of the scheme that was abandoned in 1952. An electronic version of a paper card and an electronic version of a card index. There was always an alternative...

Many people do think eID could and should be implemented without full identification, i.e. more granular disclosure with pseudonymity - see e.g. Dave Birch's brilliant and very readable paper "Psychic ID: A blueprint for a modern national identity scheme" (PDF).

[From Tech and Law]

WH is much too kind, but there you go. Anyway, we are where we are, in an identity limbo. Where do we go from here? It's traditional for incoming administrations to want short and simple instant fixes, so here's a practical three-point plan...

1. Turn the "Identity and Passport Service" back into the "Passport Service" and rebrand the current ID card as "Passport Plus", an optional extra for people who are applying for or renewing passports.
2. Start an accelerated consultation process for an Entitlement "Card" that will be mandatory within the lifetime of this Parliament for access to public services.
3. Publish an API for using the service and provide open source software for people to start building services.

I say "Card", of course, because any such plan would distinguish between the identity application that might reside in a smart card, phone, watch, hat, badge or implantable microchip and the smart card, phone, watch, hat, badge or implantable microchip itself. So, my Entitlement Card might have an identity application on it and my mobile phone (SIM) might have an identity application in it and they both have public key certificates with the same link to my entitlement number (or whatever) in it. I'll have to turf out our original response to the entitlement card consultation process and tart it up.

The toolkit of technologies needed to do this -- everything from digital signatures to biometrics to NFC to OpenID -- is already in place. By going back to the original version of the government's pre-Blunkett plan, the government and the industry together can create a more targeted project that can actually contribute to UK plc. I have to say, as an aside, that Consult Hyperion's experiences advising the Irish government on their Public Services Card project have reinforced to me that focusing on a clear, simple and specific goal makes a very, very big difference to national infrastructure efforts of this kind.

I'd prefer the government to commit to psychic ID, naturally, but as that's unlikely to happen we need to build something else workable. If we want to have an identity system for more general use throughout business, as distinct from a public services card which would have the sole aim of efficiency in public service delivery, it's not necessary for the government to provide it. In Scandinavia, they've gone down a different route, of having the banks provide the identity system and having other companies and government departments use it. Norway is an interesting case study.

Internet usage in Norway amongst citizens over 15 years old, according to FNO’s estimates: In 2000, 48% of citizens have internet access, and 17% use internet banking; By 2006, 79% have internet access, 68% are online banking and 26% are shopping regularly, defined as those who make more than five online purchases per annum; and today 89% of Norwegians have internet access, 79% are online banking and 47% are shopping online regularly. FNO put the doubling from 2006 to 2010 down to the success of BankID.
BankID is used about 800,000 times per day on average. This is known because each time a secure internet transaction is requested, the BankID downloads a Java identity to the user. In fact, they know more than this, as 60% of their 2.5 million users (2.2 million certificates, with a further 300,000 issued to users who have more than one bank account) use BankID for online banking, but 40% use it outside banking across 155 merchant websites representing about 5% of transactions. A third of the transactions are digital signatures by the way, rather than securing payments transactions.
BankID has moved beyond the internet as Norway’s largest mobile carrier, Telenor, funded the move of BankID onto mobile SIM chips in 2009. There are now over 9,500 mobile BankID certificates issued and many more expected.

Surely British banks are as clever as Norwegian banks and British telcos are as clever as Norwegian telcos, so why don't we go down the same road? I've already got a Barclays PINSentry at home and would be more than happy to use that to log in to everything from eBay to EDF.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public