We all have multiple identities in the digital world but there is a need for some organisations and governments to have our identity authenticated – we need to prove “who we are”.
And that is where it gets difficult. Some of our identities are not that important. Lots of people have had their Facebook identities stolen – had other people making posts pretending to be them – identity theft. Not very nice for the person whose identity has been stolen; it could be quite traumatic, but in the wider scheme of things it is not really that important. The same happens on other social media sites (Twitter, LinkedIn etc.), and part of the answer is to improve security using two-step verification or two-factor authentication (2SV/2FA).
Other identities that we hold are more important – our banking identities, for example – and these should have even better protection, though many don’t. There are, however, simple ways to limit the damage of any banking breach, e.g. by putting a cap on daily transfer amounts.
But even more important than our banking details is “who we are” – our identity as it appears to government departments, health authorities etc.
In the UK we do not have a National Identity Card (NIC) – a single document that everyone has and which contains (in electronic form) a lot of information about a person as well as easily identifiable information (a picture) and biometric identification (fingerprint/iris scan). An attempt by the UK Government to implement a NIC failed due to opposition from privacy advocates (myself included).
The UK Government is implementing such a system via the back-door using private contractors – a scheme called Gov.UK Verify. One of the first Gov.uk Verify providers is the Post Office. The range of services that a verified identity opens up to fraud is significant – see the list – and the government intends to add even more to it: virtually every public service.
The first problem is that the technical solution the government is deploying is based on “Federated Identity”, which is technically very complex, has been shown by several groups to have technical holes, and has already been rejected as not fit for purpose to protect health records, although it seems that that objection is being over-ridden.
The second problem is that these “Gov.uk Verify Identification Providers” cannot themselves be trusted; one of them, Experian, was recently hacked. There is no point in Experian explaining that, like the maid’s baby, it was only a “little breach”. A breach of any of the providers will expose a lot of people to a high degree of financial risk – tax refunds could be diverted, cars stolen (who owns your car – do you – can you prove it?), with the possibility of a wave of financial crime that the Police cannot/will not investigate – they already claim they do not have the resources to investigate most on-line crime.
The third problem is that, despite assurances and a lot of work being put into guidelines that would protect the owner (you), these have not been implemented. Also, the owner (you) has to secure their identity with a password and many people have a very relaxed approach to protecting their passwords. This is probably the most important password you will ever have.
A fourth problem is to what extent we can trust the Identity Providers – Experian etc. not to use the data they hold on us for other purposes. Experian’s main business is selling information about people and several of the other Identity Providers are in the same business (to a lesser extent). There is no indication that the Gov.uk verify data will be “ring-fenced” – the contracts have not been made public. It is one thing for a company like Experian to hold financial data about people but when you add health records, employment records etc. it becomes quite frightening and even more frightening when you understand that inferences can be made from the different data items. For example, a person with a good credit history might be refused credit or health insurance if medical records showed that the person also had a heart condition or genetic defect.
I could add more problems (cyber attack by a foreign power etc.) but the underlying problem is that the implications of the security process failing and the impact on citizens who are unable to prove their identity in the digital world have not been thought through. Government ministers do not understand IT very well (at all) and you may remember that when Universal Credit was first announced it was going to be “Digital by Default”. John Seddon pointed out that this was a nonsense because many of the people it applies to are on the margins of society and it was quietly mutated to “Digital First”. That a major government initiative (Universal Credit) should get so far with such muddled thinking behind it should be a major cause for concern but there are others – the Northern Powerhouse/HS2/3 and the HMRC’s digital drive which has just come in for major criticism from the Treasury Committee. Another Universal Credit fiasco in the making?
Many people will cease to exist, at least from a government perspective. There are a lot of people on the margins of society (one recent estimate was 10%) and the issue was brought home to me recently when a friend took a homeless man under her wing. Getting him back into “the system” i.e. welfare, medical attention, electoral roll, bank account etc. is proving to be a nightmare – even with the help of a very articulate journalist with a PhD.
Update May 2017
A recent article by Jeremy Fishenden – the former head of the Cabinet Office Privacy Group (PGAG) – is pretty damning about gov.uk Verify – it really is time to kill it off. I first came across it when I was invited to apply for the CTO role at DVLA in late 2014. I read about it and wrote the above article because it is obvious to anyone with a background in I&AM that it had many technical and operational holes and could not be made fit-for-purpose. I explained this to GDS but the response was to put their hands over their ears and repeat la-la-la-la-la-la-la…..
Update January 2018
And Equifax have had a 140m user breach including 700k in the UK (although gov.uk Verify does not use Equifax).
HMRC’s attempt to use gov.uk Verify caused huge problems for people trying to file self-assessment tax returns by 31-Jan.