Top Marks for Big Brother Watch

Only rarely does the blogosphere publish such a complete and balanced review of information assurance. It was so difficult to challenge any point that Quarkside has only extracted some points for brevity. Toby Stevens quoted in full an article that was originally published by Big Brother Watch in their book “The state of civil liberties in Modern Britain”.

It is prefaced on “The Department of ‘No’”:

  • NO central information assurance function in the Government.  It is thinly spread among many agencies.  For example the Cabinet Office is responsible for CESG, the Cabinet Office Security Policy Division (COSPD) and the Office of Cyber Security and Information Assurance (OCSIA).  The MOD and other departments do their own thing.
  • NO ‘Government Chief Information Security Officer’ or ‘Office for Government Information Assurance’. “… no one individual or organisation accepts accountability for the proper governance of data in the public sector”. “Each department and agency has to pay to support its own security infrastructure rather than drawing upon the economies of scale that might be achieved by a central security team working for the common good of government. The information assurance environment is far from cost-effective.”
  • NO rational Information Risk Management.  Security incidents will always occur, and the public sector culture is to look for someone to blame.  As a result, public authorities are unable to obtain cost-effective information security controls.
  • NO Secure Systems. “Local authorities and arm’s length bodies very often fail to comply with government security standards simply because they don’t know that those standards even exist, and if they do, they can’t gain access to either the standards or cost-effective individuals who are able to assist them.”
  • NO Privacy by Design. “How else could designs such as the ill-fated Contactpoint, or the NHS Summary Care Record, be allowed to exist where hundreds of thousands of users can access millions of individuals’ sensitive private records?”
  • NO Open Source Software. “Without a vendor to pay for security testing the patches and updates under the current regime, open source software will remain largely inaccessible for government.”

However, the report is not entirely negative. Seven recommendations are given which seem to show great common sense. Again, it is worth reading the full document and not just scanning the list below:

  1. Appoint a pan-government Chief Information Security Officer as a new focal point for information assurance.
  2. Create a government CISO Council.
  3. Consolidate existing duplicate information assurance services.
  4. Ease the administrative security regime for lower-value data.
  5. Sort out the existing mess of unaccredited Whitehall systems.
  6. Voluntarily accredit open source software where appropriate.
  7. Develop the information assurance profession.

“If we want an information assurance function that really supports public authorities, and that can deliver more for less, then these changes are cheap and easily done. We simply have to ask OCSIA to reform the information assurance function, give that office the power to do so, and support it when it encounters inevitable resistance from within the security establishment. All it takes is the will to say ‘YES’.”

Thanks are due to Robin Wilton for tweeting Toby Stevens’s blog entry.


Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me. “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago”.

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

  1. A person does not need a Unique Identifier (UID).
  2. The Law does not demand a UID.
  3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings, “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”. No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

  • Citizens and officials understand their own requirements and can agree an acceptable set of processes.
  • Governance, rights, responsibilities and constraints must apply within the Law.
  • Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?”  Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust to meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, they may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances.  A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed.  No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO): it does not cover every person in the UK who might be entitled to a public service; children, if you want an example. There are restrictions on where NINOs can be used and re-purposed. Look at the governance problems engendered by the defunct ContactPoint. The Data Protection Act permits cross-referencing of computer files when fraud or a crime is suspected. Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID. UIDs are technologists’ shorthand for a key that identifies a record in a data store; it does not identify a person. It identifies a computer record.

Quark 3:  Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities; stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies.  Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology.  My proposal, made five years ago, was based on properties of Google. Not Google, but cloud based technology that permits intelligent searching of linked data, leading to identifying the right person.  The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.
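The Linked ID idea described above, as an added example that is not the author's own design or code: records in two disconnected stores are linked pairwise on only the fields a citizen discloses, each link carries a graded assertion, and the resulting strength is compared with what the requested entitlement needs. The store names, sample records, grades and thresholds are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample records: two disconnected stores, each with its own local keys.
COUNCIL_TAX = {"ct-17": {"name": "Ann Lee", "postcode": "AB1 2CD", "dob": "1970-03-04"}}
LIBRARY = {
    "lib-903": {"name": "Ann Lee", "postcode": "AB1 2CD"},
    "lib-904": {"name": "Ann Leigh", "postcode": "ZZ9 9ZZ"},
}

# Assumed grading of who made the assertion, and assumed strength needed per service.
GRADE = {"self": 1, "official": 3}
REQUIRED = {"car_park": 0, "library_card": 2, "housing_benefit": 6}


@dataclass(frozen=True)
class Link:
    """A LID: a pairwise mapping between two local records, with no global key."""
    left: tuple        # (store name, local key)
    right: tuple       # (store name, local key)
    matched_on: tuple  # fields the citizen disclosed and both stores agree on
    asserted_by: str   # "self" or "official"


def link_records(left_name, left, right_name, right, disclosed, asserted_by):
    """Link records that agree on every disclosed field; nothing else is compared."""
    if not disclosed:
        return []  # anonymous request: no matching is attempted
    links = []
    for lkey, lrec in left.items():
        for rkey, rrec in right.items():
            if all(f in lrec and lrec[f] == rrec.get(f) for f in disclosed):
                links.append(Link((left_name, lkey), (right_name, rkey),
                                  tuple(disclosed), asserted_by))
    return links


def strength(links):
    """Sum graded assertions; a record linked to several candidates counts for nothing."""
    lefts = [link.left for link in links]
    return sum(GRADE[link.asserted_by] * len(link.matched_on)
               for link in links if lefts.count(link.left) == 1)


def sufficient(entitlement, links):
    """Answer "Who are you?" only to the level this entitlement requires."""
    return strength(links) >= REQUIRED[entitlement]
```

The only keys that appear are each store's own local ones; the link table is the mapping, and no identifier is shared between the two stores.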

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector.  No2UID.


Panic predictable for Election 2015

The Cabinet Office’s new responsibilities and funding will include: “… £85m to support the introduction of individual electoral registration (IER) in 2014 to help tackle electoral fraud by moving away from household registration and confirming identities through secondary sources.”

In total, that sounds a reasonable amount of money, doesn’t it?  Just to keep it in round numbers, that’s about £200k per Local Authority (LA).   What does each council have to do for its money?  My random list:

  • Re-vamp or re-write the current electoral registration software
  • Introduce and communicate new processes, including for postal and proxy voters
  • Verify identity in each LA by using 14 (or more) local and national databases by matching (or not) against the Electoral Register
  • Identify people who are entitled to vote, but have not registered
  • Prevent access to personal data from unauthorised people.

We will finish up with about 400 independent local registers of voters.  So far, so good (as long as you believe that any LA could perform all those non-trivial tasks for £200k).  One of my favourite tools of project management is the crystal ball.  It usually works.  However, if you don’t feel comfortable telling your boss – the best view of the future can be seen by looking at what happened in the past.  The closest I can get to a comparison, from personal knowledge, is ContactPoint.

ContactPoint (RIP) created a single central database, rather than 400 disconnected databases, but had otherwise comparable, but smaller, numbers:

  • 10 million citizens (vs 50 million),
  • 150 LAs (vs 400 LAs),
  • Say, 1,500 system matches (vs 6,000 system matches)

A big difference was the original budget; £250m for ContactPoint, £85m for IER. In other words, each IER LA will have about one eighth of the budget (£200k vs £1.6m) for a project of greater dimensions and equally complex security issues. IER has a timeframe of about 3 years. ContactPoint consumed about 7 years – including a long hiccough for Security by Afterthought. As our American friends say, “Does it compute?”

My answer is – No. If you use the same architecture and development strategy.  Like a submarine, it will head for the rocks, and those on the bridge will panic – but not those who benefit from failed projects.

The answer is – Yes.  If you find a strategy that results in an order of magnitude improvement in the effectiveness of ICT.  I believe it may be achievable. Answers on one side of A4 should be sent to the Cabinet Office.  I am preparing mine.
