What’s in a name? EURIM

For many years EURIM has been influential in information technology policy in Parliament.  It is obvious that the acronym, recently exposed as European Information Market, has passed its sell-by date.  The secondary name became the “Information Society Alliance”, and that has now been replaced by the “Digital Policy Alliance”.  Perhaps this is destined to become the new primary name.  But beware, this could become the DPA.  If so, it risks becoming confused with the Data Protection Act.

They have launched a new website at http://dpalliance.org.uk/, with a strapline ‘informing policy for a competitive, inclusive, networked society“.  Great aspirations, but avoid using the site on small mobile devices such as smartphones. The layout is too wide and complex, needing enlargement and sideways scrolling.  The font sizes are small, cramming more on a page, causing problems on small laptops, too.   The website is thus less inclusive than it could be.  Any visually impaired users of the site will have problems.

SOCITM, for a soon to be launched Website, decided to commision a simple 2 column design with the main text, on the left.  It will automatically resize to the device screen size. This avoids the cost of a special redesign for mobile devices.  Old school graphics designers don’t like this style – they place artistic impression ahead of usability and accessibility.

Digital Policy, to be inclusive, must respect the needs of the visually impaired.

Root Identity Principles. Don’t panic.

Here are some principles of Root Identity, arising as a result of a recent Eurim meeting – Principles, quoted in full.

1. Only the state needs an assured root identity (level 3). Therefore most people (but not all) have a root identity logged with a state.
2. A Level 3 identity is only required for “beyond reasonable doubt” which is itself a subjective legal term, but the test required for criminal prosecutions. Even then it is not always needed as the test is to prove “beyond reasonable doubt” that a bit of wet carbon performed the action in question. So for murder etc the identity does not matter per se. For criminal fraud, identity theft, etc. it does. So for most things a Level 2 “balance of probabilities” identity is all that is required as a civil prosecution requires this test.
3. Most Government and pretty much all private sector interactions only require a level 2 ID. This is normally a persona linked only during registration in some way to the root ID (e.g. passport for ‘know your customer’).
4. Many interactions only require a Level 1 identity “User asserted” or a Level 2 identity with Level 1 attributes. Only the minimum level required should be used in transactions and relationships.
5. There should be no way to link level 2 personas via a root identity. The only time this should ever occur is when a person asserts the link between two personas and shows they are both linked to the same root. E.g. showing a passport and credit card to exchange currency.

This seems to clarify a number of points, certainly at the level of most interaction with local authority and voluntary sector agencies.

IVR: Politics prevents progress.

Eurim has produced excellent evidence from overseas to feed into the the Individual Voter Registration (IVR) programme – to be introduced in 2014 under the Political Parties and Elections Act (2009).

The big questions are whether the objectives will be met:

• greater accuracy of electoral registers
• greater citizen confidence in the democratic system
• less scope for fraud.

Both the full report and the summary from Eurim had four main findings:

1. Two distinct trends are discernible in the responses from overseas, between those countries which treat the electoral register almost exclusively for electoral purposes (‘Commonwealth’ or ‘common law’ heritage) and those that create a multi-purpose population register, either at national or municipal level (‘continental’ heritage).
2. Compulsory registration does not work unless underpinned by other processes: e.g. in Australia large numbers of voters may remain unregistered.
3. All sampled common law and continental countries require proof of identity to register the voter; only the UK does not.
4. Countries that operate data matching to maintain a population register, to transfer data with other public bodies, or that allow citizens to view or amend their personal data, do so through secured systems.

The UK is a long way behind most countries.  It’s as though we want to remain backward by rejecting perfectly reasonable solutions.  We mistrust public sector stewardship of personal data.

• We don’t yet know the results of the data matching trials.  Our experience with Contactpoint should demonstrate how difficult this must be.
• We don’t have agreement on how to issue credentials for eID.  There’s a battle about whether a root identity is needed or not.
• Politicians have a morbid fear of a totalitarian government taking hold of registers and creating a single database of all citizens.  The national Identity Card had a lot of opposition, not just No2ID.

Politicians are the key to making progress – but leaving IVR up to over 400 separate voter registration authorities to select their own software doesn’t augur well for meeting the deadline of the 2015 General Election.

eID: Chaos Compounded

The EU has tried to bring some order into the confused world of Identity Management, Electronic Identities (eIDs) in particular.  In the UK’s insular way, there has been little reference to the detailed research completed last year on the State of the Electronic Identity Market.  Again Toby Stevens pointed the way.

Page 38 merely scratches the surface of the problem.

eID ecosystem

No wonder that many mere mortals at Eurim meetings have problems in deciding what to include in a message for MPs.

• How many civil servants are aware of this detailed research and are each of the departmental identity silos including it in their policy and strategy documents?
• Who has the time to read and understand all the implications?
• The area is so complex, why doesn’t the UK Government set up a single, authoritative, font of knowledge about eID?

Breeder Battle at Id Gurus Gathering

Identity Management was the topic of Eurim’s latest gathering of gurus. The bad news is that three points came clear:

• The UK has a lacks coordination of both policy and strategy. Each Government department and agency has its own vision and way of moving forward.
• The advance of standards and software will have to be provided by the private sector – and they need a business model that will eventually show a profit. They will need a secure revenue stream for providing identity management services.
• The world is moving forward quite happily without UK input. The UK’s position of leadership will change to that of followership at great cost to the economy. Global trade needs trusted identities with supporting agreements on liability and indemnity. The UK Government is not fully engaged in EU or international deliberations. On opportunity may be missed to become the headquarters of an identity governance industry.

There was only one organisation at the table with an eye on the commercial opportunity. Their national network could extend their services to provide identity registration for the public. 90% of the population are within 10 miles of their facilities.  Good for all of us.

Unfortunately, we were left with (at least) three unresolved questions:

• Which third party credentials will be accepted by Central and Local Government agencies?
• Who is responsible for governance of all UK identity schemes?  The National Archives as keeper of public records was suggested, but they may not be in the radar of five Cabinet Office working parties.
• Is a ‘root identity’ necessary?  There were two strongly voiced divergent opinions on ‘breeder documents’. The Chatham House Rule prevents naming the parties. But Quarkside promotes the management of multiple identities (personae), which do not require a ‘root identity’ or ‘unique identifier’.

The good news is that everybody seemed to agree on a definition of identity assurance levels for electronic IDs that will make sense to our MPs.  This is all they have to remember:

• Level 0: Anonymous – no personal data registered.
• Level 1: Self-asserted – likely to be the same person returning.
• Level 2: On the balance of probability – good enough for civil action.
• Level 3: Beyond a reasonable doubt – good enough for a criminal conviction.

This may have the technical experts reeling – but it is more important to get our politicians moving in the right direction than giving lessons on the differences between the five As: Assertion, Assurance, Authentication, Authorisation and Accreditation.

 

£22 billion we are paying to criminals

Lord Erroll recently sent an email to members of the EURIM and observers.  It had a stark message to all people interested in reducing the cost of cyber crime.  Yes, it does exist:

“The most costly risk to Government itself is the potential for organised crime to defraud the tax and benefits systems through identity theft, using electronic attack vectors and malicious code similar to that used against banking, unless effective identity governance structures and counter measures are at the heart of the new systems (security by design, not afterthought). Last year the National Fraud Authority estimated the cost of Fraud to to the public sector at nearly £18 billion p.a. and rising That is more than four times the cost (under £4 billion) to Financial Services.”

That’s a reasonable amount of taxation going in the wrong direction.  Even if it looks like Financial Services taking the hit, it is all of us – all the time.  If these numbers are correct, then in true risk management style, it is worth spending a bit of money to minimise the amount of losses.

Let’s work together to get an electronic identity that is difficult to clone and is trustable by both public services organisations and the public.

PASC 11: Plea for Information Governance leadership

The eleventh of the Public Administration Select Committee (PASC) 12 questions, asks:

11. How appropriate is the Government’s existing approach to information security, information assurance and privacy?

The question is limited to a small part of the much more comprehensive field of Information Governance. But taking them in turn:

• Information Security: Developing federated identity management is critical to future efficiency.  Trust between all departments, agencies and local authorities should be high on the agenda. The model that links authentication, credentials, authorisation and consent is incomplete. Isolated departmental strategies should be coordinated and leadership demonstrated to synchronise disparate initiatives.
• Information Assurance: SOCITM has a good route for assessing and promoting Information Assurance in local government. See .
• Privacy: has many pressure groups that will no doubt respond with their own reasons.

The main point, and it can be applied throughout all the PASC questions, is that Information Governance is much wider than just Security, Assurance and Privacy. The Government’s existing approach is too narrow and needs to be broadened into a policy framework that leaves no holes. Eurim attempted this approach. The Information Governance group looked at Basic Principles. This holistic approach to broad information governance can be summarised in one sentence:

“Information Governance is the setting of objectives to achieve measurable outcomes by people using information assets in a life cycle process that considers both risk and time constraints.”

Information Governance standards could be, and should be, developed by the Government CIO. Then there will be a baseline for quality assurance at all operational levels of public service.

7DIG: Information Governance defined

The good news is that it is easy to come up with definitions and frameworks for Information Governance. The bad news is that more definitions mystify than clarify. Let’s demonstrate with a couple, starting with Gartner:

“Information governance is the specification of decision rights and an accountability framework to encourage desirable behaviour in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

That’s quite a mouthful for two sentences. Is it different from the Care Quality Commission (CQC) draft?

“Information governance is an umbrella term for a collection of distinct but overlapping disciplines. Reference to “information governance” in this policy shall mean reference to the following areas as well:

• Access to information (Freedom of Information Act 2000 etc)
• Confidentiality and data protection
• Information security assurance
• Information quality assurance
• Records and document management”

‘I don’t know’ is my only honest answer. But does it matter? Putting Gartner and CQC words together is going to be unintelligible. They cover similar concepts in different ways, hoaned towards their normal client base. They are both correct in concept – but not interchangeable. A solution, worked out in Eurim, is a much simpler definition:

“Information Governance is the setting of Objectives to achieve valuable Outcomes by People using information Assets in a life cycle Process that considers the impact of both Risk and Time.”

Put into a list, just seven words can cover the whole domain:

1. Objectives
2. Outcomes
3. People
4. Assets
5. Process
6. Risk
7. Time

This list is intended to be ‘Mutually Exclusive and Collectively Exhaustive’, or MECE. Organisations can write their own guidelines to suit local conditions in a top-down hierarchy. It should not be set in stone; any new requirement, change of law, personnel or technology can be incorporated into a local framework. The easy definition is done; does such a simple set of words help people to adopt an effective, standard, way of working? Quarkside says ‘yes’, reasoning that people can test any issue with seven sets of simple questions:

1. Why are we doing it and what are the constraints?
2. What do we expect the benefits to be and how do we measure them?
3. Who has to do what and who are the beneficiaries?
4. What are the information assets we have, and are we controlling them?
5. What is the entire process from inception, validation, storage and deletion?
6. What are the main risks and what are the plans for reducing them?
7. When should things happen, and is our level of maturity sufficient?

The questions themselves are not as important as structuring an approach that clarifies, rather than complicates, the issues. It is quality assurance of Information Governance that matters, not the precision of the definitions. Expect more quarks about each of the Seven Dimensions of Information Governance (7DIG). PS:  The choice of seven dimensions was not an accident, see “The Magical Number Seven, Plus or Minus Two” propounded by Miller.

PPS:  For those who prefer diagrams, here is the 7DIG Framework, including some of the expanded levels.

Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me. “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago”.

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

1. A person does not need a Unique Identifier (UID).
2. The Law does not demand a UID.
3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings. “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”.   No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

• Citizens and officials understand their own requirements and can agree an acceptable set of processes.
• Governance, rights, responsibilities and constraints must apply within the Law.
• Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?”  Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust the meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, they may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances.  A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed.  No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO), it does not cover every person in the UK who might be entitled to a public service, children if you want an example. There are restrictions on where NINOs can be used and re-purposed.  Look at the governance problems engendered by the defunct ContactPoint.  The Data Protection Act permits cross-referencing of computer files when fraud or a  crime is suspected.  Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID.  UIDs are technologists’ shorthand for a key that identifies a record in a data store, it does not identify a person.  It identifies a computer record.

Quark 3:  Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities; stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies.  Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology.  My proposal, made five years ago, was based on properties of Google. Not Google, but cloud based technology that permits intelligent searching of linked data, leading to identifying the right person.  The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector.  No2UID.

Cyber security slaughter

The launch of “Security by Design, not Security by Afterthought” was educational for me.  One of the speakers gave an example where security by afterthought delayed a project by 12 months and doubled the cost.  It wasn’t just the pre-prepared speeches, it was the surrounding chatter – which had better remain anonymous.

• CLAS consultants themselves recognise the problem of differing opinions.  There may be need for specialists.
• All PCs incorporate a hardware security chip to be certified by Wintel.  It’s just that nobody seems to activate it.  A open door for conspiracy theorists.
• Cyber warfare isn’t the sole prerogative of the baddies.  Obviously deniable.

There was a plea for spreading the message around government circles.  Yet, again, there was no attempt in the speeches, nor the document about bringing local government into the fold.  Perhaps selling stuff into local government is just too hard.  Apart from that gripe, the full document is stuffed with good advice and guidance.  Here are three examples:

• consumer surveys indicate that nearly half the public now depends on their broadband connection, more expect to be victims of online crime than of theft from their home or car.
• offer informed choice between “cheap and cheerful” and “secure and reliable” products and services.
• in the absence of shared identity management systems, the need to authenticate each and every time for each of the thousands of services, leads rapidly to a complexity that is antithetical to the intended good practice of access control and authentication. This has been one of the compelling reasons for federated identity systems.

Eurim recognises that MPs are short of time, and the one-pager stress top-down leadership, common terminology and “Policies must be linked to processes for turning principles into practice”.  The MPs present certainly appreciate this approach to spreading technical information this way.

There was lots of food for thought, and I departed resolving to promote the messages through the SOCITM network.   This should bring in other organisations, such as local government, the voluntary sector, fire and rescue, who also need to understand the importance of design and procurement with security as a primary requirement.