IDs for a UK Citizen Account

Quarkside has just heard of a way to solve the following problems:

• Benefits costs
• Under employed people
• Education maintenance allowance
• University living costs
• Basic pensions
• Enhanced pensions
• Recovering money for fines
• Health costs

It requires setting up a citizen account (UK citizens only) for EVERY citizen, including children. For sake of an abbreviation, we will call it the UK Citizen Account (UCA). The following rights are given, they are paid from taxation, without exception, into a freely spendable account (FSA).

• 0-16 child allowance, spendable by nominated parent or guardian
• 16-18 youth allowance, spendable by the young person
• 19-24 tertiary education allowance, spendable by the citizen
• 24-67 working age allowance
• 67-80 first pension
• 80+ second pension

Alongside the government input is personal input which is a proportion of taxable income.  This is a protected endowment account (PEA).  The main aim is to build up a personal fund that can be drawn down as housing, pension, health and mid-life education.  The nearest analogy is Singapore’s Central Provident Fund (CPF).  It is a colonial legacy: ” When the Japanese Occupation ended in 1945, Singapore became a British colony again. Life was hard. People struggled to make ends meet. To ensure that workers could take care of themselves in their old age, the Central Provident Fund was set up as a compulsory savings scheme. ”

The benefits to the government are:

• Simplicity of administration – entitlements are universal, every citizen independent of other income
• Means tested benefits cease, such as housing benefit.
• Personal National Insurance (NI) contributions are paid into the PEA, like a compulsory personal insurance.
• Employers NI contributions are paid into the PEA as a percentage of taxable income.
• Debts to the government can be taken from the fund, eg fines, unpaid taxes.
• Choice by the citizen for medical treatment.  The tariffs are well documented.  A percentage is taken from the PEA for every access to NHS services – lower percentage for basic services (10%) – higher percentage for more expensive, private care provision (90%).
• Funding for infrastructure from accrued savings
• Funding for low cost housing by giving loans from accrued personal PEA savings
• Choice to use the PEA for adult education and retraining for new skills.   The Working Age Allowance is always paid to provide some basic income.

The benefits to the citizen are:

• Guaranteed untaxed income throughout life, whether working or not.
• Working will always be better than not working.
• Protected Fund, built up by work, for spending on housing, further education, pensions and health.
• Additional contributions from employers (including self-employed), interest on account and profits from fund investments.
• Opportunity to obtain a mortgage from funds accrued – commercial interest rates will be charged.
• Opportunity to pay for adult education or re-training.
• No risk of bankrupt or stolen pension funds.
• Choice to pay for care at home or residential homes.
• The residue on death forms part of the estate – not taken by the government.

The details can be sorted out, but it avoids the costly mistake of Universal Credits.  Such a total restructure of the welfare state means sacrificing sacred cows. Singapore now has a handle on social welfare costs, unlike the UK.  They have a successful economy.  Rationing of health costs is left to citizens and their families.

And the governance issue is: – citizens will need to have a trusted Identity,  without too many duplicates.  Perhaps this will be good enough to allow them to vote, too.

Pan Government Arrogance

The Local Government Delivery Council (LGDC) was established in 2007 to support the Chair, in the role as one of two local government representatives on the Cabinet Office Delivery Council. The Delivery Council was the pan government body chaired by Sir David Varney, to drive the transformation of public services so these became, ‘better for the citizen, better for staff and cheaper for the tax payer’.

We now learn that the Cabinet Office’s Delivery Council has ceased and there is no longer a pan government body which includes local government representation. Fortunately, an independent LGDC has become the recognised and established body for central government agencies to engage with when they are working with or plan to work with councils to redesign services. They provide one of the few (perhaps the only?) forum where central government departments get to see what other government departments might be planning in relation to local government. Examples from recent meetings have had representatives from:

• DfT – Blue Badge programme
• Cabinet Office – Digital Britain, Id Assurance
• DfE – Employee Authentication Services
• BIS – UK Broadband programme, Post Office programme
• DCLG – Central Local Digital Collaboration
• DWP – Tell Us Once, Universal Credit
• Home Office – Single Non-Emergency Number (101)

It is good that Local Government has the opportunity to provide feedback from the front-line about the realities of providing face to face services. A neat example is the assumption that broadband is ubiquitous and that claims for benefits could be ‘driven on-line’. It was pointed out that broadband is one of the luxuries that go when a household needs to claim benefits. Another example is a department representative having to apologise to irate Chief Executives about by-passing them in a survey of redundancy costs in a specific service.

The governance of central government projects needs much wider involvement of local government experts. They need to appreciate the diversity of requirements around the country and not assume that a token consultation with a couple of representatives is sufficient. Too much of the initial strategy and architectural work is done by World Class Enterprise Management Consultants; their experience of deprivation is as limited as the policy makers from Whitehall.

QA may madden Maude

The 2011 Government ICT strategy preaches standards.   Tick box = Good.  People who bore for standards preach, ‘to do it properly you must define the standard and check later that the standard has been followed’.  This blog compares the strategy against a standard (standard with a small ‘s’) – in this case against the same set that was used to review the SOCITM ICT Strategy, released in draft last month.

The target for all public sector ICT is established in the introduction:

“6. Information and communications technology (ICT) is critical for the effective operation of government and the delivery of the services it provides to citizens and businesses. It offers key benefits by enabling:

• access to online transactional services, which makes life simpler and more convenient for citizens and businesses; and
• channels to collaborate and share information with citizens and business, which in turn enable the innovation of new online tools and services.”

Everybody must agree with this, and observe that sharing information across multiple agency boundaries is critical for citizens, businesses and agencies.  It has led to much discussion about shared infrastructure, shared services and the benefits this will bring.  Fortunately, we can use a standard for quality assuring the Strategy and highlighting any gaps that need to be addressed.  It has nine dimensions for assessing multi-agency information sharing partnerships.

• Business Scope and Plans
• Governance
• Legal Issues, Policies, Rights and Responsibilities
• Information Sharing
• Identity Management
• Federation
• Transactions, Events and Messages
• Infrastructure
• Sustainability

Overall these can be summarised into Process, Governance and Technology – the Quarkside mantra.  A quick traffic light assessment against the standard dimensions is as follows:

• Business Scope and Plans: Amber

The reasons are good and there is an aggressive, but risky timeplan.  Dependence on on word ‘Agile’, is a recipe for systemic obscuring of progress.  It provides opportunities for hiding problems that only emerge when the end-users in multiple location are expected to change time-honoured processes, and new systems are not interoperable with old systems.  The needs of 450 local authorities must not be ignored.

• Governance:  Amber

A structure has been developed, but it omits the input of local delivery agencies, such as local authorities.

• Legal Issues, Policies, Rights and Responsibilities: Amber

Apart from the Policy, other issues are not raised

• Information Sharing: Amber

Use of open standards and APIs will help at a programmatic level, but additional useful services, such as Master Data Management and systems interoperability standards are not mentioned.

• Identity Management:  Red

Avoidance of a cross public sector strategy for citizen, employee and agent identity management risks complete failure of the strategy and policy objectives will not be met.

• Federation: Red

Federated trust by all involved agencies is vital for both accuracy and efficiency.  Nowhere is this mentioned or implied.

• Transactions, Events and Messages:  Green

Operational systems usually find technical solution for inter-system data transfers.  The use of Web services on the Cloud should help.  Channel issues are addressed

• Infrastructure:  Greenish

The overwhelming weight of the document is technology and infrastructure, there are eleven actions planned.  However, one suspects that the thought process has ignored local government and external agencies in the calculations.  Are local authorities expected to reduce ICT costs by 35%?

• Sustainability:  Red

The standard means to ability to sustain a shared service for operation over many years, not reducing carbon usage.  Most shared services fail because of the inability to agree funding for operations, and all the development investment is wasted.  Central Government must agree a sustainable funding model at the very beginning of every information sharing project.  The Cabinet Office should feel responsible for the whole of the public sector, not just central government departments and agencies.

So how do you react to 3 Reds, 4 Ambers and 2 Greens?  It is low on Process and Governance and higher on Technology.  Quarkside thinks it is good enough for a first draft to get the ball rolling.  But if Francis Maude thinks this document is going to deliver all his policy objectives, then I fear that he, or his successor, is set for a big disappointment and some explaining to do.

Shared Services says SOCITM Strategy

Top marks to SOCITM for developing an open consultation on an ICT strategy for local government.  “Routemap for Local Public Services reform – enabled by ICT“.  As the President of SOCITM confirmed “We have never actually had a strategy and action plan for IT-enabled local public services, let alone one conceived for a citizen-driven public sector.”  So it is long overdue and should help beleagured ICT Managers (aka CIOs) to squeeze out more from less.

The five year Vision is straightforward:

• “pan-local/pan-public-sector” ICT provision , encompassing strategy, architecture and commissioning, to drive efficiency and reform of public services, according to the needs and preferences of people in the diverse places that make up the UK.
• ICT footprint in terms of people, technology, process and costs to be reduced substantially from today’s level.“

The way to achieve it is through sharing, re-design and innovation.  Note that Sharing must come first to achieve the economies of scale and buying power.  Sharing is dependent on partnerships and there’s already been a lot of investment in how to form, implement and sustain multi-agency, information sharing partnerships.  The research and test projects revealed nine dimensions that have to considered for successful partnerships.

• Business Scope
• Governance
• Legal Issues
• Information sharing
• Identity Management
• Federation
• Transactions, Events, Messages
• Infrastructure
• Sustainability

The SOCITM Strategy covers most of the dimensions, but there’s one glaring omission; Identity Management.  All shared service systems WILL FAIL if identity management methods are not applied to both staff and citizens.  Both need federating across the public sector infrastructure. Identity Management cannot be tagged on at the end of a project – look how ContactPoint suffered.

Within the Governance dimension lies funding.  Believe it or not, the inability of partners to agree a funding structure is the primary reason for the failure of partnerships.  The funding formula for shared services should be agreed on Day 1.  This a CEO and CFO role, not the responsibility of the CIO.

The benefit of drafts for consultation is that improvements can be made, and there are over 400 local authorities that can contribute their knowledge and experience.

 

 

Breeder Battle at Id Gurus Gathering

Identity Management was the topic of Eurim’s latest gathering of gurus. The bad news is that three points came clear:

• The UK has a lacks coordination of both policy and strategy. Each Government department and agency has its own vision and way of moving forward.
• The advance of standards and software will have to be provided by the private sector – and they need a business model that will eventually show a profit. They will need a secure revenue stream for providing identity management services.
• The world is moving forward quite happily without UK input. The UK’s position of leadership will change to that of followership at great cost to the economy. Global trade needs trusted identities with supporting agreements on liability and indemnity. The UK Government is not fully engaged in EU or international deliberations. On opportunity may be missed to become the headquarters of an identity governance industry.

There was only one organisation at the table with an eye on the commercial opportunity. Their national network could extend their services to provide identity registration for the public. 90% of the population are within 10 miles of their facilities.  Good for all of us.

Unfortunately, we were left with (at least) three unresolved questions:

• Which third party credentials will be accepted by Central and Local Government agencies?
• Who is responsible for governance of all UK identity schemes?  The National Archives as keeper of public records was suggested, but they may not be in the radar of five Cabinet Office working parties.
• Is a ‘root identity’ necessary?  There were two strongly voiced divergent opinions on ‘breeder documents’. The Chatham House Rule prevents naming the parties. But Quarkside promotes the management of multiple identities (personae), which do not require a ‘root identity’ or ‘unique identifier’.

The good news is that everybody seemed to agree on a definition of identity assurance levels for electronic IDs that will make sense to our MPs.  This is all they have to remember:

• Level 0: Anonymous – no personal data registered.
• Level 1: Self-asserted – likely to be the same person returning.
• Level 2: On the balance of probability – good enough for civil action.
• Level 3: Beyond a reasonable doubt – good enough for a criminal conviction.

This may have the technical experts reeling – but it is more important to get our politicians moving in the right direction than giving lessons on the differences between the five As: Assertion, Assurance, Authentication, Authorisation and Accreditation.

 

£22 billion we are paying to criminals

Lord Erroll recently sent an email to members of the EURIM and observers.  It had a stark message to all people interested in reducing the cost of cyber crime.  Yes, it does exist:

“The most costly risk to Government itself is the potential for organised crime to defraud the tax and benefits systems through identity theft, using electronic attack vectors and malicious code similar to that used against banking, unless effective identity governance structures and counter measures are at the heart of the new systems (security by design, not afterthought). Last year the National Fraud Authority estimated the cost of Fraud to to the public sector at nearly £18 billion p.a. and rising That is more than four times the cost (under £4 billion) to Financial Services.”

That’s a reasonable amount of taxation going in the wrong direction.  Even if it looks like Financial Services taking the hit, it is all of us – all the time.  If these numbers are correct, then in true risk management style, it is worth spending a bit of money to minimise the amount of losses.

Let’s work together to get an electronic identity that is difficult to clone and is trustable by both public services organisations and the public.

Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me. “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago”.

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

1. A person does not need a Unique Identifier (UID).
2. The Law does not demand a UID.
3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings. “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”.   No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

• Citizens and officials understand their own requirements and can agree an acceptable set of processes.
• Governance, rights, responsibilities and constraints must apply within the Law.
• Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?”  Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust the meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, they may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances.  A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed.  No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO), it does not cover every person in the UK who might be entitled to a public service, children if you want an example. There are restrictions on where NINOs can be used and re-purposed.  Look at the governance problems engendered by the defunct ContactPoint.  The Data Protection Act permits cross-referencing of computer files when fraud or a  crime is suspected.  Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID.  UIDs are technologists’ shorthand for a key that identifies a record in a data store, it does not identify a person.  It identifies a computer record.

Quark 3:  Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities; stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies.  Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology.  My proposal, made five years ago, was based on properties of Google. Not Google, but cloud based technology that permits intelligent searching of linked data, leading to identifying the right person.  The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector.  No2UID.

50million Voter Id Cards?

Changing the legislation around voting in Northern Ireland has one rather surprising unintended consequence.  Young people have to be registered when they are 16-17 years old, just as in the rest of the UK.  However, when they become 18, they then can then apply for an Electoral Identity Card.  Complete with photograph.   This is now highly valued, trusted, evidence of age allowing them to buy alcohol in public houses.

This is good news for the publicans and brewers who prefer to keep within the law.

Perhaps it is also good news for encouraging young people to vote in Northern Ireland.

Perhaps England, Wales and Scotland should consider the same route to meet the objectives of the Individual Voter Registration Act.  A photocard with other electronic credentials could be valued by more members of the population – and other suppliers of goods and services.  It may comeback to haunt me, but I shall quote Sir James Crosby , who said:

“In the absence of a universal ID assurance system, I believe consumers will have to grapple with an increasingly complex array of identity assurance processes of uncertain quality. As a result, the UK will fail to secure the economic and social advantage achievable at the forefront of ID assurance systems and processes. In a competitive world, any failure to secure advantage quickly becomes tantamount to locking in disadvantage. In other words, the opportunities inherent in ID assurance will not have been grasped but the challenges will remain.”

Bryan Glick blogged the unthinkable back in May, when the ID Card scheme was cancelled: “But even if Crosby himself was pilloried, his proposals for an alternative to ID cards merit serious consideration by our new coalition government.”  Odds on that it is too much of a political hot potato.