Quarkside

25/07/2014

Data Privacy: Put ASHs in the bin

Filed under: Governance,Privacy,Technology — lenand @ 10:25 pm

There’s a consultation about the regulations for protecting personally identifiable data. The government proposes allowing a number of local organisations to create secure Accredited Safe Havens (ASHs). They will have access to information from people’s personal care records, which could be used to identify an individual.

The consultation assumes a solution in which such data has to be transferred into an ASH. Quarkside suggests an alternative that is inherently safer. Instead of moving data to an ASH, it stays put in a Personal Data Store (PDS). A PDS resolves the problems of consent by only releasing data for analysis with the personally identifiable data removed. This could be controlled by Mydex.

The back-of-a-beer-mat design goes something like this:

  • People control their own health and care records in a suitably encrypted data store.
  • Data is held in 5* format in triple stores and using URIs appropriately (ask Sir Nigel Shadbolt how to do it).
  • Explicit consent has to be given for the extraction (or viewing) of any attribute, so any data that could lead to identification can be stopped at source. The consent could also be given by an Accredited Data Attorney (ADA). An ADA could be the person themselves, or any single person they have trusted to give consent to release data for sharing purposes.
  • If an Accredited Data Processor (ADP) wishes to use anonymised data, then temporary rights are given by the ADA. Data may be given an expiry period after which any copies of the source data are destroyed. The ADP would be allowed to store summarised data for analytical purposes.
  • Any joins of personal data are done within the domain of the PDS, and the method of performing those joins is hidden from the ADP. The risk of loss of privacy is reduced. If you go back to the principles of FAME you will see the nine principles that can make this work. The Identity Management problem is solved at source. Sharing data from multiple agencies is logically performed in an infrastructure that is like a walled garden.
  • Each time data is released to an ADP, the source identity would be irreversibly hashed by the ADA. The regulations would be so much simpler to implement.
  • The ADA can release personally identifiable data to multiple agencies, such as health and social care. Again this must be time limited, and the agencies would be obliged to destroy data, without any rights to store archives that contain personally identifiable data. A PDS is the repository for health and social care records.
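The release path sketched in the list above, as an added Python example; it is not the post’s own code and not Mydex’s, and the names PersonalDataStore, Grant, release() and demo() are assumptions for illustration. One practitioner’s caveat is built in: the pseudonym is an HMAC over the store’s internal person key with a key the ADA generates per release, not a bare hash, because a plain hash of a small identifier (a name, an NHS number) can be reversed by hashing every candidate and so is not irreversible in practice, whereas the keyed form is one-way for anyone without the key and unlinkable across releases made with different keys.

```python
"""Consent-gated release from a Personal Data Store (PDS).

Added example sketching the beer-mat design; not the post's own code nor Mydex's.
Assumed names: PersonalDataStore, Grant, release(), demo(). Sample data is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Attributes that could lead to identification; never released in anonymised form.
IDENTIFYING = {"name", "nhs_number", "postcode", "dob"}


@dataclass
class Grant:
    """Consent from the ADA: which attributes a named ADP may take, and until when."""
    adp: str
    attributes: frozenset
    expires: datetime


@dataclass
class PersonalDataStore:
    person_id: str        # internal key for this citizen's store; never leaves it
    records: dict         # agency -> {attribute: value}, e.g. GP and social care
    grants: list = field(default_factory=list)

    def grant(self, adp, attributes, valid_for, now):
        """ADA gives time-limited consent. Identifying attributes are refused at source."""
        attrs = frozenset(attributes)
        if attrs & IDENTIFYING:
            raise ValueError(f"identifying attributes refused: {sorted(attrs & IDENTIFYING)}")
        self.grants.append(Grant(adp, attrs, now + valid_for))

    def _active_grant(self, adp, attributes, now):
        for g in self.grants:
            if g.adp == adp and now < g.expires and set(attributes) <= g.attributes:
                return g
        return None

    def release(self, adp, attributes, now, release_key):
        """Return one anonymised row for the ADP, or None if no live grant covers the request."""
        g = self._active_grant(adp, attributes, now)
        if g is None:
            return None
        # The join across agencies happens here, inside the PDS domain; the ADP only
        # ever sees the joined result, keyed by a pseudonym.
        joined = {}
        for agency_record in self.records.values():
            joined.update(agency_record)
        # Keyed hash: one-way without release_key, and a fresh key per release means
        # two releases of the same citizen cannot be linked by the ADP.
        pseudonym = hmac.new(release_key, self.person_id.encode(), hashlib.sha256).hexdigest()
        row = {"pseudonym": pseudonym, "destroy_by": g.expires.isoformat()}
        row.update({a: joined.get(a) for a in attributes})
        return row


def demo():
    """Constructed sample citizen with a GP record and a social care record."""
    pds = PersonalDataStore(
        person_id="citizen-0001",
        records={
            "gp": {"name": "A. Example", "nhs_number": "000 000 0000", "postcode": "XX1 1XX",
                   "dob": "1950-01-01", "diabetic": True},
            "social_care": {"care_package": "domiciliary", "visits_per_week": 3},
        },
    )
    now = datetime(2014, 7, 25, 22, 25)
    pds.grant("research-adp", {"diabetic", "care_package"}, timedelta(days=30), now)
    try:
        pds.grant("research-adp", {"nhs_number"}, timedelta(days=30), now)
        refused = False
    except ValueError:
        refused = True
    key1, key2 = secrets.token_bytes(32), secrets.token_bytes(32)   # one key per release
    wanted = ["diabetic", "care_package"]
    return {
        "first": pds.release("research-adp", wanted, now, key1),
        "second": pds.release("research-adp", wanted, now, key2),   # different pseudonym
        "expired": pds.release("research-adp", wanted, now + timedelta(days=31), key1),
        "refused": refused,
    }


if __name__ == "__main__":
    print(demo())
```

What the store cannot do is enforce the ADP’s obligation to destroy copies; the `destroy_by` field only carries the deadline with the data, and the audit of compliance remains a governance matter, as the post says.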

Big data technology has advanced to the stage where this has become possible. Give control of sharing to the citizen. Acknowledge that people have ownership rights to their data, even if it is collected and stored by the NHS (or any other ADP). If you don’t create ASHs, you don’t need to regulate them.

01/06/2013

BBC: Reduce freebie viewers!

Filed under: Governance — lenand @ 5:43 am

“The future of the BBC licence fee is threatened by political ideology and the impossibility of stopping people from watching on line free of charge.”

is quoted from Private Eye No 1341, page 12.

There are some people who watch BBC programmes on iPlayer who have a TV licence but no TV. They stick by the condition that you need to be covered by a licence if you watch TV online at the same time as it’s being broadcast on conventional TV in the UK or the Channel Islands. Watch it an hour later and you don’t need a TV licence.

The BBC is not obliged to provide content for free. It is not a new idea, but they could contemplate a governance regime that licensed people to view on-line. A personal data store could have an identity attribute for a current TV licence. Mydex is free for personal use and would be easy for the BBC to check before a programme downloads. Registering for viewing on-line content is commonplace, and it is reasonable to change conditions to maximise revenue.

Yes, there will be ways of cheating the system – but 40 pence per day is not excessive when compared to cable and satellite subscriptions or the indirect cost of TV advertising. The BBC could then consider developing global terms and conditions which earn extra income.

So it’s not impossible – just unlikely that the BBC will attempt to reduce free viewing.

11/11/2010

Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me: “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago”.

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

  1. A person does not need a Unique Identifier (UID).
  2. The Law does not demand a UID.
  3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings: “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”. No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

  • Citizens and officials understand their own requirements and can agree an acceptable set of processes.
  • Governance, rights, responsibilities and constraints must apply within the Law.
  • Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?” Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a level of trust sufficient to meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, they may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat: you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances. A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed. No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO): it does not cover every person in the UK who might be entitled to a public service (children, if you want an example). There are restrictions on where NINOs can be used and re-purposed. Look at the governance problems engendered by the defunct ContactPoint. The Data Protection Act permits cross-referencing of computer files when fraud or a crime is suspected. Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID. UIDs are technologists’ shorthand for a key that identifies a record in a data store; a UID does not identify a person. It identifies a computer record.

Quark 3: Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have a choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities: stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies. Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.
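Quark 3 and the LID paragraphs describe an architecture rather than a product, so here is an added Python sketch of it; it is not the post’s design, nor code from Mydex or PAOGA, nor an implementation of ISO 18876, and the names LocalStore, LinkRegistry, resolve(), linked_key() and demo() and the three evidence grades are assumptions made for the example. Each agency keeps its own record key, meaningful only inside its own store; the registry holds nothing but pairwise links between such keys, each tagged with the grade of evidence that justified it; and resolve() hands back a record only when the evidence supplied picks out exactly one candidate, otherwise it reports that more is needed instead of guessing.

```python
"""Linked IDs (LIDs) between disconnected stores, with no shared UID.

Added example; not the post's design nor code from Mydex, PAOGA or ISO 18876.
Assumed names: LocalStore, LinkRegistry, resolve(), linked_key(), demo().
Sample stores, keys and grade labels are constructed for the example.
"""
from dataclasses import dataclass, field

# Ranking of identity assertions, so links can be graded and ranked within the rules.
GRADES = {"self-asserted": 1, "document-checked": 2, "agency-verified": 3}


@dataclass
class LocalStore:
    agency: str
    records: dict    # local key -> attributes; the key has meaning only in this store

    def resolve(self, evidence):
        """Find the one record matching every supplied attribute.
        Returns (key, "unique"), or (None, "ambiguous" | "no match") so the
        caller asks for more evidence rather than picking a record at random."""
        matches = [key for key, rec in self.records.items()
                   if all(rec.get(attr) == val for attr, val in evidence.items())]
        if len(matches) == 1:
            return matches[0], "unique"
        return None, ("ambiguous" if matches else "no match")


@dataclass
class LinkRegistry:
    """Holds only (agency, key) <-> (agency, key) links plus their evidence grade."""
    links: list = field(default_factory=list)

    def assert_link(self, agency_a, key_a, agency_b, key_b, grade):
        if grade not in GRADES:
            raise ValueError(f"unknown grade {grade!r}")
        self.links.append((agency_a, key_a, agency_b, key_b, grade))

    def linked_key(self, from_agency, key, to_agency, min_grade):
        """Best-graded link from (from_agency, key) into to_agency that meets
        min_grade, as (key, grade); None if no link is good enough."""
        best = None
        for a, ka, b, kb, grade in self.links:
            for fa, fk, ta, tk in ((a, ka, b, kb), (b, kb, a, ka)):   # links are symmetric
                if ((fa, fk, ta) == (from_agency, key, to_agency)
                        and GRADES[grade] >= GRADES[min_grade]
                        and (best is None or GRADES[grade] > GRADES[best[1]])):
                    best = (tk, grade)
        return best


def demo():
    """Constructed stores for two council services that never share a UID."""
    housing = LocalStore("housing_benefit", {
        "HB-17": {"surname": "Example", "postcode": "XX1 1XX"},
        "HB-42": {"surname": "Example", "postcode": "XX2 2XX"},   # same surname, other person
    })
    council_tax = LocalStore("council_tax", {
        "CT-9001": {"surname": "Example", "postcode": "XX1 1XX"},
    })
    registry = LinkRegistry()
    # The citizen asserted the link themselves; an official later checked it against documents.
    registry.assert_link("housing_benefit", "HB-17", "council_tax", "CT-9001", "self-asserted")
    registry.assert_link("housing_benefit", "HB-17", "council_tax", "CT-9001", "document-checked")
    return {
        "surname_only": housing.resolve({"surname": "Example"}),
        "surname_postcode": housing.resolve({"surname": "Example", "postcode": "XX1 1XX"}),
        "link_basic": registry.linked_key("housing_benefit", "HB-17", "council_tax", "self-asserted"),
        "link_strict": registry.linked_key("housing_benefit", "HB-17", "council_tax", "agency-verified"),
        "reverse": registry.linked_key("council_tax", "CT-9001", "housing_benefit", "document-checked"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is what is absent: there is no column anywhere that identifies the person across both stores, only the registry’s links, and a caller demanding a higher grade than any link carries gets nothing rather than a weaker match.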

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology. My proposal, made five years ago, was based on properties of Google. Not Google itself, but cloud-based technology that permits intelligent searching of linked data, leading to identifying the right person. The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector. No2UID.

08/10/2010

Personal Data Overload

Filed under: Privacy,Strategy — lenand @ 8:31 am

The Mydex white paper on “The Case for Personal Information Empowerment” advocates personal data stores.

Personal Data Stores are a service to the individual. With a Personal Data Store, the data sits on the side of the individual under the individual’s control; data is collected and stored in the individual’s own database to be managed and controlled by that individual for the individual’s purposes.

Personal data stores are what I have been advocating for years. I even went to the extent of visiting the offices of PAOGA. However, I don’t yet fully trust solutions that rely on servers that are reputedly uncrackable. I certainly don’t trust my ability to provide a secure database on my own machine. What if my anti-phishing protection is one or two steps behind the hacking industry? I might be happy with something on a physical storage device in my pocket (encrypted, of course). Maybe mobile devices need that little bit extra.

For a bit more background have a look at this blog. It has a lot more techie background than I can handle. Paul Trevithick must be a wise guy – he picked the same WordPress theme as me.

06/10/2010

Who do we trust?

Filed under: Privacy,Standards — lenand @ 1:10 pm

“Governments and regulators need to pave the way for the new ecosystem by addressing online identity policy and being ready to work with structured authenticated data from verified individuals. This needs standards.”

This is a quote from the Mydex white paper on “The Case for Personal Information Empowerment”.

I can only agree. The UK is in urgent need of a cross public sector identity mechanism. It must not be centralised, to avoid being blocked by the anti-totalitarian brigade. It must be part of a trusted federation. Many agencies can issue credentials after due process, but all agencies should accept them up to agreed levels of risk. Yes, we need standards first – but who is working on them?

Which agencies should be certified to issue federable public sector credentials?
