Data Protection: MoJ ignores most of the public sector

Filed under: Governance,Politics,Privacy — lenand @ 8:53 am

The Ministry of Justice has called for evidence on the EU Data Protection Proposals. They are seeking the views of “data controllers and data processors, rights groups and information policy experts or anyone with a professional or personal interest in data protection”. Quite right – they have asked over 150 organisations to answer a lengthy questionnaire. They have selected an eclectic mix of companies from Abbey Quilting Limited to Yahoo! Many are understandable, such as No2ID and the Information Commissioner’s Office. It is the omissions that are mysterious:

– Virtually no central government departments have been asked. One would have expected HMRC and DWP to have some evidence – not just the DVLA.

– No representative organisation from local government, such as Solace, LGA or Socitm.  But there are a few individual local authorities such as Norfolk County Council.

When these organisations collectively record personal data for every single citizen, surely they should have been asked.  It is not an issue of politeness – but politics and policy.  Information governance must include the key stakeholders – not just an apparently random selection.


Electronic Identities: We need to trust them

Filed under: Governance,Standards — lenand @ 5:34 pm

The demise of the Id Card Project in 2010 has not removed the growing need for trusted e-Identities (e-Ids) to give access to public sector services. The State benefits from lower administration costs and reduced fraud; Citizens benefit from much simpler and faster application for services. Far fewer errors will be propagated. The Cabinet Office solution is to encourage a market for Identity Provider (IdP) services from any number of accredited suppliers, many of whom should be from the private sector. Public Service Providers (PSPs) will trust the e-Ids from any such IdP. Their architecture diagram below has been largely unchanged for more than a year.

[Diagram: Hub Architecture]

Between the IdP and the PSP is the managed “Hub”.  This posting raises a fundamental question about why it is necessary.  There are already well established standards that control the governance requirements for federations of IdPs and PSPs.  One is the OIX model.  


[Diagram: OIX Architecture]

This standard does not have a central hub.  It has rules for level of assurance and protection.  It is supported by many international IdPs such as Google, Facebook and Microsoft.  Public service organisations could act as both IdPs and relying parties.

The UK education sector uses a similar model for simplified sign on to multiple services. Commonly known as Shibboleth, it is governed by the rules of the UK Federation. It has an architecture that is scalable to millions of users without the need for a hub (see http://www.ukfederation.org.uk/). It is a governance issue: you either trust other members of a Federation, or you don’t. What are the problems of using such a federation architecture?




IVR: Politics prevents progress.

Filed under: Politics,Privacy — lenand @ 10:22 pm

Eurim has produced excellent evidence from overseas to feed into the Individual Voter Registration (IVR) programme – to be introduced in 2014 under the Political Parties and Elections Act (2009).

The big questions are whether the objectives will be met:

  • greater accuracy of electoral registers
  • greater citizen confidence in the democratic system
  • less scope for fraud.

Both the full report and the summary from Eurim had four main findings:

  1. Two distinct trends are discernible in the responses from overseas, between those countries which treat the electoral register almost exclusively for electoral purposes (‘Commonwealth’ or ‘common law’ heritage) and those that create a multi-purpose population register, either at national or municipal level (‘continental’ heritage).
  2. Compulsory registration does not work unless underpinned by other processes: e.g. in Australia large numbers of voters may remain unregistered.
  3. All sampled common law and continental countries require proof of identity to register the voter; only the UK does not.
  4. Countries that operate data matching to maintain a population register, to transfer data with other public bodies, or that allow citizens to view or amend their personal data, do so through secured systems.

The UK is a long way behind most countries.  It’s as though we want to remain backward by rejecting perfectly reasonable solutions.  We mistrust public sector stewardship of personal data.

  • We don’t yet know the results of the data matching trials.  Our experience with Contactpoint should demonstrate how difficult this must be.
  • We don’t have agreement on how to issue credentials for eID.  There’s a battle about whether a root identity is needed or not.
  • Politicians have a morbid fear of a totalitarian government taking hold of registers and creating a single database of all citizens.  The national Identity Card had a lot of opposition, not just No2ID.

Politicians are the key to making progress – but leaving IVR up to over 400 separate voter registration authorities to select their own software doesn’t augur well for meeting the deadline of the 2015 General Election.


Identity needed. Yes2ID say stateless.

Filed under: People,Policy,Privacy — lenand @ 7:46 am

So you think we in the UK have problems.  From Voice of the Children, an estimated 12 million people in the world are not citizens of any state and are deprived of their rights. In many countries evidence of citizenship is provided by an Id Card. No Id Card means that residents are stateless, stops children from attending school and condemns families to poverty.

For example, the aboriginal population of Malaysia, the Orang Asli, have no documentation and hence no ID Card.  ID cards are essential to open the doors to services, such as driving licences, health, education and voting.  In many countries it is incomprehensible that the UK can operate without any state provided identity.  With an Id Number it really does simplify information sharing and improve the accuracy of statistics.

Politically, it will be hard enough to get individual voter registration accepted, and at least a decade before a central register of citizens is raised again.  No2ID supporters have won their cause – could they divert some of their surplus energy into helping those who are deprived of their rights because they don’t carry an identity credential?


No2UID for ID Schemes

Filed under: Politics,Privacy,Security,Strategy — lenand @ 9:15 am

Identity Documents Bill 2010-11.  Thanks to Mike Ballard for the link and highlighting:

A small number of provisions in the 2006 Act – unrelated to ID cards – reappear in the Bill. These cover offences relating to the possession and manufacture of false identity documents such as passports and driving licences. The Bill also re-enacts data-sharing provisions in the 2006 Act designed to verify information provided in connection with passport applications.

Does that mean that the bathwater has gone and the baby remains – or vice versa?  Every provision in the bill should be both challenged and supported – by different groups, of course.

No2ID has plenty to say. Far less ranting than I was expecting – measured and reasonable. “The Bill is a good start. With some bad features. Were clause 10 deleted and the re-enactments modified along the lines we suggest then we would support it wholeheartedly. But it is not sufficient to remove the threat of a National Identity Scheme from Britain.”

Clause 10 “… is a huge enhancement of the database state and mass surveillance. No case has been made for it. The most plausibly effective change in Home Office issue of passports, a check for a ‘social footprint’ via credit reference agencies, was introduced several years ago without it. The power is unnecessary and undesirable in itself, but in a broader administrative context it would facilitate the reconstruction of an ID scheme in a slightly different form, based on the passports database. This has actually already been proposed by several advocates of ID cards, including David Blunkett.”

So, the debate centres around the purpose and use of the Passport database.  Re-use of data is an obvious way of reducing frustration in citizens who are repeatedly asked for the same information – and often suffer the consequences of inaccurate recording.  An all-singing all-dancing data base is not an acceptable UK solution.  However, it is perfectly reasonable to cross-check, and extract data from, high quality data sources such as held by the IPS.  You don’t need a UID (or root identity) but identification will benefit from triangulation methods based on combinations of facts and assertions.


Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me: “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago.”

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

  1. A person does not need a Unique Identifier (UID).
  2. The Law does not demand a UID.
  3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings, “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”. No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

  • Citizens and officials understand their own requirements and can agree an acceptable set of processes.
  • Governance, rights, responsibilities and constraints must apply within the Law.
  • Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?”  Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust to meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, the operator may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances.  A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed.  No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO): it does not cover every person in the UK who might be entitled to a public service, children if you want an example. There are restrictions on where NINOs can be used and re-purposed. Look at the governance problems engendered by the defunct ContactPoint. The Data Protection Act permits cross-referencing of computer files when fraud or a crime is suspected. Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID. UIDs are technologists’ shorthand for a key that identifies a record in a data store; such a key does not identify a person. It identifies a computer record.

Quark 3:  Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities; stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies.  Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology.  My proposal, made five years ago, was based on properties of Google. Not Google, but cloud based technology that permits intelligent searching of linked data, leading to identifying the right person.  The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.
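As an added illustration of the Linked ID idea above (not code from the original proposal or from any scheme named here): two constructed data stores with no shared key are linked by scoring how many presented facts each local record corroborates, giving a strength of identity per store. The weights, thresholds, field names and records are all assumptions made for the example.

```python
# Added illustration: weights, field names and records are constructed assumptions.
WEIGHTS = {"name": 2, "dob": 3, "postcode": 2, "phone": 1}

# Two disconnected stores, each keyed by its own local record id (no shared UID).
# A record may legitimately hold several names (e.g. a maiden name).
COUNCIL_TAX = {
    "CT-104": {"name": {"ann lee", "ann marsh"}, "dob": "1980-02-11", "postcode": "NR1 3AB"},
    "CT-377": {"name": {"ann lee"}, "dob": "1991-07-30", "postcode": "NR4 9ZZ"},
}
LIBRARY = {
    "LIB-9": {"name": {"ann marsh"}, "dob": "1980-02-11", "phone": "01603 555010"},
    "LIB-12": {"name": {"a lee"}, "postcode": "NR1 3AB"},
}
STORES = {"council_tax": COUNCIL_TAX, "library": LIBRARY}

def score(record, evidence):
    """Sum the weights of the presented facts that this record corroborates."""
    total = 0
    for field, value in evidence.items():
        held = record.get(field)
        if held is None:
            continue  # the store holds nothing on this fact: no support either way
        known = held if isinstance(held, set) else {held}
        if value.lower() in {k.lower() for k in known}:
            total += WEIGHTS.get(field, 0)
    return total

def best_match(store, evidence):
    """Return (local_key, strength); the key is None when the top score is zero or tied."""
    ranked = sorted(((score(r, evidence), k) for k, r in store.items()), reverse=True)
    top, key = ranked[0]
    if top == 0 or (len(ranked) > 1 and ranked[1][0] == top):
        return None, top  # ambiguous or unsupported: refuse to link
    return key, top

def link(evidence, stores, required):
    """Build a Linked ID: store name -> (local key, strength), only where strength >= required."""
    lid = {}
    for name, store in stores.items():
        key, strength = best_match(store, evidence)
        if key is not None and strength >= required:
            lid[name] = (key, strength)
    return lid
```

Only the facts the citizen chooses to present are compared, and a name on its own is refused when it matches more than one record equally well.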

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector.  No2UID.
