UK Government ID Assurance Principles – consultation and feedback

… time to set out a few personal thoughts on the independent Privacy and Consumer Advisory Group (PCAG) — and our work overseeing and advising the UK government on various items relating to privacy, identity and security.

PCAG (which I chair) consists of (unpaid) members from a variety of academic, civil society, business, government and consumer groups. They give considerable time and expertise for free, and bring a wealth of experience and expertise from a suitably diverse range of perspectives.

Sometimes we agree, and sometimes we don’t: the purpose is not so much to reach some kind of pointless “group think” consensus as to ensure a robust and sustainable approach to these complex, interwoven topics that will enable the delivery of better public services whilst respecting the need for strong privacy and security. Neither does participation in the group imply any “endorsement” of any specific aspects of government programmes such as the identity assurance scheme from the individuals or the organisations they represent — they are free to dissent or approve of what is happening, in total or in part, as they see fit.

Our focus is on ensuring that the UK government works to provide users (citizens, businesses and the ‘third sector’) with an easy to use, trusted, secure and privacy-compliant way of accessing public services. This will require users to have control of their own personal information; ensure that information is not centralised into a vulnerable single honeypot; and provide a choice of trusted organisations to use for online identity services. (I’m going to ignore here some macro issues, such as recent revelations about the mass interception of private electronic communications by various government agencies … that’s a whole encyclopaedia’s worth of blogs and a subject I’ll return to elsewhere.)

The group has worked for some time on developing a draft set of identity assurance principles. In June this year, the latest version was put out for consultation. This was our second round of public, transparent consultation (kindly facilitated by the Government Digital Service, GDS) following on from an earlier draft published in April 2012. This open process is intended to help ensure the principles are designed to the highest standard and that all voices have a chance to make themselves heard.

It was also useful that the Scottish Government provided input via their Identity Management and Privacy Principles, which suggest a close alignment between both the objectives and some of the means by which identity can be made to work in a secure and privacy sensitive way. (On a point of transparency, I should point out I may be hopelessly biased on this point since I was also one of the members of the expert group that earlier helped the Scottish Government develop their principles. Yes, yes, I know – I really must get out more.)

As an independent expert group, PCAG has a mandate to challenge and question, as well as to receive detailed explanations of both the policy intent and the technology being used and the systems and the architectures being developed. To be frank, we have no formal power: the group can advise, question, criticise and comment, but the government’s identity assurance programme (IDAP) team and others we engage with are free to take or leave our advice. In practice, however, we have found the IDAP team receptive to our inputs and critiques.

The principles are to a large extent about re-establishing trust — and build on the premise that personal data should be effectively protected from those who would seek to misuse it either by accident or by design. Whilst an updated version of the principles based on recent feedback will be published as a formal “1.0” release once we’ve had a chance to integrate the recent round of feedback, we have always seen them as a living, breathing entity that will continue to evolve in the light of practical experience.

The range of feedback we’ve received during the most recent public consultation period is diverse, so it’s taking time to collate and action. It also spans numerous categories: some feedback provides material, important clarifications and will be incorporated into an updated draft of the principles. Thank you for this — sometimes it takes others to see the wood when you’ve been standing far too close to the trees examining the intricacies of the patterns in the bark. Other feedback has related to the principles’ wider context, and recommended communicating better where and how they fit; whilst other comments highlighted minor grammatical/presentational aspects.

Many other comments provided a mix of alternative views on the progress of the government’s IDAP programme itself and hence fell outside the scope and role of PCAG. For example, some comments were actually questions about progress of the early alpha and beta services using the new approach to ID, or about the identity providers and the nature of their contracts with government, or about departments and their plans for early adopter services. These questions are for the IDAP team and their work with identity providers and departments on development and delivery, not PCAG. Whilst we take an active interest in the physical realisation of the system, it is the definition of, and compliance with, the principles that concern us — from the low level technical and computational level to the policy and regulatory level. We seek assurance that across all of these levels the principles are being delivered.

Some other respondents appeared to misunderstand the context of the principles, and sought to cover related, but mature and well understood ground, about the nature of identity systems. It’s therefore worth me restating here that the principles are focused on the operation of a user-centric, privacy-compliant identity assurance service. Their purpose is not to cover the many other, well-worn aspects of identity: much of the foundation for the new service is already well understood and covered in the Good Practice Guides. Likewise, some comments about biometrics having been “missed” for example, seemed unaware that this topic is well covered in GPG 44 (Authentication Credentials in Support of HMG Online Services).

Such comments usefully flag again the important issue of how to ensure a better understanding of IDAP, the principles and the way they will enable users to interact in a trusted way with online public services. We have discussed with the IDAP team the need for better, clearer and simpler communication and some less technical documents that convey the purpose and nature of the programme and the principles — something akin to a Ladybird Book or a ‘101 on identity, privacy and security’ for those who would like or need to better understand.

I hope that we’ll be able to publish the revised and improved principles early in the new year — and thank all of you who found the time to respond. It’s much appreciated.

Posted in future Britain, identity, IT, IT strategy, open government, privacy, public services, security, technology, technology policy

Updated UK Government ID Assurance Principles published

As I mentioned in ID Assurance Principles — an interim update, the privacy-related principles that will underpin the UK Government’s identity assurance programme for digital public services have continued to be developed — and yesterday, the latest draft was published online.

This followed a constructive meeting between the independent privacy and consumer stakeholder advisory group and the Minister for the Cabinet Office, the Rt Hon Francis Maude MP. At the meeting we presented the background to the principles and how they are intended to establish and maintain trust after the debacle of the earlier national ID cards and related programmes. (I also couldn’t help but notice that whilst the rest of us shuffled piles of paper around and scribbled with pens, the Minister was using an iPad — an interesting reversal of the usual norms.)

The Government Digital Service (GDS) is now seeking further feedback on these draft principles — see Mike Bracken’s blog here. Please do get involved if you have ideas for how they can be further refined and improved.

I’d like to express my thanks to fellow members of the group who have voluntarily given up their own time to work so diligently and productively on developing these principles into their current form over the past few years. I’d also like to acknowledge the positive and open engagement we have developed with GDS, and numerous government departments.

There have, of course, at times been occasions and areas of disagreement and divergence, both within the group and between the group and others — all of which I regard as both healthy and essential, something to be expected when discussing and developing principles of such importance. Good solutions rarely come out of sycophantic monocultural “group think” in my experience — far better to identify and face problem areas, working to resolve them pragmatically, rather than to deny or ignore their existence.

As the work of the group continues, our interest now is not just in ensuring the principles are as good as they can possibly be, but also to ensure they are consistently applied to digital services — to the benefit of citizens and government alike. More on this as our work develops …

Posted in future Britain, identity, IT, IT strategy, open government, privacy, public services, security, technology, technology policy

more with Kinect …

Work on developing and prototyping some of my earlier research with Kinect continues.

The video below shows prototyping of the lens that can “see through time”, in this case allowing users’ hand gestures to move the lens around the screen to explore how it looked at an earlier time in the past.

The onscreen skeleton and hand silhouette are there mainly for prototyping purposes — and in part to illustrate in a single video how user movements impact the positioning and movement of the lens.

More soon ….

Posted in augmented reality, computer arts, creative computing, interactive digital technologies

ID Assurance Principles — an interim update

I’ve had many requests for updates on progress with the status of the identity assurance principles intended to underpin the new UK government identity assurance scheme. So I thought I’d post a brief interim update on how things are going with the excitingly named Identity Assurance Programme Privacy and Consumer Stakeholder and Communications Group (a group of independent experts in all things identity, privacy and security related, spanning their legal, technology and citizen implications), which is providing advice to the Cabinet Office.

Mike Bracken, Executive Director of Digital in the Cabinet Office, posted a draft version of our work in March of 2012, as part of the open and transparent process of sharing progress and soliciting feedback on improvements. I also posted them here, although perhaps not in the most readable of formats.

Since that time, the group has been active on looking at feedback, inviting in various government departments and others to review their work, and generally trying to improve the principles to ensure they are pragmatic, useful and consistent, but most of all to ensure they will help build trust based on privacy, security and identity best practice.

We’re at the stage now where I hope the principles will soon be formally republished in their latest form — watch this space. There are no major changes, mainly just clarifications in an endeavour to ensure they are understandable even when discussing some of the arcane complexities that emerge in this space. The intention is that the principles will be applied to the IDA scheme: that all suppliers on the framework for Identity Assurance and all government organisations will conform with the IDA Principles (as they are equally required to comply with government security and other best practice guidance).

In any case, the principles are never likely to be ‘final’ and carved into stone never to be changed again. They will need to be a living and breathing thing, able to deliver their core intent over time, but equally able to flex and adapt based on real life feedback and the ever-changing nature of the interplay between privacy, security and identity — and trust.

On a related note, the Government Digital Service (GDS) recently published the “Good Practice Guide (GPG) 45 – Identity Proofing and Verification of an Individual” which is also worth a read. So is the earlier GDS overview of what they are working towards, together with some of the embedded links.

In the meantime, the principles as set out in March of last year are still a good steer — and as soon as it is agreed, the updated version will appear here and in a variety of more ‘official’ places too.

Transparency disclosure: I am the Chair of the above-mentioned Identity Assurance Programme Privacy and Consumer Stakeholder and Communications Group and writing this in a personal capacity that reflects no formal views of either the group or the Cabinet Office.

Posted in future Britain, identity, IT, IT strategy, open government, privacy, security, technology policy

reforming government technology and the #CIO100

This has been a busy and significant week for government’s reform of technology, and its role in improving our public services.

On Tuesday, the UK government’s Chief Technology Officer, Liam Maxwell, posted a blog on Rebalancing technology across government. He set out a clear vision and statement of direction for government technology, founded on three guiding principles:

  • focusing on user needs, ensuring that technology becomes so good that our colleagues, citizens and businesses want to use it
  • putting outcomes first; such as reductions in cost per transaction
  • using ‘openness’ to our advantage – open data, open standards, open source, open markets

His blog post accompanied the release of Government Service Design Manual guidance aimed at supporting Chief Technology Officers and related technology functions across the public sector. It followed on from earlier and ongoing changes to governance, discussed in Mike Bracken’s March 14th blog post. Liam’s interview with Kathleen Hall in Computer Weekly is also worth a read.

The Resources for Chief Technology Officers consolidates expertise in contemporary technology practice and reflects the best of what is happening in both private and public sectors. The guidance will doubtless be added to and enhanced over time (since the whole approach to the design manual is — sensibly — to make it a living, breathing practical set of guidance informed by experience and best practice). In the meantime, the guidance already covers numerous aspects of effective governance and implementation, including (in no particular order):

The guidance further empowers CTOs to help transform the role of technology in our public services as they continue working alongside their users, digital leaders and chief operating officers. I expect some of it may appear quite radical to those less close to current best practice — the guidance on Creating a culture that supports change provides insight into the level of reform happening in government technology and the changes required to some of the older, less successful approaches.

As if all of this were not enough for one week, last night saw the announcement of the 2013 CIO100, in which public sector CxOs featured strongly. From James Thomas, CIO at UCLH NHS Trust at No 1, to Liam Maxwell at No 10 and a whole host of others — notably in local government, where meaningful improvements are being delivered in some very challenging financial environments — it was a timely reminder of how the right talent and leadership in technology helps transform our public services in enormously beneficial ways.

A video of UCLH’s Macmillan Cancer Centre is below — showing what happens when users (patients in this case) are placed at the centre of design. It’s a small taste of how our future NHS, and the wider public sector, could be — if we ensure the right talent, people and leadership are in the right place …

Transparency declaration: … I am on the judging panel for the CIO100.

Posted in future Britain, IT, IT strategy, open government, privacy, public services, security, technology, technology policy

from Phidgets to Kinect

Some of my earlier research into user interaction with sound and images of the past of place developed a prototype interface using Phidgets — some of which can be seen in the video below.

For the next stage I thought it’d be interesting to see what could be achieved with the commercial Kinect sensor and SDK.

For an installation environment (such as a digital gallery or museum exhibit), I particularly want to explore what works — and what doesn’t — in terms of gesture control with techniques such as the palimpsest slider and palimpsest lens. It will also provide the opportunity to start exploring how to handle multiple users experiencing the same work at the same time.

So, early work with Kinect has started — shown in the video below. Early days, but I’m impressed with what it’s possible to achieve relatively simply with the Kinect. Of course, I may regret saying that as I get into the more detailed work ahead ….

Posted in computer arts, creative computing, interactive digital technologies, London, technology

augmented reality – from lab to app

Going through my research material, I stumbled across some of the prototyping I’d done with augmented reality and layers of the past of London. This video gives a flavour.

I’m now at the stage of taking some of this research “into the wild” — building out early apps via our company VoeTek. Although that doesn’t mean the end of research — far from it: the journey to understand and improve the user experience, and hence the techniques and interfaces used, will build upon both the lab-based usability testing and online usability testing. Feedback from the various app stores will be used to continue to refine and improve the apps, to find out what works best and what doesn’t.

The PhD part of this research was just the beginning — I’m looking forward to what is yet to come.

Posted in augmented reality, computer arts, creative computing, interactive digital technologies, London