As the UK National Identity Card debate continues, there is considerable worldwide technological expertise in this field that can help us ensure the proposals are developed in the best possible way. Of course, no-one claims a monopoly on thinking in this area – but it makes sense to cultivate and capitalise upon this expertise as we think about how technology can help deliver successful identity systems (and equally to be realistic about which aspects of technology will not help).
As Niels Bjergstrom comments:
“… national eID systems bear very limited resemblance to a corporate Identity Management system, and the solutions cannot simply be transferred”
He proposes a list of core values that an electronic identity should adhere to:
- it must be able to bind out to other processes
- it must specifically be able to facilitate an irrefutable link between its user and itself
- it must be able to participate in authorisation procedures, in my view without leaking any identity information – helping to answer the question: is this individual allowed to do this in this context? In most cases you do not need identification to answer this type of question
- it should be able to facilitate authentication processes without compromising identity – allowing anonymity or pseudonymity most of the time is a fundamental requirement of any eID system in a free society
- it should be able to uniquely represent the legitimate holder (and only the legitimate holder) in public key cryptographic protocols – a consequence of the two points above
- it should be able to participate in identification processes if identification is required and legitimate
- it must not depend on irreplaceable personal characteristics, in the sense that the system as such must be able to cope with the problem of compromised or lost/changed characteristics
- the token containing the eID must be replaceable without unwanted consequences, or as a corollary, theft or loss of a token must not enable impersonation
- all its functions, including any disclosure of information in the token, must be fully controlled by the owner
I am reminded of similarities here with Kim Cameron’s “7 Laws of Identity”, which I summarise as:
- users must be aware of what information is being used and revealed, and to whom (the principle of informed consent and user control)
- the amount of personal information held and the disclosure of such personal information must be limited to the least amount necessary for its purpose (eg. proof of age being over 18 to a pub landlord)
- disclosure of identity information must be limited to only those parties who have a necessary and justifiable need for access
- identifying information should not be ‘broadcast’ or ‘leaked’ inappropriately to everyone: for example, standard PKI is unsuitable since it broadcasts the same identifier to every party
- identity systems must enable the interworking of multiple identity technologies run by multiple identity providers (there will always be a diversity of technologies – and new technologies – needing to be supported)
- the human user needs to become an essential part of the system, ensuring a means of their participation through unambiguous human-machine communications
- the identity system must provide a consistent user experience (to help reduce attack surfaces) and enable the separation of contexts through multiple operators and technologies
One of my concerns with the current UK proposals is that they do not seem to have a clear framework that sets out the basis on which the scheme will operate. It seems to move from political aspiration (the business requirement) to low level technical solutions and models. But we know IT systems that do not clearly set out the basis on which they will operate are systems that fail. This missing layer between business objective and technological solution is what I term the ‘technology policy’ layer. And it’s essential we have this well defined and agreed to before we start contemplating exactly how the system might be designed and what it should contain in order to work. Kim’s “7 Laws” seem to be a good attempt to begin to address this technology policy layer (and one which I think has importance for technologists way beyond purely the identity discussion).
It’s also useful to look at some of the issues coming to light with the Belgian ID Card: its technological approach has cut across some of the recommendations contained in the thinking of Niels Bjergstrom, Kim Cameron and others. The adoption of a single electronic identifier removes the traditional segmentation that normally provides a bulwark against unlimited compromise of our identity. Perhaps an analogy would paint a clearer picture here. Imagine a ship or submarine that has been carefully designed with a series of water-tight compartments. In the event that part of the vessel is holed and lets in water, that area can be sealed and the damage carefully contained to that one section of the vessel. Without such segmentation, the entire vessel would flood and sink.
The same applies to our identity: we need to ensure that it is maintained in relevant domains that limit the potential impact of any compromise. Moving to a system that no longer restricts identity thieves to a single aspect of our identity gives rise to serious concerns about the scale of the problem that could result. It would be in the UK as if we suddenly decided to hinge all of our identity relationships with Government off a single number – the National Insurance Number (NINO) for instance – rather than ensuring we keep different identity relationships separate. For example, we would not want our medical records or other sensitive information to be accessed using the same identifier that provides us with a service to report a faulty street lamp to a local council. Identifiers should be appropriate to their context and to the purpose for which they are being used.
Using a single identifier, such as NINO, also opens up other potential vulnerabilities – since such a common identifier used indiscriminately across all services would enable the likes of service providers to build up a profile of individuals across all their activities. Social engineering (such as the bribing of insiders) and the professional (and incredibly well-funded) criminal hackers would be able to digitally hijack citizens’ identities for access to government services – and hence potentially to cause significant identity theft on a scale not seen before.
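To make the compartmentalisation argument concrete, here is a small added example (my illustration, not code from the UK scheme or from Bjergstrom's or Cameron's work) contrasting the two designs discussed above. In the weak design every service receives the same NINO-like number, so anyone pooling records from several services can join them into one profile. In the compartmentalised design an identity provider holds a secret root key per citizen and derives a different, stable pseudonym for each sector with an HMAC, so a service in one sector cannot compute, or link to, the pseudonym used in another, and a lost token can be re-issued by rotating the key. The class and function names, the sector labels and the citizen number `QQ123456C` are all constructed for the example.

```python
"""Context-specific sector pseudonyms versus a single shared identifier."""
import hashlib
import hmac
import secrets
from collections import defaultdict


# --- Weak design: one identifier (a NINO-like number) handed to every service ---

def single_identifier(citizen_number, sector):
    # Every sector sees the same value, so records can be joined across sectors.
    return citizen_number


# --- Compartmentalised design: one pseudonym per sector, derived from a secret root key ---

class SectorPseudonymIssuer:
    """Holds one secret root key per citizen (constructed stand-in for HSM-held
    material) and derives a distinct, stable pseudonym for each sector.
    The root key never leaves the issuer, so a relying party in one sector
    cannot compute the pseudonym the same citizen uses in another."""

    def __init__(self):
        self._root_keys = {}  # citizen_number -> 32-byte secret root key

    def enrol(self, citizen_number):
        self._root_keys[citizen_number] = secrets.token_bytes(32)

    def pseudonym(self, citizen_number, sector):
        # HMAC-SHA256(root_key, sector): stable within a sector, unlinkable across sectors
        # without the root key.
        key = self._root_keys[citizen_number]
        return hmac.new(key, sector.encode(), hashlib.sha256).hexdigest()

    def reissue(self, citizen_number):
        # Lost or stolen token: rotating the root key changes every sector pseudonym,
        # so the old values no longer identify the holder anywhere.
        self._root_keys[citizen_number] = secrets.token_bytes(32)


def build_profiles(records):
    """Models an observer pooling records from several sectors: groups the
    records by whatever identifier each one carries."""
    profiles = defaultdict(list)
    for identifier, sector, event in records:
        profiles[identifier].append((sector, event))
    return dict(profiles)


def demo():
    # Constructed sample events for one citizen across three unrelated sectors.
    events = [("health", "GP appointment"),
              ("tax", "self-assessment filed"),
              ("council", "faulty street lamp reported")]
    nino = "QQ123456C"  # constructed example value, not a real National Insurance Number

    # Single identifier: all three events collapse into one profile.
    single_records = [(single_identifier(nino, s), s, e) for s, e in events]
    joined = build_profiles(single_records)

    # Sector pseudonyms: the same events cannot be linked to one another.
    issuer = SectorPseudonymIssuer()
    issuer.enrol(nino)
    sector_records = [(issuer.pseudonym(nino, s), s, e) for s, e in events]
    compartmentalised = build_profiles(sector_records)

    return {
        "profiles_with_single_id": len(joined),
        "largest_profile_single": max(len(v) for v in joined.values()),
        "profiles_with_sector_ids": len(compartmentalised),
        "largest_profile_sector": max(len(v) for v in compartmentalised.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the single identifier the observer reconstructs one profile holding all three events; with sector pseudonyms there are three unrelated one-event profiles. The same derivation also shows why Cameron's fourth law singles out standard PKI: a certificate carrying one public key is the "single identifier" case, whereas a per-sector pseudonym (or per-sector key pair) gives each relying party a directed identifier that only the issuer can relate back to the citizen.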
The UK proposals currently foresee some 265 government departments and as many as 44,000 private sector organisations having access to the identity database. Multiply this by the number of individuals within each organisation requiring access and the suggestion is that hundreds of thousands of people are going to have access to the system. Someone once commented that the UK system would be designed to be as secure as the Trident missile launch sequence codes. It is hard to reconcile such high levels of security with the apparently largely open nature of the proposed system.
It is also foreseen that citizens will be able to update and maintain their records via ‘secure Internet access’ – and, I presume, call centres. Wider issues come into play here, particularly given the scale of both phishing and pharming. And I don’t just mean via Web browsers and the Internet: phishing and pharming are just as likely with voice phone calls too.
Both the scale of external access being proposed and the Internet-based and call-centre access provide potential ways in which the system could be compromised. It will be almost impossible to ensure that such an open system can remain secure, even if we further protect the likes of Internet access through new developments such as InfoCard and the chip and PIN card readers that we may well have within our households in another year or so.
It’s positive that Unisys and a few others have also now entered the public debate about the technology issues and how such a system might best be designed and used. But before we get into that debate in any great detail, let’s first of all sort out that missing layer: the technology policy layer. It seems to me that the ideas of Niels Bjergstrom and Kim Cameron are as good a starting point as any to help us do this.
This blog post originally appeared when I hosted NTOUK on SimpleBlog. It’s one of several I’m retrieving and posting here to bring together my posts in one place. The content and date shown for this post replicates the original. Many links are, inevitably, broken: where I can, I’ll substitute ones that work, particularly where the Internet Archive Wayback Machine has captured the content originally linked to.