You say (paper) identity, I say (digital) identity

So identity is back mainstreaming in the news once more from Bill Goodwin at Computer Weekly to Kim Cameron’s podcast on Idealgovernment, which is provoking a healthy mix of constructive discussion and comment. Identity and identity card stories are back in the tabloids and broadsheets, with much speculation about the series of reviews currently underway inside the Home Office.

Bill’s recent piece picked up on some of the discussions at the recent IAAC event, which included a range of speakers, myself amongst them, and which I commented on briefly during an earlier posting.

One of the main themes that I aimed to bring out during my contribution was that we need to shake off the old thinking that we had in the paper-based world and really think about what identity means in the digital age. In the paper age, of necessity, paper-based identity documents broadcast identity information to anyone who had access to them.

We’re familiar and, broadly, comfortable with this model. So anytime we hire a rental car, the employee at the company gets to see our driving license which contains all sorts of potentially interesting information, such as name, full address, date of birth etc. Alongside this they also have access to our credit card details. A useful combination of information of course in the wrong hands. And in a world in which paper predominated there wasn’t really a great deal we could do about this — not without imposing an absurd amount of process overhead that would have been disproportionate to the problem we were aiming to tackle.

In effect, it was not the paper document itself that was taken to confirm identity so much as physical possession of it. But at least in the paper world there was usually just the one physical copy of a document, so once stolen or otherwise misappropriated its scope for damage was limited. In a digital age, identity can be cloned, replicated and abused on a scale that requires us to rethink the whole issue of identity and how we best protect our identity and related personal information.

But let’s not be too down-hearted. The world of digital identity offers us the prospect for radically improving what we had in the paper age. No longer does such personal identity information need to be carelessly broadcast to anyone who happens to gain access to our identity documents. In fact, it’s perfectly possible to imagine an identity card that is nothing more than a piece of blank plastic with an embedded chip on it.

Of course, this is probably pushing things a bit too far. You could end up with a wallet of blank cards issued by various parties. So, although the theory holds good, in practice a mix of branding (so you can easily tell which card you hold in your hand), compliance with ICAO requirements (such as for a full-face photo) and other elements would need to be added back in.

However, we have not had sufficient research and debate on what seems to me one of the most obvious topics when we start looking at identity and identity cards. At the IAAC event, there was an audible ripple of concern from the audience when Nigel Seed, project director at the Identity and Passport Service, listed a whole range of personal identity information that he stated would be physically printed on the face and back of the card. This went well beyond branding and ICAO requirements. It included items such as national insurance number and date of birth.

I think we’re all keen to understand why such information would ever be made publicly available in such a way since we know once it exists that almost everyone is going to ask to start seeing the ID card, even for relatively trivial exchanges such as purchasing beer at the off license. Printing in a single place so many pieces of personal identity information — name, signature, date of birth, national insurance number etc — does not seem to me the most obvious way of strengthening protection around our identity.

So I welcome news of the apparent delay in the programme since any system of this scope needs to be very thoroughly researched and designed. It was Dave Birch from Hyperion who made the point when we were on the panel giving evidence to the House of Commons Science and Technology Committee that this is the type of detailed technical and scientific consideration that has been lacking from public consultation in the programme to date.

Giving the programme enough time to step back and take account of such issues can only be a good and healthy thing. There is so much that could be done to really help protect and enhance identity that it’s worth taking the time to get it right.

This blog post originally appeared when I hosted NTOUK on SimpleBlog. It’s one of several I’m retrieving and posting here to bring together my posts in one place. The content and date time shown for this post replicates the original. Many links are, inevitably, broken: where I can, I’ll substitute ones that work, particularly where the Internet Archive Wayback Machine has captured the content originally linked to.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.