WRITTEN ON July 3rd, 2009 BY Harry Metcalfe AND STORED IN Foundation of Trust, Identity, Transformational Government, What do we want?

We need to be able to authenticate ourselves online. The Government’s Identity Card scheme is in part an attempt to do this, and it’s really bad, but we do need some sort of system that offers more than traditional proofs of identity.

I’ve just read Alan Johnson’s article at Comment Is Free. Other than to say that it’s the same old Home Office nonsense, I shan’t deconstruct it further — Longrider has already done that with characteristic style (NSFW). What I’m more interested in is the sentiment expressed by Johnson’s headline: “We need Identity Cards, and soon”. While it is wrong, it does hint at a real problem, and one which has not been convincingly solved.It’s difficult to interact with Government properly on the Internet. Public services should all be available online, but attempts to put them there are often stymied by the absence of good ways to identify and authenticate people. It’s important that we fix this problem. Interacting with bureaucracy electronically has clear benefits: it’s fast and convenient, it permits services to be customised and interlinked, it makes it easier to help people who are confused, it simplifies data collection and significantly reduces cost. These are real, substantive benefits.

An so, we have Identity Cards, which — among other reasons — the government is introducing in order to make these changes possible. Unfortunately, ID Cards are a deeply inappropriate solution. They miss the point so severely that it would be funny if it weren’t so dangerous. The main mistake made by the benighted scheme is to assume — more or less blindly — that a proof of identity is actually what’s required.

What organisations really need to know is not who you are, but what you are authorised to do or have, and whether you are a person they already know. They need to understand what they should and shouldn’t give you, and they need their relationships with people to be consistent: whether you’re called Bill or Bob couldn’t matter less, but if you’re Bill and you’re now just calling yourself Bob, that’s important for organisations to realise.

What’s needed is not a card. It’s not a gigantic database cataloguing every conceivable fact about all of us. It’s not an authoritarian state insisting that you must identify yourself on demand. Government assumes that it should control the tools that we use to identify ourselves, but that attitude is what’s got us into the situation we’re now in: where impersonal juggernauts of institutions are incapable of interacting with us efficiently and empathetically. Where we strive to avoid contact with them and always take the shortest route out of any interactions we have to have, because they feel like wading through treacle.

What’s needed is a way for organisations to interact with us where we control our own data, releasing it to those we trust, and revoking it when relationships break down. Where we can selectively provide the information that organisations need. To have privacy and respect from a system that currently treats people rather badly: as a number, as the sum total of their customer record and credit rating, as a threat presenting a risk to be managed. A system, in other words, that allows organisations to get the assurances they need without sacrificing our dignity.

The ID cards scheme is not this system, and we must fight the good fight — but let’s not let be blinded by it. We mustn’t throw the baby out with the bathwater. Fantastic things could be made if a respectful and effective authentication scheme were to exist — so perhaps, despite Johnson’s article being the same old Home Office balderdash, there was an iota of truth in his headline.

Cross-posted from Harry’s Blog