WRITTEN ON September 12th, 2009 BY William Heath AND STORED IN Foundation of Trust, Identity, What do we want?

It has been a leitmotiv through years of Government-Idealism that the UK National Identity Scheme offers no perceptible benefit to the ordinary citizen or taxpayer. Ministers have once or twice protested they’re about to tell us what the benefits are (while conceding it will offer no online functionality “in the present phase” ie until 2020 or so).

This must concern suppliers. WW2 is over. The pressing and growing need is for online ID services. A massive proposal without perceptible benefit to its end users, even fully funded, carries high risk of project failure.

IBM’s Defence & Homeland Security division shared £650m-worth of ID Scheme contracts with CSC. I’m not privy to what goes on between IPS and its contractors, but quite clearly such companies have a big interest in making this work and taking it forward amid uncertain future political support for the ID Scheme.

IBM has some interesting thinkers. I’ve always heard the privacy-friendly work of Dr Jan Camenisch in the Zurich labs highly recommended, and there are other strands too. The other day Peter Dare of IBM UK was kind enough to show me the working demo of something called Identity Grid. This idea, I should make clear, is not in any sense commissioned or sanctioned by the UK IPS, but conceived as a creative extension of possibility, no doubt mindful of what IPS is already undertaking.

It runs like this (IIRC; correct me if I’m wrong etc).

You place a chip-enabled card in a custom card reader (with LCD screen), connected via USB to a PC. To set up a bank account you point your PC browser at the bank’s website. It sends a request via your laptop to your card reader, which asks (via the LCD screen) whether you authorise the bank to take a set of details from the National ID Register. To authorise, you enter a PIN to the card reader. This sends a digital signature to the bank. The bank takes a whole set of details from the NIR. Thus, instantly, you have a bank account. Simple as that.

Next you set up a company the same way. Companies House web site sends a prompt to your card reader, you authorise CH by PIN to get your details from the NIR, and you have a company, simple as that. Third, you set up a company bank account. But this time the bank asks you to authorise Companies House to release a set of your details. You OK this via PIN, and you have a company. Simple as that. I didn’t time the demos but the whole thing took maybe five minutes. So, unlike anything we’ve seen or heard from IPS, this saves time. And it works online. It’s quite different from what we’ve seen before.

Did I miss anything? Does that make sense? Above all, dear friends: is this Ideal? Is this the way to go? Some of us will have reservations. Let us express them in a clear and moderate manner. And if there are better alternatives, let’s hear them.
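
A sketch of the authorisation step in the flow described above, as an added example that is not IBM’s code or part of the original post: the reader signs a request naming the relying party, the attributes, a nonce and an expiry, and the register checks each of these before releasing anything. The field names, the HMAC stand-in for the card’s digital signature and the sample record are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo values; nothing here comes from IBM's demo or the NIR.
CARD_KEY = b"demo-card-key"  # stand-in for the card's private key
REGISTER = {"name": "A. Citizen", "dob": "1970-01-01", "address": "1 Example St"}


def reader_authorise(request, pin_ok):
    """Card reader: sign the request shown on its LCD only if the PIN was entered."""
    if not pin_ok:
        return None
    body = json.dumps(request, sort_keys=True).encode()
    # HMAC stands in for the card's digital signature (assumption, stdlib only).
    return hmac.new(CARD_KEY, body, hashlib.sha256).hexdigest()


def register_release(request, signature, caller, now, seen_nonces):
    """Register: release attributes only for a fresh, signed request naming this caller."""
    body = json.dumps(request, sort_keys=True).encode()
    expected = hmac.new(CARD_KEY, body, hashlib.sha256).hexdigest()
    if signature is None or not hmac.compare_digest(signature, expected):
        return "rejected: bad signature"
    if request["relying_party"] != caller:
        return "rejected: authorisation names a different party"
    if now > request["expires"]:
        return "rejected: expired"
    if request["nonce"] in seen_nonces:
        return "rejected: replay"
    seen_nonces.add(request["nonce"])
    # Release only the attributes the user approved, not the whole record.
    return {k: REGISTER[k] for k in request["attributes"] if k in REGISTER}


def demo():
    seen = set()
    req = {"relying_party": "bank.example", "attributes": ["name", "dob"],
           "nonce": "n-001", "expires": 1000}
    sig = reader_authorise(req, pin_ok=True)
    results = [register_release(req, sig, "bank.example", 900, seen)]
    results.append(register_release(req, sig, "bank.example", 900, seen))   # replayed
    results.append(register_release(req, sig, "other.example", 900, seen))  # wrong party
    widened = dict(req, attributes=["name", "dob", "address"], nonce="n-002")
    results.append(register_release(widened, sig, "bank.example", 900, seen))  # altered scope
    return results
```

The sketch covers only what the signed request binds; it does nothing about a PIN captured on a compromised PC or about whether the reader’s screen shows the same request that gets signed.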

19 Responses to “Does IBM’s Identity Grid idea show us the future for online public services?”

 
David Moss wrote on September 12th, 2009 1:42 pm :

Review notes #1:

You place a chip-enabled card in a custom card reader (with LCD screen), connected via USB to a PC …

Arguably, this introduces the need for a new national infrastructure of cards, card readers, keyboards, monitors and secure telecommunications which is entirely unnecessary given that we already have mobile phones, a globally interoperable mobile phone network and the 40 year-old technology and procedures of public key encryption which allow us to use this network securely.

In which case, step #1 in the IBM use case is a step in the wrong direction, a step backwards from the 21st to the 20th century, a failure of imagination, a case of ignoring the resources already available to us and ignoring the evolution of society perfectly evident all around us, a way of delaying deployment by decades while the unnecessary and superannuated infrastructure is put in place, a way of introducing the risk that all the work done will be wasted and redundant the minute a more imaginative market anthropologist spots the mobile phone.

http://dematerialisedid.com/Mobiles.html
http://dematerialisedid.com/PKI.html
http://dematerialisedid.com/Dematerialisation.html

Toby Stevens wrote on September 12th, 2009 1:52 pm :

It’s certainly an interesting proposition, but, in my opinion, still far from ideal: it assumes the government to hold the gold standard/deep truth/(insert metaphor here) attribute information, and success depends upon the infallibility of the NIR. WIBBI if the approach facilitated verification of information held by a VPI broker? In other words, you authorise your VPI provider to release information to the bank, the bank then forwards the relevant information to the NIR and asks ‘is this correct?’. The NIR authorises the account/company/library card but does not retain any information beyond the minimum needed. That way we get choice and government does not become an inappropriate broker in the ID relationship…

David Moss wrote on September 12th, 2009 2:04 pm :

Review notes #2:

To set up a bank account you point your PC browser at the bank’s website. It sends a request via your laptop to your card reader, which asks (via the LCD screen) whether you authorise the bank to take a set of details from the National ID Register. To authorise, you enter a PIN to the card reader. This sends a digital signature to the bank. The bank takes a whole set of details from the NIR. Thus, instantly, you have a bank account. Simple as that.

There is a triangle here, formed by three agents: the prospective accountholder; the bank; and the Identity & Passport Service (IPS).

The assertion has been repeated by IPS in particular and the Home Office in general for at least seven years that there will be a one-for-one correspondence between real people and electronic identities on the NIR. That is a promise they make, a guarantee, an underwriting pledge on the basis of which they claim that creating the NIR will make it easier to open a bank account.

No commercial bank chairman or chief executive has ever said that he or she agrees. Not one.

The claim is a pipe dream of IPS’s and a dream they know they cannot deliver. They cannot promise that the NIR would make multiple, false identities impossible. They cannot promise that it would always be possible to establish that the prospective accountholder corresponds to the electronic identity on the NIR.

The Crosby Forum on Public/Private Identity Management told HM Treasury that there is nothing in the National Identity Scheme for banks or for major retailers.

It is the banks who have to operate Know Your Customer (KYC) and not IPS. It is the banks who take the risk when an account is opened. IPS will not underwrite that risk, they want power without responsibility.

So at the very least, one of the vertices of IBM’s triangle has got the wrong agent sitting on it – IPS.

http://dematerialisedid.com/Register/regBiometrics.pdf

Ideal Gov administrator wrote on September 12th, 2009 2:25 pm :

David tweets:

the IBM vision wouldn’t happen to involve anything patented by IBM would it?

David Moss wrote on September 12th, 2009 2:30 pm :

Review notes #3:

IBM’s Defence & Homeland Security division shared £650m-worth of ID Scheme contracts with CSC. I’m not privy to what goes on between IPS and its contractors, but quite clearly such companies have a big interest in making this work and taking it forward amid uncertain future political support for the ID Scheme.

IBM and CSC do, indeed, have an interest in making the National Identity Scheme work.

They face considerable obstacles, please see http://dematerialisedid.com/BCSL/Risk.html.

Nothing in the rôle-plays you describe suggests that these obstacles have been overcome or that they can be.

David Moss wrote on September 12th, 2009 3:06 pm :

Review notes #4:

… unlike anything we’ve seen or heard from IPS, this saves time. And it works online. It’s quite different from what we’ve seen before.

To put your point another way, the Identity & Passport Service (IPS) are uninterested in the procedures for online verification.

I have been sending them (and IBM) use cases for consideration since 2003, please see

David Moss wrote on September 12th, 2009 3:18 pm :

Review notes #5:

The suggestion has been made by an Administrator of my online-only acquaintance that this initiative of IBM’s is an example of “organisation-centric public services”.

Category mistake?

Opening a bank account is a private sector transaction. So is setting up a company.

It has yet to be demonstrated that the public sector has anything to offer in these private sector transactions. Until it is demonstrated, it seems only sensible to assume that the public sector has nothing to offer.

Ideal Gov administrator wrote on September 12th, 2009 3:29 pm :

Org-centric wd be as opposed to person-centric. It’s not about public sector v private sector.

Ideal Gov administrator wrote on September 12th, 2009 3:43 pm :

R emails some trenchant and eloquent points. In essence:

– how many bank accounts do we want to open and companies do we want to form? These are low volume transactions which do not merit a custom card reader
– cf EMV/Chip & PIN. Despite its shortcomings, with 20,000 banks, hundreds of vendors, millions of merchants and over a billion cards issued, we’re stuck with it
– we don’t see IPS accepting any liability
– UK doesn’t matter in setting global standards
– nor does IBM (cf Google and Microsoft)

David Moss wrote on September 12th, 2009 5:17 pm :

Review notes #6:

The bank takes a whole set of details from the NIR.

How? How does the bank get these details from the NIR? Via the Government Gateway? http://www.theregister.co.uk/2009/09/02/uk_eu_data_menace/

Do we want banks to be able to download data from the NIR?

David Moss wrote on September 12th, 2009 5:27 pm :

Review notes #7:

… instantly, you have a bank account. Simple as that.

I reckon you’ve got a bank account when you can pay money into it and out of it.

… and you have a company, simple as that.

Does this company have the right memorandum and articles of association? Has it been correctly classified by Companies House? Is there a Minute of the Board’s Resolution to set up a bank account?

I didn’t time the demos but the whole thing took maybe five minutes.

You still don’t have a personal bank account or a company bank account or a company, several days after the demonstration.

I can ring my man in the City Rd and order a company over the telephone and pay for it with a credit card in roughly a quarter of an hour and the paperwork all turns up next day in the post.

Where’s the benefit of involving the National Identity Register (NIR)?

Millions of us ran screaming out of the house to open bank accounts all over the place to try desperately to keep our balances under the government guarantee limit. It wasn’t difficult. It didn’t need the NIR.

Where’s the benefit of involving the NIR?

David Moss wrote on September 12th, 2009 5:35 pm :

Review notes #8:

… this saves time. And it works online.

Why is that a benefit?

I think I know why some people think it’s a benefit.

Take a look at my use case, http://dematerialisedid.com/Evidence/Verification.html. You will notice two differences compared with the IBM use case.

1. There is an emphasis on checking for revocation which is not mentioned in your brief description of the IBM use case.

2. There are people in it.

I think a lot of people are looking for secure services that don’t involve people, just authenticated book entries made on the basis of telecommunications.

IPS are trying to turn government into nothing more than a massive computer game.

And you know what, with games – they’re not real. Take the people out of the equation and the NIR and the Companies House records will instantly become detached from reality.

That is not a benefit.

Ideal Gov administrator wrote on September 12th, 2009 6:03 pm :

You place a chip-enabled card in a custom card reader (with LCD screen), connected via USB to a PC. To set up a bank account you point your PC browser at the bank’s website. It sends a request via your laptop to your card reader, which asks (via the LCD screen) whether you authorise the bank to take a set of details from the National ID Register. To authorise, you enter a PIN to the card reader. This sends a digital signature to the bank. The bank takes a whole set of details from the NIR. Thus, instantly, you have a bank account. Simple as that.

R writes:

I place some malware on your machine, it asks whether you would like a free entry into the national lottery and asks for your PIN (to ensure you don’t cheat and enter twice).

I have now set up a bank account in your name… which I can use for money laundering, or just persuade your employer to pay in your salary to that account at the end of the month.

Next you set up a company the same way…

People are always setting up companies, making it simpler than a phone call to your accountant will clearly make all the difference to the British economy going forward. (not!!)

Good grief, can they think of no better examples?

Third, you set up a company bank account…

It’s not changing the lives of ordinary folk is it — and they’re the people paying for all the back end infrastructure!

Ideal Gov administrator wrote on September 12th, 2009 6:06 pm :

A writes:

Software, drivers, windows compatibility with old/new releases?

For pin -> code sequence it’s easy. PoS systems fake a HID device so need no particular support (it’s an extra “keyboard”)

It’s interestingly old hat from the tech side – except for certs not just identifiers – so combining crypto stuff and ‘secure’ reader stuff

Obvious question:

If I can use the card to release auth permissions between people why can’t I just keep my personal data on a card, as I want, which bits I want and why do we need an identity register involved. Secondly on some diddly second device screen how will they provide a good enough UI to allow the user to really understand what is being authorised and to whom. If the explanations are on the main PC screen they are insecure.

Related problem unless they are very careful – I provide a cert to a web site that looks like say the DoT for a driving licence update. But a) how do I know it is the DoT, and b) how do I know either the cert auth or request are not being tampered with if my PC was trojanned?

For general purposes you can also extract certs from people trivially so they need to be carefully designed – otherwise every muppet will happily provide “proof of age” to random porn sites.

Ideal Gov administrator wrote on September 12th, 2009 9:03 pm :

D writes

i am not techy but still saw red lights going off everywhere … “this saves time. And it works online.” mmmm until someone cracks it or steals my details (or the details of someone who is stupid enough [or hasn’t got a good enough memory] and jots these pins down) – or someone forces someone to reveal their pins. and then they clean you out, transferring your money instantly to wherever with their new accounts and new companies (are the cayman islands into this yet??)

Tom Chiverton wrote on September 13th, 2009 1:55 am :

Go and google ‘zero knowledge systems’ – there’s no need for the bank to know anything about me, other than I can unlock my NIR record.
And, as others have said, the system is vastly more complicated (expensive, fragile) than even the massively complicated discredited system currently planned. At least till the current bunch of muppets are out and anyone else gets in and scrapes the system

Watching Them, Watching Us wrote on September 13th, 2009 5:16 am :

“connected via USB to a PC”

So how exactly can this be secure against all the existing hardware and software, which can already snoop, sniff, capture and probably replay, any of the data traffic on a shared Universal Serial Bus? This has no inherent security at all, neither under Windows, nor under any other operating system.

Try a web search engine query for “USB sniffer”:

http://www.google.co.uk/search?q=USB+sniffer

Ideal Gov administrator wrote on September 13th, 2009 12:42 pm :

OK – thank you to correspondents for two useful URLs (expressed with dry geeky passive-aggression, but kindly intended no doubt):

http://lmgtfy.com/?q=zero+knowledge+systems

http://lmgtfy.com/?q=USB+sniffer

I’d better ask Peter at IBM whether they feel these issues are sufficiently taken on board in what they’re showing.

Ideal Gov administrator wrote on September 13th, 2009 12:51 pm :

C emails to the effect that without Brands/Camenisch technology, everything is totally centrally traceable. That is what the technology was invented to prevent and there ain’t no way to prevent it without that technology.

It really is as simple as that.

What is described here is the blueprint for the totally traceable database state.