Government departments will begin testing a first prototype of the Coalition's new identity assurance model for its entire online public services space in October this year. Cabinet Office minister Francis Maude confirmed the plans in Parliament yesterday. As The Register reported last week, the government is already in early …
Multiple logins were probably the only security
against some civil servant inevitably leaving a snapshot of the db on a train.
So this is SSO all over again then?
The immediate basic problem is that, while it is an obvious approach to an obvious problem, it is too corporate to scale in the long run. I mean, sure, you can, but the obvious lack of uptake of services like openid (and the de-facto abuse of, say, offering to use your facebook login in many places to do pretty much the same) means that it's only a good idea if you don't think too hard about it.
The not-so-obvious problem is that increasingly we'll be forced to let go of the oh-so-convenient assumption of needing to start with "ascertaining identity" as the first step when all you really want is authorization or authentication. That is, we must ask ourselves what we really want and find ways to do that instead of sticking to the obvious, for the obvious has obvious privacy problems that inevitably will come back to bite you. It's not a question of if, but of when, and how much fallout from how big a breach. So.
Yes, some innovation here is needed. I get the feeling that dear Kim sees what's going wrong but doesn't really have any idea how to fix it. Humbly I'll admit that I do have such an idea even though it's as yet too abstract to do anyone much good. I do foresee that any workable solution is of necessity going to be quite disruptive, at least in the administrative procedure type sense, but sticking to the old ways will be more painful, though more in a chronic toothache type pain that everybody will just put up with until they figure out what it is that's hurting them.
So I don't expect much to happen for the foreseeable future. What'll happen first is Napoleonitic administration practice to be poured into New! Shiny! contractor code and it'll work, of sorts, but never really well and nobody'll be really happy with it. It'll last for a while though, so there's no real incentive to come up with really good new ideas.
A long time ago, when I was young and naive, I used to think that a single joined-up system would be really good and useful. Over the years I've grown less naive, and the previous government demonstrated really well just how such a joined-up system can, and will be, abused.
So now I'm quite happy to have multiple sign-ons and accept that slight increase in cost and complexity and the need to duplicate data entry is a small price to pay for freedom.
If they want to make it simpler, provide an option to all the forms where users can upload a plain text file in standard format that auto-completes the form fields. If government departments can standardise on a minimum subset of data then it should be quite easy to generate the text file once.
Pros and cons
It's a nice theory to have all data in one, very secure place.
One password to rule them all etc....
- only one organisation has your information. No more of your details getting hacked from several sites.
- easier to remember and therefore less frustration
- cheaper for us all.
- this is another quango isn't it? Thought the conservatives said they would have fewer quangos? Oh yes - they are called the con-tradiction party where they do the opposite of everything they said they would/wouldn't do. Well except be a bunch of rich ponces only looking out for the rich - that hasn't changed!
- if that system is not secure, your very private and accurate (no one lies to the gov and gets away with it, eh?) information is up for grabs. This is worse than a normal website where you can try to keep real info to a minimum.
- one gateway to hack which probably makes it less secure. Hit it hard enough and it could be taken down.
- DDoS problems - 1 target = easy target
- you cannot access these services if you are banned from the internet (BPA three strikes rule)! Is this against your rights if you're banned that you cannot access gov websites?
No system is secure over time and I fail to see how any government of this country would be able to keep ahead of exploits in time because of a lengthy change control process.
"you cannot access these services if you are banned from the internet (BPA three strikes rule)! Is this against your rights if you're banned that you cannot access gov websites?"
You just login to your gubermint services and let them know that you can't access the site
--oh, hang on. You write a letter to, oh - they've closed that bit as everyone now logs on.
They'll text you a new password instead.
It appears to be way more complicated than that...
I've seen some documents - presented at a terrifically high level of abstraction - and had one personal meeting with some senior Cabinet Office people. Those documents certainly contain some words which *could* describe a scheme that might not be entirely destructive of privacy and civil liberties.
I've expressed NO2ID's doubts on a similarly abstract level: viz - we don't want a nice-sounding scheme, with the appearance of a distributed trust network, to become a means in practice for departments to hoover up even more personal details of citizens, control identities, and/or to slosh the silos together; and for that reason we want a clear view of the legal framework first, because that, in government is a clearer guide to what can happen than any number of pretty diagrams.
Gov appears to expect to rope in banks in a big way, to create a magic market of various service providers (identity providers, and a shadowy group called "attribute providers"), and to start with this as the armature for the massive redesign of the social security system - and therefore to address as its first user base the hugest reservoirs of the non-digital citizenry. Quite how it is supposed to be going to be doing all that inside about 18 months, I do wonder.
It will be interesting to watch. But will we "contribute" as some reports have it? Not if it is used to suggest we endorse the scheme beforehand.
General Secretary, NO2ID
It's ID cards all over again.
Is it not?
Ooh! I geddid.
They've read that NSTIC thing too, and now want /an ecosystem/ bandwagon to jump on.
Apropos database linkup creep, specifically social security and such. Yes, that happens. The Americans found that out the hard way (we all know that, qv _ssn snake oil faq_), and OF COURSE the Dutch state apparatus had to try it out for themselves, and yes, it still happens. We'd best not build that right into the system then.
The thing is, what you describe from that document is very similar to too many other such documents and it's all corporate theorising. We don't want that.
We do want a level playing field and that starts with every actor a first class citizen, and every check (regardless of _what_ is checked) be mutual. So no special casing of providers of anything whatsoever.
If I wanted to start a provider overnight, why, I should be able to. Whether it means to anyone else just as much as the services that operate in the Queen's name is something else again, but the playing field should be agnostic to that, and the <yuck>ecosystem</> built on top of it should be robust against that sort of thing. Otherwise you're going to build dependencies into the system that will cause monopolies and will prove abusable.
Apropos: Anybody notice that Kaspersky guy blather about everyone an "internet passport in 15 years"? That guy definitely has something to sell.
But anyhow. Thanks, Guy.
"It's ID Cards all over again."
It's conceivably ID cards without the cards (which has been a worry from the off, hence "... and the database state"), and conceivably not.
I've no doubt the intentions are good. But that does not mean the outcome will be.
Beavering away on Martha Lane Fox...
...El Reg gets more like a Carry On film every day.
But back to the point. This does have a tiny whiff of the database state that I thought the UK had tried to get rid of at the last election. At least some good people such as NO2ID are having some input this time.
Re: Beavering away on Martha Lane Fox...
I'll take that as a compliment ;)
I have SSO already
I use KDE K Wallet Manager - I'm sure there are loads of other ones. It stores the plethora of user IDs and passwords in a password protected file on my desktop. At the start of a new session, it asks me to enable one time access so Konqueror or other applications that access stuff online can get on with it until I log out.
Of course as I only use K Wallet Manager on my desktop it has a few inconveniences:
- it's very difficult for me to do important stuff using public wifi and my laptop
- similarly a cyber-cafe is no use, and
- my mob is a bit useless
What a pity...
What I find especially confusing about the idea of internet banking on my mob, is that if I set up a new payment (such as sending a few quid to that nice Nigerian that wants to share the country's oil revenues with me) they will telephone me with a one time password to confirm. Keeping internet banking and mobile phones well separated seems to be a good idea.
Headless Coalition Chickens
You're 'avin' a larf, El Reg/Kelly, and the government are certainly not the ones to be thinking about identity assurance schemes whenever they themselves are frightened into assuming pseudonyms whenever interacting with the public, as the recent case reported by Gerald Kaufman illustrated, whenever he tried to get back in touch with an office to speak with someone who had replied to him, to find out that that particular named person didn't exist. For security reasons they said, is why the likes of a Mr Jones to one person is a Mrs Smith to someone else and probably a Ms Busybody to another ......... http://www.guardian.co.uk/politics/2011/may/11/gerald-kaufman-complains-letter-signed-fake-official
With so much to hide and prevent the public from knowing because of the necessary abuses of the public to keep the system going in its present form, will the government always be fighting a losing rear guard action against transparency and accountability even as the puppets profess to be worthy champions of both for a new age of politics ...... same as the old politics.
And cyberspace quite rightly scares them witless, for that is a space in which you have to be smart in a way that is exceptional and different to excel and lead, and that rules out anyone and everyone who would be thinking that politicians lead rather than just do as they are told.
If you trust Gov.UK to run secure web sites...
...you haven't tried this simple sanity check on Google...
Search for the terms
site:gov.uk "cheap cialis" OR "cheap levitra" OR "cheap viagra"
Currently... About 4,260 results.
Re: If you trust Gov.UK to run secure web sites...
Don't knock it. If we can get the yanks to spend their hard-earned buying knob pills from the British Government rather than Canadian pharmacies, we can pay off Sweaty Gordon's legacy with bent US dosh rather than British taxes.
Re:If you trust Gov.UK to run secure web sites...
The search suggested by dephormation.org.uk is interesting, but instead of just looking at the number of hits it's worth looking at some of those hits. (And it's also worth noting that .gov.uk is not an organisation at all, let alone an organisation that has websites or provides secure hosting for websites - it's a UK SLD, ffs!)
Of the first 20 hits delivered by Google today using that search, 13 had been fixed when I looked at them - they would no longer be hits if google looked at them again; one of the fixes was extreme - the website now consists of a single page (apparently used to catch 404 errors) which says something like "this site is now defunct". One of the remaining hits was a page which allowed comments from the public, without moderation: it had been comment-bombed (unmoderated comments are probably a bad idea, but moderation brings the risk of moderator-induced bias in comments). Two were pages from a website that has been defunct for five or six years (I wish LG associations would clear up behind themselves instead of leaving ancient junk lying around and susceptible to attack when they move on to be hosted by a larger organisation). The remaining four were from one small parish council, probably set up by a part time town clerk with practically no understanding of IT with assistance from enthusiastic but security-unaware amateurs. None of the sites (whether fixed or still defaced) were national government sites - they all belonged to local government, LGAs, or Quangos.
I don't think that this sample of 20 hits provides any evidence that UK national government websites are careless about security (that's not to say that such evidence is not available elsewhere).
It does demonstrate that being in the .gov.uk domain doesn't guarantee that a website is secure - but no-one could reasonably expect it to, when .gov.uk includes the websites of parish councils whose only employee is a part-time town clerk who has no IT experience at all, websites of associations of local government bodies which have only slightly greater staffing resources (a part time administrator and a full time secretary), and websites of current or former local government bodies and quangos which either no longer exist or which no longer maintain that website because they discovered how difficult it was to do properly and joined some larger group so that the cost of bringing in someone at least partly qualified to set things up properly could be shared, but forgot to eliminate the old site (or thought that just making the default page redirect to their main page on the new shared site was all they needed to do).
>> Gov appears to expect to rope in banks in a big way, to create a magic market of various service providers (identity providers, and a shadowy group called "attribute providers"), and to start with this as the armature for the massive redesign of the social security system - and therefore to address as its first user base the hugest reservoirs of the non-digital citizenry. Quite how it is supposed to be going to be doing all that inside about 18 months, I do wonder.
I can't begin to share your wonder, because while you may know what you've written, I haven't a clue what you mean (except the bit about 18 months). Which part of No have you reconsidered your understanding about?
Be glad. Or not.
Reconsideration, on the government's part, is what we need, actually. What's talked about is lots of abstract words to describe how "digital identity cards" would work.
So, you invent a system to "do identity". To do that, people don't own their own identity, a third party does, and it is provided them by that third party. So if Guv wants to know just who Alice is, then he'll ask Indiana to ascertain Alice's identity and give Guv the nod.
After that, Guv scratches his head and wonders why he even asked because that nod doesn't say squat. Instead, he'll ask Terrence to check whether freshly nodded-at Alice can be safely labeled with some certain attribute Guv wants to know about ("allowed to access this website", for example), and given the nod there, he can proceed.
All this so Guv can pretend he's not sitting on a copy of Alice's identity or has a do-access-list with her name on it. That's split out over Indiana and Terrence. Who are, of course, very likely commercial parties.
The thing is that Alice, being any random citizen, now has not merely to trust Guv, but Indiana and Terrence too, and pretty much do that without the benefits of the system just enacted. All this so Guv can be reasonably certain Alice isn't secretly Eve and trying to pull Guv's leg.
Note that in this model there are now several intermediaries much like in the PKI system, which is what makes SSL give such poor security bang for the buck. Not so much because the crypto doesn't work --that works reasonably well, as far as we know anyway--, but because the premises on which the trust in the system rests are, well, bunk. But it's good monies for Indiana and Terrence so Alice R. Citizen who gets to pay for all these "services" alone doesn't have the power to stop it.
Guy says that it isn't impossible to make a good, or at least acceptable, system on top of the abstract ideas the government is kicking around. We all know how likely it is they'll manage to get there, but it's what he's got so he's rolling with it, and answering them in comparably abstract language.
But since techies here already wonder just wth the bureaucrats are talking about, you can't really expect anyone else but a couple experts to get it, handily preventing mobs from rallying outside Whitehall to protest this. And so the bureaucrats and their "industry partners" can whittle away at the system undisturbed. Win-win, baby.
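The Guv, Indiana and Terrence flow described in this comment, as an added illustration that is not part of the original post: a relying party checks a signed identity assertion from an identity provider, then a signed attribute assertion from an attribute provider. The keys, subject names and helper names (`idp_assert`, `attr_assert`, `RelyingParty`) are constructed for the example; it shows the point about intermediaries, namely that the decision depends on trusting both providers' keys, and that an assertion under any other key, a provider missing from the trust store, or a stale assertion is rejected.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-provider HMAC secrets stand in for signing keys; a real
# scheme would use public-key signatures, but the trust dependency is the same.
IDP_KEY = b"indiana-secret"    # constructed: identity provider key
ATTR_KEY = b"terrence-secret"  # constructed: attribute provider key


def sign(payload: dict, key: bytes) -> dict:
    """Wrap a payload with an HMAC over its canonical JSON encoding."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(token: dict, key: bytes, now: int) -> Optional[dict]:
    """Return the payload only if the MAC matches and the token is unexpired."""
    body = json.dumps(token["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if (not hmac.compare_digest(expected, token["mac"])
            or token["payload"]["exp"] <= now):
        return None
    return token["payload"]


def idp_assert(subject: str, now: int, key: bytes = IDP_KEY) -> dict:
    """Indiana's nod: 'this is subject X', valid for five minutes."""
    return sign({"iss": "indiana", "sub": subject, "exp": now + 300}, key)


ATTRIBUTES = {"alice": {"can_access_site": True}}  # constructed registry


def attr_assert(subject: str, attribute: str, now: int,
                key: bytes = ATTR_KEY) -> dict:
    """Terrence's nod: 'subject X has (or lacks) attribute Y'."""
    value = ATTRIBUTES.get(subject, {}).get(attribute, False)
    return sign({"iss": "terrence", "sub": subject, "attr": attribute,
                 "value": value, "exp": now + 300}, key)


class RelyingParty:
    """Guv: keeps a trust store with one key per intermediary."""
    def __init__(self, trusted: dict):
        self.trusted = trusted

    def authorise(self, idp_token: dict, attr_token: dict,
                  attribute: str, now: int) -> bool:
        # Step 1: who is this? Only answerable if Indiana is trusted.
        idp_key = self.trusted.get("indiana")
        ident = verify(idp_token, idp_key, now) if idp_key else None
        if ident is None:
            return False
        # Step 2: may they do X? Only answerable if Terrence is trusted too.
        attr_key = self.trusted.get("terrence")
        attr = verify(attr_token, attr_key, now) if attr_key else None
        if attr is None:
            return False
        # Both nods must concern the same subject and the attribute asked for.
        return (attr["sub"] == ident["sub"]
                and attr["attr"] == attribute
                and attr["value"] is True)


def demo() -> dict:
    now = 1_700_000_000
    guv = RelyingParty({"indiana": IDP_KEY, "terrence": ATTR_KEY})
    ident = idp_assert("alice", now)
    attr = attr_assert("alice", "can_access_site", now)
    # A token claiming to be Terrence's but made under a key Guv never trusted.
    forged = sign({"iss": "terrence", "sub": "alice", "attr": "can_access_site",
                   "value": True, "exp": now + 300}, b"untrusted-secret")
    half_trust = RelyingParty({"indiana": IDP_KEY})  # Terrence not on file
    return {
        "legit": guv.authorise(ident, attr, "can_access_site", now),
        "forged_attr": guv.authorise(ident, forged, "can_access_site", now),
        "without_terrence": half_trust.authorise(ident, attr, "can_access_site", now),
        "expired": guv.authorise(ident, attr, "can_access_site", now + 300),
    }
```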
@AC 20th May 2011 09:10 GMT
I'm afraid that's about the size of it. Well described.
But if they start with pensions and social security as it appears the aim is, then the chances of generating some kind of mob are quite high - even if it is of PCS and UNISON members who've been assaulted after suggesting to clients that they have to get online identity verification through a bank before they can be assisted.
Warning from Scotland
In Scotland our Citizens Account links to something much bigger.
The Scottish surveillance scandal has recently been exposed by old school investigative journalist Kenneth Roy of the Scottish Review. I've been collating Kenneth's excellent articles and other recent coverage on the Big Brother Scotland thread mentioned in the above post.
All these systems are to be interoperable and it's not just me scaremongering. This is what open democracy has to say:
"In this two-part exposé, Kenneth Roy, editor of the Scottish Review, reveals the true nature of the long-awaited 'privacy principles' and the back-door introduction of a compulsory ID scheme for Scotland. In both cases, it is the liberties of children that are first on the line. In addition to the intrinsic importance of what happens in Scotland, there are two reasons why everyone across the UK should be alert to warnings of this kind. OurKingdom and openDemocracy played a big role in the 2009 Convention on Modern Liberty. This was a "wake up call" about the dangers of the database state. The evidence it brought together shows that there is a driving state-culture pushing for the penetration of information on citizens and central control of that information, while people are far too complacent and trusting about what this process is, which is being developed with minimal publicity. This is the first reason. Second, from the Poll Tax to the Scottish Constitutional Convention, in both bad ways and good, what happens in Scotland today can impact on what happens in London tomorrow. This is a warning!"
trust us, we know what we're doing
We're losing all your details at once.
This thing about "multiple logins"
Does anyone seriously complain about the number of physical keys (say, door keys) they have to use? For instance, for a lot of people to go out, they need to a) unlock the front door, b) lock it (same key, but new action), c) unlock the garage (different key), d) unlock the car (another key), e) start car (same key in most instances, but new action), f) lock garage (possibly after stopping car and removing key) etc. Add in other actions that may not use a physical key (e.g. home burglar alarm and car immobiliser/alarm) to taste. All these are time consuming actions that may be inconvenient, but how many people would seriously want one key for all those actions? Would the government mandate a "single key" scheme to make it easier for people to get access to their own stuff? Very unlikely, so why insist on one for other stuff that needs protection?
If there are people who want this sort of thing (the type of person that gets remote controls for garage doors, and has "smart keys" for their cars that open them before you get there), by all means give them the option. I, on the other hand, want my information hidden behind as many passwords, and distributed across as many servers, as possible.
This thing about multiple door keys
They open different doors - so I know that the square ones do the back of the house and the round ones do the front. The conservatory door looks very different to the front door, so it's not confusing.
However, I've had the opportunity to road test various bits of one click, and the common frustration of both us & the HMRC team trying to demonstrate it is the need to have different "personal" and "business" tax logins for otherwise identical screens in utterly indistinguishable (and undistinguished) bits of the system which are doing the same thing for the same person's data.
It's difficult to tell from the context which key you need to use, and none of us can come up with a good reason (in technology or tax law) why they need separate silos of information and processing for information/registration on the different taxes. It's like needing to put a different key into the same keyhole depending on whether you're going into the garage to get in the car or get the lawnmower out. And if it annoys a fairly IT literate tax professional, you can be sure as heck it'll irritate a normal tax payer/businessman trying to use the system (remember, they are often not IT literate and only use this system occasionally) - so they'll just write ALL the passwords on a post-it on the monitor.
That a reason to come up with a gigantic elaborate private/public mixup ecosystem platform project thing then?
Separate login and function and allow multiple functions to be accessible behind one login entrance, like, I dunno, multiple bank accounts in the same name accessible from your banking login. But limited to this one site, not a full blown SSO reinvention. Never mind the "identity provider" and so on theorising.
Or colour code the entrances. Different designs, and accessible from say business.taxman.gov.uk and private.taxman.gov.uk with clearly different website designs.
Both easily done and well-understood. Why instead the jump to fishkill?
The UK’s double standards around data protection and Human (Privacy) Rights
I attended the cabinet office briefing on eID Identity Assurance and blogged about it here.
Obviously anything with the word identity is a political hot potato in the UK after the new Tory-LibDem coalition government literally ‘crushed’ Labour’s National eID card scheme. I still wonder why apparently it’s one of the deadliest of privacy sins in the UK to suggest using the same unique identifier in one’s dealings with different government departments. Just rename NI Number to ‘Citizen Service Number’ like the practical Dutch did with their SOFI number and Bob’s your uncle. Isn’t this what governments have been happily practicing in Sweden and most other EU countries for decades? In the UK it seems this is a ‘no-go’ area because of the implied impact on citizen’s privacy. God forbid that someone in the DWP’s Child Support Agency could easily trace a deadbeat father in a HM Treasury system and find out that he can easily support his children after all. Or god forbid that someone claiming housing benefit from his local council could be found out actually owning six properties in the next town. That kind of joined-up government ‘just wouldn’t be cricket’ in the UK.
Personally the only exception I would make is using a different unique identifier for anything to do with the National Health Service, but that is a situation quite unique to Britain.
This is replacing the creeping National ID
The current DirectGov IDs that are being used to submit tax returns etc. were becoming by default the new national online ID. Gov owned them and controls them via one single point. Our data is supplied and associated with them and no one is complaining! The longer DirectGov ID runs and the more services are added to it = increased risk for privacy.
They propose a new scheme which breaks this up into a distributed model allowing us to pick as many IDs as we want from third party sources and people start complaining. Come on, you should start singing from the rafters that there has been one positive outcome from us running out of money, or perhaps I should be more charitable and say they care about choice and privacy. Either way the result is they are having to move to a model which will dramatically reduce our risk of snooping. If they do not go forward with this it will be far easier for them to spy on everything we do if DirectGov, Inland Rev etc. Time to start worrying this does not happen rather than it does. We need to get rid of the creeping DirectGov National ID scheme and replace it with user centric identity choice.