Facebook and other social networks could be used by British citizens to sign into public services online, The Register has learned. A Cabinet Office spokeswoman confirmed to us this morning that the department was speaking to "a range of industry" about its ID assurance scheme, a prototype for which is expected in October this …
Who am I?
Only the UK government can be authoritative on that score (at least I hope it cares enough about who is who in this country to take that responsibility), so the quote "no data would be held by the government through the ID assurance scheme" seems a bit wrong.
Sure, the whole thing can be distributed, but if the IDs handled are to be trusted enough, they must be linked to a fundamental verified identity - which only UK Gov can define.
I'd be interested in how they plan to cover that without having a National ID scheme.
Re:Who am I
Indeed the concept of Facebook being able to genuinely ID anyone makes the whole story seem as if it was meant to contain enough buzzwords and phrases such that the Government's press release scores top result in Google. Has the Government started trying to collect Google ad revenues on its sites?
I know who I am
The UK government can make no claim to be authoritative on the score of my, or anyone else's identity. They do not own me, I am not a servant of their state. The government exists to provide certain services for the common good. My identity belongs to me, not to them.
re : "I know who I am"
I agree with you sentiments 100%. Perhaps I was a bit careless with my use of "authoritative". What I meant was that UKGov must be the sole authority for providing the means by which my identity as a British Citizen can be verified, where such is necessary, since it makes the rules governing who is/isn't a British citizen.
As you say, it doesn't define me and it doesn't own me ; but it does sometimes need to be sure who I am, and I need to be sure that no-one else can purport to be me in dealings with the government.
Where to start? The complete disinterest in user privacy on the part of FB, G et al? The fact that UK gov will somehow recognise users' electronic IDs from platforms where it's really easy to create multiple fake IDs? The huge potential for abuse on the part of both the government and giant corporations whose real clients are advertisers, not the users? The fact that criminals would be able to pick a platform of choice to spoof someone's ID to the gov? etc etc
I did have a moment where I thought: Well, that way the gov will force FB, G etc to bring their login & security standards up to scratch with online banking tokens offered by the banks.... and tghen I remembered this is UK gov + IT we're talking about, and I returned to sanity.
The same porous organisation that I wouldn't trust with my personal data even if I was impersonating a non existent person, with someone else entering the data on a PC that was switched off and disconnected from the Internet .
About as likely as a Marmite laser.
Incompetence, meet Evil.
What is an identity assurance service? And if it is what I think it is, a means for them to verify that you are actually who you say you are, then how does anyone expect a "market" for such services to work?
I can see how it might work (without reference to questions of security and / or privacy) to have a single outsourced supplier of such services. That is, a single organisation that is not part of the government to which the online public services refer questions of identity verification. However, a single supplier supplying services to a single (many-parted) consumer of such services does not constitute a market.
So, given that the single many-parted consumer doesn't change (except to get bigger and more centralised, that being the tendency of British governments), the only flexibility is to add multiple suppliers. That creates what is technically termed a monopsony, a single buyer buying from many suppliers, and usually creates a market with lower-than-natural prices (in the same sort of way that a monopoly usually features higher-than-natural prices).
However, we just know from the bitter lessons of experience that the reality would be different, notably that the corporate entities involved would (a) probably be foreign, (b) not be to blame for problems (unless the government wanted a scapegoat), and (c) charge a price more like the monopoly price.
And how does it work, anyway? Do you, the punters, (I can be left out of this, as I moved to France a couple of years ago. My only reason to look back is to see who is following me over.) get to choose your validation supplier? (Doesn't work, as questions beyond "what is your name, what is your quest, what is your favourite colour" might as well be written, "argle flargle".) Do we give all the suppliers full access to the data set? Something else?
All in all, I'd say I'm well out of it, being over here.
well out of it in france?!
UK govt and IT is a farce, no arguments there. Agree with everything you said.
But you have moved to France and think you have no more IT worries?
Sar - Coz - Eee
No No and Thrice no
I don't want no stinking facebook account than you very much. I'm fast approaching retirement and will probably need government services in a few years (Bus pass, pension etc) but as a victim of identity fraud (No darling I didn't spend $10,000hk on a certain type of hotel in Macao) I won't use any form of social networking in order to get services.
Scared of IT systems? Nope. I found my wife via the internet.
BB? you bet.
Who do I trust with my identification
Banks yes, Facebook no.
Most of whom use one of two credit reference agencies for verification of identity. Now then try reporting a problem to either of these two organisations?
The response is not as you might suspect 'Ah yes Mr Phobe, so you are telling us we are holding incorrect personal data about you, let us get on to that straight away', it is rather (having paid them as many £2 data request fees as they can get away with) 'Incorrect data, not our fault gov.... you need to contact the telephone company, food supplies company, wine supplies company, solicitors etc etc. They will then correct the records for you'.
This whole process takes about 6 months, lots of letters, phone calls etc etc basically to correct a credit reference agency committing a legalised form of libel. So no I wouldn't trust the banks at all. Mind 'Face book' as a verification agency OMG it is the middle of June not April the first.
Who do I trust with my identification
!Me: no. (and that **includes** banks, dammit!)
Re: credit reference agencies
I'm not really surprised that correcting the credit reference agencies (CRAs) records on you can be painful in practice; The ICO leaflet on such agencies suggests that fixing the problem at "source", i.e. the lender who "downvoted" you, will automagically fix your CRAs record as it filters through - which sounds reasonable, but if the lender screwed up & can't be bothered fixing the data - They're the ones libelling you
However, isn't one of the requirements of the Data Protection Act that the data any company holds on you must be accurate? So the onus is on the CRAs to correct the data if you dispute it, and in the meantime it should be flagged as "disputed". It may still be disclosed to companies asking for your record, but would make it easier to ask a new lender why they had turned you down & to review their decision.
I assume you are serious, but this point is really not appreciated widely enough. The requirement is to "authenticate the transaction" (http://www.schneier.com/essay-153.html) rather than "identify the person" and a deep understanding of the difference leads one to solutions that don't require shared ID at all. In fact, if you think you need an ID database, then you are probably in the middle of designing a broken system.
Not going to happen...
...I'm currently engaged in the public sector. All very keen to engage in social networking. So keen only LinkedIn is allowed through the proxy.
Not for profit
They've privatised most parts of the UK already
so now they are going to privatise our privacy?
"social networks could possibly be involved"
That ought to be a *very* low possibility and one that only happens in the unlikely event that a privacy directive actually offers real privacy and insists that companies cannot disclose personal information to any party other than the one that the user has specifically given it to.
Social networks are known privacy leaks and indeed most of them are set up for the specific purpose of invading privacy.
What comes to mind...
is "Bollocks". I've already started using Facebook with a different browser so that it is isolated from everything else I browse. No sending of cookies to Facebook because I'm reading some other site, they can live in a walled garden.
Meanwhile, we're all jumping up and down over here about the crazy idea, what are the government up to over in the shadow in the corner?
Face meet palm
Facebook? Just in case I've missed an important news story, is the government proposing to secure our personal information with the same foreign company that relentlessly infringes users' privacy and distributes their information far and wide? Or is there another Facebook out there.
Take a look at Francis Maud, does he look like the sort of person who has the vaguest clue he knows what he's talking about?
Forced to hand over personal details to advertisers (for that is what FB and Google are) in order to receive public services? I'd rather go without the services.
No f***king WWAAYY!!!
Believe me - this happens I am cancelling my account and going off grid!
Makes you think how much they are paying interim managers within the government to find this out! plus you cant even get on FB on the government intranet!
It's about time that you could use X509 certificates to log into the government gateway. The option has been there for a while but just plain doesn't work because both of the issuing authorities no longer offer the service.
Please kindly explain. Was that an argument for, or against?
I mean, "issuing authorities" no longer offering the service is a bit of a sign on the wall, not so? Also, why third parties, for who are the authorities here, really? The government usually reserves that for itself. Why even require a hierarchical system if you're not going to use it properly? Certain government agencies abroad allowed you to (securely) submit any certificate, even a self-signed one, for subsequent communication assurance use. And that does make sense. This, er, not so much.
Sincerely, confusedly confused.
Perhaps I'm missing something
"to prove identity when accessing any public services [via the internet]"
Why would I want to do that, then? The only reason to bother proving my identity to a government website is so that the subsequent actions can be legally binding. I'm not going to trust a social networking site with *that* authority.
Coming up next: green paper suggests that everyone signs over power of attorney to their local MP so that we can be governed more easily. No-one in parliament spots the obvious flaw because none of them have any legal expertise.
"No-one in parliament spots the obvious flaw because none of them have any legal expertise."
Nope, sorry a LOT of MPs are lawyers, Tony Blair (remember him ?) was one and look at the way he viewed the privacy of the public.
Re: Not so
I'm aware of their paper qualifications. I was speaking of the expertise demonstrated by their actions. Can you imagine any country solicitor suggesting that credentials that enable legally binding (on you) actions be stored on a foreign website run by someone with Zuckerberg's track record? Neither can I.
So what exactly happens to lawyers when they become MPs? Does it hurt? Are there videos?
Sorry, you've got the wrong friends
"We cannot connect you to any goverment department, as it has been noted that amongst your friends are - Labour Party, Tories are Tossas, Amnesty International, etc etc"
Re: you've got the wrong friends
And that's just the Lib Dems.
So, right back in the beginning....
How do these various trusted personal data agencies establish the authenticity of the applicants who would wish to use their services? This part is the absolute critical element of any identity verification system, particularly one that will eventually involve all government departments, both national and local. Unless the initial enrolment system is very robust indeed, the opportunity for fraud and criminal deception could potentially be enormous. Social security and pension payments alone run into billions of pounds a year and a half-baked registration regime could provide some lucrative earnings for the criminal masterminds out there. I hope I'm wrong about this, but this does seem like a " all eggs in one basket solution" that might well become ripe for exploitation.
Cabinet Office, Arees & Elbows
Why are the Cabinet Office talking to Facebook, when the originator and the IPR of TADAG is in the UK? A small component of TADAG spawned OpenID, now on a billion computers world-wide. Maybe they ought to think about sustainable architectures before they go dressing their shop window...?
It would appear that they have now lost the plot
They are totally off their trolleys
This looks like fun.
So, I go down the Darby and Joan club, chat up some old biddy, buy her a gin and get her to tell me her life story. Then I go home and create a Farcebook account for her (it's not likely she's got one, is it?). Now I go to pensions.gov.uk and ask to get her pension sent to me. ID check? Farcebook innit? Win.
This is such a ludicrous story that I wonder if it isn't being misreported.
Still, FB as "identity assurance service" - Hmm. It makes me even more suspicious of this alleged 'face recognition' system. In discussions on that, I pointed out that working face-recognition AI had yet to be demonstrated, but that the massive database of tagged face-shots that FB threatens to accumulate might make the problem solvable.
But to be an "identity assurance service" you don't actually _need_ the AI. Provided the fee is high enough, a human operator should be able to confirm your identity quite quickly from a current image, if she can instantly call up a number of images that have been tagged as you (even if some of them are actually pot plants, domestic pets, or celebrities). They can also add the new image to your portfolio, so that the more you use them, the better they get.
Have you ever thought 'Nobody could be that stupid' only to find that yes, indeed they could? Well, I think I've worked out what is happening. It's a quantum effect proportional to the size of the organisation, our distance from them and the number of us thinking the same thing.
I call it Neurological Unthinking Twaddle Syndrome.
So obviously, the more of us think that the government couldn't get any worse, the more likely it is for *exactly* that to happen. So please, stop now.
It's not even a bad plan if you care to look at it from their perspective.
Yes, this post is somewhat trollish, but humour me and just for a few moments forget just about everything you know about computers, computing, networking, and the internet.
Humour me. They're senior civil servants and really really like the status quo, and now there's this digital thing and they're on the short end of the divide and oh dear people are trying to communicating with them ovar teh intarwebz. Oh noes!
So who are those nasty people trying to talk to them then? Best find out. All the expensive consultant suit experts say you need identity management, and hey do they know identity. It's like passports, isn't it? But then come the problems:
They've burned themselves hard on ID cards.
But they (think they) need to hop on this "digital ID" bandwagon too, you know. Have to. No choice. Sooo... what better than to outsource all that, eh? Let someone else worry about the details. What do you say, my man?
I say, all sorts of upsides, old chap!
Like quick lead time. Easy roll-out. NO CULPABILITY. And so on. Fabulous!
Except that, say, requiring every citizen who wants to deal with the government "over teh intarwebz" to have a "fully verified" facebook account is its very own very special very short bus kind of very stupid.
Yes, you and I know just how stupid it is. But if you don't know that, it's not quite that bad. And they in fact do not know that. But they must do something. And this is something.
In fact, other than that, it's sheer brilliance. I dub this short bus brilliance, for short.
Profound Government stupidity
It looks like we are witnessing a truly unprecedented event in the history of government stupidity. Government & Facebook merging, our worse fears are coming true!
@Will Godfrey, "Have you ever thought 'Nobody could be that stupid' only to find that yes, indeed they could?"
It often takes an extreme case to test the boundaries of a current theory to create a new theory.
Will Godfrey, in honour of your discovery, we need a new SI unit to quantify stupidity and so I am extremely tempted to suggest we call it the Godfrey. :)
This helps explain a lot. For example, everyone suffers from time to time with milli-Godfreys (milli-Gods?), but it takes true dedication, only ever found in politics to achieve a pure reading of 1 Godfrey (or as they think of themselves, 1 God). Also this means organisations can be rated in multiple Godfreys and therefore the larger the organisation, the larger the Godfrey reading, which explains why corporations are so stupid and slow to react.
Which leads me to wonder what is a fatal dosage of Godfreys? How much Godfrey exposure can kill? This would also help explain why governments are so harmful to people's health and truly frightening levels of Godfrey are usually only ever attained during times of war, resulting in the deaths of potentially millions and then future generations are left to wonder what the madness of it all was for; only to, (all to often) end up suffering the same fate as their predecessors. :(
But even to a lesser degree an exposure of anything above about 0.1 Godfrey is enough to induce considerable stress in the victim, which is potentially fatal.
So how do we rate this government & Facebook news? We have many thousands in and behind government converging for the first time ever with 700 million people on Facebook. We could therefore be witnessing the formation of the first ever recorded Godfrey singularity of stupidity! An unprecedented event in the history of stupidity. Only time will tell what the half-life of this Godfrey singularity is, but if this continues for much longer, I fear for the survival of our species!. :(
(Disclaimer, as you can tell, I'm only half joking, but I thought humour was better than ranting with such dismay about such a blatant and jaw dropping example of government stupidity!).
It's all very well for Reg Readers (who are a self-selecting population that might be expected actually to understand something about identity management) to be unanimously opposed to the idea of using FaceBook as a trusted identity provider, but as we have seen all too often, that will be no impediment to ministers and those who brief them proposing schemes that they think will be eye-catching and show that they are "with it".
Many such issues are FAR too important to be left in the hands of ill-informed politicians. Informed public debate is desperately needed, but the very media through which such debate might be conducted is driven by vested interests, not least selling copy and advertising.
None of this is helped either by organisations opposing the more hare-brained proposals themselves often seeming to prefer publicity-friendly, exaggerated and sometimes also ill-informed scaremongering rather than rigorous, reasoned analysis.
As we create an ever more complex and interconnected society, how should we decide questions that require some understanding of difficult principles?
"Military Intelligence", "New and Improved", "The future is now", etc, etc, "Facebook... trusted"...
Say no more!
"Nobody could be that stupid..."
Never have I been so glad to have left the UK over 20 years ago
Salut! Steve..same here ;-)..it's like watching the Titanic go down, looking across the channel from France.
Being a self satisfied smug cretin despising all things British, just like your countrymen, seems to have well and truly rubbed off on you! At least our leaders don't just bend over the table, trousers round ankles at the first of a CEO of a media mega-corp coming in the room, like Mr Tea-Cosy or whatever your pres is called!
Ok so they are going to let a foreign based company check the identity of UK citizens . Not subject to UK laws. Look I'm an American and I love American but this is way beyond stupid. The see this borders on treason . You should always be critical of your government and hold them accountable . But how would UK citizens hold foreign government accountable ? What that guy is proposing is slowly giving away the sovereignty of UK. I take it back it does not border on treason it is treason.
This is already going on in British embassies and consulates around the world. Passport renewals and visa applications are handled by one of two companies: Worldbridge or VFS Global. Employees of these foreign companies will collect and process the application forms and photos of British citizens renewing their passports. The situation is similar for UK visa applicants, except that their fingerprints are also taken.
When my wife applied for a visa at the British consulate in Düsseldorf last year, we did not come into contact with any British staff, only local Worldbridge employees. Even the person conducting my wife's visa interview was German and complained that my wife spoke English and not German - in the British Consulate! I assume my wife's details (and my details that were on her UK visa application) are now stored in some database in the USA.
so let me get this straight
They want to let us associate our official identity with our online persona's, thus giving cyber ctiminals even *more* reasons to steal them. Combined with the fact that these private companies are outside UK control or sovereignity and we have a receipe for disaster!
The trouble with single sign-on systems...
When you consolidate sensitive data like this, it makes its exposure all the more damaging, should the system subsequently be compromised.
Imagine if Sony's network had been one authorised portal to such a service, and a custodian of the personally identifiable information necessary to access it, then consider what recently happened to its network.
No thanks, I'll just keep my accounts and passwords unique for everything I sign up for, whilst providing as little information (or as much false information) as possible.
What is it with the UK government and its obsession with consolidating its citizens' private data, then outsourcing it to foreign third-parties?
Will it be compatible
with Windows for Warships?
Our Christian Brothers
will no doubt find a way of using this to distribute everyone's late uncle's fortunes in an equitable way.
Once the Lads from Lagos have run a coach and horses through all this the guv will presumably be more prepared to deal with reality. In fact, the £millions OCB rob will be a bargain compared to the £billions that the standard procurement process would cost.
I got all worked up because stupidity seems to be contagious. Long time it use to be just because one country proposed some thing silly , it was not an excuse for others to follow. Now it seems like its either a me too effect or they politicians were waiting for some else to say it so they could propose it . I use to read the reg and it made me feel slightly better know that it's not only American politician doing ass backwards things. I use to get get upset when people here would jump on American for doing stupid things(like we were the only country to do so ) But now no matter the country I cry. It's like a domino affect. It matters not if its the UK or OZ or Canada or my home country . I see it all as an assault on my freedom becomes a global race to the bottom. I love my country byt things have gone so far south that I was thinking about leaving, but were can I go ?
Ok now that I've address the political ramification lets talk about the technical ramification. Short and simple are you freakin out of your mind . This guy should be bared for any job harder than flipping burger .
- Xmas Round-up Ten top tech toys to interface with a techie’s Christmas stocking
- Exploits no more! Firefox 26 blocks all Java plugins by default
- Xmas Round-up Ghosts of Christmas Past: Ten tech treats from yesteryear
- Review Hey Linux newbie: If you've never had a taste, try perfect Petra ... mmm, smells like Mint 16
- NSFW Oz couple get jiggy in pharmacy in 'banned' condom ad