Midata
Trademarked already. You have to call it 'midata'. That lower case m is gonna make all the difference when they get sued.
The Cabinet Office's newly installed digital captain has robustly defended the department's plans to beef up an identity assurance scheme with the help of banks and internet companies. Mike Bracken, skirting over the fact that a new law will almost certainly be needed to be pushed through Parliament to make such a proposal a …
As the article says, the intention is to put identity assurance in the hands of a number of "trusted private sector identity service providers". Trusted? The CO might trust them, but I doubt if the rest of us do.
As a private citizen I distrust the likes of Google and Facebook - I know that both view me as simply a potential source of revenue. How, then, can I trust them to manage my identity information reliably (let alone securely).
As the blog says, "Identity assurance is a complex subject", so why do they persist in going down a route based on a simplistic approach that ignores the fundamental difference between what identity means to the likes of facebook and what it means to government departments.
Bollocks.
There's no way in hell I'm going to link my Google or Facebook account to anything that involves my meatspace identity, let alone a cash transaction.
This sort of talk astounds me every time I hear/read it (which is often). The only three UK organisations I'd trust (with varying degree) as identity providers are the General Register Office, Identity and Passport Service and the DVLA.
Anybody else, be it HSBC, Tesco, Facebook or BT could (in my view) only ever be seen as an attribute provider to an identity provided by one of the above.
Sure, the likes of Kim Cameron seem to think that a credit check agency like Experian is well placed to provide identity services, but there's no trust there either. They get things wrong, and identity is one of those that shouldn't have any margin for error.
The technology exists - we have identity selectors like the Higgins Project, SAML tokens* and WS-Federation to manage identity online, and U-Prove to deal with attribute provision. This shit is not that difficult to pull off, FFS.
* SAML protocol is useless, because it relies on the passive requestor profile. Which means that it only works within a browser - which means that a service cannot make use of it.
Just re-read my post and stopped counting the spelling mistakes. Anyways.
Pre-empting the inevitable:
Using a card selector like Higgins or CardSpace (now abandoned by Microsoft - why??) and technology like U-Prove the user retains complete control.
That means that I could order a bottle of Whiskey from an online shop - my identity would be verified by, say, the Home Office (identity provider), and my age by the DVLA (attribute provider).
I would then choose to withhold any identifying details from the online store, but be able to prove beyond doubt that I am over 18.
Neither the Home Office, nor the DVLA would be able to discover where I was shopping. The online store would never know who I am, even if they colluded with the identity provider and the attribute provider.
It's an awesome system.
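The exchange this comment describes, as an added example that is not part of the original thread: the user obtains an "over 18" token from an attribute provider through an RSA blind signature (standing in for the U-Prove mechanism) and presents it to an online shop, which can verify the claim without learning who the user is, while the provider never sees the token it signed. The identity-provider check is assumed to have already happened (a boolean passed to the provider), and the RSA parameters are textbook toy values constructed for illustration, not secure ones.

```python
# Added toy model of the selector/U-Prove style flow described above: blind
# signature issuance of an "over 18" credential, then verification by a shop.
import secrets
from math import gcd

# Attribute provider's key pair, dedicated to the single claim "over 18": the
# key itself encodes the claim, so a valid signature under it proves the claim
# while the token carries no identifying data. Textbook toy RSA (p=61, q=53),
# constructed for illustration only, NOT secure.
N, E, D = 3233, 17, 2753


def user_blind(token, n=N, e=E):
    """User side: choose a blinding factor r and hide the token from the issuer."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (token * pow(r, e, n)) % n, r


def provider_sign_blinded(blinded, identity_asserted, record_over_18, d=D, n=N):
    """Attribute provider (the DVLA in the comment): issues only after the
    identity provider has asserted who the user is and the record says over 18.
    It signs a blinded value, so it cannot recognise the token at the shop later."""
    if not identity_asserted:
        raise PermissionError("no identity assertion from the identity provider")
    if not record_over_18:
        raise PermissionError("record does not support the 'over 18' claim")
    return pow(blinded, d, n)


def user_unblind(blind_sig, r, n=N):
    # Strip the blinding factor: (m * r^e)^d * r^-1 == m^d (mod n)
    return (blind_sig * pow(r, -1, n)) % n


def shop_verify(token, sig, e=E, n=N):
    """Shop side: a valid signature under the 'over 18' key is all it checks;
    no name, date of birth or account identifier is ever presented."""
    return 0 < token < n and pow(sig, e, n) == token


def buy_whiskey(identity_asserted=True, record_over_18=True):
    token = secrets.randbelow(N - 1) + 1          # fresh per shop: unlinkable
    blinded, r = user_blind(token)
    blind_sig = provider_sign_blinded(blinded, identity_asserted, record_over_18)
    sig = user_unblind(blind_sig, r)
    return {"provider_saw": blinded, "shop_saw": (token, sig),
            "accepted": shop_verify(token, sig)}
```

Because the provider only ever sees the blinded value and each shop gets a fresh token, neither the provider nor colluding parties can match a purchase back to the issuance.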
If I *don't* have separate usernames and passwords for my online banking then I'm in breach of the terms of service.
I wonder who understands more about online security, a bank whose financial solvency probably depends on it, or a politician too stupid to wonder why commercial providers are actually interested in bidding for this sort of contract?
I was one of the original 10,000 people who signed up to pledge £10 to a new campaign called NO2ID, so I have a bit of a pathological hatred of anything like a national ID card.
However....I do work in IT in Local Government. Increasingly we want to provide services to citizens (that's you and me) via the Internet. Some of these services are sensitive, such as care packages where the citizen can choose how they want to spend the monies we allocate to them. We increasingly use partners (other organizations) to deliver services on our behalf. They will need access to our systems, including the ones that hold sensitive citizen data.
Confirming identity is therefore going to be a major issue for us. If there was a way for citizens to have a trustworthy identity that could be used by different organizations, safely and securely, then that, to me, would have benefits for both citizens and service providers. So please don't dismiss this out of hand.
My objection is not to the concept as such, but to the proposals for managing identity/providing identity assurance.
If an electronic identity is going to be used to access sensitive citizen data then the mechanism for managing that identity must satisfy very high standards. I would say that the standards should exceed those currently applied by the banks for on-line transactions - and so at least involve use of physical tokens for the login process. Creation of the identity itself should be a job for government organisations only - I tend to agree with 'Spearchucker Jones' above on that score.
The proposals to rely on the identity management of Google, Facebook etc. fall way short of these fundamental needs, hence my strong reaction.
Having posted 'Think of the possible benefits' I agree that Facebook and Google almost certainly don't have the necessary security. But I have been talking to some commercial organizations who do have some interesting citizen authentication solutions that seem secure, trustworthy and robust. I'll let those in Central Government go for the headlines, we in Local Government tend to be a bit more sensible and pragmatic.
Nice to see that sensible thinking is allowed to exist somewhere. I wonder what will happen down the line when the central government shitty solution is mandated across the country? Maybe if there is a big enough local take-up they will be added to the community of approved identity suppliers (along with Google, facebook, Twitter etc., no doubt).
It's not that people can't *see* the benefits.
It's that when government propose them the *approach* they use (curiously) *always* involves them acquiring a hugely *disproportionate* amount of data and the ability to track the people involved.
As other posters have pointed out, options exist that ensure the money/personal information/whatever is *only* supplied or shared with the right people and the confirming authority has *no* idea of what is being confirmed to whom.
And that's a problem for people who give a s**t about cradle-to-grave surveillance of their behavior.
I know he's been about 20,000 leagues under the sea since May 20, 2011 after he beat me out for that "job," but . . . forgotten him already?
http://mikebracken.com/
Oh, and wasn't his interview mantra: "all government websites to be seen through one porthole?" That would be just one UN/PW for back and forth grifting.
What's he on about?
Given the government and civil servants' penchant for destroying all privacy, ANYTHING the government is involved in is suspicious.
I don't trust passwords to anyone and my Will contains my password, which can only be decrypted with some very private knowledge, so my wife can clean out the accounts before the banks freeze the accounts post my death.
Common passwords are a very weak security defence as almost anyone knows, other than gullible nanny politicians. Their 'plan' is like coercive phishing on an industrial scale.
... since we just started to learn what breach of trust can do to PKI, I think I will wait until good patterns for handling system failure emerge. Give it 15 years, maybe 50 (or more?)
On the other hand, if identity systems NOT linked with private protected information were to gain gov. support, that /could/ be nice. Something to help me to link Google+, Facebook, various forums etc. together, but /away/ from my bank.
Ex-Guardian man Mike Bracken says on the GDS blog:
"The days of creating different user names and passwords for every new website are numbered, thank goodness. There is a strong desire to work collaboratively across the public and private sectors to develop solutions that meet users differing needs. That desire is international. The USA’s National Strategy for Trusted Identities in Cyberspace and the EU Project STORK pilots testify to the opportunities."
"Project STORK" in that quotation links to https://www.eid-stork.eu/ where you might expect to see a lot of opportunities testified to. Instead, what you find is this:
"The aim of the STORK project is to establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID."
But we don't have a "national eID", we Brits, do we. Is Mr Bracken suggesting that we should have a national electronic identity? If not, what is he suggesting?
----------
Many people won't know this, but the UK leg of Project STORK is the UK Government Gateway, the very system that the Cabinet Office want to get rid of. If they succeed, how will we Brits partake in any of the exciting opportunities which are testified to by Project STORK?
----------
Obviously that last point is otiose as far as regular ElReg aficionados are concerned. They will remember the article 'How much of the EU's data will the UK lose?', http://www.theregister.co.uk/2009/09/02/uk_eu_data_menace/
But does ex-Guardian man Mike Bracken realise how important the Government Gateway is for any Brit who wants to avail himself of the opportunity to set up a new business in, say, Greece?
And would you trust them *not* to excerpt it and misrepresent it in a damaging way?
And would you trust that their internal systems were strong enough to prevent crooked staff misusing their access authorities (like the 200 odd access requests by members of Merseyside Police for example)?
If reality TV has taught anyone *anything* it's that it's not just the *existence* of this information source, it's how it's edited and presented. A few out-of-context conversations, shown out of order and hey presto, I look like a genius, you look like an idiot.