Identity, Privacy and Trust

November 13, 2012  12:54 PM

DWP Announces First Identity Assurance Providers

Profile: tobystevens
dwp, GDS, HMRC, identity, Identity assurance, tScheme

The Department for Work & Pensions (DWP) has announced the first seven Identity Providers (IDPs) who will be eligible to provide consumer-facing services within the government’s new Identity Assurance Programme (IDAP). IDAP will be critical to the delivery of DWP’s flagship Universal Credit programme, so that individuals can engage with the Department online, by phone, and face-to-face, without the need to prove who they are every time they try to transact.

The selected IDPs include:

  • Cassidian
  • Digidentity
  • Experian
  • Ingeus
  • Mydex
  • Post Office
  • Verizon

Many of these bidders will be acting as prime bidders into the framework, with sub-contractors providing specific components of their solutions, and it is possible that their IDP services might be delivered under partners’ brands to ensure that they are attractive and recognisable for consumers.

The selected IDPs have not been awarded guaranteed IDAP work: at this stage they are on the framework for IDAP services, and will now need to compete within forthcoming call-off competitions which will fix the price to be paid by DWP for their services (DWP anticipates paying selected IDPs a fixed fee per registered customer per annum). Those IDPs who are able to deliver within the call-off will then develop their solutions in preparation for a test phase in August 2013, and the first pilot project in October 2013.

The IDPs also face the significant challenge of collaborating to form a delivery Scheme, which will provide the necessary contractual framework to ensure self-regulation and interoperability, and enable external certification of IDP services against defined standards through tScheme. The Scheme will also provide a shared branding (in much the same way that Visa or Mastercard do for payment cards) so that consumers can easily recognise a certified IDP service.

The selected IDPs represent the first tranche of providers, acting as pathfinders for a wider identity assurance market. Their exclusivity to deliver IDP services on behalf of DWP will last for just eighteen months (although DWP’s contracts are expected to run for four years), after which time DWP is able to bring further IDPs into the framework, most likely under the aegis of the Scheme developed by the first IDPs.

It is also anticipated that HMRC will come to market for IDP services in 2013, and the Revenue hosted a public consultation with potential IDPs over the summer. Whilst HMRC has committed to work within the overall IDAP approach, it is likely that they will require services not defined within the DWP framework (e.g. business identity assurance), and potentially wish to use a different incentivisation model from DWP, and for that reason it is widely expected that a fresh competition to select further IDPs will be held early next year.

Over the coming weeks we will be reporting on aspects of IDAP delivery which have until now been undefined or subject to confidentiality agreements; if you have specific questions about the programme please post them in the comments section and we will focus upon them in future pieces.

(Declaration of Interest: I have been supporting Post Office’s ID Assurance work)

(Edited 13/11/12 to amend an incorrect statement about provision of services in different delivery channels).

October 16, 2012  7:57 PM

How I learned to stop worrying and love identity assurance

Profile: tobystevens
GDS, ID CARD, identity, Identity assurance, liberty, privacy

The past week has seen a surge in media coverage of the government’s new Identity Assurance (IDA) programme, as the Department for Work & Pensions prepares to announce the first group of Identity Providers (IDPs) to be awarded services under their procurement framework. Those who know me will be aware that I played a minor role in trying to persuade the last government to change its plans for ID Cards, and that I became known as an opponent to that scheme; but for the past two years I’ve been engaged by the Post Office to support the shaping activities around the development of the Identity Assurance programme.

So what persuaded me that IDA is a good idea?

The National Identity Scheme was possibly one of the most ill-conceived and illiberal public sector programmes that the UK has ever seen. The government legislated an architecture that would create tens of thousands of endpoints, used by hundreds of thousands of users, all linked in to a central database that would provide a ‘deep truth’ on every person in the UK. Every interaction with the State would disappear into that melting pot, which would become a panopticon of our lives.

ID Card supporters promised that the scheme would defeat terrorism, stop illegal immigration, put an end to serious and organised crime and make our lives easier, but each of these objectives fell by the wayside as the project developed. They promised it would be hosted in a secure database but then had to fall back to distributing the data across three silos, none of which were designed for the purpose. They promised it would be secure, whilst simultaneously having to dismiss public servants by the dozen for misuse of existing data sources. They promised it would be accurate, yet needed to legislate compulsion that we would update our own records. They promised that carrying an ID Card would not be compulsory, whilst mandating registration and usage of that card.

Like many, the National Identity Scheme radicalised me. It provoked me into speaking out against the government, something which I had never considered before. As I worked with the likes of the London School of Economics, the Information Commissioner’s Office, and (oddly) the Identity & Passport Service, I believed I’d channelled my inner privacy advocate. But over time I came to realise that in fact my objections stemmed not from a civil liberties motive, but as a taxpayer: I was angry that the government was willing to pay something between £6bn and £17bn (depending upon who you believed) for a system designed to serve the needs of civil servants seeking a ‘deep truth’ about every individual in the UK, driven by a ‘gold standard of identity’. It was designed around their needs, not those of the public. 

The scheme was lunacy. It had to be stopped. And then in 2010, with the new government, it was. ID Cards went out, and the National Identity Scheme was literally put in a shredder. The ‘Intellectual Pygmies,’ as a former home secretary nicknamed the privacy advocates, had won the battle, and danced their victory dance.

[Image: The intellectual pygmies do their dance. They’re not pygmies, intellectually or physically.]

But nature abhors a vacuum, and without a clear strategy for population-scale ID, what would fill that space? The Coalition promised it wouldn’t be another National Identity Scheme. But politicians’ promises can’t, ahem, be treated as cast-iron guarantees. A vestigial tail of National Identity Cards still exists in the Foreign National Biometric Residence Permit, and some Opposition MPs still speak of their ambition to bring the scheme back from the dead. If those of us who care about privacy, and about how much tax we pay, wish to drive a stake through the heart of intrusive identity schemes, then we need to build something better to take its place. Something so good that nobody would throw it out. And that’s where Identity Assurance comes in.

Surprisingly, the genesis of IDA came from the same government that brought us ID Cards, when in 2008 HM Treasury published Sir James Crosby’s report on ID which recommended a federated, not centralised approach that flew in the face of the prevailing policies. Not surprisingly, the government hated it and did its level best to bury it, but it was the seed for the new IDA scheme. 

The IDA approach builds upon tried and tested principles which are already being hammered out by the likes of the Open Identity Exchange, working with a collective of experts, potential providers and pressure groups from the UK and overseas. The IDA programme differs from its predecessors in many ways, in that public bodies can’t be Identity Providers (IDPs) – IDPs will be exclusively private sector.

Users can have as few or as many credentials, with as few or many IDPs, as they wish. They can change providers, use credentials for different directed means, and hopefully we will have an environment where any of the cards in their wallet, or their phone, could be usable as a high-assurance credential to interact with government. If they choose not to use IDA then they won’t have to – it will augment, rather than replace, existing means of engagement. That said, if IDA is successful then it would make sense for government to scale back other authentication mechanisms if the public choose IDA instead.

IDA gives us an authentication environment that is anonymous, pseudonymous, distributed, and not subject to centralised control. Government doesn’t get to track our interactions, our movements, our dealings with our IDPs. The design is a truly user-centric approach which embodies the Government Digital Service (GDS) mantra of “What is the user need?” by treating the users as the end customer, rather than the civil servants. 

It’s also a risk-driven strategy that ditches the traditional ‘deep truth’ about each citizen; instead, relying parties must determine transactional risk, and hence what level of identity assurance they need for any transaction. Simple services such as a request for information about local authority benefits might be achieved using lower levels of assurance from social login (the much-speculated ‘Facebook’ ID), whereas payout of those benefits might require the higher levels of assurance provided by a face-to-face verification of the user and their proofs of identity. That’s a really big change for government, and I suspect that many public authorities will struggle to grasp the idea that they don’t need gold-plated identities and attributes to support low-risk interactions.

Under the IDA approach we, the users, are treated as the single source of truth about ourselves. We get to review and update our data. We store it where we want, with whom we choose, and can even delete it if we wish. We can become our own Data Controllers (and it is hoped that in the future the Data Protection Act might be amended to support just that scenario).

And GDS’ adoption of the fresh approach to privacy is more than skin-deep: rather than putting their hands over their ears and saying ‘la la la’ whenever the word ‘privacy’ is mentioned (as some other government departments were accustomed to doing), GDS created the snappily-named Identity Assurance Programme Privacy and Consumer Advisory Group, which comprises a range of privacy advocates and technology experts who have developed the principles which will dictate the privacy approach for IDA. GDS are also working to ensure that the approach aligns with Kim Cameron’s Laws of Identity. 

So where does the IDA journey take us? The logical endpoint is an environment in which minimal disclosure proof of attributes is the norm; that is, that we are able to prove something about ourselves without revealing any other information (Dave Birch uses the great analogy of ‘Psychic ID’). Relying parties get to see nothing more than information that is essential to validate our entitlement for the service we request. If – and I know that’s a BIG if – we can hold true to the system principles and deliver pervasive identity assurance, we could create an environment where it is normal to assert attributes without even identifying ourselves.

There’s no promise this will work. Sure, the technology is tried and tested, but the commercial and policy challenges are huge, and there is still much to be done – hammering out the contracts, legislation changes and cross-government policies is a job that has only just begun. But in an environment where we lack any trusted population-scale online authentication mechanism, IDA is better than all the other options, and I’d rather we run the risk of failure because our ambitions are too lofty, than because they are too low. If IDA can deliver on its promises, then we might just create an environment where the prevailing identity mechanism protects – rather than degrades – our privacy.

And that’s why I support IDA.

(This article is based upon a flash talk I gave at the RSA Conference Europe 2012).

(Declaration of Interest: I have been supporting the Post Office’s work on IDA).

October 15, 2012  2:22 PM

Proof of age comes of age

Profile: tobystevens
alcohol, bath, identity, Licensing, privacy, touch2id

It’s October, the time of year when another intake of students are released from school into the adult world of university, and fill the pubs and clubs of university towns. These establishments are legally bound to verify that their customers are old enough to enter, and risk losing their license for failure to do so. Under ‘Challenge 25’ guidelines (in Scotland these are legal requirements), licensees are expected to verify the age of any customer who appears to be 25 years old or younger. In practice, Home Office guidelines mean that to date the only ‘acceptable’ proofs of age young people have been either a passport, a driving licence, or a PASS card.

However, passports and driving licences are far from ideal; from the licensee’s perspective, their staff have to confirm that the photo matches the bearer, and that the date of birth is old enough, and this often has to happen in a noisy, poorly-lit environment. The PASS card removes the need to confirm the date of birth, but has long been subject to criticism that it is vulnerable to forgery (although PASS assert that no fakes have been found), is not accepted everywhere, and certainly suffers from potential transferability between holders, particularly if licensees fail to check the details properly.

From the young person’s perspective, passports and driving licences can be a real problem. Many young people don’t drive or have a passport, but end up having to buy one just to be able to go out with their friends. Passports and driving licences are easily lost or damaged, resulting in a risk of identity-related fraud, potential safety concerns, and a nasty bill to obtain a replacement (a new passport costs £72.50). Young women can be particularly vulnerable if they have to carry and offer proof of ID that includes their name and home address, and in discussion with the NUS in Northern Ireland a few years ago I heard anecdotal stories of students being attacked after unwittingly offering up proof of ID that identified them as living in a predominantly Protestant/Catholic area.

This is a societal problem whose current solutions fail to properly address the needs of any of the stakeholders. Indeed, ACPO advises against carrying valuable ID such as passports for alcohol-related purchases. Yet the Home Office now acknowledges that the problem of fake ID is in fact dwarfed by genuine ID being passed down, or sold on when expired, which ends up as a valuable commodity doing the rounds amongst the underage. 

It’s therefore been fascinating to be part of a new initiative that seeks to address proof of age using a Privacy by Design approach to biometric technologies. Touch2id is an anonymous proof of age system that uses fingerprint biometrics and NFC to allow young people to prove that they are 18 years or over at licensed premises (e.g. bars, clubs).

The principle is simple: a young person brings their proof of age document (Home Office rules stipulate this must be a passport or driving licence) to a participating Post Office branch. The Post Office staff member checks the document using a scanner, and confirms that the young person is the bearer. They then capture a fingerprint from the customer, which is converted into a hash and used to encrypt the customer’s date of birth on a small NFC sticker, which can be affixed to the back of a phone or wallet. No personal record of the customer’s details, document or fingerprint is retained either on the touch2id enrolment system or in the NFC sticker – the service is completely anonymous.

At the licensed establishment, the staff member has a handheld reader which comprises a fingerprint scanner, NFC reader and red/green indicator lights. The customer presents their sticker and places their finger on the reader; the scanner generates a hash from the fingerprint, uses it to unlock the date of birth, and then provides a red/green light to the operator to indicate success or failure. Again, no record of the transaction is retained (beyond statistical data so that the licensee can prove how many checks were done and at what times), and in the event of a failure the operator is not told the reason. Privacy is preserved at all stages of the process.
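The two halves of that flow, enrolment and the red/green check, as an added toy model; this is illustrative code written for this page, not touch2id’s or Post Office’s software. It assumes a fingerprint can be reduced to a reproducible byte template (constructed bytes here; real scans differ bit-for-bit between presentations, so a deployed system needs a stable template or fuzzy extractor before hashing), uses HMAC-SHA256 from the standard library as a stand-in for a proper authenticated cipher, and checks only the 18-or-over threshold. The enrolment side returns nothing but the sticker payload, and the reader side returns only pass/fail, matching the page’s description that no personal record is kept and the operator is not told why a check failed.

```python
"""Toy model of the touch2id enrolment/verification flow described above.
Illustrative only; not the real system's code. Constructed template bytes
stand in for a fingerprint, and HMAC-SHA256 stands in for a real AEAD."""
import hashlib
import hmac
import os
from datetime import date
from typing import Tuple

AGE_THRESHOLD = 18  # the "18 years or over" rule from the article


def derive_keys(template: bytes) -> Tuple[bytes, bytes]:
    """Hash the biometric template into separate encryption and MAC keys.
    The template itself is never stored; only these derived keys are used."""
    root = hashlib.sha256(b"touch2id-demo-v1" + template).digest()
    k_enc = hmac.new(root, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(root, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def seal_dob(template: bytes, dob: date, nonce: bytes = b"") -> bytes:
    """Enrolment: build the sticker payload = nonce || ciphertext || tag.
    Encrypt-then-MAC with a keystream derived from (k_enc, nonce).
    Nothing about the customer is retained by the enroller."""
    k_enc, k_mac = derive_keys(template)
    nonce = nonce or os.urandom(16)
    plain = dob.isoformat().encode()  # 10 bytes, e.g. b"1993-05-20"
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()[: len(plain)]
    cipher = bytes(p ^ s for p, s in zip(plain, stream))
    tag = hmac.new(k_mac, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def check_age(template: bytes, sticker: bytes, today: date) -> bool:
    """Reader: True (green light) only if the tag verifies under the key
    derived from the presented finger AND the unsealed date of birth meets
    the threshold. Wrong finger, tampered sticker and under-age all yield
    False with no reason given, mirroring the operator's red light."""
    k_enc, k_mac = derive_keys(template)
    nonce, cipher, tag = sticker[:16], sticker[16:-32], sticker[-32:]
    expected = hmac.new(k_mac, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    stream = hmac.new(k_enc, nonce, hashlib.sha256).digest()[: len(cipher)]
    try:
        dob = date.fromisoformat(bytes(c ^ s for c, s in zip(cipher, stream)).decode())
    except ValueError:
        return False
    try:
        birthday = dob.replace(year=dob.year + AGE_THRESHOLD)
    except ValueError:  # 29 February birthdays: count 1 March as the birthday
        birthday = date(dob.year + AGE_THRESHOLD, 3, 1)
    return today >= birthday


if __name__ == "__main__":
    # Constructed sample: one customer's template, enrolled in the branch.
    finger = b"constructed-template-A"
    sticker = seal_dob(finger, date(1993, 5, 20))
    print("green" if check_age(finger, sticker, date(2012, 10, 15)) else "red")
    # Someone else presenting the stolen sticker: their finger derives a
    # different key, the tag fails, and the reader just shows red.
    print("green" if check_age(b"someone-else", sticker, date(2012, 10, 15)) else "red")
```

The design point worth noticing is that the sticker is useless without the finger that created it, which is why a stolen sticker is not the same problem as a passed-on passport; the weak link in a real deployment is the stability and entropy of the fingerprint-derived key, not the NFC medium.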

Touch2id is working with the licensing authorities in Bath and Trowbridge to roll out the service (the launch needs to be regional to ensure that a critical mass of stickers and readers exist in a given area). I was invited down to the Bath University Fresher’s Fair to help to promote the service to the new intake, and to get a first-hand feel for their reactions to biometric ID. Clearly the audience was subjective – we only got to speak with students who were interested in the service – but the response was overwhelmingly positive. In approximate order of popularity, their reactions were:

  • “Oh wow, a free USB memory card, how big is it?” (these are students we’re talking about, so always quick to spot a freebie);
  • “Does that mean I don’t need to carry my passport around?” (correct!);
  • “Can I use it in all the pubs in town?” (not all of them yet, but nearly all);
  • “Where can I get it?” (participating local Post Offices);
  • “Can I use it in the campus library?” (no, but not through any limitation of the technology);
  • “Do you get to store my fingerprints?” (no);
  • “What happens if I lose it?” (if you get a spare sticker then you’ll have a backup, otherwise you have to re-enrol from scratch);
  • “What happens if someone steals my sticker?” (some of these students were very hung over so it took a few seconds for the coin to drop that the biometric credential is non-transferable).


What we didn’t hear – and this surprised me – was any adverse reaction. A few students were initially sceptical, but after asking a few of the above questions, they were quickly won over. I had anticipated vocal objections to the very concept of a fingerprint proof of attributes scheme, but that simply didn’t happen. This might be because some have become accustomed to fingerprints in schools, but I suspect it is much more likely that they see clear value in the proposition, without any risk for themselves – unlike other ID schemes touch2id is built around user needs rather than an underlying desire to amass data.

We were fortunate enough to have coverage from a regional ITV News team, who also interviewed Don Foster MP – he’s been very supportive of the programme. You can see their footage here.


What next for touch2id? The team is hoping to expand the West of England coverage, and kick off another region elsewhere in the UK. I’m hoping we’ll see the same minimal-disclosure proof of attributes ideas brought into play in other ID arenas – including the government’s new Identity Assurance programme – but more on that shortly… 

Declaration of interest: One of my duties for Post Office Ltd is to provide support for the roll out of touch2id.

May 14, 2012  5:20 PM

HM Government Loses its Identity

Profile: tobystevens
department, government, identity, logo

The government has done something very clever, and people seem not to have noticed. With very little fanfare, it was announced last week that all government departments will share a common logo, that of the Crown, with minimal rights to vary colours and fonts. No more huge rebranding exercises, no more bizarre departmental logos, perhaps even an end to the merry-go-round of renaming exercises that the last administration so enjoyed (I imagine that the DTI BERR BIS will be very pleased to hear that).

This change was apparently driven by Martha Lane-Fox’s report, and it achieves much more than just saving money on branding consultants (although that’s a worthy aim in itself); it creates an environment in which some of the alleged inter-departmental warfare famously lampooned in numerous political satires is potentially defused, since those departments are less characterised by their branding; it creates a common bond through a shared identity; and most importantly, it is an important step towards proper consumer-centricity in service delivery. After all, do individuals care from which public authority a particular service originates? No. Do they wish to deal with multiple departments to obtain those services? No. Do they have any choice in which authority provides those services? No. So why bother wasting money on promoting the brands of particular departments?

The move aligns nicely with GDS’ plans to deliver a single website for government. What would be welcome now would be a similar edict applied to regional authorities, so that we no longer waste money on branding individual NHS or police authorities, or local government bodies. 

April 18, 2012  8:21 AM

CCDP: It’s not what you know, it’s who you know

Profile: tobystevens
CCDP, identity cards, interception, liberties, No2ID, privacy, Surveillance

The dust has temporarily settled a little on the Home Office’s announcement of the Communications Capabilities Development Programme (CCDP), and doubtless some Ministers are now licking their wounds whilst others sharpen weapons in preparation for the fight that lies ahead when the legislation appears before Parliament. That the Coalition could countenance such an illiberal and disproportionate dismantling of privacy rights came as a shock; that they almost immediately fell into the same traps as the last government whilst they tried to justify their arguments was risible.

So what’s all the fuss about? CCDP is the logical successor to the last government’s abandoned Interception Modernisation Programme, which was intended to create a central database of all telephone and Internet communications traffic. In its new guise, the plan will force Communications Service Providers (CSPs) to maintain their own databases of communications metadata: storing details of all communications over their networks, but not the actual content of the communications. Government bodies will have access to communications metadata under statutory powers, but will not be able to access the actual contents of the communications without first obtaining a warrant to do so. The excellent ORG wiki has a wealth of information about CCDP.

The Coalition has been at pains to play down the significance of the strategy, which is championed by the Home Office, and has been lurking around for some months now, but was thrust into the spotlight by articles in the Telegraph and the Sunday Times. Prime Minister David Cameron assured Parliament that “we have made good progress on rolling back state intrusion in terms of getting rid of ID cards and in terms of the right to enter a person’s home. We are not considering a central Government database to store all communications information, and we shall be working with the Information Commissioner’s Office on anything we do in that area.” The Prime Minister’s reassurance should make everything OK. After all, the government’s only asking for communications metadata, and doesn’t want to store it centrally; and the ICO will ensure that things happen by the book. Isn’t that a reasonable and proportionate requirement in the Internet age? Absolutely not.

Let’s debunk the facile arguments about centralisation and oversight. The government does not want, nor need, a central communications database in order to monitor our lives, and in fact that would make the job harder: rather than wanting one giant haystack in which to find a particular needle, the Home Office plans to create many smaller, more manageable haystacks, the costs of which can be forced upon the CSPs, together with associated delivery challenges, so that there’s a much smaller risk of the implementation failing. In the federated world, there’s no point in having a centralised database, when multiple sources can be accessed as easily (or even more easily) than one central one. As for oversight, that’s a hollow reassurance given the ICO’s impotence at dealing with the most basic threats to privacy and liberties caused by central government departments and major corporations. The Commissioner doesn’t have a fraction of the resources required to apply even a veneer of control over public servants’ use of CCDP data, and any claim of governance from his office is clearly meaningless.

But the most worrying aspect of CCDP is the mandatory interception of communications metadata. That metadata can provide a richer and deeper insight into an individual’s life than any amount of communications content. Simply by analysing the times, sources and destinations, geographic locations, devices and contexts of an individual’s communications – as well as taking into account things that they don’t do – a wealth of information can be obtained. At a glance, a public servant who has not had to obtain a warrant or apply to a court, will be able to find out where you live and work, with whom you correspond, what your financial, health, sexual, religious, political or professional interests might be, your day to day movements, and from these, your likely intentions.

Consider Google’s interest in your online activity: the search giant is actively trying to drop personal data about users because it doesn’t need it; what Google is after is not to know who you are, but what you are about to do. If it can accurately predict that, then it can intercept your plans and try to modify them with paid-for advertising. That’s how Google makes money. Social networks are very similar. LinkedIn, for example, will allow you to post and browse to your heart’s content for free, because it’s exploiting that behaviour on behalf of paying advertisers. If you want to see who’s looking at your profile then you have to pay hard cash to do so. So the real value in online activity is not in the content, but in the communications metadata, and that’s what the Home Office is now seeking: they don’t want to mine what you know, they want to mine who you know. Without recourse to the courts, or meaningful oversight mechanisms. Without any form of opt-out mechanism or user transparency.

Fortunately, storm clouds are gathering over CCDP. Sir Tim Berners-Lee has spoken out about the scheme, saying that “The idea that we should routinely record information about people is obviously very dangerous…” Civil liberties groups will be meeting at the London School of Economics on Thursday 19th April to discuss how best to fight the plans, in a revival of the ‘Scrambling for Safety’ events which were last held in the fight against the National Identity Scheme. The likes of NO2ID and 38 Degrees are pushing politicians to drop the draft legislation before it even reaches Parliament. But if this idea is to be stopped in its tracks, it will require the sort of popular protest that killed ID Cards and must now be brought to bear on CCDP. As the greatest living Englishman says in his Guardian interview:

”The amount of control you have over somebody if you can monitor internet activity is amazing… You get to know every detail, you get to know, in a way, more intimate details about their life than any person that they talk to because often people will confide in the internet as they find their way through medical websites … or as an adolescent finds their way through a website about homosexuality, wondering what they are and whether they should talk to people about it.”

April 3, 2012  8:00 PM

Rolling Out the Surveillance State

Profile: tobystevens

When the Coalition came to power, there was a clear manifesto promise to “roll back the surveillance state,” including abandoning the much-hated National Identity Scheme and Contactpoint database, and applying much tighter controls to interception of private communications.

This week’s announcement of the new Communications Capabilities Development Programme by the Home Office appears to fly in the face of that commitment. Home Secretary Theresa May has already started shuffling through the same weak excuses that the last government used to justify ID cards – we’ve seen ‘prevention of terrorism’ and within a day have got to ‘protection of children.’ At this rate we should reach ‘control of immigration’ by teatime tomorrow.

The inevitable and justifiable outrage in conventional and social media has already covered pretty much every angle, but I thought it appropriate to dig up a piece I wrote here shortly before the last government left office, when we had heard the old canard “if you have nothing to hide, you have nothing to fear” trotted out by a range of Ministers and government spokespeople. The Home Secretary has just resorted to that last bastion of the desperate illiberal trying to justify an unnecessary attack on civil liberties, and it’s time to remember:

“‘Nothing to hide, nothing to fear’ is a myth, a fallacy, a trojan horse wheeled out by those who can’t justify their surveillance schemes, databases and privacy invasions. It is an argument that insults intelligent individuals and disregards the reality of building and operating an IT system, a business or even a government.”

March 30, 2012  4:00 PM

The Great Liability Sinkhole

Profile: tobystevens
identity, kyc, liability, risk

Building identity management systems is a doddle, it really is. All you’ve got to do is to knock up a web interface with a database behind it, offer a store for trusted attribute data, tie the lot to a federation standard like OpenID, market to the target user base and wait for the money to come flowing in. Simples.

Oh hang on, that’s wrong, I think I may have dreamed that last bit – building identity management systems is very difficult indeed. The problem is there are still a lot of dreamers out there, and in consequence we see some good, some bad and some downright ugly identity management systems out on the interwebs. I was reminded of this as I examined a service recently – let’s call them Yaoids (Yet Another Online ID Service). Like many similar offerings, Yaoids claims to be able to protect every aspect of my modern lifestyle by helping me to prove who I am online (we’ll overlook the fact that I rarely feel the need to prove who I am, I already know who I am; what I want to know is who the hell I’m talking to online, and to have assurance that they’re not going to talk to anyone else purporting to be me. Top tip for the sales people there).

Like any similar identity service, Yaoids has to overcome a number of challenges, including registering users in a trusted way so that the market can be confident that Yaoids’ users are who they claim to be; and maintaining that trust level so that when things go wrong (which sooner or later they always do) then the users don’t ditch the service.

These challenges are potentially huge for any provider, and in the majority of cases prove insurmountable. PayPal is an example of a company that has tackled them very well indeed: whilst it has a number of registration mechanisms, for the majority of users, they need to already be in possession of a credit card to obtain service, and PayPal runs a couple of small transactions, with refunds, to confirm the details, and hence that there must be an issuer’s KYC check. PayPal has made it easy for service providers to integrate the platform, particularly through its X sandbox environment. Genius.

Yaoids, on the other hand, has attempted to achieve the same outcomes through slightly different means. The service also rides on the back of another company’s registration efforts (which isn’t a bad thing), but in this case it’s an online bank account: the customer provides their e-banking details, and Yaoids uses a third-party service to log in on their behalf to check the account is real, and that therefore someone must have conducted a KYC check on the user.

Have you spotted the problem yet? If not, then I’d like to introduce you to a mate of mine in Lagos who’d appreciate your help in transferring some funds from the estate of a deceased dictator out of the country, because I think you two would hit it off just fine.

Because PayPal uses a credit card transaction to build and maintain trust, the customer is assured that if anything goes wrong they are protected by consumer credit legislation, which generally falls in favour of the customer. If their PayPal account is hacked or phished, then the liability for the loss is transferred onto the card issuer. Of course the credit card companies don’t like that, but because PayPal has been so effective at encouraging adoption, they’ve got little choice but to play along.

But Yaoids has instead left the customer at the mercy of banking regulations, and that’s a very different liability story. If you’ve signed up for Yaoids’ service, and my mate in Lagos has somehow emptied your bank account (oops, given the game away there) by some or other unrelated means, then regardless of whether or not the Yaoids service was compromised, you’re going to have a very difficult conversation with the bank:

“Hello, this is the Grabbit & Run Online Banking fraud department, how may I help you?”

“My online service has been used to transfer all the funds from my account to Toby’s mate in Lagos, I’d like it back please.”

“Oh we’re so sorry to hear that. Have you shared your online credentials with anyone?”

“No, of course not. Oh, except with Yaoids, who passed it on to their registration subcontractor, but they’re all lovely trustworthy people.”

“That’s as maybe sir, but Grabbit & Run’s online banking policies make it clear that we will not repay funds to customers who have handed their online banking credentials to a third party. Sorry sir but we cannot pay you back. Have a nice day. You muppet.” <click> <beeeeeeeeep>

And there you go. Out of pocket, out of luck, and left with little choice but to resort to being patronised by the Watchdog team as they interview you about how hard done by you are, blaming Yaoids because that must have been the source of the loss, whether or not Yaoids did anything wrong at all. Yaoids customers then turn and flee, revenues dry up and the service closes.

What Yaoids have created here is a sinkhole for transaction liability: they’ve sidestepped the very necessary and often expensive step of building a trusted customer relationship, and there is now a mountain of commercial liability being swallowed into a sinkhole, and sooner or later that toxic liability will come pouring out in an unexpected place, destroying customer confidence and taking Yaoids – and its customers – with it.

Not in my back yard

This sort of problem isn’t confined to Yaoids: most KYC checks want a passport as the document of choice, and there’s nothing in the front cover which says:

“Her Britannic Majesty’s Secretary of State requests and requires in the Name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance and to afford the bearer such assistance and protection as may be necessary … oh, and she’ll see you right if this passport turns out to be dodgy.”

It’s only society’s conventions and habits which render the passport a trusted document for proof of ID outside of border control use cases. The doomed National Identity Scheme expected businesses to rely on ID Cards as their credential of choice, yet made it clear that no liability would be accepted for fraud or error, and that was a key factor in the total lack of interest from UK plc in that scheme (with the exception of those major IT providers who stood to profit).

It’s this registration and liability conundrum that the Cross-Government Identity Assurance Scheme is intended to address at the root of its proposition, and at the moment there’s every indication that it might just work. By federating existing trust relationships under trust schemes, the identity assurance approach should allow users to reuse their existing credentials – such as online banking – without liability issues, because there is no inappropriate third party, such as an independent commercial identity provider, involved in the relationship. There is no requirement to reveal banking passwords because the bank becomes the identity provider.
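The two registration patterns contrasted in this post, side by side as an added example that is not part of the original post: a bank that has run the KYC check, a Yaoids-style service that collects the customer’s e-banking login and uses it on their behalf, and a relying party in the federated model of the last paragraph that accepts a signed statement from the bank instead. The bank name, the user and the “benefits-portal” relying party are constructed; a single symmetric scheme key shared by the bank and certified relying parties is assumed in place of the bank’s signing key pair.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed names for the example; "Yaoids" is the post's placeholder online ID service.
BANK_NAME = "Grabbit & Run"
# Assumption: a symmetric key shared by the bank and the scheme's certified relying parties
# stands in for the bank's signing key pair (a real scheme verifies with the bank's public key).
SCHEME_KEY = secrets.token_bytes(32)


def _sign(claims, key):
    return hmac.new(key, json.dumps(claims, sort_keys=True).encode(), "sha256").hexdigest()


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Bank:
    """The customer's bank: it ran the KYC check, holds the credentials and can vouch for the user."""
    def __init__(self, signing_key):
        self._key, self._accounts = signing_key, {}

    def open_account(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        if username not in self._accounts:
            return False
        salt, stored = self._accounts[username]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def issue_assertion(self, username, password, audience, ttl=300):
        """Federated pattern: the user logs in at the bank itself and the bank returns a signed
        statement addressed to one relying party. The password never leaves the bank."""
        if not self.login(username, password):
            return None
        claims = {
            "iss": BANK_NAME,
            "aud": audience,
            # pairwise pseudonym: a different subject id for every relying party
            "sub": hashlib.sha256(f"{audience}:{username}".encode()).hexdigest()[:16],
            "kyc_verified": True,
            "exp": int(time.time()) + ttl,
        }
        return {"claims": claims, "sig": _sign(claims, self._key)}


class CredentialSharingService:
    """The Yaoids pattern: collect the customer's e-banking login and log in on their behalf."""
    def __init__(self, bank):
        self._bank, self.stored_credentials = bank, {}

    def register(self, username, password):
        if not self._bank.login(username, password):
            return False
        self.stored_credentials[username] = password  # a third party now holds the banking password
        return True


class FederatedRelyingParty:
    """A service that accepts the bank's assertion instead of the customer's banking credentials."""
    def __init__(self, name, scheme_key):
        self.name, self._key = name, scheme_key

    def accept(self, assertion, now=None):
        """Return the pseudonymous subject if the assertion is genuine, addressed to us and unexpired."""
        claims = assertion["claims"]
        if not hmac.compare_digest(_sign(claims, self._key), assertion["sig"]):
            return None  # forged, or altered after signing
        if claims["aud"] != self.name:
            return None  # issued for another service; cannot be replayed here
        now = int(time.time()) if now is None else now
        if now >= claims["exp"] or not claims.get("kyc_verified"):
            return None
        return claims["sub"]


def demo():
    """Run both registration patterns against the same constructed bank account."""
    password = "correct horse battery staple"
    bank = Bank(SCHEME_KEY)
    bank.open_account("alice", password)
    yaoids = CredentialSharingService(bank)
    yaoids.register("alice", password)
    portal = FederatedRelyingParty("benefits-portal", SCHEME_KEY)
    assertion = bank.issue_assertion("alice", password, portal.name)
    tampered = {"claims": dict(assertion["claims"], sub="someone-else"), "sig": assertion["sig"]}
    return {
        "yaoids_holds_password": yaoids.stored_credentials.get("alice") == password,
        "federated_subject": portal.accept(assertion),
        "tampered_rejected": portal.accept(tampered) is None,
        "replay_elsewhere_rejected": FederatedRelyingParty("other-site", SCHEME_KEY).accept(assertion) is None,
        "expired_rejected": portal.accept(assertion, now=assertion["claims"]["exp"]) is None,
        "wrong_password_no_assertion": bank.issue_assertion("alice", "wrong", portal.name) is None,
    }
```

The relying party in the federated flow checks three things a credential-sharing registrar cannot offer: that the bank itself signed the statement, that it was addressed to this service (so it cannot be replayed at another), and that it is still in date. It never sees the banking password, which is the whole of the liability point: the customer has shared nothing with a third party that the bank’s terms forbid them to share.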

But until that happens, take care that when you sign up for an online ID service, it’s not trying to hide your liability in a sinkhole somewhere – otherwise the Lads from Lagos will be in touch sooner than you might expect.

March 23, 2012  10:07 AM

Draft principles for the UK identity assurance programme

tobystevens tobystevens Profile: tobystevens

Jerry Fishenden, Chair of the Cabinet Office Identity Assurance Programme Privacy and Consumer Group, has blogged the draft principles for the new identity assurance scheme, with a view to obtaining public feedback on those principles. I’m involved with the Group, and would urge anyone with an interest in this area to comment on his blog so that we can obtain the broadest feedback in order to deliver this important piece of work.

The principles are summarised below; there’s a lot of work going on behind the scenes to define the small print that supports these.

1. The User Control Principle
Identity assurance activities can only take place if I consent or approve them.
2. The Transparency Principle
Identity assurance can only take place in ways I understand and when I am fully informed.
3. The Multiplicity Principle
I can use and choose as many different identifiers or identity providers as I want to.
4. The Data Minimisation Principle
My request or transaction only uses the minimum data that is necessary to meet my needs.
5. The Data Quality Principle
I choose when to update my records.
6. The Service-User Access and Portability Principle
I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.
7. The Governance/Certification Principle
I can trust the Scheme because all the participants have to be accredited.
8. The Problem Resolution Principle
If there is a problem I know there is an independent arbiter who can find a solution.
9. The Exceptional Circumstances Principle
Any exception has to be approved by Parliament and is subject to independent scrutiny.

March 20, 2012  9:06 AM

Bring Our Bytes Back Home

tobystevens tobystevens Profile: tobystevens

This week’s Sunday Times (no link, it’s behind the paywall) carries a double page ‘exposé’ of the trade in stolen personal data from Indian contact centres, data entry services, IT support helpdesks and hosting services. The article describes how undercover journalists were offered lists of personally identifiable information, including bank data, credit records, loan details, card issuance details, account data and other records, allegedly stolen from the likes of Barclays, Lloyds TSB and Sky TV. The black market traders were asking from 2p to £2 per record, depending upon the potential value (driven by content, context and timeliness) of the data provided.
The article quotes a number of horrified ‘victims’ (none of whom has actually suffered a material loss) who express their outrage that their details are available, and in some cases claim they know the only possible source for the data, citing conference bookings and IT helpdesks as sources. The authors interview the Information Commissioner’s Office, obtaining a commitment that the ICO will investigate, and Richard Bacon MP calls for the government to cease sending personal information overseas (for example, the NHS sends forms to India for data entry purposes).
What the authors fail to do is to interview an acknowledged security expert. Had they done so, they would have realised that this story is hardly news, and it’s hardly fair to specifically point the finger at India. The offshoring of data for economic purposes is fraught with risk: services are invariably outsourced to the cheapest bidder, which means that corners are going to be cut somewhere, and information security controls are bound to be squeezed; the cheapest bidder is likely to draw its workforce from an environment where incomes are very much lower than in the UK, and that means that the threshold for a successful bribe is much, much lower (almost any security system can be circumvented if the sysadmins collude to accept bribes); firms that offshore their services are rarely in a position to monitor or enforce the arrangement (after all, the whole point was to get rid of the function), and if they do discover something amiss they’re hardly likely to publicise it or to report it to the police or ICO, because what can they actually do about it, other than close down essential business functions (although this does sometimes happen); and even if the police are called in, there is the horrendous cost for the client to liaise with the investigation and bring a conviction, when local officers are also subject to the same ‘cheap’ bribes that the culprits accepted.
All in all, once that data goes offshore, it’s safe to assume that it’s leaking, and that has always been the case.
What the article seems to reveal is an ignorance – at least amongst the individuals quoted – of the insight that credit reference agencies and data mining companies have into our personal lives, all through legal and regulated means. The claim that data could only have been leaked by Sky TV or a particular bank is hogwash, since those companies consume risk data from credit reference agencies as part of their account provisioning processes, and provide it back again in a reciprocal arrangement to maintain the accuracy and completeness of those records. The difference between the legitimate and black markets for personally identifiable information is how that information is used, and when offshore staff are handling that information on behalf of credit reference agencies, or have access to agencies’ data services as part of their day-to-day jobs, then the legitimate data leaks into the black market.
So no big deal there, and no real news story for the Sunday Times. But on the same day the Observer came up with something more interesting that adds a new context: that the government has allegedly reached a ‘secret’ agreement that access to ‘particularly sensitive’ personal data on all 43m UK drivers can be offshored to India by IBM. I’d argue that in most cases the data is unlikely to be ‘particularly sensitive’ (although photocards can imply the holder’s ethnicity, and in some cases records may relate to drivers’ health conditions); what is more worrying is the potential for local staff to modify records in response to organised criminals’ bribes. The driving licence is, rightly or wrongly, one of the most widely trusted identity documents, and if we start to see widespread fraud entering the system (as opposed to the small-scale fraud that will inevitably already be in there) then trust in that document will be undermined. There is a strong likelihood that DVLA’s data will be of importance for the cross-government identity assurance programme, so now is not the time to break confidence in that data source.
What’s to be done? As Richard Bacon MP demands in the original Sunday Times piece, we need much tougher enforcement of Data Protection laws, but we should stop expecting that to come from overseas: the solution rests in our being able to impose severe penalties upon Data Controllers who are shown to have failed to control their offshored data in an adequate way, and even tougher penalties on companies that knowingly consume illegally-obtained data. That can only happen with reform of the regulatory bodies concerned to ensure that they are suitably resourced and empowered.
For enforcement to work, we need to be able to prove the source of both legitimate and leaked data, and that will require a mandatory change in the way that companies record personal data: specifically, it’s time for mandatory metadata to be held, with associated digital signatures, to prove the source and legitimacy of a personal data asset. Only when companies are obliged to cryptographically prove the source of their data will we have any hope of meaningful enforcement. 
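The signed provenance metadata proposed in the preceding paragraph, worked through as an added example that is not part of the original post: each holder of a personal data asset signs a record naming the asset (by content hash), themselves as controller, where they obtained it and on what basis, linked by hash to the previous holder’s record. The customer record, the two controllers and the key registry are constructed; symmetric per-controller keys held in a regulator-style registry are assumed in place of the public keys a real scheme would publish.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: a customer record as a bank might hold it.
CUSTOMER_RECORD = {"name": "A. Example", "postcode": "SW1A 1AA", "credit_score": 712}

# Assumption: a registry of data controllers' signing keys, of the kind a regulator could hold.
# Symmetric keys stand in here for the public keys a real scheme would publish.
KEY_REGISTRY = {
    "Credit Reference Agency Ltd": secrets.token_bytes(32),
    "Grabbit & Run Bank": secrets.token_bytes(32),
}


def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def asset_fingerprint(data: dict) -> str:
    """Content hash of the personal data asset; provenance metadata refers to the data by this value."""
    return hashlib.sha256(_canonical(data)).hexdigest()


def make_record(data: dict, controller: str, source: str, lawful_basis: str, prev=None) -> dict:
    """Sign a provenance record for `data` held by `controller`.

    `source` says where the controller obtained the data; `prev` is the previous holder's record
    (None for the originating controller), linked by hash to form a chain of custody."""
    fields = {
        "asset": asset_fingerprint(data),
        "controller": controller,
        "source": source,
        "lawful_basis": lawful_basis,
        "prev": hashlib.sha256(_canonical(prev)).hexdigest() if prev else None,
    }
    sig = hmac.new(KEY_REGISTRY[controller], _canonical(fields), "sha256").hexdigest()
    return {"fields": fields, "sig": sig}


def verify_chain(data: dict, chain: list) -> tuple:
    """Check every record in the chain of custody for `data`, originator first.

    Returns (True, "ok") or (False, reason) naming the first record that fails."""
    fingerprint = asset_fingerprint(data)
    expected_prev = None
    for i, rec in enumerate(chain):
        f = rec["fields"]
        key = KEY_REGISTRY.get(f["controller"])
        if key is None:
            return False, f"record {i}: unknown controller {f['controller']!r}"
        expected_sig = hmac.new(key, _canonical(f), "sha256").hexdigest()
        if not hmac.compare_digest(expected_sig, rec["sig"]):
            return False, f"record {i}: signature does not verify for {f['controller']!r}"
        if f["asset"] != fingerprint:
            return False, f"record {i}: metadata refers to different data"
        if f["prev"] != expected_prev:
            return False, f"record {i}: chain of custody broken"
        expected_prev = hashlib.sha256(_canonical(rec)).hexdigest()
    return True, "ok"


def demo() -> dict:
    """A legitimate chain, a black-market copy, altered data, and an unregistered controller."""
    cra = make_record(CUSTOMER_RECORD, "Credit Reference Agency Ltd", "customer application", "consent")
    bank = make_record(CUSTOMER_RECORD, "Grabbit & Run Bank", "Credit Reference Agency Ltd", "contract", prev=cra)

    # A leaked copy carrying a record that names the bank as controller but was not signed by it.
    forged = {"fields": dict(bank["fields"]), "sig": "00" * 32}
    # The same chain presented with altered data (e.g. a modified credit score).
    altered = dict(CUSTOMER_RECORD, credit_score=850)
    # A record claiming a controller nobody has accredited.
    stranger = {"fields": dict(bank["fields"], controller="Offshore Data Vendor"), "sig": bank["sig"]}

    return {
        "legitimate": verify_chain(CUSTOMER_RECORD, [cra, bank]),
        "leaked": verify_chain(CUSTOMER_RECORD, [cra, forged]),
        "tampered": verify_chain(altered, [cra, bank]),
        "unknown": verify_chain(CUSTOMER_RECORD, [cra, stranger]),
    }
```

Data that arrives without a chain that verifies back to a registered controller is, by construction, unprovenanced, which is exactly the condition a regulator would need to be able to demonstrate before penalising a company for consuming it; the same check lets a legitimate controller show which upstream source a leaked record came from.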
Consumers will have to accept some hard facts as well: if they don’t want their data to go offshore, they’re going to have to pay for it to stay in the UK, because businesses will need to offset the increased cost of UK processing. Consumers also need to understand that almost every aspect of their personal history is already out there in some shape or form. We can’t delete it because we don’t know where it all is, but we might possibly ensure that legitimate organisations can only use it in accordance with the law; and until there is a more effective regulatory regime in the UK, there’s little point in trying to bring our bytes back home.

March 8, 2012  5:49 PM

Time to pay for privacy?

tobystevens tobystevens Profile: tobystevens

Google has been in the news again, this time for changes to its privacy practices, which involved consolidating around 60 statements into one to cover all of Google’s services, including search, plus, gmail, docs etc. Google claim this was done to simplify the user experience and thus to satisfy demands from regulators who were unhappy about the fractured privacy controls within Google’s services. The move is perhaps the biggest single change in privacy management that the Internet giant has yet implemented, and it seems unlikely that such a change was taken without careful consideration of the associated legal and commercial implications. So whatever Google has in mind, they know what they want to achieve. What does it really mean for everyone else?

As Robin points out, one of our key problems is that Google seem to have deliberately conflated ‘privacy policy statement’ and ‘privacy policy’: they have not only changed the way that they inform users of how they manage personal information, but they have made a major material change to how they go about that management. Specifically, Google’s consolidation approach has resulted in a new policy that they will, if they choose, use personal information gathered across all services. Their policy now permits them to mine data across all of a user’s services in order to simplify services, tailor the user experience and facilitate sharing and collaboration – or that’s how Google is pitching it anyway; a user might feel that the change permits Google to mine their browsing, networking, mail, documents, shopping and pretty much any aspect of their online experience, in order to force them towards Google’s paying advertising customers. The Twitterati were up in arms about the change, and many people took the opportunity to delete their browsing histories before Google had the opportunity to start cross-referencing those against their other online activities.

Of course it’s not just Google’s web activities, or even just Google that is the problem. Facebook continues to attract criticism for privacy policies that seem to be in constant flux. Google’s Android and Apple’s iOS platforms have been criticised for mining users’ photos and address books through seemingly innocuous apps and for bizarre or obfuscated purposes. What’s causing the upset here is not so much what Google have done, but their dominance in our online lives. In a more fragmented market, such as retail or banking, if a company does something that upsets their customers, then those customers have the ability to terminate the relationship and to move to alternative providers. If sufficient customers do so, then the company takes a hit to its bottom line and changes its ways. But Google and Facebook in particular have achieved a dominance in our online world that makes it very difficult to avoid them. Users who choose to avoid Google find themselves marginalised and forced to use disjointed services from a range of providers. Those who opt out of Facebook (or any other social network for that matter) are left without networks that others enjoy. Opting out is not an option for many.

Our problem is not Google, or Facebook, or privacy legislation, or market regulation, or a lack of user-centricity in system implementations. Our problem is the underlying commercial model whereby we expect to receive these services for free. These companies deliver previously unimaginable richness of interaction without charging us a penny in cash for the experience. A substantial amount of data mining is essential if they are to create that richness, but the root cause for our lack of control over that mining is the fact that we’re the product, not the customer. The money flows in from the advertisers and affiliates, but as providers fight to meet shareholder expectations for revenues they are having to push harder and harder for our data, and take increasing risks with our privacy to produce the profits.

So what’s to be done? We can’t put the genie back in the bottle, our data is out there, and it’s not going to disappear from the interwebs in a hurry. There’s no point in speculating about breaking up Google’s control over the online world. It also seems improbable that competing systems with different business models will emerge in the near future; for example, the Vendor Relationship Management (VRM) approach championed by the likes of Mydex clearly has the potential to address the problem, but it’s still a long way from gaining the sort of momentum that will shake the big players. What we really need is a way to pay Google, Facebook et al for their services using hard cash instead of personal data. For example, if I could pay a small monthly fee to guarantee that an Android phone would never mine my data, and would in fact create a ‘walled garden’ environment to protect my privacy, then my iPhone would be up on eBay in a flash. If Facebook offered me enhanced private service with proper granular privacy controls with a certainty that my usage and relationships will never be analysed by them or a third-party app unless I expressly consent, then they’d get my monthly payment.

But a step such as that will require these companies to expose the dark heart of their business models, and that will not happen in the current economic climate. If they admit each customer is worth on average, say, £20 p.a. to them, then all those who don’t pay up will be demanding to be paid for their data. If they admit each customer is worth, on average, say, £2 p.a. to them, then their shareholders will be howling at their grossly inflated market capitalisations. Reputation businesses such as Klout exist to help these companies to assign a value to individual users, but being told your friend’s data might be worth £10 p.a. to Facebook, but yours isn’t worth £1, is hardly going to curry favour with Facebook’s users. The providers can’t win if they go down this route, at least not until a price point is found that satisfies consumers and shareholders alike, or a disruptive new venture enters the market and forces their hand.

So that’s the challenge for the market, and in particular for VRM providers: if we want privacy *and* open data *and* free services, we need a way to make that more attractive to the major incumbents than their current business models. They need to see that they can make privacy pay without jeopardising existing revenues. And we all need to get ready to pay for our privacy.
