Who Am I?
... the case for a UK Digital ID
If truth be told, I had not anticipated discussing the merits of digital ID, and it is not the announcement by the UK Government of a digital ID scheme that has compelled me to do so. Rather, it is the widespread - and principally negative - reaction to that announcement that has occasioned this response. This reaction is, I feel strongly, misplaced and primarily motivated by misunderstandings, not simply of how digital ID technologies work, but also of how data and services are currently delivered.
Before I consider what might be achievable with a UK digital ID, I need to address the politics. Or more accurately, sidestep them. I have no strong view about whether or not a national digital ID should have been tested at the election. I similarly have no particular view as to whether ‘Right to Work’ (associated with illegal working and migration) is the appropriate platform on which to launch this scheme. I have limited sympathy with the view that digital ID is somehow ‘un-British’. Whilst I recognise concerns in each area, they are not, I feel, material to any consideration of the benefits, or for that matter risks, of digital ID.
So ... what, in essence, is being proposed? Whilst the details of the UK digital ID scheme are as yet unclear, this is a general outline. It falls substantially short of a comprehensive account.
UK citizens will possess a single unique digital ID, securely linked to them through personal information and limited biometric data, and associated with cryptographic keys. These keys (private and public) allow citizens to prove who they are, that is, to authenticate themselves (using the private key), and to protect information in transit using encryption (using the public key). This scheme makes the ID secure, verifiable, and hard to forge.
Once enrolled, using existing trusted sources such as current government records, the citizen can be issued with a digital credential in the form of a smart card, app, or secure cloud-based key. A trusted identity provider, likely a federated or accredited service of some form, will be able to confirm to a requesting service that the authentication is valid.
An important feature of a digital ID in this form is that it provides for data minimisation. It is not necessary to provide the entirety of the information associated with the identity; instead, specific attributes derived from that information can be shared. This depends upon cryptographic proofs that do not disclose unnecessary information.
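One way attribute-level disclosure of this kind can work, shown as an added example that is not part of the original article or of any published UK scheme design: salted-hash selective disclosure, where the issuer signs digests of the attributes and the holder reveals only those a service needs. The attribute names and sample values are constructed, and an HMAC stands in for the issuer's public-key signature so that the code runs with the Python standard library alone.

```python
import hashlib, hmac, json, secrets

# Assumption: constructed demo key. HMAC stands in for the issuer's signature;
# a real scheme would use a public-key signature so verifiers hold no secret.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(salt, name, value):
    # The random salt stops a verifier from guessing hidden values by hashing candidates.
    blob = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, "\n".join(digests).encode(), hashlib.sha256).hexdigest()

def issue(attributes):
    """Issuer: commit to every attribute, but sign only the digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "signature": _sign(digests), "disclosures": disclosures}

def present(credential, reveal):
    """Holder: pass on the signed digests plus only the chosen attributes."""
    chosen = {n: credential["disclosures"][n] for n in reveal}
    return {"digests": credential["digests"],
            "signature": credential["signature"], "disclosed": chosen}

def verify(presentation):
    """Verifier: check the issuer's signature, then each disclosed attribute."""
    expected = _sign(presentation["digests"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("issuer signature invalid")
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in presentation["digests"]:
            raise ValueError(f"attribute {name!r} is not covered by the signature")
        verified[name] = value
    return verified

# Constructed sample data: the service only needs to know the holder is an adult.
credential = issue({"name": "Alex Example", "date_of_birth": "1990-04-12",
                    "over_18": True, "right_to_work": True})
presentation = present(credential, ["over_18"])
```

The signed digest list is identical in every presentation, so services that compare notes could link them; schemes that need unlinkability issue per-use credentials or use zero-knowledge proofs instead.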
In substantial part an identity system of this kind can be built on open standards. There are, of course, a range of design choices, each striking a slightly different balance in terms of security, usability, inclusion and ‘citizen-centricity’. I anticipate that at least some computer scientists will make a great deal of noise about these choices, and in particular the merits of so-called ‘self-sovereign’ identity - a scheme by which individuals retain control over their own digital credentials. These schemes have advantages, but are also complex and place responsibility for managing cryptographic keys on users. They do not obviate the need for trusted parties and, of course, governance. They are subject to a set of vulnerabilities it may prove difficult to mitigate. Some of the advocacy for this approach stems from politics that I do not share: I am not a libertarian and repose more trust in democratic control. Whilst the design choices that will have to be made are important, it is overall more important that we develop a scheme that can work.
The benefits of a UK digital ID scheme are clear. Rather than a patchwork of inconvenient and unreliable methods for authentication, for which the burden falls equally on service user and provider, a single method can form a spine for joined-up public services. This principally benefits those who are most dependent on those services and who are vulnerable, and who, by the by, struggle the most to authenticate their identities. It largely eliminates risk associated with forged identities and many of the challenges of identity theft. It simplifies the implementation and provision of services, reducing costs and administrative burden.
The data minimisation angle is important to emphasise. It is always possible for services to achieve some level of assurance across systems that use different, and potentially insecure, means of identity and authentication. It is just inconvenient, unreliable and, critically, discloses more than is necessary. An ill-intentioned government would have no problem - other than expense - in enabling tracking, profiling and behavioural analysis without digital ID. We set aside here the vast amount of identifying data that citizens have willingly, or necessarily, provided, with limited guarantees of privacy, to commercial organisations, and which is routinely traded.
A digital ID, when combined with a suitable scheme of regulation, can be more protective against unwarranted intrusion than the current patchwork approach. I should note here, however, that I am not a privacy absolutist, and to the extent that a UK digital ID enables security and protects against the abuse of government services I think these are worthwhile aims.
Clearly, there are risks with a digital ID. First and foremost, whilst it protects against many forms of technical attack it does not protect against manipulation and deception. Depending on the implementation of the service it provides a single point of failure. Even a decentralised service relies upon shared protocols and implementations and thus, potentially, common vulnerabilities. A failure that exposes identities or gives access to digital credentials could have significant impact because of the linkage to multiple services. There is a high requirement for reliability and resilience to address service denial that necessitates a suitable infrastructure. Inclusion remains a concern, and whilst smartphone penetration is high, the elderly and ‘digital-poor’ may find use of a digital ID challenging. Similarly, they may find it difficult to meet the requirements for enrolment. Potential vendor lock-in, and dependence on the use of proprietary components remain serious concerns. Finally, alignment with other national ID schemes and interoperability (for travel, cross-border transactions etc) can be limited through diverse and evolving standards.
Whilst these risks are real, they are also mitigable. The existence of ‘gold-standard’ models, such as Estonia’s e-ID/X-Road, and the surrounding digital services ‘wrap’, demonstrates that the primary issues might be overcome. No system is perfect, but digital ID is a lot better than the status quo.
So to what seems to me the most corrosive and damaging objection to a UK digital ID: that the UK government is not capable of implementing a suitable scheme. It is argued that we have a deep-seated inability to assemble the collective will across political cycles that the development of such infrastructure requires, a funding system that fails to account for strategic benefits of infrastructure, a history of repeated failures to develop programmes to time and budget, limited capability for technical leadership, risk-averse procurement and poor commercial management, and significant technical debt locked in existing government systems. Most challenging is the coalition of critics that eat away at any infrastructure proposals but lack a constructive alternative. All of these must be addressed, but cannot be allowed to stand in the way of our ambition to provide better infrastructure and services. Digital projects such as the many services accessible through GOV.UK and the NHS App are examples of where we have got it right.
With determination we can make services more accessible to those entitled to them, and more joined up, as well as making citizens more secure. The ambition to create a UK digital ID has my support - it merits yours.


Last Friday, on Radio 4 PM Programme, one of the objectors was interviewed and she failed to land any blows at all. Perhaps her best argument was that the ID would create a vulnerable data asset that might be hacked by (unnamed) malevolent actors. She certainly wanted an opt out (an act of self harm IMHO). There was no coherent argument against other than an idea of "personal choice" being fine, but any "enforcement" being not fine. She also deployed the "slippery slope" argument, without any realistic scenario (but see below, for one such).
Consider the following: you cannot really get anywhere these days without a smart phone, a driving licence, a passport, and an NI number. Consequently you really need an Apple ID and iPay, or a Google Wallet, which in turn require Face ID and Touch ID. The benefits of these services to all citizen users are obvious.
We are moving towards a cashless society now, with a generational OAP lag for some that will need to be managed (as in China already). The benefits to citizens are so obvious. Users clamour to opt-in every day, choosing to do so. Excited by the impacts and opportunities these innovations bring into their lives. We all move (fairly) seamlessly through both public sector and commercial services, with our ID established and subscriptions, payments, media consumption, travel, and ticketing. These days the NHS app is improving access to information and ordering repeat prescriptions.
So your own ID data is held by your banking and payment mechanisms, by your digital service providers (commercial, not public, and mostly US), your media providers, your email and WhatsApp accounts, your state NI + passport + driving licencing; the UK Government Gateway for HMRC; your NHS number; your DVLA car tax; your pensions; your energy and utility providers, and so on. Your employer probably knows the least! All of this is digital - and increasingly the non-digital option is being left behind (a new form of second class citizenship - of self-harm). Digital inclusion is more important than any Cnut-like holding back and hand wringing.
In fact, the objectors should better focus on who can store and examine personal biometric data (which are not completely the property of an individual, being partly shared by close kin), rather than any ID data. They are tilting at the wrong windmill because they aren't properly (technically) au fait; and are ignorant at worst.
Biometric data, such as the UK Passport database and the DVLA database, which are linked and both contain facial images (which is demonstrably shared between them, sideways), is a big further step, and it is discoverable and examinable for purposes that are ill defined by the police. Even the police DNA database for anybody arrested is a concern as deletion required by law isn't automatic as it should be. On the other hand many historical crimes (from decades ago) are resolved when some kin of the perpetrators are put onto the DNA database (I am saying that while fingerprints are unique to the individual, DNA and facial features are not). Professor Serious certainly looks like his brother! Just sayin'
Lots of good points - like data minimisation, and also exemplar of Estonian System. Just to also support that not all government projects are bad - DVLA (which includes a form of id) was a big win, and points the way. What I question is a) whether it would actually simplify citizens' lives and b) whether it would actually reduce government costs much at all - the big wins were simply going digital (as we have for NHS, HMRC, DVLA etc). So unifying sign-on is only a win for the services if there's some data joins they can then usefully do, but that flies in the face of privacy and data minimisation. For the user, unifying sign on can just be hidden in a wallet app - you don't need to have one id - you just need a nice federated service - I already use such tech for many things. The argument (made in some quarters) it will solve small boats/illegal immigrants is 100% BS - legal immigrants already get a digital identifier from the Home Office which they show for entitlement (to work, healthcare, accommodation etc). Else we have NI, etc... what I'm failing to see is a proper analysis of the actual cost/benefit that would precede any such large project in a sensible business (due diligence too:-)