With a general election in the offing, the question of Internet voting has reared its head once again, but the big problem with it lies in “verification”, by which I mean: is that a valid vote, and is that an actual individual who is entitled to cast their vote electronically?
For people like the Speaker of the House, Bercow, to gaily indicate that it will happen in 5 years is entirely stupid, because he is seriously underestimating one of the key elements that makes any democracy valid: “That the count itself can be trusted”. Even the most repressive countries have elections based upon one person one vote, but it doesn’t make them a democracy, and there have been abuses of postal voting.
A Question of Identity
The issue is both important and pressing in a number of ways, as technology has outstripped existing ‘processes’, so we do need to revisit some past projects concerning proving identity and examine what we now need to do, because doing nothing is not really an option. The problem is that the Internet has been far more disruptive to the old ways of doing things than people could possibly have realised only 15 years ago and we are constantly playing catch up; it is time that we got ahead of the loop.
There have been various government projects on the issue of identity, the most recent and notorious being the ID Cards under the Blair Government. However, if I remember rightly, before that, under the Major Government, there was a project to introduce a ‘Benefits Card’ related to an individual’s entitlement to State Benefits. http://www.nao.org.uk/press-releases/the-cancellation-of-the-benefits-payment-card-project-2/
The main problem with all of these initiatives is best summed up in the following headline: “The Speaker’s Commission on Digital Democracy wants to transform Parliament into a digital-friendly institution”
The reason why all these projects have failed in the past, and why any future ones are also likely to flounder, is that they were/are far too narrow in the thinking behind the scope of the project and consequently fail to grasp and deal with the fundamentals behind reaching their objective. The failures are wholly the result of intellectual failures in the first place: the inability to focus in on the one key element common to all potential “stakeholders”, namely SECURITY of identity.
To be frank, I don’t like the word “stakeholders” because it has been too often misused and has acquired a degree of “gobbledygook” but, as a description of “people with skin in the game”, it will have to do, so let’s press ahead to describe who these people are. There are essentially three main categories, which you might envisage as being three sides of a triangle: us as users, the organisations that need secure transactions and, finally, the administrators that oversee a secure system.
You and me. When we do on-line banking or shopping, use our debit or credit cards in a shop, register to vote, register at a GP surgery, tax our car, obtain a passport or driving licence, buy or sell investments, ensure that our property is properly registered in our name, pay taxes, claim rebates or State Benefits we are entitled to, in all of these situations and many more besides, we all want and need a secure personal identity.
A secure and safe ‘electronic’ ID of some kind does offer maximum convenience to us as ‘users’ but obviously we need to be assured that it is reliably safe and does not hand all our personal data over to one organisation to use as it wishes and without our consent.
The organisations that need secure transactions. This is a very clumsy phrase, but it is one that is not often heard in the context of “Secure Personal ID”, which is as surprising as it is shocking.
The focus of the Benefits Payment Card was largely paying State Benefits through Post Office Counters and it most likely failed mainly because a viable infrastructure just wasn’t available back then in the Nineties. The Blair ID Card was focused on driving licences, passports and fancy ‘biometrics’; it also suffered from lots of BS and hyperbole, which mainly demonstrated that politicians generally are not technically equipped to take such spending decisions.
Both of the above were undertaken using public money directed at very narrow Government objectives. To the best of my knowledge, at no time did they tap into non-governmental stakeholders who were already spending many millions on a similar thing and also had a vested interest in establishing secure personal identities. Obviously here I’m talking specifically about the credit card businesses and other financial institutions who have had very many years constantly updating their business practices against the commercial background of an ever-changing world in which they do business.
The third side of the triangle would be made up of an organisation that administers and monitors any system that bridged the State and Commercial interests. It would need to be a totally independent body, devoid of any political or commercial interference. Although I am not laying out any kind of detail on what this might need to be, there are a couple of features that I can touch upon to illustrate some key requirements.
Ignoring American Express and Diners, who may have their own systems, globally there are two credit card clearers, Visa and MasterCard, who provide all the transaction services to the card issuers, who are mainly banks and other financial institutions. Obviously both of these are purely commercial businesses and therefore primarily owe allegiance to their shareholders; this is not a model that would be appropriate to the kind of organisation that would be administering British identities.
The key point here is that if you were to set up such a body, in an age of global terrorism there could be pressure to disclose confidential information to the security services, but such agents of the State should not be able to plunder such information at will. Therefore the ‘Body’ would need to be a legal entity subject to Parliamentary Charter of some kind and constructed with Civil Liberties in mind. Access to information would need to be subject to Court Orders and on a case-by-case basis. Such an organisation would need to be funded by charges laid on the organisations that use it, be they government departments or commercial organisations.
It would be foolish to launch into detailed technical descriptions at this stage of the game. Any project that looks at this would need to spend a couple of years interviewing and ‘listening’ to interested parties before even suggesting how it might be done but, that said, it is worth lobbing a couple of “technical grenades” into the pot early on, if more as questions than answers.
One of the notable features missing from the ID project under the Blair government was a “Security Model”, which was surprising as there were many who questioned the project on civil liberties grounds as well as ID cards being Continental and “Not British in any way”. To explain, a security model is not a piece of software; it is simply stating “Who can see what information and under what circumstances”. Pretty basic stuff, and they should have done that first; it is a key exercise that only requires pencil, paper and brain.
At the time, I, along with many of my colleagues in IT, never got round to looking at the civil liberties issues because there appeared to be another glaring technical mistake being proposed: a Single Database! As every database will eventually get hacked, one never relies on a single database; you retain the principle of distinctly separate “silos of information”, or deliberately using multiple data sources to validate identity, rather like the variable teeth in any physical key. There is a good reason for these things!
Our current method of identifying people in terms of pension and all other State Benefits is the National Insurance Number, which is well known to be totally insecure; some years back someone discovered that there were over 10 million more numbers issued than there were ever people! It might well be time to think totally differently and forget the idea of a physical card; something based on mobile phones, even a ‘phone number for life’ issued at birth, might be a better platform.
At this stage, I am not proposing any particular technology; I’m more interested in a debate about what is needed and, in broad principle, the shape such a solution might take. The important thing is to get the public engaged in the idea.
Why Bother?
The idea of an ‘Identity Card’ conjures up the agents of the State, be they Police or others, stopping you on the street and demanding that you prove who you are, all very Nazi and negative. However, turn the concept around to a “Clear Proof of Our Identity” that is valid for transactions with both the State and commercial organisations and we have a very different feel about the whole thing.
There are obvious benefits for dealing with the State because it can make all transactions not only far more efficient but also far more flexible, thus cutting down on the costs of administering such systems and allowing for pretty instant flexibility so that Benefits adjust seamlessly to the changing circumstances of the individual. Clearly, once you have a system, other ‘State’ systems that need identity, be it a bus pass, a driving licence or passport and even voting, can be dealt with efficiently too.
The same system can also be used for banking, credit cards, loans, leases and so on in the commercial sphere. Whether using Facebook, Twitter or any social media, or buying goods and services on-line, we give away a lot of personal information already; we may well just accept that and engineer greater security into an overall system that provides better protection from fraud and eases our way through life.
Time to revisit Proof of Identity.