This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me: “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago.”
How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,
- A person does not need a Unique Identifier (UID).
- The Law does not demand a UID.
- Use just sufficient data to identify a person.
Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings, “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”. No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:
- Citizens and officials understand their own requirements and can agree an acceptable set of processes.
- Governance, rights, responsibilities and constraints must apply within the Law.
- Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.
Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?” Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.
Quark 1: A person does not need a Unique Identifier (UID)
“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust to meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, the operator may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. Even there, the identity offered does not need a unique code.
It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.
Quark 2: The Law does not demand a UID
Requests for evidence of Identity are necessary in most circumstances. A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed. No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”
I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO): it does not cover every person in the UK who might be entitled to a public service; children, if you want an example. There are restrictions on where NINOs can be used and re-purposed. Look at the governance problems engendered by the defunct ContactPoint. The Data Protection Act permits cross-referencing of computer files when fraud or a crime is suspected. Individual voter registration can use both local and central government databases to verify identities.
Nowhere is there a reference to a UID. A UID is technologists’ shorthand for a key that identifies a record in a data store; it does not identify a person. It identifies a computer record.
Quark 3: Use just sufficient data to identify a person
This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have a choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities; stage names, maiden names, peers, protected witnesses and many more.
Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).
LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies. Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.
The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.
If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology. My proposal, made five years ago, was based on properties of Google. Not Google, but cloud-based technology that permits intelligent searching of linked data, leading to identifying the right person. The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.
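A sketch of the linking idea described above, added here as an illustration and not the author's original proposal or any deployed system: two constructed data stores keep their own local record keys, each grades a match against only the evidence the citizen offers, and the combined strength is compared with what the service requires. The store names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: two bodies, each with its own local record keys.
STORES = {
    "housing": {
        "H-17": {"name": "ann lee", "dob": "1980-02-01", "postcode": "AB1 2CD"},
        "H-42": {"name": "ann lee", "dob": "1975-06-30", "postcode": "ZZ9 9ZZ"},
    },
    "electoral": {
        "E-903": {"name": "ann lee", "dob": None, "postcode": "AB1 2CD"},
    },
}
WEIGHTS = {"name": 2, "dob": 3, "postcode": 2}       # assumed grading of evidence
REQUIRED = {"car_park": 0, "housing_benefit": 10}    # assumed strength per service

@dataclass(frozen=True)
class Assertion:
    store: str
    local_key: str    # identifies a record inside `store`, not a person
    grade: int

def assertions_for(evidence):
    """Each store grades its own records against only the evidence offered."""
    found = []
    for store, records in STORES.items():
        for key, rec in records.items():
            held = [f for f in evidence if rec.get(f) is not None]
            if not held or any(rec[f] != evidence[f] for f in held):
                continue  # nothing to compare, or the record contradicts the evidence
            found.append(Assertion(store, key, sum(WEIGHTS[f] for f in held)))
    return found

def link(evidence):
    """Return (links, strength); a store with several candidates asserts nothing."""
    by_store = {}
    for a in assertions_for(evidence):
        by_store.setdefault(a.store, []).append(a)
    links = [c[0] for c in by_store.values() if len(c) == 1]
    return links, sum(a.grade for a in links)

def admit(service, evidence):
    """Jobsworth's "Who are you?" check: is the linked evidence strong enough?"""
    return link(evidence)[1] >= REQUIRED[service]
```

A name alone matches two housing records, so that store contributes no assertion and the strength stays too low for Housing Benefit; the car park admits an anonymous caller with no evidence at all.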
I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector. No2UID.