UK Government identity initiatives since the late 1990s - IDnext 2015
3 likes2,387 views
The document discusses the evolution of identity initiatives in the UK government, highlighting the transition from traditional identity cards to a federated model utilizing digital authentication methods. It emphasizes the need for a modern identity framework that prioritizes citizen control over personal data while ensuring privacy and security. Key considerations include promoting open standards, minimizing information disclosure, and adapting policy-making to keep pace with technological advancements.
UK Government identity initiatives since the late 1990s - IDnext 2015
- 1. UK government identity initiatives past, present, future: policy and technology perspectives IDnext April 2015 Dr Jerry Fishenden Chair, UK Government’s Privacy and Consumer Advisory Group (PCAG) Senior Research Fellow, Bath Spa University Director, VoeTek Ltd The European networking and knowledge platform for Digital Identity 2015
- 2. 1998 “… it is the responsibility of government to provide an official ‘citizens card’ once it expects people to use it to access and validate official transactions – just as it provides other documents such as passports and driving licences.” 2 opposing views of identity: “… if there is a ‘market’ for ‘identity’, then it can be met by any number of private means and does not need a single official mechanism which could be portrayed by some as the equivalent of a national identification card.” Electronic Government: Information Technologies and the Citizen. February 1998. Parliamentary Office of Science and Technology (POST).
- 3. View 1 “… it is the responsibility of government to provide an official ‘citizens card’ once it expects people to use it to access and validate official transactions – just as it provides other documents such as passports and driving licences.” View 2 “… if there is a ‘market’ for ‘identity’, then it can be met by any number of private means and does not need a single official mechanism which could be portrayed by some as the equivalent of a national identification card.” Identity Cards Act 2006 Repealed in January 2011 by the Identity Documents Act 2010 (cards invalidated with no refunds to purchasers) 1990s – everyone does their own thing 2001+ – hub-based, federated ID model (digital certs, UserID/password) 2008+ – enhanced with EMV (chip and PIN) authentication 2011 – Identity Assurance Programme (IDAP) 2014 – GOV.UK Verify
- 4. A LOOK BACK ....
- 5. c. March 2004 service service service service service service transactions authentication API API API API API API API API payments API secure messaging helpdesk websites 3rd party applications trusted third parties API API API API API Govt Gateway UI X.509 digital certs with W3C digsig, SAML & UserID/password (with EMV implemented 2008) Dept Dept Dept Dept Dept Dept Government Gateway View 2
- 6. View 2 2001 onwards - federated authentication using a variety of credentials, from UserID/Password to digital certificates to (later) EMV (chip and PIN)
- 7. technical standards Standards CustomerCustomer ApplicationsApplications GatewayGateway BackendBackend SystemsSystems •• XML using XSD schemas and GovTalk headerXML using XSD schemas and GovTalk header •• 128 bit SSL encryption128 bit SSL encryption •• HTTPHTTP •• tScheme digital ID (optional)tScheme digital ID (optional) InternetInternet InternetInternet •• SSLSSL •• HTTPHTTP •• HTTPHTTP •• SSL for authenticationSSL for authentication •• XML and GovTalkXML and GovTalk •• HTTPHTTP •• Reliable messagingReliable messaging •• tSchemetScheme digital certificatesdigital certificates •• HTTP and SSL server certificatesHTTP and SSL server certificates •• XML and GovTalkXML and GovTalk •• SMTP for email acknowledgementsSMTP for email acknowledgements •• Reliable messaging using SOAP andReliable messaging using SOAP and BiztalkBiztalk •• AuthenticationAuthentication •• Store & forwardStore & forward •• TransformationTransformation •• RoutingRouting ApplicationApplication •• Any application:Any application: Dept/Portal/3Dept/Portal/3rdrd partyparty •• Any hostAny host •• Any deviceAny device GatewayGateway SystemSystem TCP/IP HTTP HTTP 128 bit SSL (TLS 1.0) HTML XML X.509 digital certificates W3C XML signing EMV (chip and PIN) Liberty ID-FF and Web Services WS- Federation SAML 2 SOAP SMTP View 2
- 9. ID Cards 2006 Edition ... 1. Symbol meaning a chip is embedded in the card 2. ID card number 3. Citizenship. Foreign nationals in the UK are being given different cards. 4. Place of birth 5. Signature - digitally embedded in the card 6. Date of card issue and date it becomes invalid 7. Photo taken to biometric standards 8. Biometric chip holds fingerprint record 9. Swipe zone. Information which can be automatically read by computer View 1 Identity Cards Act 2006. Card + National Register.
- 10. View 1 ... the return of 1930’s thinking? National Registration Act 1939. Card + National Register. ID Cards 1939 Edition
- 11. (aside) private sector not a great model either … 234 your name, bank account number, sort code number … (conveniently embossed for easy skimming) … your signature, “security code” and “automated hacking magnetic strip” View 1
- 12. View 1
- 13. View 1
- 15. National Audit Office. Identity Assurance Programme. December 2014. http://www.nao.org.uk/wp- content/uploads/2014/12/Identity-Assurance-Programme1.pdf
- 16. http://www.gov.scot/resource/doc/16999/0110002.pdf https://www.gov.uk/government/consultations/draft-identity-assurance-principles/privacy-and- consumer-advisory-group-draft-identity-assurance-principles (original draft) https://ntouk.files.wordpress.com/2014/07/pcag-ida-principles-3-1.pdf (Version 3.1, 17th July 2014) first - rebuild trust
- 17. IDENTITY ASSURANCE PRINCIPLES PRIVACY AND CONSUMER ADVISORY GROUP (PCAG) V3.1 17th July 2014 https://ntouk.files.wordpress.com/2014/07/pcag-ida- principles-3-1.pdf
- 18. Verify
- 19. standards • SAML 2.0 • Identity Assurance SAML 2.0 Profile defines the authentication flow (published publicly) • HTTP redirect binding • SOAP back-channel between hub service and matching service • Matching Service Adapter (MSA) provided by IDAP as a black-box service (JSON API)
- 21. concepts • the hub is stateless and acts as a privacy barrier • the hub provides users with IDP discovery and orchestrates the authentication and matching process • a successful authentication provides an assertion of identity including Matching Data and a Persistent Identifier (PID) • matching data = name, address, DOB, gender + history where available
- 22. a market place of suppliers • multiple third party providers able to assure specific attributes of identity • currently: – Barclays bank – PayPal – Royal Mail – Experian – Verizon – Digidentity – the Post Office
- 23. WHAT NEXT?
- 24. caveat • General Election, May 7th .... Source: Sky News, 06/04/2015
- 25. • a 21st century approach to identity with clear value and incentives for citizens, businesses and the public sector • proof of entitlement and authorisation to use a service, without necessarily identifying the user – that is, the disclosure of only the bare minimum of information necessary for a transaction: • for example, providing a proof that a person is over or under a certain age threshold, without disclosing their actual date of birth or their age
- 26. • a choice of devices that makes sense not only to government, but also to us as citizens and to the commercial sector • the effective management of electronic credentials throughout the lifecycle between issuance and revocation, in a privacy-friendly way • decentralised governance of identity infrastructure across the private and public sectors, without the need or desire for anyone to sit in the middle and log and monitor everything we do in our daily lives
- 27. This is what the nightclub bouncer sees ...
- 28. Courtesy Dave Birch, Consult Hyperion http://www.slideshare.net/15Mb/rusi-psychic-id-slides-493294
- 29. ... this is not new: there is a toxic lag between out- dated analogue policymaking and modern digital technology ... ... better approaches have been understood since at least 2003 ...
- 30. Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer DOB: 03-25-1976 Reputation: high Gender: female minimal disclosure tokens: basics Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer
- 31. Prove that you are from WA and over 21 Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer Which adult from WA is this? ? ? minimal disclosure tokens: basics DOB: 03-25-1976 Reputation: high Gender: female Over-21 proof
- 32. Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer Prove that you are a gold customer authenticated anonymity
- 33. Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer Name: Alice Smith Address: 1234 Crypto, Seattle, WA Status: gold customer UserID: Alice S. City: UserID: Alice S. Seattle, WA? unlinkable data sharing ? No unwanted linkages
- 34. policy implications • monolithic, analogue-based identity management models present unacceptable risks to security and privacy • we need open standards and protocols for ensuring interoperable and secure user identity solutions both online and offline • users must be able to use context-specific identities and minimised attributes (including anonymous and pseudonymous) in online interactions • users must be able to control and disclose minimal information (e.g. “I am over 18”, “I am a UK taxpayer”)
- 35. at the macro level • modernise the policymaking process: – ensure technological and scientific evidence is gathered and understood prior to legislation being brought forward • e.g. avoid ‘the Identity Cards Act’ model, where a single out-dated and weak technology solution (simple cards) became damagingly fused with the objective and policy outcome • don’t plan based on what you can see in the rear-view mirror
- 36. conclusion • the public sector should raise the game for everyone: – place the citizen, not private or public sector organisations, at the centre and in control of their own data – empower the citizen with additional safeguards and protections well beyond those that the current leaky plastic cards and online logins provide – act as a catalyst to encourage the adoption of user-centric, not organisation-centric, models – exploit the potential of personal data stores
- 37. • a twenty-first identity framework must – ensure technology underpins the rule of law, security, and privacy and other core democratic freedoms in contributing to trustworthiness, not undermines it – honour throughout the entire design (from protocols to device design) European values such as privacy, freedom of expression, protection of minorities, freedom of association, and freedom of belief
- 38. ... reading the future http://www.billbuxton.com/
- 39. acknowledgements • (all opinions, and errors, are my own work ....) • my thanks to .... – the Verify team at the Government Digital Service – Dr Stefan Brands – Kim Cameron – Dave Birch, Consult Hyperion – all the members of the Privacy and Consumer Advisory Group – Privacy International and Big Brother Watch • some elements of this presentation draw upon papers and presentations from around 2000 onwards – some of which are available via http://www.slideshare.net/jerryfishenden
- 40. UK government identity initiatives past, present, future: policy and technology perspectives IDnext April 2015 Dr Jerry Fishenden Chair, UK Government’s Privacy and Consumer Advisory Group (PCAG) Senior Research Fellow, Bath Spa University Director, VoeTek Ltd The European networking and knowledge platform for Digital Identity 2015