What We Will Tell The Government, Part 1

We will be giving a draft of our report forecasting the impact of emerging technologies to the CSIA next week, if we don’t collectively develop writer’s cramp. It is based on what you have told us on this blog and what’s been put up on our wiki. Since you did so much to build it, you get the chance to inspect it before it’s delivered.

We will post it in stages on the wiki and excerpt it here. In total, it is to be 20 pages in length. In a previous post, we told you which subjects would be covered in the report. We also took the decision to highlight 3 issues for more in-depth exploration, those issues being Identity Management, Convergence and Nanotechnology.

Here is the overview for the Identity Management section, followed by our thoughts on the implications for UK government. The entire section will be on the wiki’s Identity Management page. If you don’t think this is what we should be telling the Cabinet Office, tell us here or on the wiki, or email me at tom dot fuller at kable dot co dot uk.

Identity Management Overview

The topic is discussed in depth here:

Not truly an emerging technology, identity management is an emerging discipline growing out of IT security and password/certification authentication and communications. Of the relatively tiny number of academic publications and patent filings found at Scirus (a cross-disciplinary database of scientific publications), 89% of journal publications and 93% of patent filings with the phrase “identity management” in the title, abstract or text were published after 2002. It must be emphasized that little work has been done in this field; only 321 academic publications are found on Scirus and 597 patent applications in total. This compares with 17,833 academic publications and 8,309 patent applications for “biometrics.”

Identity management issues transition to information assurance issues, sometimes seamlessly. ID management has a tighter focus, concerning itself with the management of the identity life cycle. However, it should be noted that

    if identity management fails, information assurance is impossible

Citizen-Centric

• Do I trust the system that holds the information used to authenticate my identity? Will they lose it, sell it or abuse it?
• Can I manage the multiple logins and passwords mandated by the numerous systems I interact with?
• Do I have to continuously re-enter the same information time after time, frustrating me and increasing the chances of an error on my part or on the system’s?

Implications for UK government

• Biometric information used in identity management should be encrypted prior to transmission. Encrypted biometrics enable a more robust data management programme.
• The most successful systems rely on user input and verification of data.
o Amazon and eBay have systems that are more robust than banks, as they get information directly from the user alone, and prompt for updates with each transaction. Banks get information from customers too, but it is at the beginning of the relationship and they do not prompt for information change, and side inputs from other sources (credit rating agencies, etc.) are prone to much higher error rates.
o Information assurance programmes willing to accept private sector verification of identity might well consider using retailers that make home deliveries, looking for recency of successful interaction rather than length of relationship.
 ▪ The number of online shoppers was estimated at 14.5 million in 2005, including 2.7 million over age 55.
• Information assurance programmes that do not carefully vet every element of identity management procedures in sub-hierarchies should not rely on those organisations’ attestations of verified identity.
o An ongoing audit programme including attempts to defeat individual systems should be a vital part of any information assurance programme
o More importantly, the audit programme should try to construct false identities using information from a variety of systems to establish bona fides, with a goal of getting drivers’ licenses and passports. Information from these efforts should be shared only with system owners, in efforts to improve system performance and to improve co-operation with affected organisations.
• Of pressing current interest is the use of mobile wireless networks for Internet access. Laptop computers that use an unsecured network should not have confidential information on them, nor should they be permitted access to confidential information. Identity management protocols should identify the status of a user’s network connection and politely deny access until a secure connection can be established. Individual laptop computers that permit storage of or access to confidential information should be configured to prevent access to unsecured networks.
o As the physical security of laptop computers is not addressed elsewhere in this report, we take this opportunity to note that:
 ▪ laptops should have a proximity alarm installed to remind the user not to leave a laptop behind,
 ▪ a form-based permission mechanism should be used to minimise the loading and retention of confidential information on laptops. This could include automatic destruction of sensitive data after a date set by the user,
 ▪ GPS tracking should be used to retrieve lost or stolen laptops,
 ▪ preparations should begin now for similar security protocols for mobile phones and PDAs, to future-proof identity management systems prior to the introduction of devices with capabilities much greater than present versions.

Have at it!

12 Responses to “What We Will Tell The Government, Part 1”

  1. Ian Brown Says:

    Tom - I don’t think identity management has much to do with mobile device security. Any server communicating secure information should simply not offer insecure channels to access that information. If you want those servers to deny access to devices in a non-secure state, you need the remote attestation features of Trusted Platform Modules, not ID management.

  2. Tom Fuller Says:

    Hi Ian,

    At present that is true. But how much longer will that be the case?

  3. Ian Brown Says:

    On GPS tracking: how will you stop thieves enclosing stolen laptops in a case that blocks any tracking signals?

    On proximity alarms: how will these alarms detect when users move a certain distance away?

    On biometrics: the robust way to use biometrics remotely is to have a local device verify the metric, then unlock private keys that are used to authenticate the device and user to remote servers. Transmitting a biometric for remote verification simply enables captured biometrics to be replayed to those servers.
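
Ian’s point in the comment above, worked as an added Python example that is not part of the original post or report: in design A the biometric itself is the wire message, so a captured copy authenticates again; in design B the device matches locally, unlocks a key and answers a single-use server challenge, so the same transcript is rejected on replay. The template, key and challenge are constructed sample values, and an HMAC shared key stands in for the private-key signature Ian describes.

```python
import hashlib
import hmac
import os
# Constructed sample values; the HMAC key stands in for the device's private key (assumption).
ENROLLED_TEMPLATE = b"constructed-template-0001"
DEVICE_KEY = b"constructed-device-key"

class RemoteMatchServer:
    """Design A: the raw biometric crosses the wire and is matched server-side."""
    def __init__(self, template):
        self.template_hash = hashlib.sha256(template).digest()
    def authenticate(self, wire_message):
        # Nothing binds the message to a session, so a captured copy works again.
        return hmac.compare_digest(hashlib.sha256(wire_message).digest(), self.template_hash)

class Device:
    """Design B: the biometric never leaves the device; a local match unlocks a key."""
    def __init__(self, template, key):
        self._template, self._locked_key = template, key  # key lives in a secure element
    def respond(self, presented, challenge):
        if not hmac.compare_digest(presented, self._template):
            return None  # local match failed: key stays locked, nothing is sent
        return hmac.new(self._locked_key, challenge, hashlib.sha256).digest()

class ChallengeServer:
    def __init__(self, key):
        self._key, self._outstanding = key, set()  # key stands in for the device's public key
    def challenge(self):
        c = os.urandom(16)  # fresh, unpredictable, single-use
        self._outstanding.add(c)
        return c
    def verify(self, challenge, response):
        if challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def replay_against_remote_match():
    """True if a captured design-A message (the template itself) authenticates twice."""
    server = RemoteMatchServer(ENROLLED_TEMPLATE)
    return server.authenticate(ENROLLED_TEMPLATE) and server.authenticate(ENROLLED_TEMPLATE)

def replay_against_local_unlock():
    """(genuine_ok, replay_ok) for design B: the same transcript replayed fails."""
    server, device = ChallengeServer(DEVICE_KEY), Device(ENROLLED_TEMPLATE, DEVICE_KEY)
    c1 = server.challenge()
    r1 = device.respond(ENROLLED_TEMPLATE, c1)
    return server.verify(c1, r1), server.verify(c1, r1)
```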

  4. Ian Brown Says:

    I think ID management and remote attestation/trustworthy computing are and will remain two separate categories.

  5. Ian Brown Says:

    Why no mention of privacy, which is the most pressing issue in ID management? (If it wasn’t, you could simply tattoo ID numbers on everyone’s forehead and be done with it.)

    I think ID management itself is a misnomer; most applications are actually concerned with credential management, which is subtly but importantly different.

  6. Tom Fuller Says:

    You have support on your second comment from a security systems expert I spoke with yesterday who thinks IDM should be called something else. We are dealing with privacy in the next section of the report, which treats the wiki sections on anonymity, surveillance society, cctv and location-based services. Stay tuned…

  7. Tom Fuller Says:

    Hi all,

    Ian, in response to your comment 3, I think there are workarounds for this. A proximity alarm could just consist of an RFID chip and a text message to a mobile. You could rig a laptop to where if it cannot ping a host either on the person or a GPS locator it shuts down dead until reactivated at work.

    We do recommend using encrypted biometrics, which I think deals with your issue with that.

    The overall point we’re trying to make about identity management is that it’s so new that there are a lot of first-time situations that have to be dealt with in just this fashion, with many Ians bringing up possible problems and many Toms (hopefully much better Toms) saying, hmm, I think we could fix that in this fashion… and that this poses a hurdle for successful information assurance programmes.

  8. e5rebel Says:

    Seen this?

    New boss for government IT

    http://www.computerworlduk.com/management/government-law/public-sector/news/index.cfm?newsid=3863

  9. William Heath Says:

    I agree that ID management has become a counter-productive term. Also it mixes the personal/internal with the impersonal/external, like having a Department for Administration of Intimacy. I think credentials management sounds specific, neutral and helpful for that part of it.

  10. William Heath Says:

    Oh yes, I mean we didn’t see that article but we know all about the appointment of Alexis Cleveland. Best news I’ve heard for government IT for a long time. The Cabinet Office IT strategy is dry, centralised, authoritarian. But the Pensions Service chief exec is driven by what her customers need. She’s a long-standing public servant, right from within the IT profession. Exactly what “Transformational Government” needs. Hurrah.

  11. Mark Lizar Says:

    I have just picked up on this thread and am reading my way through. I haven’t seen much on transparency over IdM transactional activities. In the more sophisticated data environments of the future there is an expectation that Gov managed IdM would provide a great deal of transparency over the management and use of citizen-centric identity. Has something been written about this yet?

    Another set of burning questions.

    Is there anything written on standardizing the minimum and maximum levels of identification transparency needed in public life? For instance, when is it okay to be anonymous? When is it okay to be pseudo-anonymous? When is it necessary to be fully transparent and public?

    To slip another one in here, is there anything on setting limits and policies that work against function creep? This would go a long way to get trusted user-centric activities happening.

  12. Phil Booth Says:

    Toby Stevens wrote a very useful article on ‘identity management’, which I think we’re all agreed is becoming a very counterproductive term:

    http://www.bcs.org/server.php?show=ConWebDoc.11113

    As well as transparency, it might also be worth factoring in practical issues like liability, which we tried raising during the Parliamentary debate and to which we - to date - have received no meaningful response. If someone is managing something ‘on my behalf’ then what happens when/if their system/credential/process goes wrong? Sometimes the simple questions are the most illuminating.

    Trust ain’t a technical fix and, until the fundamentals (of which I’d argue privacy and liability are absolutely key) are agreed, discussion/predictions about specific platforms or technologies can wander all over the place. “Who pays when it breaks/screws up?” might focus a lot more attention on citizen risk, and force people to tease out more of the comparative strengths and weaknesses of various approaches.

    There are no 100% solutions, which the banks and business have understood for a long time - the sooner government gets sensible about this, the sooner I’ll believe they are serious about trust. I can guarantee you that one of the biggest impacts imaginable is the public failure of a system that purports to manage the identities of everyone in the land, regardless of which technologies you use.

    I can understand that government doesn’t want to talk about this in public, but if it still doesn’t have a compelling answer in private then it clearly doesn’t understand ‘impact’.

    Two final points: rather than encryption of biometrics for transmission (which I’d assume anyway) shouldn’t you be talking about Biometric Encryption [see Kim Cameron http://www.identityblog.com/?p=733]? Handing over my unique biometric identifiers as a once-in-a-lifetime event puts way too many of my eggs into someone else’s basket. BE is clearly an emergent technology, but one grounded in principles that make a lot more sense than virtually all of the biometric solutions I’ve seen touted to date.

    I actually think that one of the more important lines in your draft above is “The most successful systems rely on user input and verification of data” - NOT penalty-enforced (or, God forbid, charged-for) updates of personal info and compulsory registration. Find a way to help people create and maintain useful credentials - giving them ‘a number for dealing with government’, rather than the other way around - and many will. Build on what works, not what might, and you’ll end up with something more trustworthy, long-lasting and useful.

    It’s always handy to prove you can walk before you try to run…


Contributors to the Blindside wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Blindside as their source, and license the resulting work under the same terms.