Jan 10, 2011
The Nature of the Relationship, part 1
This is where the going gets tougher. The previous post here was about the different things we use to bodge our way around the minor inconvenience that you can’t actually prove anything about identity with absolute certainty (and it’s all even harder on the Internet). Accepting that we’re all just a collection of risks and uncertainties to be managed, and that we’ve got quite a few tricks (good and bad) at our disposal for doing so, we move towards an even knottier problem.
But to help us do this, let’s bring back Tortoise. Who is on a bit of a mission.
Tortoise: Achilles, Achilles—I’ve been reading all this waffly crap about online identity and I just want to get on with things.
Achilles: How so?
Tortoise: Screw it, fella. I just want my unique identifier now, please. I’ve got nothing to hide. I’m volunteering for you to strap everything you like on to me. Tie it to my old shell, big boy.
Achilles: You sure? Well, if it’s to make a bloody good point about what happens if you do—for the purposes of illustration—I’m game. You want it public or private?
Tortoise: How do you mean?
A: Do you want your identifier to be kept a secret that only you know about, or do you want it splashed everywhere in public?
T: Well, secret, I guess? Is it really a straight choice like that?
A: I’m afraid so. What type of things were you hoping to use it for?
T: Well, to log on to my local council services, naturally. And to see my health record. And to book a driving test. And to pay my taxes. And, and, and…
A: And you reckon that using this fiddly little string of numbers in what already adds up to hundreds of systems from that little list you’ve just given me means that number can be kept…secret? [raises a well-groomed Grecian eyebrow]
T: Fair point. So at some point I have to be ok with the fact that an abandoned hard disk…but surely encryption and good local security management policy will take care of that?…oh, wait, yeah, I see…I have to be ok with the fact that a big list of unique identifiers is going to wind up on Wikileaks or something like that eventually?
A: You do.
T: OK. I accept. I’m ok with that. After all, it’s just a string of fiddly little numbers. It’s not about me, the actual Tortoise that is me. Oh, or is it?
A: What do you think?
T: Well, I don’t really know. It could be. Or it might not be. If it isn’t, then is it really that much use? And if it is, I have this creeping feeling you’re about to show me cracking ice and swooping vultures. Hell’s bells, this has gone and got difficult already, hasn’t it? Why does this always happen? What’s the right answer, Achilles?
A: I guess it depends on whether you want to be identified as you, the real Tortoise, in all these transactions. And you do, don’t you? You have nothing to hide, remember?
T: Sure. But doesn’t that mean…oh I see what you’ve done, you clever bugger. You’ve let me neatly draw out the conclusion that the actual identifier is no great shakes, it’s what it’s attached to that really matters.
A: Quite. And as you’ve said that you’ve got nothing to hide, let’s take your Tortoise Insurance Number (TINO) and from henceforth make it the only identifier about you to be used anywhere in government. After all, lots of people keep banging on about how that must be the long-overdue common-sense solution to all this identity uncertainty. £1,500 please.
T: What? You’re going to charge me for giving me a number you’ve already given me?
A: No, don’t be absurd. This is just a one-off charge for all the migration work.
T: Migration?
A: Changing every single existing government system so they all sing and dance and recognise you off of this here TINO.
T: [Gulps] Is that strictly necessary?
A: Well, perhaps not. We could build some elaborate middleware and interfaces and yada yada yada. Might be a bit shonky and fall over from time to time. Or scramble your records with someone else’s. But you’re ok with that aren’t you. £1,500, remember?
T: It just all seems so expensive.
A: That’s because this is the real world, old son. I know when you were just out of the shell, you used to line up all the other tortoises and make up your own Little Tortoise Club stuff, giving everyone a secret name and a password?
T: Bloody hell – so I did. How did you know?
A: We all did. And it worked, didn’t it? You kept pretty strict records of, oh, a whole 10 individuals. Nothing leaked, nothing got mixed up, and it was all beautifully administered. And you used that as a mental model in your horny wee head of how identities and secrets and all that might work in the big world. But you know what, dear little chap? You were utterly wrong. This is a world of baddies, of fraudsters, of the incompetent and the helpless, of the excluded and the disabled. It’s a world of error, of approximation, of faults and mistakes. Lots of gritty reality that, if I’m honest, tends to bugger up enterprise-scale secrecyidentitysecurity systems faster than we can actually squeeze benefits out of them.
T: Lawks! Have you finished?
A: Yeah. But then I start again, and spend another £100m repeating all the mistakes I made last time. Just using a different firm of consultants. Boom boom!
T: So, to recap, I’ll be able to use my TINO wherever I like, accepting that at some point the relationship between it and me will come into the open somewhere, and that it provides a handy hook for anyone, anywhere, with or without me knowing, to hang whatever facts, associations or other metadata they like on me—which may be used against my interests to sell me stuff, compromise me or do loads of other bad things? And that I’ll be reliant on a panoply of passwords and other tokens to associate with my TINO to unlock the various doors that need unlocking in such a way that losing one of them doesn’t give the bad guys control of my entire life, but at the same time, a panoply that I will find easily manageable? I don’t see how that’s possible.
A: S’ok, my shelled friend. You have nothing to hide, remember?
T: I’m really not liking this much at all now. Is there an alternative to my ill-thought-through quick and dirty answer?
A: Why yes, there is. But we’ve just gone over 1,000 words, and according to the rules, that means waiting for the next post.
T: Oh, cloacas.
[…] This post was mentioned on Twitter by Paul Clarke. Paul Clarke said: Achilles and the Tortoise return, with Tortoise on a mission to use his TINO… http://rb.tl/fN2bXo #gov20 #identity […]
What makes me laugh a little is that I have a little card in front of me that is entitled “Government Gateway” with a long string of numbers on it called “My User ID”. I needed it for my tax issues online.
Even funnier is if I turn the card over, it states “Connecting you to Government”! http://www.gateway.gov.uk!
And it didn’t cost me anything! (Well, not directly!)
That Gateway User ID is an interesting beast. By definition, it has nothing to do with you. By itself. Registration for a Gateway ID is an insecure, unverified process. You can go and get another one now. So can I. At the last count I think I had 12. Nowhere on a government system is that ID referenced to me, the real me.
So, what does it do? Well, it allows you to attach “confirmed” relationships to it – think of them as secure keys on an insecure keyring. Once you’ve been through whatever a particular bit of government thinks is secure enough (that PIN in the post sent to your registered address with HMRC, for example) then you are “enrolled” into that service. Henceforth you can use the Gateway ID to access HMRC services – they recognise the link, but hold the relationship with you. The Gateway itself doesn’t.
This system of “Registration and Enrolment” superseded earlier attempts to “Register and Authenticate”, for reasons which I hope are self-evident from reading some of the posts. Disclosure: I was the Programme Office Manager on one of these earlier Gateway incarnations.
Certificates are also supported. It’s fair to say that the Gateway is more used by (and useful to?) businesses than individuals, and a greater number of these use certificates to use the Gateway.
I suppose it can be argued to have some advantages: theoretically a single user name and password which allow entry to lots of services. But it still requires additional processes to actually work, and the multiplicity of ID’s per person can be a problem. Take-up (by services) has been poor over ten years, which tells its own story.
The Gateway does some other things in connection with secure messaging between back-office systems, but this response focuses on the very interesting user-facing functions. I may do a separate piece just on this. Glad you raised it.
Wonderful stuff, Paul! As an old Philosophy student who now has to worry about these identity things, a Socratic dialogue about Gov Gateway has combined headches ancient and modern for me.
Please do a piece on Gateway – for me its biggest failing is the lack of a way to synchronise data in the various stores that an ID can unlock. You know, “tell us once”…Then again, having read this blog, maybe that’s its strength.
Well spotted. That’s exactly right ;)