honestlyreal

Achilles and the Tortoise do Identity Management

Achilles: I’ll make things cheaper and simpler for you, you’ll see. Then you’ll be happy. And richer. And so will I.

Tortoise: What?

Achilles: I’m going to give you a new unique identifier so you can have a better relationship, and do business, with me–your personification of government!

Tortoise: I don’t want one.

Achilles: Psst. *whispers* For the purpose of this dialogue, you do. OK? Now play along.

Tortoise: Fair enough. Where’s my identifier then?

Achilles: I can’t just give it to you. How do I know you’re you?

T: I’m Tortoise. Can’t you see?

A: But you could be any tortoise. Where’s your passport?

T: I haven’t got one. I’ve lost it, I mean.

A: For the purpose of this dialogue…

T: OK OK, here…

A: Thank you. Here’s your identifier.

T: What happens if I lose it? Can anyone else use it? And pretend to be me? And do all these things in my name?

A: Um, no. Of course not. This is secure.

T: Right… So how did I get my passport in the first place?

A: You sent in a birth certificate, and had someone else who’s got a passport to vouch for you. Don’t go there.

T: And assuming we weren’t face-to-face here, right now, in this dialogue–how would you send me the identifier?

A: In an envelope to your house.

T: What if somebody else got hold of it en route? Then they could pretend to be me online, no? Like really, really easily? That wouldn’t be good.

A: I’ll give it some thought (I probably won’t). For now, I’m just giving it to you.

T: OK, so I have this universal identifier (assuming I want one, and have a passport, and I haven’t fraudulently obtained it, and ignoring lots of other things that we can just regard as edge cases). So, what’s the universal identifier going to allow me to do?

A: Well, it means you can quite simply log in and find lots of information that’s been personalised about you–so instead of having to look at all the information available on bin collections, you can just see when your bin will be collected.

T: So, how will the online system know where I live?

A: Oh, simple, there’s this big database which holds everyone’s address along with their name…

T: But doesn’t that sort of mega-database tend not to work? I mean, who’s going to keep it updated? Surely people’s addresses change quite a lot? Having the right one there is going to be pretty important, no, if this is to be the One True Record?

A: OK, scrap that idea. Well, you can put in your own address if you like.

T: But what if I don’t put in the right address–if this is some kind of Master Record of me, Tortoise, isn’t that going to cause a bit of bother when you try to send me a tax demand–I mean, I might “accidentally” put in a gibberish address to stop you getting hold of me?

A: Ah. Good point. OK, forget all that–we won’t hold the address any more.

T: It’s still the Master Record about Tortoise, though? This is getting more complicated than I was expecting.

A: That’s because we’re stepping through a dialogue to show that it’s more complicated than everyone thinks it is. But nobody really likes to engage with the detail.

T: Ah, yes, of course. Carry on.

A: So with your universal identifier you have a simple way of getting in to your various accounts with government, all in one place, so that you can do things more easily.

T: I don’t really have ‘accounts’ as such–well, income tax, I suppose, and council tax, but that’s about it.

A: Yes, but you buy things sometimes, don’t you? Driving licences, and passports? And you pay parking fines sometimes, no?

T: Sure, but… oh, ok, I have these accounts, and because I can get into them all with the same identifier, which shows I’m definitely me (subject to all the reservations earlier), then things are easier and cheaper. Hang on a minute–if you put all my data in one basket doesn’t that mean that you’ve created a sort of super-record about me? You, as the personification of an initially benevolent but ultimately potentially totalitarian government, might want to keep all sorts of other information on that single record. I might not even be aware of half of it.

A: Ah, but if you’ve got nothing to hide…

T: Don’t go there. How big’s your “Gentleman’s javelin” again?

A: Right.

T: Right. And if someone gets access to my account, that’s an awful lot of personal data they’re going to be able to get hold of in one place. Is that wise?

A: We can put in all sorts of detailed access controls and permissions to make sure any one of the 12 million people with access to these systems only gets to see exactly what they’re supposed to.

T: Right you are. Hasn’t that sort of minor, niggling detail been one of the main reasons that such projects have consistently fallen on their arse over the last 20 years?

A: Possibly so–I tell you what–we’ll give YOU the ability to partition your data and decide who’s allowed to see what. This simple 59-screen control panel will allow you to do exactly that.

T: Hang on a minute–I have to go to enormous amounts of bother to administer something I might use once a year to check whether a council tax payment’s gone in? No thank you! I have enough trouble with my Facebook settings. Look, do we really have to have all this personal data stuff in there? It’s so risky–sod the convenience bit; there’s some things I really don’t mind logging in separately for.

A: OK, you’re right. It was worth a try. Tell you what–your account can just be one where you don’t keep any personal data–just things you choose to keep there. That takes a lot of the risk away, and you can use it to remember what sort of screen colours you like, who your local council is, that sort of thing. But…

T: But?

A: But you’ll have to get over the constant disappointment when you’re using it that we’ll never be able to take any of the data you put in there at face value, without checking it some other way, I mean.

T: Why not?

A: Because your account is either about the “real Tortoise” or it’s not. There’s no half-way house. We either do the sort of hard authentication you’d do with your bank so that you can move money around online, or we do the sort of self-asserted stuff you do when you buy, say, a bag of teabags online. We don’t really care who you are, as long as you pay us, and give us an address to send the tea to.

T: Why teabags?

A: Another story.

T: But that sort of “hard identity” stuff makes sense for things involving money–especially where someone might steal some from me (or steal details that would help them pretend to be me and get money diverted that should come to me). It just seems like complete overkill for finding out when my bins will be emptied.

A: Quite possibly–but you wanted all your government business in one place, didn’t you?

T: Did I?

A: I thought you did. Somebody did. All I hear about is “make government more like Amazon”, “make it all simply accessible in one place” blah blah blah. You mean that might not be the requirement?

T: So far, Achilles, we’ve piddled around changing the requirement through a massive spectrum of parameters including data richness, hardness of trust, ease of use, and personalisation. I’m beginning to suspect that people blithely use this concept of “easy access in one place” without actually thinking through what sort of requirement that implies in practice. Furthermore, this sort of woolly guff is likely to get lots of people spending years dicking about running pilots that won’t really go anywhere, testing technologies that are completely inappropriate, and listening to quite a lot of baloney from vendors who stand to make a great deal of money as long as such requirements are never actually bottomed out. What say you, Achilles?

A: Fuck. Rumbled.

(with apologies to Lewis Carroll, and especially Douglas Hofstadter)

You can read more whimsy from these two here.

Verification: I can’t even

I can’t even – and neither can they…

Yes folks, it’s back again! The Queen’s Speech today promises yet another Mumsnet/Mail pleasing crackdown on one-handed websurfing – age verification!

Ha, brilliant – so obvious – all we have to do to send the kids back to the era of damp grotmags in the bushes is do a bit of proving-who-you are when someone clicks their way to a nacky site. No proof, no nacky.

Couldn’t be easier!

So how are they going to make it work then?

Short answer: they can’t.

Longer answer: they’d have to solve the Big Problem, and also some Littler Problems.

The Big Problem is an ancient conundrum: how do you build a checking system that’s solid enough to be worth doing, but not so solid that it doesn’t immediately bugger up the life of someone who loses access to their digital self?

Solid example: imagine you have a password that will ‘prove’ who you are wherever you use it, to anyone (we gloss over here how that trust might actually be set up). Lovely! But anyone who nicks that from the Post-It on the side of your monitor can then start buggering up your life. So you add a special chip they have to hold at the same time, and a scan of their toeprints that has to match, and…and…you’ve got something that’s so clunky that no one will be able to use it reliably.

Less-solid example: you have to upload a paper document of some degree of ‘officialness’ – perhaps a driving licence or similar – or type in some reference number from it – and someone on the other end agrees to let you in. Cue instant exchange of document scans – anyone’s will do – and reference numbers between bulging-balled/clitted teens.

Or you could try and connect identity to payment; the “credit card as key” approach – cue even more bad things happening involving credit cards and real hard money.

So that’s the Big Problem: any system with very strong trust is a magnet for people who want to do bad things with it. And I’m not talking about watching-porn-bad-things. Because that’s not bad. But that’s a whole different (mass) debate.

But let’s assume we do want to have some system that’s worth doing: we have two options – build a central identity register (think of it as a single digital “you” that can be checked, tracked etc.) and have you prove your right to be identified as that person; or establish the trust in other ways.

Without rehashing all the central registry arguments – though you can check out Achilles & the Tortoise for a bit of light relief (tl;dr vulnerable to attack by undesirables, or misuse by a State gone Bad, all eggs in one basket) suffice to say that government thinking of late has steered away from such a thing. For now.

The alternative approach rests on a nice workaround: if you can prove who you are to organisations that already know about you – and they do their job to an agreed quality standard – then that trust can be taken, well, on trust by other services. Your bank went to huge amounts of trouble to find out who you were, so if they say you’re you, you probably are. And actually, for age verification, they don’t even need to say much about you to the porn-keepers – merely confirming that someone’s at the door with age >= 18 (or whatever) will do the job.

The great Dave Birch has done the most elegant job I’ve seen of describing how you’d do this.

All neat and compact and a whole lot less terrifying than having a great, groaning Database of Everyone sitting in a Cap Gemini data centre.

This is essentially what the government’s Verify programme of identity assurance is currently trying to do. It involves solving a number of Littler Problems.

– what sort of organisations know enough about enough of the population to be able to accurately and reliably work at the scale of millions of people?

– how good is their data, and might they have to ship in data from other sources to fill in any gaps?

– what’s in it for them? i.e. what’s the business model for them to do all these verifications?

– how’s everything going to be kept safe, and how can that be shown to everyone’s satisfaction?

– how much risk should we plan in? Identity is never ‘proven’ as such; merely claimed within an accepted range of risk. Otherwise systems would be unusable by normal humans, and break all the time.

– who picks up the bits when things go wrong? (which they will – no system is 100% safe) – this of course harks back to the Big Problem – if you really want a universal key to lots of services through a simple interface, have you also opened up a bottomless pit of liabilities when that trust is compromised?

and so on. Incidentally, all that while facing the spectre of individual government departments who have their own wide-ranging databases about us and who may continue to itch, as they’ve always itched, to use those databases to vet you against. Why rely on transferring trust from a third party when you can assure it in-house, they might say?

So that’s a crash through what’s involved as a result of today’s declarations. Not really that easy, huh?

Oh, and you do all of the above and you still have to do some incredible amounts of Whack-A-Mole to stop other porn sites springing up that you might not know about, and who might not give a stuff about these crazy UK requirements to prove age oh dear me hahahahaaaaa… That’s why it’s a “they can’t” overall – damn ‘inter’ bit in internet again. Gah!

Or maybe this isn’t about the porn sites at all – but about seizing control over everything that’s pumped out to us! HAH! You may choose your own favourite conspiracy at this point. (But yeah, quite possibly some elements aren’t mere conspiracy.)

You’ll hear people saying that other countries manage central registers, and why can’t we? You’ll hear people saying that we just need to trust the state a little more – and of course will someone think of the kids? You’ll hear armchair service designers telling you that it really isn’t all that difficult, and politicians saying “well of course we now hand this one to the clever technologists to implement; we know their grate branes will Find a Way…”

We’ll see, won’t we?

But as I say, don’t go thinking this is in any way real policy. It will keep a lid on tabloid outrage, hopefully, perhaps for a bit, just until something more distracting comes along.

Biting the bullet

Shall we just do it? Just build it and get this over with?

We have it anyway, don’t we? Just in a distributed and not-very-accountable way. So why not do it properly?

The stuff I wrote yesterday about registers is just a part of a vastly bigger story about information, people, and government.

[tl;dr of that piece: using ‘registers’ – lists of authoritative data – to make government services better has lots of benefits, and raises interesting questions]

It’s a story that’s so big it doesn’t really have a beginning, or an end. How we meet the needs of people, society, democracy, everything – with technology, data, organisations, everything.

So I’ll home straight in on one part. Probably the most sensitive registry of all would be a register of citizens. Of people. Of the entitled-to-vote. Of permanent residents. Yes, tricky, hey? Let’s just call it people.

The Promised Land of a canonical list of people sat (sits?) behind the for-the-moment-abandoned (I expect this to change/is changing!) concept of a national identity card.

It sits behind lots of other things too – either as the manifestation of the ultimate authoritarian state, or as the lubricant for a trillion safer, more secure, more efficient digital transactions. Depends on who you ask, what they’re trying to sell, and the weight they give to various arguments of logic, experience, ideology and emotion.

It’s hugely political, obviously. The argument that it is “poor civic hygiene” is usually high on the list of “why nots”. A future government may be in a position to do all sorts of terrible things to its people if it can track and target information very precisely at individual level, or even make people appear and disappear at will, through manipulating a central megadatabase.

(But Estonia!)

And that’s to say it’s even possible to procure, build and operate such a beast. The track record at this scale isn’t great.

(But Sweden!)

It’s so sensitive that registers of personal or sensitive data have been explicitly excluded from the current scope. Instead, Verify is doing sterling work to do digital identity checking through the use of third parties – essentially using what outside organisations know about people as a proxy for government’s knowledge, then accepting that trust as being good enough for subsequent interactions with government. A very neat, and widely welcomed, sidestep around the problems and concerns that bedevil a central people register. But it has limitations – you can use it to check facts about people, but you can’t write information back to it, or assemble a master list of people you could then sign up for electronic voting (or any other new thing you dreamed up).

(But Singapore!)

So none of this means that the clamour for a central people register has gone away. It never will. It’s what James Randi once described as an “unsinkable rubber duck.” An idea that no matter how many times you unpack it, debunk it, resolve it…will always bob back to the surface. It’s so tempting. The perfect answer for those who love hierarchy and are convinced that hard-edged systems can save the world. (But Estonia!)

Yes, yes, ok, Estonia etc. – there needs to be a better response available to the “But Estonians”. Your vulnerable minister and officials will be regularly swept over there to marvel at how all this digital identity and database stuff just…works. Nobody dies because of it, the tanks don’t roll in, there isn’t a monitoring screen in every house. I’ve asked a lot of people who should know about this stuff what the solid counter should be to the But Estonians. Curiously, I haven’t found one yet. Have you?

And then, I think – hang on, is any of this resistance actually meaningful?

We may not have a single people register, but we have lots of things that are a lot like it. You may be surprised by some of the questions you get asked when you use Verify. How did they know that? They know lots, really, those identity providers. That’s why they’re identity providers. They’ve spent years buying and integrating things about you. It helps commerce operate. But it’s private, opaque, unaccountable. Sure, it’s not government, but it’s still a thing.

Or what about the Police National Computer? Who knows how they refer to you? But they know things about you. Try getting stopped in the street by the cops and not showing any “ID” (don’t start me…) You’ll find some of their questions to you, and radio checking, pretty interesting too.

So whether it’s done through a single unique identifier (ooh – somebody said “just use the National Insurance Number!” DRINK!) or through the patchwork of private and occult registers, we live in a database state anyway. The infrastructure, and the surveillance powers, are already such that pretty much any bad consequence could already happen (is happening?). Data sharing work is developing apace. If one of the main concerns about a centralised people register is its vulnerability to attack, then those concerns apply to the private registers too, no? Ok, the prize is bigger, but still… The police manage to do it. Experian manage to do it.

Is all the protestation just for show, really – we attack the thing we’ll be able to see because we can’t attack the things we can’t?

My personal view on this (as a non-practising civilian with a lifelong interest in civic data) is that the central register has some benefits. But enormous risks. And that the risks scale faster than the benefits. You aggregate that much in one place and the consequences of error, or breach, or yes, totalitarianism, are unthinkable. So it’s a bad thing.

My friends Achilles and Tortoise teased out some of these issues for me a while ago.

But I’m not convinced I’m right. That would require a level of evidence I don’t have, or a level of ideology I find distasteful.

Help me out here – what would it really take to sink, or float, that rubber duck?

At least for a bit?

Know Me, Know Me Not
A featureless airport departures hall.

Behind the check-in desk, a large warrior stands, strip-lighting lending a pale lilac wash to his magnificent plumed helmet.

Half-way along the queue is a rather dishevelled Tortoise, surrounded by heavy bags.
Achilles (for he’s back again): Oi, Tortoise!

Tortoise [po-faced and unresponsive]

Achilles: I said, OI TORTOISE. YES. YOU. BACK THERE. TORTOISE. TORTOISE NP150417!

Tortoise: WTF? How do you know my number? Thought that was just between me and the hatchery?

Achilles: See this print-out of your markings? [holds up said print-out] Got this off of Google; on CheloniansOfNote.com it was. That’s you, isn’t it? Blotch, blotch, stripe, worn patch, shape that looks a bit like David Willetts’ head? Yes? Got a few other bits of info here too, to help me recognise you and the better to meet your every need.

T: Um, so I see. But how dare you…

A: Hang on, my horny-carapaced friend. Shuffle up to the front here. Let’s have a quiet word about this. [Tortoise makes the painfully slow journey to the head of the queue, nudging his bags one by one with his nose.] This is what you wanted, see?

T: WHAT?

A: You told us. You did. Well, not you individually, Tortoise NP150…

T: STOP IT!

A: Ok, ok. Well, collectively, our customers said things like “Hey Trojan Air, time to wake up to the new world and start treating us like people. We’re not just lumps of flesh with wallets. We want you to throw away all that stiff, corporate formality. Get to know us. Empower yourselves. Adapt. Use a bit of bloody initiative. See us for who we are.” So we have.

T: Yeah, but you can’t just go gathering information like that about me, without my permission. It’s like me shell’s been invaded. Horrible. Oi moi!

A: Don’t go getting classical on me: these characterisations are only pixel-deep. Now, look over there, now, at the SleazyJet desk. See that queue? Hundreds of them. Hot and knackered, they are. And going nowhere for a couple of hours yet. Now, I know, and the SleazyStaff know, that there’s a nice little waiting room round the back. With just one very comfy seat in it. And air-con. They can’t tell everyone, it’d get rammed. But see that woman just there? With the huge bump? Could drop any minute. You think it’s ok for the staff to, you know, use their bloody EYES to spot her, and offer her that seat? Or are you going to go all “no, no, they must know nothing, they must treat us all-equal-and-anonymous like”?

T: Well, I suppose that’s a bit different.

A: So it’s ok to use my bloody EYES to infer stuff about my customers, so’s I can make their service better, but it has to stop when I use, what? A computer? A phone? A database?

T: Now you come to mention it…

A: Because isn’t that where mechanical process (oh so twentieth century) stops, and service begins? When we start inferring? When we use one of the very few gifts that mankind seems to be blessed with – pattern recognition – to judge that if someone is cross-legged and hopping from foot to foot, it might be politic to proactively remind them where the loo is? To check on our systems so that their seventeen letters of complaint that they keep getting woken for meals when they’d rather sleep haven’t been an utter waste of time? To infer, beyond this, that similar awakenings for important matters of Shop-In-The-Sky sales might also receive an unfavourable response even though they haven’t actually WRITTEN TO US ABOUT THIS NOR GIVEN US EXPLICIT PERMISSION TO EVEN GUESS IT MIGHT MATTER TO THEM?

T: Steady on, old boy.

A: Sorry. Emotive stuff, this. Which is why this post is written as a dialogue – less confrontational that way. Where were we? Oh yes – look over there! PoshAir have got one of their regulars arriving. He’s a FTSE-100 Chairman, he is. Yeah, I know. Miserable and anonymous, grey and crumpled, to you and me. But to him? The Grand Kahoona. The Large Cheese. He wants to be recognised. And look again: by the sort of chance that only occurs in allegorical blog posts, he happens to be featured on the cover of this month’s Kahoona magazine over there on that newsstand. Now, shall we ask their staff to shield their eyes so that there is no prospect of them contaminating their green-field minds with this inarguably public-domain factuality of who the fuck he is?

T: Yeah, but it’s invasive. He might not want to be recognised.

A: Isn’t that a matter for their judgement? They are, remember, humans. Providing a service. Let’s at least hope they have some basic lightness of touch. They do not have to march up and shout “Mr Cheese great to have you back it has been 34 days and 2 hours since you flew with us shame about the collapse of the zinc deal in Bolivia your usual gin and valium then?” A mere “Mr Cheese, good to see you again. Let us know if you need anything” isn’t invasive. Invasive is ferreting through information that’s not public. Invasive is phoning people up or emailing them out of the blue, forcibly taking their time away. This stuff here is just observation, inference and discretion.

T: Ah, but it’s where it could all lead, innit. That dossier on me that you’ve got behind the desk…

A: Dossier? Ooooh how very Le Carré! You got that out of that article, didn’t you? One of many using lurid language to play on everyone’s fears about “where it could all lead”.

T: Call it what you will. You are reprocessing data and creating databases and riding a chariot and horses through the provisions of the Data Protection Act (1998). And you know it.

A: I am, and that’s a very fair challenge. I am struggling to justify it – hey, hang on, pass me your phone for a minute.

T: No bloody chance. You know enough about me already.

A: I just wanted a quick peep at your contacts book.

T: That’s none of your business.

A: And yet you download all these apps to your phone and give them permission to access what must be hundreds, maybe even more, personal records and upload them to Morin Towers and gods knows where else, and remind me at what point did you register yourself with the Information Commissioner let alone do any of that “seeking consent” hoo-ha?

T: Yeah, well, that’s for organisations. I’m just Tortoise.

A: Tortoise With A Talent, Ltd, according to my, erm, “dossier”. You still think the boundary between individual and organisation is that clear, and in any case serves as any sort of robust moral framework for this sort of issue about data responsibility? You still contend that the DPA (1998) is in any way fit for purpose for the world we now live in? A world of massive volunteered personal information? A world where even if you don’t put your own pics up somebody is going to tag your face and you will be able to do jack all about it and will just have to get over this unassailable fact?

T: I suppose. That’s all going to need clearing up when they refresh the Data Protection Act, innit?

A: Just. A. Bit. But in one final attempt to justify my creepy snooping, can I at least appeal to your libertarian side? It’s one thing to berate the state for acting like this, for gathering information and building megadatabases about individuals. Its civic hygiene may one day become suspect, its motivation potentially questionable, and it’s pretty hard to avoid. But this is a freaking airline. You don’t like what we do, if you think we’re creepy, then you’ll stop using us, and we’ll change the way we work to get you back again. Less of this Big Brother Watch angst; save that for those who really deserve it. Frankly Tortoise, there’s some cognitive dissonance going on here. I know (coz it says so in your dossier) that you hate all this state intervention stuff. You really want businesses to be able to do a good job with the very lightest hand of regulation ‘pon them. Now you’re making no sense with all this paranoid guff.

T: Ok, ok. The jig’s up. I guess what’s really going on is that a general, non-specific feeling of impending doom about personal data in the cloud (and in our hands/claws) is creating a toxic environment where any story that even touches on search, or social networks, or biometrics leads us to throw all common sense out of the window. I guess.

A&T: Oi moi! Ta’las! Tlê’môn!

The Nature of the Relationship, part 2

In which we look more deeply into that business of what an online trusted relationship actually means—over and above the mechanics of actually “proving” something about it to a particular degree.

New readers will probably want to read an introductory piece, a logical separation of issues relating to trust from those of identity relationship, and the post immediately preceding this one. (Keener-eyed regular readers may now be getting some clues as to what this oddity was all about.)

So we’ve found so far that some of the stuff we imagine should be quite simple, isn’t. A single log-in using one identifier to get to lots of services is a shaky concept. In theory, it should be fine (we can create models very easily in our minds of things that work like that and don’t cause much difficulty). But in practice it creates what—at national scale, or even at widespread local scale—quickly become data management and security nightmares. It leaves the way open for other things, perhaps unwanted, to be attached to that identifier, covertly or overtly. And, assuming that you provide a few different passwords or other tokens, or even add in some biometric checks to the mix (coz you wouldn’t want to lock all your possessions using just one type of key, would you?), you begin, very quickly, to make things very much more complex. And we’re trying to use online channels to simplify, save money and increase access, aren’t we?

There’s an inherent tension here: if the credentials you use are powerful enough to actually be trusted and useful, then they quickly become fraught with risk and unusability. I’d suggest that the risks scale faster than the benefits, which might account for the fact that a plain old general “account” type relationship with government hasn’t made much progress in well over a dozen years of (expensive) trying.

There are some twists too that come from the fact that it’s government we’re talking about here, not an online bookseller. We take a different view, as I wrote in the previous post, about business risks that attach to public sector transactions. Many people quite naturally think of government as one indivisible entity, even though many different agencies, people, standards, systems and contractors may be involved. That’s just reality. We want government to have an overall view of us as a whole when it suits us, for instance when changing name, address, or informing of a death (à la Tell Us Once programme), but on the other hand we don’t want everything too joined up. We really don’t. Contradictions, paradoxes, tensions…

A few other twists: because these services are public, we expect (and deserve) the very highest standards of accessibility. And, if we’re serious about building them as part of the infrastructure of life in the UK, having a decent quality connection to actually get to them is a good start. We’d like to have more options about where transactions are served—to have more flexible models of delivery so that government might offer an interface to its processing engine, allowing other bodies to run a user front-end. But we want to be absolutely sure we don’t create brand confusion, or create gaps that accountability can fall through. Contradictions, paradoxes…

Oh, just one more—if your bookseller stuffs up with your account, you go to another bookseller: there isn’t another government—how do you really think you’re going to get your data back? (There’s more, but this is just a quick glide through some of the reasons we can’t just take a completely standard ecommerce approach to this.)

But, and it’s a big but, many of these challenges arise if we’re trying to envisage an account-type relationship with government. We’re conditioned to do so. We’ve been trained. By customer relationship systems in the commercial sector—we have Amazon, Google, eBay and our bank accounts—and we even have an HMRC online tax account. It looks, and feels, a bit like any other financial service. Surely there’s nothing more natural than trying to extend this concept to accessing health records, to applying for things like licences, to making complex choices about social care? If you’re getting wary that an “account” is a bit of a conceptual stretch for something you do only once every ten years (bearing in mind what’s gone before in these posts about the problems with a “general purpose” relationship) then you’re probably right. But that’s another side-turning we might explore separately.

If, and I believe this to be true, the concept of a general citizen account—a governmental panopticon which stores, links and serves us a unified whole—lies out of our reach, whether for privacy, security, complexity or technical constraints (and combinations thereof), is there another way?

The answer, we hope, is yes. US and UK policy at the moment is bent on developing along these lines, anyway.

The concept behind this alternative, a trusted identity framework, is tricky. There’s a particularly good description here of some of the concepts involved, which I’m not going to attempt to rewrite for the moment, except to note that it contains useful concepts such as what I like to call “transferability of trust”: the ability to reuse an already-trusted relationship to do other things. A classic example: if you can log into your bank online, it’s seriously likely that the bank holds the correct address for you and can confirm it to somebody else. You don’t have to re-enter or re-prove it, but crucially, government doesn’t have to go through the business of verifying and processing it either.

But fragmenting the Nature of the Relationship like this is not without its problems. It doesn’t give us Tell Us Once (about changes of circumstances). Far from it—it deliberately compartmentalises an interaction so that just those bits which need to be proved, get proved. The eventual models of relationship that emerge are still being determined, I think—with relationships emerging that vary from entirely anonymous (though verified where needed) to increasingly rich with personal information. Maybe there is a Tell Us Once-type account at the bottom of the well, but I seriously doubt it. It’s all going to be a long and tricky journey.
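As an added illustration (it is not from the original post, and it is not any real scheme’s code), here is a minimal Python sketch of the two ideas above: an identity provider, standing in for the bank, signs an assertion carrying only the attributes a particular relying party asked for, and the subject identifier in that assertion is a pseudonym derived per relying party, so the same person looks different to each service and the identifier can’t be used as a universal hook to join records across government. Everything in it is assumed: the issuer name bank.example, the relying parties petitions.example and council.example, the keys, the claim names (address_verified, on_electoral_roll, date_of_birth) and the sample user record are all constructed. It uses HMAC-SHA256 with a key shared between the identity provider and each relying party, which is the simplest thing that runs from the standard library; a real federation would use asymmetric signatures so that a relying party can verify assertions but not mint them.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample data (not from the post): the identity provider's internal
# record for one person. Only the fields a relying party asks for are released.
IDP_USER_RECORD = {
    "internal_id": "user-0042",
    "address_verified": True,
    "on_electoral_roll": True,
    "date_of_birth": "1970-01-01",
}

# Secret used only inside the IdP to derive per-relying-party pseudonyms (assumed value).
PAIRWISE_SECRET = b"idp-pairwise-secret-demo"

# Assumed relying parties and the HMAC key each shares with the IdP. A real
# federation would use asymmetric keys so an RP can verify but not mint tokens.
RP_KEYS: Dict[str, bytes] = {
    "petitions.example": b"petitions-shared-key-demo",
    "council.example": b"council-shared-key-demo",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_subject(internal_id: str, audience: str) -> str:
    """Stable pseudonym for one person at one relying party.

    The same person gets a different subject at every RP, so the subject
    cannot be used to join records across services; only the IdP can link them.
    """
    mac = hmac.new(PAIRWISE_SECRET, f"{internal_id}|{audience}".encode(), hashlib.sha256)
    return _b64url(mac.digest()[:16])


def issue_assertion(record: dict, audience: str, claims: List[str],
                    now: int, ttl: int = 300) -> str:
    """IdP side: build and sign a token carrying only the requested claims."""
    payload = {
        "iss": "bank.example",          # assumed issuer name
        "aud": audience,                # the one RP this token is valid for
        "sub": pairwise_subject(record["internal_id"], audience),
        "iat": now,
        "exp": now + ttl,
    }
    for name in claims:                 # minimal disclosure: nothing else is copied
        payload[name] = record[name]
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(RP_KEYS[audience], body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_assertion(token: str, audience: str, now: int) -> Optional[dict]:
    """RP side: return the claims only if signature, audience and expiry all check out."""
    try:
        body, sig = token.split(".")
        presented = _unb64url(sig)
        expected = hmac.new(RP_KEYS[audience], body.encode("ascii"), hashlib.sha256).digest()
    except (ValueError, KeyError):      # malformed token or unknown relying party
        return None
    if not hmac.compare_digest(presented, expected):   # constant-time comparison
        return None
    payload = json.loads(_unb64url(body))              # body is authentic past this point
    if payload.get("aud") != audience:                 # token was minted for another RP
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_assertion(IDP_USER_RECORD, "petitions.example", ["on_electoral_roll"], now)
    print(verify_assertion(token, "petitions.example", now))
    print(verify_assertion(token, "council.example", now))   # None: wrong audience
```

The relying party rejects an assertion whose signature doesn’t match, one that was issued for a different relying party, or one that has expired, and the date_of_birth field never reaches a service that didn’t ask for it. Note what this deliberately doesn’t give you: because the subject differs per service, nobody outside the identity provider can tell that the petitions user and the council user are the same person, which is exactly why there is no Tell Us Once at the end of it.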

I might bring back the Greek and his pet for a play with a trusted identity framework later. Might. This is heavy going ;)

The Nature of the Relationship, part 1

This is where the going gets tougher. The previous post here was about the different things we use to bodge our way around the minor inconvenience that you can’t actually prove anything about identity with absolute certainty (and it’s all even harder on the Internet). Accepting that we’re all just a collection of risks and uncertainties to be managed, and that we’ve got quite a few tricks (good and bad) at our disposal for doing so, we move towards an even knottier problem.

But to help us do this, let’s bring back Tortoise. Who is on a bit of a mission.

Tortoise: Achilles, Achilles—I’ve been reading all this waffly crap about online identity and I just want to get on with things.

Achilles: How so?

Tortoise: Screw it, fella. I just want my unique identifier now, please. I’ve got nothing to hide. I’m volunteering for you to strap everything you like on to me. Tie it to my old shell, big boy.

Achilles: You sure? Well, if it’s to make a bloody good point about what happens if you do—for the purposes of illustration—I’m game. You want it public or private?

Tortoise: How do you mean?

A: Do you want your identifier to be kept a secret that only you know about, or do you want it splashed everywhere in public?

T: Well, secret, I guess? Is it really a straight choice like that?

A: I’m afraid so. What type of things were you hoping to use it for?

T: Well, to log on to my local council services, naturally. And to see my health record. And to book a driving test. And to pay my taxes. And, and, and…

A: And you reckon that using this fiddly little string of numbers in what already adds up to hundreds of systems from that little list you’ve just given me means that number can be kept…secret? [raises a well-groomed Grecian eyebrow]

T: Fair point. So at some point I have to be ok with the fact that an abandoned hard disk…but surely encryption and good local security management policy will take care of that?…oh, wait, yeah, I see…I have to be ok with the fact that a big list of unique identifiers is going to wind up on Wikileaks or something like that eventually?

A: You do.

T: OK. I accept. I’m ok with that. After all, it’s just a string of fiddly little numbers. It’s not about me, the actual Tortoise that is me. Oh, or is it?

A: What do you think?

T: Well, I don’t really know. It could be. Or it might not be. If it isn’t, then is it really that much use? And if it is, I have this creeping feeling you’re about to show me cracking ice and swooping vultures. Hell’s bells, this has gone and got difficult already, hasn’t it? Why does this always happen? What’s the right answer, Achilles?

A: I guess it depends on whether you want to be identified as you, the real Tortoise, in all these transactions. And you do, don’t you? You have nothing to hide, remember?

T: Sure. But doesn’t that mean…oh I see what you’ve done, you clever bugger. You’ve let me neatly draw out the conclusion that the actual identifier is no great shakes, it’s what it’s attached to that really matters.

A: Quite. And as you’ve said that you’ve got nothing to hide, let’s take your Tortoise Insurance Number (TINO) and from henceforth make it the only identifier about you to be used anywhere in government. After all, lots of people keep banging on about how that must be the long-overdue common-sense solution to all this identity uncertainty. £1,500 please.

T: What? You’re going to charge me for giving me a number you’ve already given me?

A: No, don’t be absurd. This is just a one-off charge for all the migration work.

T: Migration?

A: Changing every single existing government system so they all sing and dance and recognise you off of this here TINO.

T: [Gulps] Is that strictly necessary?

A: Well, perhaps not. We could build some elaborate middleware and interfaces and ting. Might be a bit shonky and fall over from time to time. Or scramble your records with someone else’s. But you’re ok with that aren’t you. £1,500, remember?

T: It just all seems so expensive.

A: That’s because this is the real world, old son. I know when you were just out of the shell, you used to line up all the other tortoises and make up your own Little Tortoise Club stuff, giving everyone a secret name and a password?

T: Bloody hell – so I did. How did you know?

A: We all did. And it worked, didn’t it? You kept pretty strict records of, oh, a whole 10 individuals. Nothing leaked, nothing got mixed up, and it was all beautifully administered. And you used that as a mental model in your horny wee head of how identities and secrets and all that might work in the big world. But you know what, dear little chap? You were utterly wrong. This is a world of baddies, of fraudsters, of the incompetent and the helpless, of the excluded and the disabled. It’s a world of error, of approximation, of faults and mistakes. Lots of gritty reality that, if I’m honest, tends to bugger up enterprise-scale secrecyidentitysecurity systems faster than we can actually squeeze benefits out of them.

T: Lawks! Have you finished?

A: Yeah. But then I start again, and spend another £100m repeating all the mistakes I made last time. Just using a different firm of consultants. Boom boom!

T: So, to recap, I’ll be able to use my TINO wherever I like, accepting that at some point the relationship between it and me will come into the open somewhere, and that it provides a handy hook for anyone, anywhere, with or without me knowing, to hang whatever facts, associations or other metadata they like on me—which may be used against my interests to sell me stuff, compromise me or do loads of other bad things? And that I’ll be reliant on a panoply of passwords and other tokens to associate with my TINO to unlock the various doors that need unlocking in such a way that losing one of them doesn’t give the bad guys control of my entire life, but at the same time, a panoply that I will find easily manageable? I don’t see how that’s possible.

A: S’ok, my shelled friend. You have nothing to hide, remember?

T: I’m really not liking this much at all now. Is there an alternative to my ill-thought-through quick and dirty answer?

A: Why yes, there is. But we’ve just gone over 1,000 words, and according to the rules, that means waiting for the next post.

T: Oh, cloacas.

Petitions and democracy

Tortoise: Y’know Achilles, when we were last talking about this identity business we got into all sorts of hot water very quickly in trying to find ways to use a definitive identity to do governmenty things on the Internet. But I’ve found a brilliant use for one this morning!

Achilles: Really? What’s that then?

Tortoise: Well – this new idea to transform our democratic participation by cutting a swathe through centuries of saggy old unsexy representative democracy and allowing us, through the power of the Interwebs, to have our say directly about what does and doesn’t get gamed into the Parliamentary timetable.

Achilles: Gamed?

Tortoise: I mean, debated. Sorry. We haven’t got to that bit yet, have we?

Achilles: And it’s also a great excuse for some cheap headlines about the X-factor, isn’t it?

T: Naturally.

A: So what have you read?

T: That this new petitiony thing is coming in and it will let you band together in a free and open way and get really popular people’s choices some proper Parliamentary time.

A: And will this change anything?

T: Dunno. But giving the important stuff some proper Parliamentary time has got to be a good thing in itself, hasn’t it? Especially stuff which is bound to be based on issues that get people to join their voices together, really quickly, using the Internet? Oh…

A: Indeed. But you mentioned something about identity?

T: Yeah. But aren’t you meant to be the personification of the State in these dialogues?

A: I am. Sorry. That’s what happens when you start to mess around with the model of who really holds the power, hey? Just my little joke. Sorry.

T: Accepted.

A: So. Tortoise. I have realised that with this direct democracy business it’s pretty important that we only hear from those from whom we should hear. If you get my drift. So, if you’re not on the electoral roll, I’m sorry, your voice has no place here.

T: Couldn’t agree more.

A: So, are you on the electoral roll then?

T: Is that it? Is that the test – you ask me, and I say I am, and then my voice gets heard? Is that all?

A: It’s what happens when you vote in a polling station, pretty much. There’s nothing by way of a very rigorous identity check, is there? Got a little piece of card, you vote. Not got one, you say your name, my guys check it’s on a big paper list, you vote. What’s the difference?

T: Have you heard of channel friction, Achilles?

A: Yes, I had a touch of that when Agamemnon stuck his javelin… What do you mean, Tortoise?

T: Well, it’s a bit weak to say that just because something works one way in the physical world then its online analogue must be just the same. There’s a certain amount of bother involved in diddling votes down the polling station. You have to queue up, you might see someone who knows you and says “Hi Tortoise!” just as you’re squeaking “I’m Mr Mouse” to the teller, and you can only get away with it once in the same place or you’re really asking for trouble. That all takes time and effort. Think of it as a kind of ‘friction’ associated with the physical voting approach that sort of acts as a check on all the other bad things that might happen. It’s not perfect, but it’s worked just about well enough for quite a while now.

A: Whereas the Internet is very much a frictionless channel, isn’t it? Hmm. It would seem, Tortoise, that those who want to create mischief or subvert the democratic process can do so easily, at great speed, in great fictitious numbers and all without having to leave their bedroom and feign an honest face to the bobby looming at the school doorway. Yes, I see your point.

T: You’re getting there…

A: We’d better stiffen it up then. I need, Tortoise, for you to prove, online, that you are the same Tortoise who is on my electoral roll. Otherwise this whole petitiony thing is quickly going to descend into discredited chaos. (If I’m not to quietly drop the bit about electoral roll verification, that is, hem hem.)

T: And how are you going to do that then?

A: Well, I tell you what – I’ll build this massive database which has a unique identifier associated with every person who appears on the electoral roll, and then I will, having verified through the physical examination of something like your passport, securely give you that identifier and some associated credentials…oh bollocks. We’re here again, aren’t we?

T: I’m afraid so.

A: And we haven’t even got to the bit where any attempt at online democratic participation is going to be holed below the waterline morally, and possibly legally, when so much of our population doesn’t have decent Internet access anyway?

T: I’m glad you got there before Cyberdoyle did.

A: Quite. One for a future conversation?

T: With pleasure.