Five questions for Identity Assurance


We’re getting closer to the launch of the government’s “identity assurance” (IDA) service – providing a way of confirming that people are who they say they are online, when they interact with government services.

There’s much on the IDA team’s blog about progress to date, and much to like. Such as the upfront decision to separate the confirmation of identity bit from what government’s there to do, and to open up a choice of identity providers (IDPs) who’ll be able to offer different ways of creating and using an online identity.

But there’s still too much that isn’t clear about the scheme. And given its importance – it will be essential if there’s going to be a major improvement in transactional services – here’s some of the detail I’d like to see:

1. how does it actually work? (and I don’t mean at the theoretical level described in the “Good practice guides”, but using real examples of real services, processes and data) It’s all well and good saying that I will be able to choose an identity provider, and be able to set up a trusted relationship with them online…but what’s actually going on to make this happen, and to support me once it has? How will they know I am who I say I am? Will they have access to something that only I would know, and if so, what? If they’re an organisation I’ve never (knowingly) had any dealings with before, what will they know about me? If they’re a new entrant to the identity provision market (as some in the running are) – where are they getting their sources to do checks? And, as ever, what’s being passed around to whom, how’s it held, secured, indexed…and all the rest of the usual, essential hygiene issues around personal data?

I have a feeling that as these details emerge we could be in for some interesting food for thought about what information is being shared by whom. But best we start to see some real examples so we can get our heads round it, and to make sure we’re comfortable with who knows what about us. Given we’re dealing with that most treasured currency of all – personal data – I think we need much more transparency about what’s being proposed. And we’ll only have realistic scrutiny if there are realistic proposals to chew on.

2. will government department x actually hand off the responsibility for identity confirmation to identity provider y? This has to happen for the service to work as intended, yet it has big implications for the accountability of delivery. Will heads of service still take responsibility if things go wrong in the checking process, or if they find they’re transacting with fraudulent or misidentified accounts? Who does the service user contact to fix things that go wrong, now that more than one organisation is involved?

Make no mistake, I’d absolutely love to see it happen – so I’d be reassured if a government department made a clear statement of this intention and, furthermore, that it no longer intends (or needs) to operate its own version of identity checking in favour of that provided by an IDP. It’s relatively easy to do new, parallel things in government. But confirmation that there’s actually been a change is usually only provided by stopping doing an old, superfluous thing.

3. following on from that, how will the service be paid for? The IDPs aren’t in it out of the goodness of their hearts – how are they incentivised, how can we have assurance that they’re being paid a fair rate, and what’s the outcome for them financially if they get things wrong, or provide a poor quality service in some other way?

4. who’s watching what I do? We live in sensitive times – aware that beady eyes are watching all that we do online. Who will be watching our transactional exchanges – as we’re identified, and then as we go on to use services? One of the big selling points of using a layer of IDPs independent of government was that there’d be no creation of a vast, centralised database of identity and activity. What’s the assurance that such data capture isn’t happening anyway – creating just such a central viewpoint, albeit one in which lots of separate things connected to us are being indexed together?

5. and lastly – where’s the big picture here? Where’s all this going? Will an identity be reusable across more and more services? What will happen when services require different levels of assurance? (For example, an identity created using some basic checks to access a relatively insecure look-up service might need to be ‘strengthened’ to access something that’s more complex in terms of money or confidentiality. How?) How clear will it be to the user what level of trust they’ve achieved using a particularly identity?

And if more and more services can be accessed using the same online identity, doesn’t that create the “all eggs in one basket” problem, as well as creating a virtual single “person” that government’s dealing with – reviving lots of the problems that IDA is designed to avoid? Are we expecting people to try and reuse the same identity as much as possible, or to create a few at different levels of trust, or to start from scratch every time they touch a new service? If there’s the ability to reuse an existing trust relationship (for example with a bank or a mobile phone company) what effect might that have on fair competition for new customers? And how will government in general address the lack of provision of an IDA option as IDA’s use becomes more widespread. Customer expectation is going to rise (as it should for any useful, improved service) and at some point it’s going to become unacceptable for an area of government even to try using a non-IDA verification method. Or has that already happened?

They’re tricky questions and, as ever, not complete nor perfectly phrased. Please do comment with anything else you’d like to know more about. But I’d really like the IDA team in GDS to share much more of their thinking in these areas – and where there are still details to be ironed out, to be open about them. This will lead to more robust solutions, less uncertainty about the myth and reality of what’s planned, and a lot of external help in planning for and addressing the issues that will inevitably surface when millions of transactions are being supported by IDA.

UPDATE 23 Jan: The Identity Assurance team have published a blog post that gets into more detail on some of these issues, and points to a number of posts to come, on issues ranging from user research to the outcomes of a private beta that will apply identity assurance to two specific “exemplar” services – HMRC’s PAYE and DVLA’s “view driving record” services.

Achilles and the Tortoise do Identity Management

Achilles: I’ll make things cheaper and simpler for you, you’ll see. Then you’ll be happy. And richer. And so will I.

Tortoise: What?

Achilles: I’m going to give you a new unique identifier so you can have a better relationship, and do business, with me–your personification of government!

Tortoise: I don’t want one.

Achilles: Psst. *whispers* For the purpose of this dialogue, you do. OK? Now play along.

Tortoise: Fair enough. Where’s my identifier then?

Achilles: I can’t just give it to you. How do I know you’re you?

T: I’m Tortoise. Can’t you see?

A: But you could be any tortoise. Where’s your passport?

T: I haven’t got one. I’ve lost it, I mean.

A: For the purpose of this dialogue…

T: OK OK, here…

A: Thank you. Here’s your identifier.

T: What happens if I lose it? Can anyone else use it? And pretend to be me? And do all these things in my name?

A: Um, no. Of course not. This is secure.

T: Right… So how did I get my passport in the first place?

A: You sent in a birth certificate, and had someone else who’s got a passport to vouch for you. Don’t go there.

T: And assuming we weren’t face-to-face here, right now, in this dialogue–how would you send me the identifier?

A: In an envelope to your house.

T: What if somebody else got hold of it en route? Then they could pretend to be me online, no? Like really, really easily? That wouldn’t be good.

A: I’ll give it some thought (I probably won’t). For now, I’m just giving it to you.

T: OK, so I have this universal identifier (assuming I want one, and have a passport, and I haven’t fraudulently obtained it, and ignoring lots of other things that we can just regard as edge cases). So, what’s the universal identifier going to allow me to do?

A: Well, it means you can quite simply log in and find lots of information that’s been personalised about you–so instead of having to look at all the information available on bin collections, you can just see when your bin will be collected.

T: So, how will the online system know where I live?

A: Oh, simple, there’s this big database which holds everyone’s address along with their name…

T: But doesn’t that sort of mega-database tend not to work? I mean, who’s going to keep it updated? Surely people’s addresses change quite a lot? Having the right one there is going to be pretty important, no, if this is to be the One True Record?

A: OK, scrap that idea. Well, you can put in your own address if you like.

T: But what if I don’t put in the right address–if this is some kind of Master Record of me, Tortoise, isn’t that going to cause a bit of bother when you try to send me a tax demand–I mean, I might “accidentally” put in a gibberish address to stop you getting hold of me?

A: Ah. Good point. OK, forget all that–we won’t hold the address any more.

T: It’s still the Master Record about Tortoise, though? This is getting more complicated than I was expecting.

A: That’s because we’re stepping through a dialogue to show that it’s more complicated than everyone thinks it is. But nobody really likes to engage with the detail.

T: Ah, yes, of course. Carry on.

A: So with your universal identifier you have a simple way of getting in to your various accounts with government, all in one place, so that you can do things more easily.

T: I don’t really have ‘accounts’ as such–well, income tax, I suppose, and council tax, but that’s about it.

A: Yes, but you buy things sometimes, don’t you? Driving licences, and passports? And you pay parking fines sometimes, no?

T: Sure, but… oh, ok, I have these accounts, and because I can get into them all with the same identifier, which shows I’m definitely me (subject to all the reservations earlier), then things are easier and cheaper. Hang on a minute–if you put all my data in one basket doesn’t that mean that you’ve created a sort of super-record about me? You, as the personification of an initially benevolent but ultimately potentially totalitarian government, might want to keep all sorts of other information on that single record. I might not even be aware of half of it.

A: Ah, but if you’re got nothing to hide…

T: Don’t go there. How big’s your “Gentleman’s javelin” again?

A: Right.

T: Right. And if someone gets access to my account, that’s an awful lot of personal data they’re going to be able to get hold of in one place. Is that wise?

A: We can put in all sorts of detailed access controls and permissions to make sure any one of the 12 million people with access to these systems only gets to see exactly what they’re supposed to.

T: Right you are. Hasn’t that sort of minor, niggling detail been one of the main reasons that such projects have consistently fallen on their arse over the last 20 years?

A: Possibly so–I tell you what–we’ll give YOU the ability to partition your data and decide who’s allowed to see what. This simple 59-screen control panel will allow you to do exactly that.

T: Hang on a minute–I have to go to enormous amounts of bother to administer something I might use once a year to check whether a council tax payment’s gone in? No thank you! I have enough trouble with my Facebook settings. Look, do we really have to have all this personal data stuff in there? It’s so risky–sod the convenience bit; there’s some things I really don’t mind logging in separately for.

A: OK, you’re right. It was worth a try. Tell you what–your account can just be one where you don’t keep any personal data–just things you choose to keep there. That takes a lot of the risk away, and you can use it to remember what sort of screen colours you like, who your local council is, that sort of thing. But…

T: But?

A: But you’ll have to get over the constant disappointment when you’re using it that we’ll never be able to take any of the data you put in there at face value, without checking it some other way, I mean.

T: Why not?

A: Because your account is either about the “real Tortoise” or it’s not. There’s no half-way house. We either do the sort of hard authentication you’d do with your bank so that you can move money around online, or we do the sort of self-asserted stuff you do when you buy, say, a bag of teabags online. We don’t really care who you are, as long as you pay us, and give us an address to send the tea to.

T: But that sort of “hard identity” stuff makes sense for things involving money–especially where someone might steal some from me (or steal details that would help them pretend to be me and get money diverted that should come to me). It just seems like complete overkill for finding out when my bins will be emptied.

A: Quite possibly–but you wanted all your government business in one place, didn’t you?

T: Did I?

A: I thought you did. Somebody did. All I hear about is “make government more like Amazon”, “make it all simply accessible in one place” blah blah blah. You mean that might not be the requirement?

T: So far, Achilles, we’ve piddled around changing the requirement through a massive spectrum of parameters including data richness, hardness of trust, ease of use, and personalisation. I’m beginning to suspect that people blithely use this concept of “easy access in one place” without actually thinking through what sort of requirement that implies in practice. Furthermore, this sort of woolly guff is likely to get lots of people spending years dicking about running pilots that won’t really go anywhere, testing technologies that are completely inappropriate, and listening to quite a lot of baloney from vendors who stand to make a great deal of money as long as such requirements are never actually bottomed out. What say you, Achilles?

A: Fuck. Rumbled.

(with apologies to Lewis Carroll, and especially Douglas Hofstadter)

You can read more whimsy from these two here.

Verification: I can’t even

I can’t even – and neither can they…

Yes folks, it’s back again! The Queen’s Speech today promises yet another Mumsnet/Mail pleasing crackdown on one-handed websurfing – age verification!

Ha, brilliant – so obvious – all we have to do to send the kids back to the era of damp grotmags in the bushes is do a bit of proving-who-you are when someone clicks their way to a nacky site. No proof, no nacky.

Couldn’t be easier!

So how are they going to make it work then?

Short answer: they can’t.

Longer answer: they’d have to solve the Big Problem, and also some Littler Problems.

The Big Problem is an ancient conundrum: how do you build a checking system that’s solid enough to be worth doing, but not so solid that it doesn’t immediately bugger up the life of someone who loses access to their digital self?

Solid example: imagine you have a password that will ‘prove’ who you are wherever you use it, to anyone (we gloss over here how that trust might actually be set up). Lovely! But anyone who nicks that from the Post-It on the side of your monitor can then start buggering up your life. So you add a special chip they have to hold at the same time, and a scan of their toeprints that has to match, and…and…you’ve got something that’s so clunky that no one will be able to use it reliably.

Less-solid example: you have to upload a paper document of some degree of ‘officialness’ – perhaps a driving licence or similar – or type in some reference number from it – and someone on the other end agrees to let you in. Cue instant exchange of document scans – anyone’s will do – and reference numbers between bulging-balled/clitted teens.

Or you could try and connect identity to payment; the “credit card as key” approach – cue even more bad things happening involving credit cards and real hard money.

So that’s the Big Problem: any system with very strong trust is a magnet for people who want to do bad things with it. And I’m not talking about watching-porn-bad-things. Because that’s not bad. But that’s a whole different (mass) debate.

But let’s assume we do want to have some system that’s worth doing: we have two options – build a central identity register (think of it as a single digital “you” that can be checked, tracked etc.) and have you prove your right to be identified as that person; or establish the trust in other ways.

Without rehashing all the central registry arguments – though you can check out Achilles & the Tortoise for a bit of light relief (tl;dr vulnerable to attack by undesirables, or misuse by a State gone Bad, all eggs in one basket) suffice to say that government thinking of late has steered away from such a thing. For now.

The alternative approach rests on a nice workaround: if you can prove who you are to organisations that already know about you – and they do their job to an agreed quality standard – then that trust can be taken, well, on trust by other services. Your bank went to huge amounts of trouble to find out who you were, so if they say you’re you, you probably are. And actually, for age verification, they don’t even need to say much about you to the porn-keepers – merely confirming that someone’s at the door with age >= 18 (or whatever) will do the job.

The great Dave Birch has done the most elegant job I’ve seen of describing how you’d do this.

All neat and compact and a whole lot less terrifying than having a great, groaning Database of Everyone sitting in a Cap Gemini data centre.

This is essentially what the government’s Verify programme of identity assurance is currently trying to do. It involves solving a number of Littler Problems.

– what sort of organisations know enough about enough of the population to be able to accurately and reliably work at the scale of millions of people?

– how good is their data, and might they have to ship in data from other sources to fill in any gaps?

– what’s in it for them? i.e. what’s the business model for them to do all these verifications?

– how’s everything going to be kept safe, and how can that be shown to everyone’s satisfaction?

– how much risk should we plan in? Identity is never ‘proven’ as such; merely claimed within an accepted range of risk. Otherwise systems would be unusable by normal humans, and break all the time.

– who picks up the bits when things go wrong? (which they will – no system is 100% safe) – this of course harks back to the Big Problem – if you really want a universal key to lots of services through a simple interface, have you also opened up a bottomless pit of liabilities when that trust is compromised?

and so on. Incidentally, all that while facing the spectre of individual government departments who have their own wide-ranging databases about us and who may continue to itch, as they’ve always itched, to use those databases to vet you against. Why rely on transferring trust from a third party when you can assure it in-house, they might say?

So that’s a crash through what’s involved as a result of today’s declarations. Not really that easy, huh?

Oh, and you do all of the above and you still have to do some incredible amounts of Whack-A-Mole to stop other porn sites springing up that you might not know about, and who might not give a stuff about these crazy UK requirements to prove age oh dear me hahahahaaaaa… That’s why it’s a “they can’t” overall – damn ‘inter’ bit in internet again. Gah!

Or maybe this isn’t about the porn sites at all – but about seizing control over everything that’s pumped out to us! HAH! You may choose your own favourite conspiracy at this point. (But yeah, quite possibly some elements aren’t mere conspiracy.)

You’ll hear people saying that other countries manage central registers, and why can’t we? You’ll hear people saying that we just need to trust the state a little more – and of course will someone think of the kids? You’ll hear armchair service designers telling you that it really isn’t all that difficult, and politicians saying “well of course we now hand this one to the clever technologists to implement; we know their grate branes will Find a Way…”

We’ll see, won’t we?

But as I say, don’t go thinking this is in any way real policy. It will keep a lid on tabloid outrage, hopefully, perhaps for a bit, just until something more distracting comes along.

Biting the bullet

Shall we just do it? Just build it and get this over with?

We have it anyway, don’t we? Just in a distributed and not-very-accountable way. So why not do it properly?

The stuff I wrote yesterday about registers is just a part of a vastly bigger story about information, people, and government.

[tl;dr of that piece: using ‘registers’ – lists of authoritative data – to make government services better has lots of benefits, and raises interesting questions]

It’s a story that’s so big it doesn’t really have a beginning, or an end. How we meet the needs of people, society, democracy, everything – with technology, data, organisations, everything.

So I’ll home straight in on one part. Probably the most sensitive registry of all would be a register of citizens. Of people. Of the entitled-to-vote. Of permanent residents. Yes, tricky, hey? Let’s just call it people.

The Promised Land of a canonical list of people sat (sits?) behind the for-the-moment-abandoned (I expect this to change/is changing!) concept of a national identity card.

It sits behind lots of other things too – either as the manifestation of the ultimate authoritarian state, or as the lubricant for a trillion safer, more secure, more efficient digital transactions. Depends on who you ask, what they’re trying to sell, and the weight they give to various arguments of logic, experience, ideology and emotion.

It’s hugely political, obviously. The argument that it is “poor civic hygiene” is usually high on the list of “why nots”. A future government may be in a position to do all sorts of terrible things to its people if it can track and target information very precisely at individual level, or even make people appear and disappear at will, through manipulating a central megadatabase.

(But Estonia!)

And that’s to say it’s even possible to procure, build and operate such a beast. The track record at this scale isn’t great.

(But Sweden!)

It’s so sensitive that registers of personal or sensitive data have been explicitly excluded from the current scope. Instead, Verify is doing sterling work to do digital identity checking through the use of third parties – essentially using what outside organisations know about people as a proxy for government’s knowledge, then accepting that trust as being good enough for subsequent interactions with government. A very neat, and widely welcomed, sidestep around the problems and concerns that bedevil a central people register. But it has limitations – you can use it to check facts about people, but you can’t write information back to it, or assemble a master list of people you could then sign up for electronic voting (or any other new thing you dreamed up).

(But Singapore!)

So none of this means that the clamour for a central people register has gone away. It never will. It’s what James Randi once described as an “unsinkable rubber duck.” An idea that no matter how many times you unpack it, debunk it, resolve it…will always bob back to the surface. It’s so tempting. The perfect answer for those who love hierarchy and are convinced that hard-edged systems can save the world. (But Estonia!)

Yes, yes, ok, Estonia etc. – there needs to be a better response available to the “But Estonians”. Your vulnerable minister and officials will be regularly swept over there to marvel at how all this digital identity and database stuff just…works. Nobody dies because of it, the tanks don’t roll in, there isn’t a monitoring screen in every house. I’ve asked a lot of people who should know about this stuff what the solid counter should be to the But Estonians. Curiously, I haven’t found one yet. Have you?

And then, I think – hang on, is any of this resistance actually meaningful?

We may not have a single people register, but we have lots of things that are a lot like it. You may be surprised by some of the questions you get asked when you use Verify. How did they know that? They know lots, really, those identity providers. That’s why they’re identity providers. They’ve spent years buying and integrating things about you. It helps commerce operate. But it’s private, opaque, unaccountable. Sure, it’s not government, but it’s still a thing.

Or what about the Police National Computer? Who knows how they refer to you? But they know things about you. Try getting stopped in the street by the cops and not showing any “ID” (don’t start me off on that term…but full disclosure: I have done this, just to see what happened.) You’ll find some of their questions to you, and their radio checking, pretty interesting too.

So whether it’s done through a single unique identifier (ooh – somebody said “just use the National Insurance Number!” DRINK!) or through the patchwork of private and occult registers, we live in a database state anyway. The infrastructure, and the surveillance powers, are already such that pretty much any bad consequence could already happen (is happening?). Data sharing work is developing apace. If one of the main concerns about a centralised people register is its vulnerability to attack, then those concerns apply to the private registers too, no? Ok, but the prize is bigger, but still… The police manage to do it. Experian manage to do it.

Is all the protestation just for show, really – we attack the thing we’ll be able to see because we can’t attack the things we can’t?

My personal view on this (as a non-practising civilian with a lifelong interest in civic data) is that the central register has some benefits. But enormous risks. And that the risks scale faster than the benefits. You aggregate that much in one place and the consequences of error, or breach, or yes, totalitarianism, are unthinkable. So it’s a bad thing.

My friends Achilles and Tortoise teased out some of these issues for me a while ago.

But I’m not convinced I’m right. That would require a level of evidence I don’t have, or a level of ideology I find distasteful.

Help me out here – what would it really take to sink, or float, that rubber duck?

At least for a bit?

Roll up, roll up…

Bus crash photo, by Paul Clarke

…for all the fun of the fair

There’s a good chance you’ll see something today, if you haven’t already, about a pseudonymous online character for whom life seems to have taken a very recent and very awkward turn.

This character specialises in winding people up in extreme ways, in generating and thriving on outrage, in what we call (safely, for once) “trolling”.

“Hello people with some particular cause to be sensitive, hello public servant, hello anyone who may disagree with me – you’re a c**t, this is why, and I’m actually really on your side for saying it. Oh, and one day you’ll thank me that I stood up for those rights.” “Listen to me, notice me, tell all your friends how outraged you are and hope they join in…yada yada yada.”

I’m not linking to or referencing the specific details here, as I avoid doling out troll food – but he seems to have bitten off a big one this time. Repeated taunting and goading of a community who not only have some pretty good reasons behind their pride and sensitivity, but also a track record (first successful petition to be debated in Parliament, anyone?) of organising and supporting each other.

And support blends seamlessly into the formation of a mob, and from there, the path to actual, real-world, nastiness can spiral upwards rather quickly.

Thing is, our Defender of Freedom didn’t really do the tightest job of hiding his real identity. Pieces to camera in his natural voice behind a mask; social media accounts under his pseudonym showing real people with real names, in identifiable locations. Almost like he wanted to be outed eventually. Hmm.

And now that doxxing has happened. Personal information is out there. Whether it’s accurate or not is anybody’s guess. Whether the entire episode is some extraordinary situationist stunt to promote a brand of soap is still a possibility. (Ok, it’s not.)

Did he want to be unmasked? Was the online attention not enough any more? Did some sort of martyrdom – however you want to interpret that – represent a fitting culmination to a sustained period of effort?

OK, so what’s my point here?

It’s one of those cases that features a regular theme on this site: the gap between nice, clearly-marked, “how-the-world-should-be” and its messy reality.

My opinion is that you can’t slip a fag paper through the logical thought process that says one should have the freedom to cause the potential for offence. Any attempt to lock out that freedom will fail to work, and even if it did, would take more away from us than it gave us back. Potential is of course an important word here: the online media he uses are seen “by choice”, not forced into people’s homes…yeah, right. It doesn’t work like that, of course. Rubbernecking always trumps rationality.

Yes, we’ve built rules like banning public incitement to hatred, but they don’t adapt easily to media where my choice to subscribe (or my friends’) drive what I see. That word “public” again… but this is getting into more detail than I intend to in this post.

Back to the point: which is that this case made me think about how reactions, and change, really work. You know, in the normal world.

Where I grew up, when things were changing fast, like going through school, being a teenager, finding your feet in a new area – there was a contrast between the official boundaries intended to guide behaviour, and the “corrections” that would be applied by the environment. Bluntly: if you really pissed somebody off, you’d get thumped. And the rules? Irrelevant. At some point, with enough sustained “correcting” going on, there might be a shift in the official rules to keep us all sane, and we’d all lumber onwards.

The first bit of that process might be brutal, and horrible, of course. But it’s what happens. You can say what you like – be as offensive as you like – but it doesn’t mean there won’t be consequences. They might not be legal. Or a Good Thing. But you can’t just vanish them away. Do I condemn any violent action that might result from a case like this? Yes. Do I see that it might also be an inevitable component of something more wide-ranging? Yes to that too.

We need corrections. They’re part of making change: whether that’s to a price, a set of laws or to the behaviour of a society.

There are no smooth dials on society – or levers that leaders can pull to make big things happen as planned. (From Gove to Pickles to Duncan Smith the reality of this is now hitting hard, but that’s definitely another post.)

In today’s example I can’t help feeling there’s a certain irony in a professed free-market libertarian being prepared to test the market – and its possible application of a correction – in quite such an extreme and personal way.

I am very interested to see how this plays out. And we should take an interest, perhaps from a distance – without lobbing in a ton of troll food – on how it does play out. It matters. The seismic societal change here is one where everyone can create content and reach an audience (or be reached by it). Despite a lot of fury on the internetz, there’ve been remarkably few examples of that boiling over into actual, tangible, harm.

We’ve had outrages about Daily Mail articles, we’ve had anger about privilege and so much else, but something about this one feels very different. Hard people are involved here. For whom the jokey “I’ll do time…” phrase beloved of Private Eye’s spoof comments thread may well have a different resonance.

“It’s all fun and games until somebody loses an eye” as they say.

We’ll see, won’t we.

The underpin

A quick post on identity, written after seeing Dave Birch’s marvellous TEDx talk on identity, but rooted in a Nasty Thought about identity assurance (proving things about you to be true) that’s been troubling me for a while.

To summarise current thinking on this (but do watch Dave’s talk): old identity approaches are hopelessly flawed because they try to recreate a clunky, record-based model of Who You Are: as a list, or a database, of lots of things about YOU: from name, address, date of birth, fingerprints (and whatever reference numbers anyone – typically but not necessarily the government – want to sling in there), etc. etc.

Enlightened identity thinking says: bugger that – most of the time it’s not important WHO you are, merely that you can prove a certain thing to be true for a certain purpose. So a baby-faced boozer only needs to demonstrate AGE>18. A council service user may need to show POSTCODE=BN****. This is sometimes called “authentication, not identification”, and there’s a whole marvellous book about this by Jim Harper which is basically a bible for sensible, non-Big-Brothery approaches to these issues.

Reassuringly, these principles are found within the current strategy of both the US and UK governments. Which is ace. And to be wholly applauded. (There is a lot more to these strategies than just the idea of authentication over identification, by the way, but that isn’t the focus of this post.)

No more will you have to haul out a document showing that you buy electricity in order to rent a DVD. No more does your passport have to be hijacked to confirm you can start a job. All the machinery used to hold and prove things about you can be turned upside down: instead, you control what you share with whomever you need to prove something to. Provided there is a “binding” of something about you (maybe your face, or your fingerprint) to the fact that needs to be asserted, then you get what you need without having to BE any particular person.

If that thing about binding sounds a bit spooky, look more closely at this scheme. It’s been used to verify drinking age in pubs. The important bit is that there’s no central database anywhere that a (future!) malicious government can use to attach other “facts” about you. Or that can be corrupted or lost or misused etc. etc. It simply links some data points from a fingerprint to the fact that needs to be proven (age), and serves that up neatly and securely when required. But read up for yourself how it works. It’s well thought of and has the blessing of some who really do make a habit of tearing strips off dodgy approaches to personal data and biometrics.

But this post isn’t about clever new ways of doing things differently, and better.

It’s about a problem that will still exist. It’s about something that underpins many rather trivial, low-value transactions and life events.

Sometimes it’s not enough just to satisfy a particular information need for a transaction, like verifying an address, for example. Well, it is when everything goes right. But not when things go wrong. Because if things go wrong, and you want to take action, you want to underpin the information you’ve got with something else: the ability to tie the transaction back to a particular individual. Yes, someone with a name, an address, and lots of other things that the police and criminal justice systems know you by. So how quickly will Dave’s “no names” approach actually stand up in practice, in any situation where some future recourse may occur?

Because the one recourse you ultimately have is to take action which might involve a fine, an endorsement, even ultimately imprisonment. And these are things you can’t do if you only know AGE>18 or DRIVING TEST PASSED 1985, LICENCE CLEAN. Many things you can do “as somebody else” – like paying for something – but you can’t be banged up as someone else. That’s the “underpinning” bit.

The car hire company really does need to know who you are. Perhaps not to satisfy insurance requirements, or some other aspect of the up-front transaction. But just in case you disappear… Even for something as low value as a DVD rental… And if you bump your car into someone else’s, swap details and get an odd feeling about your opposite number, are you going to be more or less likely to insist on police attendance if they pull out a decent-looking driving licence for you to note down, or scratch it out in pencil on a Post-it note? Even peer-to-peer we use underpinning as part of our understanding of trust.

Our old-fashioned “hard identifiers” are hugely important in backing things up in these cases of trust and liability. It’s that thing where it’s much more important that the system is designed for things that go wrong, rather than things that go right.

Realistically, what will actually change if we move towards an authentication culture? Will we still fall back on the same old props to do that critical underpinning of trust? It’s a hole that I perceive in these concepts of individual-controlled information.

I’d love to hear your thoughts.

Know Me, Know Me Not


A featureless airport departures hall.

Behind the check-in desk, a large warrior stands, strip-lighting lending a pale lilac wash to his magnificent plumed helmet.

Half-way along the queue is a rather dishevelled Tortoise, surrounded by heavy bags.


Achilles (for he’s back again): Oi, Tortoise!

Tortoise [po-faced and unresponsive]


Tortoise: WTF? How do you know my number? Thought that was just between me and the hatchery?

Achilles: See this print-out of your markings? [holds up said print-out] Got this off of Google; on CheloniansOfNote.com it was. That’s you, isn’t it? Blotch, blotch, stripe, worn patch, shape that looks a bit like David Willetts’ head? Yes? Got a few other bits of info here too, to help me recognise you and the better to meet your every need.

T: Um, so I see. But how dare you…

A: Hang on, my horny-carapaced friend. Shuffle up to the front here. Let’s have a quiet word about this. [Tortoise makes the painfully slow journey to the head of the queue, nudging his bags one by one with his nose.] This is what you wanted, see?


A: You told us. You did. Well, not you individually, Tortoise NP150…


A: Ok, ok. Well, collectively, our customers said things like “Hey Trojan Air, time to wake up to the new world and start treating us like people. We’re not just lumps of flesh with wallets. We want you to throw away all that stiff, corporate formality. Get to know us. Empower yourselves. Adapt. Use a bit of bloody initiative. See us for who we are.” So we have.

T: Yeah, but you can’t just go gathering information like that about me, without my permission. It’s like me shell’s been invaded. Horrible. Oi moi!

A: Don’t go getting classical on me: these characterisations are only pixel-deep. Now, look over there, now, at the SleazyJet desk. See that queue? Hundreds of them. Hot and knackered, they are. And going nowhere for a couple of hours yet. Now, I know, and the SleazyStaff know, that there’s a nice little waiting room round the back. With just one very comfy seat in it. And air-con. They can’t tell everyone, it’d get rammed. But see that woman just there? With the huge bump? Could drop any minute. You think it’s ok for the staff to, you know, use their bloody EYES to spot her, and offer her that seat? Or are you going to go all “no, no, they must know nothing, they must treat us all-equal-and-anonymous like”?

T: Well, I suppose that’s a bit different.

A: So it’s ok to use my bloody EYES to infer stuff about my customers, so’s I can make their service better, but it has to stop when I use, what? A computer? A phone? A database?

T: Now you come to mention it…

A: Because isn’t that where mechanical process (oh so twentieth century) stops, and service begins? When we start inferring? When we use one of the very few gifts that mankind seems to be blessed with – pattern recognition – to judge that if someone is cross-legged and hopping from foot to foot, it might be politic to proactively remind them where the loo is? To check on our systems so that their seventeen letters of complaint that they keep getting woken for meals when they’d rather sleep haven’t been an utter waste of time? To infer, beyond this, that similar awakenings for important matters of Shop-In-The-Sky sales might also receive an unfavourable response even though they haven’t actually WRITTEN TO US ABOUT THIS NOR GIVEN US EXPLICIT PERMISSION TO EVEN GUESS IT MIGHT MATTER TO THEM?

T: Steady on, old boy.

A: Sorry. Emotive stuff, this. Which is why this post is written as a dialogue – less confrontational that way. Where were we? Oh yes – look over there! PoshAir have got one of their regulars arriving. He’s a FTSE-100 Chairman, he is. Yeah, I know. Miserable and anonymous, grey and crumpled, to you and me. But to him? The Grand Kahoona. The Large Cheese. He wants to be recognised. And look again: by the sort of chance that only occurs in allegorical blog posts, he happens to be featured on the cover of this month’s Kahoona magazine over there on that newsstand. Now, shall we ask their staff to shield their eyes so that there is no prospect of them contaminating their green-field minds with this inarguably public-domain factuality of who the fuck he is?

T: Yeah, but it’s invasive. He might not want to be recognised.

A: Isn’t that a matter for their judgement? They are, remember, humans. Providing a service. Let’s at least hope they have some basic lightness of touch. They do not have to march up and shout “Mr Cheese great to have you back it has been 34 days and 2 hours since you flew with us shame about the collapse of the zinc deal in Bolivia your usual gin and valium then?” A mere “Mr Cheese, good to see you again. Let us know if you need anything” isn’t invasive. Invasive is ferreting through information that’s not public. Invasive is phoning people up or emailing them out of the blue, forcibly taking their time away. This stuff here is just observation, inference and discretion.

T: Ah, but it’s where it could all lead, innit. That dossier on me that you’ve got behind the desk…

A: Dossier? Ooooh how very Le Carré! You got that out of that article, didn’t you? One of many using lurid language to play on everyone’s fears about “where it could all lead”.

T: Call it what you will. You are reprocessing data and creating databases and riding a chariot and horses through the provisions of the Data Protection Act (1998). And you know it.

A: I am, and that’s a very fair challenge. I am struggling to justify it – hey, hang on, pass me your phone for a minute.

T: No bloody chance. You know enough about me already.

A: I just wanted a quick peep at your contacts book.

T: That’s none of your business.

A: And yet you download all these apps to your phone and give them permission to access what must be hundreds, maybe even more, personal records and upload them to Morin Towers and gods knows where else, and remind me at what point did you register yourself with the Information Commissioner let alone do any of that “seeking consent” hoo-ha?

T: Yeah, well, that’s for organisations. I’m just Tortoise.

A: Tortoise With A Talent, Ltd, according to my, erm, “dossier”. You still think the boundary between individual and organisation is that clear, and in any case serves as any sort of robust moral framework for this sort of issue about data responsibility? You still content that the DPA (1998) is in any way fit for purpose for the world we now live in? A world of massive volunteered personal information? A world where even if you don’t put your own pics up somebody is going to tag your face and you will be able to do jack all about it and will just have to get over this unassailable fact?

T: I suppose. That’s all going to need clearing up when they refresh the Data Protection Act, innit?

A: Just. A. Bit. But in one final attempt to justify my creepy snooping, can I at least appeal to your libertarian side? It’s one thing to berate the state for acting like this, for gathering information and building megadatabases about individuals. Its civic hygiene may one day become suspect, its motivation potentially questionable, and it’s pretty hard to avoid. But this is a freaking airline. You don’t like what we do, if you think we’re creepy, then you’ll stop using us, and we’ll change the way we work to get you back again. Less of this Big Brother Watch angst; save that for those who really deserve it. Frankly Tortoise, there’s some cognitive dissonance going on here. I know (coz it says so in your dossier) that you hate all this state intervention stuff. You really want businesses to be able to do a good job with the very lightest hand of regulation ‘pon them. Now you’re making no sense with all this paranoid guff.

T: Ok, ok. The jig’s up. I guess what’s really going on is that a general, non-specific feeling of impending doom about personal data in the cloud (and in our hands/claws) is creating a toxic environment where any story that even touches on search, or social networks, or biometrics leads us to throw all common sense out of the window. I guess.

A&T: Oi moi! Ta’las! Tlê’môn!

Seeing red

A bold tweet’s been getting a bit of an airing this morning:

Shall we have a closer look at that one?

Firstly, I have some doubts about the practicality of actually getting the smoking-tyre photos needed to make this work. I presume the idea isn’t for fast-lensed SLR owners like me to camp out at the lights for a day, ready to get crisp face pics of the transgressors? Good luck using your BlackBerry camera for that.

And I presume it is faces that’s being sought here. I mean, otherwise you’d just be building a Tumblr of blurry lycra-clad arses. Which might be of some “specialist” interest–but not actually a whole lot of use.

Which means you need to be ready in waiting on the outgoing side of the junction. Having predicted that matey with the headphones and fixie is intent on diving over the red. OK…bear with me here.

So what use will all those faces be, then? For outraged anti-cyclist types to roar at the screen: “Naughty, naughty man! Is the advanced stop line not enough for you, you bounder?”

Or perhaps for some sort of vigilante action, especially in smaller towns where you might just see the same cyclist ever again? Stand by with your spoke-sticks, defenders of the peace.

Or for, oh wait–here we go, some kind of enforcement by the Authorities. Now that either means we get serious about facial recognition…or…we treat cyclists more like car drivers, and bring in a compulsory licensing-and-visible-identity-number scheme. Neither of which will be expensive, problematic or intrusive at all.

Hang on. What flavour of libertarian is this then?

One that prefers heavy-handed state surveillance and intervention over the free choice of the individual to exercise a decision (which will sometimes be flawed, but hey, that’s free choice) over the extent of their compliance with a system designed for much more dangerous vehicles capable of driving at far greater speeds?


I mean there couldn’t be another reason that someone would come up with a proposal to have a go at cyclists like this?

There must be one. I just can’t quite put my finger on it. No, it’s gone again. Damn. Nearly had it there.

Customer First? Yeah, right.

I see, via the excellent Robert Brook mail-out (do please subscribe), that there’s another site out there trying to cut the biggest Gordian knot of all in the field of customer services. Of course customers want cheapness. Of course customers want quality. But the two are in tension against each other.

Unlike the cruder saynoto0870 about which I’ve written before, Get Human attempts a subtler combination of crowd-sourced wisdom not only on what channels prove to be the best for getting through to Customer Services, but also offering handy hints on how to navigate them more easily once you’re connected.

Sample: “dial 08xx… and keep pressing 0, ignoring all prompts, until you get to an operator.” Well, indeed. And it’s hardly a new discovery that banging away on the zero or the hash button can get you that elusive human voice.

But it’s still a hack. It’s still “defecting” in the vernacular of game theory – trying to find a way around the system rather than devising something that actually works, and doing it in a way that doesn’t involve subterfuge.

What’s missing – what’s always been missing – for me in all of this Customer First rhetoric is any real appreciation of why things are the way they are. It’s not all perverse behaviour on the part of organisations. Nor is it all blatant cost-cutting or profit-grabbing. It’s a trade-off.

“We put the customer first” is one of the most weaselly phrases imaginable, whether in public or private sector. It’s probably Shareholder (or Taxpayer) First, in reality. And is that so very wrong? What’s much worse is the masking of true intent behind these bizarre slogans.

The system may be optimised for a lower price. It may be optimised for speedy and free-flowing service. But it won’t be optimised for both.

When you have to indulge in odd behaviour in an attempt to change this optimisation (like that banging away at the 0 key) you know there’s some reality masking going on.

Here’s a little case study to make the point: Ever hired a car abroad? You go through a ton of online data entry to ensure your personal and driver details, and payment, are handed over as requested. In advance. All you have to do when you get to the airport desk is establish your identity and take your key – everything else has been done? Right?


Spend a few minutes listening to what’s going on in a queue like this. It’s fascinating. No transaction takes less than five minutes – many take at least ten. The queue always builds quickly. Always.

And what is going on? Well, transactions are being optimised for revenue, not speed.

Take the additional paper-filling that appears at this stage. It might be a “local police form”, or an additional statement of insurance liability. There’s absolutely nothing on these forms that hasn’t been already provided online (or could have been).

But the act of filling it in starts to work in other ways on the hapless victim. It’s a foreign country. See? Foreign form in front of you. Thoughts fly fast: they drive badly here – or do they? Shit. Best check. And what about the police? Mirrored shades, being pulled over on a dusty road, accused of goodness knows what. Gold teeth. Lip-smacking. Cash fines. Smelly cells. The images are set in train.

The swift passage from carousel to exit gate has been interrupted, and certainly not for your benefit.

And then the killer words come across the desk. A script that never fails to elicit a visceral response. “You agree you have taken the minimum insurance cover permissable. The excess will be a thousand euros. But you can wipe this out with a simple payment of just twenty a day…” And inevitably, beads of sweat now falling down, a judgement has to be made. Invariably on the side of cautiousness. The picture has been painted.

You had all this information back in your office a week ago. You made a rational judgement of the likelihood of you stacking the car, and made your choice. But now? Now it looks different. And the tapping and shuffling in the queue behind means you have to make a decision. Now. Tick. Tick. Tick.

Oh, and a good bit of time is often spent with customer saying “but I thought I’d already done all this…” Tick. Tick. Tick.

So. That’s what optimised for revenue looks like. Not customer comfort.

Let’s be honest, though. This is all fine. It is what it is: business.

The increase in revenue keeps the hire business afloat. Keeps it competitive in other ways. Allows for headline hire rates to be very low. Gets customers to the desk in the first place. And round it goes… Etc. etc. etc. Hardly the stuff of a management science PhD.

You just have to hack the bullshit process like this. For yourself. Every time.


My plea? Please just give me a signpost at the top of, well, any transaction really: “Give me convenience, or give me cheap.” At least let me decide what’s optimised.

Keep that separation right the way along the line: forms, queues, phone lines. Really. Because one day we’ll grow up about the psychology of customer service and wonder why we ever fell for games like this. Ever.

(I hope.)


Postscript: Stefan C has pointed me in the direction of this neat little service, allowing you to buy your own excess reduction insurance. Nicely disruptive. More of these, please.

On trolls and anonymity

Picture this.

You’re walking down the street one day and a strange figure blocks your path. They’re clad head-to-foot in a black sheet. They’ve got some strange sort of voice scrambler strapped to their mouth beneath, and you hear this grating mechanical voice emerging.

It’s low, sinister, and very, very unnerving. You’re told that you’re worthless, stupid, wrong, and that all manner of terrible tortures will now befall you. There are slurs on your gender, your age, your politics, your sexuality.

At first, you’re shocked. Terrified and horrified.

Then you take stock. This creature…this shambling figure who dare not show their face nor reveal their true voice. This creature, who you now see is wearing a little badly-spelled badge so that their “distinctive” ranting can be identified wherever they choose to spew it out.

And you’re there, unmasked, identifiably, proudly, you. And you think of the feedback you get–good and bad–from those who do show their faces, and who use names which you can check out at least roughly in twenty seconds on Google or Facebook.

And you also think of those who are generally helpful and positive to you, but go under a pseudonym that can’t be easily checked back to an identifiable person.

And you put these in order of importance in your head. And you look again at the grating, shrouded, cowardly figure, and you laugh. They’re at the bottom. Actually, they and their opinions are completely worthless. The out-and-proud are at the top. And the pseudonymous somewhere in the middle.

You begin to laugh at the creature. Not viciously, not gloatingly. Just in mild amusement that anyone, ever could think that this creature mattered. Others join you. A warm buzz of gentle ridicule washes over the creature. It slopes away.

And you walk on.

Now. That’s a twee little tale if ever there was one. A piece of blogger whimsy, and not a little patronising with it. Of course it is. (I hope to God it doesn’t come over as a piece of “mansplaining” by the way. Because it’s not aimed at any group or individual in particular.)

It’s an observation not on “how we stop anonymity”–if you read my stuff on identity on this blog you’ll understand that I don’t believe that’s possible. Instead it’s a sketch of what type of framing it might take to assign anonymous, negative comments such a low value that everyone–from direct recipient to disinterested observer–just goes “oh, yeah, right, ok, anonymous blah, where’s the valuable stuff?”

Idealistic. Yes. I know. And I’ve skirted around a few obvious issues, above.

That the shock and pain of these comments can be so blithely overcome, if at all. And yes, I’ve had some myself, and not done a very good job of prioritising them as unimportant. (By any stretch of the imagination.)

I’ve ignored the physical reality of intimidation–of attacks moving from the space at the bottom of the blog to a text on your phone or a knock at your door. I’m making some big assumptions that the machinery of our society’s protection of the individual, plus a diminishing urge on the part of trolls to convert their keyboard bile into further threats in riskier channels, combine to mean that actually personal safety isn’t endangered that much. But it is sometimes. I know that.

But the key message of this illustration is to suggest that it isn’t just the personal reframing of a recipient of anonymous hate speech that takes us nearer to a solution–if that worked, we’ve have all done it a long time ago.

It’s that we might find the answer in the growth of a collective recognition–in our society and culture–that there is a pecking order of importance, with anonymous, negative right at the very bottom.

It’s obvious that there’s an asymmetry involved: for hate speech to be a problem the original author has to be identifiable to some degree, and the troll almost without exception anonymous. It would be wonderful if that asymmetry also became the foundation of a recognised hierarchy of weight-given-to-commentary. (No fancy technical mechanics here in the giving of points or +1s–I mean a completely, socially-pervasive, understood hierarchy).

And that would extend not just to an author’s reaction to their troll, but to it becoming completely normal for other commentators to perform the online equivalent of shrugging, smiling slightly, and stepping around the shambling, cloaked, figure. No quick fix, of course: but a cultural goal to aim for.

With thanks to Julia Hobsbawm who wrote about this tonight for making me think more about an issue that’s been bubbling away in my head for a while now. I saw other angles on the debate earlier today too, asking how technology might save us from the curse of the troll: a framing of the question, in my view, that will be very unlikely to lead to fruitful answers.

I guess my one-line summary is: the only viable solutions will come from a focus on how we all react, and not on how we police boundaries. Please let’s not get tangled up with more futile attempts at gatekeeping.