honestlyreal


Petitions and democracy

Tortoise: Y’know Achilles, when we were last talking about this identity business we got into all sorts of hot water very quickly in trying to find ways to use a definitive identity to do governmenty things on the Internet. But I’ve found a brilliant use for one this morning!

Achilles: Really? What’s that then?

Tortoise: Well – this new idea to transform our democratic participation by cutting a swathe through centuries of saggy old unsexy representative democracy and allowing us, through the power of the Interwebs, to have our say directly about what does and doesn’t get gamed into the Parliamentary timetable.

Achilles: Gamed?

Tortoise: I mean, debated. Sorry. We haven’t got to that bit yet, have we?

Achilles: And it’s also a great excuse for some cheap headlines about the X-factor, isn’t it?

T: Naturally.

A: So what have you read?

T: That this new petitiony thing is coming in and it will let you band together in a free and open way and get really popular people’s choices some proper Parliamentary time.

A: And will this change anything?

T: Dunno. But giving the important stuff some proper Parliamentary time has got to be a good thing in itself, hasn’t it? Especially stuff which is bound to be based on issues that get people to join their voices together, really quickly, using the Internet? Oh…

A: Indeed. But you mentioned something about identity?

T: Yeah. But aren’t you meant to be the personification of the State in these dialogues?

A: I am. Sorry. That’s what happens when you start to mess around with the model of who really holds the power, hey? Just my little joke. Sorry.

T: Accepted.

A: So. Tortoise. I have realised that with this direct democracy business it’s pretty important that we only hear from those from whom we should hear. If you get my drift. So, if you’re not on the electoral roll, I’m sorry, your voice has no place here.

T: Couldn’t agree more.

A: So, are you on the electoral roll then?

T: Is that it? Is that the test – you ask me, and I say I am, and then my voice gets heard? Is that all?

A: It’s what happens when you vote in a polling station, pretty much. There’s nothing by way of a very rigorous identity check, is there? Got a little piece of card, you vote. Not got one, you say your name, my guys check it’s on a big paper list, you vote. What’s the difference?

T: Have you heard of channel friction, Achilles?

A: Yes, I had a touch of that when Agamemnon stuck his javelin… What do you mean, Tortoise?

T: Well, it’s a bit weak to say that just because something works one way in the physical world then its online analogue must be just the same. There’s a certain amount of bother involved in diddling votes down the polling station. You have to queue up, you might see someone who knows you and says “Hi Tortoise!” just as you’re squeaking “I’m Mr Mouse” to the teller, and you can only get away with it once in the same place or you’re really asking for trouble. That all takes time and effort. Think of it as a kind of ‘friction’ associated with the physical voting approach that sort of acts as a check on all the other bad things that might happen. It’s not perfect, but it’s worked just about well enough for quite a while now.

A: Whereas the Internet is very much a frictionless channel, isn’t it? Hmm. It would seem, Tortoise, that those who want to create mischief or subvert the democratic process can do so easily, at great speed, in great fictitious numbers and all without having to leave their bedroom and feign an honest face to the bobby looming at the school doorway. Yes, I see your point.

T: You’re getting there…

A: We’d better stiffen it up then. I need, Tortoise, for you to prove, online, that you are the same Tortoise who is on my electoral roll. Otherwise this whole petitiony thing is quickly going to descend into discredited chaos. (If I’m not to quietly drop the bit about electoral roll verification, that is, hem hem.)

T: And how are you going to do that then?

A: Well, I tell you what – I’ll build this massive database which has a unique identifier associated with every person who appears on the electoral roll, and then I will, having verified through the physical examination of something like your passport, securely give you that identifier and some associated credentials…oh bollocks. We’re here again, aren’t we?

T: I’m afraid so.

A: And we haven’t even got to the bit where any attempt at online democratic participation is going to be holed below the waterline morally, and possibly legally, when so much of our population doesn’t have decent Internet access anyway?

T: I’m glad you got there before Cyberdoyle did.

A: Quite. One for a future conversation?

T: With pleasure.

My phone’s been blacklisted

Well, it hasn’t really – not for a while anyway – but it’ll do as a title.

The massive problem of mobile phone handsets being stolen led in 2002 to a marvellous bit of innovation. If a phone was stolen, its unique reference number – the International Mobile Equipment Identity (IMEI) – could be logged on a central database of blacklisted numbers, and it wouldn’t work any more. Not on any UK service, anyway, regardless of what SIM card you put in it.

Now, with an idea this brilliant in its simplicity there are bound to be a few drawbacks. (It’s also a really good illustration of problems that come up in any distributed system built around a central point, with a large number of players and variables involved.)

I haven’t managed to find out much in the way of fact about this mysterious IMEI database. I have established that it is known as the Central Equipment Identity Register (how Orwellian is that?) and that the Global System for Mobiles Association (GSMA) handles requests from mobile network operators (MNOs) to join the membership of those able to update it. Whether there is any more regulation relating to it than that is unclear. [Wikipedia tells me there are certain weaknesses in the non-uniqueness of IMEI numbers across handsets, and that handsets can be reprogrammed with a new IMEI number with enough effort. But that’s incidental to the argument of this post.]

My main point is that from a process perspective, it doesn’t actually do the job it’s intended to. This is why.

One day my phone stopped working. I took it into the shop. “It’s not the SIM”, they said – “your handset’s been blacklisted. You have a SIM-only contract with us, nothing we can do. Our responsibilities stop there. Where did you get the handset?”

I explained that I’d bought it on eBay about 9 months before (from a very genteel lady in Dorking who didn’t want it as an upgrade). “You’ll need to find her, and get a receipt.” And then what? They looked blank. And what if I can’t? Blanker. “Nothing we can do”. Hmm, I thought.

Obviously, there was no chance of finding the seller – I had absolutely no idea who or where she was, and anyway, why should I? This was a mistake. Could the wrong IMEI have been put on the blacklist by mistake? “Yes.”

I made a big fuss. I tried to track down a regulator. I wrote to Ofcom. I did all the usual things that a public service process obsessive does. Nothing. Silence everywhere. I carried on making increasing levels of fuss to Vodafone – my only hope: with membership of the GSMA club and able to get their digits on the database. Finally, after much griping, emailing and phoning, they said “it’ll work now.” And it did. “It was a mistake,” they said. “Happens quite a lot.”

Which means that making a big enough fuss, being articulate and invoking stories of nice grey-haired ladies in Dorking will get your phone unlocked. Stolen or not. By any MNO you pick on to force the unlocking.

Which seems like a complete load of bollocks.

This is a hugely powerful system, capable of causing immense inconvenience due to a finger-slip by any of hundreds of people, scattered widely. It’s designed to provide a serious barrier to theft, yet it can be unpicked with a sustained bout of whinging and some smartly written emails.

It reminded me of some of the concepts of centralised identity management, which I’ve written about before. As soon as a centralised system becomes powerful enough to be any use, almost by definition it becomes unusable when exposed to many real world conditions. The blocking process might have been quite effective when almost all handsets came via your MNO, and you didn’t swap networks much. But those days are long gone.

Gary Gale reported a similar experience to this today, triggering thoughts that it wasn’t just me, and provoking me to write this post. Thanks Gary. Add any comments you like.

I’m not a mobile industry expert. If any of you are, and I’ve made a string of howlers above, I’m sure you’ll let me know. Is something missing here in terms of an independent point of contact to appeal mistakes like this? Who would run it? Who would pay? We can certainly forget a “well, government should just do it” solution in the current climate.

Sit down and be counted?

Online interactions between people and government fascinate me. Which is just as well, given I’ve spent a long time working on innovation and programmes that attempt to do this sort of thing.

I’ve written before about some of the challenges behind the “government account” concept: online tools that would help citizens to transact with government in smarter ways. They represent a wicked problem – in that you can describe what such an account does in a single, simple line but nobody’s actually managed to produce one in practice, for all the money that’s been spent trying.

This is because as soon as you endow them with any sort of real usefulness you also need to build in so many safeguards to a) protect privacy, b) be proportionate in what information is shared for what purpose, and c) to guard against misuse (fraud, impersonation etc.) that you quickly render them unusable by real people, and unimplementable by government machinery. Yet the “vast savings in the future” business case sits there, taunting us to try and try again to find a way. And it’s human nature to want to believe (sometimes in the face of very strong evidence) that simple conceptual challenges must have simple solutions. Truly, a wicked problem.

Proposed solutions inevitably gravitate towards two poles: the absolute identity model (beloved by the “nothing to hide, nothing to fear” brigade) where everything is pegged back to a single (probably biometrically-founded) master record. Or non-personal, “opt-in” models. (“Non-personal” in the sense that although you can create your account to look like it’s about you, it’s not evidentially reliable for any form of ‘strong’ transaction. The sort you might later conceivably have a court case about, for instance.)

If you try and get clever, and design hybrid solutions that mix up trusted and non-trusted areas of information, then you can solve more of the implementation challenges on paper, but you magnify the usability (and security) problems exponentially. And so we go on – that’s another story.

But let’s set aside conceptual discussion for a moment and focus on just one very topical instance of interaction with government: voting.

The scenes of chaos last night at polling stations were quickly followed by cries for a better way. Our Victorian processes and infrastructure can’t cope, say the people – and now we have teh shiny internetz – surely A Way Must Be Found.

(What tickled me a little is that some of those cries for A Better Way came from people who would probably have serious reservations about the unintended consequences of this sort of thing.)

Bear in mind that for any electronic voting solution there are a few core concepts that need to be considered – notably the need to have a referencing method, and a proof process.

A referencing method might be a list of National Insurance numbers, for example – a common index by which people and government agree that they’re talking about the same person. In traditional voting, this is the electoral roll – a list assembled for the specific purpose of enfranchisement. Although it’s shared (and sold) for other purposes, this isn’t generally used to enable other business with government. It’s not (that I know of) connected to your tax or benefit records, for example (other than having ancillary involvement in identity verification, credit-reference-style).

It’s worth bearing this in mind when you consider the referencing method that online voting might use. You want to connect your voting record to other things you do with the state? You’re sure you don’t want to think about that a little more, liberally-inclined Twitter-folk? So, your referencing solution might instead be merely the migration of electoral rolls to an online register, but one that’s not connected to other government interactions. Sensible precaution, or massive missed efficiency opportunity? That’s the sort of real-world difficulty we face with these decisions.

The proof bit is where the voter makes a claim (to an acceptable level of proof) that they are that person. That could be as simple as replying to a letter sent to your house, showing online (or by phone) that you know something about other account records that only the account holder would be likely to know, or as complex as turning up at a government office bearing original birth certificates.

But bear in mind that if the proof bit isn’t done online, there’s an extra level of complexity in sending you whatever you need to then use online to demonstrate you’ve done the proving. Even if you just want it emailed, that means someone has to be responsible for the email addresses, not letting them be used by spammers or left on a disk on a bus (etc. etc.).

Even the simple gets complex. It’s the nature of this territory. It’s all ultimately based on what level of risk, whether of error or malefaction, is acceptable.

You’ll spot at this stage that the relative level of proof required for traditional voting is absurdly small. You need a card in your hand (which you can pick up from anyone’s doorstep or shared mailbox) or, failing that, some identity that can be checked against paper records at the polling station. Can it be fiddled? Of course it can.

An acquaintance of mine received two polling cards in 1992, one at his parents’ address, and one at his student address. Both were in marginal constituencies which changed hands. He happened to be travelling between the two areas that day… And that wasn’t even ‘intentional’ fiddling – just sloppy record-keeping.

There is something – I think of it as channel friction – which comes into play here. It’s relatively burdensome to blag your way into a polling station; to extend a trembling hand full of someone else’s utility bills or to queue for half an hour. It’s a lesser pain to do things on the phone: it might cost you money, it takes time, you need to work harder to cover your tracks. But online, you have a very well-greased channel – register another 50 voters at a time? Sure. *click* Scan the registers for names that can be more easily spoofed? *click* Do all of this on a massive scale without leaving your bedroom? *click* Not to mention all the other service disruption and denial tactics at hand.

And while you’re thinking about the information flows as you design your solution, have a think about the potential impact of e-voting on political volatility. I may be strapping on the tin-foil hat here, but isn’t it conceivable that if we make the tools very easily available then their use might be demanded (by both sides) more and more frequently? For that budget decision, to go into that war, to execute that prisoner? I’m not saying that this level of ‘open’ government is necessarily bad – just that it’s different. And there are serious societal implications, from digital inclusion to softer issues of how online channels can lead to selective participation and extremity of view, to be borne in mind.

Be careful what you wish for; perhaps there are very rational, if unstated, reasons not to modernise some things?

Honestly, I’d love someone to crack this one. I really would. If you believe there’s a potential solution to this one, do please sketch it out below. Let’s have the discussion.

I’d love, as always, to hear a view from the VRM crowd – the self-assertion of the data you want to share is a useful concept when you’re buying things or services, but I’m baffled as to how it would solve either the “who am I saying I am” test, or the “who I am” test.

Personally, I vote postally. Because it makes more sense to me. It strikes an acceptable balance between my time spent, electoral administrators’ time spent, security and emotion. I’d like to have a go at improving the actual design, mind you – those multiple envelopes were bonkers – but it works.

Sure, I don’t get to smell the plyboard booths, and finger the grubby, stubby pencil but it does the job. And I don’t have to avoid eye-contact with rosette-wearers outside (really, why do they do that?) or risk a late-night lock-in with the police and an angry mob.

So, over to you.

If you think there’s a way to improve this electronically, pitch it… And if reading this has been useful, and opened up a few more areas of thought around this, do share it with others.

It’s all about me

I don’t know where this story ends. I know where it starts though.

At various times since the dawn of technology-enabled government – since information about some of the big things in your life was held on computers – the cry goes out: “Why can’t we join all this up?” “Why do I have to keep telling government the same information time and time again?” “Why can’t I get at all the things that are important to me – all about ME – in one place?”

And other such variants. But you get the point – simple, obvious questions.

And as the years have ticked by, the progress made towards answering these questions has been…well, shabby, to say the least. Especially in proportion to the money that’s been spent in this area.

We’ve had talk of passports, of portals, of “Tell Us Once”, of Citizen Accounts. Of Gateways, single identifiers, and now, MyGov.

None of them, with the exception of the last one – for which it’s too early to tell – have done very well. (Online, anyway. Tell Us Once has apparently been doing quite well in face-to-face service pilots.)

Isn’t that interesting? Simple questions. Obvious goals. But never any progress. Ah – the wise will say – that’s just because nobody in government wants to change. There are all these vested interests. We’d have to rewire the way everything worked. And – say the privacy campaigners – do you realise what you’re also doing here? Creating an environment where a future totalitarian government can control everything you do from that one place – and where the loss of that single picture of you would make your life completely unmanageable until it got sorted out again.

I’ll argue that there’s an even more obvious reason why progress falters and eventually stalls. Time after time.

Temptation.

The temptation to believe that such easy questions must have simple answers, and to keep on searching for them in the same way over and over again. Usually by starting with a simple model, getting frustrated by how quickly it gets complicated, then abandoning the work and starting with another simple model. Rather than the harder task.

Which is to ask: what’s the actual goal of this ‘personalisation’? For it’s really not as obvious as it may seem.

Some of you may stop reading at this point. Or find yourselves wanting to dodge the difficult questions. “Why make this more complicated than it needs to be?” you may think. Why, indeed? “Surely the goal is to make things simpler for the citizen, and less expensive for government? Like, durrr…”

The White Knight of Personalisation (and I’ve met a few over the years) generally says one of several stock things at this point. Here are a few of them: “All your data can be cross-referenced in any case by government: why the hang-up? Just accept this and build everything around one identifier, hey how about the National Insurance number?” “Let’s just do an account that doesn’t hold personal data, then we don’t need to make it too complicated.” “Ok, let’s start from scratch – let people just choose their own identifier, maybe their email address, and use that to log in”. Or the delightful line: “but I have accounts with my bank, and to buy things online – why does government have to be so different?” Believe me, I’ve heard them all. The “why is government different?” question needs a whole post to itself.

White Knights either wear suits and get paid a lot to try and crack the problem afresh, or step forward from the lower orders to show how simple it all is, and try to stick it to these greybeards in government who “just don’t get it”. Isn’t it a bit odd though how the Knights never actually demonstrate a workable solution, no matter where they come from? Shouldn’t that tell us something?

(I owe an honourable mention here to The Tall Knight of Vendor Relationship Management – Google it when you have a moment – who may surface at some point and tell you the whole model is upside down, and people should be choosing what information they share with government, because that makes everything much cheaper and safer to manage. But I’m definitely not taking on that one in this piece.)

I can’t address every twist in this topic in one post by the way. It would become a very long, dreary read indeed, and perhaps detract from my main point. But here are just two of the many simple models of “a personal relationship with government” that you can use to illustrate the point about how it all complicates rather faster than you’d expect.

Case 1: the simple ‘account’. I just want somewhere I can bring together basic information relevant to me. My bin collection dates perhaps. And school terms. Local services for my area, not just generic national information. And reminders about stuff like my next MOT date. No personal data though. I don’t want it to be so secure that it’s hard to access, and I don’t want it holding information about me that will matter if it gets mislaid on a memory stick.

Case 2: the single place to do business online. This is more advanced: it’s an online service that I can log into and then do really useful things. See my tax and benefit account information in one place. Make payments. Change where my benefits are paid into. Find out about eligibility for things I didn’t know I was entitled to, based on what I am already. Correct my address details if they’re wrong. Upload my photo and allow it to be used for several purposes. Notify my change of circumstances. And so on…

Can you see why these two examples are very different? And why it would be next to impossible to morph a Case 1 solution into one for Case 2? Get a blank sheet of paper and a pencil and try that for yourself as an exercise. (Focus on who knows what about whom at all stages.)

Here’s how Case 1 can get complicated: quite quickly we realise that any meaningful personalisation of services actually requires more than just bookmarking things nominally “about us”. We can use personalised portals (netvibes.com, for example) or even just browser ‘favourites’ to bookmark things like that. We don’t actually need government to provide this. So, either our Case 1 solution is a publicly developed version of something we can get elsewhere, or it’s something more. “It’s something more”, we cry – it does the pulling together of the relevant bits based on who we are or where we live. “Who we are?” I respond – but remember we said this wouldn’t deal with personal data? Ok, ok then – how about “where I live” (comes an arbitrary counter). My postcode sits in the account and then my view of services gets ‘localised’ in some way. So it’s not really a personalised service any more, it’s a service about my house. And I haven’t even started on what sort of ‘identity’ you then assert in this account. Do I pick my own (in which case it can never be used for anything secure or confidential) or is it given to me (in which case we have to deal with distribution, record-keeping, level of asserted trust and so on)? We realise soon enough that what we really wanted was stuff to be suggested to us based on who we were, not as a result of us finding it and then bookmarking it. See, it’s really complicating already, isn’t it? We didn’t really understand what we were asking for by a non-personal, personalising service.

Case 2: the other extreme to which solutions usually gravitate – the one strong identifier that lets you prove yourself, be suggested to, self-serve and all the other good stuff. How are you going to get that identifier? In the post? At a face-to-face interview? Sent online in response to a passport number? You get my drift. And if all my data is then linked up around it, will I be able to control who in government sees what? Yeah, sure – you can have this 22 page e-form to fill in allowing for various combinations of permission and restriction. But I only wanted to know when my bins were being collected, isn’t that a bit of overkill? Etc. etc. The problem here being that the usability of the service rapidly complicates at a faster rate than its usefulness.

There are lots more nuances to all this – and many more types of solution. But this post is already longer than I’d have liked for easy readability. I wish I could wrap all this up in 500 words. I really do. It could save millions. But I can’t, and I accept that. This is difficult territory.

I even think one particular type of solution may actually be achievable. But you’ll have to get in touch with me to talk about that one. Clue: it’s neither of the cases sketched out above, nor indeed VRM.

If you bump into a White Knight of Personalisation, here are a few posers to try, just on the topic of the identifier (the equivalent of your account number for online banking, or your Driver Number on your driving license, perhaps).
– Will you have to have one?
– Can you have more than one if you choose?
– Can you end up with more than one by mistake, and if so, what happens?
– What’s the worst case if it’s lost or falls into someone else’s hands?
– Will it be possible to connect it to any service that I might use, or will there be limitations, and if so, what?
– Will I be able to stop it being used to connect up any services to each other if I choose?
– Will it be held in a big database (and who would look after that database)?
– Will it be connected to a register that’s also used for ID cards?
(I did actually ask the Prime Minister that last one at the MyGov launch. Just sayin’. The answer, via Jim Knight, wasn’t terribly clear.)

You’ll probably find your White Knight will go a little whiter when you do ask. And then either charge you another couple of million for another ‘scoping’ study, or turn smugly away saying: it’s so easy, surely we can work this out, stop being so negative…

This is very complicated stuff. But it always looks so simple to begin with.

UPDATE 18 December: MyGov died with the change of government, I think. It was a short-lived initiative (perhaps not even that) to reposition the mythical “single place online where you can do everything”. But it will be back. It always comes back. Google “unsinkable rubber ducks” (Randi) when you have a moment…

The dark side of citizen empowerment (Part 2) – a cautionary tale

Johnny was a rebel. A real maverick of a man. Show him a system, and he’d find a way round it. All the little get-outs, he got out through. He opted out of all opt-in mailings, he had his number put on the list to avoid junk calls, he made sure as hell he wasn’t on that electoral roll that’s for sale. His email address was a miracle of concealment to fool the bots, and you’d be bloody lucky to get it. And almost nobody got anywhere near his ‘real’ online identity.

If he was a bit naughty in his car, he’d make a real song and dance about ’fessing up to who was actually driving. There had to be pictures. Of his face. If not, he’d write long letters inevitably quoting the Human Rights Act. Stopped by the coppers in Waterloo? Same thing, knowing all the right responses to give to stay just the right side of the law, and exactly what would press the frustration button of the guy in the yellow jacket.

Junk calls? He loved those – playing right into the hands of his call centre victim – baiting them further and further into revealing who they worked for, and where, while tapping away merrily on his 192.com account and his Google Maps (and other, darker sources). Until he could surprise them by telling them the name of their wife. And if really pissed off, that he was watching their house from across-Church-Street-right-at-this-minute-pal.

Always pushing things to the very edge to protect his data, and his rights. Because information was Johnny’s lifeblood. His belonged securely locked away. But others’? Especially ‘public’ information? Ah, that was a bit different. Everything had to be open. Without compromise. If the government had it (or he thought they had it) he wanted at it. If there was something out there about a corporation, he wanted it mashed-up, unpacked, aggregated, chopped every which way.

Consumer rights were a passion. He joined every pressure group he could. It was his duty to share with others, not about himself of course, but about his purchases, how he claimed his benefits, what he did to swing the right school place for his kids, and so on…

He delighted in sharing the things The Man didn’t really want you to find out. The uglier stories of corporate hell. The product reviews that told tales from inside the factory. The quicker routes to claiming from the state. Where the councillor lived, and what they got up to on the internet that they thought nobody could find out about…

He bloody loved saynoto0870.com.

He whiled away boring afternoons phoning companies to pester them into giving up geographical alternatives to those noxious money-making numbers. They hated it, he really knew they did, but he knew how to beat the scripts – where to find the weak spots. And when he struck gold, up on the site it went.

Johnny was liberating the system for the downtrodden: the people who actually lived in the same town as their bank and shouldn’t be paying national rate numbers. The bundled-mobile-minutes crowd, who were buggered if they were going to pay twice for the same call.

And so it went. Until the day the crushing pain gripped his chest. Late nights, junk food, way too much coffee – his heart was giving out. He reached for the phone. The local health practice’s 0870 number… nah, he had the ‘real’ one. – Sure, get here asap, they said. The ambulance came. On the trolley now, doctors coming and going. A bit blurry. Fading, fading. A machine – wires… something, something wrong. Shaking heads. Dark, dark, dark.

The back-up defibrillator had failed. Wouldn’t normally have been used, but the real one had gone away for repair. In the old days, when the budget allowed, they’d have got the engineer on site. But things were pared to the bone now, and there was a 24-hour turnaround contract.

Of course, the budget shortfall hadn’t been helped by the drop in all the little sources of income for the health centre. Those guys who’d found an inconsistency in the boundary records for the car park, and had clawed back all those parking charges. Oh, and the strange drop in the margin on the 08— numbers. Some clever arses had found out the local numbers and put them on the internet.

At the edge of every system, it’s the tiniest differences that swing things. Johnny had just slipped, irretrievably, over the edge.