Achilles and the Tortoise do Identity Management

Achilles: I’ll make things cheaper and simpler for you, you’ll see. Then you’ll be happy. And richer. And so will I.

Tortoise: What?

Achilles: I’m going to give you a new unique identifier so you can have a better relationship, and do business, with me–your personification of government!

Tortoise: I don’t want one.

Achilles: Psst. *whispers* For the purpose of this dialogue, you do. OK? Now play along.

Tortoise: Fair enough. Where’s my identifier then?

Achilles: I can’t just give it to you. How do I know you’re you?

T: I’m Tortoise. Can’t you see?

A: But you could be any tortoise. Where’s your passport?

T: I haven’t got one. I’ve lost it, I mean.

A: For the purpose of this dialogue…

T: OK OK, here…

A: Thank you. Here’s your identifier.

T: What happens if I lose it? Can anyone else use it? And pretend to be me? And do all these things in my name?

A: Um, no. Of course not. This is secure.

T: Right… So how did I get my passport in the first place?

A: You sent in a birth certificate, and had someone else who’s got a passport to vouch for you. Don’t go there.

T: And assuming we weren’t face-to-face here, right now, in this dialogue–how would you send me the identifier?

A: In an envelope to your house.

T: What if somebody else got hold of it en route? Then they could pretend to be me online, no? Like really, really easily? That wouldn’t be good.

A: I’ll give it some thought (I probably won’t). For now, I’m just giving it to you.

T: OK, so I have this universal identifier (assuming I want one, and have a passport, and I haven’t fraudulently obtained it, and ignoring lots of other things that we can just regard as edge cases). So, what’s the universal identifier going to allow me to do?

A: Well, it means you can quite simply log in and find lots of information that’s been personalised about you–so instead of having to look at all the information available on bin collections, you can just see when your bin will be collected.

T: So, how will the online system know where I live?

A: Oh, simple, there’s this big database which holds everyone’s address along with their name…

T: But doesn’t that sort of mega-database tend not to work? I mean, who’s going to keep it updated? Surely people’s addresses change quite a lot? Having the right one there is going to be pretty important, no, if this is to be the One True Record?

A: OK, scrap that idea. Well, you can put in your own address if you like.

T: But what if I don’t put in the right address–if this is some kind of Master Record of me, Tortoise, isn’t that going to cause a bit of bother when you try to send me a tax demand–I mean, I might “accidentally” put in a gibberish address to stop you getting hold of me?

A: Ah. Good point. OK, forget all that–we won’t hold the address any more.

T: It’s still the Master Record about Tortoise, though? This is getting more complicated than I was expecting.

A: That’s because we’re stepping through a dialogue to show that it’s more complicated than everyone thinks it is. But nobody really likes to engage with the detail.

T: Ah, yes, of course. Carry on.

A: So with your universal identifier you have a simple way of getting in to your various accounts with government, all in one place, so that you can do things more easily.

T: I don’t really have ‘accounts’ as such–well, income tax, I suppose, and council tax, but that’s about it.

A: Yes, but you buy things sometimes, don’t you? Driving licences, and passports? And you pay parking fines sometimes, no?

T: Sure, but… oh, ok, I have these accounts, and because I can get into them all with the same identifier, which shows I’m definitely me (subject to all the reservations earlier), then things are easier and cheaper. Hang on a minute–if you put all my data in one basket doesn’t that mean that you’ve created a sort of super-record about me? You, as the personification of an initially benevolent but ultimately potentially totalitarian government, might want to keep all sorts of other information on that single record. I might not even be aware of half of it.

A: Ah, but if you’re got nothing to hide…

T: Don’t go there. How big’s your “Gentleman’s javelin” again?

A: Right.

T: Right. And if someone gets access to my account, that’s an awful lot of personal data they’re going to be able to get hold of in one place. Is that wise?

A: We can put in all sorts of detailed access controls and permissions to make sure any one of the 12 million people with access to these systems only gets to see exactly what they’re supposed to.

T: Right you are. Hasn’t that sort of minor, niggling detail been one of the main reasons that such projects have consistently fallen on their arse over the last 20 years?

A: Possibly so–I tell you what–we’ll give YOU the ability to partition your data and decide who’s allowed to see what. This simple 59-screen control panel will allow you to do exactly that.

T: Hang on a minute–I have to go to enormous amounts of bother to administer something I might use once a year to check whether a council tax payment’s gone in? No thank you! I have enough trouble with my Facebook settings. Look, do we really have to have all this personal data stuff in there? It’s so risky–sod the convenience bit; there’s some things I really don’t mind logging in separately for.

A: OK, you’re right. It was worth a try. Tell you what–your account can just be one where you don’t keep any personal data–just things you choose to keep there. That takes a lot of the risk away, and you can use it to remember what sort of screen colours you like, who your local council is, that sort of thing. But…

T: But?

A: But you’ll have to get over the constant disappointment when you’re using it that we’ll never be able to take any of the data you put in there at face value, without checking it some other way, I mean.

T: Why not?

A: Because your account is either about the “real Tortoise” or it’s not. There’s no half-way house. We either do the sort of hard authentication you’d do with your bank so that you can move money around online, or we do the sort of self-asserted stuff you do when you buy, say, a bag of teabags online. We don’t really care who you are, as long as you pay us, and give us an address to send the tea to.

T: But that sort of “hard identity” stuff makes sense for things involving money–especially where someone might steal some from me (or steal details that would help them pretend to be me and get money diverted that should come to me). It just seems like complete overkill for finding out when my bins will be emptied.

A: Quite possibly–but you wanted all your government business in one place, didn’t you?

T: Did I?

A: I thought you did. Somebody did. All I hear about is “make government more like Amazon”, “make it all simply accessible in one place” blah blah blah. You mean that might not be the requirement?

T: So far, Achilles, we’ve piddled around changing the requirement through a massive spectrum of parameters including data richness, hardness of trust, ease of use, and personalisation. I’m beginning to suspect that people blithely use this concept of “easy access in one place” without actually thinking through what sort of requirement that implies in practice. Furthermore, this sort of woolly guff is likely to get lots of people spending years dicking about running pilots that won’t really go anywhere, testing technologies that are completely inappropriate, and listening to quite a lot of baloney from vendors who stand to make a great deal of money as long as such requirements are never actually bottomed out. What say you, Achilles?

A: Fuck. Rumbled.

(with apologies to Lewis Carroll, and especially Douglas Hofstadter)

You can read more whimsy from these two here.

Sit down and be counted?

Online interactions between people and government fascinate me. Which is just as well, given I’ve spent a long time working on innovation and programmes that attempt to do this sort of thing.

I’ve written before about some of the challenges behind the “government account” concept: online tools that would help citizens to transact with government in smarter ways. They represent a wicked problem – in that you can describe what such an account does in a single, simple line but nobody’s actually managed to produce one in practice, for all the money that’s been spent trying.

This is because as soon as you endow them with any sort of real usefulness you also need to build in so many safeguards to a) protect privacy, b) be proportionate in what information is shared for what purpose, and c) to guard against misuse (fraud, impersonation etc.) that you quickly render them unusable by real people, and unimplementable by government machinery. Yet the “vast savings in the future” business case sits there, taunting us to try and try again to find a way. And it’s human nature to want to believe (sometimes in the face of very strong evidence) that simple conceptual challenges must have simple solutions. Truly, a wicked problem.

Proposed solutions inevitably gravitate towards two poles: the absolute identity model (beloved by the “nothing to hide, nothing to fear” brigade) where everything is pegged back to a single (probably biometrically-founded) master record. Or non-personal, “opt-in” models. (“Non-personal” in the sense that although you can create your account to look like it’s about you, it’s not evidentially reliable for any form of ‘strong’ transaction. The sort you might later conceivably have a court case about, for instance.)

If you try and get clever, and design hybrid solutions that mix-up trusted and non-trusted areas of information, then you can solve more of the implementation challenges on paper, but you magnify the usability (and security) problems exponentially. And so we go on – that’s another story.

But let’s set aside conceptual discussion for a moment and focus on just one very topical instance of interaction with government: voting.

The scenes of chaos last night at polling stations were quickly followed by cries for a better way. Our Victorian processes and infrastructure can’t cope, say the people – and now we have teh shiny internetz – surely A Way Must Be Found.

(What tickled me a little is that some of those cries for A Better Way came from people who would probably have serious reservations about the unintended consequences of this sort of thing.)

Bear in mind that for any electronic voting solution there are a few core concepts that need to be considered – notably the need to have a referencing method, and a proof process.

A referencing method might be a list of National Insurance numbers, for example – a common index by which people and government agree that they’re talking about the same person. In traditional voting, this is the electoral roll – a list assembled for the specific purpose of enfranchisement. Although it’s shared (and sold) for other purposes, this isn’t generally used to enable other business with government. It’s not (that I know of) connected to your tax or benefit records, for example (other than having ancillary involvement in identity verification, credit-reference-style).

It’s worth bearing this in mind when you consider the referencing method that online voting might use. You want to connect your voting record to other things you do with the state? You’re sure you don’t want to think about that a little more, liberally-inclined Twitter-folk? So, your referencing solution might instead be merely the migration of electoral rolls to an online register, but one that’s not connected to other government interactions. Sensible precaution, or massive missed efficiency opportunity? That’s the sort of real-world difficulty we face with these decisions.

The proof bit is where the voter makes a claim (to an acceptable level of proof) that they are that person. That could be as simple as replying to a letter sent to your house, showing online (or by phone) that you know something about other account records that only the account holder would be likely to know, or as complex as turning up at a government office bearing original birth certificates.

But bear in mind that if the proof bit isn’t done online, there’s an extra level of complexity in sending you whatever you need to then use online to demonstrate you’ve done the proving. Even if you just want it emailed, that means someone has to be responsible for the email addresses, not letting them be used by spammers or left on a disk on a bus (etc. etc.).

Even the simple gets complex. It’s the nature of this territory. It’s all ultimately based on what level of risk, whether of error or malefaction, is acceptable.

You’ll spot at this stage that the relative level of proof required for traditional voting is absurdly small. You need a card in your hand (which you can pick up from anyone’s doorstep or shared mailbox) or, failing that, some identity that can be checked against paper records at the polling station. Can it be fiddled? Of course it can.

An acquaintance of mine received two polling cards in 1992, one at his parents’ address, and one at his student address. Both were in marginal constituencies which changed hands. He happened to be travelling between the two areas that day… And that wasn’t even ‘intentional’ fiddling – just sloppy record-keeping.

There is something – I think of it as channel friction – which comes into play here. It’s relatively burdensome to blag your way into a polling station; to extend a trembling hand full of someone else’s utility bills or to queue for half an hour. It’s a lesser pain to do things on the phone: it might cost you money, it takes time, you need to work harder to cover your tracks. But online, you have a very well-greased channel – register another 50 voters at a time? Sure. *click* Scan the registers for names that can be more easily spoofed? *click* Do all of this on a massive scale without leaving your bedroom? *click* Not to mention all the other service disruption and denial tactics at hand.

And while you’re thinking about the information flows as you design your solution, have a think about the potential impact of e-voting on political volatility. I may be strapping on the tin-foil hat here, but isn’t it conceivable that if we make the tools very easily available then their use might be demanded (by both sides) more and more frequently? For that budget decision, to go into that war, to execute that prisoner? I’m not saying that this level of ‘open’ government is necessarily bad – just that it’s different. And there are serious societal implications, from digital inclusion to softer issues of how online channels can lead to selective participation and extremity of view, to be borne in mind.

Be careful what you wish for; perhaps there are very rational, if unstated, reasons not to modernise some things?

Honestly, I’d love someone to crack this one. I really would. If you believe there’s a potential solution to this one, do please sketch it out below. Let’s have the discussion.

I’d love, as always, to hear a view from the VRM crowd – the self-assertion of the data you want to share is a useful concept when you’re buying things or services, but I’m baffled as to how it would solve either the “who am I saying I am” test, or the “who I am” test.

Personally, I vote postally. Because it makes more sense to me. It strikes an acceptable balance between my time spent, electoral administrators’ time spent, security and emotion. I’d like to have a go at improving the actual design, mind you – those multiple envelopes were bonkers – but it works.

Sure, I don’t get to smell the plyboard booths, and finger the grubby, stubby pencil but it does the job. And I don’t have to avoid eye-contact with rosette-wearers outside (really, why do they do that?) or risk a late-night lock-in with the police and an angry mob.

So, over to you.

If you think there’s a way to improve this electronically, pitch it… And if reading this has been useful, and opened up a few more areas of thought around this, do share it with others.

It’s all about me

I don’t know where this story ends. I know where it starts though.

At various times since the dawn of technology-enabled government – since information about some of the big things in your life was held on computers – the cry goes out: “Why can’t we join all this up?” “Why do I have to keep telling government the same information time and time again?” “Why can’t I get at all the things that are important to me – all about ME – in one place?”

And other such variants. But you get the point – simple, obvious questions.

And as the years have ticked by, the progress made towards answering these questions has been…well, shabby, to say the least. Especially in proportion to the money that’s been spent in this area.

We’ve had talk of passports, of portals, of “Tell Us Once”, of Citizen Accounts. Of Gateways, single identifiers, and now, MyGov.

None of them, with the exception of the last one – for whom it’s too early to tell – have done very well. (Online, anyway. Tell Us Once has apparently being doing quite well in face-to-face service pilots.)

Isn’t that interesting? Simple questions. Obvious goals. But never any progress. Ah – the wise will say – that’s just because nobody in government wants to change. There are all these vested interests. We’d have to rewire the way everything worked. And – say the privacy campaigners – do you realise what you’re also doing here? Creating an environment where a future totalitarian government can control everything you do from that one place – and where the loss of that single picture of you would make your life completely unmanageable until it got sorted out again.

I’ll argue that there’s an even more obvious reason why progress falters and eventually stalls. Time after time.


The temptation to believe that such easy questions must have simple answers, and to keep on searching for them in the same way over and over again. Usually by starting with a simple model, getting frustrated by how quickly it gets complicated, then abandoning the work and starting with another simple model. Rather than the harder task.

Which is to ask: what’s the actual goal of this ‘personalisation’? For it’s really not as obvious as it may seem.

Some of you may stop reading at this point. Or find yourselves wanting to dodge the difficult questions. “Why make this more complicated than it needs to be?” you may think. Why, indeed? “Surely the goal is to make things simpler for the citizen, and less expensive for government? Like, durrr…”

The White Knight of Personalisation (and I’ve met a few over the years) generally says one of several stock things at this point. Here are a few of them: “All your data can be cross-referenced in any case by government: why the hang-up? Just accept this and build everything around one identifier, hey how about the National Insurance number?” “Let’s just do an account that doesn’t hold personal data, then we don’t need to make it too complicated.” “Ok, let’s start from scratch – let people just choose their own identifier, maybe their email address, and use that to log in”. Or the delightful line: “but I have accounts with my bank, and to buy things online – why does government have to be so different?” Believe me, I’ve heard them all. The “why is government different?” question needs a whole post to itself.

White Knights either wear suits and get paid a lot to try and crack the problem afresh, or step forward from the lower orders to show how simple it all is, and try to stick it to these greybeards in government who “just don’t get it”. Isn’t it a bit odd though how the Knights never actually demonstrate a workable solution, no matter where they come from? Shouldn’t that tell us something?

(I owe an honourable mention here to The Tall Knight of Vendor Relationship Management – Google it when you have a moment – who may surface at some point and tell you the whole model is upside down, and people should be choosing what information they share with government, because that makes everything much cheaper and safer to manage. But I’m definitely not taking on that one in this piece.)

I can’t address every twist in this topic in one post by the way. It would become a very long, dreary read indeed, and perhaps detract from my main point. But here are just two of the many simple models of “a personal relationship with government” that you can use to illustrate the point about how it all complicates rather faster than you’d expect.

Case 1: the simple ‘account’. I just want somewhere I can bring together basic information relevant to me. My bin collection dates perhaps. And school terms. Local services for my area, not just generic national information. And reminders about stuff like my next MOT date. No personal data though. I don’t want it to be so secure that it’s hard to access, and I don’t want it holding information about me that will matter if it gets mislaid on a memory stick.

Case 2: the single place to do business online. This is more advanced: it’s an online service that I can log into and then do really useful things. See my tax and benefit account information in one place. Make payments. Change where my benefits are paid into. Find out about eligibility for things I didn’t know I was entitled to, based on what I am already. Correct my address details if they’re wrong. Upload my photo and allow it to be used for several purposes. Notify my change of circumstances. And so on…

Can you see why these two examples are very different? And why it would be next to impossible to morph a Case 1 solution into one for Case 2? Get a blank sheet of paper and a pencil and try that for yourself as an exercise. (Focus on who knows what about whom at all stages.)

Here’s how Case 1 can get complicated: quite quickly we realise that any meaningful personalisation of services actually requires more than just bookmarking things nominally “about us”. We can use personalised portals (netvibes.com, for example) or even just browser ‘favourites’ to bookmark things like that. We don’t actually need government to provide this. So, either our Case 1 solution is a publicly developed version of something we can get elsewhere, or it’s something more. “It’s something more”, we cry – it does the pulling together of the relevant bits based on who we are or where we live. “Who we are?” I respond – but remember we said this wouldn’t deal with personal data? Ok, ok then – how about “where I live” (comes an arbitrary counter). My postcode sits in the account and then my view of services gets ‘localised’ in some way. So it’s not really a personalised service any more, it’s a service about my house. And I haven’t even started on what sort of ‘identity’ you then assert in this account. Do I pick my own (in which case it can never be used for anything secure or confidential) or is it given to me (in which case we have to deal with distribution, record-keeping, level of asserted trust and so on)? We realise soon enough that what we really wanted was stuff to be suggested to us based on who we were, not as a result of us finding it and then bookmarking it. See, it’s really complicating already, isn’t it? We didn’t really understand what we were asking for by a non-personal, personalising service.

Case 2: the other extreme to which solutions usually gravitate – the one strong identifier that lets you prove yourself, be suggested to, self-serve and all the other good stuff. How are you going to get that identifier? In the post? At a face-to-face interview? Sent online in response to a passport number? You get my drift. And if all my data is then linked up around it, will I be able to control who in government sees what? Yeah, sure – you can have this 22 page e-form to fill in allowing for various combinations of permission and restriction. But I only wanted to know when my bins were being collected, isn’t that a bit of overkill? Etc. etc. The problem here being that the usability of the service rapidly complicates at a faster rate than its usefulness.

There are lots more nuances to all this – and many more types of solution. But this post is already longer than I’d have liked for easy readability. I wish I could wrap all this up in 500 words. I really do. It could save millions. But I can’t, and I accept that. This is difficult territory.

I even think one particular type of solution may actually be achievable. But you’ll have to get in touch with me to talk about that one. Clue: it’s neither of the cases sketched out above, nor indeed VRM.

If you bump into a White Knight of Personalisation, here are a few posers to try, just on the topic of the identifier (the equivalent of your account number for online banking, or your Driver Number on your driving license, perhaps).
– Will you have to have one?
– Can you have more than one if you choose?
– Can you end up with more than one by mistake, and if so, what happens?
– What’s the worst case if it’s lost or falls into someone else’s hands?
– Will it be possible to connect it to any service that I might use, or will there be limitations, and if so, what?
– Will I be able to stop it being used to connect up any services to each other if I choose?
– Will it be held in a big database (and who would look after that database)?
– Will it be connected to a register that’s also used for ID cards?
(I did actually ask the Prime Minister that last one at the MyGov launch. Just sayin’. The answer, via Jim Knight, wasn’t terribly clear.)

You’ll probably find your White Knight will go a little whiter when you do ask. And then either charge you another couple of million for another ‘scoping’ study, or turn smugly away saying: it’s so easy, surely we can work this out, stop being so negative…

This is very complicated stuff. But it always looks so simple to begin with.

UPDATE 18 December: MyGov died with the change of government, I think. It was a short-lived initiative (perhaps not even that) to reposition the mythical “single place online where you can do everything”. But it will be back. It always comes back. Google “unsinkable rubber ducks” (Randi) when you have a moment…