Wednesday, 22 May 2013

IDAP: the stories our MPs are told

Here in the UK there is an organisation called the Parliamentary Office of Science and Technology (POST):
POST is Parliament's in-house source of independent, balanced and accessible analysis of public policy issues related to science and technology.
On 25 April 2013 POST published Managing Online Identity to brief MPs and peers about Whitehall's plans for the UK's Identity Assurance Programme (IDAP).

In some respects the briefing note is admirable – "A Home Office report estimated that cybercrime costs the UK economy £27bn a year", it says at one point, before adding "this figure received widespread scepticism".

It would have benefited, though, from a bit more scepticism like that.

For example, the briefing note makes two references to Whitehall's digital-by-default plans:
UK Government’s Identity Assurance Programme
Many public services are managed and delivered via online interfaces. This is part of the new ‘Digital by Default’ model for government services ...

Benefits
Managing who can access personal data is one of the major benefits of personal control over online data and identity. Online accounts may be used by a person or company to identify who may see data, what they may see and what they may use it for. This control supports a shift in many companies and government offices to a ‘digital by default’ model for connecting with customers ...
It might be fairer to MPs to warn them that these plans have been roasted by four professors. Absent that, our MPs might be gulled into thinking that digital-by-default will work or even that it's already working.

An entirely dispassionate briefing note on IDAP might also have recorded the fact that the Government Digital Service (GDS) promised as late as January 2013 that IDAP would be "fully operational" for 21 million claimants on DWP's services by March 2013.

In the event, there is no sign of IDAP and the Department for Work and Pensions have had to make alternative arrangements involving old-fashioned face-to-face meetings, telephone calls and the post.

"Key features of the identity programme", the briefing note tells us, "are that it must":
  • be designed around the user
  • be both private and secure
  • establish a common level of security and trust between users, identity providers and Government.
It's unlikely, now that no-one any longer bats an eyelid at the phrase "hate crime", the playful invention of a novelist, but there may still be some MPs who believe the phrase "identity providers" should appear in inverted commas.

What is an "identity provider"? The UK has eight of them: "PayPal, Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex and Verizon". No MP will have heard of several of them, and there is no special reason why it would be prudent for anyone to trust them with all of his or her personal data, which is the Whitehall proposal.

It is at least questionable how you can enhance your privacy by storing all your personal data with an "identity provider". That step rather looks like the very opposite.

And as to security, is there anyone left in Westminster or elsewhere who takes promises of on-line security seriously?

The newspapers have stories every day of security breaches and on 2 May 2013 Bloomberg had a long report on how the designs for fighter jets have been stolen by hackers from Lockheed Martin and how hackers spent three years camped on QinetiQ's websites, stealing secret designs and using them as a base from which to try to hack NASA.

What is there today to stop the same happening to the UK's eight "identity providers"? POST provides no answer.
