The Risk of Identity
The recent tragedy of the Windrush Scandal has unsurprisingly prompted calls for identity cards to be introduced in the UK. The UK, like most English-speaking countries, has no existing identity card scheme. This is largely an historical accident. When the Code Napoleon was introduced, it was based on a complete census and included identification numbers for every citizen. The Code Napoleon, and these identification numbers, are the basis for much of the legal code across Europe. From there, ID cards have been exported, through colonialism, to many countries around the world. But not to the UK, nor its former colonies.
If you speak to people from countries with an ID card system, they will often talk about how convenient it is. These cards make it easier to interact with government services. That’s the logic calling for their introduction now. If everyone arriving as part of the Windrush generations had some form of ID, then surely they would have been safe from the hostile environment?
But that ignores the motivation behind that policy: it assumes that policy isn’t racist. It also ignores dark trends like China’s dystopian social credit system.
Once an identity card has been introduced, it will be very difficult to remove. The UK stands as a country that has chosen to limit how much its citizens are tracked. We should be very careful before reversing that.
This care has not been shown with the introduction of GOV.UK Verify.
For those who aren’t aware of that project, here’s the history. To improve the government’s delivery of services, the Government Digital Service (GDS) tried to introduce a central, single sign-on for all government. This was about strong identity, not just usernames and passwords. The government needs a high degree of assurance that the person sitting at the keyboard is who they claim to be. They also need some details about that person to display the right tax records (for example).
Privacy groups (quite rightly) shut down a centralised, single sign-on as a digital identity card. But it was the implementation that was thrown out, not the concept. The concept has been implemented by GOV.UK Verify, except its components have been smeared across three separate organisations.
The government has decided to create a commercial market for identity. Private companies can now provide identities. Government services use these identities. And a hub connects the two. Privacy groups were satisfied because of the hub. An identity provider (i.e. private company) doesn’t know which services you’re using the identity with; a service provider (i.e. government agency) does know which identity provider you are using.
The identity providers will assure identities through examining evidence, typically using government and other commercial services. Citizens only need to assure their identities once, and can then use that digital identity across multiple government services.
There are different levels of identity assurance, depending on the evidence provided. Services decide what level of identity assurance they require. Identity providers are paid by the government for each identity. Citizens pay the identity providers either by giving up their data, or with actual money. At the time Verify went into beta, only one identity provider was charging customers money.
A public-private partnership for creating and assuring identities to access government services should make you very uneasy. At the very least, you should object to paying a private company (either in money or data) to access essential government services. But it’s when they start talking about creating a commercial market for identity that I start to get very uncomfortable.
Here’s how that could play out.
Amazon signs up to allow Marketplace merchants to sell using their UK Gov identity. This is great because merchants with an assured identity can be assessed for fraud risk much more accurately. Amazon decides to pass on some of the savings from reduced fraud to the merchants. This encourages more merchants to use it. Amazon starts promoting ‘Assured Merchants.’
Assured Merchants start to complain about the fraud they’re suffering from buyers. Amazon responds by allowing customers to purchase using their UK Gov identity as well. Even less fraud; savings passed on to both merchant and buyer. Assured Buyers emerge.
The popularity of the programme means that there is fraud even with Assured Merchants and Buyers. Amazon increases the level of assurance required. People are happy with the higher quality of online commerce.
The Guardian, sick of the poor quality of commenting, allows readers to sign in with their UK Gov identity to comment. Assured Commenters are promoted above others. Because they’re promoted and because of the social pressure of having their comments attached to real identities, trolling decreases. People are happy with the much improved comments, and start to hide non-assured commenters.
There is a bombing in Newcastle. The UK government decides to institute more stringent controls. It introduces a new Level of Assurance 4 that requires constant monitoring of bank account transactions.
Under pressure from the government and the Daily Mail, Amazon requires Level of Assurance 4 for marketplace transactions over £1,000 and for all transactions involving fertilisers.
A social network launches that only uses UK Gov identity for sign-in. People love the idea of knowing that everyone is a Real Person.
Another scare. LoA 5 requires continuous access to the GPS in your phone.
Another incident. LoA 6 requires occasional access to the camera in your phone.
How about an LoA 7 with continuous access to the camera in your phone for anyone either in or running for public office? That would make corruption very difficult.
Have you read Dave Eggers’ “The Circle”?
And we sleepwalk our way into a dystopian future where any form of anonymity is both frowned upon and results in a significantly lower quality of life.
And remember, none of this required the identity provider to ever know which service you were using your identity with.
And I haven’t even mentioned that all sign-ins flow, unencrypted, through a server and network controlled by GCHQ.
What Do We Do?
Despite the above descent into madness, I am not a paranoid person. I’m also a firm optimist, not a pessimist. To me, the above is an opportunity. In fact, there are a number of challenges that could be addressed.
Interacting with government services digitally is difficult, especially when it comes to asserting who you are.
There are non-government digital services that are also difficult to interact with, especially when this service is government-adjacent — such as accountants filing tax returns.
These problems are compounded for organisations. The organisation can’t interact with anyone; it always needs to delegate to a human. In the case of large organisations, there is a substantial difference between a responsible officer and the person who would actually do some work.
What does this look like for small versus large organisations?
Banks contain a substantial ability to assure identities. Couldn’t that be made available in some way that maintains the interests of their customers?
None of these are UK-specific problems, either. Even if a country has a digital identity card, introducing a less intrusive digital identity scheme alongside would be a Good Thing™.
And while you’re at it, can someone do something about the poor quality of commenting while not excluding the marginalised and the historically discriminated against from participating in new communities?
There are a lot of complicated and interesting problems here. I, and the Anthemis Foundry, would love to talk to, and possibly work with, any people or startups looking at these problems. If that’s you, please get in touch.