National Technology Officer - UK Web Site

Jerry Fishenden's Weblog Archives - Oct 2005

October 31 2005, learning from others

As the UK National Identity Card debate continues, there is considerable worldwide technological expertise in this field that can help us ensure the proposals are developed in the best possible way. Of course, no-one claims a monopoly on thinking in this area - but it makes sense to cultivate and capitalise upon this expertise as we think about how technology can help deliver successful identity systems (and equally to be realistic about which aspects of technology will not help).

As Niels Bjergstrom comments:

“… national eID systems bear very limited resemblance to a corporate Identity Management system, and the solutions cannot simply be transferred”

He proposes a list of core values that an electronic identity should adhere to:

I am reminded of similarities here with Kim Cameron’s “7 Laws of Identity”, which I summarise as:

One of my concerns with the current UK proposals is that they do not seem to have a clear framework that sets out the basis on which the scheme will operate. It seems to move from political aspiration (the business requirement) to low level technical solutions and models. But we know IT systems that do not clearly set out the basis on which they will operate are systems that fail. This missing layer between business objective and technological solution is what I term the ‘technology policy’ layer. And it’s essential we have this well defined and agreed to before we start contemplating exactly how the system might be designed and what it should contain in order to work. Kim's "7 Laws" seem to be a good attempt to begin to address this technology policy layer (and one which I think has importance for technologists way beyond purely the identity discussion).

It's also useful to look at some of the issues coming to light with the Belgian ID Card: its technological approach has cut across some of the recommendations contained in the thinking of Niels Bjergstrom, Kim Cameron and others. The adoption of a single electronic identifier removes the traditional segmentation that normally provides a bulwark against unlimited compromise of our identity. Perhaps an analogy would paint a clearer picture here. Imagine a ship or submarine that has been carefully designed with a series of water-tight compartments. In the event that part of the vessel is holed and lets in water, that area can be sealed and the damage carefully contained to that one section of the vessel. Without such segmentation, the entire vessel would flood and sink.

The same applies to our identity: we need to ensure that it is maintained in relevant domains that limit the potential impact of any compromise. Moving to a system that no longer restricts identity thieves to a single aspect of our identity gives rise to serious concerns about the scale of the problem that could result. It would be in the UK as if we suddenly decided to hinge all of our identity relationships with Government off of a single number - National Insurance Number (NINO) for instance - rather than ensuring we keep different identity relationships separate. For example, we would not want access to our medical records or other sensitive information to be accessed using the same identifier that provides us with a service to report a faulty street lamp to a local council. Identifiers should be appropriate to their context and for the purpose for which they are being used.

Using a single identifier, such as NINO, also opens up other potential vulnerabilities - since such a common identifier used indiscriminately across all services would enable the likes of service providers to build up a profile of individuals across all their activities. Social engineering (such as the bribing of insiders) and the professional (and incredibly well-funded) criminal hackers would be able to digitally hijack citizens' identities for access to government services - and hence potentially to cause significant identity theft on a scale not seen before.

The UK proposals currently foresee some 265 government departments and as many as 44,000 private sector organisations having access to the identity database. Multiply this by the number of individuals within each organisation requiring access and the suggestion is that hundreds of thousands of people are going to have access to the system. Someone once commented that the UK system would be designed to be as secure as the Trident missile launch sequence codes. It is hard to reconcile such high levels of security with the apparently largely open nature of the proposed system.

It is also foreseen that citizens will be able to update and maintain their records via ‘secure Internet access’ – and, I presume, call centres. Wider issues come into play here, particularly given the scale of both phishing and pharming. And I don’t just mean via Web browsers and the Internet: phishing and pharming are just as likely with voice phone calls too.

Both the scale of external access being proposed and the Internet-based and call-centre access provide potential ways in which the system could be compromised. It will be almost impossible to ensure that such an open system can remain secure, even if we further protect the likes of Internet access through new developments such as InfoCard and the chip and PIN card readers that we may well have within our households in another year or so.

It’s positive that Unisys and a few others have also now entered the public debate about the technology issues and how such a system might best be designed and used. But before we get into that debate in any great detail, let’s first of all sort out that missing layer: the technology policy layer. It seems to me that the ideas of Niels Bjergstrom and Kim Cameron are as good a starting point as any to help us do this.

Oct 25 2005, the public awareness of technology

My Scotsman article on identity and ID cards has produced a very positive response. Although one site I saw claimed I was stating the ‘blindingly obvious’, this is only true for those of us in the IT industry deeply immersed in such topics. Part of my point has always been that our industry has not been doing a good job of communicating on important technological issues in a language that makes sense to the average reader.

The fact that a national newspaper such as “The Scotsman” was prepared to carry so prominently an article dealing with technology is a tribute to them. The same is true of others who picked up on the story too – such as BBC Radio Five who provided me with an opportunity to make the same important technological points on air. This demonstrates a healthy appetite for relevant technology stories – and that we can find a language to communicate with and connect to the average reader and listener.

Of course, one or two of the headlines and straplines around subsequent coverage and secondary reporting are a little sensationalist, as is to be expected - but the core technology messages and concerns remain clear.

There are also some voices of cynicism (“What – Microsoft talking about security!”). But this is to miss a major point. It’s precisely because of our experience and the lessons we’ve learned about identity (particularly the reality of what does and what doesn’t work) and platform security over the years that we have some authority to speak on large-scale security issues. My colleague Kim Cameron has consulted and written extensively on this topic.

My intention is that my Scotsman piece is just the start. I intend to develop many more articles for the mainstream media that tackle this problem of how we bring important technological issues to our wider society. We need everyone to be acting from a position of knowledge and I would encourage my peers and all interested parties working in IT to join me in this endeavour.

Of course, an article like this doesn’t just appear overnight. I’ve been working for some time on the concept of a ‘public awareness of technology’ campaign – to reach outside the technical community to communicate the good, and the bad, of what modern technology makes possible. I believe our industry needs to raise its game in the way it communicates with the general public, the media, politicians, policy officials and others. In the same way that the scientific community is addressing this problem through its PAWS (Public Awareness of Science) initiative, so too should we – as responsible leaders in IT.

Oct 18 2005, the UK National Identity Card

The text below is the full version of my article that appears in today's "The Scotsman".

A well-designed UK National Identity Card could help tackle many problems, including the upward trend in identity fraud and theft. But important technical, security and privacy issues need to be tackled to ensure its success.

One major challenge is that no computer system is 100% secure. We’ve seen various prosecutions arising from unauthorised access to computer systems such as the Police National Computer and DVLA. Putting a comprehensive set of personal data in one place produces a ‘honeypot’ effect – a highly attractive and richly rewarding target for criminals. 40 million users’ personal credit card records were compromised recently in the US – highlighting the very real risks such systems face.

We should not be building systems that allow hackers to mine information so easily. Putting all of our personal identity information in a single place is something that no technologist would ever recommend: it leads to increased and unnecessary risk. And it’s poor security and poor privacy practice. Inappropriate technology design could provide new hi-tech ways of perpetrating massive identity fraud on a scale beyond anything we have seen before: the very problem the system was intended to prevent.

The UK Identity Card also intends to exploit advanced biometrics – technology for measuring and analysing human body characteristics (such as scans of your face, fingerprints and retina). Correctly used, biometrics can provide a useful additional technology to assist with identification – acting as a cross-reference when you need to authenticate yourself.

But as the British Computer Society has commented, “No scheme on this scale has been undertaken anywhere in the world and the technology envisioned is to a large extent untested and unreliable on such a scale. Smaller and less ambitious systems have hit technological and operational problems that are likely to be amplified in a large-scale national system.”

Your biometric scans could be stored on your Identity Card, or on a central database. But the security and privacy implications of storing biometrics centrally are enormous. Unlike other forms of information such as credit card details, if core biometric details such as your fingerprints are compromised, it is not going to be possible to provide you with new ones.

The ID Card itself also needs to be carefully designed to ensure it doesn’t add to identity fraud problems by carelessly “broadcasting” personal information every time it’s used. Using the same identifiers wherever we present the ID Card is a highly risky technical design. Would you be happy if online auction sites, casinos or car rental company employees are given the same identity information that provides you with access to your medical records? It’s unnecessary: we can already design systems that ensure the disclosure of personal information is restricted only to the minimum information required (a pub landlord for example needs only to know that you are over 18). Keeping identity information relevant to the context in which it is used is both good privacy and good security practice.
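The two design points argued for above (keep identifiers specific to the context in which they are used, as the earlier post on segmented identity also urges, and disclose only the minimum a service needs, such as "over 18" for a pub landlord) can both be shown in a few lines of code. The following is an added example written for this page, not code from the original article or from any of the schemes it discusses; it assumes an identity provider deriving per-service identifiers with HMAC-SHA256 from a single root secret (a standard pseudo-random-function construction), and the subject IDs and service names it uses are constructed.

```python
"""Context-scoped identifiers and minimal-disclosure age claims.

Added example for illustration only. Assumes the identity provider derives a
separate identifier per relying party with an HMAC keyed by a root secret;
without that secret, two services cannot link their identifiers to each other.
"""
import hashlib
import hmac
import secrets
from datetime import date

# Constructed root secret held only by the identity provider. In a real
# deployment it would live in an HSM or secure store, never in source code.
ROOT_SECRET = secrets.token_bytes(32)


def context_identifier(root_secret: bytes, subject_id: str, context: str) -> str:
    """Return a stable identifier for (subject, context).

    HMAC-SHA256 acts as a pseudo-random function: the same subject gets a
    different, unlinkable identifier for each context, and the mapping is only
    reproducible by whoever holds the root secret.
    """
    # NUL separator prevents ambiguity such as ("ab", "c") vs ("a", "bc").
    message = f"{subject_id}\x00{context}".encode("utf-8")
    return hmac.new(root_secret, message, hashlib.sha256).hexdigest()


def is_at_least(dob: date, years: int, today: date) -> bool:
    """True if a person born on `dob` is at least `years` old on `today`."""
    try:
        threshold = dob.replace(year=dob.year + years)
    except ValueError:
        # Born on 29 February and the target year is not a leap year:
        # treat 28 February as the birthday (edge case a naive check misses).
        threshold = dob.replace(year=dob.year + years, day=28)
    return today >= threshold


def age_claim(dob: date, years: int, today: date) -> dict:
    """Minimal-disclosure claim: the relying party learns only a boolean.

    The date of birth is used to compute the answer but never appears in the
    returned claim, so a landlord learns "over 18: yes" and nothing more.
    """
    return {"claim": f"age_at_least_{years}", "value": is_at_least(dob, years, today)}


def demo() -> dict:
    """Derive two unlinkable identifiers for one (constructed) citizen."""
    subject = "citizen-0001"  # constructed subject identifier
    return {
        "health_service": context_identifier(ROOT_SECRET, subject, "health-records"),
        "local_council": context_identifier(ROOT_SECRET, subject, "street-lamp-faults"),
        "pub_claim": age_claim(date(1985, 6, 15), 18, date(2005, 10, 18)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the derivation is keyed, a council database and a health-records database that are both breached still yield two unrelated strings for the same person; linking them requires the root secret, which is exactly the compartmentalisation the single-number design gives away.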

The US Government has already started to re-think the way it approaches some of their large-scale government IT systems: for example, they actively encourage IT, privacy and security experts to attempt to find flaws and problems in their new electronic passport system so that it can be improved. Frank Moss, Deputy Assistant Secretary for Passport Services at the US Department of State, has acknowledged the benefits of tapping into existing industry expertise – and that privacy experts’ feedback has helped produce a much better e-Passport. This is proving a successful model that should be more widely adopted, to the benefit of projects such as the UK National Identity Card.

To help reduce the risks traditionally associated with the delivery of identity systems, Kim Cameron – one of the world’s leading identity technologists – has evolved a set of ‘laws’ that provide an important benchmark against which projects can be assessed.

“These ‘laws’ of identity,” explains Kim, “embody everything we’ve learned since the early 1970s. It is possible to achieve good outcomes from projects such as this and deliver systems that are beneficial to the individual and to society. Systems that are safe against attack over very long periods of time. And systems that are likely to leak as little as possible despite all the conspiring forces of time, overconfidence, incompetence and evil.”

A well designed Identity Card could help simplify our interactions with public services, provide additional protection from identity fraud and improve public service delivery. But we need to ensure that technology industry expertise and successful models such as that being adopted for the US e-Passport programme become an integral part of projects such as the UK National Identity Card. There is no need to contemplate designing a system embodying so much potential risk – when the same results can be achieved without any risk at all. After all, if someone were proposing to build the most ambitious bridge the world had ever seen and engineers could see that it would fail and ways in which it could be improved, we would expect their views to be taken into account.

Oct 7 2005, public sector IT projects and the “blame game”

There’s an interesting piece in Prospect (October 2005) by Michael Cross on Public Sector IT Failures (available online at the time of writing – click here). The article provides a useful review, looking at how the UK compares with other countries in terms of the relative number of IT-related projects that succeed or fail. There are clear national differences in the approaches used for large scale projects – with the Netherlands for example breaking them into much smaller component parts to control risk and open up project delivery to smaller players in the marketplace.

One key point is I think often missed when failing IT projects are criticised. Major IT projects are fundamentally major business change projects: and often it is the change programme itself at the root of the problems that arise. The IT systems are usually just the most visible evidence of the failures or problems associated with such major change programmes. To understand the real root causes of high profile project failures requires a greater analysis and understanding of the way in which high level government policy is interpreted and executed upon as it passes down the chain of command. The way in which for example manifesto policy aspirations are then encoded into projects and eventually into IT requirements. All too often inquiries into project failures look at only one component aspect of the problem – the IT systems – rather than the overall project of which those IT systems formed a part. That is why I suspect we see the same problems repeating themselves time and time again.

Looking back at my own time in public service, and the way it continues to operate now, the public sector risk/reward model itself also requires review to help provide an environment better suited to the delivery of major change programmes. There should also be a review of the way in which IT projects still seem to be built on the out-dated and unsuccessful ‘built to function, built to last’ principle: when best practice has moved on to the ‘built to adapt, built to change’ model. Likewise, the old monolithic thinking around waterfall projects should also be pensioned off once and for all: we have far better ways of delivering successful projects represented by the component approach (connected systems and service oriented architectures) and more flexible project methodologies that deliver better results.

It’s important that we learn and apply these lessons now. Look ahead for example at the type of flexibility we will require in the administration of public sector services in the future. We know that the current idea of a fixed retirement age and associated pensions regime is under enormous pressure. It seems likely that the model will change to one where retirement will happen as a gradual process and over a longer time period than at present. Those of my own generation may well find themselves only semi-retiring at first, maybe drawing part-pensions but still also partly working. The demands this will place on our currently functionally siloed systems of taxation, benefits and pensions will be immense if we do not both reform the business processes and the IT systems to support the flexibility that is likely to be required.

In order to enable technology and business needs to work more closely together to deliver projects that meet requirements, it is essential that we find some way of communicating the true value of technology to our business decision-makers and policy-makers. We are increasingly reliant at every level of society on new technological innovations in both software and hardware – yet the number of people who understand either the technology or, more importantly, how we can use and manage it to real advantage, to re-think and improve the way we learn, work and live, remains worryingly small.

Unless we can find a way of better articulating the way in which technology and business can interact to truly beneficial effect, we seem likely to continue to see failed IT projects and associated public service change programmes that frustrate both those who provide them and those of us who use them.


(C) 2004/2005 J Fishenden