On digital identity, the government gets it wrong again

by Jeremy

It’s easy to criticize the government for wasting £175m on one of their many identity systems. Still, the problem of establishing identity online is one of the significant technical challenges of our time. Since the 1960s, we’ve used personal information such as usernames and passwords to link inbound traffic to a specific account. This approach made sense in the 1960s for logging on to one computer, but today the average person has more than 130 online accounts.

Along with usernames and passwords, we’re frequently asked for our full name, contact information, payment details, addresses, date of birth, bank statements, utility bills, and mother’s maiden name to establish who we are. Stored on the servers of hundreds of companies, this information is traded both legally and illegally as we’re tracked and profiled by advertisers and targeted by criminals.

In its latest attempt to solve the problem of identity, the Department for Digital, Culture, Media, and Sport (DCMS) recently published its draft rules of the road for governing the future use of digital identities.

Trust framework

The Trust Framework policy paper outlines the government’s commitment to taking “a leading role in developing the digital identity market”.

In treating “identity” as a product or service to be sold by commercial identity providers, DCMS overlooks that “identity” can instead be expressed as the response to a specific question, asked by one organization and answered by another. For example: “Are you over 18?”; “Do you have a monthly income over £1,200?”; “Do you have less than three points on your driving license?”; “Are you a resident of the UK?”; “Can the police identify you if you break the law?”.

Different companies and government bodies hold the data needed to answer these questions, and that data should not be centralized by commercial identity providers.

The Foundation 2 proposal, developed by Demos, argues that these questions can be expressed as standardized requests, developed and maintained by a new standards body and routed between existing organizations.

Each request would perform a specific function while using the minimum amount of personal data – for example, the answer to the question, “Do you have a monthly income over £1,200?” would be either yes or no.
