I hope by now I’m starting to get through to people about online identity management, because here in the UK a whole lotta folk are about to be forced to sign their life over to an Identity Provider. The UK government has decided to host all of its public services online, to fulfil the ‘Digital by Default’ strategy. The Government Digital Strategy is now expected to be up and running by April 2014. Five companies have been chosen to provide identity management for UK citizens, one of which, the Post Office, will serve as registration centres for biometric smart ID enrolment.
When I try to tell people about this, and how it’s a global scheme, they just don’t seem to hear me. I can only think that the power of the media is responsible – they simply aren’t informing the public properly about this matter, so because you’re only hearing it from me, it perhaps doesn’t seem as real?
Well, it is.
There aren’t any glossy adverts for it yet, but if you wade through the documents, and listen to lectures and webinars aimed at industry professionals, it’s all there on the web.
Educating the public seems to have been ruled out, and instead, people are being drawn in by only being able to access certain services by using an Identity Provider (IdP) – this rules out debate, and the right to be informed. In the US, Obamacare and access to personal electronic health records will kick off national IdM take-up, while in the UK, it’s beginning with access to government services. No matter how private you’re told IdM makes you, there will always be an audit trail, and a host of exemptions from peeking.
Maybe you’re already one of the many victims of the transition to AI government – those wishing to claim Jobseeker’s Allowance must already make their claim online. It is not possible to do this by interacting with a human in any way.
The thing is, the next stage is forcing people to sign up with an Identity Provider (IdP) to prove they are who they say they are, when they use government services which are only available online. It was supposed to start next month, i.e. the transition to Universal Credit (the new benefit which will replace most of the current ones) was meant to introduce identity management to the UK, by requiring all claimants to authenticate themselves online by using an IdP.
However, the plan has now changed, and the latest news is that instead of starting with Universal Credit, there will be 25 government departments moving their services online, and to access these, citizens will need to sign up with an Identity Provider. The services include online driving licences, and other DVLA documents; State benefits, redundancy payments, and tax matters; civil claims; visa applications; electoral registration; and booking prison visits.
In June, the government announced,
“HM Revenue & Customs (HMRC) will become the first central government department to use Identity Assurance (IDA), one set of secure login details to access all online public services, and will be a key component of Pay As You Earn Online (PAYE Online) which is to move to pre-launch mode in October 2013 with ‘wider IDA capabilities becoming available from October 2014’.
The Government Digital Service (GDS), which is developing IDA, has described it such: “Identity assurance is about providing users with a simple, trusted and secure means of accessing public services, so we are working hard to ensure that privacy is at the heart of the service we will provide to users.”
According to governmentcomputing.com, “IDA is set to become the default service for all government departments providing public digital services which require the citizen to confirm their identity.”
The move comes as part of the Cabinet Office’s strategy to move all government services online in order to save between £1.7bn and £1.8bn a year.”
They don’t want to provide staff to man phone lines, or offices – everything will be digitised, and for that you need smart ID.
The UK government (Government Digital Services, or GDS) announced this month they have contracted the services of five companies, and we get to choose which one to sign up with! Gosh, thanks! The five IdPs chosen by GDS for the UK are Experian, Verizon, the Post Office, Mydex, and Digidentity; the first/beta phase is just about to start. There were supposed to be eight IdPs, but PayPal and Cassidian have deferred their involvement for the time being.
It was reported last week that a government spokesperson has stated, “Universal Credit remains part of the future delivery plans for the cross-government IDa Service in development at the Cabinet Office.”
Last year (September 2012), the UK Cabinet Office published the Local Authority Review of “Citizen Online Identity Assurance”, which acknowledged one of the issues in enforcing the system is that “citizen trust may be difficult to achieve”. Too right!!! It’ll be even harder once people realise how easily they can be spied on, the fact that biometrics aren’t reliable enough, and that many things can go wrong when allowing a third party to handle your ability to live a life. If your global ID doesn’t work, you can’t do a thing.
“In June the Government and the UK’s National Technical Authority on Information Assurance (CESG) also published new guidance on ‘identity proofing’ and verification. The guide sets out how businesses tasked with verifying the identity of individuals using Government services can achieve various levels of assurance about the identity of such users.”
The ‘Privacy and Consumer Advisory Group Draft Identity Assurance Principles’ were also published in June, and were actually endorsed by Big Brother Watch and No2ID, but all pretense of privacy is washed away by the exemptions (the “Exceptional Circumstances Principle”), which mean privacy can be violated for the following reasons:
- in the interests of national security;
- public safety or the economic well-being of the country;
- for the prevention of disorder or crime;
- for the protection of health or morals;
- for the protection of the rights and freedoms of others.
This list kinda covers every excuse under the sun don’t ya think? Besides, there’s always the audit trail, and a whole variety of types of data about you that will be looked at. According to Mike Bracken, director of the Government Digital Service unit (GDS) in the Cabinet Office,
“Processing” in the context of IA data means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, aggregating, accessing”… etc
… Subject to any audit or legal requirement, the Minimisation Principle requires any aggregation, correlation or corroboration to be of a transient nature. Any decision that requires a risk assessment of the Service-User will need the correlation of data from possibly a number of sources.”
The UK has contracted its e-Gov services to one company, owned by only one man, who will host the services in the cloud, using software it has contracted from EMC Global Services, an American corporation. Does this mean the UK government is granting control of all her citizens to a private US company?
Identity management enables full personality profiles for each of us, with a unique ID number, which works worldwide, using, for instance, the standards of the Open Identity Exchange (OIX) and ISO certification.
Chris Ferguson, the man in charge of ‘Identity Assurance’ here in the UK, is on the board of directors of the OIX.
In a workshop called ‘Comparing and Contrasting NSTIC with EU Approaches’ at this year’s World eID Congress, Chris Ferguson is due to give a presentation with the provisional title of “UK, a Laboratory for NSTIC in Europe”. This aligns with Ferguson’s commitment to working with his counterparts on his trip to the White House Colloquium on the NSTIC in May of last year, when the Cabinet Office noted,
“The internet doesn’t stop at national borders and nor will the identity ecosystem. Identity services and the technical and legal environments in which they work will need to align internationally over time even if there are differences from one country or business context to another. A step closer, perhaps, to an International Strategy for Trusted Identities in Cyberspace?”
In March, the Open Identity Exchange held a summit at the Microsoft headquarters in London, where Stephen Ufford, the founder of Trulioo (partnered with Verizon to deliver IdM in the UK, the US, and elsewhere) discussed the “problem” in the UK of the five million “unbanked” people – mainly the young and the old – who are classed as being “thin-file” people. Ufford also stated that instead of trying to “educate the public”, citizens could be “eased in” by getting them to use government services online. Trulioo specialises in social ID verification, and Ufford insists the government intends for us to use “social sign-ins” to begin with, such as through Google or Facebook, which would allow them to, “leverage existing consumer behaviour …. to make the verification process more simple”. The social (identity) file, he says, can include an email address, phone number, and even the device ID, and is, “created and aggregated just like a credit file. It’s reported from different identity providers, different instances of your social behaviour….”.
Speaking at the Japan Identity and Cloud Summit, Ufford said that only 5% of e-commerce websites use social log-ins at present, but experts expect that over the next three years, this number will rise to over fifty per cent. He also assured the corporate attendees that they needn’t worry about using Trulioo’s product (called ‘Profile Plus’) because, he said, “… this process (the data we’re using to verify the identities) is completely unregulated so you don’t have to worry about the various types of privacy legislation around the world.” Trulioo gathers all of the bits and pieces of your digital footprint and assembles them as an ID, to provide “internet life verification”, i.e. to ‘prove’ the person is still alive.
Don Thibeau, Founder of the Open Identity Exchange, and involved in setting up the NSTIC, believes the global identity ecosystem could use social and transactional information from the web and “repurpose it for other applications”. Perhaps he’s thinking of how much identity profiles are worth to marketers, financiers, researchers, and politicians.
A webinar by a company (Janrain) partnered with Trulioo (see above), called ‘Leveraging Rich Social Profile Data for Advanced Segmentation’, stated Janrain could get rich profile data, e.g. photo, address, and psychographics, as well as relationship status, declared interests, movies, sports, and even “explicit access to their friends graphs” – this would give marketing companies “close to a 360 degree view” of customers and “could enable one to one marketing” using “centrally stored personality data”.
The UK government guide for businesses, ‘Identity Proofing and Verification of an Individual’, describes the four levels of identity verification; a social log-in is the lowest level of authentication, as it is only ‘level 1’ and no evidence is obtained to verify the claimed identity; a level 2 identity has “sufficient evidence …. for it to be offered in support of civil proceedings”; a level 3 identity has been physically identified, meaning the owner of that identity has provided “sufficient confidence for it to be offered in support of criminal proceedings”; whilst the highest level of identity verification adds biometrics, “to further protect the identity from impersonation or fabrication.” A level 4 identity biometric is “a measure of a human body characteristic that is captured, recorded and/or reproduced in compliance with ICAO 9303”.
The guide also notes that the following documents may be used, alongside other evidence, to authenticate a level 4 identity:
- Biometric passports that comply with ICAO 9303 (e-passports) and implement basic or enhanced access control (e.g. UK/EEA/EU/US/AU/NZ/CN)
- NHS staff card containing a Biometric
- UK biometric residence permit (BRP)
- UK asylum seekers Application Registration Card (ARC)
- EEA/EU Government issued identity cards that comply with Council Regulation (EC) No 2252/2004 that contain a Biometric
The government’s Midata initiative, which requires businesses to compile “consumers’ consumption and transaction data in a portable, machine readable format” is very close to being made compulsory for all businesses.
Midata was developed by the Department for Business, Innovation & Skills (BIS), “using insights and evidence from the Government’s Behaviour Insights Team in the Cabinet Office”.
The scheme is already compulsory for the energy, credit card, current account and mobile telephony sectors, but if secondary legislation is passed, all companies would have to comply. It is said to benefit consumers, but it will also facilitate ID authentication for thin-file people, since it is transactional data, and will make all audit investigations of ID far simpler.
Our health records will be regularly scrutinised by algorithms trying to understand such things as the spread of disease – for this a full ID profile helps ‘make sense’ of each record. Our profiles will also be collated and spread around by marketers, looking for the golden all-round view of who we are, to create a personalised consumer bubble for each of us.
We’re told the UK government won’t have a database of our IDs, but centralisation is no longer the issue – it is the ability to access and aggregate information from across the world wide web in real-time that counts, and ‘Identity Assurance’ does precisely this. Worse still, it moves our IDs to the cloud, where we are even less protected by law, leaving us vulnerable to companies from the US, a country which believes it has the right to snoop on us for the sake of ‘national security’. IdA just makes it easier for them.
The ‘Privacy Principles’ make it clear our IDs can be checked to ‘prevent crime’, which is effectively giving full clearance for all citizens to be surveilled, just in case.
Spread the word and don’t give in – right?
They then get you into the Job Centre and inform you that you MUST upload your CV (your identity profile) to a ‘government portal’ (called ‘Universal Jobmatch’) so prospective employers may browse them; so you can be monitored to ensure you really are trying to find work; and so the AI system can ‘match’ you with a job. Not having access to the internet is no excuse, and those who do sign up to Universal Jobmatch at home are probably unaware that one particular cookie will be placed on their device for a full 1000 days. All this is managed by the Monster Corporation. Nice.
Jobseekers are also told “you must tell us if you leave your home, even if only for a day”.
Delivered by The Daily Sheeple
Contributed by Julie Beal of Get Mind Smart.