Central online identity scheme 'will be a target for criminals'
(UK Politics) The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services.
People wishing to apply for services ranging from tax
credits to fishing licences and passports will be asked to choose from a
list of familiar online log-ins, including those they already use on
social media sites, banks, and large retailers such as supermarkets, to
prove their identity.
Once they have logged in
correctly by computer or mobile phone, the site will send a message to
the government agency authenticating that user’s identity.
The
Cabinet Office is understood to have held discussions with the Post
Office, high street banks, mobile phone companies and technology giants
ranging from Facebook and Microsoft to Google, PayPal and BT.
Ministers
are anxious that the identity programme is not denounced as a “Big
Brother” national ID card by the back door, which is why data will not
be kept centrally by any government department. Indeed, it is hoped the
Identity Assurance Programme, which is being led by the Cabinet Office,
will mean the end to any prospect of a physical national ID card being
introduced in the UK.
The identification systems
used by the private companies have been subjected to security testing
before being awarded their “Identity Provider” (IDP) kitemark, meaning
that they have made the list of between five and 20 approved
organisations that will be announced on 22 October.
The
public will be able to use their log-ins from a set list of “trusted”
private organisations to access Government services, which are being
grouped together on a single website called Gov.uk, which will be
accessible by mobile.
A cross-section of social
media companies, high street banks, mobile phone businesses and major
retailers has been chosen in order to appeal to as wide a demographic as
possible.
The system will be trialled when the
Department of Work & Pensions starts the early roll-out of the
Universal Credit scheme, a radical overhaul of the benefits system, in
April.
Users who access the Government’s online
one-stop-shop of public services will be asked to identify themselves by
choosing one organisation from a selection of logos. (This feature is
called a “Nascar screen”, in reference to the logo-filled livery of the
famous American racing cars.)
Major web sites are
able to recognise individuals by their patterns of use, the device they
are accessing from and its location. Facebook, for example, asks users
who sign on from an unusual location to take a series of security
questions including identifying friends in photographs.
Privacy
campaigners are not wholly convinced by the programme. “Although this
is a fine scheme in principle and is backed by ministers, the danger is
that it could be side-lined and used as a fig leaf by the data-hungry
government departments,” said Guy Herbert, general secretary of No2ID,
which has been consulted by the Cabinet Office.
Details
of the “identity assurance” scheme are being finalised amid growing
concerns over identity theft and other forms of cybercrime. Foreign
Secretary William Hague and Cabinet Office minister Francis Maude, who
is at the head of the Identity Assurance Programme, will today (Thurs)
meet international experts at the Budapest Conference on Cyberspace. Mr
Maude will give a keynote speech.
The Cabinet
Office believes its new identity model will “prevent ‘login fatigue’
[from] having too many usernames and passwords” and save public money by
increasing trust in online services. The system is likely to be adopted
by local authorities nationwide. The Government hopes the identity
system will form the basis of a universally-recognised online
authentication process for commercial transactions on the Internet,
boosting the economy and strengthening Britain’s position as a leader in
e-commerce.
In recent weeks, the Cabinet Office’s
Government Digital Service has backed a UK working group of the Open
Identity Exchange, which was set up in America to bring organisations
including Google, AOL, PayPal and Experian together to find a simple
method of online verification that doesn’t require multiple passwords.
Members
of the Cabinet Office team travelled to the White House in May to
exchange ideas with American counterparts working on the National
Strategy for Trusted Identities in Cyberspace (NSTIC). The heads of the
British and American identity assurance programmes will debate the
subject next week in London at the RSA cyber security conference.
The
first law passed by the Coalition Government was to scrap the national
ID scheme, a move said to have saved taxpayers £1 billion over ten
years. But ministers want to use the Internet to cut the cost of public
services.
In order to limit concerns over
Government snooping, the Cabinet Office has been working closely with a
range of privacy campaign groups and consumer organisations including
No2ID, Big Brother Watch and Which? The programme’s Privacy and Consumer
Group drew up a list of nine Privacy Principles which underpin the
framework of the scheme.
As part of the attempt to
reassure privacy campaigners, a private identity partner (IDP) which
authorises a user of a public service will not know which Government
department is seeking authentication.
The Post
Office’s involvement in the Identity Assurance Programme was revealed
by a notice placed in the Official Journal of the European Union. The
Royal Mail subsidiary sought a third party provider to help in
assembling consumer data including name, date of birth, address, gender,
passport and driving licence numbers, financial history, electoral roll
status and telephone numbers.
Some commercial
organisations have been concerned that their consumers will react
negatively to their involvement with government. But commercial partners
will benefit from marketing opportunities and the trust that comes with
IDP status.
Without the identity assurance scheme
there are fears that high levels of online fraud will cause the public
to lose confidence in digital channels, undermining the amount of
business done online.
Civil servants acknowledge
that some people will still wish to access public services in person.
They argue that the online scheme will release additional resources to
assist people who lack confidence in making digital transactions.
Q&A: What the scheme involves
Q. Is this just an ID card scheme by the back door?
A. No, it's a way of combating the menace of identity theft.
Q. Will the Government be able to use it to follow our movements online?
A. Authentication is done by trusted third parties and data will not be held centrally by the Government.
Q. But won't the private companies find out personal information that is none of their business?
A. The identity providers (IdPs) don't know for which government agency they are authenticating.
Q. Is a social media log-in sufficiently secure for a major financial transaction?
A. Individual IdPs will need to convince the Cabinet Office that their security checks are enough to meet the Level of Assurance (LOA) needed for the public service being requested. For example, a passport application is a high-security LOA3.
Q. Will it be possible to apply for a passport on your phone?
A. It is anticipated that part of the process will be offered online but some physical ID will still need to be presented in person to achieve LOA3.
Q. Is this just about public services?
A. No, the Government is helping to bring together online companies and create an icon that would enable online payments to be done securely.
Q. What would be the advantages?
A. It would also reduce the need to memorise multiple passwords.
Q. Will it work?
A. That depends partly on the efficiency of the chosen IdPs.