This post sketches the approach to a National Identity System in NZ, Great Britain and Australia. All countries have an aversion to an ID Number and all are attempting to create an ID system without an Identity Card. It is the opinion of Welcomer that the best way to achieve this is to create an Identity System where the individual looks after and controls their own electronic identity.
As far as is know this is not the current approach of any government. In this post a way of creating a robust National (and International) Identity system is proposed. The proposal is based on the idea of a connected personal cloud where a personal cloud is information held about a person no matter where it is held and includes only those items that the individual and organisations requiring identification deems relevant.
Identity systems have two main parts. The first is establishing a unique id or name for a person when a person first presents themselves. In this paper this is called verification or Identity Assurance. The second is proving that the name represents the same person when ever it is used. In this paper this is called authentication.
Method 1 - Identity Assurance provided by the government - NZ government approach
The NZ government is providing Identity Assurance through the NZ Post Office Real Me service. A person creates a Real Me account and verifies their identity. This is done at no cost to the individual. Organisations pay the NZ Post Office when a person uses Real-Me to verify their identity.
Method 2 - An Identity Assurance issued by for profit organisations for the government - The UK Government Approach
This is a variation on 1 but instead of the government being the only issuing authority private organisations offer the same identity assurance services.
Method 3 - Identity Assurance by giving private organisations access to government credentials - The Australian Government Approach
The Australian government is offering access to government credentials through the Document Verification Service. Approved private service providers can are given access to government credentials and only organisations that have a legislated need can use the system for Identity Assurance. The Identity Assurance income is divided between the organisations supplying the credentials and the service providers.
Method 4 - Identity Assurance by giving individuals access to their own government credentials through approved service providers.
Instead of organisations offering Identity Assurance services, individuals can prove their identity themselves through the use of approved service providers who provide them with access to government and other reliable trusted credentials. The individual uses these services to provide Identity Assurance to organisations who pay for the assurance. The funds received can be divided between the holders of trusted credentials, the service providers and the individuals.
To encourage take up of Method 4, individuals can nominate one or more Community Organisations, to whom they belong, to receive any fees due to the individual when they provide Identity Assurance. The Community Organisations uses the Identity Assurance for their own organisation. This confirms the identity within the Community. Community Organisations will encourage members to use the Identity Assurance service with other organisations, and the government, provided the Community Organisations get a direct cash benefit from the repeated use of the Identity Assurance.
Identity Assurance systems typically do not go beyond Assurance. Every organisation needs to set in place its own Authentication System. In Australia in the Federal Government is doing it using Single Signon Technologies such as myGov or eHealth id.
However if the individual has control over their own electronic identity they can use it to authenticate themselves for their online transactions with organisations who have used a standard Identity Assurance service. The individual can keep track of all their interactions, through approved service providers, and can protect themselves from identity fraud.
Such systems remove the need for usernames/passwords and single sign ons. They achieve authentication of identity with the devices used to connect.
Once an individual has access to multiple organisations the individual can Federate their own data across organisations, as required, and provide a low cost privacy friendly method for the sharing of personal information.
Once an individual has an Assured electronic identity this identity can be attached to any device agreed by any particular organisation for use with the organisation. Identity Assurance is independent of the device used. Devices can be identity cards, such as an Ehealth card, or it can be a passport, or it can be mobile phone, or it can be a credit card, or a travel card or even a national, state, or city identity card.
Deployment of Method 4
The Australian government can deploy Method 4 incrementally for low cost to both the government and the community. The reasons are:
- There is no need for any changes to legislation to deploy it. The new privacy law that became enforceable on March 12th can be used to allow holders of trusted identity credentials, such as Births Deaths and Marriages, to provide the individual access to their own records using the individual's own choice of method and using an agent of the individual's choice.
- There is no need to change any existing identification system to deploy Method 4. Method 4 can coexist with any other existing scheme and can be introduced incrementally to any organisation. Method 4 can use the Federal Government Document Verification Service to provide immediate access to government trusted credentials.
- There is no need to change any existing IT system to deploy Method 4. The only requirement is for organisations using the system to expose an API to service providers. Opening up an API is technically equivalent to creating a webpage that can only be visited by service providers.
- The holders of credentials systems, can, if they choose, charge for access to their credential systems.
- There can be many service providers providing competition.
- There is unlikely to be opposition from privacy advocates because identity will remain siloed and under the control of the individual while providing access to law enforcement through the use of appropriate court orders.
- Community Organisations who have the goodwill and trust of their supporters will drive adoption; provided they benefit from the introduction of the system. That is, instead of the service providers and governments being the main beneficiaries in terms of income and efficiencies the wider community can share in the benefits through support of an individual's community organisations of choice.
- Some Commercial Organisations, such as the large banks, are likely to support the initiatives because they do not compete on Identity Assurance and they gain from a common Identity Assurance System.
Opposition to Method 4
Opposition to Method 4 will come from those who currently benefit from the existing inefficient system or who see ways they can exploit the existing system and obtain a quasi monopoly or duopoly. There may be opposition from foreign security services as Method 4 makes covert spying activities more difficult. There will be opposition from the identity tracking industry who profit from tracking individual behaviour. There will be opposition from centralists who believe the government should monitor the citizenry for the citizen's own benefit. There will be opposition from some IT security providers who believe that security has technical solutions independent of social structures.