To date, most of the benefits of identity management have fallen to organizations rather than individuals, but it doesn't have to be that way, a British associate parliamentary group heard last month.
While the focus has been mainly on the needs of organizations, identity management could be used to deliver significant benefits to individuals, says Toby Stevens, managing director of the Enterprise Privacy Group, a cross-sector organization that aims to share best practice on privacy issues. The idea would be to take a radical new approach to identity by engineering identification systems to match the needs of the citizen, rather than those of the state.
The "citizen data substrate" would not be a single database or even a number of shared databases, but a massively distributed, federated layer of data that can be accessed by citizens, state and industry alike. This would support a model of information sharing where the citizen acts as a gatekeeper to their own personal data, choosing to grant access to other individuals, organizations, and state bodies as they see fit. This could be one of the building blocks of more citizen-focused services.
"The 'citizen data substrate' represents a thin layer of data, shared across government, which can be used as a master index of the population," Stevens told CIO. "Its purpose is not to provide identity data, and as I envisage it, the substrate would not even contain personal information, just a couple of biometrics and possibly some other identifying data to assist systems in matching individual records — for example, height and sex. It may well be possible for us to use template biometric data only, rather than images, but that will depend upon the accuracy of the biometric technologies used."
The purpose of the substrate would be to confirm uniqueness of each enrolled individual. Under Stevens' envisioned model, citizens would be under no compulsion to enrol and face no biographical check at the time of enrolment.
"What the substrate provides is the ability to bind different commercial federated schemes together, since they can have confidence that an individual is not claiming duplicate identities across the systems," he says.
"Government's role in this is simply to provide assurance of uniqueness of a biometric record — government systems that require identity data would hang off it in the same manner as commercial providers."
The downside for government, Stevens says, would be the same as the upside: they don't get to build a massive database of information about their citizens, but nor do they have to maintain the accuracy of the data therein. This approach is far less likely to inflame civil liberties campaigners, and leaves the citizen free to select their own data processors rather than being forced to provide identifying information to the government.
Stevens stresses this is a brand new idea which has yet to be discussed in detail with any government, but which has just been presented to the OECD. "I anticipate some resistance from government, since the concept of proving 'identity' rather than 'uniqueness' is so deeply ingrained in the public service mind-set," he says.