International experts in Wellington for a conference on identity last week expressed admiration for the New Zealand government's igovt identity information management scheme and the policy behind it.
One noted Australian ID-scheme critic also appeared won over, saying we benefited from not "catching the terrorism bug".
The igovt scheme signals an assumption of responsibility by government that is lacking in many identification schemes, says former Australian privacy commissioner Malcolm Crompton.
He points to the delineation by State Services Commissioner Mark Prebble of six principles, three of which (security, an all-of-government approach and fitness for purpose) serve government objectives and three (acceptability, privacy and opt-in orientation) explicitly serve the interests of the individual.
Crompton pointed by contrast to the identity provisions of the Medicare scheme in Australia, where clauses supposedly explaining the customer's rights mostly detail exclusions to Medicare's liability.
Identity information management is a question of managing a balance of trust, says Crompton. In many business and government transactions there is currently a "trust deficit" and the customer can credibly ask: "You don't trust me, so why should I trust you?"
Roger Clarke, of Australian consultant Xamax, a seasoned commentator on identity information management and privacy, commended Internal Affairs chief executive Brendan Boyle for referring to identity information management in his presentation.
Government and private industry cannot manage a customer's identity, he says; that is their property.
This is one of several "mythologies" about identity largely promulgated by suppliers of software for managing identity information, Clarke says.
"Everything sold concentrates on the supplier side," he says. "This is the first conference where I've heard about the demand side."
Inherent in the thinking behind the igovt scheme is the ability to dissociate the individual from identity information. The igovt system permits the same individual to assume several different identities. This, says Clarke, lessens the chance of it falling into the trap of the Australian services entitlement card, abandoned by the new Labor government, which everyone knew was effectively a universal identity card.
The push towards this dissociation of identity management service from the person and the management of identity by the person will become stronger, Clarke says. As people acquire more devices through which they do identity-related transactions, they will want all of those devices to talk to a single proxied identity information management service that they control.
The question of compulsion threaded its way through the first day of discussion. Though abandoned Australian and New Zealand schemes were both "opt-in", speakers noted that if enough agencies ask for a verified identity as a condition of business, it will be increasingly hard not to opt in.
Boyle talked about "legitimate public concern" over identity abuse, but other speakers suggested this was exaggerated. There were repeated references to the failure to distinguish in popular conversation between identity fraud, such as the occasional spurious transaction on a credit card, and identity theft -- the systematic assumption of another person's identity with major consequences for the victim's reputation.
According to Clarke, New Zealand has benefited from not "catching the terrorism bug."
Because we have not had a terrorism incident, we haven't fallen into a panic of demanding repeated identity checks, he says, and have been able to approach the question with more deliberation.