Let’s create a vision for a 21st-century identity card. Let’s create a vision that we can communicate effectively. Let’s create a vision that is founded on minimising the storage of personal data (Crosby 2008). Let’s create a vision that the public and the government can understand. Let’s create a vision that contains some genuine innovation, some excitement and some potential for future development. But most of all, let’s create a vision that is founded in the mass media, because that’s where the British public get their science and technology education (Lacohee 2007). I would suggest therefore that, as in so many other walks of life, Dr. Who should be our guide.
British readers will be familiar, of course, with Dr. Who’s psychic paper. As any devotee of the BBC’s wonderful series knows, the psychic paper shows the “inspector” whatever it is that they need to see. If the border guard is looking for a British passport, the psychic paper looks like a British passport. If the customs officer on Alpha Centauri wants to see a Betelguesian quarantine certificate, the psychic paper looks like a Betelguesian quarantine certificate. The variant I propose is psychic ID. Unlike Dr. Who’s psychic paper, psychic ID only shows the inspector what he or she wants to see if the holder has the relevant credential.
To see what I mean, let’s begin with the most mundane of the use cases discussed by the Prime Minister in his speech on security and liberty in June 2008 (Brown 2008). You are trying to get into a nightclub and you need to prove to the bouncer that you are over 18. The bouncer is looking for a credential that proves you are over 18. You show your psychic ID to the bouncer and all it reveals to the bouncer is whether you are over 18 or not. (Your name, age, address, weight and driving convictions are none of the bouncer’s business.) Your age qualification is all that the bouncer is entitled to see, so that is all they do see. Provided you are actually over 18, of course. If you are not, the psychic ID remains blank, as shown in Fig. 1 below. The laws of mathematics, rather than ombudsmen, enforce this mode of operation: no matter how devious, untrustworthy or computer-savvy the bouncer may be, he cannot persuade the psychic ID to divulge anything he does not have the key to.
Practical use cases
It is not possible to envisage every single application of the identity utility infrastructure but we can set out some basic categories by considering two axes: the connection to the NIR (ie, either online or offline) and the transaction locus (ie, either attended, unattended or remote). At a high level, the infrastructure would need to be able to support all six categories of use case, each of which would require appropriate authentication to be of practical use. The authentication requirements would naturally vary between these use cases (see Table 1). A PIN might be acceptable for logging in to a chatroom, to point out an obvious case, whereas ordering a new passport might require a higher-integrity “three factor” authentication.
This classification means that we can examine the various possibilities in a structured way, beginning with the most prosaic example: the offline attended situation discussed above, where the ID card holder is trying to prove that they are over 18 in order to get into a nightclub.
Since psychic paper does not, in fact, exist, Fig. 1 is merely a simulation: the picture of my good self or the blank red rectangle cannot be beamed directly into the brain of the nightclub bouncer (yet). Therefore some device or contrivance is needed to act as the interface: the picture would actually be displayed not on the card itself but on the bouncer’s mobile phone or a turnstile at the nightclub or a small display next to the door (as shown in Fig. 2), depending on the implementation appropriate to the establishment.
In other circumstances, someone might be entitled to obtain more information from the psychic ID. Perhaps when I visit a polyclinic, the receptionist is allowed to know whether I am entitled to free health care in the U.K. and, if so, what my health service number is. In that case, provided that my psychic ID recognises the receptionist’s authority to ask, the receptionist would see precisely that information. But nothing else, as Fig. 3 illustrates.
The general principle is that if we don’t want personal data to leak (as it inevitably will, the more places it is stored (Learning to live with Big Brother 2007)) then we shouldn’t give it to people unnecessarily. The government currently plans for the ID card to display a 16-digit national identity registration number, full name, nationality, date and place of birth, ICAO machine-readable travel document (MRTD) data, and a black and white photo (Hines 2007). I think this is already too much. Let’s be ruthless about minimising the display of personal data: the psychic ID will have nothing printed on it except perhaps a photograph of the holder and perhaps some kind of card number for administrative reasons (which is not related to the sector-specific ID numbers that the card stores), and it will divulge nothing except the information that its interrogator is entitled to see.
This means that a key feature of the psychic ID must be that it provides only those unique identifying numbers relevant to the questioner. The polyclinic receptionist cannot see my financial services identification numbers, whatever they may be, any more than a bank can see my health service number. If I want to, I can tell the clinic my financial services number, naturally. Similarly, I may wish to tell my bank my health service number. But that is under my control: the clinic cannot obtain the number from my psychic ID and an unscrupulous financial organisation cannot extract my health service number behind my back.
The reason for insisting on this feature is not only to partition data for privacy purposes but also to minimise the impact of data breaches: if hackers break into the polyclinic database, all they can obtain is my health service number and they cannot use it to set about looting my bank account. We cannot assume perfect security and plan on the basis that disgruntled or incompetent employees will never disclose personal data: consider the recent case of the Chilean government employee who published their national identity register (well, just over half of it) on the web! Partitioning is a simple defence. Thus, when I go to the bank to open an account, the psychic ID shows the bank only the information it is allowed to see (Fig. 4).
I hope it is clear what is being envisaged. In this vision, the national identity card is a special kind of psychic paper (without the display) and it is the component of the national identity scheme that makes life better for citizens because it protects their privacy.
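The nightclub, polyclinic and bank cases above share one mechanism: the card answers only the question its interrogator is authorised to ask, and the sector numbers it hands out cannot be turned into one another. The following toy model is an added example, not code from the article or from any identity scheme it discusses. It assumes a scheme authority that issues each relying party an authorisation listing the attributes it may request, checked here with an HMAC under a key shared between the authority and the card (a simplification standing in for a public-key signature); the keys, secrets, dates of birth and relying-party names are all constructed.

```python
# Added example (not from the original article): a toy model of the
# psychic ID's selective disclosure. All keys, secrets, names and the
# over-18 rule are constructed here for illustration.
import hashlib
import hmac
import json
from datetime import date

# Key shared between the scheme authority and every card. It stands in for
# the authority's signing key; a real deployment would use a public-key
# signature so that cards hold no secret capable of forging tokens.
AUTHORITY_KEY = b"constructed-authority-key"


def issue_authorisation(relying_party, allowed):
    """The scheme authority states which attributes a relying party may see."""
    body = json.dumps({"rp": relying_party, "allowed": sorted(allowed)},
                      sort_keys=True)
    mac = hmac.new(AUTHORITY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def token_is_genuine(token):
    """Reject forged or altered tokens, comparing in constant time."""
    expected = hmac.new(AUTHORITY_KEY, token["body"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


class PsychicID:
    """Holds the master secret and the holder's attributes; prints nothing."""

    def __init__(self, master_secret, date_of_birth):
        self._secret = master_secret
        self._dob = date_of_birth

    def _sector_number(self, sector):
        # Each sector's number is a one-way derivation from the master
        # secret, so the polyclinic's copy of the health number gives no
        # way to compute the finance number, and vice versa.
        return hmac.new(self._secret, sector.encode(),
                        hashlib.sha256).hexdigest()[:12]

    def _over_18(self, today):
        years = today.year - self._dob.year
        if (today.month, today.day) < (self._dob.month, self._dob.day):
            years -= 1
        return years >= 18

    def show(self, token, requested, today):
        """Return only the attributes that are requested, authorised and true."""
        if not token_is_genuine(token):
            return {}                      # card stays blank
        allowed = set(json.loads(token["body"])["allowed"])
        answer = {}
        for attr in requested:
            if attr not in allowed:
                continue                   # none of the asker's business
            if attr == "over_18":
                if self._over_18(today):   # otherwise remain blank
                    answer[attr] = True
            elif attr.endswith("_number"):
                answer[attr] = self._sector_number(attr)
        return answer


# Constructed sample cards and authorisations.
TODAY = date(2008, 6, 17)
HOLDER = PsychicID(b"constructed-master-secret", date(1980, 3, 5))
MINOR = PsychicID(b"constructed-other-secret", date(1995, 9, 1))
BOUNCER = issue_authorisation("nightclub", ["over_18"])
CLINIC = issue_authorisation("polyclinic", ["health_number"])
BANK = issue_authorisation("bank", ["finance_number"])
# A token nobody signed: the card must treat it as no authorisation at all.
FORGED = {"body": json.dumps({"rp": "anyone",
                              "allowed": ["health_number", "finance_number"]},
                             sort_keys=True),
          "mac": "00" * 32}

if __name__ == "__main__":
    print(HOLDER.show(BOUNCER, ["over_18", "health_number"], TODAY))
    print(MINOR.show(BOUNCER, ["over_18"], TODAY))
    print(HOLDER.show(CLINIC, ["health_number"], TODAY))
    print(HOLDER.show(BANK, ["health_number", "finance_number"], TODAY))
    print(HOLDER.show(FORGED, ["health_number"], TODAY))
```

The point to notice is where the decisions are made: the relying party never sees the attribute store, the card decides what to release, and a forged or over-broad request yields a blank rather than an error message that would itself leak something. Binding a token to the party actually presenting it (for example by challenge-response) is left out of this model.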
The scheme must improve security as well, and any national identity scheme that is to really deliver more security must be used universally: it must become a kind of utility that both individuals and organisations draw on as and when required. Therefore, organisations would use the same psychic ID system instead of creating their own disconnected, stand-alone versions. By sharing the identity utility infrastructure, the costs to everyone are reduced. The psychic ID works in the same way at the organisational level. If I come along to the Home Office to attend a meeting, then I wave my psychic paper at the guard on the door, who can immediately see (Fig. 5) whether to let me in or not.
The identity scheme that the psychic ID uses must extend across both real and virtual environments. It would be crazy, obviously, to design a system for the 21st century that only works in physical, attended environments. In the virtual environment, however, the requirements are more complicated. One of the simplest ways to demonstrate both how non-intuitive some aspects of the problem are and how this use of new technology can deliver new solutions is to consider what I have called before the Chatroom Paradox. I can state it very simply in this way: My kids want to go into chatrooms to discuss everything from computer games to saving the planet. I will only allow them into chatrooms if I know that the other people in the chatrooms aren’t serial killers, perverts and so forth. In order to make sure of this, I therefore want the name and address of everybody else in the chatroom so that I can validate them against sex-offenders’ registers. However, if somebody else in the chatroom wants my kids’ names and address to check them against a register, I don’t want to give it to them. What if there’s a mistake and they really are a serial killer or pervert? This then is the paradox: In order to harness the power of the Internet, the exponential curve of Reed’s Law and the “Here comes everybody” future, I want full disclosure from everybody else who wants to be part of the sub-group but will refuse any kind of disclosure on my side. Stalemate.
Psychic ID to the rescue! By connecting my psychic ID to the Internet, remote counterparties can “see” the psychic ID in just the same way as the receptionist, cashier, bouncer and guard. In the chatroom case, however, it is important that the identity is entirely pseudonymous in case there is a breach or a leak. Thus, as shown in Fig. 6, my kids plug the psychic ID into the laptop and punch in the PIN and then their pseudonymous identities are revealed but the actual identities remain concealed (Birch 2003). I am assuming here that the psychic ID is being used as a component of some form of user-centric identity management system, so that each person’s psychic ID card will actually store a handful of different identities, to be used in different circumstances. This is a more sophisticated extension of the psychic ID concept, because in some cases I might be Dave Birch, the UK citizen. In others, I might choose to be Dave Birch the Consult Hyperion employee. In others, Leadbelly Gutbucket, mightiest of the Dwarven heroes of Ravenscrag Pass. Far from seeing multiple identities as a way for undesirables to hide (Harrison 2007), we should celebrate them as one of the great benefits of a national identity management scheme. (I’ve already thought of the tag line for the advertisements: Who do you want to be today?)
Note that in what I would call a “strongly user-centric” identity management system, I ought to be able to tell my psychic ID who I want to be on a “per transaction” basis, presumably defaulting to the “most” pseudonymous identity because, in the general case, identity is not relevant to a transaction. So, just as the typical wallet contains three or four bank cards, the typical psychic ID will contain three or four identities (Footnote 1). While some, perhaps one, of the multiple identities held in the psychic ID will be “underwritten” by the government, in the general case they will be attested to by private organisations: Barclays Bank, perhaps, or Vodafone or the World of Warcraft.
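The chatroom case and the “strongly user-centric” card described in the last two paragraphs can be modelled in a few lines. What follows is an added example, not the article’s own code or any real scheme’s: the card holds several personas, each with its own secret and attester, derives a fresh pseudonym for each relying party from that secret (so a chatroom recognises the same child on return visits but cannot link that child to any other service), and defaults to the most pseudonymous persona unless the holder chooses otherwise for the transaction. The persona secrets, the disclosure ranking and the relying-party names are constructed; the persona labels and attesters are the ones the article mentions.

```python
# Added example (not from the original article): a toy model of a
# "strongly user-centric" psychic ID that carries several identities and
# derives a different pseudonym for every relying party. Secrets, ranks and
# relying-party names are constructed for illustration.
import hashlib
import hmac


class Persona:
    """One identity stored on the card.

    disclosure ranks how much the persona gives away: 0 reveals only a
    pseudonym, 1 adds a name vouched for by a private attester, 2 is the
    government-underwritten citizen identity.
    """

    def __init__(self, key, secret, attester, disclosure, name=None):
        self.key = key
        self._secret = secret
        self.attester = attester
        self.disclosure = disclosure
        self.name = name

    def pseudonym(self, relying_party):
        # One-way derivation: stable on return visits to the same service,
        # but unlinkable across services because the service name is mixed
        # in and the secret never leaves the card.
        digest = hmac.new(self._secret, relying_party.encode(),
                          hashlib.sha256).hexdigest()
        return digest[:16]


class UserCentricID:
    def __init__(self, personas):
        self._personas = {p.key: p for p in personas}

    def default_persona(self):
        """Absent a choice by the holder, use the most pseudonymous identity."""
        return min(self._personas.values(), key=lambda p: p.disclosure)

    def present(self, relying_party, persona=None):
        """What the relying party sees for this one transaction."""
        chosen = self._personas[persona] if persona else self.default_persona()
        shown = {
            "persona": chosen.key,
            "pseudonym": chosen.pseudonym(relying_party),
            "attester": chosen.attester,
        }
        if chosen.disclosure > 0:
            shown["name"] = chosen.name   # only non-pseudonymous personas carry one
        return shown


# Constructed sample card with the three identities the article describes.
CARD = UserCentricID([
    Persona("citizen", b"constructed-secret-1", "UK government", 2, "Dave Birch"),
    Persona("employee", b"constructed-secret-2", "Consult Hyperion", 1, "Dave Birch"),
    Persona("dwarf", b"constructed-secret-3", "World of Warcraft", 0),
])

if __name__ == "__main__":
    print(CARD.present("chatroom.example"))                      # dwarf, no name
    print(CARD.present("chatroom.example"))                      # same pseudonym
    print(CARD.present("forum.example"))                         # different pseudonym
    print(CARD.present("homeoffice.example", persona="citizen"))  # name disclosed
```

Two properties matter for the Chatroom Paradox: the chatroom can still bar or report a persistent pseudonym, because it is stable within that service, while a leak of the chatroom’s membership list links to nothing outside it, because the pseudonym is a keyed derivation that only the card can reproduce.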
These examples serve to illustrate the crucial elements of the identity utility: that it can be used in a variety of circumstances, that it protects personal information to enhance privacy, that it delivers security to where it is needed and that it can be understood by an average member of the public (eg, me).