Digital Identity Policy must address Fake (and Fogged) Credentials
Background
The reasoning behind the current DCMS drive for a new Digital Identity policy is as clear and transparent as the political SMOG of conflicting objectives and priorities which choked previous initiatives, from Michael Howard’s Benefit Cards through Tony Blair’s Identity Cards to Francis Maude’s Verify ambitions, into oblivion.
The reasons for confusion have not changed since I first blogged on ID Policy, back in 2009:
- unresolved differences between different departments and agencies from tax collection, anti-terrorism and law enforcement to public service delivery, education, health and welfare.
- failure to understand what the private sector (and most of the public sector) needs: from levels of trust and security to authentication, dispute resolution and revocation.
Meanwhile Banks and employers cannot afford to trust the credentials (digital or otherwise) issued by Government or mandated by regulators (e.g. Passports, Driving Licenses or Utility Bills) until the issues of FOGGING (the False Obtaining of Genuine credentials), not just those of falsification and impersonation, have been addressed. The problem is not peculiar to the UK. Across the EU it is estimated that 5 – 10% of electronic passports have been Fogged.
There are many reasons for the failure of Verify. Perhaps the most important (and taboo to mention) is that it was/is too easy to use FOGGED credentials to obtain an identity, including in the name of someone else. Meanwhile it was/is too difficult for those who pay cash, have never borrowed or, like married women doing business under their maiden name, have more than one legal identity. We should also add those, like many of the Windrush generation, with a plethora of paper-based public records scattered across Government but no digital profile and no awareness that they might need one.
Ministers and officials are again repeating the platitudes mouthed at regular intervals over past decades – as though the case for a single digital identity was self-evident. It is no more self-evident than the case for a single identity policy across the tribes of Whitehall, on which I recently hosted a guest blog:
Why a Public Sector Identity Policy should have priority over a Digital Identity Policy
The UK Public sector has five main identity systems linked to applications and databases which do not share information, whether or not this is in the interests of the individual.
- When you are born, or first register for health care after entering the UK, you receive a National Health Service Number (which references your health care).
- When you first go to school you receive a Unique Pupil Number (which references your education, lapses when you leave school and must not be used for any purpose unrelated to education).
- By the time you reach the age of 14 you should receive a Unique Learner Number which references a Personal Learning Record which will include your exam results for access via the National Careers Service and use by UCAS, College and University. Neither students nor prospective employers have access. Hence the reason for so many other “Skills Passports” (issued by professional bodies, trade associations and others) containing records of achievement or claimed qualifications.
- When you reach 16, or get a job or claim benefit after entering the UK, you acquire a National Insurance Number, which (it is stated) is proof of nothing.
- If HMRC require you to complete a self-assessment for tax, the process will include assigning you a Unique Taxpayer Reference (UTR) in addition to your NINO.
Other Central Government departments and agencies, like those involved with the Criminal Justice System from the Police, via the Courts, to the Prisons and Probation services, have more. Then come those of Local Government.
The Departments currently developing/upgrading their own Digital Identity systems because Verify does not meet their needs include the Home Office, the Department for Work and Pensions, HM Revenue and Customs, the Department for Health and Social Care, the Department for Transport, the Department for Business, Energy and Industrial Strategy and HM Treasury.
Others with their own identity systems (sometimes many of them) include the Department for Education, The Department of Health (and NHS), Passport Office, DVLA, Companies House, the Land Registry, Scottish Office, NI Office, and Welsh Office (for different law, borders, and with multi-lingual experience), Local Government (several widely shared systems as well as those that are local and unique) and Electoral registration.
Then there are those who record or authenticate globally accepted “evidence” of identity. The UK regulator for notarised signatures and documents remains the Faculty Office of the Archbishop of Canterbury. Meanwhile organisations like Notary Scriveners, Lloyds Register, DNV and Identrust provide the evidence base for high value transactions across barriers of language, jurisdiction and technology. The General Register Office maintains the authoritative record of Births, Marriages and Deaths.
Globally recognised identity systems range from ICAO Passports and Schengen Recognized Identity Cards, the PCI-DSS standards used for Credit and Debit cards, the IBAN numbers on bank statements, SWIFT, the EAN codes on products, through the personal and business identity and checking services run by players like Experian, RELX, Standard and Poor’s and GB Group, to the Internet Addressing System overseen by ICANN. There are also the attempts by those like Amazon, Apple, Facebook, Google, Microsoft and others to leverage their customer profiles into the status of digital identities. These have been used to support a variety of checking and authorization services to meet legal requirements such as for age checking: examples include the UK Citizencard (now partnered with Yoti for the digital world).
At the time of the consultation over Michael Howard’s proposal for a unified “Benefits Card” I organised a response from IMIS (the UK-based body for Heads of IT, which is now part of the BCS). It was based on inputs from members around the world in countries where Identity Cards were commonplace. These tended to function reasonably well as resident cards, giving rights of access to local services, e.g. swimming pools or libraries. They were rarely used for health care. Fraud and fogging were commonly on such a scale that they were of limited value for financial transactions or law enforcement. Hence the reason for the many other identity and authorisation systems around the world. Our conclusion was that a common “Benefits Card” was a good idea but would not meet most of the Government’s expectations. Many UK Local Authorities now issue benefit cards. One of the first was the Bracknell Forest e+ card.
The problems with siloed UK public sector ID processes came to a head with Covid
Even before track and trace, attempts to identify, contact and support those in need of support as a result of the Covid lockdown indicated the problems with using our current health, welfare and educational systems to do so. Then came the attempt by DWP to use Verify to register claimants for emergency benefits. The problems this exposed had long been known but were (and are) still unresolved.
Now we have the problems caused by the processes mandated by regulators for use by financial services and retailers. These have served to help compound rather than combat the post-Covid Fraud pandemic.
Now the second wave of the Cyberfraud Pandemic is upon us.
The new hot spot is Employment Fraud. It is not new. By last year, before Covid, it was big business. It was costing UK employers £billions, including because overseas recruits did not have the skills “evidenced” by the supporting documentation for their applications. It was also helping create false hopes and expectations that overwhelmed attempts to control immigration.
The fraudsters have now adapted to the termination of efforts by employers to recruit overseas. Instead they are targeting the millions of UK residents whose jobs have gone or are at risk, whether they are looking for work or to acquire new skills to help them do so.
We have a framework for co-operation but need to address the gap between the potential for using on-line digital recruitment and screening to help employers rapidly fill gaps when under pressure and the reality of fragmented sources of often unreliable data.
The Post Covid Employment Fraud Pandemic provides a catalyst for change
There are a variety of employment, education and support scams targeted variously at deceiving and victimizing those seeking:
- new jobs to replace those which have gone or are at risk,
- new skills/qualifications to help them get new jobs,
- already competent staff with the skills to run expanded on-line operations,
- help from support schemes,
- to provide support or training to those looking for it.
The scams targeted at individuals looking for new jobs include those to:
- harvest their CVs (and all that is necessary to impersonate them) in order to help them obtain a new job, which may or may not be genuine
- get them to pay for a fake right to work, more common with those wanting to enter the UK to work in, for example, the NHS
Scams targeted at employers, inter alia to get fraudsters into positions of trust, include:
- Fake references, career history, qualifications and accreditations
- Attempts to deceive in terms of past criminal records
Then come those scams targeted at banks and retailers under pressure to “know your customer” and/or accept electronic payment instead of cash. These might entail:
- Fake documents (bank statements, utility bills, passports, driving licenses)
- Attempts to deceive in terms of credit related issues
A six point plan for constructive change
We need to understand the current situation, unpack the requirements and identify responsibility for action.
1 We need a survey of the current UK Public Sector ID programs, their objectives, how they work, processes for updating/validation/error correction/revocation, governance and security, reasons why they are different and can/cannot be shared with whom.
2 We also need a survey of the “Know Your Customer” and/or “Audience” routines and sources currently mandated by Departments, Agencies and Regulators: their objectives, how they work, processes for updating/validation/error correction/revocation, governance and security, reasons why they are different and can/cannot be shared with whom.
3 Then we need to unpack the requirements by sector and application, including separate consultations/discussions on information/identity sharing to enable:
- employee vetting and monitoring (including probity and immigration status)
- checking records of education, training and other evidence of skills
- customer identity vetting (including money laundering)
- customer authorisation (including limited access for those not credit-worthy)
- audience checking (e.g. age)
- joined up public service delivery, including education, health and welfare, across central and local government
4 Then comes the hardest task: the identification and agreement of policy and regulatory leads on each of the above.
5 Implementation of the recommendations in each area, including any legislative action necessary to remove legal obstacles to change, should be led by Government – Industry Partnerships driven by the users of the credentials, not the suppliers of the technology.
6 In parallel we need the relevant regulators to help encourage and enable incremental change within existing legislation.