[WG-IDAssurance] Observations on questions to start discussion - NOT draft submission
mhae...@freeuk.com
Creating a digital identity governance framework
1. Do you agree an existing regulator is best placed to house
digital identity governance, or should a new body be created?
The consultation only appears to be asking about the
identification and attributes of people, but the identification of the
other party is just as important for mutual anything, and the governance
of id and attributes of organisations needs to be coordinated, but not
necessarily the same as for people. Since GDS grabbed then disowned
GPG46, it is not clear where policy on that is going. An underfunded new
regulator would be pointless.
2. Which regulator do you think should house digital identity
governance?
The ICO is already grossly over-burdened and underfunded, but
might be appropriate if the FOI aspects of its function are moved
elsewhere. Being Parliamentary rather than Crown seems right and may be
significant when dealing with problems in the civil service.
3. What is your opinion on the governance functions we have
identified as being required: is anything missed or not needed, in your
view?
Any such scheme needs to fit into the international economy and
not be a burden to international trade (in either direction). In so far
as it is merely an instance of something under ISO 17065 it is strange
that ACAS is being presented as the selected body when this is something
already determined by UK’s participation in the International
Accreditation Forum, which would also indicate that various other
country’s (or region’s) certifications must be accepted.
4. What is your opinion on the governing body owning the trust
framework as outlined, and does the identity of the governing body
affect your opinion?
‘Ownership ’ is not an obviously useful concept here.
The certification aspects have not been published but the
“certification against the trust framework should be a requirement
before organisations make checks against government-held data” is
inconsistent with confirming that a service is operating correctly
before it can be ‘blessed’. Certification of relying parties has rightly
been removed.
5. Is there any other guidance that you propose could be
incorporated into the trust framework?
How can guidance (including GPGs) be incorporated in anything?
Guidance is not a standard, is not in normative form. GPG43 seems to
have been ignored. Why no mention of PAS499 PAS1296 or even BS8626?
6. How do we fairly represent the interests of civil society and
public and private sectors when refreshing trust framework requirements?
The methods should use existing processes for legislation and
regulation and not invent new ones. For a start, the whole lifecycle of
standards need to follow the well-established BSI processes. This
process is lacking in the production and amendment of GPGs – note that
GPG45 changed very significantly during the period of the last
consultation. With a completely changed intended purpose and readership
from 10 years ago, perhaps a new name is needed.
7. Are there any other advisory groups that should be set up in
addition to those suggested?
No. Indeed some of those existing should be culled in the their
current form. The privacy advisory group’s mission creep to cover
privacy and consumer interests was unhelpful. Should not rely just on
advice from lobby groups. Critical analysis needs to be faced, not just
brushed aside as trolling.
8. How should the government ensure that any fees do not become a
barrier to entry for organisations while maintaining value for money for
the taxpayer?
If the fees are not a tax then they will presumably be set by
open book accounting.
9. Do you agree with this two-layered approach to oversight where
oversight is provided by the governing body and scheme owners?
This seems like a job-creation scheme to add costs to a system
already struggling to present where the money is coming from.
10. Do you agree the governing body should be an escalation point
for complaints which cannot be resolved at organisational or scheme
level?
If there is one, what other options could there be for such
complaints? The estimated costing for this, including legal fees, should
be identified.
11. Do you think there needs to be additional redress routes for
consumers using products under the trust framework?
More importantly, there needs to be a redress route for people
who are not using such products whose identity has been usurped. This
question talks about ‘products’ not services, but the options appear to
be about services.
If yes, which one or more of the following?:
a. an ombudsman service
Is this a fancy name for what trading standards would do? The debate on
this topic with the US equivalent was cancelled and very little has been
presented since, although the need for address was highlighted in the
2008 Crosby report.
b. industry-led dispute resolution mechanism (encouraged or mandated)
Since the disputes will include criminal and not just civil matters,
despite precedents such as DCPCU, it’s unreasonable to expect industry
to lead.
c. set contract terms between organisations and consumers
This brings up a problem with the structure: the relying parties are the
ones ‘consuming’ the service, and paying for it (a consideration being
an essential aspect of a contract). Individuals cannot be expected to
read these, and would in any case, be covered by the unfair contract
terms act.
d. something else
This will add to the work of the already stretched and misnamed citizens
advice bureau as well as sundry charities which people turn to for help,
including the RNIB.
If no, do you think the governing body should reserve the right to
impose an additional route once the ecosystem is more fully developed?
12.Do you see any challenges to this approach of signposting to existing
redress pathways?
There is no outline for ensuring that these pathways can become the
roads needed for the workload, which could be very peaky.
The requirement to “notify all relevant parties, including the victim”
is challenging as the victim may well not be a participant.
13.How should we enhance the ‘right to rectification’ for trust
framework products and services?
The current demand to “notify any relying parties that consume
attributes you’ve created” assumes that it is possible to identify such
and requires active notification, not a passive ‘advertise’. It is not
possible if there is blinding, not necessarily possible if there is
orchestration/brokering, and impossible for as yet unknown future
relying parties.
It is not clear why it need ‘enhancing’ if it I already sufficient to
satisfy the usual DPA/GDPR requirements.
14.Should the governing body be granted any of the following additional
enforcement powers where there is non-compliance to trust framework
requirements?
All of these sound like ways to encourage industry to set up their own
parallel universe, under contract.
a. Monetary fines
b. Enforced compensation payments to affected consumers
This would suggest that the liability terms are inadequate.
c. Restricting processing and/or provision of digital identity services
Any such powers should only relate to those services coming under the
framework and eligible to use the trust mark (even if choosing not to do
so in some cases). The scope of the services needs a clear definition to
avoid the fate of the eIDAS five which have not aligned with reality.
d. Issue reprimand notices for minor offences with persistent reprimands
requiring further investigation
By whom? As with “send regular reporting and analysis to the relevant
authorities to help manage the threat of identity fraud and identity
misuse” it needs to be much clearer who these bodies are and where the
APIs are defined.
15.Should the governing body publish all enforcement action undertaken
for transparency and consumer awareness?
Would this increase, decrease, or make no difference to consumer trust?
16.What framework-level fraud and security management initiatives should
be put in place?
These should be guided by those with existing experience, such as Cifas.
Details should not be published as it helps the attacker far more than
it reassures a potential user.
17.How else can we encourage more inclusive digital identities?
Who is ‘we’, and is it your role? More identities that happen to be
digital and inclusive or identities that are more inclusive? What about
children?
18.What are the advantages and disadvantages with this exclusion report
approach?
Initiatives to support some particular group will be stymied by...
19.What would you expect the exclusion report to include?
Sophistry.
Enabling a legal gateway between public and private sector organisations
for data checking
20.Should membership of the trust framework be a prerequisite for an
organisation to make eligibility or identity checks against
government-held data?
No. It is not currently required when reading a passport. It would be a
barrier to international collaboration. Checks may also be after the
event (e.g. by auditors, courts, or arbitrators), not just real time. A
monopoly cartel would be an abuse. The point that RPs cannot be required
to be evaluated has already been accepted.
21.Should a requirement to allow an alternative pathway for those who
fail a digital check be set out in legislation or by the governing body
in standards?
Pathway? It is clearly inappropriate for the governing body to dictate
how things that do not fall under their remit should function.
Presumably this question only refers to false negatives? In England
although legal tender can be used for a debt, there is no requirement
for vendors to accept cash. Policies for the public sector may be
guidance for the rest, but should not be more.
22.Should disclosure be restricted to a “yes/no’’ answer or should we
allow more detailed responses if appropriate?
If appropriate then more detail is appropriate. Unlike in Germany, there
is also no indication that government databases have any consistent
character set, nor transliteration of non (US)ASCII names, so some way
of handling near matches is needed. The banks appear to have overcome
the teething troubles with checking payee names, and may have useful
experience.
A much more complex arrangement needs to be made to handle indications
of attempted fraud. E.g. what to do if a passport flagged as stolen is
attempted to be used; a simple NO is insufficient.
23.Would a code of practice be helpful to ensure officials and
organisations understand how to correctly check information?
Isn’t the point of this to take out the officials and automate the
process? The primary issue is the basis for ignoring the purposive data
protection principle. It would also be pertinent to have advice on
handling inadequate or incomplete data sets. No indication is given as
to which datasets are envisaged; the NHS would be good for checking date
of birth. How much will they make from providing this?
24.What are the advantages or disadvantages of allowing the onward
transfer of government-confirmed attributes, as set out?
Transfer by whom?
Establishing the validity of digital identities and attributes
25.Would it be helpful to affirm in legislation that digital identities
and digital attributes can be as valid as physical forms of
identification, or traditional identity documents?
No. The primary requirement is to remove explicit laws that assumed
earlier technologies or capabilities. Having warned at the time that
inclusion of a holograph for alcohol age-checking was going to become
problematic, it is wrong to portray it as unforeseen, just the usual
‘too late in the process to change’.
There is still a lack of basic interoperability specifications, e.g.
limitations on the character sets supported ( by system-wide
specification or by case-by-case identification).
_______________________________________________
WG-IDAssurance mailing list
WG-IDAs...@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-idassurance