Thursday, May 25, 2023

Citizen-centric federation of digital services in the UK.

We have a number of services that many UK citizens already access online, and hence those citizens have access to information held about them - e.g.

private

  • School/college/workplace based intranet/cloud/VPN etc

communications

  • Internet Service Provider, mobile/cell, etc
  • Postal address

government

  • NHS
  • HMRC, DWP
  • DVLA

commercial

  • Social media (Meta/Twitter/Mastodon)
  • Messaging (email/Gmail/Hotmail, WhatsApp, Signal, Matrix)
  • Entertainment (Netflix, YouTube)
  • Media (BBC, legacy web news)
  • Shopping & delivery (Amazon, Boots, Tesco, Ocado, Deliveroo/Uber)
  • Travel (rail/metro etc)

financial

  1. Banking (HSBC, Revolut etc)
  2. Mortgage/savings/loans

All of these require secure sign-on to use full facilities, so we have multiple digital identities in the UK.
Some share sign-on (e.g. via Facebook or Gmail), and even 2FA (Google/Microsoft authenticator or SMS).

Many people now use password managers or wallets to store account info including passwords/phrases etc, so from the human/user experience viewpoint, this complexity can be hidden at the access level.
However, few apps today allow management of data across all these domains, neither for the service provider (whether commercial or government) nor for the data subject, the end user, the citizen.
A few exceptions point the way forward. For example, let's look at the thirdfort app, used by lawyers gathering information about possible mortgage borrowers, including the standard information needed to do KYC (know your customer) and anti-money-laundering checks. This app (and any other like it) can use NFC on a smart phone to read your physical driving licence or passport, or just use the camera to take a picture and then OCR to get the text data from the ID (which might include legacy paper information such as birth and marriage certificates), and then uses open banking to access (appropriately data-minimised) credit information, with permission from the client.
Note that these rely on standard interfaces (APIs) for NFC and document formats, and for banking, but they do not need a single, centralised global identity. They build on an eco-system to provide the service.

They work by federating information across services, but are rooted in the end user/subject. It is a relatively easy step to see how such app architectures could be used to combine health (NHS app access to my record) and, say, shopping (advice from health on what food to buy, for example), or travel and media, or finance and education, etc.

There is simply no need for a national identity - especially not a card. Indeed, one can get smart phones good enough to run the apps I've mentioned for under £50 now.  For inclusivity, giving a smart phone to citizens that cannot afford such a device is massively more beneficial compared with blowing the money on a single purpose centralised service, and less expensive.

The main thing is for the government to grasp the opportunity by publishing APIs for services, and the format (metadata) for the information contained there. We've seen the success of this in transport, with publication of timetable and live data, and in the DVLA case, where services for renting/buying/selling/taxing/MOT-ing cars are made much smoother for the end user and for traders too.
By de-coupling the services from the identity by allowing heterogeneity and diversity, we allow adoption and integration of silo-busting applications, based around the end-user/citizen.

Footnotes -

  • An example: such a digital service could have benefitted EU citizens who wished to remain in the UK but were required to retrieve information from multiple places. Border Force records of trips in/out of the UK were not available (shocking, given claims for border control to increase national/travel security), but being able to show tax return, employment status and residence information was feasible for most people via (mostly) open APIs or, at worst, download of data and printing. So the aggregation of data from multiple government and NGO sources in the app is a compelling case for federation, not a single system.
  • Previous centralised, single-system approaches to issuance of foundational ID have dismally failed in the UK, and also in Nigeria (3 times each). The main exception to this observation is, perhaps, the Indian Aadhaar (UIDAI) system, which already covers 1.2 billion citizens there. However, this was in a country where a significant fraction of the population do not have smart devices, and the applications of the Indian identity system (functional ID) were not in place for some time. In the end, the most compelling has been for payment systems, but this would not be a priority at all in the UK, where most citizens already have (mobile) banking, and so it isn't an incentive for people in the UK to adopt any unified identity. Integration of applications that process personal data is much more persuasive.
  • A couple of caveats: we may want to implement a reliable key management system, but it should be citizen-centric, and thus needs careful thought to deal with key recovery. Shamir key sharing would work: one can split the key across multiple (state, private and social) circles, and only need, say, 3 out of 10 to answer to get a key back. Similarly, we can replicate copies of our (encrypted) data from the different shards (services) across other services, for high availability and recovery from outage/loss, but we need to use this sharded key system to make those copies safe.
