Identity and identity cards

The LSE has published a report on the Identity Card Bill. The very short summary is that they don’t like it. The slightly longer version is:

The Report concludes that the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society. However, the proposals currently being considered by Parliament are neither safe nor appropriate. There was an overwhelming view expressed by stakeholders involved in this Report that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. The current proposals miss key opportunities to establish a secure, trusted and cost-effective identity system and the Report therefore considers alternative models for an identity card scheme that may achieve the goals of the legislation more effectively. The concept of a national identity system is supportable, but the current proposals are not feasible.

The full, 117-page expansion of that paragraph is here.

The potentially interesting bit is the research group’s suggestions for an alternative approach, which seems to be based on federated identity:

Technologies such as digital credentials, privacy-friendly blacklist screening, minimal disclosure proofs, zero-knowledge proofs, secret sharing, and private information retrieval can be used as building blocks to design a national ID card that would simultaneously address the security needs of government and the legitimate privacy and security needs of individuals and service providers. The resulting ID card would minimise the scope for identity theft and insider attacks. A Federated solution would also better model and suit existing relationships, whilst ensuring for proportionate data practices.

The key issue for us, of course, is how managing identity is best supported by managing identity cards.