United Kingdom Parliament
HOME
ABOUT
MEMBERS & STAFF
BUSINESS
PUBLICATIONS
A-Z INDEX
GLOSSARY
CONTACT
Publications & records
Advanced search
 HansardArchivesResearchHOC PublicationsHOL PublicationsCommittees
You are here: Publications and Records > Select Committees > Science and Technology > Science and Technology
Select Committee on Science and Technology Written Evidence

Memorandum by PAOGA

What is the nature of the security threat to private individuals and what is the scale of the problem?

  PAOGA believes that the core of the security threat to private individuals centres around their Personal Identity. The loss of control of this data and the large number of databases in which this is held by Government and business makes fraudulent use of this data a very high risk. The current battle for control of our personal identity amounts to nothing less than a fight for the intellectual (?) health and social cohesion of our society. We are, however unconsciously, in the midst of a collective identity crisis. Attacks on our personal identity are coming hard and fast from three distinct areas:

  Loss of Privacy: Levels of scrutiny and intrusion into our private lives are spiralling out of control:

    —  Whether it be corporate spam, junk-mail, nuisance callers and phishing attacks, or the much more dramatic intrusions from the state (eg identity cards), the fact is that in more and more situations our lives are invaded and our integrity questioned. The onus is on the individual to prove who we are, how old we are, what we earn, and where we live—simply to earn the privilege of bombardment with information and interaction we do not want.

    —  Our organisational interactions leave a trail of data across organisational systems and the Internet which cannot easily be erased, leaving us increasingly powerless. Our physical location is almost permanently visible, through mobile phones, credit cards and traffic cameras. We have become easy to target by aggressors of all kinds.

  Loss of Liberty: It is increasingly costly, time-consuming, inconvenient and downright frustrating to engage in everyday life:

    —  Our freedom to operate—to transact, and to maintain relationships is increasingly constrained by rules, regulations and procedures, ossified by government and corporate technologies that make it harder and harder for us to get what we want.

    —  From impenetrable telephone-based customer service systems, to the mandatory face-to-face interview for getting a passport, to the perils of driving down a motorway, to simply buying and selling a house, it's getting harder and more risky simply to go about our daily lives.

    —  Once again, it is our increasingly conflicted relationship with the state that poses the greatest risk.

  Loss of Accountability: We lack any robust and reliable mechanisms for holding organisations to account for what they do with our information:

    —  Legal redress, peer pressure, management standards and good old fashioned ethics have so far been insufficient to persuade organisations to "do the right thing" with our information.

    —  Information about us is often incorrect; and even when correct it is too often lost, stolen or mislaid, or it is sold on legally or illegally—always without our knowledge, and always outside our control.

    —  Simultaneously, the state has ever more power to intervene in our lives without pause or redress, through tools like stop and search, on the spot fines, and extended detention. Meanwhile, corporations send debt collection agencies to your door with no means of recall.

    —  As individuals, we need a better mechanism for making institutions accountable for the ways they contribute to, and act upon our public identity.

  What characterises all three threats is a fundamental shift in the burden of proof of identity, towards the individual. Organisations believe and act as if they, not we, control our identity. It is we, it seems, who must account to them, to prove who and what we are. The stark reality is that we have now lost all influence over what is known about us, how accurate that data is, what decisions are taken on the basis of that knowledge, how our reputation is affected, and critically, how our life options are eroded by its misuse. We have allowed our individuality to be outsourced.

  These issues are of such great social concern that dedicated organisations and lobbying groups have identified themselves explicitly with these issues, namely: Privacy International, Liberty, and Accountability. The trouble is that as things stand these core aims are potentially in conflict. In order to protect our liberty, we are told we must give up privacy. And in order to safeguard our privacy, we must apparently sacrifice accountability. To participate in the modern economy we must tick boxes and sign forms to abrogate our rights to manage our own identity, on non-negotiable terms.

How well do the public understand the nature of the threat they face?

  Individuals are only now waking up to the identity crisis. The fact is that most of us, as individuals couldn't, as yet, care less about these erosions. If they notice these incursions at all, they see them as an inconvenience. Our identity is abused by criminal networks and we just shrug. After all, what can we actually do? Until now, very little. Under the surface, though, the anxiety is building globally, and among affected groups the pain is already acute. In the UK alone, already:

    —  Almost 1 in 10 adults has had their identity compromised.

    —  More than 600,000 lost or stolen passports are in circulation.

    —  More than 500,000 driving licenses are lost or stolen—every year.

    —  More than 14 million households have signed up to the Telephone Preference Service.

  The fact is, as a society we face a growing identity crisis. This crisis lies at the heart of our loss of trust. The old deferential models of trust are increasingly challenged.

  According to a survey by Glasshouse Partnership in 2004, just 23% of the UK population would trust the Government not to abuse their data. But ask them if they'd trust Accenture or EDS to manage it, and just 5% agree. The lesson is: we trust no-one.

  We cannot rely upon the state or corporations to manage our data. We must take charge for ourselves, as individuals. What is required is a totally new means of establishing, sharing and validating our human identity in a social context. We need a new space to build and share our identity, built around the individual and managed by them.

What can be done to provide greater personal Internet security?

  The PAOGA approach to providing greater personal Internet security is to turn the existing system on its head. If we provide individuals with the tools to enable them to share their personal information and intentions safely and securely with their trusted partners, then all of this wasteful expenditure on security, customer surveillance and intrusion marketing can disappear. Billions of marketing dollars can be saved, to be diverted into genuine value-creating activities, like providing search and matching services that work on the individual's behalf.

  Much more importantly, for the individual, the time-consuming and frustrating process of entering, updating, correcting and aligning data, validating and revalidating identity within relationships can be dramatically reduced. Instead of being imprisoned by our identity, it can set it free.

  PAOGA believes that we must rebuild commercial structures around resilient networks of appropriately trusting individuals. Building an identity management eco-system that centres around the individual with dramatically increased accountability, privacy and liberty. Such a system will enhance social capital and mutual trust, and transaction costs will fall across the economy.

  Rethinking the architecture of trust will also redefine the nature of the interface between the individual and the state. In a situation where individuals certify their own and one anothers' identity, individuals' service needs and entitlements can be accurately and uniquely targeted.

  Every Utopian journey must start with a single step.

  For PAOGA, that first step is to enable a new identity system which revolves around the individual.

How much does this depend on software and hardware manufacturers?

  The resolution of these issues is dependent upon the IT Industry creating new Identity Management Standards and software developers creating interfaces within their applications to new Personal Identity Exchanges such as that developed by PAOGA. This will become the new identity architecture. The insights above have, of course, already spawned multi billion dollar businesses, and other smaller ones whose reach and influence are immense.

  Looked at through an identity and individuality filter, we could argue that mySpace is a liberty engine—a giant marketplace of self-expression and projection. eBay is, of course simply a vast accountability system—a tool for trust-building and for direct reputation management.

  Looked at from an identity standpoint, social networking tools like LinkedIn and Plaxo are actually privacy management tools—a tool for constructing self-image and analysing relationship capital.

  But of course none of these systems remotely addresses the promise of fully-fledged identity management. All of them carry risks and trade-offs between liberty, privacy and accountability, and many of these trade-offs are still opaque to users.

  From the analysis of the three identity threats and the corresponding responses to the Identity Crisis above, it follows that a better identity management system must have three key characteristics:

    —  Flexibility: It must enable the individual to express different facets of themselves (multiple personae) in different situations, and to enable rich information such as values, desires and needs to be shared, as well as facts.

    —  Control: It must enable the individual to protect, and analyse their information, including remaining anonymous in social situations so as not to compromise their true identity.

    —  Transparency: It must able to control the social context and rules under which individuals give out information, see what is done with that information, and benefit fairly from the value that the information creates.

  In structural terms, the Copernican centre of the new identity system is the individual's Personal Knowledge Bank (PKB)—the secure and dynamic store of personal information individuals manage about themselves.

  This enables the individual to police the accuracy of what others know about them, to express detailed needs, and help others to make more informed decisions about them.

  Various Personal Information Management Services (PIMS) can orbit around this central data store and support analysis, storage and sharing of personal information with high security. Technologies like flickr and del.icio.us, and even iTunes are early precursors of this raft of services, but they do not, at present exploit the identity or trading potential of this personal content.

  PAOGA is presently developing a portfolio of PIMS, which will enable individuals to share their data in different contexts where they may be identified or anonymous. This can include sharing address book information, creating CVs, managing their health and medical information. Other applications might include management of household information (suppliers and links to local authorities), and a range of financial services.

  The planets in this analogy are Social Identity Marketplaces (or SIMs)—environments where personal information is applied in a social or commercial context to find tailored experience. Again SIMs exist already. Dating and matching sites like friends reunited, or permission-based marketing sites like myoffers.com are early SIMs but are insecure, and make little use of contextual information and the rich data stores that PIMs can produce.

  The missing ingredients in this description are the laws of nature, including the force of gravity, which holds the solar system together. For individual-centric identity management to take off, individuals must be able to connect their information to others, knowing that those transactions are secure and that their underlying identity is not compromised.

  PAOGA is supplying this missing gravity by building the first Person Identity Exchange (PIE) to allow individuals to conveniently & securely exchange their personal information, "under their control, with their consent, for their benefit", with other individuals, suppliers, and government.

  All identity transactions between applications that use the exchange are facilitated through the PAOGA Push Protocol (an extension to WS-Security that provides for the highest levels of security). The identity exchange is a system that verifies the legitimacy of individuals while maintaining anonymity of their data. This is the equivalent of a stock exchange handshake. It uses the minimal amount of data to secure the highest possible level of trust in a transaction.

  Beyond the core exchange functionality, PAOGA is developing a number of technologies which package identity data in different wrappers, for different trading situations.

  Thus, for example, traders who wish to remain completely anonymous (for example high net worth individuals making high value bets) with one another can do so under the system. Equally, those who wish to transact with fully-validated and externally-certified data (for example employers and candidates) may do so.

  The audit trail for all identity transactions will be transparent, and shared between the parties. Unusually, it will not just reflect the history of a transaction, but also specify its future, by proscribing the terms of use for the data. Finally, in line with its vision of reclaiming individual identity and rebuilding social trust, PAOGA will use the social connections. PAOGA is standing up for Privacy, Liberty and Accountability.

  There is a better way. Now it's up to individuals to take action.

Is the regulatory framework for Internet services adequate?

  The PAOGA experience of the regulatory framework around the Data Protection Act would lead us to conclude that this is not adequate to protect the individual in his interaction over the Internet.

  Whilst compliance with the DPA is fairly high on the corporate list of responsibilities, when non-compliance is identified the Government Agencies tasked with monitoring and controlling the compliance find that the penalties available to them do not have any significant deterrent effect. The comment "When we get fined, we will do something about it" is frequently heard.

How well equipped is Government to combat cyber crime?

  The evidence is very clear: Government is not equipped to combat cyber crime.

  The recent incidents at DWP and DVLA where IT systems were hacked and the Personal Information of civil servants and the public have been removed and sold. If the Personal Information of the individual cannot be kept safe by Government then the trust between these parties is very much under threat.

  This lack of trust places Government at a great disadvantage if it is to be seen by businesses as the leader for advice and action in dealing with this type of security threat in the future.

Is the legislative framework in UK criminal law adequate to meet this growing challenge?

  We consider that more informed comment will come from those amongst us with a legal background.


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index
© Parliamentary copyright 2007