People wishing …

People wishing to apply for services ranging from tax credits to fishing licences and passports will be asked to choose from a list of familiar online log-ins, including those they already use on social media sites, banks, and large retailers such as supermarkets, to prove their identity.
Once they have logged in correctly by computer or mobile phone, the site will send a message to the government agency authenticating that user’s identity.
The Cabinet Office is understood to have held discussions with the Post Office, high street banks, mobile phone companies and technology giants ranging from Facebook and Microsoft to Google, PayPal and BT.
Ministers are anxious that the identity programme is not denounced as a “Big Brother” national ID card by the back door, which is why data will not be kept centrally by any government department. Indeed, it is hoped the Identity Assurance Programme, which is being led by the Cabinet Office, will mean the end to any prospect of a physical national ID card being introduced in the UK.
The identification systems used by the private companies have been subjected to security testing before being awarded their “Identity Provider” (IDP) kitemark, meaning that they have made the list of between five and 20 approved organisations that will be announced on 22 October.
The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk, which will be accessible by mobile.
A cross-section of social media companies, high street banks, mobile phone businesses and major retailers has been chosen in order to appeal to as wide a demographic as possible.
The system will be trialled when the Department of Work & Pensions starts the early roll out of the Universal Credit scheme, a radical overhaul of the benefits system, in April.
Users who access the Government’s online one-stop-shop of public services will be asked to identify themselves by choosing one organisation from a selection of logos. (This feature is called a “Nascar screen”, in reference to the logo-filled livery of the famous American racing cars.)
Major web sites are able to recognise individuals by their patterns of use, the device they are accessing from and its location. Facebook, for example, asks users who sign on from an unusual location to take a series of security questions including identifying friends in photographs.
Privacy campaigners are not wholly convinced by the programme. “Although this is a fine scheme in principle and is backed by ministers the danger is that it could be side-lined and used as a fig leaf by the data-hungry government departments,” said Guy Herbert, general secretary of No2ID, which has been consulted by the Cabinet Office.
Details of the “identity assurance” scheme are being finalised amid growing concerns over identity theft and other forms of cybercrime. Foreign Secretary William Hague and Cabinet Office minister Francis Maude, who is at the head of the Identity Assurance Programme, will today (Thurs) meet international experts at the Budapest Conference on Cyberspace. Mr Maude will give a keynote speech.
The Cabinet Office believes its new identity model will “prevent ‘login fatigue’ [from] having too many usernames and passwords” and save public money by increasing trust in online services. The system is likely to be adopted by local authorities nationwide. The Government hopes the identity system will form the basis of a universally-recognised online authentication process for commercial transactions on the Internet, boosting the economy and strengthening Britain’s position as a leader in e-commerce.
In recent weeks, the Cabinet Office’s Government Digital Service has backed a UK working group of the Open Identity Exchange, which was set up in America to bring organisations including Google, AOL, PayPal and Experian together to find a simple method of online verification that doesn’t require multiple passwords.
Members of the Cabinet Office team travelled to the White House in May to exchange ideas with American counterparts working on the National Strategy for Trusted Identities in Cyberspace (NSTIC). The heads of the British and American identity assurance programmes will debate the subject next week in London at the RSA cyber security conference.
The first law passed by the Coalition Government was to scrap the national ID scheme, a move said to have saved taxpayers £1 billion over ten years. But ministers want to use the Internet to cut the cost of public services.
In order to limit concerns over Government snooping, the Cabinet Office has been working closely with a range of privacy campaign groups and consumer organisations including No2ID, Big Brother Watch and Which? The programme’s Privacy and Consumer Group drew up a list of nine Privacy Principles which underpin the framework of the scheme.
As part of the attempt to reassure privacy campaigners, a private identity partner (IDP) which authorises a user of a public service will not know which Government department is seeking authentication.
The Post Office’s involvement in the Identity Assurance Programmes was revealed by a notice placed in the Official Journal of the European Union. The Royal Mail subsidiary sought a third party provider to help in assembling consumer data including name, date of birth, address, gender, passport and driving licence numbers, financial history, electoral roll status and telephone numbers.
Some commercial organisations have been concerned that their consumers will react negatively to their involvement with government. But commercial partners will benefit from marketing opportunities and the trust that comes with IDP status.
Without the identity assurance scheme there are fears that high levels of online fraud will cause the public to lose confidence in digital channels, undermining the amount of business done online.
Civil servants acknowledge that some people will still wish to access public services in person. They argue that the online scheme will release additional resources to assist people who lack confidence in making digital transactions.
Q&A: What the scheme involves
Q. Is this just an ID card scheme by the back door?
A. No, it’s a way of combating the menace of identity theft.
Q. Will the Government be able to use it to follow our movements online?
A. Authentication is done by trusted third parties and data will not be held centrally by the Government.
Q. But won’t the private companies find out personal information that is none of their business?
A. The identity providers (IdPs) don’t know for which government agency they are authenticating.
Q. Is a social media log-in sufficiently secure for a major financial transaction?
A. Individual IdPs will need to convince the Cabinet Office that their security checks are enough to meet the Level of Assurance (LOA) needed for the public service being requested. For example, a passport application is a high-security LOA3.
Q. Will it be possible to apply for a passport on your phone?
A. It is anticipated that part of the process will be offered online but some physical ID will still need to be presented in person to achieve LOA3.
Q. Is this just about public services?
A. No, the Government is helping to bring together online companies and create an icon that would enable online payments to be done securely.
Q. What would be the advantages?
A. It would also reduce the need to memorise multiple passwords.
Q. Will it work?
A. That depends partly on the efficiency of the chosen IdPs.
By Jeremy Bauer-Wolf, The Baltimore Sun

7:17 p.m. EDT, October 2, 2012
 
Instead of paying for their lunches with crumpled dollar bills and loose change, students in Carroll County schools are having their palms scanned in a new check-out system — raising concerns from some parents that their children’s privacy is being violated.

The county is one of the first localities in Maryland to use the PalmSecure system, in which children from kindergarten to 12th grade place their hands above an infrared scanner. It identifies unique palm and vein patterns, and converts the image into an encrypted numeric algorithm that records a sale.

Though the school system does not store those images, some parents have complained about the implications of having their children’s hands scanned. About 20 percent of parents have declined to participate in the program, said supervisor of food services Karen Sarno.

“I didn’t appreciate how they handled it,” said Mike Richmond, who has two children at Westminster’s Cranberry Elementary School. He said that the school scanned their hands before sending the opt-out form. “I’m concerned about it. I know it’s the way of the future, but it’s fingerprinting, it’s palm-printing.”

School officials defend the system, noting that the algorithm is the only piece of data stored; it is used to identify a child’s account. If students opt out of the service, they give their names to the cashier, who manually charges their accounts.

Sarno said the school system’s goal is to decrease the time between transactions. Children have limited time to eat lunch, she said, and she often hears complaints that children don’t like waiting in a long line.

“We’re doing whatever we can to reduce that line wait and make the queue better,” she said.

The PalmSecure system is used in schools around the country, including in Louisiana and Mississippi, where news reports say some parents also complained about an invasion of privacy and the costs of the system. The Pinellas County, Fla., school system was the first to implement the scanner last year.

In Maryland, Cecil County is piloting the system in two schools, according to a spokesman there.

Khaliah Barnes, open-government counsel with the Electronic Privacy Information Center, said that schools should have allowed parents to opt in to the service, rather than out.

“With students, this presents unique privacy threats,” Barnes said. “We’re talking about elementary school students, and that type of technology can make children less inclined to the rights of privacy. Imagine being tracked from age 8 to age 16, and then a university continues to use it, it becomes old hat and makes them less inclined to recognize privacy threats.”

Barnes compared the biometric palm scan to the full-body scans in airports, which became the primary tool for screening passengers in 2010. Through a Freedom of Information Act request, Barnes said, EPIC discovered that, though the body scanners do not record images of passengers, they do have storage capabilities.

The PalmSecure system is currently operating in three Carroll County elementary schools, but should be in every school within a year and a half.

Darryl Robbins, acting principal of Carroll County’s Robert Moton Elementary, which is piloting the system, said that it has helped increase the speed of lunch lines and has shown added benefits.

“Now that we’ve combined everything in point of sale, we don’t have students moving around the cafeteria and in that capacity, it’s helped increase student safety,” he said.

Robbins declined to comment when asked if he had been contacted by concerned parents.

Other point-of-sale systems in state schools use a card reader or a PIN to access a child’s account. Sarno said that the drawbacks of such systems — especially for elementary school students — are that the children tend to lose the card or forget the PIN. The palm-reading system also eliminates the possibility of other students lending out their cards or numbers to others.

An audit released in March said the Carroll County school system’s method of tracking student meal purchases was not efficient. The school system only used a cash register to process meal purchases, which the auditor said could lead to reporting and accounting errors for student meals. Recommendations included researching a new cash register system.

The palm-reading system is a remedy for this problem, Sarno said. In the future, parents should be able to pre-pay electronically on their students’ accounts, as well as monitor when and what meals their children are eating. Currently, they can only pre-pay for meals on a child’s account through a check.

“We have a better cash-handling control centrally,” she said. “And less daily cash being handled and putting more in a lump on the account, there’s less daily pennies and dollars. From a business standpoint, all that documentation is being fiscally responsible.”

The palm-reading system will cost a projected $300,000, according to Sarno, for installation of software and hardware in all 43 schools in the system, as well as in the central office.

Baltimore Sun reporter Erica L. Green contributed to this article.

jbauerwolf@baltsun.com

Copyright © 2012, The Baltimore Sun