eGov monitor | The Information Daily

Identity management requires multiple identifier

By Leonard Anderson
Published Monday, November 20, 2006 - 15:00

Story tools

Print this article

Email to a friend

Your feedback

Socitm Consultant, Leonard Anderson proposes a radical approach to identity management that does away with the need for unique identifiers and replaces it with a solution based on google approach to search

People are unique, but their identifiers across computer systems are not. Historically, government agencies have created their own unique identifiers (UIDs) – meaning that multiple identifiers are inescapable. Joined up government requires accurate matching of many system identifiers against one, and only one, unique person.

Traditional ICT solutions specify a UID, a data cleansing process, explicit data matching and a duplicate-free central repository. Business processes that rely on such perfectly accurate data collection are doomed to fail, or have high cost of administration. Huge amounts of effort are spent on correcting the impact of inaccurate data. All systems contain inaccurate data; errors that can only be resolved with human intervention; errors that are propagated into dependent systems. If this causes problems in a single agency, just imagine the problems of integrating systems across multi-agency environments in local government.

There is an event based paradigm for public sector information sharing. Federated identity management is the critical success factor. It has these unlikely properties:

No reliance on historical UIDs;
Multiple IDs (MIDs) are the solution, not the problem;
No up-front data cleansing, no changing of any supplied identity data;
Potential duplicates are ranked, not discarded;
Identity data is never discarded, only time stamped events are recorded;
Identity is inferred, not proven;
Identity is federated with the expectation of future additional systems;
Identity between unlikely automatic matches can be asserted, as an event, by humans, at any time;
Automatic matches can be downgraded by human assertion at any time;
No control of source system structure or use of identifiers;
Quality increases with volume and over time.

An architecture developed from this may appear to reverse best practice from generations of computer systems developers. But a rationale is to compare it with Google. Google is the most successful Web application. Google is undeniably useful, but look at its attributes. They are not dissimilar to the list above. Google:

Analyses content and hyperlinks without any imposed rules;
Ranks content from unstructured pages without any assumptions of matching;
Retains historical records as long as useful;
Improves the value of searches, retrospectively, as Web size increases;
Ranks results by inferred relationships and usage patterns;
Leaves the final decision to the human whether the results are useful;
Uses a multi-vector approach to rank presentation of results.

It is impractical to give every person a single UID that can be used across all computer systems for all time, including historical records. It would have to include foreign nationals. People are unique, not the identifiers allocated by agencies to assist their business processes. The current UID culture creates projects that fail to deliver benefits to citizens, and wastes resources.

Wouldn’t it be better if someone took up the challenge to prototype a federated Persistent Identity Engine. The call is for a serendipitous approach for managing identity with the following features:

Contribution from any agency;
Any number of aliases and identity tags tracked for all time;
Assertions of identity equivalence, by both automatic and manual means;
Every identity ranked against all probable related identities;
Source computer of all identities recorded with date stamp;
Extensible to any new identity scheme, such as ID Cards;
Any identity schema stored, including unstructured strings, mapped by a time-stamped metadata dictionary;
Accessible as a web service from any compliant application systems;
Continuous improvement of identity mapping;
Authentication of users with a federated trust mechanism;
Access to identity data controlled by role, context, consent of agencies and consent of data subjects;
Compliant with all data protection and privacy legislation.
Cognisant of guidance from Kim Cameron’s Laws of identity;
Scalable to any size and time dimension, in conformance with ISO 18876;
Speed and ease of Google when accessed from a browser – the Google Solution;

Yes, it would be big. But it can start small and grow. It should be open source. A candidate architecture has been completed. Building it should start as an innovative research project. Some things would work well, some would fail, but more knowledge would be spread in the public sector. It could help people specify requirements for identity management in future Multi-Agency integrations. An example is the information sharing required by the Common Assessment Framework for Children, which will present 150 local authorities with interesting problems in 2008.

Dr L.P. Anderson
Leonard.anderson@socitm.gov.uk