% fortune -ae paul murphy

The village cop - in the global village

Here's the introduction from a a "kablenet" report carried on theregister just over a week ago under the headline: "Whitehall to boost identity spend by £5.2bn":

Public sector spending on identity management (IdM) is set to surge by £5.2bn in the next four years, according to a new Kable report.

Spending on IdM is ready to leap by almost 50 per cent next year from £825m to £1.23bn, propelled by major programmes such as the National Identity Card Scheme, e-Borders, the Police National Database, and the National Offenders Management Systems.

Total IdM spend in the period 2008-2011 will amount to £5.2bn. This follows a prolonged period of strong growth since 2000 when total IdM spend was just £135m, and maintains the trend of central government being the biggest spender.

I think the sports speak here is unintentionally symptomatic - they're talking about very nearly 11 billion American dollars and the history of expert mediated big ticket IT projects in Britain is so dismal that you can realistically estimate the final price as three times budget, while assuming that about half the planned functionality will eventually get delivered.

Britain isn't alone in this - both Canada and the United States have similar project sets (and therefore outcomes) in the pipeline - but all of them suffer the same basic problem: they're bureaucratic responses developed and sold on a fundamental mis-understanding of both the identity management issue and the available solutions.

The actual problem is simple: somebody appears somewhere and the local cop needs to know how to react to that person.

The current solution: better personal identification for everything from international travel to internal threat or benefit registries, has long historical roots. In brief, the current system evolved (ultimately from Roman military practice) when Americans, who were too rich to be ignored and too democratic to accommodate within the existing social structure, started touring Europe during the late nineteenth century. Since those people had money the passport evolved as a substitute for the traditional letter of introduction between noble families, attesting to the bearer's ability to pay debts incurred but signed by the American Secretary of State as a kind of faux head of family for Americans.

Today we're still doing exactly that: when you present identification for internal government or travel purposes what you're doing is saying that someone else vouches for you - and what's important isn't that you really are who you say you are, but that the local cop can use this information to determine what kind of record you have and therefore whether he should take some action or not.

Unfortunately the delays built into this process mean that most people confuse the proxy (name based self-introduction) with what it points at: your history. The result, even more unfortunately, is that the more money and effort democracies like the United States and Britain pour into these things the less value they'll have for their primary intended purpose - because those expenditures just increase the credibility afforded state sponsored forgeries like those issued by North Korea and Iran.

So what can be done? Well, returning to the most basic question points at an obvious IT answer: what the cop in the global village needs is what the cop in the local village usually has: the ability to instantly separate bad guys from good guys in context. Thus when he sees Jane enter a bar, he doesn't have to ask for identification because he knows she's 13 and just going in to get dear old dad - and, similarly, when Dick gets a cute little dog the village cop knows it's time to have another talk with him about spending too much time near the school.

We can meet the critical parts of the requirements here through what I think of as a good guy card - a smart device that only works for the person it's issued to and responds minimally to contextually appropriate queries. Thus it responds to a bar tender's query by reporting that you're old enough, but doesn't give him your name, age, address or anything else; responds to an immigration officer's query by telling him that you're a British citizen with no criminal record or out standing warrants against you - and not your name, your business, your address, or anything else that isn't legitimately his business; and responds to a police query with a simple yes or no on outstanding warrants or a particular crime scene DNA match.

We know how to make this technology work and the results would be a lot cheaper, a lot more effective, and a lot less threatening to individual freedoms then today's attempts to impose "papieren" on everyone - but since we don't know how to break past the log jam of traditional thinking, my only hope is that relatively few people die in terrorist incidents before enough of those multi-billion dollar projects fail to force governments to rethink them.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.