Robin Wilton's esoterica

I see that Sen. John McCain has published the most recent 8 years' worth of his health records in hopes of quashing suggestions that he's too old to run the country. Apparently the dossier runs to over 1100 pages, and supports the candidate's claims that he is in excellent shape for his age.

Goodness knows how many pages it would be if there was actually something wrong with him. 

It's a little disappointing to see that the IPS webpages on "How will ID Cards be used in practice?" perpetuate a privacy model which is not as clean or modern as it could be. Here's what it says on the "Proving your age" section:

"This is one of the simplest transactions and will usually be completed without using a card reader to check information against the National Identity Register (NIR).

Ella is 18 and wants to buy some wine from an off-licence to take to a party. Cynthia is a youthful 70 and is keen to claim an ‘over-65’ discount offered at her local garden centre. In each case the retailer could ask for proof of age. As both Ella and Cynthia have an ID card, they do not need to show:

• - birth certificate
• - pension book
• - driving licence
• - or any other documents that might be requested to prove identity.

Instead each of them can simply hand over their ID card.

In this case the retailers will simply:

• - look at both sides of the card checking for the security features, then
• - compare Ella or Cynthia with their photograph on the card.

If the retailers are satisfied that the ID cards are genuine and that they each belong to the person using them, they will then check the dates of birth to confirm their ages.

It takes just moments for the check to be completed so that Ella can buy the wine and Cynthia can claim her discount."

OK - now the first thing to say is that I acknowledge the opening statement that this is intended to be 'a simple transaction completed without a card reader'... so if that's the starting assumption, it limits the available options. One (as suggested here) is to print the holder's date of birth on the card in human-readable form. Another might be, as I believe is done in other countries, to reissue cards as the citizen reaches majority or reaches retirement age. That way, it could be the kind of card carried which provides evidence that the holder is above or below a given age limit, as opposed to some data item visible on the card.

That said, there's a basic flaw here, in that the IPS page does not distinguish between "proving your age", "establishing an entitlement", and "disclosing your date of birth"... and I'd argue that the design for a 21st-century national ID card system absolutely ought to be capable of reflecting the difference between those things.

Let's not forget that this still stands at Number 3 in the Data Protection Principles hit parade:

"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed"

If the relying party needs to know that the citizen is over 18, that need is satisfied by a Yes/No answer to the question "Is this data subject over 18?".

If the relying party needs to know that the citizen is old enough to buy a bottle of gin, that need too is satisfied by a Yes/No answer to the question "Is this data subject over 18?" (assuming 18 is the legal age to buy alcohol in this jurisdiction).

In both cases the relying party's needs can be met without disclosing the data subject's date of birth. Cynthia may indeed be a youthful 70-year-old, but she may also think it impertinent that some pimply youth wants her precise date of birth in order to grant her a 10% discount on a tray of begonias. Bearing in mind that - at least until 2015 - having a card at all will be a voluntary matter, it strikes me that this is just the kind of cultural obstacle it would be wise to avoid.

In several of the Liberty Privacy Summits, "ownership of personal data" has often appeared in the top layer of a stack of discussion topics. That stack is something we've taken to calling "The Ladder"; at the top are those second-order concepts like privacy, trust, ownership and so on, which prompt the most interesting discussions. The problem we've found is that if you start straight in with the second-order concepts, it's not long before the discussion is de-railed by differences over what the various participants understand about the rungs which lead up to it.

For instance, if the participants don't share a common vocabulary and conceptual framework, it's easy for the discussion to collapse amid bickering over terms, or mutual misunderstanding over what counts as 'identity data' and so on.

When it comes to "ownership", I have found that people are coming to describe "identity" less as 'a collection of facts or data about you, which you can therefore control or own', and more as a set of relationships between you and one or more other parties.

Just as I don't think we would ever say that someone "owns" a relationship with someone else, I think it may be unhelpful to try and say that someone can "own" their identity.



Certainly, there are many instances where one party exercises much more control over the identity relationship than the other, but that's a much more graduated question of context, negotiability and balance, rather than the more binary one of 'ownership'.



Neither does the concept of 'ownership' map particularly well onto something which you can give away to multiple other people and still have.