The government's plans to tackle digital exclusion - the significant user population that cannot or will not use online services - are essential if we are to achieve 'Digital by Default' targets for service delivery, which in turn form a cornerstone of key reforms such as Universal Credit. Is it possible that the Identity Assurance programme is a means to provide user confidence in access to shared online service that will encourage large new groups of users to venture online? This might be the case, but only if all the key stakeholders engage with marginalised users as they first register for services, and public authorities ensure that services are redesigned to incorporate Identity Assurance across delivery channels, rather than bolting it on as an afterthought.
Getting online, staying online
Digital inclusion is not just about handing out PCs and broadband connections. Whilst numerous capabilities need to come together for an individual to be considered 'digitally included,' three of the critical factors include:
- Connectivity: the user needs to have access to an endpoint device and internet connectivity to online services;
- Capability: the user requires the skills to be able to get online and use online services;
- Confidence: the user needs the confidence to transact online without fear of loss or penalty should they be unable to complete the transaction.
Perhaps the key first step for digital inclusion is persuading marginalised users to ‘give it a go’ – to attempt to use online services for the first time. This may involve obtaining or sharing access through endpoint devices and/or networks (e.g. local libraries, UK Online Centres); building their skills through trial and failure, and being able to fall back on community-based support when required; and having the confidence that if something goes wrong, they will not suffer financial or other losses as a consequence.
Digital by Default
Universal Credit and similar programmes will only succeed if the bulk of interactions with users take place online: the need to drive down costs while improving service means that customers must use online channels in place of face-to-face or telephony. Online engagement is essential, but Digital by Default cannot succeed unless government has a way to trust people online, without going through the expense of registering each user in a face-to-face interview, and managing their credentials thereafter.
The Government Digital Service (GDS) has devised a fresh approach to building online trust: the Identity Assurance (IDA) programme. The aim is to allow users to prove their identity, or other information about themselves, using services from private-sector organisations. In the IDA model, individuals and businesses will be able to ‘reuse’ existing trust relationships to interact with government (and ultimately with each other): for example, a customer might use their online banking credentials to prove their entitlement to a public authority so that they can claim benefits. GDS is working with key authorities to deliver the necessary technical, commercial and regulatory infrastructure to make this new approach possible.
GDS is also developing a market of companies wishing to act as Identity Providers (IDPs), who will have to bid for the right to do so, and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. Eight Identity Providers have been selected to provide the first set of IDA services in support of pilot activities from October 2013. Those IDPs are working together under the aegis of the Open Identity Exchange (OIX) to deliver the technology, commercial and legal approaches needed to make the service a reality.
Will Identity Assurance support digital inclusion?
Identity Assurance could create an environment that goes a long way towards addressing the needs for connectivity, capability and confidence that would drive digital inclusion for a substantial population of currently marginalized users.
Digital inclusion is about more than just providing digitally marginalised users with access to network connections and endpoint devices: inclusion is increasingly about ‘ambient’ access to online services, available through multiple channels and devices. Truly inclusive connectivity requires trusted access to shared services: users need to be able to share devices and connections without fear of identity-related fraud or security breaches.
IDA could provide the necessary trust mechanism to encourage users to share services. If users have a channel-agnostic authentication token, such as one-time PINs provided by SMS to their phone, coupled with a suitable trust framework to assure them that they will be protected in the event of a problem (in much the same way that credit card customers are protected against fraud by the brand network, e.g. Visa or Mastercard), then they will be empowered to use whatever device or network access they choose, without fear of identity fraud or security breaches.
A key requirement for IDA is the ability for users to prove their identity and transact with government across multiple delivery channels (online, telephony, face-to-face), but if the service is to be inclusive then individual transactions must be accessible across multiple channels as well: rather than users being pigeonholed as ‘online’ or ‘face-to-face’, they should be able to switch channels as and when they choose. For example, a user might start a transaction online, then seek telephone support when they need it, and be returned to an online channel once their problem is resolved.
Making this happen will require action both from the IDPs, who should be encouraged to deliver multi-channel services, and public authorities who need to design their services such that seamless channel changes are supported, rather than having transactions ‘break’ when users need to move between channels. Effective channel shift will only happen when marginalised users can change channels freely as and when they choose.
The diverse and incompatible authentication services used across public services are, for some users, confusing and difficult to use, and are likely to be a contributing factor to their reluctance to use online services. The move to a ‘unified’ IDA solution, where users can select the IDP and credential of their choosing, provides a much more user-centric approach.
Furthermore, the IDA architecture supports the concept of ‘delegated authority’ – the ability for users to delegate trust to other users when required; and to act on behalf of other users when authorized to do so. Appropriate security controls and audit trails ensure that systems can differentiate between the actions of the user and their delegated proxy, and thus the user is protected if the proxy contravenes their instructions. The approach is essential for business identity, where employees and agents (such as accountants) act on behalf of the business.
Implemented correctly, the delegated authority approach could also be an invaluable digital inclusion tool: users could have the ability to delegate trust to the individual, service or organization of their choosing when they require help with a transaction. For example, a user could ask a family member, a voluntary group or a UK Online Centre to assist or act on their behalf, without having to give away their credentials to do so; the user chooses whose hand to hold when they need support, safe in the knowledge that if anything goes wrong, they are protected from fraud or errors committed by their proxy..
Using Identity Assurance to deliver digital inclusion
If IDA is to become a catalyst for digital inclusion, then its implementation must be treated as a strategic change in delivery, rather than just an enhancement to existing authentication mechanisms. Authorities need to re-think delivery workflows to split interactions into smaller transactions which users can control across different sessions, channels, or providers, so that services don’t ‘break’ if the user suspends the session, or changes the delivery channel, IDP, or delegated authority.
GDS, the IDPs and the potential Service Providers (public authorities) need to come together to support the evolution of commercial models which incentivise the nascent IDP market to design services with the needs of marginalised users in mind, and actively engage with and support marginalised users as they register for services. They also need to work together to educate users that they should try to access services online, and ensure that the necessary support mechanisms are in place to help them when they do so.