The Government Digital Service's (GDS) has announced the next round of procurement for the Identity Assurance Programme (IDAP), which will expand the use of a federation of private-sector Identity Providers (IDPs) to enable access to public services. There are few details at this time, beyond the announcement of a supplier event on 28th April.
Four years in, great progress has been made in cracking a very difficult project, but will this procurement be enough to get IDAP through the next year, and what does the future hold for identity assurance? Given that we’re all gearing up for tomorrow’s big oven-ready lasagne race at Aintree, let’s look at the risks associated with bidding for IDAP services.
How does Identity Assurance differ from other government ID approaches?
I've talked at length about identity assurance, and how IDAP differs significantly from ‘traditional’ government ID approaches, but if you're not familiar with the programme then here's a quick summary (and you can find out more at the GDS blog).
In the majority of population-scale identity schemes (including the abandoned National Identity Scheme), the government operates a central population database, which is used to authenticate individuals when they transact with public services. Under IDAP, government provides a federation hub, but IDPs come from the private sector and are responsible for registering and verifying users for the service. Users may hold as few, or as many identities as they wish, from as many providers as they wish, and the system is pseudonymous (i.e. no ‘root’ ID). Relying parties specify the level of assurance they need in a given transaction, and the IDP is paid accordingly, so for a low-risk transaction (e.g. query about library services) there is a low level of assurance; whilst for a major transaction (e.g. applying for a passport) there is a high level of assurance from the IDP.
There are no identity numbers, no identity cards, and no compulsion on users to register, or maintain the accuracy of their data. A 'trust scheme' operators oversees the service and ensures that everyone plays by the rules.
What is the current status of the programme?
The first round of IDAP procurement took place in 2012, and resulted in eight IDPs being recruited to the framework, of whom three declined to go through on the first call-off contract. That leaves us with DigIdentity, Experian, Mydex, Post Office, and Verizon Business. They have been working on the first services, which will connect to a hub provided by GDS. The first private beta services are now running, and will shortly be made public, with selected users being able to enquire their driver records using IDAP. In anticipation of expanding the breadth and depth of the service, and increasing robustness, GDS is now returning to the market to seek additional IDPs.
GDS is hosting a procurement event on 28th April, at which the procurement will be explained, and candidate IDPs can have their questions answered. There is one burning question I'd like to have answered at that event, and in anticipation of the end of the month, I'll outline it here.
The challenge for GDS
This next round of work is not going to be without its challenges: IDAP has to deliver some ambitious objectives, including:
- providing services for multiple central government departments with conflicting needs, architectures, and timescales;
- enabling cross-channel service delivery that enables users to engage with IDAP online, over the telephone, and face-to-face;
- shifting delivery away from the‘traditional’ public-sector providers who are equipped for major project delivery, and instead working with a range of small and large companies, some of whom are not accustomed to working with the UK government;
- rolling out a robust service delivery that does not risk denying services for users if systems face teething problems;
- creating collaborative federation between potentially competing IDPs;
- establishing a trust framework and oversight mechanism that ensures legal protection for all parties;
- building consumer confidence in a new concept which does not yet have a recognised brand, interface or use case;
- growing an ecosystem of IDAP services which is as attractive for private sector providers and relying parties as it is for public authorities.
Each of these is a major change for central government; collectively they are a huge obstacle, and whilst GDS has a track record of delivering 'impossible' projects under challenging circumstances, there is no denying that this next phase of work for IDAP is likely to be the toughest yet.
Commercial challenges for potential IDPs
But the challenges aren't exclusive to GDS - in fact, the current and future IDPs have perhaps the toughest environment of all, since the risks are rising but the possible rewards are a long way off, and we don't yet have a commercially viable IDAP ecosystem. IDPs are currently paid on a “per unique user, per IDP, per annum” basis: that is, for each person who uses an IDP to access IDAP services, the IDP is paid a one-time fee each year, even if that person also uses other IDPs. That means that the IDP must win over users and persuade them to use IDAP if it is going to recoup its investment in IDAP services.
Anecdotal evidence suggests that the minimum cost of standing up an IDP service which could pass muster with the trust scheme, would be in the region of £1.5m - £2m (probably much more for a large company). Add to that the costs of operating, marketing, auditing, etc, and we're probably looking at another minimum £500,000 per annum. This isn't a cheap proposition for the IDP, and the up-front costs drive all the risk to the IDP, with no assured transaction volumes from government.
The transaction payments to IDPs are not publicly available, but if we guess at, say, £20 per user per annum, with an operating cost of £10 to verify and credential each user, that means an IDP would need to run a population of 250,000 users in the first year just to have a chance of breaking even. That's going to be a problem for stretched Sales Directors who are evaluating bid risks and trying to determine where to focus their sales resources. Why bid the high-risk job with the deferred payback, when they could go for safer projects with up-front payment (that is, if any such projects still exist in public sector, but that's another matter).
And the political challenge...
In just over a year from now, Britain will go to the polls. In his Editor's Blog, Bryan Glick considers how GDS is likely to become a focal point for political fighting both before and after the next election. If we end up with a Conservative-led government, then the GDS vision is safe; but if we have a Labour-led government, then there will be those wishing to exact revenge on Conservative policies, including senior political figures who still support the idea of National ID Cards, and in that situation IDAP looks like a pretty easy target for them to cancel and switch back to a more traditional ID approach. Our IDPs would find their contracts cancelled without having made so much as a penny, and potentially having sunk several million pounds into their delivery.
IDAP is therefore a high-risk commercial proposition, not just because of the nature of the service and its commercial model, but because of broader political pressures, and it would be a negligent Sales Director who didn't take that into account when deciding where to focus bid resource. GDS could of course do many things to mitigate this risk, including offering up-front payments to IDPs; ensuring that there are appropriate termination clauses in the contracts; delaying the delivery phase until after the election; or changing the commercial model altogether.
So my question to GDS is: what can GDS do to assure candidate IDPs that the risks associated with bidding and delivery are successfully mitigated by the potential prize and the likelihood of winning it? Until that question is answered, I think I’d rather put my money on a 5-horse accumulator than an IDP bid team.
[Declaration of interests: I am not associated with any of the incumbent IDPs or bidders, although I was part of the Post Office’s bid team. I have an unpaid role in the GDS Privacy and Consumer Advisory Group. And I’d like to see IDAP succeed, because a return to ID Cards doesn’t bear thinking about]