Is it making steady progress towards creating a market framework for inter-operable identity systems?
Or is it muddying the waters by trying to coerce users into new and unproven systems for their dealings with government while the rest of the world moves on?
The alternative "proven" systems range from the Government Gateway (used by millions, including all small firms for their tax affairs) through the third party services provided by the members of the DCTE (the European trade association for Digital Trust services) to the identity and access management systems used by industry (from airports through banks to on-line retailers) to identify and give layered access to visitors, customers, employees and contractors.
I find it difficult to understand whether the Government data Service is undertaking genuine voluntary customer trials or whether groups of users are being given Hobson's choice - e.g. use the new system or stop farming in an attempt to get a bandwagon rolling.
I therefore asked Mark King of Broadsail, one of the independent consultants who has been tracking UK and EU debate on electronic signatures on behalf of his clients, to comment. Before you read on you might, however, care to begin by viewing the video of his presentation to a BCS-EEMA event last January.
His "observations", including on how and why UK ID policy has got to where it is today, are below:
"The government programme for identification of people for online public services has been very focussed on being seen to respect privacy, which covers more than data protection, notably in respect of user control. One of the drivers was a reaction to the previous government's ID card scheme, which also included a national population register, and that has also been cancelled rather than downgraded to fill missing but unfashionable considerations such as people's jury service status.
Instead of adopting a recognised, existing, privacy-friendly model such as that used in Canada, possibly as a result of the empty coffers, the decision was taken to re-use existing credentials, despite the problem that those suitable for consumers weren't built for giving out benefits.
Re-use of employee credentials was also investigated, but Government agencies are reluctant to allow staff ID to be used for purposes other than those for which they were designed, and with no commercial case for other employers to participate, this was amended. There was no enthusiasm for increasing risk by opening up if there was no benefit for the organization.
After a DWP initiative was announced in the EU official journal (OJEU) and then pulled, a call went out for a framework contract for 'Identity Providers', with the expectation that banks, supermarkets and other familiar organisations would participate. It was initially a DWP lead, but was novated to Cabinet Office when it became clear how gentle the Universal Credit roll out was going to be. Far from being a gravy train, it required participants to invest, but also accept very strict terms as to what else could be done with the data. The only responses were from those not on the envisaged list. They must have been prepared to take the considerable risk of investing, unaware of the extent, or had some separate political motivation. As in Ireland, the Post Office was an obvious contender, and it qualified as being technically private, although some people remained confused about being redirected to the Post Office when they were trying to go online and not use the post.
The group of eight in the framework were a disparate mixture, with at most two of them being household names, although they might have used different branding. Only five went through to a delivery contract, and public testing started on 21 October 2014 with just one.
An unpaid group of privacy experts were brought together to agree the principles for the programme. Had this been done before going out to contract, any principles would have carried more weight than putting them out for public consultation three months after the system was due to become operational.
Moreover, public endorsement of the principles by a cabinet minister precluded (and still precludes) civil servants from debating the issues in public.
The group's remit was also extended beyond privacy to general user concerns (but, it seems, not non-users); it is not clear if sufficient additional experts were called in, nor who has time to provide unbiased pro bono advice for such an extended period.
The user was not allowed to be able to choose to be consistently associated with a permanent identifier such as a National Insurance or NHS number, but rather a matching data set including 'current address' and date of birth - use of both of which is deprecated by online security advice. Nor is the user allowed ...