Government Digital Service insists Verify safe despite claims of vulnerabilities

An academic paper suggests the Gov.uk Verify system could be used as a spy network, but the Government Digital Service (GDS) insists this is not the case

The Government Digital Service (GDS) has insisted its Gov.uk Verify scheme is safe, despite an academic paper claiming its infrastructure is riddled with vulnerabilities.

The paper, named Toward Mending Two Nation-Scale Brokered Identification Systems, highlights that the Gov.uk Verify system uses a central hub through which the identity providers and service providers communicate.

If this central hub were to be hacked, it could be used for “undetected mass surveillance” through user impersonation.

“The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure,” said the paper.

“It is clear that Gov.uk Verify does not adequately consider the need for resilience against a compromised hub and fails to address plausible threats.”

Gov.uk Verify was developed by GDS to give the public a safe way to verify identity when using online government services, such as tax self-assessment or applying for new official documents.

Privacy a priority, says government

The system uses third-party providers – such as Barclays bank, PayPal and Verizon – to verify a user’s identity using unique indicators such as passport or driving licence details.

But the paper claims that, since the Gov.uk Verify hub can see the pseudonym that the identity service providers create for each user, anyone with access to the hub – including hackers – can use it to identify where the same user has interacted with different departments.

But GDS has insisted that Gov.uk Verify is secure, as only a user’s name and date of birth are passed through the hub, and only when a user is accessing a government service through Gov.uk Verify, where the data is used to match their record with the appropriate department.

“Gov.uk Verify protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group. Gov.uk Verify does not allow for mass surveillance,” said Janet Hughes, head of policy and engagement, identity assurance programme, in a blog post.

“No data about the person’s interactions or activities in certified companies or government departments passes through the hub.”

GDS claims it is now working with the authors of the paper to clarify some of the claims and has invited one of the paper’s authors to join its privacy and consumer advisory group to further develop ideas around consumer privacy.


1 comment


That is not the main vulnerability with Verify. A much bigger risk is the potential ability of fraudsters to "acquire" identities in the name of those who have never been on-line or borrowed money, without them being aware - until their benefits or pension stops coming. The watering down of security requirements to increase the number of participating identity suppliers increases the risk. The "solutions" include enabling "trusted" suppliers to enroll benefits claimants, pensioners, patients and taxpayers (and others with existing government issued credentials) on a rolling (but also VOLUNTARY) basis, perhaps linked to DWP, HMRC and NHS validation exercises and worthwhile incentives (e.g. CASH or a free Health Check/Visit). Those with the new identities might then be offered faster treatments/benefits processing etc.