Prime minister Boris Johnson and his controversial special advisor, Dominic Cummings, are “secretly” working on a plan to gather citizen data from across Whitehall to be used for targeting communications to people in the run-up to Brexit, according to a report from Buzzfeed News.
Computer Weekly sources have confirmed that Cummings and Number 10 have taken a particular interest in how Gov.uk Verify – the government’s troubled digital identity scheme – could be used to facilitate such a move.
Rumour has it that the Government Digital Service (GDS), which develops Verify, has not been unenthusiastic about an idea that could help to establish Verify, even as its support dwindles elsewhere.
Could such a plan work? If so, how? And is it legal? Below is an entirely speculative theory, but could it potentially happen? If anyone reading has further insights that add to or contradict any of this, I’d be happy to hear from you.
Let’s put aside the legal issues for a moment, and examine the technical infrastructure.
So, you visit a Gov.uk page, and a cookie is dropped that can identify to GDS the device / browser you used, and also to the department that runs the service you accessed, such as tax accounts or Universal Credit.
That cookie doesn’t know who you are – only that this browser has been here before. GDS uses Google Analytics to understand how people are using the website – pretty standard practice for any website (ComputerWeekly.com does this too).
This can tell No.10 what pages, and therefore what topics, are being read the most. Cookies are also used by commercial websites to target online advertising to returning browsers / users. Gov.uk does not run ads, but in theory it would be possible to pop up an advert for a government service, or for the “Get ready for Brexit” promotional campaign already underway.
Then there’s Verify. For all its problems, Verify now has nearly five million registered accounts. The system was designed with privacy in mind – part of its core rationale was to avoid the creation of a central identity database. Verify was created partly in response to the scrapping of Labour’s ID Cards programme – it has, since then, been politically unacceptable to create a citizen identity database, whether by stealth or virtually.
When you create a Verify account, all the data you provide is retained by a third-party identity provider (IDP), and not by the government service you wish to access.
However, when you access that service, the IDP provides a unique identifier to the relevant Whitehall department – which cannot be used to derive any personal information. But it also sends across a set of basic attributes – name, address, date of birth as a minimum – solely for the purpose of matching the user to data already held by the department.
For example, if you’re checking your tax records, HM Revenue & Customs will use those attributes to make sure you are the correct John or Jane Doe for which it already holds a record, so you don’t end up looking at someone else’s financial details.
The Verify data policy states that “You must not use the user attributes for anything other than matching. If you do, you may be in violation of the General Data Protection Regulation.”
Note, “may” not “will”.
It’s therefore technically possible to match a Verify user with the Gov.uk cookies on their device – which means No.10 could derive who is reading which web pages, for up to five million citizens who use Verify.
Once more putting aside the legalities, it would be technically possible to further match the information on who you are and what you’re interested in, with social media data to allow targeting of adverts on Facebook, for example.
That’s still “only” five million people.
GDS has a stated objective to achieve 25 million Verify users by 2020 – a figure that’s been recognised as over-ambitious. There have been attempts in the past to mandate use of Verify for digital identity across government, but these have been resisted. Could a more aggressive approach from No.10 overcome that resistance?
There are rumours that GDS wants to overcome negativity towards Verify by instead mandating that any Whitehall identity schemes conform to a standard called GPG45, upon which Verify is based. Presumably, the hope is that most departments would find that the only GPG45-compliant system available to them in the short term happens to be Verify.
That’s not going to change much between now and 31st October when the UK is currently due to leave the EU, but the Buzzfeed report refers to “a digital identity accelerated implementation plan”, and the prime minister has told departments to “to engage in that work urgently”.
Could Brexit, Boris Johnson and Dominic Cummings yet save Verify?
There are, of course, legal restrictions over data sharing, even between government departments. GDPR is relevant, but more pertinent is the Digital Economy Act (DEA) of 2017, which governs the circumstances under which public bodies can share data.
There are valid reasons for inter-departmental data sharing, which are set out in the Code of Practice for public authorities disclosing information, which is part of the DEA.
“Public service delivery is changing, due to increasing acknowledgement that services are more efficient and effective when they are joined up. Joining up services requires the sharing of information,” says section 55 of the code.
“The Digital Economy Act 2017 creates a mechanism for establishing clear and robust legal gateways which will enable public authorities to share relevant information on the individuals and families they are working with in compliance with the data protection legislation. The primary purpose of this power is to support the well-being of individuals and households.”
A number of situations are included in the code, relating to areas such as fuel and water poverty, debt recovery and fraud.
But the Act sets out the principles and processes for establishing new areas where data sharing can be justified – these are tightly controlled and require approval from Parliament, publication of a privacy impact assessment, and must be listed on the public register of information sharing agreements. There are currently 38 records in the register, mostly involving local authorities seeking data to help reduce council tax debt.
In theory, therefore, there is a mechanism to establish legal data sharing of internet activity data between departments – but it’s onerous, time consuming, and needs scrutiny and approval.
“The public service delivery power gives you the ability to gain access to the data you need to respond more efficiently and effectively to current and emerging social and economic problems. The power allows ministers in the UK government to set objectives in regulations,” says the code of practice.
If you can make the argument that Brexit is an “emerging social and economic problem,” it may just be possible (although proroguing Parliament doesn’t help).
What other sources of data might exist?
Let’s say you were one of the six million people who signed the online petition to revoke Article 50 and remain in the EU, or one of the 1.7 million who similarly petitioned against Johnson proroguing Parliament.
The e-petitions system collects and retains for up to 12 months your name, email address, postcode, the country you live in, and the IP address you use when starting or signing a petition.
Presumably, if you petitioned to revoke Article 50, then government policy on Brexit will be “relevant” to you – and this time they have your email address too.
Of course, it’s not as simple as that. Online petitions are run by Parliament expressly to demonstrate that the data is not being collected by or for the government. This is governed by a cross-party committee that has in the past pushed back hard on any attempts to use the data for any other purpose.
Given the current state of UK politics, it must be unlikely the committee would accede to requests from the government to access that data for Brexit-related purposes.
But nonetheless, it’s technically feasible. The only question is how far any prime minister or their government is willing to push the boundaries of political convention and legality to get access to all that data.