Even GDS is telling GDS to shut down Verify

The ailing Gov.uk Verify digital identity system was given a Frankenstein’s monster-like burst of energy back in April, when the lockdown-induced surge in Universal Credit applications brought hundreds of thousands of new users.

As a result, despite funding that was due to run out at that exact time, HM Treasury offered an 18-month reprieve, on condition that the Government Digital Service (GDS), which develops Verify, made sure all its users found an alternative system in that time.

That would sound pretty terminal, right? Not to some in GDS. It turns out the extra funding led GDS to commission an internal report into the next steps for Verify. Bear in mind that, according to a 2019 National Audit Office report, the £200m Verify system has already been the subject of at least 20 reviews and reports in its troubled lifetime. What’s one more between friends, eh?

I’m told the report was written by former BP CIO and now Cabinet Office IT advisor, Simon Orebi Gann. Its conclusion?

“The Verify programme should now be closed down as quickly as possible.”

Specifically, the report recommended: “Immediately reduce the Verify programme to a minimum operating service,” and “Close down the Verify programme as soon after April 2021 as possible”.

Even GDS is now trying to convince GDS to end the programme that everyone else has been telling it to shut down for at least two years, since the Cabinet Office’s own major projects watchdog said it was time to put Verify out of its misery.

So much time and potential progress has been wasted since then, with the private sector getting increasingly frustrated and angry at the way GDS’s intransigence and reluctance to listen to expert advice has hindered the development of a digital identity ecosystem in the UK.

Boris Johnson – well, his speechwriter, probably under instruction from Dominic Cummings – promised us a future of digital identity for all in his Conservative Party conference speech earlier this week. Surely even Boris would quickly be able to grasp that Verify is not that future.

Computer Weekly understands that GDS considers the report to be no more than a low-level internal discussion paper, that will have no influence on policy.

However, the paper’s first recommendation is “to create and implement a single point for logon” for access to online government services.

“Success in the government digital economy could be greatly simplified by creating a two-part form of digital identity solely for government use,” says the report, titled Access and identity in online government.

“The first is a common, basic logon that can provide access across all government services, and the second would be a shared record of identity assurance across all departments, supplemented as and when needed to assure identity to a higher level.”

Strangely, this is not dissimilar to suggestions made at least five years ago, but let’s not digress.

Since the report was produced, GDS has announced a trial of a new system, Gov.uk Accounts, which could very accurately be described as a common, basic logon that can provide access across all government services.

One can only presume,  therefore, that certain other recommendations in the report will also be pursued.

The latest review described Verify as having “lofty ambitions” at the outset, believing that “firstly, a digital identity was a key to simpler, higher-quality, lower-cost online government services and that secondly, government commitment to this vision could kickstart a vibrant private sector digital economy.”

It goes on to say that, “Delivering either would have been an enormous challenge; attempting a single solution to meet their differing requirements has failed to satisfy either ambition. The vision lacked realistic, deliverable objectives and failed to capture the full requirements of user departments. As a consequence, the major users of Verify have funded programmes underway to replace it with separate solutions.

“The Verify programme should therefore now be closed down as quickly as possible in a managed way, maintaining a simple operational service for the tail of smaller departments until they migrate to the long-term solution.”

The report includes some honest observations that would come as no surprise to many whose path has crossed with Verify in recent years, not least this one: “The Verify team tried a central design with minimal consultation and no expectation that the result would be mandated. The style was described as ‘Tell and Sell’. A different style is needed.”

So after more than £200m spent by GDS on Verify and many millions more by other departments, what’s left that has any value? The report identifies a few, but hardly £200m worth:

  • The Verify identity verification platform, which “may need to be retained/repurposed if UK government decides to remain connected” to the EU’s eIDAS digital identity infrastructure.
  • The 6.7 million digital identities created by Verify – although the report acknowledges that, “Existing identities hold minimal value if Verify is closed”. There appears to be no plan for migrating those identities to any successor systems.
  • The GPG 44/45 good practice guides that underpinned Verify’s trust framework – although the private sector generally sees these as largely irrelevant.
  • The Document Checking Service, which is being piloted for the private sector to allow online checks for passport data. This is the one service that digital ID companies have always said they need.
  • People: “There are several highly skilled individuals working within the Verify team who are well regarded within the digital identity industry. Their expertise should be used to support the plans for the future.” Good recruitment candidates for the private sector, then?

When even GDS recommends to GDS that it’s time to end Verify, perhaps finally GDS will listen to expert advice .

CIO
Security
Networking
Data Center
Data Management
Close