Computer Weekly Editors Blog

Government opens up a gateway to an alternative future for digital identity

Bryan Glick
Bryan Glick
Editor in chief

Yesterday, the UK government slipped out a seemingly minor, technical announcement, published on what is likely to be a minimally read blog, that could have significant implications for Keir Starmer’s most controversial tech policy – digital identity.

The announcement came in a post from the little-known Office for Digital Identities & Attributes (OfDIA), part of the Department for Science, Innovation and Technology (DSIT), and concerned a new service called the Information Gateway.

The Gateway was a legal power enabled by last year’s Data (Use and Access) Act, and it promises to give the private sector digital identity market the one thing suppliers have been crying out for the longest – for over a decade, at least: direct API access to government-held data for the specific purpose of verifying an individual’s identity.

This functionality has been offered, somewhat reluctantly, by the Passport Office for some time – it’s not uncommon these days for people to have to prove their identity through an app or web service, by using their phone to read the chip on their passport and taking a selfie to verify they are the person identified in the passport’s biometric facial scan data.

It’s already used by a range of digital verification service (DVS) providers – for example, when conducting right to work checks. The service effectively tells the app that’s being used to verify someone’s identity, that the person scanning the chip and sharing the selfie matches the attributes held by the Passport Office.

Crucially, it does not confirm this person is definitively who they say they are – that’s left up to the DVS provider, who would typically check other attributes and data sources, such as credit reference agencies, before verifying someone’s identity.

Part of the controversy last year around the impending launch of the government digital wallet was that the extensive identity data held by Whitehall departments would only be available to users of the Gov.uk Wallet app. The Information Gateway is intended to open all that data up to private sector apps too – taking the model used for passports and applying it for other services too.

It would mean DVS apps potentially getting access to driving licence data, for example, or benefits eligibility data (eg, “Does this person receive housing benefit, yes or no?), or income levels (eg, “Does this person’s income exceed the required threshold for this service, yes or no?), or immigration status (does this person have the right to access a particular public service?) or even council data (does this person have a parking permit or a Blue Badge?)

This would open up digital identity services to reduce friction in all sorts of online services – reducing form-filling, delays and the need for physical documentation.

Imagine making a vehicle insurance claim, and the insurer’s app being able to gather all your data about driving licence, MOT and car ownership electronically and automatically (with your permission), along with any publicly available CCTV images or driver-cam footage uploaded to the police by witnesses to an accident. That’s simply not possible in the UK at the moment – it is in some other countries, such as Singapore, which has a highly developed public digital identity ecosystem.

Sounds good, right? But wait, isn’t this sort-of what the government has promised to offer through its non-mandatory national digital identity scheme?

Well, largely – yes. For public services, at least.

So, you may ask, why do we need a government digital identity at all, if the growing market of DVS providers can get access to the same data? And the answer to that is: good question.

It’s never quite as easy as that, is it? For one thing, the Information Gateway doesn’t yet exist, and there’s a lot of bureaucracy that has to take place – not to mention IT work – before it exists. OfDIA reckons parliamentary approval should be in place by the end of the year.

While the new data laws give approved DVS providers the right to request access to government data, and forces the public body that holds the data to consider the request – it does not mandate them to do so.

“Public authorities receiving requests … are encouraged to share information with the registered DVS provider through the information gateway where possible,” says the OfDIA blog post. Those public authorities can charge for the provision of such a service, which may help.

Importantly, public bodies can choose to provide data either through an API or as a digital credential, or both. Developing an API is likely to be a lot cheaper. It’s an important distinction – the upcoming digital driving licence, for example, will currently only be available in the Gov.uk Wallet, not any private sector DVS apps. Those apps may have to make do with an API.

What’s the difference? Flashing a credential in a digital wallet is the same as showing the physical driving licence. Depending on how it’s implemented, verified data through an API could simply be saying, “The last time I checked, this data was correct”. It’s an important difference when it comes to assessing the risk of verifying someone’s digital identity – and in the case of fraud, it gives the public body the opportunity to say, “Well, the data was correct when you asked us. Everything else is up to you.”

So, if you can see the benefits of having a digital identity per se, but you’re uncomfortable with the idea of using a government digital identity app – for all the justified (and sometimes irrational) risks and fears that go with that – choosing your preferred app from a variety of trusted DVS providers could give you all the same functionality, with fewer concerns. Which seems like a pretty good deal.

There’s a consultation underway right now about the government digital identity scheme, which ministers insist will be used to guide development of the system.

Surely, one of the best outcomes of that consultation should be to place greater emphasis and responsibility on public bodies to make their data available to DVS providers, and if they create a full digital credential for the Gov.uk Wallet, that they should also offer it to DVS providers, too.

If the government genuinely wants the public to benefit from the sort of friction-free interactions with public and commercial services that it claims is the rationale for its national ID scheme, then why not start by giving data parity to the private sector, through the Information Gateway?

As ever, one suspects the government would rather avoid that question.