The long-term row between HM Revenue & Customs (HMRC) and the Government Digital Service (GDS) over online identity assurance broke into the open this week. HMRC published a blog post that clearly stated the department was rejecting GDS’s Gov.uk Verify system in favour of developing its own tools for users to login to online tax services such as self-assessment.
However, not long after HMRC and the Cabinet Office were approached for comment by Computer Weekly, the blog post was amended and the key paragraph deleted. This is what it originally said:
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services.”
HMRC is now backtracking, and told Computer Weekly that the blog was edited “as it was causing some confusion”. The official line from HMRC now states: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
That’s materially different – almost the exact opposite – of the original blog post. Our sources say HMRC wanted to declare independence all along, and has only played along with GDS and Verify after prompting from senior levels of the civil service.
It’s also interesting to note that the Cabinet Office took over 24 hours to respond to requests from Computer Weekly for their side of the story. It’s easy – if fanciful – to imagine the shouting that echoed down the street from the Cabinet Office at 70 Whitehall to the HMRC building at 100 Parliament Street, a few hundred yards away.
But why is a seemingly trivial technical spat between two Whitehall departments so important to the future of digital government?
In its new government transformation strategy published last week, the Cabinet Office put Gov.uk Verify at the heart of its future plans, setting an ambitious – some would say wildly ambitious – target of 25 million Verify users by the end of 2020. Currently Verify has just 1.1 million registered users.
HMRC, by contrast, claims 50 million active accounts for its existing identity system, based on the 16-year-old Government Gateway, which is being phased out over the next 12 months. Arguably, Verify cannot hit its target without HMRC’s user base. So why not use HMRC’s system across government, instead of Verify?
The two systems, in fact, treat identity very differently.
HMRC says it needs a lower level of identity assurance than Verify currently offers – although work is underway to address that issue in Verify. HMRC’s system does not require proof of identity – it simply sets up a login and password for users, much as any online shopper would do on Amazon or eBay.
Verify, however, aims to establish a legal proof of identity to a level that would satisfy a court, partly as a means of fraud prevention. It does this by commissioning several independent suppliers to offer a service to establish digitally that you are who you say you are – suppliers include the Post Office, Experian and Barclays.
Those third parties use existing data sources such as credit histories, passport and driving licence records to check your identity – but early experience shows that those easily available sources are not enough to assure a large proportion of the population. For example, some people on low incomes often don’t have a credit history because they can’t afford a mortgage or credit cards, and don’t have a passport.
Online vs offline proof of identity
Currently, more than half (54%) of the people who attempt to register on Verify are unable to create a verified user identity – a figure that in the long term is clearly unfit for purpose. The Verify team are working with the independent identity providers to test new sources of data and new methods of verification to improve on the success rate – but it’s slow progress.
HMRC, however, works mostly on the basis that since you’re logging in to give them money – that is, pay your taxes – it’s assumed to be unlikely that someone will pretend to be someone else in order to pay that someone else’s tax.
Under certain circumstances, HMRC does ask for proof of identity, which is performed offline – either you have to send proof of identity by post, or in some cases HMRC posts a verification code to be used instead. Verify aims to complete the entire process online.
Verify creates an identity that meets a significantly higher level of assurance than an HMRC ID. Verify is designed to confirm to the nine identity assurance principles defined by the independent Privacy and Consumer Advisory Group. HMRC makes no attempt to meet all these criteria.
Business and intermediaries
HMRC’s main justification for preferring its own ID system has always been that Gateway and its successor provide a single service that caters not only for individuals but also for businesses and intermediaries (such as accountants who file tax returns on someone’s behalf).
Verify does not, and has never been designed, to provide identity assurance for businesses. Sources say that GDS investigated using Verify as a standard platform for business identity assurance but found the definitions of what a business is across Whitehall to be too varied and divergent to establish an agreed need. HMRC, Companies House, DVLA and others all define businesses in different ways.
The official line from HMRC and Cabinet Office now – since the amendment of that blog post – is that Verify will be used across government for individuals, while HMRC’s system will be used everywhere for businesses and intermediaries. That still seems like an inadequate fudge, requiring two different identity system to be developed and maintained.
How to get 25 million users onto Verify
GDS will easily meet the target of 25 million Verify users if all HMRC’s users are transferred onto the system – although before that happens, Verify will need to support the lower level of assurance that HMRC uses. It would not be acceptable or feasible to force 50 million HMRC account holders to all create a fully verified account to the levels currently demanded by Verify.
Without HMRC, is that target achievable?
GDS hopes that local authorities, banks and other online companies will adopt Verify. Trials are underway with a number of councils, but Whitehall has no power to force them to use the system.
While there could be an advantage to banks and other private sector businesses to using a government-approved identity assurance system, many will be wary of handing over control of such a critical service to government – and to a set of third-party identity providers. Owning the identity verification of customers is as important to a bank as it is to government.
Another potential source of millions of citizen identities is by using Verify in the NHS. While GDS and NHS Digital continue to discuss the use of Verify, the system is currently seen as not appropriate for NHS needs, where ID is less about proving your legal identity, and more about identifying you through your existing NHS number.
Sources suggest that GDS is considering novel ways of accelerating Verify adoption, such as adding Verify to digital services that don’t really need it, or encouraging citizens to “register in advance” in case they should need a government identity in future. Neither seems realistically likely to encourage 25 million people to sign up over the next three years – meeting that target requires over 600,000 new registrations every month before the next general election takes place.
It seems very unlikely that target will be met without HMRC on board.
Why does this matter anyway?
Identity is important on two counts – as the core of digital public services, and as an ongoing political hot topic.
Online identity is the key to delivering digital government – it’s where every service starts from; it’s the primary way that GDS hopes to make the multitude of government services appear to be an integrated whole. If you’re a Verify user, all of the public sector opens up to you online – or at least, that’s the aim.
That’s perfectly sensible – but highly ambitious. It’s one thing to offer a standard login system – as HMRC has done – but another to say you will have an identity assurance system that works to such a high level of proof that every Verify account stands up legally in court.
Quite simply, nobody has ever achieved such a system, anywhere. GDS is at the leading edge of digital identity assurance with what it hopes to deliver. And as they are learning, it’s a difficult task and it takes time.
It’s relatively achievable to develop Verify to digitally assure the identity of most of the population – let’s say, 80%. But to do so for the remaining 20% is a huge challenge – about one in 10 UK citizens have never used the internet, for a start.
It could be argued that getting 80% of the population to use Verify would be enough – but it leaves the government open to accusations of creating a digital divide and excluding millions of people.
GDS has consistently under-estimated the effort required to deliver Verify – or over-estimated its ability to do so – and as a result has continuously under-delivered and missed its own targets.
As recently as December 2014, a National Audit Office report said: “By March 2016, the [Verify] programme plans that all departments will have integrated the common identity assurance service with all of their digital public services.”
As of February 2017, just 12 services are fully live on Verify.
Whitehall departments are frustrated that Verify is taking so long to develop – it affects their own digital plans. They are concerned about GDS’s ability to deliver – and whether GDS will even be around in the long term.
National identity database
When Verify was first conceived, in the early days of the Coalition government, the former National Identity Scheme under Labour had just been scrapped. Prime minister David Cameron had come to power on a promise to end any plan for a national database of UK citizens’ details. Verify, therefore, had to avoid any accusation of creating a national ID database by stealth – and be seen to do so openly enough to avoid political fallout.
That dictated certain design decisions – such as the involvement of multiple independent identity providers, and the avoidance of a central database. HMRC’s ID system, by contrast, uses the more technically simple solution of a single database.
Were the government to opt to use HMRC’s approach to individuals’ online identity, it risks opening up those old claims of a national ID card by stealth – and that remains politically unacceptable.
Whitehall politics dictates the next steps – whether HMRC can be brought into line and commit fully to using Verify for individuals. Despite its recent positive statement to that effect, it’s common knowledge that HMRC’s preference is to go its own way.
GDS needs to dramatically improve the success rate of user verification from its current level of 46%. Verify stands no chance of being widely adopted unless that figure is significantly higher – ideally towards 80%.
Furthermore, currently only 34% of attempts to access a digital service using a registered account are completed. The best-performing service only reaches a 67% completion rate. Both figures are clearly unacceptable if GDS wants Verify to be more widely used.
HMRC will spend the next 12 months developing its replacement for the Government Gateway. If Verify is not able to fully take over individual identity assurance from Gateway by then, it’s as good as dead.