NAO hammers another nail into Gov.uk Verify

It’s not commonly known outside Whitehall that by the time the National Audit Office (NAO) – Parliament’s independent spending watchdog – publishes a report, it will have been through several iterations. The subjects of the report – government departments and agencies, civil servants and ministers – are offered a chance to comment and object to the contents, which means that conclusions are often watered down.

So as a journalist who has to read through such reports – typically many tens of pages long – there’s sport to be had in looking for phrases that subtly show the real opinion of the auditors that compiled the document.

In the NAO’s latest report, into the troubled progress of Gov.uk Verify, the Cabinet Office’s flagship digital identity system, one line stood out as the reveal for what the NAO really thought:

“It is difficult to conclude that successive decisions to continue with Verify have been sufficiently justified.”

Let’s dissect this masterpiece of Whitehall bureaucrat-speak.

“Difficult to conclude” – in other words, we cannot conclude.

“Successive decisions to continue” – they wouldn’t listen when they were told to stop (the NAO revealed there have been more than 20 internal and external reviews of Verify).

“Sufficiently justified” – not justified.

The highly critical report on Verify offered one other piece of classic NAO phraseology: “On the evidence made available to us, we have not been able to replicate or validate the benefits estimated” by the Government Digital Service (GDS), developer and now perhaps the only remaining champion for Verify.

In other words, you can’t rely on (believe?) GDS’s claim that Verify will generate £217m of benefits – a figure already 75% lower than promised in the original 2015 business case. You can believe that it has spent £154m already, with another £21.5m to come – plus an uncountable amount spent by the few departments that integrated Verify into their digital services. You’ll notice that the total spend comes in just nicely below £217m.

The rest of the NAO report simply catalogued what we already know – that Verify has missed every performance target for verification success rate, service adoption, and user take-up. And missed them by a country mile.

Verify has become tribal in Whitehall digital government circles. Outside GDS, there is widespread disappointment that the project has ended up here – the concept and aims were widely welcomed and plenty of people wanted it to succeed.

Over time, according to critics, GDS withdrew ever further into a bunker, determined to prove outsiders wrong. Still now, criticism is reluctantly received – even when the government’s major projects watchdog recommended the programme be scrapped last year.

GDS is right to say this was a challenging project at the leading edge of its field, with ambitious targets – an attempt to set standards that would create a thriving commercial market for digital identities in the UK. That was always going to be tough – it was brave to take it on. Others can comment on whether it was correct.

Talk to commercial providers of digital identity today, and they will say that Verify has been mostly a hindrance, restricting the market to a small number of providers given a contractual monopoly by GDS over access to public services. Two of the seven chosen providers pulled out when the contracts were recast last year, seeing that their business cases no longer stacked up, leaving 380,000 Verify users to have to go through the whole registration process again at some point to choose another provider.

One Whitehall insider posed an important – if so far rhetorical – question: how can it be right that the private sector was allowed to become the exclusive gatekeeper for deciding whether or not citizens can access online public services?

GDS is determined – convinced – that Verify can and will become the foundation for a standards-based approach to federated digital identity once it is handed over to the private sector in March 2020. The organisation insists that if that objective is achieved, Verify will be a success – even if it may not address whether, at £154m and counting, that success was value for taxpayers’ money.

It’s worth pointing out that, in functionality terms, Verify does exactly what it said it would. This is not one of those government IT systems that failed because the software didn’t work. But GDS was over-optimistic about what that software could deliver. Assurance levels were set too high. Not enough public data is available to prove in a 100% digital process that enough people are who they say they are. And critics say that the developers seemed to forget that the user’s real need was simply to access an online service, not to have to go through an extensive registration process that more than half of them failed.

Verify was originally justified as a means to reduce fraud, eliminate costly legacy technology, remove paper processes, and cut call centre costs – these remain a missed opportunity.

At the core of Verify is the document checking service – an API-addressable system that allows verification of government documents such as passports and driving licences. That’s the real prize for the private sector – that’s what they now want access to. And it’s also likely to be the most obvious success of the Verify programme, once government decides to open it up.

Sources close to GDS point to the behaviour of certain large Whitehall departments that set out to frustrate progress and dictate unachievable goals, setting Verify up to fail. There may well be some truth in that. But it has to be said – and has been, frequently – that GDS did itself few favours along the way.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

  • How do I size a UPS unit?

    Your data center UPS sizing needs are dependent on a variety of factors. Develop configurations and determine the estimated UPS ...

  • How to enhance FTP server security

    If you still use FTP servers in your organization, use IP address whitelists, login restrictions and data encryption -- and just ...

  • 3 ways to approach cloud bursting

    With different cloud bursting techniques and tools from Amazon, Zerto, VMware and Oracle, admins can bolster cloud connections ...

SearchDataManagement

Close