On digital identity in the UK - and the likely future for Gov.uk Verify
Did you know the UK government has a minister for identity? It’s Baroness Susan Williams, whose full responsibilities go under the grander title of minister of state for countering extremism. Perhaps her biggest issue around looking after identity is that so few people have identified her job exists.
But the UK government is increasingly focused on identity – and to be more specific, digital identity. There’s widespread awareness that for a functioning digital economy, this is a nut that has to be cracked, and soon.
We now have a need to register EU citizens, for a start. The forthcoming General Data Protection Regulation (GDPR) also heightens the need for being able to assure that someone is who they say they are when transacting online.
In the banking world, digital identity sits at the heart of two important regulatory developments – the second Payment Services Directive (PSD2) and Open Banking, which aims to increase competition in retail banks by opening up data to allow fintech challengers to emerge. That is before you consider the ongoing challenges of tackling online fraud.
The British Standards Institute is working on a national standard for digital identity which has been under consultation, known as “PAS 499, Digital identification and authentication – Code of practice”
And work is underway in the Government Digital Service (GDS) to make the Whitehall ID system Gov.uk Verify compatible with eIDAS, the EU-wide electronic ID scheme that will be required for enabling cross-border trading and portability of national ID systems within the EU – and more importantly, if the UK wants to continue to be part of that EU digital economy after Brexit.
How lucky we are, dedicated followers of digital government will cry, that we in the UK have Verify to do all this, don’t we? Well, not quite.
What’s going on with Gov.uk Verify?
At the time of writing, it’s been over seven months since the Gov.uk Verify blog was updated. A month before the most recent post, Verify was placed at the heart of the government’s ambitious transformation strategy, with a goal of 25 million users in 2020. About six weeks after that post, Verify was included as part of the Conservative Party manifesto in the snap general election.
But the team responsible for the government’s critical digital identity system has been silent on its own blog ever since, and the performance of Verify continues to disappoint. What’s going on?
The man in charge of Verify, Nic Harrison, director of service design and assurance at GDS, spoke last month at a low-key event organised by Open Identity Exchange (OIX), an industry body co-ordinating collaboration on digital identity across the public and private sectors.
Harrison stressed that the government remains committed to Verify, but its much-discussed problems were hinted at too, in the opening to his speech when he said, “I know first-hand how difficult it is to establish a federated digital identity scheme. How do I know this? Because I took over Verify just over a year ago” – to which the audience of digital identity experts responded with knowing laughter.
“Establishing a common mechanism [for digital identity assurance] is far from a smooth process. In terms of comparative pain, this morning I was having root canal surgery, which gives you an idea of how much work this really is,” he added.
Harrison went on to discuss the importance of collaboration between public and private sectors, saying that Verify is not intended only to be a tool for accessing public services online, but aims to establish a common standard for digital identity across private and public sectors. That’s an objective worth achieving, with enormous benefits to companies, government and citizens.
However, there is frustration among many organisations in the private sector over what they see as delays caused by GDS.
In particular, identity firms are waiting on GDS to release a long-promised commercial framework that outlines how participants in a digital identity market based on Verify will operate. Companies need to understand, for example, where legal liability lies if they accept a user identity assured and created by government that is used fraudulently.
“There have been numerous ministerial statements due but then postponed. Things do not seem to have moved forwards in any significant way since [the general election]. Market participants are becoming very impatient,” said one source.
When asked by Computer Weekly about the delays and private sector concerns, a Cabinet Office spokesman said: “The government is actively planning to roll out Gov.uk Verify to the private sector in line with the commitments made in the government’s transformation strategy. This will enable people to use the same account, which meets high government standards, to prove their identity online for private sector services, such as opening a bank account without having to go into a branch.”
When asked for more details on the delayed commercial framework, the spokesman added: “Government plans to roll out Verify to the private sector are ongoing and more detail will follow in due course.”
So, not much new there. But it is notable that government rhetoric around Verify is changing.
The minister responsible for GDS, Caroline Nokes, talked for the first time about Verify at an Institute for Government event last month, where she was the first Cabinet Office representative to publicly acknowledge the problems around Verify that have been widely discussed elsewhere.
“We have to look at digital identity as an absolute imperative in the 21st century,” she said.
“I am completely candid – there are challenges with Verify, but actually we have done good work so far. What we do know is that there isn’t an off-the-shelf product that you can simply buy and we’ve done a phenomenal amount on the path to digital identity with Verify, but it’s not an end in itself, it’s about the access to services that a digital identity will give people.”
She added: “I acknowledge that [Verify] is not for everyone, but we need to go down the path of digital identity for citizens.”
What’s more, NHS England is now going its own way on digital identity, building its own platform for ID verification, according to its chief digital officer Juliet Bauer.
“As part of this project we are also looking at other identity systems, including Verify, and working with colleagues across government to create the appropriate solution for health. We’ve been talking to government ID services so that if people wanted to use their government ID they could use that to log in to certain low-level services if that’s what they chose to do,” she said at an event last month.
The Department for Digital, Culture, Media and Sport (DCMS) has taken a growing interest in online identity, in respect of its importance to the UK digital economy. Secretary of state Karen Bradley recently visited India to study the country’s biometric identification system, dubbed Aadhaar – the biggest digital government identity scheme in the world, already rolled out to more than a billion citizens.
Computer Weekly has talked to a lot of people around government about Verify in recent months, and it’s clear the mood is changing. The issues of digital identity in the UK economy, and the future of Gov.uk Verify, are increasingly seen as two separate things.
A recent review of digital identity by McKinsey, commissioned by the Cabinet Office, focused on alternative schemes around the world, and what the UK’s future options may be. The delays in progress updates for Gov.uk Verify are likely to be associated with the outcome of that review – and with a fundamental rethink of the government’s approach. This is how it seems likely things will play out:
Verify could become a brand name, rather than a product produced by GDS. That brand name will encapsulate a set of digital identity standards, for use across the public and private sectors. If you want to be part of the UK’s digital identity infrastructure, you need a product that is “Verify compliant”.
What we currently know as Gov.uk Verify will become the government’s implementation of that standard, offered to departments as an optional platform for their own online public services.
HM Revenue & Customs (HMRC), which has rejected Verify in favour of redeveloping its existing Government Gateway ID system, will conform to the new standards and be “Verify compatible”. The new NHS England system will too.
Therefore, anyone who registers with HMRC for self-assessment, for example, gets a re-usable digital identity that can be used to access any other “Verify-compliant” system, whether in government or not.
Similarly, anyone who created a Verify-compliant digital identity to set up an online bank account can use that same identity to register for self-assessment, and vice versa.
Gov.uk Verify continues on as one element of a wider ecosystem – but probably slowly winding down as departments opt for other solutions from the emerging “Verify-compliant” market.
Any questions asked about why £60m or so has been spent on Gov.uk Verify to produce a system that has a meagre 44% success rate will be told that digital identity systems are complex and take time to get right. The story will be that the money has been an important investment in understanding the requirements and getting the UK to a point where we can create a viable digital identity ecosystem.
That’s not wrong, of course, but it’s not what we were told all the times when Gov.uk Verify was presented as the panacea. Ironically, this is where Verify started – and should have stayed. Back in 2012, then-GDS chief Mike Bracken was clear in an interview with Computer Weekly that government’s role in online identity assurance was about “protocols not products”.
“What we have to do, and what we’ve been reasonably successful in doing, is moving away from a [project where we ask] how do we build an IT model, to how do we get a market protocol in place that everyone can sign up to,” he said at the time.
“It isn’t about building a product, it’s about supporting a protocol and a set of discrete services that people can play a part in, and create value from.”
Somehow along the way, GDS seemed to forget that – but it increasingly seems to be the destination we’re heading for. We will not see 25 million users of Gov.uk Verify – ever. But we might just see 25 million citizens using a Verify-compliant digital identity to operate freely in the UK’s post-Brexit digital economy.