Protocols not products: Why identity assurance is central to the new government IT thinking

I recently had a fascinating and wide-ranging chat with government digital director Mike Bracken, looking back at his first six months in the job and the challenges he has faced. You can read the interview here.

Bracken is one of the most senior and vocal supporters of the need to do things differently in Whitehall IT, and at the heart of that is a new approach to the IT market that avoids big supplier contracts and big technology projects.

Perhaps the greatest test of this approach will come in the plans for Identity Assurance (IDA) – the scheme by which citizens accessing digital public services will authenticate that they are who they say they are online.

Identity has a chequered history in government – identity cards, national identity databases and so on – and even as recently as last December was almost blighted by the internally-focused, big-project mentality that is still all too prevalent in the major Whitehall departments.

When Bracken volunteered to take responsibility for IDA, one of his first tasks was to withdraw a £200m tender issued by the Department for Work and Pensions (DWP) for IDA to support the universal credits scheme, and replace it with a £25m project to achieve the same end.

In the four months between those two tender notifications, the focus for IDA changed dramatically. It moved from a product-focused initiative – the sort encouraged by IT suppliers with a product to sell – to be protocol-focused.

That’s a major cultural shift – from the idea that government builds a huge identity system around its universal credit welfare scheme that everyone else will have to conform to; to a market-oriented, collaborative approach that everyone buys into and the private sector sets up and runs.

“What we have to do, and what we’ve been reasonably successful in doing, is moving away from a [project where we ask] how do we build an IT model, to how do we get a market protocol in place that everyone can sign up to,” said Bracken.

“It isn’t about building a product, it’s about supporting a protocol and a set of discreet services that people can play a part in, and create value from.”

That old product-focused approach demonstrates to extent to which Whitehall IT thinking has historically been influenced and infiltrated by IT supplier thinking – that the solution is to buy a product.

Bracken is not the only one decrying the “buy a product” approach of the IT industry.

HM Revenue & Customs CIO Phil Pavitt told IT leaders at a CW500 Club event recently of his rejection of the product-led pitch. He cited as an example thin-client technology, describing it as “the lie the supplier industry gave us.” The IT industry seems incapable of understanding this principle, obsessed as they are with the idea that IT leaders want to buy products. That’s what they sell, it’s not what people want to buy.

For IDA, Bracken has talked to companies that understand identity, not IT suppliers that sell identity products. He and Cabinet Office minister Francis Maude even visited PayPal in Silicon Valley to learn from its approach, ignoring the conventional software firms desperate to sell their products.

“We’re saying [to people like PayPal], how did you do that, because actually there’s some great lessons in that for us, maybe you can help us do that – rather than saying, well let’s go and buy products and let’s go and spend hundreds of millions in implementation. The question isn’t framed in IT, therefore the answer doesn’t come back as an IT answer,” said Bracken. 

The big risk to this approach, and for IDA itself, is universal credits – probably the highest profile IT project in the public sector at the moment, required to support the Coalition’s overhaul of the welfare system. It’s one of those projects that simply cannot fail, but to critics it’s a perfect example of the old approach that has failed so often.

Universal credits is anathema to Bracken’s approach of start small, trial, iterate and build.

“You are not going to get much more visible than universal credit,” Bracken acknowledged. “To be honest, no, we probably wouldn’t [have wanted to] start with something that big. Remember it’s a phasing issue, so it’s [only] phase one of universal credit.”

The protocol-not-product approach will be central to the wider roll-out of IDA beyond universal credit, recognising as it does that a protocol allows for much better scaling, and to make the solution appropriate for user need.

“The idea there is one-size-fits-all service [for identity] is wrong. The idea there is a one-size-fits-all protocol which allows us to choose along the spectrum is exactly where we want to go,” said Bracken.

“We recognise the attributes needed and the validation level needed are not the same for all government services. So, to exaggerate for effect, the submission of multimillion-pound corporate tax and the application to renew a fishing licence should not and probably would not require the same level of identity, validation and attribution. Therefore, we have to scale across services, and that’s why we need lots of examples and pilots to learn how that scaling works.”

The Post Office, banks, perhaps even supermarkets or social media firms, are the intended targets for IDA – they will provide identity services conforming to the IDA protocol (likely to be an open protocol, not a government-owned one) and public services will piggyback off that infrastructure. So, you choose which identity provider will assure, authenticate and validate your transaction, all the government service has to do is ensure it conforms to the protocol.

IDA – in approach, in thinking, in technology – is critical to the new government IT. To deliver the radical reform that government IT needs, it needs IDA to be a success. It would be a terrible irony if an old-school big project like universal credit were to scupper its chances.

Enhanced by Zemanta