Computer Weekly Editors Blog

UK digital identity turns to drama (or farce?) over industry fears and security doubts

Bryan Glick
Bryan Glick
Editor in chief

Government at loggerheads with industry. Warnings of serious security and data protection problems undermining a vital public service. A burgeoning political campaign seeking greater influence. You could write a reasonable drama – or a farce – with all these elements. But it’s unlikely you’d sell the script once it became clear the central conflict was around digital identity.

But here we are.

Anyone who remembers the long debacle of Gov.uk Verify – the UK government’s first flagship digital identity system – will no doubt be seeing echoes in recent developments around the government’s latest flagship digital identity system, One Login.

Verify burned through well over £250m of taxpayers’ money before the Government Digital Service (GDS) finally put it (and the Whitehall departments that hated it) out of its misery by shutting it down in 2023.

The lowest point for Verify came during the pandemic, when people were suddenly forced to apply for Universal Credit (UC) and found themselves in online queues exceeding 76,000 fellow applicants. Only 35% of UC claimants were able to set up an account in Verify, and the Department for Work and Pensions had to draft in 10,000 staff – during a pandemic lockdown, remember – to process claims.

Computer Weekly charted the slow and painful demise of Verify across several years before that point. So it’s disturbing that recent developments around the £400m One Login scheme are starting to raise red flags again. (That’s a further £400m, on top of the costs of Verify, just to be clear).

Let’s review the latest developments.

Private sector digital ID providers are up in arms after technology secretary Peter Kyle announced a Gov.uk digital wallet with a mobile driving licence that will be used for identity verification services such as proving your age – in direct competition with industry products that the government has encouraged into the market for years.

The government promised that One Login would only be used for accessing online public services – but now, it’s been certified against the government’s Digital Identity and Attributes Framework (DIATF), which means it can also be used for commercial services.

An independent study suggests the industry’s fears are well founded. A report from Juniper Research into the UK digital ID market predicts a 267% annual growth in the number of people using digital identity apps, reaching 25 million by 2029. Juniper predicts more than 45% of UK adults will use the official government app (which doesn’t yet exist) – whereas private sector providers (which already have products available) will see just 9% growth over the same period.

Companies House has rolled out its long-awaited digital identity verification service for people setting up a company in the UK – intended to prevent the widespread use of fake identities by directors of fraudulent firms. But the only free digital ID service you can use is One Login.

Earlier this month, the All-Party Parliamentary Group (APPG) on digital identity turned into something of a group therapy session – with no ministers or GDS representatives bothering to turn up, the companies attending vented their anger at the government’s lack of communication over its plans and the threat to their businesses and investors.

And now, Computer Weekly has revealed serious cyber security and data protection issues around One Login – to the extent that the Cabinet Office data protection officer and the National Cyber Security Centre both provided formal warnings to the One Login team. Remember that you will need a One Login account if you want to use the Gov.uk digital wallet. Is the data of over three million existing One Login users at risk? It’s not clear whether the problems identified have been fully resolved – and GDS isn’t saying.

The requests to government from digital ID providers seem eminently reasonable, given how much the government has encouraged them to build a marketplace and invest in DIATF compliance.

They want better engagement with government over its plans, including a working group to discuss technical issues such as interoperability. They want to not be surprised by government announcements like the digital wallet, which came out of the blue. They want secure access to government data and to be able to include services like the mobile driving licence within their own wallets. They want to prevent unfair competition between public and private offerings. They want DIATF to underpin emerging government services such as smart data and the pensions dashboard, to allow them to compete in new markets.

None of these suggestions should be a concern to a government genuine in its desire to encourage an open, competitive market for digital identity. As David Crack, chair of the Association of Digital Verification Professionals, wrote on LinkedIn, “Is government serious about trust, market plurality, data portability, and a regulator with true independence – or is it laying the infrastructure for a state-run monopoly over time?”

Hang on, though. What’s this coming over the horizon – 42 Labour MPs have combined to write an open letter to the government calling for the introduction of a digital identity system for citizens. Their campaign echoes the calls from former prime minister Tony Blair – one of the staunchest proponents of digital ID, who is known to be close to secretary of state for science, innovation and technology Kyle.

Would that group of Labour MPs make such a public statement without tacit support or approval from Kyle’s department?

Several ID providers wrote to Kyle after his digital wallet announcement in January, and at the APPG meeting expressed their dissatisfaction with his lack of reply.

But that may be starting to change.

Computer Weekly understands that two important meetings are set to take place in May.

First, the Office for Digital Identities and Attributes (OfDIA), which runs the DIATF scheme, is meeting with industry leaders to discuss their concerns – or, at least, that’s what the industry hopes OfDIA will do, instead of simply justifying the government’s current approach and leaving them to get on with it.

Then, later in the month, Peter Kyle is due to finally sit down with industry representation in the form of trade body TechUK, which has been supporting digital ID companies in seeking a response from government.

The industry will express its genuine fears that investors will take flight if the government continues its recent approach.

As Richard Oliphant, an independent legal consultant on digital identity who has advised organisations such as Docusign, Adobe and Land Registry, told the APPG: “The simple truth is that investors will not risk further capital in the DIATF if the government wallet monopolises digital verification services in the private sector”.

Is that the government’s hidden agenda in play? No doubt next month’s meetings will attempt to ease industry’s fears.

But as long as security and privacy issues dog One Login – and the longer GDS continues without transparency over the status of the known problems – the more the whole concept of digital identity in the UK will be undermined, for both private and public sector.