The UK government has finally admitted in public for the first time that its flagship digital identity programme, Gov.uk Verify, is dead. This will be no surprise to anyone following the project, who have known it’s over for at least two or three years and were waiting for the Cabinet Office to put it out of its misery.
The Government Digital Service (GDS) has spent around £220m to get this far, a significant proportion of that going on life support to keep the zombified corpse breathing until…
Until what? Until GDS could save face? Whatever the official reasons for flogging this dead horse for so long, it has left a toxic legacy.
GDS is fond of claiming “savings” for its projects by calculating how much money would have been spent elsewhere in Whitehall, were the project to never have existed – a method questioned even by the National Audit Office. If we were to turn that round, and ask how much money had been spent by other departments to make up for Verify being such a failure, what would the true cost turn out to be?
Would it be beyond the realms of possibility to suggest that the nine other digital identity systems being developed across the public sector – namely GDS’s own Identity and Attributes Exchange; NHS Login; the Home Office’s EU Settled Status scheme; DWP’s Confirm Your Identity; the Scottish government’s Digital Identity Scotland scheme; the second iteration of the Government Gateway; an identity verification system rumoured to be underway at HM Revenue & Customs (HMRC); the Digital Business Identity scheme from the Department for Business, Energy and Industrial Strategy; and now GDS’s planned successor to Verify – bring the full cost of Verify nearer to the £1bn mark? We’ll never know.
Apparently DVLA is also working on a digital identity scheme associated with international standards for electronic driving licences, so that would make 10 were it not for the fact that DVLA has always been reluctant to take part in Verify.
So, what next?
As revealed by Computer Weekly, we know that the Cabinet Office is working on plans for a new common digital identity system across central government – which was also confirmed by minister Julia Lopez last week, in a speech to The Investing and Savings Alliance (TISA).
Hilariously, Lopez remarked that “all parties are keen to move on from Verify’s over-elaborate expectations trajectory and cost” – as if it was all someone else’s fault.
The new plans conform closely to the recommendations of an internal review completed in early 2020 by former BP CIO and now Cabinet Office IT advisor, Simon Orebi Gann. The suggestion from GDS at the time was that this report would have no influence on policy, but that always seemed an unlikely framing. Lopez suggested that parts of Verify could be retained, but the Orebi Gann report listed which parts of the system could retain some future value, and it wasn’t much. Not £220m worth, for sure.
Right now, the key questions revolve around the future collaboration between government and the private sector. As part of a Whitehall turf war, GDS is responsible for digital identity across Whitehall, while the Department for Digital, Culture, Media and Sport (DCMS) is responsible for policy across the wider economy.
In February, DCMS published the “alpha” version of its digital identity trust framework, a set of standards and regulations intended to enable the interoperability of government and industry identities. In other words, to allow a digital identity created by (for example) a bank or e-commerce provider to be used to access online public services, and vice versa.
Remember this was the key objective of Verify when it was first mooted 10 years ago. But hey, what’s a decade between friends?
The trouble is, that the private sector really doesn’t like the DCMS proposals. Too prescriptive, out of date, failing to take into account more recent innovations – these are all among the criticisms shared privately with Computer Weekly. But most of all, industry fears that the framework is little more than a Trojan horse for GDS to continue what they see as the toxic Verify model.
At the heart of this concern, is the standards proposed for the framework. GDS uses a set of government standards called Good Practice Guides, or GPG. Verify is currently the only digital identity system in the UK that uses GPG standards, although two others are in the works – Land Registry’s digital house-buying scheme and the much-delayed Pensions Dashboard.
In the private sector, standards are being driven from the financial services industry, in particular the UK Joint Money Laundering Steering Group (JMLSG), which sets the identity rules for anti-money laundering (AML) and Know Your Customer (KYC) regulations. All the banks and finance firms have to adopt these standards, no matter what. And herein lies both the problem and the source of friction.
Government says, if you want to play in the public sector space, you have to be GPG conformant. Banks say, we have to be AML compliant anyway, so why can’t government just use AML standards?
Privately, industry also sees GPG as a continuation of the Verify model – and as such, hates it. They view GPG as outdated and restrictive. There are huge concerns over the DCMS trust framework – to the extent of quiet, back of the room, in a corner with hands cupped over mouths, conversations about withdrawing from the DCMS scheme. In reality, that’s unlikely to happen. But it’s an indicator of how strongly some of these views are held.
A May 2019 report by OIX – GDS’s preferred identity standards body – concluded that “challenges exist” in achieving interoperability between GPG and AML, and that “implementation will not be optimal and barriers will continue to exist”.
OIX has since continued its research to find ways of amending the standards so they map onto each other. A January 2020 report made a series of suggestions about how JMLSG and government could make changes that would allow the two standards to be considered compatible. The general tone was that it might be possible, even if it’s likely to be a bit of a fudge.
But that doesn’t take away from the fact that industry wants to say to government – we’re doing AML anyway, so why don’t you? If GDS were more open to something different to the Verify model, you’d think the obvious answer would be for government to adopt the industry standards instead of imposing its own. As we’ve seen over several years, GDS doesn’t seem to work that way when it comes to digital identity.
TISA – to whom minister Lopez made the latest Verify announcement – is also pushing its own digital identity plans, although some sources suggest the big banks aren’t keen on those either. But it does explain why the Cabinet Office chose a TISA event for the Lopez speech – all the better to try to build bridges.
Other actors are at play here too.
Think-tank Demos has a persuasive and progressive proposal that it recently presented to the All-Party Parliamentary Group on digital identity. No doubt it’s pitching the idea elsewhere too. That plan revolves around an API ecosystem that allows easy, standardised access to data and attributes provided by trusted organisations. It’s a scheme that, arguably, much better reflects the reality of today’s emerging cloud-native applications.
And earlier this month, peer Chris Holmes – Lord Holmes of Richmond – submitted an amendment to the Finance Bill that’s making its way through Parliament. Holmes’ proposal – known as amendment 115 – calls on the government to publish “plans for the development and deployment of a distributed digital identification for individuals and corporate entities in the financial sector” within six months of the bill becoming law.
This led to some in industry fearing this was a backdoor attempt to impose government standards on the financial sector. Computer Weekly understands that’s not the case – it’s more a way of pressuring DCMS to speed up and prioritise the wider issue of digital identity. It’s unlikely the amendment will be adopted. But it shows that even within Parliament, there’s a growing awareness and increasing pressure to sort this out, before the continuing delays further damage the UK’s digital economy.