Identity assurance and the sharing economy

The Department for Business, Innovation & Skills has released Debbie Wosskow’s independent review on the potential of the sharing economy,”Unlocking the sharing economy: an independent review”.

I haven’t had an opportunity to read the document in full yet, but there are recommendations in there for GOV.UK Verify, specifically that the service should be opened up to private sector businesses in 2015. The recommendation is entirely in keeping with GDS’ stated aspirations for Verify, but I would imagine would be difficult to fulfil within the stated time, not because of lack of will or funding, but simply because of the time needed to extend the necessary trust frameworks and hub functionality into attribute provision. That’s a big step for identity assurance, and GDS’ strategy of iterative delivery will want to build up to it over time.
It’s important to understand that attribute exchange doesn’t mean wholesale sharing of personal data between the parties: rather, that an individual can authorise one authorised provider with whom they have a relationship, to release a defined set of personal data to a relying party, with an associated level of assurance so that the relying party understands how trustworthy that data is. In most instances that would be done as a one-off transaction, rather than any ‘gateway’ or similar ongoing sharing capability – indeed, attribute exchange offers the potential to do away with many of the gateways currently used to permit free sharing of personal data between government departments. From a privacy perspective, that has to be a good thing.
I would guess that in the first instance, attribute exchange capabilities will be confined to the selected identity providers and service providers. Identity assurance only works if all parties can trust each other, and therefore be trustworthy for service users. Any organisation that wishes to offer or consume attributes within the identity assurance ecosystem will need to have subscribed to the trust scheme; implemented the technologies needed to interface with the hub; had those certified as fit for use; and then built the relationships needed with relying parties so they are able to ask service users for the appropriate attribute data from the appropriate source. 
It is also worth bearing in mind that by the time an organisation has done all that, it is effectively able to be an identity provider in its own right if it wishes to, as it is then able to issue and consume both identity and attribute data. That means that once there is a business case for doing so, the existing identity providers (and those that will emerge from the forthcoming procurement process) will be the private-sector organisations effectively able to issue and consume identity and attribute data, just as recommended in the review.
Identity assurance has the potential to transform how we exchange personal data, but attribute exchange is not going to happen overnight, regardless of how much money is thrown at it. As business cases emerge for individual private sector organisations to join the sharing economy, the path should be open for them to do so.
[These views are my own and do not necessarily reflect those of any organisation associated with the GOV.UK Verify scheme]

Join the conversation

3 comments

Send me notifications when other members comment.

Please create a username to comment.

(Declaration of interest: I've been working on #diggovreview) Hi Toby, the blog contains a sentence saying "That means that once there is a business case for doing so, the existing identity providers (and those that will emerge from the forthcoming procurement process) will be the private-sector organisations effectively able to issue and consume identity and attribute data" and ends with the sentence "As business cases emerge for individual private sector organisations to join the sharing economy, the path should be open for them to do so". My emphasis. It's useful to keep reminding ourselves of the wider potentials of the business model. The sharing economy (or the collaborative economy as Nesta define it http://www.nesta.org.uk/event/making-sense-uk-collaborative-economy) isn't just a private sector thing - it's open to all sectors. The sharing economy report focusses on private sector but does talk about the public sector sharing their room space. That's a simple public sector sharing economy model. Meanwhile there are many not-for-profit sharing economy companies. The #diggovreview report that I worked on makes a suggestion of building on GOV.UK Verify with attribute exchange and other components to create digital scaffolding for new communities to emerge, see: http://digitalgovernmentreview.readandcomment.com/empowering-people-and-communities-through-digital-services/digital-communities-enabling-and-participating/. Those communities could be collaborative, sharing economy type things. FeedFinder (built by Newcastle Uni) and Casserole Club (built by a private sector company, FutureGov) are just two examples that exist right now. Wouldn't it be great if Verify could enable more things like Casserole Club to get rolled out to more local authorities? I don't know SimonFJ but he may heading down a similar path with his excellent point in this blog about local authorities becoming ID assurance providers ( https://identityassurance.blog.gov.uk/2014/11/05/protecting-privacy-in-gov-uk-verify/). LAs are already calling for attribute exchange. Anyway, back to the main point. Let's not limit ourselves to thinking of the private sector. Let's create capabilities and platforms that let everyone - people, communities, not-for-profit, public sector and private sector - create great services with identity, privacy and trust. Peter
Cancel
Peter, I can't speak for GDS, but I agree that there are good reasons to roll out the service to the organisations you propose. I guess the challenge here is maturity of the solution: until we have a robust service with a significant user base and plenty of relying parties, I would guess that government wouldn't want to be distracted by opening up the centrally-managed aspects of the delivery to a huge range of interested providers. In a mature service, we might see white-label services that allow any organisation, regardless of size, plug its users and data services into identity assurance. That said, all the GPGs and SAML profiles are in the public domain, and membership of tScheme is open to any organisation (and indeed, there is no reason why other schemes shouldn't form independently). That means that anyone wanting to deliver into the programme, or establish an aligned but separate solution, could do so.
Cancel
I think the solution lies in sharing data across multiple services with a technology like TrustCloud. https://trustcloud.com/measure-trust Services like TrustCloud give platforms the data they need to admit or reject a provider with confidence.
Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close