Identity assurance and the sharing economy

The Department for Business, Innovation & Skills has released Debbie Wosskow’s independent review on the potential of the sharing economy,”Unlocking the sharing economy: an independent review”.

I haven’t had an opportunity to read the document in full yet, but there are recommendations in there for GOV.UK Verify, specifically that the service should be opened up to private sector businesses in 2015. The recommendation is entirely in keeping with GDS’ stated aspirations for Verify, but I would imagine would be difficult to fulfil within the stated time, not because of lack of will or funding, but simply because of the time needed to extend the necessary trust frameworks and hub functionality into attribute provision. That’s a big step for identity assurance, and GDS’ strategy of iterative delivery will want to build up to it over time.
It’s important to understand that attribute exchange doesn’t mean wholesale sharing of personal data between the parties: rather, that an individual can authorise one authorised provider with whom they have a relationship, to release a defined set of personal data to a relying party, with an associated level of assurance so that the relying party understands how trustworthy that data is. In most instances that would be done as a one-off transaction, rather than any ‘gateway’ or similar ongoing sharing capability – indeed, attribute exchange offers the potential to do away with many of the gateways currently used to permit free sharing of personal data between government departments. From a privacy perspective, that has to be a good thing.
I would guess that in the first instance, attribute exchange capabilities will be confined to the selected identity providers and service providers. Identity assurance only works if all parties can trust each other, and therefore be trustworthy for service users. Any organisation that wishes to offer or consume attributes within the identity assurance ecosystem will need to have subscribed to the trust scheme; implemented the technologies needed to interface with the hub; had those certified as fit for use; and then built the relationships needed with relying parties so they are able to ask service users for the appropriate attribute data from the appropriate source. 
It is also worth bearing in mind that by the time an organisation has done all that, it is effectively able to be an identity provider in its own right if it wishes to, as it is then able to issue and consume both identity and attribute data. That means that once there is a business case for doing so, the existing identity providers (and those that will emerge from the forthcoming procurement process) will be the private-sector organisations effectively able to issue and consume identity and attribute data, just as recommended in the review.
Identity assurance has the potential to transform how we exchange personal data, but attribute exchange is not going to happen overnight, regardless of how much money is thrown at it. As business cases emerge for individual private sector organisations to join the sharing economy, the path should be open for them to do so.
[These views are my own and do not necessarily reflect those of any organisation associated with the GOV.UK Verify scheme]