If Verify is the answer -what was the question? The politics of digital identities revisited

The design of the Government “Verify” programme predates the European eIDAS regulation (covering the exchange of identities between public sector organisations) government which it supposedly implement. Neither has business models or costed proposals for private sector use although both make claims for applicability the public sector. Meanwhile the private sector identity and access management markets have moved on, driven by a rising tide of on-line impersonation and fraud.

Banks and transaction processing services routinely check the device we are using and our location as well as our password before taking action. Increasingly they also check a voice,   finger or face pattern. Such processes can be linked to routines to check the age of those with access to children’s social and educational networks or to prevent children accessing what they should not (from knives to “adult entertainment”). Some use the routines and want others to do so too. Others (including those with advertising funded business models) do not – and do not wish to be made to. Hence industry splits over Age Checking akin to those over Ad Blocking. . 

The Verify performance dashboard indicated that barely third of applications to acquire an identity in the week ending 6th March were completed and only 2/3rd were successful. The volumes were not reported but the number of transaction authentications had fallen to barely 6,000 after a peak of 120,000 during the last week of January (the deadline for submitting personal tax returns).  The reason for the low take up may be that you are directed to apply via one of the government departments using the service. Most of these, such as Inland Revenue, appear to be quicker and easier for existing users to access via their existing routes, e.g. the Government Gateway account. Any attempt to remove these, as with Farm Payments, seems to trigger a crisis. This raises the question of why anyone should bother to register unless forced to. HMRC, for example, has said that its new Digital Strategy will involve the use of “Verify” for personal taxpayer access, when it is “mature”. When is that likely, given that, so far, under 5% of those submitting tax returns have even tried to do so?  

The on-line world is awash with digital identity and access management systems. Some are robust, reliable and trustworthy. Some are not. Many are unknown quantities from start-ups and consortia of uncertain provenance and/or organisations with no intention of accepting legal liability for fraud or insecurity.  The basis of “Verify” is to enable the Government to similarly avoid liability. So why should it expect others to respect the value of identities based on the possession of a genuine (or fogged – as in the “false obtaining of genuine”) passport, driving license or national insurance number, plus a bank account. Meanwhile the processes of some of those listed as providers are less robust and/or more expensive than those used by the on-line gaming industry to meet current regulatory requirements or by the adult content providers previously co-regulated by ATVOD.  

The law on electronic signatures goes back nearly 150 years (the case involved a telegraph authentication). The national and international routines used by the banks for checking the electronic signatures of each other’s customers (SWIFT, Identrust, Mastercard, VISA, Vocalink etc. etc.) date back to the last century although the European Union and the Foreign and Commonwealth Office appear to have “conspired” to block the decade old attempts of the Notaries to move their processes on-line internationally as well as locally.  From the Scrivener Notaries (not to be confused with “mere” Notaries) , Lloyds Register, to Experian, RELX and organisations like CEDR, the UK hosts most of the world’s globally trusted identity, authentication and disputes resolution services.

The attempts by the technology industries to create electronic identities for which they do not accept legal or financial liability (for example via the OIX group) have yet to gain the confidence of those whose funds, saving or transactions are under growing attack from organized crime.
Meanwhile the market for checking the identities of those seeking to transact on-line has evolved over the past few years as the scale and nature of electronic impersonation has accelerated. The result is good business for those who assemble national and/or global personal and corporate identity databases (Call Credit, Experian, GB Group, Lexis Nexis etc.), those who run services (like IBM Trusteer or the Mobile Operators) to check the location and identity of the access devices commonly used (smart phones, tablets etc.) and those who supply low cost services to marry the two (e.g. Yoti).

Where does that leave the attempt to create a subset of the market for the identities that consenting UK Government bodies can recognize, without accepting any liability. Little wonder the Verify programme, has yet to reach critical mass? Has the time come to drop the pretensions and follow the market – recognising only those identity and authentication providers who are happy to meet the previously stated standards of security and privacy, because they already operate to these, or higher?

The addition of Barclays to the list of Verify providers may indicate that such a decision has already have been taken. If so, the dropping of those who have recently been subject to massive fines for privacy breaches would conform this.        

One can also ask where the need to address the rising tide of electronic impersonation leaves wider public policy, whether or not we Brexit or remain, on:

  • identity: not just Verify/eIDAS, HMRC, DWP, NHS etc but the liability or otherwise of Identity and Access management providers, both public and private sector,
  • privacy: from Data Breaches to Safe Harbours,
  • security: including the deliberate the lack of it with open and “bug” data policies.
  • consumer protection: including enforcement of the e-commerce directive and redress from those who deny responsibility for what happens over their services.

I was recently asked to appear on a panel to discuss government thinking on “cyber-security, identify theft etc.”. I was sorely tempted to be candid:

  • “Yes Minister” is not comedy or satire but a set of training films. The core behaviour patterns, including the inter-actions with the “outside world” (of newspaper magnates and investigative journalists, city magnates, corporate superstars and global industrialists and lobbyists of every shade) are little changed since they were described by Anthony Trollope although CP Snow and C Northcote Parkinson added valuable insights and the days of Empire are long gone. Whitehall and Westminster now kowtow to the lobbyists of corporate decision-takers based in Brussels, Dublin, Luxembourg, Seattle and Silicon Valley, not just those based in New York or Washington.  
  • UK Government policy, on anything, is “a set of compromises between the semi-hereditary feuding tribes of Whitehall (departmental) and Westminster (political) where the objective is the personal prestige/survival/pension rights of the participants”. EU policy adds a layer of Brussels fudge, using amibiguous definitions to enable verbal “harmonisation” to conceal lack of basic agreement between member states and interest groups.

  • Then we have TTIP, trying to conceal fundamental differences between Europe and US while China is coming to dominate the supply of the communications hardware on which the on-line world depends: from smart phones to communications switches. It is as well to note the comments on such deals of US Presidential candidate Bernie Sanders 

It is not enough to say that the time has come to bury the corpse of Verify and look beyond OIX and eIDAS to what is happening in the “real” world. There is a need for to review what should and should not be regulated in the interest of consumers and of business users.