Where is the Cabinet Office Identity Programme going?

Over the past few weeks I have received a flow of e-mails regarding the status of the Cabinet Office IDAP programme.  

Is it making steady progress towards creating a market framework for inter-operable identity systems?

Or is it muddying the waters by trying to coerce users into new and unproven systems for their dealings with government while the rest of the world moves on?

The alternative “proven” systems range from the Government Gateway (used by millions, including all small firms for their tax affairs) through the third party services provided by the members of the DCTE (the European trade association for Digital Trust services) to the identity and access management systems used by industry (from airports through banks to on-line retailers) to identify and give layered access to visitors, customers, employees and contractors.

I find it difficult to understand whether the Government data Service is undertaking genuine voluntary customer trials or whether groups of users are being given Hobson’s choice – e.g. use the new system or stop farming – in an attempt to get a bandwagon rolling.

I therefore asked Mark King of Broadsail, one of the independent consultants who has been tracking UK and EU debate on electronic signatures on behalf of his clients, to comment. Before you read on you might, however, care to begin by viewing the video of his presentation to a BCS-EEMA event last January.

His “observations”, including on how and why UK ID policy has got to where it is today, are below:

“The government programme for identification of people for online public services has been very focussed on being seen to respect privacy, which covers more than data protection, notably in respect of user control. One of the drivers was a reaction to the previous government’s ID card scheme, which also included a national population register, and that has also been cancelled rather than downgraded to fill missing but unfashionable considerations such as people’s jury service status.

Instead of adopting a recognised, existing, privacy-friendly model such as that used in Canada, possibly as a result of the empty coffers, the decision was taken to re-use existing credentials, despite the problem that those suitable for consumers weren’t built for giving out benefits.

Re-use of employee credentials was also investigated, but Government agencies are reluctant to allow staff ID to be used for purposes other than which they were designed, and with no commercial case for other employers to participate, this was amended. There was no enthusiasm for increasing risk by opening up if there was no benefit for the organization.

After a DWP initiative was announced in the EU official journal (OJEU) and then pulled, a call went out for a framework contract for ‘Identity Providers’, with the expectation that banks, supermarkets and other familiar organisations would participate. It was initially a DWP lead, but was novated to Cabinet Office when it became clear how gentle the Universal credit roll out was going to be. Far from being a gravy train, it required participants to invest, but also accept very strict terms as to what else could be done with the data. The only responses were from those not on the envisaged list. They must have been prepared to take the considerable risk of investing, unaware of the extent, or had some separate political motivation. As in Ireland, the Post Office was an obvious contender, and it qualified as being technically private, although some people remained confused about being redirected to the Post Office when they were trying to go online and not use the post.

The group of eight in the framework were a disparate mixture, with at most two of them being household names, although they might have used different branding. Only five went through to a delivery contract, and public testing started on 21 October 2014 with just one.

An unpaid group of privacy experts were brought together to agree the principles for the programme. Had this been done before going out to contract, any principles would have carried more weight than putting them out for public consultation three months after the system was due to become operational.

Moreover, public endorsement of the principles by a cabinet minister precluded (and still precludes) civil servants from debating the issues in public.

The group’s remit was also extended beyond privacy to general user concerns (but, it seems, not non-users); it is not clear if sufficient additional experts were called in, nor who has time to provide unbiased pro bono advice for such an extended period.

The user was not allowed to be able to choose to be consistently associated with a permanent identifier such as a National Insurance or NHS number, but rather a matching data set including ‘current address’ and date of birth – use of both of which are deprecated by online security advice. Nor is the user allowed to go through the chosen provider to the government service, because the provider would know the service (although that would be obvious to the user, indeed could be wanted by the user so there was an independent record when things go wrong) and is not necessarily a problem.

As yet the revised principles are still draft – 18 months after go live and weeks after public testing. Significant components that the extended principles called for, such as the Ombudsman, are missing.

Privacy isn’t absolute, but the method of achieving balancing is opaque, particularly when the details of the architecture are to be published ‘soon’, as they were at the 2012 RSA conference. In particular, the drive against fraud is touted as a motivator for online services, but the government has been unwilling to set targets and so engineers have been unable to design to meet, justify expenditure, and be judged to have delivered. Laudable features such as consent have been reduced to the equivalent of ticking OK with no other practical option, and sometimes asked before the identity has been established – hardly protecting the real person’s data during an attempt to masquerade.

The term digital has been hijacked in this context to mean online, with potentially useful digital services such as digitally signed powers of attorney ignored. The Good Practice Guide (43) – Requirements for the secure delivery of online public services (RSDOPS) lists 6 steps. There is no evidence that these steps have been followed, possibly as a result of the requirement that everything must be seen to be ‘agile’. Contracts and agility don’t sit neatly together, although agile may be the best way to deliver under a contract. The new round of IDAP contracts do foresee the need for changes, but any unsuccessful bidders would have a good case for complaint, especially if substantive changes were made to include features they had which meant they were not cost-competitive.

The US NSTIC seeks what it calls an ecosystem – a term that the European commission has noted as confusing – involving provision by both public and private sector. A political decision was made in the UK to use only private sector provision, possibly to avoid competition between public and private – although public would in reality be likely to be locally subcontracted to SMEs – but this excludes local authorities, who are involved with more front line activity than central government in England. There is a separate Scottish card for devolved services which are by definition no longer controlled by Whitehall and follow the laudable earlier Scottish privacy principles. No reason has been given for thinking they were insufficient.

There are also aspirations for the system to be available for private relying parties, but this is mired in issues such as state aid, and may be trying to present compliance requirements placed on business as business requirements. The dynamics of security and privacy protection can also be different when there is competition rather than a de jure monopoly.

RSDOPS also makes it clear that there is a distinction between identification and authentication, and the enthusiasm to solve the harder problem of identification whilst continuing with processes that use identity when it’s not needed but was historically convenient has inhibited moving existing services online. Local authorities, but also DWP, are familiar with ‘customers’ they know, so going online would involve finding some agreed adequate authentication mechanism, not a system for identification.

The Manchester ministerial declaration in 2005 called for interoperable access to public services across Europe (by 2010) which didn’t happen, and essentially the same aim was reiterated by the current government at Malmö. There is now an EU Regulation covering this topic, and the report to the parliamentary oversight committee correctly notes that UK negotiators had been successful in making all the changes that had been asked for in submissions to the consultation, but does not mention the impact of last minute changes made by other member states. Work is now proceeding on implementing acts, but there are features such as the provision for citizens – as distinct from individuals, for which the UK has no general method for determining short of applying for a passport.
If there is a choice of matching data sets, then every relying party will have to cope with all of them – a significant change for most public systems across Europe which brings up serious privacy challenges for all countries who have designed out personal data such as address.

Openness has been touted all along, although rather than expanding an existing recognised British industry-led scheme (tScheme) the Cabinet Office joined the management board of OIX (Open Identity exchange) which set up an OIX UK (rather than OIX Europe based in UK). This provides a forum for consultation by a monthly meeting and ‘various discovery/alpha projects’. Various papers have been published, such as a summary of the experience of a test by a county council, but nothing from any of the central government tests, e.g. on user experience, where commercial confidentiality was invoked although both companies involved had agreed to publication.

tScheme is, however, invoked to provide independent assurance that the commercial components, but not the hub nor associated matching services, are doing what they are supposed to. The draft ‘privacy’ principles assert that users will use the system because it has been assured. This conflates trustworthy (a worthy and legitimate aim) and trusted (since tScheme is only known to a very few). Joining tScheme is open to any interested party, but it doesn’t always look good to have those being assessed on the board.

The principles also include “I can use and choose as many different identifiers or identity providers as I want to”, although the draft IDAP2 offers only one per person per IdP. They also call for all exceptions to have parliamentary approval, but – whether Utopian or not – they don’t seem to have it.

Although UK is top in private sector online purchases, recent Eurostat figures show Italy and UK in bottom place in take up of online government services since 2008. Identity Assurance was touted as an enabler, yet many of the 25 exemplars managed to launch without it.

The stated aim is to make the system so good that people will choose to use it, but the digital (i.e. online) enthusiasts note that the maximum saving comes when everyone is online, so departments are motivated to switch everything and provide assistance for those who cannot (or maybe in some cases will not) use online.

DEFRA stated that CAP payments need to be made online, and for that one needs to register with an IdP. At roll-out there was only one. This isn’t a convincing example of customer choice, but also will distort the statistics on acceptability. An alternative method is promised, but no transition from the existing obsolescent direct.gov used by many has been provided. It has separately been said that some ‘assisted-digital’ will be provided.

IDAP is a component of the .gov.uk initiative, so the average user is given the impression of one system rather than many silos where information is shared. The stress on keeping separate and not linking databases sits uncomfortably with one front end fits all – and risks undermining the strenuous methods employed to keep things apart.

Welsh speakers seem to have also been ignored; the Welsh language act requires services in Welsh where appropriate, and so long as there is one Welsh service then it would appear necessary to have the supporting common service also available in Welsh. This wasn’t in IDAP1, and hasn’t been mentioned in IDAP2. Nor have any other languages been systematically allowed for, although local authorities and the NHS offer many.

There is talk of having more than one level of assurance; the technology and system design may cope, but many users may not understand and be frustrated. Lawyers (and Talmud scholars, but not security specialists) have also questioned if it makes sense. On the other hand, having the one level that is said to be for balance of probability in civil cases is not in line with the criminal law relevant for many interactions with government. If the government departments take risks, they will be sharing at least reputational risk with providers unknown to them.

Liability discussions have been tidal: sometimes disowned, sometimes explicit (as in the European regulation), sometimes contractual – although many of those who may be involved with problems are non-users who have no contract with anyone, or are perhaps users with an agreement with some different provider.

The security of the system as a whole is separate from the availability to particular users. It’s possible that those with malicious intent will block use by one or more people by attempting to masquerade. Ex-spouses, for example, would seem to be well placed to be able to answer the questions and be successful in masquerading. No figures on such testing of non-happy cases have been published.

Not all departments have the same requirements, and quite legitimately have different processes for handling suspected fraud, but IdPs cannot help if they are forced to not know to whom they have asserted the association between a person and whoever (or whatever) is online. The (conditional) anonymity compounds the complexity of fixing problems when they have been asserted.

There were aspirations to extend use to local government, and trials were done, where features not provided in IDAP (by design) were identified as needed by local authorities, not least because they do not work in isolation but in collaboration, particularly with neighbouring authorities, to ensure that people don’t fall through the cracks nor get double provision.

The need for prior authorization goes against the principles of the current signature directive, designed to stop the potential for corruption when a favoured provider catches all the early adopters and the competition is delayed by administrative inaction. There’s no suggestion of corruption for those at the bleeding edge of IDAP, but it doesn’t look good if it’s supposed to be customer choice. However, it’s the government paying so there is a need to ensure proper use of public funds.

IDAP1 was offering less than the price of a 1st class stamp per person, but presented as the only option for central government services and thus with a readily estimable user base. Rather than sharing the cost-savings for government with those investing in the infrastructure, the proposed IDAP2 model is annual-subscription-based (to the day, not by the calendar or financial year). £105m estimate to cover 52 million adults means £2 per person – considerably less than just the portion of the passport fee that is accounted for by anti-fraud initiatives.

How market forces work when users can have an ID from as many providers as they want, don’t know the cost, and the government pays for each is far from obvious, and it throws up various perverse incentives. Users might be well advised to sign up with two (or more) to ensure continuity if one went down (or didn’t have the government contract renewed). This would instantly at least double the cost to the taxpayer. If the subscription covers the initial costs then it is in each provider’s interest to encourage its customers to register with a ‘competitor’ since that will reduce costs but not income. This is a most unusual ‘market’.

Open-book accounting is being avoided. What happens if there is effective dominance? That’s presented as a market choice, made by users, not government.

The recent eIDAS regulation requires cross border acceptance for public sector online services of eIDs from schemes which have been ‘notified’, which involves acceptance of liability and free-of-charge provision of validation mechanisms, at least for the public sector. The reason a government would accept liability in transactions in which they were not a party, rather than simply allowing it to work, would seem to be political: being good-Europeans. The challenges of getting the envisaged private provision to work with a continental model are still work-in-progress, and no impact assessment was produced. The implications of having different data sets containing personal data are significant for all relying parties (i.e. every public-sector service in the EU).

Since IDAP has nothing on citizenship status, as that is seldom relevant in the UK, it is non-trivial to get it to interoperate with a system where this is pertinent.

IDAP has now pulled in its horns and aspirations for setting a single approach for the identity of organisations or for handling activity by agents. Many farmers aren’t sole traders, and many use agents. Agents and organisations appear to be left in limbo, or at least handled by unspecified but presumably unaccredited existing commercial provision.
The position for acting on behalf of under 18s is particularly unclear, especially those with children and/or married.

For all the supposed openness and championing of online, it is extraordinary that the primary working tool seems to be the post-it note, and physical presence in London is essential. Roll-out figures provided to OIX have been woefully over-optimistic, and the good news culture is so strictly enforced that no mention has been made of why it might be testing 18 months after an 18 month project was supposed to become operational. Going public with only one provider does raise issues over competition, although the competitors may be happy to let the first one get the bad publicity. The current model also has the government suggesting which IdP(s) might be best for the user – which is unusual.

IDAP2 has some peculiar contractual proposals and it is not clear how they could work. It seems that the usual desire to be seen to save public up-front spend has been applied and the proposed restriction on substantive work by sub-contractors is a recipe for very tangled negotiations if they can only work for three primes. This could put the credit reference agencies in an absurd position, and remove the primes’ scope for using more than one.

The requirement to offer something which could work for (perhaps) 75% of the adult population is odd, given that banks could do so, but could just serve their customers, whereas some innovative SME with a way to reach 5% who otherwise could not get on will not qualify. The help from Slaughter and May must have been restricted to whether it was legal, not whether it made sense.

The system doubtless appears to work well for many people: the “happy” cases. Modest targets, e.g. 40% usage, would be consistent with the German government’s experience, the Oxford Institute’s research, and the expectations of many in the ‘front line’ local government.

Local government may be disparate but is where the volume is. The banks (and others who wish to play) should club together to offer a service to government, initially just authentication, with clarity and (genuine) customer choice (rather than anonymity as priority) as the first phase, providing for telephone as well as online. This needs to be on the banks’ terms, which might include per transaction fees and some indication of the nature of the transaction. Liability can be sorted by little more than ‘the person online has access to this account (perhaps for some limited range of transactions)’. Any thoughts in this area remain commercial in confidence, so public bodies dealing with the public may not be factoring these opportunities into their plans. Leaving registration with authorities, possibly involving face to face to provide personal support but also to arrest imposters, allows them to set whatever level is needed for that service or range of services; subsequent authentication may often need to be less stringent.”

After reading Mark’s comments I remain unconvinced of the value of “government leadership” when it comes to identity and trust services. I would therefore like to believe that Cabinet Office is serious about building on the experience of voluntary beta tests and enabling a genuine market to evolve, with the new Verify services having to fight for market share not only with the Government Gateway and Local Authority ID systems but also with the identity and access management systems of the banks and card companies.

When it comes to the cost-effective handling of multiple identity and access management systems (from those of airlines to catering contractors) they might like to look at how airports like Heathrow and Gatwick are handling the problem. The Computer Weekly 500 club recently had a presentation on the approach being taken at Gatwick that was both informative and impressive. The market is moving on. The time has come for government to do likewise.