
Digital identity: Is the puzzle about to be solved?

Solving the digital identity problem is key to the future of the digital economy as a whole – but how close are we? Computer Weekly looks at what is happening with Gov.uk Verify, private sector involvement, and lessons the UK could learn from other countries

This article can also be found in the Premium Editorial Download: Computer Weekly: Tackling the digital identity problem

The UK has a growing digital identity ecosystem, and digital identity is critical to the country’s online future, particularly in a post-Brexit world.

The use of standard IDs for engaging with government online, banking and shopping could deliver a huge boost to the UK economy, as it has in many other European countries.

To the naked eye, it may look pretty straightforward – create a digital identity platform, add any service you need, roll it out and let citizens use it.

However, the reality is that we are faced with a complicated equation with a huge number of variables. The question is: are there too many variables for the problem ever to be solved?

Here Computer Weekly takes a look at what has happened with Gov.uk Verify, the future of the ID platform, how the private sector is getting involved, and what is happening in other countries – and whether the UK could learn from them.

The government began its journey to solving the equation many years ago by attempting to build its Gov.uk Verify identity assurance platform.

The platform was intended as the core of the digital identity ecosystem that could work across private and public sectors and facilitate a marketplace of trusted third parties to identify and authenticate users of online services. The government predicted that there would be 25 million users of Verify by 2020.

But it hasn’t really gone to plan. Uptake has been slow, progress has been limited, and the programme seems to be changing direction.

In 2017, a National Audit Office (NAO) report criticised the programme’s low uptake, saying: “Verify has not achieved the volume of users in the central forecast of the business cases, in part due to slower development of digital services across government, and fewer than expected services being ready to adopt Verify as the primary access route.”

Government departments have indeed struggled to use Verify, with some taking matters into their own hands. Earlier this month, at the Government Digital Service (GDS) Sprint 18 conference, Nic Harrison, the GDS’s director of service design and assurance, digital identity, said there were “very real reasons why departments found it hard to use Verify on its own, or to just switch to Verify”.

“There were very sound operational reasons,” he said, adding that HM Revenue & Customs’ (HMRC) online tax account platform is “one of the biggest generators of Verify”. However, HMRC has also been seen as one of the biggest critics of Verify and has continued to use and upgrade its own Government Gateway platform.

Harrison said at the Think Digital Identity for Government conference: “It’s true that Verify does not meet all the needs of all departments. HMRC, for example, will always have a need to identify businesses and professional third parties. Verify is just not set up to deliver that. It’s a personal, individual service for citizens.”

He added: “GDS is working very closely with HMRC to help facilitate the transfer of any existing citizen-facing services from the Government Gateway, which is still with us, although it will be closed by March 2019.”

Private sector and other solutions

So what is happening now? The government is sticking to its target of 25 million users by 2020, but at Sprint 18, Harrison conceded: “Those 25 million user accounts won’t all be created by government services – they will come from other places as well.”

He added that this had always been the plan. However, at least publicly, this is a definite shift in policy, and one that has not previously been mentioned.

Verify works by asking users to set up an account with one of a selection of third-party identity providers (IDPs), such as the Post Office, Experian and Barclays, which currently have exclusive access to public sector users. However, there are numerous companies across the UK that are doing excellent work on digital identity, but are being shut out of the current arrangements.

Some are already establishing themselves in the market. One of these is digital identity company Etive, which, together with the London Borough of Tower Hamlets, is in the midst of a discovery project on digital identity.

Just as government departments have struggled with Verify, so have citizens, and the platform has suffered a high rate of failure when trying to identify citizens. Many users drop out of the process without success, particularly those from low socio-economic backgrounds who may not have the necessary data held on them to be verified, with Verify requiring information such as passport, bank account or driving licence.

The Tower Hamlets project aims to solve this problem by using other sources of data to help users register with Verify. The project uses locally collected social housing data to “identify” the user, which is suitable for proof of identity at the LOA2 level of assurance, which is recognised in civil court.

Another example is the NHS, which is developing its own citizen identity platform, due to begin live testing shortly. The health service is not using the Verify platform mainly because it is not suitable for very sensitive information, such as personal health records. However, it will use Verify for parts of its service – those “requiring lower levels of assurance”.  

A new direction?

What the government wants now is “a ubiquitous digital identity for service users, both for the public and private sector”, said Harrison, which is good news for identity providers.

It has become clear that Verify is not the only player in the game, and GDS has begun to recognise that, wanting to “take their hands off the controls” and instead focus on standards and interoperability across the ecosystem.

This is good news for identity providers. Identity experts have said several times that Verify’s delays are hindering the development of a proper UK identity ecosystem.

The British Standards Institute is already working on a national standard for digital identity, which has been under consultation. It is known as “PAS 499, Digital identification and authentication – code of practice”.

At the Think Digital Identity conference, Jessica Figueras, chief analyst at GlobalData Public Sector, said the idea of having a central service had not turned out the way the government had planned.

“We have a big, centrally driven, increasingly expensive and increasingly unpopular identity programme,” she said, adding that even if it seems straightforward and “ticks all the boxes”, in reality it is easier said than done.

“There is often an obsession with finding the single tech solution that’s going to meet all of those needs, and often it doesn’t pay off,” she said.

The international horizon

Other countries are way ahead of the UK when it comes to a digital economy, despite the government claiming the UK is one of the best in the world. So what can the UK learn from others?

According to Don Thibeau, president and chairman of the Open Identity Exchange (OIX), digital identity is an issue across both sectors and countries.

The US, he said, has abandoned its version of Verify, and in Finland, uptake of its identity system has been low.

But other countries, such as Norway, Denmark and India, have had success in banking-based systems. Norway’s BankID was launched in the early 2000s, and although it has taken a while, the latest figures show that 2.9 million out of the country’s 5.3 million citizens use BankID – in other words, most of Norway’s adult population.

The GDS’s Harrison said it is important to remember that, in general, “we’ve found that countries that follow this approach have normally taken around six years to achieve a 50% adoption”.

“So let’s not fool ourselves – this is not a quick process,” he said, pointing out that, according to research, there are “key differences between those countries that have ID cards and those that don’t”.

“The poster child for ID card-led countries is obviously Estonia,” said Harrison, adding that for those that do not have identity cards, “ubiquitous digital identity can only be achieved through the adoption of standards”.


Speaking to Computer Weekly earlier this month, former CIO of Estonia Taavi Kotka said you don’t necessarily need ID cards, but you do need a unique identifier to fully achieve digital government. 

“The Scandinavians and the Nordics are so much ahead of [the UK], and there is only one reason – they have a unique identifier,” he said. 

“If you said to me as an e-government engineer, that you want e-government but you can’t use a unique identifier, I will tell you it’s impossible, because if John Smith is in one system, and John Smith is in another system, and you need information from both systems about John Smith, how can you be sure it’s the same person? That’s what the unique identifier actually solves.”

Another problem in the UK, said Kotka, is that digital identity has become a political issue – and he could be right.

Verify was a key part of the Conservatives’ 2017 general election manifesto, which said the government “will set out a strategy to rationalise the use of personal data within government, reducing data duplication across all systems, so that we automatically comply with the ‘once-only’ principle in central government services by 2022 and wider public services by 2025”. 

It is also possible that without the government’s u-turn on ID cards a few years ago, mainly because of the vehemently opposed public NO2ID campaign, the situation around digital identity today could be very different. 

Although not specifically commenting on that situation, Kotka said the UK had made the identity question “an engineering question, a political question”, and that it is simply a fact that “you cannot build a digital government without a unique identifier”. 

He added: “It’s an engineering thing. Don’t make it political. As long as you make it political, there won’t be any digital government or e-society in the UK.”

What does the future hold? 

Kotka’s argument may be controversial to some, but the fact remains that the UK is lagging behind. That isn’t to say that the work GDS and the rest of government has put in is not to be commended, however. 

But it’s time for a new era. Many have long looked on GDS as the bad guys, trying to push a dying platform onto both citizens and departments, and as GlobalData Public Sector’s Figueras said: “I’m pretty sure there are people out there who are pretty sick of hearing all the criticism of Verify.” 

The real issue is that, for a very long time – despite Harrison saying this is not the case – it has seemed like GDS has simply decided to put blinkers on and ignore advice and criticism, instead steadfastly following its own path. 

It is therefore refreshing to see the government now open to working more closely with the private sector to get digital identity right. 

There is often a recurring theme in the public sector, whether it be NHS trusts, local councils or central government, that one place is “so different” from another that there are no lessons to be learned, and if there are, they must be greatly adapted and modified. 

This is not always the case, and although the UK will never have ID cards, that doesn’t mean there are no lessons to be learned or advice to be taken from countries that do. That goes for nations using the banking sector to drive digital identity. It may not be the way we do it here, but the recipe could very well work for the UK. 

So what does the future hold? Will the government’s signal of a shift towards harnessing the digital identity ecosystem improve uptake and development? Will citizens soon be able to use their digital ID across both public and private services? Hopefully, this is the push the sector needed.
