Government plans next-generation ID scheme

The government has been coy about the pilot identity system it has been running with Mydex, the East London start-up whose trials with Brent Borough Council created in March what was dubbed "a Google moment".

Officials are keen the UK should have a Google moment, but they talk about Mydex without mentioning it by name. They have proposed policies that rely on its technology, without explaining their methods. Departments including HMRC, DirectGov and DWP are designing systems that will use it, but have not said what exactly they are doing.

On 14 March, after Brent concluded its Mydex pilot, the government decided this technology would form the bedrock of coalition identity policy, though Cabinet Office minister Francis Maude mentioned neither pilot nor East London start-up when he told parliament about it on 18 May.


Giving citizens control of personal data

The Cabinet Office nevertheless led the Mydex pilot, while Maude's Conservative Party had made Mydex's raison d'etre a manifesto commitment (though not by name) for the 2010 general election: "Wherever possible, personal data should be controlled by individual citizens". The pilot came in the wake of the identity card scheme as a means for people to hold their own personal data and choose their own means of authenticating their identity.

William Heath, chairman at Mydex, is among a clutch of experts who have produced the defining reports of Conservative technology policy before and after the 2010 general election and, as members of the Cameronian think-tank the Network for the Post-Bureaucratic Age, have promoted it as well.

Every strand of that policy comes together in the Mydex proposal: making a host of expensive IT projects redundant, curtailing the government's collection of personal information in "big brother" databases, shifting the balance of power from the state to the individual, and cutting the cost of government by replacing its functions with private sector provision.


Building a network of trusted providers

Mydex and Maude's proposals converge over the provision of a "customer" or user-centric system of identity assurance. They envisage individuals controlling their own identity through an online agent such as Mydex. Individuals establish through their agent a network of trusted relationships within an "ecosystem" of private providers who can vouch for them, assuring their identity and sharing their personal data. If government wants to verify someone's identity, they poll the agent.

The Cabinet Office has started working with industry - banks and credit reference agencies, for example - to create this market-led replacement of Labour's government-centric identity cards system.

Mydex would be just one provider in a market populated by powerful players. But its government pilot puts it at the centre of the action. Maude has promised a detailed identity market proposal by October, a date expected to coincide with Mydex's first production release of software. The DWP, which took part in the Mydex pilots, will also present its solution for identity assurance by the end of the year in conjunction with HMRC, its partner on Universal Credit, their high-stakes £2bn IT project.

Maude's statement to Parliament cited Universal Credit as one of the first places where the new ID system would be installed. DWP told Computer Weekly Mydex was in the mix. The DWP press office telephoned: not to retract its previous statement, but to attempt to deny it happened at all.


User-centric model for identity protection

DWP, HMRC and DirectGov have all described how Mydex's user-centric view of the world is precipitating a radical revision of their systems and strategies.

Sharon Cooper, director of product strategy at DirectGov, which was also involved in the Mydex pilot with Brent and two other local authorities, told a conference in April it was "working very closely" with HMRC, the DWP and the Cabinet Office on "a new model for identity assurance" it hoped would remove the barrier government's own attempts at security had erected between it and citizens online.

It had become "a massive problem for everyone", she said. DirectGov had identified 100 government services that required citizens to have a different user name and password. Tracking people's attempts to log in to one particularly laborious government service, DirectGov found half of all people gave up on the first page. By page six of the authentication process, all but 2% had given up.

The trio of departments were working on a federated identity model that would simplify the process by shunting it out to the private sector. A user's agent would handle the authentication direct with government systems. It will be essential to "Digital by Default", the government commitment to shift citizens online.


Excessive security checks

The same ideas are leading to an erosion of ground under the Government Gateway, the bullet-proof authentication service, and the one-size-fits-all security precautions demanded of departments by GCHQ, the computer arm of the security services. Criticism of this regime has come from all quarters. Over-stringent security checks are putting tar in the machinery of government.

Steve Riley, IT director at Job Centre Plus, told the same April conference the level of security verification demanded by GCHQ had become a struggle. But so was benefits fraud. It had to get the balance right. It had considered its options and opted for asking claimants security questions - 75% of people fail their security question.

The user-centric model HMRC and DWP are now developing would allow benefits claimants to simply plug in with their agent, drawing from the ecosystem of identity providers whatever combination of seconders are required to meet a required level of security. It might replace the Government Gateway, Tell Us Once and Single Sign-on in one go. If it incorporates the idea of agent as personal information store, as proposed by Mydex and less directly by the Conservative manifesto, it would remove the need for citizen databases such as the DWP's Customer Information System, which has 90 million records of people's personal details.


Providers of identity protection

Mydex's part in the Cabinet Office plan is obscure. Liam Maxwell, councillor at the Royal Borough of Windsor & Maidenhead, another council that took part in the Mydex pilot, who was lead author of 2010's Conservative Technology policy and is an associate of Heath's in the Network for the Post-Bureaucratic Age, played down the government's connection with Mydex.

A market-led system will create a need for a standard, he told Computer Weekly. If all suppliers used the same ecosystem standard to assure someone's identity, any citizen could use any provider, whether Mydex or their bank. The government would be supplier-agnostic.

Mydex will still be in the mix. But the question for scrutineers of government is now, we are told, whether the Cabinet Office will go far enough. That's what Heath said when asked about the extent to which Mydex was integral to the Cabinet Office plans. Would the Cabinet Office allow citizens to have control of their online identities and personal data? Or were big business interests preparing to step in, deliver the ecosystem, but nudge the individual aside and take over from government as the holder of big-brother power?

He said Maude's commitment on 18 May to a "customer-centric" approach to identity assurance might refer not to an ecosystem controlled by individuals but one "targeted at customers", adding: "I don't think it is yet clear which way government ID assurance plans will go."


Policing power to the people

Two other matters are not clear. One is who gets paid by whom. That may determine which way the Cabinet Office swings over the dilemma Heath says it has with the role of industry. The other is from what quarter proper scrutiny of this emerging ecosystem will come.

Maude assured Parliament "NO2ID and other privacy advocates" would be given an opportunity to scrutinise the plans, or at least would be "kept closely informed".

Guy Herbert, NO2ID National Organiser, told Computer Weekly the plans as they stand might not give the individual enough power over their own data. He feared both government departments and private companies were hungry alike for power over identities and personal data.

Like Heath and other members of the Network for the Post-Bureaucratic Age who have played such an important part in formulating and elaborating Conservative policy to date, Herbert and the privacy lobby are concerned to see the government fulfils its policy promise to deliver more power to individuals and not to corporations. More objective scrutiny of the process in the round may have to come from other quarters than those Maude has brought into the fold.

Photo by Hannah Gal
