gosphotodesign - Fotolia
The troublesome saga of Gov.uk Verify
As the government plans to hand over its flagship identity assurance programme to the private sector, Computer Weekly looks at the history of the troubled project and how Gov.uk Verify ended up on the chopping board
For many, the news that the government is ending investment in its Gov.uk Verify digital identity system didn’t come as a surprise.
The signals have been there for a while: increasing private sector involvement, former Verify boss Nic Harrison saying the Government Digital Service (GDS) wanted to take its “hands off the controls” on identity, the Department for Digital, Culture, Media and Sport (DCMS) taking over responsibility for digital identity policy and, most recently, the Infrastructure and Projects Authority (IPA) recommending termination of the project.
It may have been on the cards for a while, but that doesn’t stop the criticism. Shadow Cabinet Office minister Jo Platt said it shows ministers have failed to make the programme a success and that government is simply “abandoning its responsibility to provide a secure and effective digital identification service”, which she finds “deeply concerning”.
“After spending six years and £130m developing the system, ministers have failed to attract the promised number of users, failed to convince their own departments to register, and failed to create a system that actually works,” she said.
On the private sector side, many suppliers in the digital identity market have been pushing for this for a while now, and are delighted with the news and the possibilities it brings for a thriving digital identity ecosystem in the UK.
Whether you see it as a failure, or simply a change in direction for the programme, how did it what was a flagship government digital project end up being wrapped up and handed over to the private sector?
Some may argue that private sector involvement was always the plan. And it was, although perhaps not to the extent currently envisioned.
The process to set up a digital identity assurance programme began in 2012, when the government first went out to tender for identity assurance providers (IDPs). At the time, Verify was due to go live the following year, in 2013, but even back then, things didn’t go exactly to plan.
In April 2014, GDS said it expected to have 600,000 users by the end of the year. In July 2015, the target was revised to 700,000 users by November 2015, with a further three million expected to sign up in the following 12 months.
In early April 2016, Computer Weekly interviewed the then Verify boss, Janet Hughes, who said it was on track to go live at the end of the month.
At the time, she told Computer Weekly that the goal was for Verify to become the standard way for citizens to prove their identity, not just in central government, but for other services as well. She was positive that Verify would be a success, despite struggles having already appeared, with some of the early criticism focused around the datasets used by the IDPs when trying to confirm a user’s identity, raising doubts that, in some cases, they are sufficient to achieve the necessary levels of assurance.
Even before the programme had gone fully live, which happened at the end of May 2016, some were sceptical. In March 2016, Rob Shaw, director of operations at the Health and Social Care Information Centre (HSCIC), now NHS Digital, told Computer Weekly that the NHS wasn’t sure Verify was “quite there in terms of the level of security” needed for health services data.
The NHS has since developed its own digital identity platform.
Criticism ramps up
In November 2016, proud of its achievement in going fully live with Verify, GDS announced it was aiming for 25 million users of the identity assurance programme by 2020. At the time, it had about 911,000 users.
The following spring, the Conservatives were so certain it was achievable, they proudly promised to reach the ambitious target in the party’s general election manifesto. At the time, critics were already calling for a review of the programme.
In March 2017, the National Audit Office (NAO) was one of those critical to the programme’s success. The NAO said in its report that the uptake of identity assurance platform Verify had been “undermined by its performance and GDS has lost focus on the longer-term strategic case for the programme”.
Rumours were also spreading that HM Revenue & Customs (HMRC), in particular, had been reluctant to use the platform, with sources suggesting the department had no confidence in the system. Like the NHS, HMRC decided to develop its own identity service.
Just as government departments have struggled with Verify, so have citizens, and the platform has suffered a high rate of failure when trying to identify citizens, with a success rate of 47%.
Change of direction
Despite the criticism, to the outside world it seemed like GDS was simply putting cotton wool in its ears and refusing to take notice. Instead of acknowledging the difficulties, GDS kept smiling and reiterating its 25 million users target. However, changes were afoot.
Under director general Kevin Cunnington, GDS had already started heading in a “new direction”, helping departments help themselves, rather than building everything for them.
“GDS has been changing the way it works with departments, and we’ve been using an old adage to help us understand how to do that: if you give someone a fish, you feed them for the day; if you teach someone to fish, you feed them for life,” Cunnington said earlier this year.
In May 2018, the then Gov.uk Verify boss, Nic Harrison, admitted publicly for the first time that it wasn’t all going exactly to plan, when he conceded that Verify uptake numbers “still aren’t stellar”. At the time, there were 2.2 million users. He also admitted that the target of 25 million users would not be achieved by government on its own.
“Those 25 million user accounts won’t all be created by government services, they will come from other places as well,” he said, claiming that had “always been the strategy” but it had become one it was now “more actively pursuing”.
Welcome to the private sector
This was perhaps the first signal that the government was planning to hand over the reins to the private sector. The involvement of the private sector had already played a part in some local authority Verify projects. Then came June, and with it, the news that DCMS would now be responsible for digital identity policy. Computer Weekly predicted at the time that the move could be the one to administer the last rites to Verify.
The move was part of DCMS’s proposals for a digital identity ecosystem, where databases containing vital identity information such as passports and driving licences could be accessed through application programming interfaces (APIs) by identity providers.
This, it seems, is exactly where we are heading. In July, the IPA recommended Verify was terminated as costs have risen to £130m and there is little to show for it.
Earlier this week (9 October) came the moment that quite possibly changes everything: Cabinet Office minister for implementation Oliver Dowden told parliament in a written statement that investment in Verify would end within 18 months and “transition to a private sector-led model”.
The government has signed contracts with five IDPs, which will take on the responsibility for further development of Verify, but the platform is now likely to compete with numerous other digital identity providers.
“It will be the responsibility of the private sector to invest to ensure the delivery of this product beyond the above [18-month] period,” Dowden said.
However, only last month, Dowden remained firm on the 25 million users by 2020 target. The current number of users is 2.9 million.
Whether Verify will survive in a sea of private sector investment, competing against numerous other platforms, remains to be seen.
Read more about Gov.uk Verify and digital identity
- GDS aims for path of least embarrassment as it shifts strategy on Gov.uk Verify.
- Solving the digital identity problem is key to the future of the digital economy as a whole – but how close are we?
- Cabinet Office announces 18-month transition to hand troubled identity assurance programme over to private sector.