The Government Digital Service (GDS) has insisted its Gov.uk Verify scheme is safe, despite an academic paper claiming its infrastructure is riddled with vulnerabilities.
The paper, named Toward Mending Two Nation-Scale Brokered Identification Systems, highlights that the Gov.uk Verify system uses a central hub through which the identity providers and service providers communicate.
If this central hub were to be hacked, it could be used for “undetected mass surveillance” through user impersonation.
“The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure,” said the paper.
“It is clear that Gov.uk Verify does not adequately consider the need for resilience against a compromised hub and fails to address plausible threats.”
Gov.uk Verify was developed by GDS to give the public a safe way to verify identity when using online government services, such as tax self-assessment or applying for new official documents.
Privacy a priority, says government
The system uses third-party providers – such as Barclays bank, PayPal and Verizon – to verify a user’s identity using unique indicators such as passport or driving licence details.
But the paper claims that, since the Gov.uk Verify hub has visibility of the pseudonym for users created by the identity service providers, anyone with access to the hub – including hackers – can use this to identify where the same user has interacted with different departments.
But the GDS has insisted that Gov.uk Verify is secure, as only a user’s name and date of birth are passed through the hub, and only on occasions where a user is accessing a government service through Gov.uk Verify, when the data is used to match their record with the appropriate department.
“Gov.uk Verify protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group. Gov.uk Verify does not allow for mass surveillance,” said Janet Hughes, head of policy and engagement, identity assurance programme, in a blog post.
“No data about the person’s interactions or activities in certified companies or government departments passes through the hub.”
GDS claims it is now working with the authors of the paper to clarify some of the claims and has invited one of the paper’s authors to join its privacy and consumer advisory group to further develop ideas around consumer privacy.