Back to the future with government ID plans

The government's new identity scheme promises to put citizens at the centre of online public services, says Centre for Technology Policy Research director Jerry Fishenden.

The government's new identity assurance strategy is a significant and welcome change of direction.

Until last year, the Identity Cards Act sought to provide government with monopoly ownership of our identity. But now the Act has been repealed and proposals brought forward to let us choose our own identity provider in an open marketplace of trusted providers. In the future we could find ourselves authenticating to government services using our own choice of ID, such as a bank card or mobile phone - or perhaps even an ID issued by a "Big Society" mutual or social enterprise.

This "new" approach is not in fact entirely new. The UK government tried something similar during the late 1990s, working closely with third-party ID providers such as Royal Mail, Barclays, NatWest and the British Chamber of Commerce. Citizens and businesses could use such third-party IDs to authenticate themselves to online government services. Several "joined-up" service demonstrators were piloted including notifying the whole of government of a change of address once; and registering as self-employed using a single, integrated smart form.

So what went wrong? The lack of a sustainable commercial model led the third-party ID providers to exit from the market. Some providers tried to charge for their cards - as much as £50 a year - and found little appetite among their potential audience to pay for the debatable pleasure of interacting with government online. Another unresolved issue was liability. Who, for example, was liable if a third-party provider authenticated someone and government subsequently suffered fraud as a consequence? Why would you take that risk as an ID provider unless there was also a balancing commercial benefit in providing the service?

While the government continued to support federated, third-party credentials such as smartcards and chip-and-PIN cards at a technical level, the market in ID providers evaporated. Keen to keep its flagship "modernising government" initiative on the digital highway, the government resorted to issuing its own credentials instead. These unfriendly, spook-approved Government Gateway user ID and passwords will be familiar to anyone who has used existing online services such as HM Revenue & Customs' self-assessment tax return. The idea of allowing third-party ID providers anywhere near government services was kicked even further into the weeds during the years of the National ID Card programme.

But now that original vision is back. And if its more open and user-centric approach is to succeed this time aroun,d government has an essential role to play as catalyst, enabler and regulator - but not as a controller or owner of identity. Success will depend on government playing to its strengths, helping establish the right regulatory and enforcement framework. It should stop competing with the private and voluntary sectors, making clear that it will no longer be both an ID issuer and an authentication service provider. Doing so will represent a significant move away from the current system where the Government Gateway fulfils both of these functions for millions of citizens and businesses.

Government will also need to bring on board experienced people with a track record in building, developing and sustaining viable commercial markets. And it will need to demonstrate thought-leadership in the complex and interrelated issues of privacy, security and identity. In this role it will need, for example, to ensure that third-party identity providers cannot exploit the insider knowledge they will be able to acquire about us - at least, not without our informed, active and explicit consent.

But perhaps most challenging of all is that government will need to convince a potentially cynical general public that this latest throw of the identity dice is the right one. To do that, government will need to regain our trust by demonstrating clearly that it now better understands the complex interplay of issues such as privacy, security and identity. Such trust could prove difficult to regain after the roller coaster years of National ID Cards and the many reported breaches of our personal data. A robust, sustainable model that places the citizen at the centre with strong rights and direct control over their own identity and personal data will be as essential to the success of this updated model as getting the commercial, liability and legal aspects right.

We still seem some distance from that idealistic "joined-up" online government vision of the 1990s. In an era that aims to make public services "digital by default", trustworthy identification and authentication remain an essential pre-requisite. And new flagship programmes such as Universal Credit will provide the perfect opportunity for government to demonstrate that this updated approach can help deliver integrated, desirable modern public services, with smart third-party authentication and seamless online execution built around our needs.

"Back to the future" this new ID initiative may be in many ways. But if government now orchestrates the right legal, commercial and technical environment it could finally breathe life into what would prove to be a highly flexible and trustworthy 21st century approach to ID. One that finally places us, the user, where we belong: in control, at the very centre of public service design.

Jerry Fishenden is a director of the Centre for Technology Policy Research and is currently advising Parliament's inquiry into government IT.

Read more on IT risk management