The UK’s digital identity policy conundrum

The UK government’s recent consultation on digital identity suggests that past mistakes and assumptions have yet to be resolved – a different, more user-centric vision is required

“If I were you, I wouldn’t start from here.” That well-known phrase has resonated in my head since I saw the description and questions released last month in the consultation on digital identity from the Department for Culture, Media and Sport (DCMS) and the Government Digital Service (GDS).

Those words resonated again as Kantara’s identity assurance working group grappled with its responses to the call for evidence and became deafening when I saw the first few slides at the recent Birmingham roundtable event organised to discuss the consultation after the deadline for responses.

It was well run, make no mistake. Valuable and insightful too, as Hannah Rutter, head of digital identity at DCMS, observed in closing comments. The light attendance and the Midlands location – north of the London bubble – perhaps contributed to produce more people-centred ideas with good discussion for DCMS and GDS to ponder.

The objective for the consultation was spot on – towards a thriving, inclusive, trusted digital economy. References to technology and regulation as potential blockers were on-point too. But not a single mention of policy.

As in the call for evidence questions, the roundtable’s opening slides assumed and accepted the current policy interventions. It seemed this was to be an exercise of titivating around the edges, finding point solutions and other nuggets that would transform the current Gov.uk Verify mess into a world-class exemplar once more. I was stunned.

Policy issues

Afterwards, I asked the GDS and DCMS representatives how long they had been engaged in digital identity. The average came out at less than two years. For sure, GDS still retains a handful of contractors with a good number of years deep in the space, who may have been at least present when the current policy interventions in play were created in 2010-2012.

Meanwhile, the career civil servant leadership above them churn every few years, meaning that much of the institutional knowledge is lost.

When I told the story of how the current policy interventions came to be – that it was a product of those times; a firestarter exemplar to fan the flames for more Verify-like schemes, more providers, more solutions, more certifiers and more industry associations to build a vibrant, balanced and trusted ecosystem that could show the world that it could be done in a common law country without a mandatory electronic ID card – they listened so intently that I knew they had never heard it before.

Policy is not like a computer chip or a car part. You can’t just swap it out. You have to know what it was trying to achieve when it was introduced and what factors cause it not to work as envisaged – all before you can fix it.   

My initial sense from the questions asked, then reinforced by the experience at the roundtable, is that the underlying policy is not being reviewed – more taken as assumed.

The constant reference to a “market” for digital identity is just one reflection of that. Another is the obsession with digital identity. This may seem a strange thing to read from the executive director of a non-profit community, half of whose mission rests exactly there (the other half rests on agency over one’s personal data).

But in order to drive towards a thriving, inclusive, trusted digital economy, all its components need to be taken forward. Digital identity is an essential one, but not the only one. Attribute exchange, delegated authorisation and permission-sharing, agency over where and how one’s personal data (including digital identity data) are used, are all important too.

It’s really good to see the 2020 pilot for passport attribute exchange, even when remembering that the Passport Office first tried this about 10 years ago. The idea has been copied by Australia, New Zealand and possibly others in the form of document validation/verification services that still operate today.      

Vested interests

A programme to nurture and support just one aspect – and even then only nurture and support those examples selected at the outset of the policy intervention – has had the effect of skewing the components out of balance with each other, adding friction and blockers to the highly desirable economic objective we all want to see achieved.

Next time you hear an industry player say, “Well, to solve [insert digital-related problem being discussed], you need digital identity,” be on the alert for vested interests whose business may be built around that single government-supported component.       

In my view, incorrect policy intervention is where the core of the issues lies. The opportunity now is to redraw the canvas without those policy interventions and start from the person outwards – what they interact with and what potential blockers there might be that government could help remove, then go out one further layer of the onion, do the same, rinse and repeat. Of course, there are factors other than policy in the mix – company identity, cross-border flows and any number of factors not mentioned here simply to get the point across.

Digital identity will certainly appear sometimes. Markets may or may not form, like in any other part of the economy, based on potential supply and demand, investment and return for the risk.

The collection of those potential blockers and potential interventions to mitigate them should become the new government policy baseline. It has nothing to do with markets or decade-old visions of the digital identity landscape, roles and players.

It has everything to do with getting inside the minds of the people government serves, following them on their digital journeys, where digital identity is a means to an altogether different end and working to reduce or remove friction along the way.

Colin Wallis is executive director of the global non-pay-to-play, non-profit community association Kantara Initiative. The views expressed here are entirely his own and do not necessarily represent those of Kantara, its members, or his previous employers.
