A glacial pace and tissue thin. That’s the widespread view of the process and outcome of the government’s response to the Department for Digital, Culture, Media and Sport (DCMS) digital identity consultation, published in early September.
The digital sector is worth £400m a day and contributed £149bn to the UK in 2018 – that’s 7.7% of the UK economy. The UK is capable of far greater performance and will need to deliver, especially as we seek trade agreements around the world from January 2021.
But there’s a simple problem with the DCMS plan for digital identity – there isn’t one. The consultation response contained nothing with any detail, nothing of any substance and no clear strategy.
Even this latest plan came only after considerable urging from the tech industry. Trade body TechUK was the major accelerant for DCMS publishing anything at all, with CEO Julian David in July putting his weight behind a call for action, a move that was widely applauded.
TechUK’s subsequent whitepaper, Digital identities: the missing link in a UK digital economy, was forthright and timely. It highlighted nine recommendations made by industry in 2019 and government progress, or rather the lack of it, since then.
The tech industry retains a healthy scepticism about the government plan for digital identity. Being invited to the table, investing money and resources only to be let down too many times has, quite understandably, taken huge chunks out of our collective commercial appetite to be “screwed over” again.
The promise of a competitive market for digital identity mutated into a monopoly when most of the government-appointed identity providers for its troubled Gov.uk Verify scheme decided not to renew their contracts. As of March this year, this left just two players to fight over the spoils of new registrations for Verify. Remember that one of those players – Post Office – uses the platform developed by the other, Digidentity. If that doesn’t make it a monopoly then it’s certainly a cartel. Observers inside and outside the tech industry look at this erosion of competition as an act of commercial sabotage.
The Gov.uk Verify brand acts as a ball and chain around the ankles of government, not through choice but through mismanagement, and through the abject failure of government to adequately communicate its existence to the general public or even the IT industry at large. Reinventing it as the Identity and Attributes Exchange might, just might, be its salvation. But recent history has made people wary, and we will need persuasion.
Having floated the idea of a Digital Identity Unit last year without any embodiment of it or terms of reference, DCMS now comes up with a Digital Identity Strategy Board instead. The tech industry is utterly bemused by this move.
Tug of war
Is DCMS distancing itself from private sector digital identity after having won the tug of war against the Government Digital Service (GDS)? Or is it shielding itself from what it thinks is to come? Is the department abdicating the remnants of its decision-making powers, handing them over to yet another group with little or no grasp of the nuances of digital identity, what it takes to run a functioning marketplace, or how to achieve it with the cheerful engagement of the private sector?
Digital identity will necessarily become part of critical national infrastructure. It is an inevitability. On that basis, if you are looking for a competent authority for digital identity, then perhaps the National Cyber Security Centre or GCHQ would be better positioned as an arbiter of technical standards. They will know how to hold suppliers to standards rather than spinning up yet another quango at arm’s length to the Cabinet Office or DCMS.
This is too important an issue to be worked through without full transparency. There is far too much at stake. But even taking a long view, the consultation response from DCMS isn’t even a small step towards where we need to be. It smacks of a stalling tactic to buy more time for a department obsessed by the minutiae of a marketplace it is clearly unable to create. If it was able or even willing to create a functional market for public sector digital identities to be reusable by the private sector, as was always the goal, then wouldn’t it have done so by now?
The fear is the public sector will never truly interoperate with the private sector in the way it could. Moreover, the private sector will forge ahead anyway and build digital identity infrastructure on a multiplicity of differing standards, which would be as foolish as building railways with different gauges.
This country is exceptionally well positioned to solve digital identity to prioritise economic growth in the domestic market and as an exportable competitive advantage, enabling Digital UK to compete and win on the global stage in the same way that Greenwich Mean Time acts as the prime determinant of time zones globally. It is an issue with immediate applicability for HM Treasury, the Cabinet Office, the Foreign, Commonwealth and Development Office, and beyond. We’re at the dawn of a new era of the internet. Digital identity is everyone’s business. And in everyone’s interest.
But DCMS publishing an emulsion rather than a substantive response, after the views of the private sector were sought and generously contributed, was met with contempt.
A government plan for digital identity needs to have a strategic horizon beyond the mere establishment of digital identity itself. It needs to consider the endgame. It needs to prioritise the digital economy. When we get it right for the UK it can be a great export product.
We need a competent authority for digital identity that can implement policy action lines to protect and grow the digital economy. That means interoperable, ubiquitous and federated digital identity for use and re-use in digital government, industry and civil society, all based on user consent.
Contrast that with how things are now, with DCMS aiming to develop a UK-wide trust framework while saying they will not support the development of any other trust frameworks.
The digital economy needs to be understood and better represented in Downing Street. With impending appointments of a government chief digital officer and chief data officer, perhaps they will at last be able to provide leadership around digital identity.
Limp platitudes by DCMS are simply not enough given where we are and where we need to be. The secretary of state, Oliver Dowden, could, if he chose to, swiftly get a grip on this and define some prioritisation to try to regain some of the ground that has been lost through departmental vacillation.
“We can do more for less when we get it right in terms of digital,” said Dowden in September 2018. Come on then, let’s do it. It won’t be easy, but it isn’t impossible.
Frank Joshi is director at identity infrastructure engineer Mvine, and a member of TechUK as well as other organisations influential in global identity and privacy technology.