Government-assured digital identity has arrived at a pivot point

GOV.UK Verify must live on and be agile so it can be reset often and easily, argues Frank Joshi

The Cabinet Office plan to have 25m citizen users of GOV.UK Verify by 2020 is an entirely right objective. Digital identity for citizens is essential. Delivering it as a government-assured identity is essential too. There are thousands of private firms who can provide extra attributes if an open market for digital identities can be created.

No matter that the project has met with difficulties and has its critics inside and outside the corridors of power.

Jerry Fishenden is a very decent man and knowledgeable too. News of his decision on May 2 to resign as co-chair of the Cabinet Office’s Privacy and Consumer Advisory Group (PCAG) was understandable. And not totally unexpected, given that PCAG has not met with a minister for the Cabinet Office since December 2015, a fact Dr Fishenden wrote in his blog the following day, May 3rd.

“I can only assume from this lack of engagement that PCAG’s canary function is either no longer understood, or no longer valued. If the group is no longer wanted – well, surely it would be much better all round if someone just said so openly?”

I’ve no doubt he’ll be back assisting Government somehow before too long and welcomed again with open arms. His experience, skill and tech prowess is relevant and is needed.

Reset

I suppose that, in one sense, opening up the GOV.UK Verify scheme to the private sector is being “reset”. Getting this right is necessarily an iterative process. Digital identity is a whole new world. The GOV.UK Verify framework could and should continue. That takes time, money and effort.

The Verify programme is bigger than any single one of us. Many will say that it cannot be allowed to fail. I tend to agree. Not because of what has been invested already in it, but because of what it will give citizens.

Arguing on points such as who and how many Identity Providers (IDPs) there are borders on the kind of industry insider minutiae that’s is likely to delay further citizen adoption of GOV.UK Verify.

To suggest the perfect solution should have been created six years ago misses the point, especially in a technological landscape that moves fast. The key is that it can be changed today and changed again tomorrow as technologies and requirements emerge. Nothing stands still. Doing something rather than nothing is preferable.

Equally, what you can do now is an order of magnitude different from what you could do six years ago. And what the citizen required then isn’t what they require now; take for example mobile devices and mobile apps. Back then, commercial firms supplying goods and services to citizens didn’t have GDPR breathing down their necks.

We mustn’t forget that citizens face an onslaught of cyber attacks of various sorts. It’s their digital identities that the GOV.UK Verify scheme is there to assure.

Okay, so I accept the nirvana might well look like this: a given individual person fully owning their digital identity, and everything about it – from the fundamental so-called Know Your Customer (KYC) data plus all conceivable attributes – as well as being sufficiently techno-savvy to manage it.

But what GOV.UK Verify is trying to deliver isn’t the nirvana nor should it be.

However, it should enable the individual to assert their digital identity to whoever needs it only if the individual receives something in return, and that’s a point I made clear in a previous op-ed .

The Government Transformation Strategy is there to give power back to the citizen not merely streamline the millwork inside Government. And GOV.UK Verify is a vital component part of this.

Part 5: ‘Digital Government’ of the Digital Economy Act 2017 is a legislative embodiment of society’s intolerance on sharing of personal identifiable information (PII) and sensitive personal information (SPI) and on where the red lines are being drawn on privacy.

Cabinet Office is, to my mind, right to hold its ground and not be unduly pushed around by those who advise them, even if that does included the PCAG, as wise as they might collectively be. Cabinet Office walks a tightrope everyday in any case.

Pivot point

Simply by making use of GOV.UK Verify more frequently based on convenience and citizen demand, we’ll see the scheme succeed. This necessitates GOV.UK Verify entering the public consciousness as something that benefits them for transactions with private sector providers.

Identity Hub Services, such as the one my company has deployed in the sandbox for private sector firms to test, should be regarded as a tool to get the job done. An adjustable spanner if you like.

A tool that behaves like an exchange, where no passwords are seen or stored, means trust can be established between service providers and those seven Identity Providers on the GOV.UK Verify scheme.

Moreover, and just as importantly, an exchange tool means citizens’ privacy is respected and defended, not compromised, traded or remarketed. After all, personal identifiable information must be protected; private sector companies will see to that. They won’t want to fall foul of Data Protection Act 1998 (DPA) penalties of up to £500,000, or more seriously, General Data Protection Regulation (GDPR) penalties of up to 4 percent annual global turnover or £20 million, whichever is more.

The citizen gets to choose, and that is exactly what should happen. And it is exactly the sort of facility that any technology should be delivering, especially technology touching sensitive personal data about you. It must be resilient and performant, and be able to withstand ingenious hackers without asking citizens to man-the-barricades every time they need to prove who they are and what they know.

What the Cabinet Office is trying to create is of ubiquitous benefit. Create once and use many times over. The way it is used will be controlled by the user, the person who gives their consent. Attributes can be queried without revealing the actual data. Return on investment can be phenomenal providing a technical starting place can be agreed based on what is available.

To illustrate, let’s look briefly at a few situations from real life.

Proof of Age

Some service providers are required by law to ask if you are aged 18 or over even before you enter their website let alone before you do an online transaction with them. And you’ll be able to verify you are 18 or over easily using GOV.UK Verify without actually giving your date of birth information away to them. This ensures the service provider stays within the law and protects the privacy of your personal identifiable information.

Regardless of card initiatives such as Validate UK or Citizencard people still place more reliance on a Government-assured identity document – a passport.

Just think of the number of passports which are lost or stolen every weekend as young people take their passports out to pubs and clubs purely to assert their age to the doormen or bartenders.

“Losing a passport can be more serious than just the cost and inconvenience of a replacement”, HM Passport Office says. "A passport is a valuable document and criminals can use it to commit crimes like identity and financial fraud, which is why it’s so important to report any loss or theft to Her Majesty’s Passport Office so we can log the details and cancel the passport."

Another example is to prove to a service provider of such as a life insurance company that you’re 50 or over and eligible for a life cover plan without health checks and awkward questions (and no doubt a free pen just for enquiring).

Each of those illustrations depicted verification based on just one criteria: date of birth data. They needed affirmative or negative responses, not your actual date of birth. And it’s on that basis that all other attributes can be used.

Savings

How many times do we currently have to jump hoops required of us by laborious and repetitive processes, which are largely hand cranked for the most part, whereas service providers and citizens could benefit from accessing the number and diversity of applications and systems if you add the ability to be verified on other actual facts about you but without giving out your private details to all and sundry time after time.

Even assuming a citizen earns the average national wage of £26K, what cost would the loss productive time equate to across a year? Aside from the cost, what about the inconvenience and the unnecessary anxiety it creates?

Taking a holiday

Summer is coming so let’s use an example of going on holiday.

From the moment you book your flight online or at a travel agent details about you need to be shared via the airlines, airports, and immigration and customs authorities with the government of the country you’re travelling from and that of the nation you’re travelling to.

Once at the airport, the information you self-asserted at the time the booking was made has to match the actual details on your passport, or you’ll have some explaining to do.

Airlines have to use part of that information for their passenger manifests and in order to issue you with an authority to travel, quite often in the form of a boarding pass. Immigration officials want to see your authority to travel and your passport and any relevant visa documentation.

Retailers located air-side at airports also re-use that as a means of verification, as do other service providers.

Just imagine, if it’s possible for each of these service providers to shave 15 seconds off the time it takes to “process you” simply because you are able to assert your identity once in a digital form that is government-assured and let their information systems take the strain, then that would make for quicker experience and a happier holiday.

Frank Joshi is director of Mvine Ltd an established UK SME specialising in distributed digital identity technologies.

First published by Government Computing