GDS must share the lessons of Verify - good and bad - to boost the digital identity ecosystem
Depending on your perspective, Gov.uk Verify is now either secure in its future at the heart of the UK’s emerging digital identity ecosystem, or it has one foot in the grave and is on the way to its inevitable demise.
The Cabinet Office has produced a carefully worded announcement that leaves room for interpretation, while also giving the Government Digital Service (GDS) a way to save face. You can read the full announcement to Parliament here, but the essence is this:
Capped expenditure
In 18 months’ time, after a “capped expenditure” approved by the Treasury has been spent, government will cease further public investment in Verify – but Verify itself will not cease. Instead, five identity providers (IDPs) will use the technology they developed as part of the Verify programme – and, most importantly, the Verify users they each registered – to offer a private sector digital identity solution, based on “state-backed assurance and standards”.
Whether those providers choose to still call their products “Verify”, or to use some form of Verify branding, will be up to them. As part of the new contracts those companies have signed with the Cabinet Office, they will have permission to reuse their Verify technology without requiring government approval, which they would have had to seek under their previous deals.
What’s important, as far as government is concerned, is that the (so far) 2.9 million citizens signed up to Verify will still have a digital identity they can use that allows them to maintain access to the online public services for which they set up that identity. Those citizens should, in theory, also be able to use that identity in future to access any private sector services that accept the same standards.
GDS will still support whatever in-house Verify technology – and whatever staff – is needed to support users accessing digital public services. But by the time the IDPs take over, this will be done on a “cost neutral” basis to government – in other words, the IDPs will have to pay for it.
It’s not clear – and not yet decided – what services GDS will need to offer those IDPs. It could be none (although that’s unlikely on day one) – or it could slowly decline to none. It remains to be seen how the IDPs will be able to offer a service with only a 47% verification rate as a commercial product – and if they get that rate up to an acceptable figure, why didn’t they do so before?
GDS will continue to advise Whitehall departments on appropriate use of digital identity in their services – but any previous attempts to mandate the use of Verify are over. GDS will keep departments on the straight and narrow, but it’s up to the departments to decide which standards-based identity products they want to use. That includes using suppliers that have had no involvement in Verify.
Digital identity market
The five chosen IDPs will be responsible for helping to build the wider digital identity market in the UK. GDS can then say it has been instrumental in the establishment of a digital identity ecosystem that did not exist before. Others will decide if the £130m and more invested in Verify was justified to reach that end (and that’s not to mention the many millions more invested by HMRC, DWP, NHS and others in building their own digital identity systems because they couldn’t rely on Verify).
The 18 digital services that currently use Verify – along with three others in private beta – will continue to offer Verify to users for as long as they want to, but it’s undecided how new users will select which provider to use after the 18-month transition. Previously, users registering with Verify have been asked to select one of seven (now five) IDPs. It’s yet to be decided what will be offered to users at that point in future – for example, a selection of IDPs, or a preferred IDP per service, or simply a statement that they can use any IDP that conforms to the standards.
Think about how that’s going to come across to any citizens uncomfortable with technology at the best of times. But perhaps there’s a solution yet to be determined.
Two of the existing IDPs, Royal Mail and Citizen Safe, have dropped out. At the start of 2017, those two accounted for approximately 3% of all Verify users, so in the grand scheme of things they’re not much of a loss. But with 2.9 million users, that still equates to 87,000 citizens. Royal Mail and Citizen Safe will continue to support those people for the next 12 months, but after that they will have to re-register with another IDP to continue to access government services – there will be a communications plan to explain and help.
Universal Credit
Verify faces its biggest challenge yet in 2019 – perhaps the reason why the 18-month transition period has that duration. By the end of this year, the digital version of Universal Credit (UC) will be rolled out to all Jobcentres, and next year millions of existing benefits claimants will be told they have to apply for UC. As part of that process, they will have to use Verify.
DWP already knows Verify can’t cope on its own, and has had to develop its own system to work alongside. Verify has consistently struggled to successfully register even half of the citizens who attempt to use it. Early tests on UC suggested that only 35% were able to set up a Verify account online. UC could potentially more than double the number of Verify users – the system has never been asked to work at such scale, and especially not for a service under the intense political and public scrutiny of Universal Credit.
The five IDPs have already been involved with the UC programme, but will be working more closely with DWP over the next 18 months.
Potentially the biggest winners here will be the identity companies that have been excluded from Verify in the past, and whose business growth has been stifled as a result. As long as they conform to standards, the public sector market will finally open up to them.
Those standards will be set, not by GDS, but by the Department for Digital, Culture, Media and Sport (DCMS), which took over policy responsibility earlier this year. DCMS has little interest in supporting Verify, and privately sees its standards-based approach as heralding the end of Verify. Like many other departments, DCMS has simply lost confidence in what was meant to be the government’s flagship digital identity product.
The lessons of Verify
Over the last two or three years, as its critics increasingly claimed that Verify was travelling down a dead-end street, GDS has retreated into secrecy and silence over its plans. It took the government’s Infrastructure and Projects Authority to recommend the termination of Verify to reach this point.
Verify was always an ambitious and important programme – digital identity is just hard to do – and GDS deserves credit for taking it on.
But somewhere along the line, it got lost. Remember that as recently as February 2017, the Cabinet Office set a target of 25 million Verify users by 2020. Only last month, minister Oliver Dowden reiterated that goal. It’s unlikely there will even be 25 million citizens with any form of standards-based digital identity in the UK by that time.
GDS will tell us – and it may be correct – that the time, resources and money invested in Verify has been worth it to help establish a UK digital identity ecosystem. The difficulty is, we just don’t know if that’s true.
GDS has learned a lot – about what works and what doesn’t work – on digital identity through Verify. If it really wants to be viewed as the prime instigator of a market that will be critical to the success of the UK digital economy, it needs to now be fully open and transparent about its Verify journey. There is surely much that the whole ecosystem can learn too.