Industry concerns over government digital identity plans risk a confusing outcome for users

A flurry of recent activity suggests the government is ramping up its plans for the long-awaited demise of Gov.uk Verify, its failed attempt to produce a digital identity system for online public services – and, as the original strategy intended, its wider commercial use.

When HM Treasury extended Verify’s life to continue its use for Universal Credit applications at the start of the pandemic, its developer, the Government Digital Service (GDS), was given until September this year to find an alternative for the departments that had adopted Verify.

Verify’s biggest user, the Department for Work and Pensions (DWP), accelerated its plans to move off the system by accepting Government Gateway accounts and making further improvements to its Confirm Your Identity service, which was remotely supporting 52% of benefit claims by September 2020.

Meanwhile, more than two million Verify users will have received an email from their Verify identity provider – mostly Experian – telling them their account will cease at the end of March, which has probably confused the vast majority of them who thought they had signed up for a government website and why on earth is Experian telling them this?

In the short term, don’t rule out Verify getting another extension beyond September – but is there a longer game in play here?

Recent developments

There have been three important recent developments, targeting private sector ID providers, Whitehall departments, and consumers:

  • The Department for Digital, Culture, Media and Sport (DCMS), which owns policy for digital identity across the wider economy, published the “alpha” version of its digital identity trust framework – a set of standards and rules intended to create an ecosystem of interoperable digital ID schemes that can be used across the private and public sectors.
  • Computer Weekly revealed that Cabinet Office minister Michael Gove wrote to all departments to mandate the use of a new common digital identity system across all Whitehall online services – instructing those departments to cease development on any competing systems.
  • The Post Office – the largest remaining Verify identity provider – sealed a deal to use a branded version of Yoti’s biometric digital identity app. This seems likely to become its core system for signing up people who want a digital ID, to replace Verify as that scheme starts to dwindle.

All sounds positive, right? Hmm. Computer Weekly has been canvassing opinion since the announcements were made, and the responses are not promising for the government.

The industry has been waiting for a long time for the DCMS trust framework. Many industry leaders were disappointed by DCMS’s response to its much-delayed digital identity consultation, but were willing to extend their patience when promised more details early this year.

The release of the alpha framework has been welcomed as an important step, but there remains much eye rolling at the detail – or in some areas, lack of it.

The trickiest parts of the plan have been deferred – areas like legal liability, commercial aspects and how the framework will be governed – while some of the technical details are too prescriptive and restrictive.

There is particular annoyance at the suggestion the framework could mandate use of the GPG standards favoured by GDS, which underpin Verify. This has made some people feel the proposals are another way to impose a way of working on the private sector, rather than working together to find a solution.

In financial services, for example, the development of digital identity is driven by regulations for anti-money laundering, which are incompatible with GPG standards. The Financial Conduct Authority, which regulates the banks, says: “A public-private partnership is instrumental for the success of digital ID”. There are influential figures in the industry who feel that is lacking.

There is a widespread belief that DCMS is still being more influenced by GDS and its attempts to sustain the Verify model, than by the private sector it is meant to support.

Stuck in the past

What does the private sector want? Mostly, for government to get out of the way. Industry figures feel GDS and DCMS thinking is stuck in the past, in a sector that is advancing rapidly through the use of biometrics, NFC chips on passports and in smartphones, and an API-led approach to the sharing of identity data. They want access to the “gold standard” data held by government – passports, driving licences, maybe even local authority data such as council tax – all of which the government is slow and reluctant to provide at scale.

There is a reason why the Government Gateway remains the most widely used digital identity system in the UK after 20 years. This stuff is hard. But, according to industry, the government is making it even harder.

Look, at a much smaller scale, to Jersey. On the Channel island, a free digital identity scheme has been in place for a couple of years, with regulatory approval, in partnership with Yoti. According to figures from the supplier, most 18 to 24-year olds signed up in 2019 and about 50% of adults by the end of 2020. It’s hard – but not impossible.

The Post Office, which has long wanted to be a major player in digital identity, has the advantage of its branch network for registering people whose digital footprint is too thin to sign up to an online-only system like Verify. Perhaps it’s had enough of waiting for the government too, and sees its tie-up with Yoti as a more progressive way forward.

But even that type of arrangement still has the classic problem – why sign up to a digital identity scheme when none of the commercial services you use support it? And why would a commercial service support a digital ID scheme, until it has a critical mass of users? The last thing anyone wants is every website to have to offer customers a dozen or more different login options – it’s not going to happen.

So again, it all comes back to government. There are basically two clear routes to achieving critical mass in digital identity – either through banks offering them to account holders, or government offering them for online public services.

And that’s why Michael Gove’s internal announcement has spooked the industry.

Verify 2.0?

According to the letter Gove sent, “all public-facing central government services should migrate” onto his proposed new digital identity system, and “legacy systems will be phased out”. No further details have been released, but the strong suspicion is this will be some sort of “Verify 2.0”, combined with the recent development of Gov.uk Accounts, which was billed initially as a simple single sign-on tool.

It’s not the first time the Cabinet Office has tried to mandate a common sign-on system – remember the promise that Verify would have 25 million users by 2020? That failed mostly because Verify wasn’t up to the job, but also because major departments – by which you should read DWP and particularly Gateway owner HM Revenue & Customs (HMRC) – were not keen.

Will Gove really instruct those powerful departments to ditch all the investment they have made in their existing systems?

“Work that is substantially driven by any single department providing public services will lead to further disappointment,” he said. He’s not wrong – but he’s going to disappoint the digital identity industry if he goes through with it.

The existence of a common tool for all Gov.uk services means public service users become a closed shop, blocking out commercial providers. Gove was clear that one of the reasons for his plan was to enable the sharing of identity data, and data about people’s behaviour as they move around the Gov.uk estate. You won’t get that if there’s a multitude of privately owned identity systems allowed access too.

Ah, but there were commercial providers involved in Verify, weren’t there? True, but Verify was designed as a “double blind” system – the likes of Experian and Post Office don’t know what service their users are accessing, and departments don’t know any of the identity data held by the commercial provider. That’s not going to give Gove the user tracking he wants.

So, if that is the case – why does government need to propose / impose (delete as applicable) a trust framework on the private sector at all? If industry solutions are denied entry to the public sector, why can’t they just come up with their own standards and rules and simply get on with it themselves?

Well, think of what that might mean.

Industry doesn’t want to adopt GDS’s preferred GPG standards. And if they don’t, every “Verify 2.0” account set up on Gov.uk becomes useless when you also want to log in to a commercial service.

Therefore, a government-backed, UK-wide trust framework that includes the GPG standards – one that’s signed up to by those commercial providers – means private sector services can be accessed by “Verify 2.0” users. But – thanks to Gove’s plan – not vice versa. Game, set and match?

The banks won’t play that game – unless GPG is somehow made compliant with financial regulations, which won’t be easy. The risk is that we end up with a government trust framework designed to give GDS and “Verify 2.0” legitimacy as a general-purpose digital identity system, while the industry goes off and does its own thing.

In such a scenario, almost inevitably, the government system would soon lag in innovation and become unable to keep up with the pace of technological change in the private sector. A bit like Verify 1.0 – but mandatory.

Two digital identities for each person – one for commercial services, one for public services – isn’t necessarily a bad outcome. It’s better than where we are today. But what a missed opportunity it would be.