Daniel - stock.adobe.com

Policy Exchange calls on government to publish digital ID strategy

The lack of reliable digital ID services in the UK is limiting the country’s digital infrastructure potential, according to a report on digital identity, which also recommends the government to clarify the future of Gov.uk Verify

The government should publish a digital identity strategy and a 10-year roadmap to provide clarity on its preferences and plans around digital ID, according to the Policy Exchange think-tank.

Policy Exchange’s report, Verified, said the UK needs a reliable public sector identity model to support the creation of a digital identity marketplace across both private and public sectors.

“The lack of reliable digital ID services is a severe limitation to the UK’s digital infrastructure,” said the report. “At present, the UK is one of the world’s leading digital economies. This progress will be hampered unless there are secure and reliable ways to prove one’s identity when accessing goods and services online.

“To prevent fraud and to comply with regulations, businesses providing services online have to perform expensive, and often unreliable, checks on the information that their customers provide. Creating a viable digital ID ecosystem can help to prevent fraud across both the public and private sectors, as well as reducing administrative costs for businesses.”

The report also called on the government to clarify its plans for its flagship Gov.uk Verify identity platform. The troubled programme has cost £175m to date, and although originally intended to replace the Government Gateway, has struggled with uptake among government departments and services. In April 2020, all but two of the programme’s third-party identity providers left the scheme – no longer accepting new registrations, but supporting their existing users for 12 months.

As previously reported by Computer Weekly, HM Treasury, which was due to end funding for Verify in April 2020, decided to extend funding for the programme for a further 18 months because of the Covid-19 pandemic.

“Verify struggled because it was launched before other government departments had promised to participate in the scheme,” said the Policy Exchange report. “Moreover, its ‘closed’ commercial framework limited the number of third parties who could act as certified companies.

“Furthermore, the UK government missed key opportunities to sign up others to the scheme, for which ministerial accountability was unclear. From the outset, it struggled to balance ease of access (ensuring that users managed to verify their identity in a quick and frictionless way) with the completion of the necessary and important tests that are required to prevent fraud.

“This resulted in poor user experience. It also did not make sufficient use of government data sources during the identity proofing and verification process, which may have made it more difficult for certain demographics with weak digital footprints (known as ‘thin file’ users) to sign up.”

The report added that a digital identity strategy must clarify the future of the programme, as well as whether it is preferable for individual departments and agencies to create their own identity solutions, or using a cross-governmental platform such as Verify.

However, it said there are “clear advantages” to cross-departmental ID systems and warned: “There is a risk that every department will develop separate and siloed approaches to identity assurance, leading to increased costs for taxpayers.”

The report added: “Focusing on the long-term delivery of a digital ID strategy can prevent a situation where progress in the future is hampered by legacy IT problems.”

It also recommended the government to create a ministerial portfolio for digital identity, because a dedicated minister for digital identity “would ensure democratic accountability for government identity policy”.

The report said the UK’s digital identity market is very fragmented, and the government plays a vital role in setting standards and liabilities for digital ID services in the private sector.

“Likewise, the government also has access to large data assets that could be used to verify the identities of those trying to access services provided by the private sector,” it said. “It has a duty to protect consumers and offer them confidence in using digital identities.

“It must support the creation of a fully-functioning digital identity marketplace across both the public and private sectors, and one that is recognised in the EU and internationally.”

Read more about digital identity

  • Government Digital Service put in place “unprecedented measures” in response to the Covid-19 pandemic and built several new digital services, but its Gov.uk Verify programme continues to “pose notable risk”.
  • Scotland’s 10-week test of its digital identity prototype finds that users understand the concept of two-factor authentication and using the same credentials across services.
  • More than a year after first announced, the government has launched a year-long pilot of its post-Brexit digital identity checking service.

The report also said the government should establish a digital business identity programme to help improve access to government business support and make it easier to bid for government contracts.

As previously reported by Computer Weekly, the Government Digital Service has been communicating with private sector identity providers as it prepares to launch the Identity and Attributes Exchange (IAX), which is intended to be the way that ID companies can finally gain access to the public sector market.

IAX aims to establish a trust mark for digital identity products, with organisations becoming members of IAX and being certified by an independent auditor. Only IAX members will be then be allowed to sell digital identity services to the UK government.

Commenting on the report, Benjamin Barnard, head of technology at the Policy Exchange, said that proving your identity in the UK is very difficult, “so we often end up sending sensitive documents, such as passports and driving licences, by post”.

He added: “The government has announced that it is committed to do this without the need for mandatory ID cards, physical or virtual, which will allay some concerns, and it is an important clarification from ministers. But in order to achieve its aims, it must also update legislation to allow citizens to complete contactless ID checks when buying everyday goods, including alcohol. Unless it does so, the development of the digital economy will be hampered and fraudsters will continue to take advantage of outdated technology.”

The report also called for the government to undertake a feasibility assessment for digital vaccination certification, so that when a Covid-19 vaccine is developed, the evidence of a person having had the vaccine could be linked to a verified vaccination certificate, which could be secured and stored on a person’s smartphone.

“Digital ID has a number of potential applications when it comes to fighting the Covid-19 pandemic,” said the report.

“Due to the outbreak of Covid-19, there is a significant risk that coronavirus pathogens could be passed on through the handling of identity documents. Decentralised digital ID apps/wallets could allow people to prove their eligibility to purchase goods or services through their smartphones by scanning a unique QR code.”

But it added that for this to be possible, companies operating the apps have to be able to verify the user data, and the government must amend legislation to ensure companies do not have a legal duty to use physical identity documents.

Read more on IT for government and public sector