How the UK Government should fix Identity

The UK Government fails to understand the fundamentals of Identity, which is why they keep getting Identity projects wrong.

First there was Verify, a program that cost over £130m and is now having its funding cut after failing to attract users. Verify has failed for many reasons. Probably the first is that the government should not be building technology; they should leave that to tech companies. Secondly, Verify does not use identity; it uses other services that users do not necessarily think of as identity providers, such as banks.

My one experience trying Verify involved me spending 20 minutes trying to remember very random bits of my financial past that corresponded with Experian’s database on me. Experian’s data on me is far from accurate, and is a composite of data provided by other companies, most of whom don’t really know me that well either. So it was no surprise that I nearly failed the Verify process as I didn’t know what Experian thought it knew. It was a total mess.

Now, to make things worse, the government is trying to solve the problem of Verify’s failure by creating multiple, government-built Identity services. When will they learn? The NHS is building one, so is HMRC. What is bound to happen next is a mixture of the government again spending a ton of money on something that either doesn’t work or doesn’t make sense, or creating multiple gateways into government, each of which requires the user to create different identifiers. So you will have your passwords and whatever tokens for the NHS, and different ones for HMRC, and so on. In fact, we’re back to where we started pre-Verify.

The root of the problem is that government doesn’t understand Identity. What makes it more painful is that the still quite fledgling Identity industry does, and is going in a completely different direction to the government. The industry is heading towards forms of self-sovereign identity. As James Greaves, the founder of one such company, Glyph, recently put it, in the future services will log into you, rather than you logging into them.

With this logic, I would create my own secure identity resource. It would contain all the attributes that define me as me. When I go to the NHS, or HMRC, they will challenge that resource and ask if I am me. In that sense they are logging into me. The identity resource would contain the same information currently held by government (date of birth, passport, driving licence, biometrics) and used by Verify (banking information, financial history, phone number, address). But instead of this information being randomly scraped from messy third-party systems (Verify), or owned by the government agency (future NHS, HMRC system), I would own all the data and keep it up to date. It is validated by the government, because they gave me the passport in the first place, or by a bank, who have my bank statements and address, but then it is mine to share and use as I want.

In this approach, I would receive a notification on my phone saying ‘NHS wants to access your date of birth, address, and password,’ and I would simply authorise it to do so.

So the first thing the government needs to understand is that it should not be building any identity systems. Government does not, and should not, build tech. That is a well-established lesson from our recent history. GDS has a staff of 860 people and an annual budget of £128m; Verify cost over £130m. Most Identity startups have a staff of 5–10 people, and build things on hundreds of thousands or a few million pounds, and they work.

Secondly, the government needs to understand that it should not own or manage identity systems. The UK has a unique problem in that we do not and will not have identity cards. Without a single identifier like an ID card, we end up with complex workarounds like Verify, which don’t work. The way to get more people accessing government online is to create a healthy, independent marketplace of validated identity services, and let people use whichever they choose to access the government.

The role of government in this process would be to validate these services. Only the ones that are deemed safe would be allowed to become government gateways, and would be allowed to plug into the government APIs. Verify held tenders to become one of its gateways. They were done in batches at long intervals. This was wrong, because it restricted the marketplace to well-funded incumbents who can afford to bid on tenders, and to wait 12–18 months for the next tender.

Instead, there should be a simple, open process to become an identity provider for gov.uk. The process would not be a tender, because the government would not pay for it. It would be a verification process that tests security, trust, and other safety aspects of the system. This would be done on a rolling basis, and quickly.

This would achieve two important things. Firstly, it would support the new Identity industry, helping the good new companies exploring this space to recruit users, because suddenly they would become a gateway to government online services. The government would not pick winners; instead, those companies that are good will come out on top, and the ones that are rubbish will fail. Users may try a few of them and will stick with whichever delivers the best service.

Secondly, it would move Identity away from the government, making accessing government and other services online easier and safer. A user will decide which service to use, and in building an identity profile will find they can then also use it to open a bank account, verify their identity online securely, and provide information using zero-knowledge proofs. All in all, society would become safer and more secure, which is increasingly important in an age of growing cyber warfare and crime.

The way to achieve this is to drop all government identity projects, and put a fraction of that money into an Identity Sandbox, where identity companies can safely test their product against an array of government APIs. The Sandbox would include input from law enforcement and other government bodies that specialise in cyber security and safety. Companies, government, and law enforcement would play safely until things worked. At that point the company in question would be ready to enter a validation process. If they pass, they become an identity gateway for the government.

This would be far cheaper, and would see many different approaches tried, tested, and either work or fail, but with no risk or cost to the government or to users. The result would be multiple ways to access digital government easily, and a flourishing digital identity sector which would make life easier and safer for everyone.

The author is a former Special Advisor to Estonia’s e-Residency Program, an advisor to Glyph, a Director of BBFA, and a Visiting Fellow at the NATO Cooperative Cyber Defence Centre of Excellence.

Written by Tobias Stone @ Newsquare

www.newsquare.io is an innovation agency founded by Tobias Stone. www.linkedin.com/in/tobiasestone
