Verify
show image

Industry ‘cautiously’ welcomes plan to overhaul digital ID, but privacy campaigners warn of weak protections

Industry experts have “cautiously” welcomed the government’s plans to overhaul its beleaguered digital identity programme – but privacy campaigners have warned that principles designed to guide policymaking around the technology currently amount to “very little”.

The Department for Digital, Culture, Media and Sport (DCMS) announced on Tuesday (1 September) that it has set up a new cross-government strategy board to steer legislation on the use of digital identity technology across the public and private sector.

As part of the initiative, the Government Digital Service (GDS) has also launched a one-year trial of a Document Checking Service that will allow up to 11 private sector organisations to confirm the authenticity of passports, using government data, on behalf of businesses that require proof of identity.

But privacy campaigners have hit back at the initiative, describing it as a plot to revive the controversial ID card scheme that was scrapped in 2010 following a public outcry. Big Brother Watch claimed the scheme “would create a centralised database of sensitive records that could span health, tax, travel, welfare + biometric data about each + every one of us”. Open Rights Group warned that without the right safeguards, the government risked creating another “failed identity project to add to the pile”.

The government also published on Tuesday its response to a consultation on the future of digital identity after the GOV.UK Verify programme ends. Last year, MPs on the Public Accounts Committee said the £200m scheme had failed to meet its objectives. Funding for the programme was extended in April – in order to meet the demand for welfare support in light of the pandemic – but only on a temporary basis.

In its response to the consultation, the government said: “Looking beyond GOV.UK Verify, departments have committed to using standards-based digital identity; this will remain critical to the delivery of effective government services online.”

The original rationale behind creating a federated and outsourced approach to identity management, rather than a centralised register, was that it would prevent a re-run of the furore around government ID cards.

But the scheme appears to have been subject to some mission creep. In 2018, the government tasked the identity providers with increasing uptake, as well as providing the verification services. In the period since, a fragmented patchwork of identity services has emerged across Whitehall.

The new digital identity strategy board will attempt to streamline the development of such services. Chaired by the most high-ranking civil servants in DCMS and GDS, which lead on digital identity policy for the private and public sector respectively, the monthly board meetings also include representatives from departments that rely on the technology, such as the Department for Work and Pensions and HMRC, NS Tech understands.

The board has so far produced six principles, including privacy, transparency, inclusivity, interoperability, proportionality and good governance, to underpin the development of new laws around the technology. The board’s description of these principles can be found at the end of this article.

Rob Anderson, principal government analyst at GlobalData, said it’s “great to see the government finally taking an open, inclusive and seemingly collaborative approach to digital identity”.

“It does concern me, though, that there remains friction and some uncertainty over the respective roles of DCMS and GDS,” he told NS Tech. “It is also incredibly frustrating that more than six years work and over £200m of government investment has now apparently been wasted on the Gov.UK Verify service. That is despite the mantra of GDS, who developed the scheme, being ‘What is the user need’.”

Matt Stanley, director of Think Digital Partners, organisers of the Digital Identity for Government conference, said: “Along with other industry stakeholders I welcome this development, albeit cautiously as the ‘devil is always in the detail’ and that is yet to come.”

Commenting on the principles, Stanley said: “[They] seem fine as far as they are described and generally reflect similar sets in Canada, New Zealand and other nations in recent times, though it’s unusual to see ‘security’ missing from the list since all the other principles would rest upon that requirement. But perhaps it is implicitly assumed.”

He added: “The reference to standards is commonplace but without credible assessment and certification of providers, devices and device apps, standards alone can’t move the dial on these principles.”

Al Ghaff, chief operating officer of Open Rights Group, echoed a similar sentiment: “The principles in the response, while encouraging, mean very little until we see the real practice. The Government must not use this as an opportunity to get prejudiced policies like Voter ID through the door or turn it into a personal data grab for commercial exploitation.

“Unless they commit to a system that puts the user in control, building something useful for people, and with legal safeguards protecting privacy firmly in place, this will be another failed identity project to add to the pile.”

The principles, described by DCMS, are as follows:

1. Privacy – When personal data is accessed people will have confidence that there are measures in place to ensure their confidentiality and privacy; for instance, a supermarket checking a shopper’s age, a lawyer overseeing the sale of a house or someone applying to take out a loan.

2. Transparency – When an individual’s identity data is accessed when using digital identity products they must be able to understand by who, why and when; for example, being able to see how your bank uses your data through digital identity solutions.

3. Inclusivity – People who want or need a digital identity should be able to obtain one; for example, not having documentation such as a passport or driving licence should not be a barrier to not having a digital identity.

4. Interoperability – Setting technical and operating standards for use across the UK’s economy to enable international and domestic interoperability.

5. Proportionality – User needs and other considerations such as privacy and security will be balanced so digital identity can be used with confidence across the economy.

6. Good governance – Digital identity standards will be linked to government policy and law.  Any future regulation will be clear, coherent and align with the government’s wider strategic approach to digital regulation. For example, firms verifying your identity will need to comply with laws around how they access and store data.

This story has been updated to include further reaction to the announcement.