Question of trust at the heart of government moves to put public services online


Digitising public services and putting them online to reap the cost and efficiency benefits is something that’s been tried with varying degrees of success. The UK government’s “digital by default” policy has been many years in gestation, partly because a key component – an identity assurance service by which citizens can digitally prove who they are to government services online – has proved a difficult delivery.

The service quietly opened on a limited basis for further testing this month. It is a type of federated identity management scheme, where a user has a strong relationship with an organisation that verifies their identity – and this organisation then vouches to other services that the user is who they claim.

It’s the online equivalent of an identity card, where the identity provider generates a short-lived piece of digital ID on demand. The advantage for users is that one set of strong credentials with their identity provider will be enough to verify them with many services, dispensing with many sets of usernames and passwords. If this sounds familiar, it’s not much different to the way that web sites allow you to log in to their services using your Facebook, Twitter, or Google accounts.

The government scheme began by signing up eight companies in 2012, offering it to the private sector in an effort to quell privacy concerns stemming from the centralised government database of the now-cancelled National Identity Scheme. The spring 2013 deadline passed and only five suppliers remained in the scheme: Digidentity, Experian, Mydex, the Post Office, and Verizon. (Note that Facebook is not among them.)

Based on the first phase of the pilot conducted by Warwickshire County Council using PayPal (which has since dropped out) and Verizon, the public sector IT managers’ organisation Socitm highlighted users’ problems using and trusting these companies.

It does not surprise me that users found it strange to use Verizon, a US telecoms provider, in order to access UK government services. What relationship do most people have with Verizon? Why would anyone have an account there? The answers are “none” and “they would not”. Using PayPal would be straightforward for those who already use it. But people typically use PayPal to pay for goods or services online. Since most government services don’t require payment, why would PayPal be involved in accessing a government service?

The most sensible choice would be to use the Post Office. Everyone goes to the Post Office many times during their lifetime; it offers familiarity and trust – and would seem to be the most natural choice to provide identity verification for government services.

Identify once, use many times

By way of comparison, the way the academic community tackles this problem is much more natural than the government’s efforts. Here, staff and students are required to log in to their university to use its services. With a single sign-on system, when users attempt to connect to another service or network, the university, as their identity provider, passes on their digital identity card, meaning they are not prompted to log in again. Another example is the academic Eduroam service, which allows staff and students to easily connect to university wireless networks throughout the UK, Europe and beyond.

The problem from which the UK academic federation suffers is that the universities are generally unwilling to release enough details on their users to those services that need them, due to privacy concerns. The digital identity card merely states “member of University X”. Personally I think this risk is overstated and can easily be solved – for example, by prompting users to confirm that they’re willing to release whatever personal details are needed on an occasion-by-occasion basis. This type of interface is becoming much more common in federated systems.

The limits of trust

So the government has a problem on its hands: that of finding an organisation or body that is capable of verifying a user’s identity and which is trusted by both user and government. Each user may have their own choice of a few they favour, but for the entire UK population this list would run into the thousands – far too many to federate and manage.

Perhaps the banks might offer a solution, since there are only a handful of them yet they provide accounts to almost everyone in the country. Unfortunately not: attending a bankers’ dinner recently, I found myself discussing user authentication. Currently each bank has its own means of authenticating its customers, one for online banking and another for telephone banking. There is no standardisation of these within banks, nor is there any federated identity management between them.

I asked why the banks didn’t join together into a federated system, so that customers could access all their bank accounts with a single, strong authentication mechanism from a single common identity provider. They were horrified at the thought. The risk would be too great – the identity provider would be a honeypot for attackers, as hacking one user’s credentials would provide access not just to one account at a single bank, but to all the customer’s accounts at any bank, and any other services – such as government services – that relied on the system for identity verification.

So the bankers thought it better to keep tight control over user authentication and manage the risk themselves. Banks know how to manage risk. If they are not willing to go down the federated route, then perhaps the government might need to think again.

And where does this leave us users? Still trying to manage dozens of usernames and passwords, perhaps re-using the same password everywhere – hardly a model of safety.