20 years of “online government” 101. Part 3: approaches to identity

This is part 3 in my occasional blog summarising the past 20 years or so of UK efforts to move government online. The previous parts provided summaries on progress towards a single online presence and a similar high-level summary of the overall architectural thinking.

In this one, I’m going to run through some of the key policies and developments around online identity during this same timeframe. So let’s start back in 1996 with the Government Direct green paper, which recognised that:

“…. something like a cash dispenser card is going to be needed for dealing with machines like public access terminals or, in the future, with terminals in the home … for some transactions government may need a higher level of certainty about the identity of an individual than the arrangements used for telephone banking. This could involve the use of “smart cards” … The principle of these cards is the same as the older magnetic stripe cards – a piece of information on the card is combined with another piece of information, like a PIN number, to ensure that the right person is using the service. … The Government intends to carry out evaluations of available systems and conduct trials to find out the type of electronic signature which works best, and which is most convenient for people to use.”

In 1998, the Parliamentary Office of Science and Technology described the two alternative views of identity that have largely defined the debate ever since:

“The first holds that it is the responsibility of government to provide an official ‘citizens card’ once it expects people to use it to access and validate official transactions – just as it provides other documents such as passports and driving licences. The alternative view is that if there is a ‘market’ for ‘identity’, then it can be met by any number of private means and does not need a single official mechanism which could be portrayed by some as the equivalent of a national identification card. If a unitary approach were taken, an obvious candidate to provide the template for a citizen’s card would be the ‘Benefit Card’ already being introduced and which will need to be held by a significant proportion of the population. In favour of this (if this were to be a smart card) would be the likely efficiency gains through allowing broader functions to be built upon it. Against it could be the possible stigma (whether because of its association with benefit claims or the fact that the original motivation for the card was fraud prevention).”

Several demonstrators and pilot programmes making use of smart cards were developed by the Central IT Unit (CITU) during the mid to late 1990s, including one that modelled potential electronic voting in a London-wide election and another that modelled notifying government once of a change of address. These used Royal Mail’s ViaCode and Barclays Bank Endorse smart cards. The logical schematic of the change of address demonstrator, which used XML and other open standards such as HTTPS, LDAP and SMTP, is shown below.

change of address demonstrator

The e-Government Authentication Framework from 2000 had as its focus the problems of ensuring that:

    • a given identity actually exists
    • a person or official of an organisation is the true holder of that identity
    • identity holders are able to identify themselves for the purpose of carrying out a transaction via an electronic medium

It identified the need for government to only release personal or commercially sensitive information against reliably verified identity, to provide services and benefits only to those entitled to receive them and to protect people against misuse of their identities. Its key philosophy was that

“Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible … Where third-party service providers are conducting transactions on government’s behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.”

So out of the two potential models outlined in the earlier Government Direct paper, a federated identity model was to be the preferred choice, enabling the development of an identity ecosystem that could tap into existing organisations able to confirm online the identity of individuals. Four levels of trust in terms of the quality of identification required were established:

0 — Informal Transactions
1 — Personal Transactions
2 — Transactions with financial or statutory consequentials
3 — Transactions with substantial financial, statutory or safety consequentials

Each of these levels required a progressively more significant level of registration, authentication and verification services — from none required at Level 0, to full face-to-face initial registration at Level 3 together with the use of “a digital certificate. This will preferably be held in a secure token, such as a smart card. Users will demonstrate their right to that credential through the use of a private key and a password or biometric. The system will authenticate users based on the validity of public key / private key pairs, and on the validity of the credential.”

In 2001, the UK Government Gateway was launched, providing a range of transaction management and identity-related services to turn policy into reality. As mentioned in Part 2, the Gateway provided the infrastructure required to connect government into the federated identification and authentication services being provided by third parties via smart cards — such as Barclays Endorse, Royal Mail’s ViaCode and certificates being issued by the British Chambers of Commerce. When the smart card market largely collapsed in the fallout from the dotcom boom and bust, the Gateway ended up primarily using UserIDs and passwords — limiting the level of services that could be used (since UserIDs and passwords were not capable of establishing the levels of trust and authentication possible with smart cards).

The Gateway’s core services were designed to meet various needs including:

    • authentication (we know who the person is)
    • authorisation (we know they are entitled to use the service)
    • the capacity they’re operating in (i.e. their role)
    • varied credential types (userID/password, digital certificate, etc.) issued potentially by various (trusted) parties

It also needed to meet the government’s requirement to support delegated rights:

    • to third parties (agents / intermediaries acting on behalf of people)
    • to assistants within an organisation (subsets of user rights, such as those needed for an employee working on VAT returns within a business)

In addition, it provided reliable, secure, two-way transactional synchronous and asynchronous messaging between citizens, businesses, intermediaries and government — including, where appropriate, the authentication of those messages.

The solution adopted the open standards proposed by the UK government as the way to underpin its e-Government programme and formed part of a wider move towards a Service Oriented Architecture (SOA) for government. Key elements of this included:

    • metadata framework: Dublin Core / W3C Resource Description Framework
    • security framework: ISO/IEC 17799:2000 information technology, code of practice for information security management, Common Criteria
    • data interoperability: IETF, W3C, WS-I (including WS-Security), OASIS interoperability standards (eg. XML, SOAP, SAML)
    • management and operations: OGC ITIL

Government Gateway

In 2001, the “E-government strategy framework policy and guidelines: Registration and authentication” addressed security requirements related to the provision of registration and authentication services to support access to e-government services. It defined these two key processes as follows:

    • Registration: This is the process by which a client gains a credential such as a username or digital certificate for subsequent authentication. This may require the client to present proof of real-world identity (such as birth certificate, passport) and/or proof of other attributes depending on the intended use of the credential (eg proof that an individual works for a particular organisation). Registration can be associated with a real-world identity or can be anonymous or pseudonymous.
    • Authentication: The process by which the electronic identity of a client is asserted to, and validated by, an information system for a specific occasion using a credential issued following a registration process. It may also involve establishing that the client is the true holder of that credential, by means of a password or biometric. A client is required to authenticate their electronic identity every time they wish to engage in an UKonline session.

The main purpose of the model was to establish the framework for the federated identity system, setting out the approach to the provision of all or part of e-government services by third parties, including obligations on third parties for registration and authentication. It also set out the various trust models for registration and authentication. It further clarified the requirements both for initial registration and subsequent authentication across a range of government services. An updated version, Version 3, appeared in 2002, and incorporated comments received after a public consultation exercise.

The federated identity model was part of a wider federated approach, one that foresaw a mixed economy in the supply of online government services, with many to be available through third parties (intermediaries) as well as direct from government itself. This was detailed in the 2003 “Policy Framework for a mixed economy in the supply of e-government services” consultation document which aimed to

“… create mixed economy — a marketplace where government, private and voluntary sectors can come together to deliver e-Government services that better meet the demands of our customers. A successful mixed economy will be a force for maintaining the UK’s position as a leading knowledge economy. For this to happen we will need a clear framework for government and intermediaries to participate. This document describes what needs to be done, the opportunities and the principles of intermediary involvement, and the support we are putting in place to drive our agenda … in three years, there will be a mixed economy in the supply of public services, where consumers (citizens & businesses) can engage intermediaries from the public, private or voluntary sectors to use public services in the manner that suits them.”

intermediaries

One such example given is:

“Simple Transaction – Motorist Organisation. A motorist services company might want to add Vehicle Excise Duty (car tax) to their portfolio. Their offer becomes more of a “one-stop-shop” and is likely to increase customer loyalty, or attract new customers to the service.”

(As an aside, this approach is quietly radical in its implications: in this simple example of Vehicle Excise Duty, VED, it has moved the debate from a narrow discussion of better ways of automating current processes within an existing organisational structure, such as DVLA, and is instead evaluating options that would potentially see other players undertake the functions previously done by government. After all, why not let insurance companies collect VED in the same way most other tax collection, such as VAT and PAYE, is already outsourced to retailers, employers etc.? This type of fundamental rethink of how best to achieve outcomes rather than to think within existing constraints has all too often been absent when considering how best to use technology to redesign and re-engineer public services)

Anyhow, back to our story … The Gateway’s identity services were later enhanced to support EMV (the chip and PIN standard developed by Europay, MasterCard and Visa and widely used for authenticating credit and debit card transactions).

trust framework

trust architecture

In parallel with these developments, and in apparent conflict with the earlier approach to a federated identity model, the government decided to pursue the development of a single national identity card that would be issued by the state. After many years of encouraging the growth of an ecosystem of identity providers and intermediaries, this model would have instead imposed a single identity for use with government services. These proposals for a single identity card formed part of the National Identity Scheme in 2005. It’s outside the scope of these overview 101s to go into the pros and cons of what was proposed, so anyone interested in more detail should have a look at Wikipedia’s summary. Under the terms of the Identity Documents Act 2010, identity cards ceased to be legal documents on 21 January 2011.

Since the general election in 2010, a familiar model has been proposed, one that returns to the earlier desire for a federated identity system. The Government Digital Service (GDS) is running the identity assurance programme (IDAP) and is both developing the technical standards needed to implement a replacement federated identity model for the Government Gateway (which is due to stop providing services in 2016) and putting into place the ecosystem of third party identity providers required to make it happen.

“Identity providers are organisations paid by the government to verify people’s identity so they can sign in securely to government services. Identity providers will have to meet industry security standards and identity assurance standards published by the Cabinet Office and CESG (the UK’s national technical authority). There are currently 5 identity providers — Digidentity, Experian, Mydex, the Post Office and Verizon — eventually there will be more. You can choose to register with more than one of them, and you can stop using an identity provider at any time.”

GDS has also recently announced a further initiative to bring in more identity providers, to further expand the choice open to citizens and businesses in the future.

They have set out 5 reasons for using third party identity service providers rather than doing this from within government:

“1. user choice – you will be able to choose your identity provider(s) and stop using a provider if you want

2. no centralised identity database – instead, to protect users’ privacy, each identity provider will be responsible for securely and separately holding data about the users that have registered with them. Each government department service will only have access to the data it needs.

3. security – using several identity providers is more secure and less vulnerable; there is no single point of failure and no single service that holds all the data in one place

4. developing a market – we’re giving identity providers freedom to design services to meet the standards. This will allow them to develop services that can be used by the wider public and private sector, which will help to reduce costs.

5. making the most of available technology – the technology and methods for identity verification are constantly evolving; specialist private sector organisations are better placed than government to keep up with these developments”

The independent Privacy and Consumer Advisory Group has also been providing guidance and advice to GDS to help ensure they’re designing a service based on user choice, control and privacy — and that there is an easy to use route to fix problems if they arise.

The new identity service is already in live private beta with two exemplar government digital services — HMRC’s PAYE and DVLA’s view driving record service. These are being progressively tested, developed and improved prior to being moved into public beta. The intent is that over the next few years online identity provision will adopt the new federated identity service. Users of the Government Gateway identity services will be progressively migrated to the new service, ahead of the Gateway infrastructure being wound down and eventually decommissioned.

IDAP beta

So, if all goes to plan, over the next few years we should see a modern version of the original federated identity model foreseen back in the 1990s. The technology may have changed from that originally envisaged — of smart cards and PKI — to one of chip and PIN and other potential mechanisms, but the intended outcomes remain largely the same: to enable citizens and businesses to use online government services in a trusted and secure way.


20 years of “online government” 101. Part 2: “e-government” architectures

This is the second part of an ongoing, occasional series looking back over the past 20 years or so of UK efforts to move government online.

In Part 1, I provided a very brief summary of progress towards a single online presence. It looked at the “front-end” of online government — the thinking around a “portal” or single website to act as a “one stop shop” for all digital government services. This helped set a context for Part 2, in which I’ll now provide a similar high-level summary of the overall architectural thinking, of which the portal/website was but one component. As before, this will only skim the surface — but hopefully provides a useful overview of what has gone before.

The open.gov.uk site established in 1994, and outlined in Part 1, was the first step in the evolution of a planned, pan-government architecture. The 1999 Portal Feasibility Study, which built upon this early work, identified the need for an architecture to insulate access channels from complexity, proposing a three-tier architecture that would achieve this whilst also providing flexibility. This conceptual model is illustrated below.

3 tier conceptual architecture

Whilst the various front-end channels were to be supported through the portal/website developments outlined in Part 1 (providing publication and syndication services), transaction management services (including related services, such as the identification, authentication and verification of users) were to be provided by a second tier — the services that collectively became known as the Government Gateway. This provided the middle tier, handling the orchestration and management of transactions across single or multiple backend departmental services.

As the report described it, the third tier:

“… provides the connectivity from the Departmental systems, including legacy systems, to the Transaction Management System through appropriate interface systems. This layer will “ring fence” existing systems. Its isolation layer will allow ongoing development of the Departmental systems without a knock-on development requirement on the Portal architecture.”

The report also emphasised the importance of open standards in ensuring that the three-tier model would provide the flexibility, in terms of security, scalability and resilience, required of online service delivery:

“The technical implementation of the three-tier architecture must provide the glue to link existing Departmental services and systems to a wide range of different access channel technologies. This means that open standards need to be proscribed and that the interface standards needed to ensure good interworking must be defined.

An open architecture will maximise the flexibility and opportunities for infrastructure provider competition. Every major interface in the architecture will need to have an interface specification defined for it. This will allow architectural components, services and supplier systems to be replaced easily and a ‘plug and play’ approach to be taken to architecture components, services and supplier systems.”

The physical architecture set out by the report to deliver this is shown below.

3 tier physical high level architecture

(For those not familiar with the acronym, ‘GSI’ was the Government Secure Intranet, now superseded by the PSN — Public Sector Network. This is an internal, secure network for private government-internal use only).

The importance of being able to identify a citizen or business when they are online has long been recognised as critical to the success and viability of any online public services. At the time, many smart card developments were in progress, such as Royal Mail’s ViaCode and Barclays Bank Endorse initiatives. The report recommended that “Public Key Infrastructure (PKI) should be provided using certificates and certificate authority solutions from companies such as VeriSign, Thawte or a retail Bank.”

Whilst the front-end services were delivered through the various developments outlined in Part 1, the middle tier component was provided by the Government Gateway. This was designed to provide support via open standards interfaces both for the orchestration of transactions, and for federated identification and authentication services provided by third parties via smart cards — as this press release from Barclays from around 1999 makes clear. However, the smart card market largely collapsed in the dotcom boom and bust, and the middle tier defaulted instead primarily to a User ID and password system, with a few businesses continuing to use smart cards for a number of years. These services were later supplemented through support for EMV (the chip and PIN standard developed by Europay, MasterCard and Visa and widely used for authenticating credit and debit card transactions). However, by far the largest method used was that of User ID and passwords, with the original federated identity model unrealised on any scale.

The middle tier was designed around the use of XML (the eXtensible Markup Language) and SOAP (the Simple Object Access Protocol), and drew upon other internet-based standards such as HTTP/S. Since there were no standard “off the shelf” patterns or templates at the time for the orchestration work required of the middle tier and its interaction both with backend departments and the front-end portal, the necessary XML and SOAP interactions were defined under the “GovTalk” banner, as part of the e-Government Interoperability Framework (e-GIF) initiative which aimed to bring public and private sectors together to agree the open standards necessary to deliver vendor-independent solutions for online government services. Possibly today much of this model would be constructed using JSON (JavaScript Object Notation) and RESTful (representational state transfer) solutions in place of the often rather verbose XML and SOAP requirements. It would also probably avoid the need for the “central hub” model, and provide more of a peer-to-peer services-based approach, such as that adopted by the Estonian government and its X-Road initiative.

By 2004, the overall architecture was looking broadly like the schematic below.

high level architecture 2004

In addition to the original core middle tier services of identity and transaction handling, additional service components — such as a payments engine and secure messaging (similar to the kind used for banks to communicate securely online with their customers) — had also been added. The ‘Gateway DIS’ function was the departmental integration service (hence ‘DIS’), providing the bridge between the open standards (XML, SOAP etc) being used in the middle and front-end tiers, and whatever proprietary or bespoke requirements needed to be met within the departments’ existing IT systems estate.

This architectural model remained largely the same over the intervening years. Its open interfaces and specifications enabled, for example, payroll providers to embed support for online government transactions directly inside their applications, automating the interaction of business with government across both authentication and transaction handling systems.

In the meantime, and as I described in my piece for the Register “Can the UK have its identity strategy back, Mr President?” in 2009, the USA adapted the earlier UK federated identification and authorisation model. In turn, the UK has been actively revisiting the desire to move back to a federated identity model as originally foreseen in the late 1990s and away from the dependency on the much-criticised and user unfriendly User ID and password system of the Government Gateway. The Government Digital Service (GDS) has usefully summarised current work on implementing a new federated identity service in their recent blog post “What is identity assurance?”

The middle tier is now in its twilight years, with the Government Gateway due to be terminated around 2016. Given the many changes in technology since the late 1990s, together with the implementation of more up-to-date technology practices within government on the back of the work of GDS, many elements of the overall design of online public services are currently in motion. They will doubtless build upon the recent work to embed open standards in government, the replatforming of gov.uk, the ID Assurance programme, and the work on the 25 exemplars — all within the guiding framework of the Service Design Manual.

The work of Simon Wardley, and his Wardley maps, are of pragmatic significance in the current debate about how “special” or “unique” government is in its user and technical needs, and how they can best be met. As Simon points out, “…  the maps cover activities, practices and data and aren’t limited to a specific field such as technology. They can be used to identify common services, differences, areas of efficiency, potential strategic gameplay, solve communication issues and … a long list.” Even in a complex area such as taxation or welfare, breaking down the needs and the potential means of meeting them quickly reveals that a wide range of both utility and product elements can help meet those needs, with only a small core — such as the nature of the rules of calculations to be conducted — being the unique, one-off elements required in the realisation of UK-specific policy.

There have been multiple detailed analyses and inquiries into the problems of closing the long-standing gap between political aspiration for better public services and meaningful, sustainable delivery on the ground — such as those of the National Audit Office and the House of Commons Public Administration Select Committee. The problems encountered have rarely been exclusively technical — after all, the architectural approaches of the past, described above, would not look particularly out of place in a private sector organisation over the same time period. I’ll aim to review and comment upon some of the wider work analysing the causes of this long-standing gap, and current and earlier work that aimed to fix it, in a future post.

Update: Part 3, approaches to identity, is now available


‘London Streets’ interactive app

London Streets

Just a reminder, my free app London Streets is now available — for both Apple and Android devices. (Windows Phone 8x is on the way too …)

The app has its roots in my time at City University in the 1980s. Whilst living at Northampton (“Notty”) Hall (RIP) in Bunhill Row, I started to explore the many streets, alleys, courtyards and passageways of the square mile.

I’ve been living in and exploring London ever since, so I guess you could say this app has been a very long time in gestation … work and life have a habit of getting in the way.

All feedback welcome — in fact, essential, as I intend to continue researching and developing both this and some related apps. So please do let me know what you think …

App Store

Google Play

Amazon App Store

It works on most devices (other than those with the very small screens), and is at its best on larger devices, particularly tablets. A little more background and detail in my earlier post here.

 


20 years of “online government” 101. Part 1: progress towards a single online presence (including pictures)

I’m going to bring together in a variety of posts (in no particular order and at random times) a very succinct summary of various aspects of the move towards online public services over the last couple of decades. This draws upon research we did at CTPR, along with personal engagement with some of these efforts, and discussions and debates with a whole host of people and organisations who have grappled with the problems and opportunities over the years. This first post isn’t intended to be comprehensive or definitive — it’s more of a quick 101 of work around a single online ‘portal’ or web presence for UK central government services for those not familiar with the story so far.

So it was nearly 20 years ago that open.gov.uk — the first UK online portal for government services — went live.

open.gov.uk

This was the work of the Central Computer and Telecommunications Agency (CCTA), reporting to the Cabinet Office. open.gov.uk acted as a sort of government single point of presence “launchpad” through this new “Government Information Service”, helping users navigate multiple department and agency sites. The CCTA also hosted websites for departments and agencies, aiming to persuade them to work in a collegiate way to provide a more integrated online presence.

In 1996, the ‘Government Direct’ green paper positioned itself as ‘a prospectus for the electronic delivery of government services’.

Government Direct

It promised to “… change fundamentally and for the better the way that government provides services to citizens and businesses … Services will be more accessible, more convenient, easier to use, quicker in response and less costly to the taxpayer.”

In 1998, the Parliamentary Office of Science and Technology (POST) conducted an extensive review of progress towards “Electronic Government”. It reported that the Government Information Service site had grown rapidly, but noted some conflicts between the desire for better, open data and the traditional pricing models of many agencies.

GIS

Amongst the many initiatives POST mention are the intelligent form (or iForm) pilot, for enabling notification of self employment through a single intelligent form that updated three separate government departments. It was also around this time the change of address demonstrator was busy being tested.

Change of Address

Then in 1999, the Portal Feasibility Study appeared.

Portal Feasibility

Commissioned by CITU (the Central IT Unit in the Cabinet Office), this explored the feasibility of developing “Government Portals as a potential, single, integrated means of access to Government information and services. This will allow information from different sources within Government to be brought together at one point, allowing the creation of new “joined-up” services with a standardised presentation.”

In 1999, this was followed by the Modernising Government initiative, which included a commitment to develop a single electronic presence aimed at opening up a range of “one-stop-shop” services.

Modernising Government

As a result, in December 2000, the GIS/open.gov.uk presence was replaced with the new UKonline citizen portal.

UK Online

UKonline didn’t restrict itself solely to an online web presence, but also reached out to other digital channels — including television.

UK Online TV

Rather than limit itself to replicating online versions of transactional paper forms, it also modelled what it called “life episodes” — which aimed to bring together a bundle of services based around events impacting citizens so they could be dealt with in a single place.

UK Online life episodes

In November 2003, a sister government portal for businesses — ‘businesslink.gov.uk’ — was launched to provide access to information and services for businesses.

Business Link

Then in March 2004, we see the first phase of the government’s next portal, ‘Directgov’, launched, revamping and replacing the earlier efforts in its memorable orange livery.

DirectGov

This was followed in 2010 by digital champion Martha Lane Fox’s review of government digital services entitled ‘Directgov 2010 and beyond: revolution not evolution’. As a result, an initial prototype of a new site, named Alphagov, was launched in May 2011 and invited feedback as part of work building towards a replacement for both the Directgov and Businesslink sites.

Alphagov

In August 2011, Alphagov moved into its beta phase, further refining and testing an all-encompassing single UK government presence. In October 2012, the site went fully live and operational as gov.uk, replacing both Directgov and BusinessLink.

GOV.UK

Work is currently in progress to continue refining and improving the site, with a particular focus on the delivery of an initial 25 exemplar services to demonstrate the art of the possible.

I think the official 20th ‘birthday’ of the original open.gov.uk/GIS site will be in October of this year — but if anyone knows better or has a more specific date, comments are open below…

UPDATE: Part 2 — “e-government” architectures — is now available here.

Images from my personal collection (how sad), the National Archives, Wikipedia and http://alpha.gov.uk. Sorry, some of them are the best resolution I can find — if you have better ones and are happy to share, let me know.


London Streets

I’ve been taking some of my earlier research into techniques for interacting with the past of place and moving them into the mobile domain. The result is an app, for both Android and Apple’s iOS, named ‘London Streets’.

The app is now live in Google Play — and going through the Apple review process.

This video gives a brief overview of some of what it’s about …

I’ll be providing more details about the work that went into this — on multiple fronts: from sourcing images and maps, the various theories about the origins and history of London street names, the design of sounds (music and sound effects), through to some of the techniques and technical aspects of working across both Android and Apple mobile platforms.

This all forms part of continuing research and development into the past of place, and how we might better interact and engage with it.

Let me know what you think of the app if you download and use it — user feedback is an essential part of helping improve and enhance the user experience, as well as often providing insight into new and better ways of doing things. And if you spot some mistakes — there are bound to be some, the volume of words, images and maps has been no simple matter to research and incorporate — please let me know!

In the meantime, here are a few screen grabs…

London Streets main menu

London Streets - street explorer

London Streets - more details

London Streets - some curios 'Victorian inventions'

Update: also now available on Amazon

Update 2: now approved by Apple and available in the App Store


escaping government IT groundhog day

Political interest in using information technology (IT) to improve the UK’s public services shows little sign of abating — but it’s also getting a bit long in the tooth. In my December 2013 CIO column Pantomime villains and heroes I used a few political soundbites that show how all the major parties have been broadly in agreement on this topic since at least 1996.

Some people have asked about the sources I reference in my CIO article, so I thought I’d put the list below together — and also add a few more recent political references.

“[IT will] provide better and more efficient services to businesses and to citizens, improve the efficiency and openness of government administration, and secure substantial cost savings for the taxpayer.” Year: 1996. Government: Conservative. Source: Government Direct.

“[IT will help us] make sure that public service users, not providers, are the focus, by matching services more closely to people’s lives … [and] … deliver public services that are high quality and efficient.” Year: 1999. Government: Labour. Source: Modernising Government.

“[IT will] allow us to give citizens what they now demand: public services responsive to their needs and driven by them. It provides us with the means to deliver public services in a way that maintains their quality but brings down their cost.” Year: 2009. Government: Labour. Source: Putting the frontline first: smarter government.

“[IT will enable us to] deliver better public services for less cost. ICT can release savings by increasing public sector productivity and efficiency … [and] will enable the delivery of public services in very different ways to the past.” Year: 2011. Government: Coalition. Source: Government ICT Strategy.

“… technology can be a powerful tool and reshape how government and citizens interact with each other. We must see digital government as a way of empowering people – service users and public sector employees, citizens and consumers – and enabling cost reduction in the process.” Year: 2013. Labour Party announcement of a Digital Government review – “Digital Britain 2015.”

All of these sentiments seem to echo an even earlier political interest in science and technology — Prime Minister Harold Wilson’s 1963 speech, which asserted that:

“The Britain that is going to be forged in the white heat of this revolution will be no place for restrictive practices or for outdated methods on either side of industry.”
(Walden, 2006)

Wilson’s speech is often used today as convenient shorthand for the idea of the “white heat of technology” being harnessed to help modernise and improve the UK. While that’s a useful summary, it risks missing Wilson’s important recognition of tackling out-dated models “on either side of industry” — both private and public sectors. In many ways, the failure to modernise and reform out-dated models in the public sector — and its private sector supply chain — has been a major contributory factor to the failed attempts to use IT as a lever of public sector modernisation.

The lethargic pace of improvements in the public sector compares poorly with the significant revolution in the private sector that has been enabled by IT over the past few decades — everything from on-demand music, films and TV to iPhones and iPads, to ATMs and 24-hour online banking, to Twitter, Facebook, Tripadvisor and Patient Opinion. IT has disrupted and changed beyond recognition numerous industries and businesses, challenging once dominant brands such as HMV, Kodak and Blockbuster and replacing them with organisations such as Netflix, Flickr and Amazon that are byproducts of the digital age. It has also developed a range of IT models — everything from agile to six sigma — rather than the one-size-fits-all waterfall model that has all too often been (poorly) applied to government programmes in the past.

The leisurely progress of the public sector has certainly not been caused by any lack of ambition or public funding — quite the opposite: eye-watering amounts of public funding have been thrown at IT over many decades, yet with remarkably little to showcase in terms of meaningful, widespread improvements in our public services.

This apparent inability to exploit IT in a genuinely transformational way in the public sector sits uneasily with the UK’s reputation as a pioneer in computing. After all, it was the UK that brought the world figures such as Charles Babbage, Ada Lovelace and Alan Turing, and innovations from Colossus to the BBC Micro, Sinclair ZX-80 and most recently the Raspberry Pi. Add to this the fact that the civil service itself was an early pioneer in the use of computers and something has clearly gone seriously wrong.

The cross-party House of Commons Public Administration Select Committee (PASC) report on Government IT (PDF) along with numerous National Audit Office and various Public Accounts Committee reports over many years have identified various reasons for this mismatch between political vision and its implementation. Much of this centres on the dual problem of the way that IT has not been seen as a core competence in Whitehall combined with its wholesale outsourcing to a small group of large suppliers. The cross-party House of Commons PASC report found that:

The lack of IT skills in government and over-reliance on contracting out is a fundamental problem which has been described as a “recipe for rip-offs” … government is currently over-reliant on a small “oligopoly” of large suppliers, which some witnesses referred to as a “cartel”. Whether or not this constitutes a cartel in legal terms, current arrangements have led to a perverse situation … benchmarking studies have demonstrated that government pays substantially more for IT when compared to commercial rates. The Government needs to break out of this relationship.

Earlier, the Digital Britain report of 2009 had recognised that:

Government will need to become genuinely “of the web”, not simply “on the web”. That means designing new services and transactions around the web platform, rather than simply adapting paper based, analogue, processes … Bringing about this scale of change will require significant leadership and focus and a willingness to put this reform at the heart of Government activity as opposed to tacking it onto the side of existing ways of working.

Here was public recognition that IT itself was not the root cause of the problem: what was needed was reform of the very nature of our public services, and the way they were designed and operated. Yet how would such a major programme of redesign and improvements in our public services ever be possible if a major part of that programme — the IT — was outsourced and not under expert and experienced public sector control and design?

Martha Lane Fox was one of several advisors on Labour’s Digital Britain report and went on to develop the influential “Directgov 2010 and beyond: revolution not evolution” report for the coalition government. This led to the creation of the Government Digital Service (GDS) and a move to bring expertise back in-house, moving away from the failed and expensive model of simplistic outsourcing of IT to large suppliers.

The current programme is effectively a pincer movement that relies on two complementary initiatives to work together in support of each other — and which together seek to bring about the cultural improvements required to deliver on the long-held political vision set out in the quotes above.

On one side are the changes of the past few years that the NAO has examined — the efficiency savings that aim to remove waste and duplication and bad practices, including breaking up major contracts and making them into more competitive lots that more companies, including SMEs, will be able to bid for. The intent is to move the UK away from seeing everything as a procurement problem (and in particular its over-dependency on the handful of corporate IT suppliers that have dominated for so long), and to introduce genuinely open competition and innovation into the marketplace.

On the other side is the equally important focus on improving the design, operation and delivery of public services, spearheaded by the Government Digital Service. If the spend controls are the stick, the digital by default initiative is the carrot — encouraging a renaissance of skills and expertise within the public sector and enabling government to retake control of its own destiny. Although notionally about introducing best practices in user driven needs and the iterative development of solutions, this initiative also carries with it equally important aspirations to improve capabilities throughout Whitehall — including ensuring that Permanent Secretaries and their direct reports do not see technology as something merely to be thrown at a project later downstream as in the past, but as part of the very nature of how modern, twenty-first century services can be entirely redesigned from the ground up. Digital is becoming an integral, pivotal part of both public service and civil service reform — rather than something to be thrown at a large external supplier: its success would fulfil that long-held dual aspiration, of better designed, lower cost digital public services — and the redirection of resource to our frontline services.

It is this attempt to address what Wilson referred to as the “restrictive practices [and] outdated methods” both within the private and public sectors that will determine whether government and its use of IT can finally succeed in escaping the groundhog day of repeated optimistic visions for its potential and failed implementation. Success relies on re-engineering and rethinking our public services from the ground-up based on users’ needs — not in merely throwing IT at a broken system.

If it is to succeed, this pincer movement requires very careful nurturing and dogged perseverance. The same type of cross-party consensus that has underpinned the vision for IT now needs to be extended to its implementation. Such a cross-party consensus is important to help expedite the necessary structural, organisational and cultural changes across both private and public sectors — finally holding out the prospect of delivering that long-held promise of better designed public services.

This is too important to be allowed to become a party political issue: if that were to happen, instead of meaningful delivery of better public services, we’ll probably find ourselves in another twenty years looking at 40 years’ worth of wonderful, aspiring soundbites — and regretting what could have been.


UK Government ID Assurance Principles – consultation and feedback

… time to set out a few personal thoughts on the independent Privacy and Consumer Advisory Group (PCAG) — and our work overseeing and advising the UK government on various items relating to privacy, identity and security.

PCAG (which I chair) consists of (unpaid) members from a variety of academic, civil society, business, government and consumer groups. They give considerable time and expertise for free, and bring a wealth of experience and expertise from a suitably diverse range of perspectives.

Sometimes we agree, and sometimes we don’t: the purpose is not so much to reach some kind of pointless “group think” consensus as to ensure a robust and sustainable approach to these complex, interwoven topics that will enable the delivery of better public services whilst respecting the need for strong privacy and security. Neither does participation in the group imply any “endorsement” of any specific aspects of government programmes such as the identity assurance scheme from the individuals or the organisations they represent — they are free to dissent or approve of what is happening, in total or in part, as they see fit.

Our focus is on ensuring that the UK government works to provide users (citizens, businesses and the ‘third sector’) with an easy to use, trusted, secure and privacy-compliant way of accessing public services. This will require users to have control of their own personal information; ensure that information is not centralised into a vulnerable single honeypot; and provide a choice of trusted organisations to use for online identity services. (I’m going to ignore here some macro issues, such as recent revelations about the mass interception of private electronic communications by various government agencies … that’s a whole encyclopaedia’s worth of blogs and a subject I’ll return to elsewhere).

The group has worked for some time on developing a draft set of identity assurance principles. In June this year, the latest version was put out for consultation. This was our second round of public, transparent consultation (kindly facilitated by the Government Digital Service, GDS) following on from an earlier draft published in April 2012. This open process is intended to help ensure the principles are designed to the highest standard and that all voices have a chance to make themselves heard.

It was also useful that the Scottish Government provided input via their Identity Management and Privacy Principles, which suggest a close alignment between both the objectives and some of the means by which identity can be made to work in a secure and privacy sensitive way. (On a point of transparency, I should point out I may be hopelessly biased on this point since I was also one of the members of the expert group that earlier helped the Scottish Government develop their principles. Yes, yes, I know – I really must get out more.)

As an independent expert group, PCAG has a mandate to challenge and question, as well as to receive detailed explanations of both the policy intent and the technology being used and the systems and the architectures being developed. To be frank, we have no formal power: the group can advise, question, criticise and comment, but the government’s identity assurance programme (IDAP) team and others we engage with are free to take or leave our advice. In practice, however, we have found the IDAP team receptive to our inputs and critiques.

The principles are to a large extent about re-establishing trust — and build on the premise that personal data should be effectively protected from those who would seek to misuse it either by accident or by design. Whilst an updated version of the principles based on recent feedback will be published as a formal “1.0” release once we’ve had a chance to integrate the recent round of feedback, we have always seen them as a living, breathing entity that will continue to evolve in the light of practical experience.

The range of feedback we’ve received during the most recent public consultation period is diverse, so it’s taking time to collate and action. It also spans numerous categories: some feedback provides material, important clarifications and will be incorporated into an updated draft of the principles. Thank you for this — sometimes it takes others to see the wood when you’ve been standing far too close to the trees examining the intricacies of the patterns in the bark. Other feedback has related to the principles’ wider context, and recommended communicating better where and how they fit; whilst other comments highlighted minor grammatical/presentational aspects.

Many other comments provided a mix of alternative views on the progress of the government’s IDAP programme itself and hence fell outside the scope and role of PCAG. For example, some comments were actually questions about progress of the early alpha and beta services using the new approach to ID, or about the identity providers and the nature of their contracts with government, or about departments and their plans for early adopter services. These questions are for the IDAP team and their work with identity providers and departments on development and delivery, not PCAG. Whilst we take an active interest in the physical realisation of the system, it is the definition of, and compliance with, the principles that concern us — from the low level technical and computational level to the policy and regulatory level. We seek assurance that the principles are being delivered across all of these levels.

Some other respondents appeared to misunderstand the context of the principles, and sought to cover related, but mature and well understood ground, about the nature of identity systems. It’s therefore worth me restating here that the principles are focused on the operation of a user-centric, privacy-compliant identity assurance service. Their purpose is not to cover the many other, well-worn aspects of identity: much of the foundation for the new service is already well understood and covered in the Good Practice Guides. Likewise, some comments about biometrics having been “missed” for example, seemed unaware that this topic is well covered in GPG 44 (Authentication Credentials in Support of HMG Online Services).

Such comments usefully flag again the important issue of how to ensure a better understanding of IDAP, the principles and the way they will enable users to interact in a trusted way with online public services. We have discussed with the IDAP team the need for better, clearer and simpler communication and some less technical documents that convey the purpose and nature of the programme and the principles — something akin to a Ladybird Book or a ‘101 on identity, privacy and security’ for those who would like or need to better understand.

I hope that we’ll be able to publish the revised and improved principles early in the new year — and thank all of you who found the time to respond. It’s much appreciated.
