the elusive pursuit of outsourced digital identity

Remember when UK banks were innovative, leading the world and always at the top of the polls for brilliant customer service?

No, me neither.

Actually, that’s not entirely fair. There have been brief flashes of innovation. In the late 1990s and early 2000s the UK government hoped that banks would become trusted providers of digital identity for online public services. It was the first attempt at delegating the provision of identity to competing third parties rather than government acting as a provider itself.

I want to revisit that work: it’s often overlooked despite its continuing relevance in terms of what does – and doesn’t – work.

1990s innovation

In the late 1990s and early 2000s I was involved with the Cabinet Office’s experiments with NatWest and Barclays Endorse to see if banks could authenticate individuals to prove who they were when accessing online public services. After all, banks had conducted ‘know your customer’ (KYC) checks and often had long-term relationships with their customers. They were therefore well placed to confirm who somebody was, acting as trusted third parties or so-called ‘identity providers’ (IDPs) for both individuals and businesses.

At least, that was the theory. The reality never lived up to expectations.

In 1997, the government’s iForms pilot with NatWest bank enabled an individual to fill in one single online form and sign it digitally with their NatWest smart card. Appropriate data from the ‘intelligent form’ was then parsed and sent to three different departments: Inland Revenue, HM Customs and Excise, and the Department of Social Security’s Contributions Agency. A pilot change of address service similarly used Barclays Endorse and Royal Mail ViaCode smart cards to enable a citizen to inform government (in the shape of Inland Revenue and the Department of Social Security) once of a change of address.

These were early examples of the UK government’s attempt to use third party ‘identity providers’ – namely banks, Royal Mail and the British Chambers of Commerce – to authenticate users accessing online public services. The same approach has been revived more recently by the GOV.UK Verify programme – and with much the same results.

The UK Government has repeatedly attempted to use trusted third parties / identity providers since the 1990s

The iForms trial helped inform the UK government approach to online security and authentication published in 1999. It set out an authentication method for online public services that used digital certificates issued by trusted third parties for use by individuals or businesses. It was part of the government’s authentication framework, the first version of today’s Good Practice Guides, which continue to pursue the idea of using third parties to provide identification and authentication for online public services.

Outsourcing identity is no panacea

The idea of outsourcing identity for public services to third parties never really worked particularly well, something the more recent GOV.UK Verify programme has rediscovered. This wasn’t just because of some of the potential problems inherent in the approach, but a whole range of factors, including the fact that government itself is the source of the most trusted legal status data (such as name, date of birth, nationality, etc) that underpins much of the core data around identity, including banks’ KYC checks. Government is well-placed to identify the users of digital public services using information it already holds without forcing users to register and share their personal information with a commercial organisation.

Citizens disliked a third party being introduced into their interactions with online public services. This really shouldn’t come as any surprise – most citizens wouldn’t be happy if they entered a Jobcentre Plus or their GP surgery and were forced to share their personal information with a commercial organisation before being allowed to speak with a DWP employee or their doctor. The same principle applies online. Similar negative feedback about the role of commercial third parties was received many years later both in the early days of the GOV.UK Verify programme and more recently by the Scottish Government.

There’s also the thorny issue of liability: if it turns out someone isn’t who they claim to be, who is going to be held accountable – the third party provider (such as a bank) or the operator of the government service they’re accessing? In any case, reliably matching someone to their data is often a bigger problem than identifying who they are, as I’ve previously discussed in ‘the identity / data divide’.

When the UK government launched its cross-government identity and authentication platform in 2001, it supported both third party ‘identity providers’ (via smart cards) as well as its own authentication service (using a login ID and password). Among the smart cards supported were those issued by the British Chambers of Commerce (‘ChamberSign’) and the Post Office (‘ViaCode’). Support was later added for chip and PIN cards.

The result was a mixed environment of both government-issued and private-sector issued credentials – leaving citizens and businesses with the choice of which to use.

Government services offering the option to login either with a third-party credential (via a digital certificate) or to use the cross-government user ID and password

In the end, neither smart cards nor the use of commercial third parties proved popular. Citizens and businesses preferred to use the public sector’s own platform to access online services. The banks ditched their early smart card efforts, and the government relied on its own user ID and password service for user authentication. Royal Mail shut down their smart card efforts in 2002.

Royal Mail’s ViaCode ‘state of the art’ digital identity solution in 2000

Learning from what works – and what doesn’t

So where does all this leave us? I think several issues are worth considering:

  • as analyst Steve Wilson has noted, the 1990s theory of relying on third party ‘identity providers’ has never been fulfilled: ‘If Identity Providers are such a good idea, they should be widespread by now in all advanced digitizing economies! … The truth is that Identity Providers, as imagined, can’t deliver. Identity is in the eye of the Relying Party. The state of being identified is determined by a Relying Party (RP) once it is satisfied that enough is known about a data subject to manage the risk of transacting with them.’
  • user feedback shows that citizens don’t particularly like commercial organisations being inserted between themselves and their public services, requiring them to disclose personal information to someone who has no obvious place in that relationship. It’s time for this feedback to be acknowledged and acted upon.
  • government has an obligation to make sure digital services are as accessible to everyone as our face-to-face public services – inclusion is essential. A range of identification and authentication solutions already exist in the public sector in the form of NHS Login, the Government Gateway, etc. These are perfectly valid solutions to meet citizen and business needs for access to their digital services.
  • proof of identity is not a one-off exercise, but a continuing process of risk assessment. Behavioural and transactional analytics have become an important part of ongoing risk management, something which is more effective if identification and authentication processes are not entirely separated from everything else.
  • the private sector should be free to innovate and add value around identity, but not to become the exclusive gatekeeper of access to our online public services. If, as they develop, initiatives such as Open Banking and digital identity apps and services have the potential to offer supplementary ways for citizens or businesses to authenticate to public services – as smart cards did in the late 1990s and early 2000s – then that’s all good. But that should be a choice for users, not an arbitrary top-down mandate.

What next?

As we head into 2020, it’s worth taking a step back to review the landscape, reflecting calmly and rationally on the evidence and lessons learned and what’s needed. Some of the theories around digital identity, based around outsourcing it entirely to ‘identity providers’, have undoubtedly impeded progress with improving public services over the last 22 or more years. Government has shown it can provide its own trusted platforms for access to digital public services. Indeed, for the NHS and the way we access our medical records and services it seems unlikely to me that citizens would accept commercial suppliers being forcibly inserted into the mix. We should make time to listen to users and their needs.

The New Year presents an ideal opportunity to reassess where we are and to reset digital identity in a practical, constructive way – to the benefit of citizens, businesses and government alike. There’s space for both government-run services and private sector innovation. Government can play an important role in helping foster the right environment to enable that to happen. An environment that places citizens and their dignity, security and privacy – not tired, decades-old theories about identity – at the centre.

4 comments

  1. Jerry, a great piece, very engagingly written and full of background that is new to me.

    May I just wave an arm vaguely in the direction of something possibly missing from the analysis of public dislike of outsourced verification?

    I have paid taxes (and NI) now for 50 years, I’ve had passports and one driving licence over the same period, paid rates (and all successive charges) on a house continuously occupied for 35 years and registered births, marriages & deaths and use the health services. Then there’s sheets of records at Companies House and more at HMRC as they gleefully take my corporation tax and VAT to ‘spaff up the wall’ (inter alia) to armies of developers at GDS… Yet Verify can not establish who I or Mrs InSadly are, and I’ve wasted too long trying to make it work.

    But, you may delight with me in a massive recent win (and my good fortune) – I now have a concessionary bus-pass. The application form can be downloaded but has to be posted back to base with photocopies of driving licence and a bank statement – allow 3 weeks for processing. The rules for usage (hours it works) are not online – but I was able to bus half of the 5 miles to town hall to pick up the leaflet. #DigitalTransportation

    Citizens don’t particularly like costly, late, awkward systems that don’t work and the lack of leadership, ownership and accountability relating to our public digital infrastructure that is at its root.

    All best wishes for 2020 and beyond!
