Online identity

This is an attempt to bring together in one place a selection of online identity-related publications and initiatives by the UK Government. Over the past few decades the UK has experimented with various ways for citizens and businesses to prove who they are when using public services.

The developments discussed here draw upon the Digital Government and e-Government Archives, together with other public domain sources. The archives are now quite large, so the aim is to help provide additional context. This isn’t a comprehensive narrative, but is intended to provide a flavour of the key developments and policies over the past 20 or so years. It’ll be updated and improved from time to time.

Overview

Online public services often need to have proof of someone’s identity. Personal tax and welfare information for example, or medical records, require assurance that the person trying to access that information is really the person they claim to be – and that they have the right to access those records.

The Parliamentary Office of Science and Technology (POST) report “Electronic Government: Information Technologies and the Citizen” of February 1998 set out two opposing views of identity (illustrated below) which have essentially defined the issue of identity in the UK: an official government-backed identity card versus cultivating a marketplace of identity providers.

The two main opposing views of identity (derived from the POST report of 1998) [source: Jerry Fishenden]

Third parties to help prove identity

The UK has experimented since at least 1997 with the use of third parties to help prove identity. These various attempts to use third party identity providers (IDPs) from 1997 onwards are discussed in more detail in the Key identity policies and initiatives section below.

Identity cards to help prove identity

Another approach to identity was developed during the period 2006-2010, when identity cards were proposed as a so-called “gold standard” to tackle the issue of identity. This was not the first time identity cards appeared – they were introduced in 1939 for the Second World War via the National Registration Act, which established both a central register and the cards themselves. The National Registration Act of 1939 was repealed on 22 May 1952, after which it was no longer necessary to have an identity card.

The Identity Cards Act of 2006 saw their reintroduction. However, the outdated design of the approach (mandating plastic cards in primary legislation, together with a central register containing a rich mix of biographic and biometric data) generated notable criticism from security experts, lawyers, civil rights activists, IT and computer professionals and politicians.

An example of the obsoleted UK identity card showing both front and rear features [source: UK Home Office]

Part of the idea of the central register was that it would hold an extensive set of personal biographical data, and various biometrics (such as fingerprints, digitised facial scan and iris scans). It would also map an individual to the various unique index numbers used in other parts of government – such as a citizen’s National Insurance Number (NINO) – to enable these disparate systems to be interconnected and linked to a “unique identity”. Whilst this was seen as a convenience for promoters of the approach, for others it represented a significant security flaw and breach of citizens’ privacy.

The incoming coalition government in 2010 repealed the Identity Cards Act via the Identity Documents Act. The focus once again swung towards the alternative model, with work starting in 2011 on an identity assurance programme initially called IDAP (it was later renamed “Verify”). However, some elements of the approach taken with identity cards have remained, most notably the biometric residence permit (BRP) which provides evidence of the right to reside for non-UK nationals.

An example of the current UK biometric residence permit (BRP) [source: Home Office]

UK driving licences and passports are the main official documents used to help prove identity, despite this not being the purpose of either of these documents. For those UK citizens without either a passport or driving licence, proving identity can be difficult.

Current situation

Some 20 years after the initial use of third party identity providers, a variety of initiatives are currently in play.

The Government Gateway

The majority of central government online services currently use the Government Gateway, which has been in operation since 2001. It provides a means of accessing services such as HMRC’s Self Assessment online using a UserID and password, more recently also enhanced with two-factor authentication (via a time-based code either texted to a registered user’s phone, or generated by an application running on the user’s mobile phone).

The Government Gateway provides a way for citizens, businesses and intermediaries (those acting on behalf of others, such as accountants or those holding Power of Attorney) to authenticate to government services. The recent National Audit Office report on Digital Transformation in Government noted that it “currently hosts 138 live public sector services, and … is being improved”.

Verify identity assurance framework

In addition, the Government is currently pursuing the Verify identity assurance framework, which aims to establish a means of both private and public sectors being able to trust an online identity so that citizens can re-use it across multiple service providers. It builds on earlier work on the use of trusted third parties.

Verify system

There is also the GOV.UK Verify hub being developed in-house by the Government Digital Service. This system was originally intended to replace the ageing Government Gateway. After 6 years of development, the NAO reported that “In February 2017, 12 services were using Verify” of which nine also allow access by other means. The plans set out in the Government Transformation Strategy of 9 February 2017 aim to deliver 25m users of this system by 2020.

Other online identity initiatives

There is also a variety of other identity initiatives, including Patient Access within the NHS (for patients to access their medical records) and a multitude of approaches by local authorities and others across both public and private sectors.

Key identity policies and initiatives

With that overall context in place, some of the main developments around identity assurance since 1997 are discussed below.

1997

1997 saw the UK Government attempt to streamline and improve the online experience of government services with the Intelligent forms project (“iForms”). iForms enabled a user to fill in one single online form and sign it digitally with their smartcard. This Smartcard News from December 1997 contains some details about the work.

The smart online form – the iForm – removed duplication and unnecessary bureaucracy from the paper process. For example, the user only needed to enter their personal details once rather than three times. In the case of the initial iForms project, the programme took numerous paper forms related to registering for self employment and re-designed them as a single smart (“intelligent”) online form, significantly reducing the amount of repetitive data previously required from the user. Appropriate data from the form was then parsed and sent to the three relevant departments – Inland Revenue, HM Customs and Excise (both now merged into HMRC), and the Department of Social Security’s Contributions Agency (now part of DWP).

This 1997 work is an early example – possibly the first example? – of the UK government using a third party identity provider, namely NatWest bank, for citizen identification and access to online public services.

1999

The 1999 report e-commerce@its.best.uk set out proposals to use trusted service providers to help identify and authenticate citizens and businesses online. At the time it was assumed that smart cards would play a major role in providing a secure credential for citizens and businesses to use for “e-commerce”. The Smart Card Framework Version 1.0 of December 1999 observed that:

Smart cards can be used for applications such as electronic purses and credit and debit cards, for ID and access control, to hold official documents, for data storage, in mobile phones, and to digitally sign documents to prove integrity and authenticity.

2000

In May 2000, the tScheme initiative was formally incorporated as an independent limited company. tScheme has been an important element of the idea of using trusted third parties to undertake identity assurance. Its members have worked to develop and implement a trusted scheme for industry self-regulation and its work has underpinned both the 2001 Government Gateway initiative as well as more recent work on Verify.

The UK Online Annual Report of September 2000 noted that:

Progress towards higher level services for government electronic service delivery will crucially depend on the development of appropriate electronic authentication and security processes for use by businesses and citizens.

And that:

To ensure that this can take place the Government will need to:

  • work with a range of trusted service providers, to ensure interoperability with government processes; and
  • identify where the marketplace is adopting suitable technologies for secure transactions and access, and ensure that the Government makes full use of these to meet electronic service delivery targets.

The e-government Authentication Framework of December 2000 set out a framework focused on:

the authentication of citizens and businesses seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity of those it is dealing with to ensure that there is no breach of privacy or confidentiality, or other harm. The Framework provides for those cases where anonymous or pseudonymous access is also acceptable.

And went on to state that:

For most electronic transactions, government will accept authentication provided by accredited third parties, which will register individuals and organisations and issue them with credentials enabling them to authenticate themselves in subsequent transactions.

2001

The e-Envoy’s monthly report to the Prime Minister from 5th February 2001 described the successful launch of the Government Gateway as a:

… piece of secure infrastructure with intelligent routing and authentication …

delivered

… in a compressed timescale, using rapid deployment methods to build a fully functional system in 3 months.

A Cabinet Office press release on 7 February 2001 stated that the Government Gateway would:

… offer citizens and businesses a single authentication service for all government transactions, such as sending in tax forms. Once a user has successfully registered, they will be able to access services from different Departments using a common user ID or digital certificate.

In the Registration and authentication. E-government strategy framework policy and guidelines of 2 November 2001, the Cabinet Office set out guidance for security requirements related to the provision of registration and authentication services to support access to e-government services. It noted that:

Government will encourage the provision of authentication services by a variety of bodies, including local authorities and the private sector, and will seek to make use of these services wherever possible. Government welcomes the proposed T-Scheme for accreditation of trust service providers

And went on to say that:

The Modernising Government white paper makes clear government’s intention to work in partnership with local authorities, the voluntary sector, and with third-party delivery channels such as the Post Office and private sector companies. Where third-party service providers are conducting transactions on government’s behalf, they will be required to authenticate the citizens and businesses they deal with to the same standards as government itself would. Government will in turn accept transaction data from those service providers, who will certify that they have carried out the authentication transaction to the agreed standard.

2002

The Trust Services policy paper of September 2002 addresses security requirements related to the provision of trust services to support access to e-Government services. It sets out a number of trust levels for registration and authentication in e-government transactions. In particular it

is concerned with the registration and authentication of citizens and organisations seeking to access government services electronically. It applies in circumstances where government needs to have trust in the identity (real-world or otherwise) and authority of those it is dealing with to ensure that there is no breach of privacy or confidentiality, theft/misuse of data, or other harm. The framework includes those cases where anonymous or pseudonymous access is acceptable.

It again emphasises that the government approach is to be through the use of third parties, including obligations on third parties for registration and authentication and their associated trust models, with more detail provided in the companion Registration and Authentication paper.

The Channels framework. Delivering government services in the new economy of 30th September 2002 establishes that government services can be delivered either directly by public sector organisations, or indirectly using intermediaries. It states that:

Service delivery in an inclusive and integrated manner is an essential commitment of this programme.

Good channel strategies in the new era will leverage electronic channels to help to:

  • deliver public services that are high quality and efficient
  • make sure that public service users, not providers, are the focus, by matching services more closely to citizens’ lives
  • support the infrastructure to get the UK online by the provision of joined-up services

And emphasises that:

Reaping the benefits of a joined-up channel strategy requires organisations to move to a model where services are built around customer needs and not organisational structures.

2003

Several pieces of updated guidance were published in January, including the second versions of HMG’s Minimum Requirements for the Verification of the Identity of Individuals, and HMG’s Minimum Requirements for the Verification of the Identity of Organisations.

In addition, the Policy Framework for a mixed economy in the supply of e-government services. A consultation document of May identified that the government strategy is to:

… create a mixed economy – a marketplace where government, private and voluntary sectors can come together to deliver e-Government services that better meet the demands of our customers.

and foresaw the desire for

a mixed economy in the supply of public services, where consumers (citizens & businesses) can engage intermediaries from the public, private or voluntary sectors to use public services in the manner that suits them.

2006

The Liberty Alliance – described as “a global organisation for organisations and companies interested in improving online accessibility and security through the development of open standards and related guidance” – recognised the Government Gateway with the annual Liberty Alliance Awards in October. (The Liberty Alliance was succeeded by the Kantara Initiative in 2009.)

The Government Gateway was recognised for “outstanding work around open, interoperable authentication in the e-government sector” and for enabling customers to

… sign up for many of the online UK Government services using a single user-identity and password. It also enables online services that are secure and allow people to use the internet for things like filing tax returns and applying for benefits. There are now well over 9 million registered users on the Government Gateway.

Of particular relevance to this review is that

The Gateway architecture and the authentication protocols include the means to preserve the privacy of citizens as they authenticate to different service providers

2006 is also notable for the appearance of a very different approach to identity: the Identity Cards Act, which received Royal Assent on 30 March. The Act specified the creation of UK national identity cards (to serve as a personal identification document and European Union travel document) linked to a database known as the National Identity Register (NIR). The introduction of the cards and NIR represent the other model originally identified by POST, with government assuming control over identity – a very different approach to the efforts since 1997 to use trusted third parties as part of the identification process.

2008

In March, Sir James Crosby, who had been tasked by the Chancellor with looking at the issue of identity in 2006, released his report Challenges and opportunities in identity assurance. It considered how both public and private sectors could potentially work together on identity issues for their mutual benefit and that of citizens and consumers. It commented that

… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion, which in turn leads to a greater number of transactions being reliant on such ID systems, further enhancing delivery of economic and social goals.

The report set out the case for a “universal identity assurance scheme”. It also said that:

A consumer-led universal scheme would better deliver on national security goals than any scheme with its origins in security and data sharing.

Its overall tone appears most aligned to the work that had been taking place since 1997 to establish a trusted framework for identity assurance that could work across both private and public sectors. It set the benchmark for such a scheme as being to:

  • meet consumers’ need to assert their identity easily and confidently
  • inspire their trust
  • be seen to offer superior levels of assurance.

In parallel with these various developments, the Government Gateway continued to be iteratively enhanced. The Employee Authentication Services (EAS) (PowerPoint format) was described in May 2008 as a common trust framework able to work across central and local government. And the UK Government Gateway Remote Authentication approach in October 2008 included chip and PIN authentication for the Ministry of Defence. The latter showed the ability of the Government Gateway to enable third party authentication using industry standard EMV chip and PIN cards (such as those used by most banks).

2009

In April 2009, the Identity and Passport Service published Introducing the National Identity Service. How the Service will work and how it will benefit you to explain the purpose of the new UK identity cards and National Identity Register (NIR). It summarised the need for the programme as follows:

Today people have to use a variety of documents to prove their identity: passports, driving licences, birth certificates, utility bills, etc. However, none of these are officially identity documents and, furthermore, you will often need to use more than one of these documents to prove that you are who you say you are. Sometimes, using these documents requires you to give away more personal information than is necessary or desirable – details on your bank statement for example.

An identity card will offer a useful and more convenient way for an individual to prove their identity in a wide variety of circumstances. Depending on the level of identity assurance required for a particular transaction, an individual’s identity will either be checked visually, through entry of a PIN number or by checking fingerprints via a chip on the card, or for the highest level of assurance, a check against the National Identity Register (NIR).

In common with cards in other European countries, the identity card will also allow you to travel within Europe without the need for a passport.

Despite work on ID cards and the associated NIR, work also continued in parallel on the long-standing approach to use of third parties, as the Department for Work and Pensions (DWP) presentation on Authentication (PowerPoint format) from September illustrates.

The presentation shows the various component platforms of the Government Gateway – such as the Payments Engine, Secure Mail, Secure Transaction Engine, Transaction Orchestration, Alerts, and Strong Authentication – as part of a cross-government enterprise architecture. It indicates that there were 17m service users and 90 authenticated services at the time, with authentication services being used by citizens, businesses, government employees and EU and foreign nationals. The presentation goes on to illustrate how online authentication services could include support for the ID Card – notably for what it refers to as ‘Gold Identity’.

2010

This year saw the repeal of the Identity Cards Act with the passing of the Identity Documents Act.

2011

On the 18th May 2011, Francis Maude MP (Minister for the Cabinet Office and Paymaster General) made a statement to Parliament on identity assurance. His statement started with the announcement that:

The Government agreed on 14 March 2011 to the development of a consistent, customer-centric approach to digital identity assurance across all public services. This will allow service users to log on safely to digital public services in a way that ensures personal privacy, reduces fraud and facilitates the move to online public services.

And also went on to say:

Our intention is to create a market of accredited identity assurance services delivered by a range of private sector and mutualised suppliers. A key improvement will be that people will be able to use the service of their choice to prove identity when accessing any public service. Identity assurance services will focus on the key imperative to ensure privacy. My Department is leading the project to develop the design and the creation of the market within the private sector. By October 2011 we expect to have the first prototype of the identity assurance model to test with transactional Departments and public sector identity assurance services, with a date for implementation from August 2012.

2012

A variety of updated identity assurance documents were published from 2012 onwards, replacing the numerous related documents that had been published over the years since the original e-government Authentication Framework of 2000. These documents on Identity assurance: delivering trusted transactions updated guidance on topics such as Authentication credentials for online government services and Identity proofing and verification of an individual.

2013

The Parliamentary Office of Science and Technology (POST) report of April, Managing Identity Online, provides a useful summary of the state of play around identity. It points out that:

Privacy and security are key concerns of the Identity Assurance Programme. The IDAP is developing a model which aims to address these concerns. It is engaging with an independent Privacy and Consumer Advisory Group comprising external stakeholders to work on this issue. It is also working with the Government’s National Technical Authority for Information Assurance to ensure that the model meets security requirements.

2014

In September 2014, the Privacy and Consumer Advisory Group (PCAG) mentioned in the POST note of 2013 (see above) published version 3.1 of their Identity Assurance Principles. 9 guiding principles for any IDA scheme were set out by the group:

High level summary of the Privacy and Consumer Advisory Group (PCAG) Identity Assurance Principles

2015

The page Introducing GOV.UK Verify was originally published by the Government Digital Service in June 2015 and provided an overview of and introduction to the Verify programme (formerly known as the Identity Assurance Programme, or IDAP). It was updated on 17 February 2017 (the absence of any page history means it is difficult to understand how it has changed since its original publication).

2017

In February, the Cabinet Office published its Government Transformation Strategy. One of the targets listed for 2020 is:

  • making better use of GOV.UK Verify by working towards 25 million users by 2020 and exploring options for delivery of identity services for businesses and intermediaries

It also notes that:

GOV.UK Verify allows people to use one account to prove their identity online securely for government services. GDS will work with the private sector to enable people to use the same account, which meets high government standards, to prove their identity online for private sector services, such as opening a bank account without having to go into a branch.

Summary

As noted in the introduction, there remain a variety of approaches to identity assurance across the public and private sectors. The Verify identity assurance programme aims to establish a common trust framework to help improve this situation, but at present there remain multiple platforms, systems and approaches underway both within the public sector and the private sector. In particular there is the GOV.UK Verify system being built by the Government Digital Service, the existing Government Gateway platforms, Patient Access within the NHS and the multitude of approaches by local authorities and others. There are also a variety of initiatives happening in the private sector which aim to streamline and improve the ease with which consumers can prove who they are when they are online.

As I have commented elsewhere:

It’s important for the future of online services that government helps nurture a robust, trusted, secure and viable approach to identity assurance that can work right across our digital economy. So it’s worth making time right now to do an honest, open and public reset to get this right.