Jan 14, 2014
Five questions for Identity Assurance
We’re getting closer to the launch of the government’s “identity assurance” (IDA) service – providing a way of confirming that people are who they say they are online, when they interact with government services.
There’s much on the IDA team’s blog about progress to date, and much to like. Such as the upfront decision to separate the confirmation of identity bit from what government’s there to do, and to open up a choice of identity providers (IDPs) who’ll be able to offer different ways of creating and using an online identity.
But there’s still too much that isn’t clear about the scheme. And given its importance – it will be essential if there’s going to be a major improvement in transactional services – here’s some of the detail I’d like to see:
1. how does it actually work? (and I don’t mean at the theoretical level described in the “Good practice guides”, but using real examples of real services, processes and data) It’s all well and good saying that I will be able to choose an identity provider, and be able to set up a trusted relationship with them online…but what’s actually going on to make this happen, and to support me once it has? How will they know I am who I say I am? Will they have access to something that only I would know, and if so, what? If they’re an organisation I’ve never (knowingly) had any dealings with before, what will they know about me? If they’re a new entrant to the identity provision market (as some in the running are) – where are they getting their sources to do checks? And, as ever, what’s being passed around to whom, how’s it held, secured, indexed…and all the rest of the usual, essential hygiene issues around personal data?
I have a feeling that as these details emerge we could be in for some interesting food for thought about what information is being shared by whom. But best we start to see some real examples so we can get our heads round it, and to make sure we’re comfortable with who knows what about us. Given we’re dealing with that most treasured currency of all – personal data – I think we need much more transparency about what’s being proposed. And we’ll only have realistic scrutiny if there are realistic proposals to chew on.
2. will government department x actually hand off the responsibility for identity confirmation to identity provider y? This has to happen for the service to work as intended, yet it has big implications for the accountability of delivery. Will heads of service still take responsibility if things go wrong in the checking process, or if they find they’re transacting with fraudulent or misidentified accounts? Who does the service user contact to fix things that go wrong, now that more than one organisation is involved?
Make no mistake, I’d absolutely love to see it happen – so I’d be reassured if a government department made a clear statement of this intention and, furthermore, that it no longer intends (or needs) to operate its own version of identity checking in favour of that provided by an IDP. It’s relatively easy to do new, parallel things in government. But confirmation that there’s actually been a change is usually only provided by stopping doing an old, superfluous thing.
3. following on from that, how will the service be paid for? The IDPs aren’t in it out of the goodness of their hearts – how are they incentivised, how can we have assurance that they’re being paid a fair rate, and what’s the outcome for them financially if they get things wrong, or provide a poor quality service in some other way?
4. who’s watching what I do? We live in sensitive times – aware that beady eyes are watching all that we do online. Who will be watching our transactional exchanges – as we’re identified, and then as we go on to use services? One of the big selling points of using a layer of IDPs independent of government was that there’d be no creation of a vast, centralised database of identity and activity. What’s the assurance that such data capture isn’t happening anyway – creating just such a central viewpoint, albeit one in which lots of separate things connected to us are being indexed together?
5. and lastly – where’s the big picture here? Where’s all this going? Will an identity be reusable across more and more services? What will happen when services require different levels of assurance? (For example, an identity created using some basic checks to access a relatively insecure look-up service might need to be ‘strengthened’ to access something that’s more complex in terms of money or confidentiality. How?) How clear will it be to the user what level of trust they’ve achieved using a particular identity?
And if more and more services can be accessed using the same online identity, doesn’t that create the “all eggs in one basket” problem, as well as creating a virtual single “person” that government’s dealing with – reviving lots of the problems that IDA is designed to avoid? Are we expecting people to try and reuse the same identity as much as possible, or to create a few at different levels of trust, or to start from scratch every time they touch a new service? If there’s the ability to reuse an existing trust relationship (for example with a bank or a mobile phone company) what effect might that have on fair competition for new customers? And how will government in general address the lack of provision of an IDA option as IDA’s use becomes more widespread? Customer expectation is going to rise (as it should for any useful, improved service) and at some point it’s going to become unacceptable for an area of government even to try using a non-IDA verification method. Or has that already happened?
They’re tricky questions and, as ever, neither complete nor perfectly phrased. Please do comment with anything else you’d like to know more about. But I’d really like the IDA team in GDS to share much more of their thinking in these areas – and where there are still details to be ironed out, to be open about them. This will lead to more robust solutions, less uncertainty about the myth and reality of what’s planned, and a lot of external help in planning for and addressing the issues that will inevitably surface when millions of transactions are being supported by IDA.
UPDATE 23 Jan: The Identity Assurance team have published a blog post that gets into more detail on some of these issues, and points to a number of posts to come, on issues ranging from user research to the outcomes of a private beta that will apply identity assurance to two specific “exemplar” services – HMRC’s PAYE and DVLA’s “view driving record” services.