The UK has long struggled with its digital identity problem, and the lack of inclusive, authoritative identity has been stark during this pandemic. It has left some who fail to pass a credit check unable to get a Covid-19 test, likely complicated the work of de-duplicating testing data, and resulted in lost optionality to test new systems such as mobility credentials (or ‘immunity certificates’), as Estonia has, for example.
We’ve proposed solutions to some of these problems, first in our paper setting out how a secure and user-centric model of digital identity could help states exit lockdowns safely, and then in a roundtable of international policy and industry experts, including Liis Narusk (co-founder of Estonian start-up Immunitypassport) and Udbhav Tiwari (Policy Advisor, Mozilla).
Whether or not you believe that establishing a new digital identity system is appropriate right now (and many of the participants in our roundtable thought mobility credentials should be separated from identity systems), the broader need for secure, user-centric and reusable digital identity has never been clearer.
This piece sets out five key insights for future UK identity policy from the roundtable and our wider engagement with industry and policy experts. We’re interested to receive responses so please reach out on Twitter or email firstname.lastname@example.org.
The economic recovery plan for Covid-19 focuses on the infrastructure of the last economic era, not the next one
Invest in internet-era infrastructure, with digital ID as a priority, to generate productivity boosts and remake the state to deliver better for citizens
Lack of coordinated policy, clear and aligned accountability, and quality data impede progress
Appoint a dedicated, senior minister and decouple identity data functions, such as HMPO and DVLA, from policy departments
Policy has traditionally designed for singular, one-off identity verification, but this model doesn’t meet modern needs
Enable an ecosystem of authentication methods that users control via a digital wallet, underwritten by opening up government identity data
New technical standards are necessary for progress, but are only one part of the puzzle
Government must pass legislation to secure public trust around privacy, inclusion and enforcement, and address novel challenges around data rights and biometrics
Policy is focused on fixing the immature market as it is now, rather than anticipating where it’s going
Where value is being generated in the market is changing. Government strategy must reflect the full array of interconnected business models
How can digital identity help governments tackle Covid-19? - 25th June 2020
In the economic recovery from Covid-19, prioritise investment in the infrastructure of the internet era, with digital identity at the forefront
Policy debates about the Covid-19 recovery are awash with talk of a ‘New Deal’-style ‘infrastructure revolution’, but roads and railways are the infrastructure of the last economic era. More political capital should be spent on building the software infrastructure that will underwrite the next one. For governments, at minimum this means data infrastructure, platforms and, most importantly, digital identity.
Digital identity enables simpler and better public services and can generate significant productivity boosts. For example, e-signatures in Estonia, enabled by digital identity, give back a working week to every adult annually, and the Estonian e-government “would never have been possible in such a way without a digital ID”, according to former Head of Cyber Security, Karoliina Ainge. Similarly, identity checks in financial services are often costly and cumbersome, as set out in the Bank of England’s ‘Future Finance’ report chaired by Huw van Steenis. The report concluded that “digital identities could make this process seamless”.
The UK is a more complicated environment than Estonia, with mixed success in identity, but international comparisons show a high return on investment is possible. “The total spend on e-ID in Estonia has been 40 million euros over 20 years, so approximately 2 million euros a year,” Ainge told us. “This includes all operational expenses, including issuing [ID]”, with 98% of the 1.3 million population registered. In contrast, GOV.UK Verify, the UK’s most recent approach, cost at least £154 million between 2011 and 2018, with only 3.6 million people signed up by Feb 2019.
Appoint dedicated ministerial leadership and reform structures to tackle misaligned incentives across government
UK identity policy has been held back by a lack of coordination across both policy and delivery departments, with no single part of government accountable for this inherently sensitive issue and risky investment. This has held back a viable market and led to worse outcomes for citizens.
Coordinated structures and a common approach to identity are essential for effective policy. This would make it easier for users to verify themselves; simplify and grow the market for providers; and enable radically more joined-up services – but this requires a senior minister with the authority and accountability to marshal different bodies towards a common goal.
The big parties who rely on identity checks in government have often diverged in how they manage identity. HMRC, DWP, the Home Office and the NHS have failed to see identity as a shared need that necessitates a common approach. GDS and DCMS, themselves trying to work across departmental boundaries, haven't had the power to make it so.
Opening up high-quality identity data is one of the most value-adding steps the government can take, but someone needs to be accountable and that could be a poisoned chalice. For example, in the existing siloed approach, the Secretary of State for Transport might become liable, at least politically if not legally, if DVLA driving licence data were poor quality and checks against it failed to catch fraudulent activity. This risk disincentivises progress. One solution might be to decouple data functions from departmental policy, creating data registers overseen by registrars accountable to Parliament, as Tom Loosemore has proposed.
Finally, recent proposed legislation and regulation show a lack of coherent, long-term strategy. Age verification and age-appropriate design codes proposed by some public bodies would have encouraged growing the market, but these steps have later been walked back. That may ultimately be good for policy, but it is a challenge for commercial operators who require regulatory clarity and stability.
Design policy to enable persistent, trusted relationships with users, not to create one identity to rule them all
Identity isn’t just about mechanical, one-off verification but enabling a persistent, trusted relationship between multiple parties.
The traditional model of identity policy needs updating. Policy remains focused on a model akin to a special key that unlocks a secure door to a room in which you then have free rein, but this goes against how modern fraud detection operates.
Because trust degrades over time, modern services are built around flexibly escalating trust at specific high-risk moments. For example, some services only need minimal assurance, such as a login or two-factor authentication, to onboard new users, e.g. when making an application for benefits. Only at higher risk moments, e.g. when transferring money, might stricter assurance be needed, like a check against a passport or driving licence.
Identity is therefore about enabling a persistent relationship at variable levels of trust between multiple parties, which requires an ecosystem of different methods of authentication. We need to be able to say: “I trust the government, the government trusts me as much as it needs to for this transaction, and we both trust the system we’re using to establish and regularly reconfirm that trust.” Users need control over a variety of different methods of authenticating themselves, and services must be flexible rather than requiring the strictest method of authentication in all circumstances – which will sometimes be unnecessary and often exclusionary.
Providing a government document checking service, including passport and driving licence data, is therefore one of the most value-adding steps that government can take. Just as modern approaches to identity enable distinct attributes, e.g. ‘over 18’, rather than a single card that exposes personally identifiable data, opening up government identity data would enable distinct identity attributes to be verified quickly and authoritatively. But financial firms and other credential checkers need assurance that government will take responsibility for data quality.
For users, a convenient wallet of credentials remains a promising way to store and manage these reusable, verified attributes. This would enable using different credentials (‘identifiers’) with different bits of government – e.g. tax (NI number), health (NHS number), citizenship (passport), etc. – facilitating joined-up services within domains while preventing a wider state panopticon. In turn, this would address the trilemma at the heart of GOV.UK Verify: users expect different bits of government to connect up, but don’t want government to know everything about them, while not understanding why Verify connects them to third parties like Barclays and the Post Office to verify their identities.
Forthcoming technical standards are necessary, but insufficient; identity policy must be underpinned by legislation
A new certification scheme is likely to replace GOV.UK Verify later this year. But technical guidance can only answer technical questions. Digital identity is politically sensitive and primary legislation is necessary to secure public consent.
Legislation must not only protect privacy and security but also promote inclusion and regulate enforcement. Properly implemented identity can help prevent more immigration debacles such as those of the Windrush and the EU Settlement Scheme, reassuring vulnerable people with an authenticated way to prove their status. But other authentication ‘gates’ can also easily exclude if implemented unnecessarily or if services aren’t required to accept alternative proofs for some users.
Regulation should encourage the market where appropriate, or at least consider the impact. As evidenced by the reversal (or delay) of age verification legislation, governments need to set clear and stable objectives for policy that affects the market. Now, some parts of industry are working to put digital age verification on par with physical ID checks for restricted purchases in shops, given that physical checks contravene social distancing rules. The lesson is that government should lead, not follow.
Covid-19 has introduced novel ethical questions. Legislation may need to set out what health information can be mandatorily disclosed, what rights individuals have to prevent coercion, and the rights of others in case individuals decline to share health information.
Biometrics warrant regulatory inspection and guardrails on use. While useful for security, biometrics cannot be changed or revoked in case of a leak, unlike passwords or cryptographic keys. Requirements such as only storing data on-device may be necessary to mitigate these vulnerabilities.
Bring the principles of openness that exist elsewhere to identity. As Udbhav Tiwari advocated in our roundtable, open ways of working – with due regard to intellectual property and other commercial interests – can help to win consent, especially for sensitive technologies.
The identity market remains immature, and making it sustainable requires a strategy that goes beyond government
The opportunity for digital identity has never been clearer but the commercial model remains elusive. Creating a competitive market for identity services beyond government should be a central goal of policy.
Consider how government schemes constrain the market: In order for user-focused identity companies to be viable partners they need a critical mass of users, but Verify impeded this for many. A new certification scheme might enable more providers to access public and private markets that require specific assurance levels, but focusing on ex ante permission may still place artificial limits on market growth. In the modern operating environment, trust is increasingly earned through tools that put users in control and via “transparency and accountability enabled by real-time data”.
The market is bigger than government – and evolving: Alongside start-ups providing single-use services, big US tech companies with large user bases are waiting in the wings (already providing non-government ID services such as logins, e-signatures or digital wallets). To avoid losing the initiative without picking winners, regulation focused on securing public trust can ensure a level playing field of guardrails.
As the UK begins its recovery from Covid-19, identity can help to restart the economy and deliver a more effective state. The pandemic has thrown up novel use cases for identity and shone a light on age-old issues that have been unaddressed for decades. While the political debate is fraught, the benefits for the economy, users and society are straightforward: giving people back time they’d otherwise lose to dealing with state bureaucracy, making public services more personalised and proactive, and enabling fairer and more accountable approaches to public policy, including immigration – beneficial both for states and individuals. The issue is mainly political, not technical. Progress can only come from brave and inclusive leadership.