Edgar Whitley was the research co-ordinator for the influential LSE Identity Report which helped scrap the costly and controversial identity cards scheme in the UK. Here Edgar explains how putting privacy considerations at the centre of the UK’s identity policy has resulted in a radically different way of verifying an individual’s identity (GOV.UK Verify) and how he has come to have a number of verified identities.
I have an official verified identity. In fact, I currently have three verified identities and I can use them to access online UK government services including submitting self-assessment tax returns and other services. Having three verified identities is not the result of error or fraud but is, in fact, a deliberate consequence of how the GOV.UK Verify service has been designed to provide identity services for citizens in an innovative, privacy friendly way.
Conventional identity schemes, such as those that issue official “identity cards”, utilise data from official government databases to provide proof of the identity of an individual, ideally with a very high level of assurance. These databases in turn rely on data from civil registration systems (births, marriages, deaths) perhaps cross referenced against other official records (voter lists, driver licenses, tax records etc.).
Such large databases of identity data are at risk of being hacked, as are databases containing key biographical information that can be used for identity verification purposes such as data used when applying for US government jobs that require security clearance. Additionally, these databases can help enable a surveillance state.
The GOV.UK Verify service approaches identity policy very differently, drawing on the technology specific capabilities. Rather than focusing on maintaining a gold standard of identity data, in a centralised database, providing a single digital identity it takes a risk-based perspective on the whole identity transaction drawing on a broad range of (public and private) identity-related data, assessing the quality of validation and verification processes of that data and processing the data in a way that minimises privacy risks, although not necessarily perfectly.
A series of certified identity providers work with Verify to provide the verification services to enable access to government services. Currently there are four identity providers offering Verify services: Digidentity, Experian, Post Office and Verizon and a further five companies are due to join the service soon.
Verification with an identity provider is a one-time activity. Once an individual has a verified identity, they can use it to access any government service linked to Verify.
During the verification process, each identity provider draws on its own set of data sources to determine whether it has confidence in the identity claims made by the individual. The data sources cover evidence categories related to being a Citizen, Money and Living and can come from both public and private sources. Whilst no single piece of evidence is considered as proof of identity, when combined with other pieces of evidence (particularly from different categories) they can be used to determine a level of assurance as to the identity of an individual. Once a certain level of assurance is reached, the identity is verified and the individual can, for example, file their tax returns.
Some government services (e.g. tax credits) require a lower level of assurance than filing tax returns and the Verify service has recently completed a trial of the use of a basic identity account that provides this lower level of assurance.
The Verify service emerged from the 2010 coalition government as a response to concerns about the surveillance state. It includes various privacy enhancing mechanisms including data minimisation. For example, the verification process does not require identity providers to store details of an individual’s passport. Instead, all they need to store is whether, at the time of verification, the individual’s passport was valid.
To ensure that these privacy principles are being followed in the design and operation of Verify, the Cabinet Office Privacy and Consumer Advisory Group (PCAG) has published a series of Identity Assurance principles that guide the operation of the Verify service.
These nine principles place the user at the centre of identity assurance activities (“I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them”) and explicitly discuss data minimisation (“My interactions only use the minimum data necessary to meet my needs”) and the multiplicity of identity providers (“I can use and choose as many different identifiers or identity providers as I want to”) as well as explicitly considering consumer options for dispute resolution (“If I have a dispute, I can go to an independent Third Party for a resolution”).
The Verify service is currently a beta service. This means that whilst it is designed to be easier to use than the services it replaces it isn’t final and explicitly gathers feedback and data on what works and what needs further improvement. As recent press reports have highlighted, some potential users of Verify have had difficulties with the kinds of evidence individuals are required to provide to determine the necessary levels of assurance, for example, when utilities or bank accounts are held by their spouse, or where mortgages and loans have been repaid and either don’t appear on a credit record or don’t provide a “history” of repayment transactions.
However, because Verify supports multiple identity providers, it is possible for new providers to become certified to address these kinds of users as well as for existing identity providers to consider alternative sources of evidence that would still enable them to support identity claims to the level of assurance required by government. Moreover, once these issues are resolved, these individuals will have a verified identity that they can then use for any other government service that is linked in to the Verify service.
As the Verify service supports multiple identity providers, it enables individuals who have problems verifying their identity with one identity provider to use alternatives. Indeed, at the time of writing I don’t have a fourth verified identity because I am having problems with the verification process with a particular identity provider. Additionally, each identity provider is seeking to enhance the customer experience when a verified identity is used to access government services. This means that beyond the privacy benefits of the new service, having multiple verified identities allows me to use the most convenient identity provider available to me.
Disclosure: I have been closely involved in the design and development of the Verify service and helped draft the identity assurance principles described above.
Note: Featured image credit: Kevin Dooley CC BY 2.0
Edgar A. Whitley is Associate Professor (Reader) of Information Systems in the Department of Management at the London School of Economics and Political Science. Edgar was the research coordinator of the influential LSE Identity Project on the UK’s proposals to introduce biometric identity cards; proposals that were scrapped following the 2010 General Election. He is co-chair of the Identity Assurance Privacy and Consumer Advisory Group for the Cabinet Office.