https://gds.blog.gov.uk/2011/11/04/establishing-trust/

Establishing trust in digital services

Monday was a big day for the Identity Assurance Programme. The Minister for the Cabinet Office, Francis Maude, explained to a packed Technology Strategy Board event why a federated identity assurance model is essential for the ‘digital by default’ initiative and how important this digital policy is, not just for public services but for the wider economy.

Identity assurance is a complex subject and a controversial one, not just in the UK. But we need to address it if we are going to take advantage of digital channels. We can transact anonymously in some contexts, but not all. When we disclose personal data we need to do it securely. And we need better ways to protect people from transacting with fraudsters. If we don’t address these problems then people will lose confidence in digital channels.

But most of all we need to develop identity services around the needs of users – if we don’t then people will not trust or use them. Many people have described this subject as ‘identity management’. That is an organisation centric phrase: a notion that organisations hold data about people and have the responsibility for maintaining it. We have to reset the subject around the user and recognise that in the digital age people assert identity in many different ways and contexts.

Thankfully, there is a lot to be optimistic amount as the 24 winners of the TSB ‘Trusted Services’ competition demonstrated at the event. The days of creating different user names and passwords for every new website are numbered, thank goodness. There is a strong desire to work collaboratively across the public and private sectors to develop solutions that meet users differing needs. That desire is international. The USA’s National Strategy for Trusted Identities in Cyberspace and the EU Project STORK pilots testify to the opportunities.

As was pointed out several times during the day, the federated model for identity assurance isn’t new. Indeed, the UK assumed the federated model in the Electronic Communication Act (2000) and built the Government Gateway accordingly. But a lot has moved on in the dozen years since Government Gateway was developed and we have a lot of work to do to develop solutions that work for users in the many contexts that they’ll need them.

Speakers from a number of Government Departments (including DWP, HMRC and BIS) described their programmes and their differing identity assurance requirements. We intend to work collectively through the new Government Digital Service to deliver identity solutions. The £10 million funding for the programme that Francis Maude announced will enable us to do that.

You can read more about Monday’s event and the competition winners showcased. Over the next weeks we will be posting more information about the Identity Assurance Programme on this website. We look forward to your contributions.

18 comments

  1. rolywalter (@rolywalter)

    Some great ideas from the TSB competition. In the past, such innovations have been skewered at the last minute by a fearful minister or PUS. I am, however, hopeful for you guys as you have a minister who seems to know what he’s talking about and a team who command plenty of political goodwill (as well as the expertise to implement innovation safely).

    Reply
  2. Michael Saunby (@msaunby)

    Fraud is of course an important concern, but for most people utility is what they seek. Consider a simple example – a pensioner wishes to obtain a bus pass. Can that be done online?

    From http://www.devon.gov.uk/index/transportroads/public_transport/bus_passes/nationalbuspass/apply-nationalbuspass.htm it doesn’t look like it.

    Realistically what level of fraud is this likely to be subject to?

    Oh, and then consider same pensioner has a fall and is entitled to a disabled parking pass (blue badge), oh more forms and photos required http://www.devon.gov.uk/blue-badges#how_to_apply

    Come on folks. Get your act together.

    Reply
  3. nanas

    So the government gateway is such a success that we’re spending another ten million on it. How much in total has government gateway now spent? Isn’t this the sort of thing alpha.gov (oops not called that anymore) was supposed to end?

    Reply
  4. Despairing

    “The days of creating different user names and passwords for every new website are numbered, thank goodness”

    So that ‘ll be one user id and password combination for everything then?

    Nope, can’t see any possible problems there…..

    Reply
  5. ste williams » UK.gov digital boss defends ID assurance scheme

    [...] a puff piece on the Government Digital Service blog, the ex-Guardianista defended the “federated identity assurance model” by proclaiming [...]

    Reply
  6. ID Rehashed

    ID database by any other name. And a bit of fluff hate against anonymity thrown in. Identity is not the silver bullet you purport it to be. In fact, increasingly rigid the age-old one-identity-each no longer fits how the people use, say, the internet. It previously was less of a problem because various communities maintained their distance. With a single carrier, that carrier must now support multiple identities per person. Yet all the government can come up with, here and elsewhere, is to be more rigid, not less, about enforcing an outdated and no longer suitable model.

    You, sir, evidently assume everyone who doesn’t hand over enough data to be impersonated, is not “trustable”. I deign not to trust such an untrusting government.

    In fact, I cannot even trust you, for you tout “user centric” instead of “organisation centric” “identity management” by… outsourcing core parts of government assurance to commercial third parties. Parties that are potentially not even in UK jurisdiction, instead subject to invasive, even controversial, privacy violating laws.

    Evidently you didn’t do your homework. How is this even close to looking forward?

    “Britain sold to Honda”, only it’s not Honda nor is it funny.

    Reply
  7. maccad» UK.gov digital boss defends ID assurance scheme

    [...] a puff piece on the Government Digital Service blog, the ex-Guardianista defended the “federated identity assurance model” by proclaiming [...]

    Reply
  8. UK.gov digital boss defends ID assurance scheme » WES Computing

    [...] a puff piece on the Government Digital Service blog, the ex-Guardianista defended the “federated identity assurance model” by proclaiming [...]

    Reply
  9. dmossesq

    Mr Bracken, you say:

    “The days of creating different user names and passwords for every new website are numbered, thank goodness. There is a strong desire to work collaboratively across the public and private sectors to develop solutions that meet users differing needs. That desire is international. The USA’s National Strategy for Trusted Identities in Cyberspace and the EU Project STORK pilots testify to the opportunities.”

    “Project STORK” in that quotation links to https://www.eid-stork.eu/ where readers might expect to see a lot of opportunities testified to. Instead, what they find is this:

    “The aim of the STORK project is to establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID.”

    But we don’t have a “national eID”, we Brits, do we. So, question 1, how can we partake of any of these opportunities?

    The UK leg of Project STORK is the UK Government Gateway, the very system that the Cabinet Office want to get rid of. Take away the gateway and, question 2, how are we supposed to take advantage of STORK?

    Reply
    • David Rennie

      Dear Mr Moss

      Apologies for taking so long to reply to your questions. With regard to question 1, national eIDs does not mean an identity card. It means an electronic or digital identity issued within a member State that complies with STORK requirements. So the UK can partake in STORK. re question 2, the Government Gateway is not the UK leg of STORK. There are no current plans to decommission Government Gateway.

      With regard to your other posting, you are indeed correct: Skills Funding Agency is an agency of BIS. Apologies for this error.

      Reply
      • dmossesq

        David

        A pleasure to hear from you, as ever, and thank you for replying on behalf of Mike Bracken.

        I said that the Government Gateway is the UK leg of Project STORK. You say that it’s not. Who’s right?

        As it turns out, both of us.

        The 14 October 2007 press release about STORK states that: “The UK’s Identity and Passport Service (IPS) is leading the pilot project, in close co-operation with the Government Gateway, the UK’s centralised registration service”. There was obviously meant to be some sort of a connection between the Government gateway and STORK.

        James Hall was the Chief Executive of IPS at the time and he had a letter published in the Glasgow Herald in November 2007 stating that: “In the UK, the work [on STORK] is being conducted by the Cabinet Office (the Government Gateway) and the Identity and Passport Service”. There they are again, connected in some way.

        Six STORK pilot schemes are underway. Jim Purves produced a report on one of them, Cross border authentication for electronic services, in July 2010 – D6 1 3 Cross Border Authentication for Electronic Services – Detailed Planning_1.pdf. On p.20 we read:

        The cross-border authentication platform for electronic services WP will build a demonstrator showing that cross-border electronic services can operate in a number of MSs. The applications provided in the cross-border authentication platform for electronic services include the UK Government Gateway, the Belgium LIMOSA, the German “service-bw” portal, the Austrian help.gv portal, and the Estonian integrated citizen portal. These applications have to be connected to the EU interoperability layer defined by the common specifications of WP5.

        Jim Purves is the man who took over the maintenance and development of the Government Gateway from Jerry Fishenden and clearly I was right, the Government Gateway was meant to be the UK leg of Project STORK. At least up to p.20. And even up to p.23. Then on p.25 we read:

        The UK has withdrawn the connection of the UK Government Gateway to the interoperability layer …

        … at which point you become right, the Government Gateway is no longer the UK leg of Project STORK.

        In fact, there is no UK leg of Project STORK. The UK is no longer involved in any of the six STORK pilot schemes, please see Which country participates in each pilot?.

        Without the Government Gateway, we have no way to connect to STORK. Without taking part in the trials, we have no way to connect to STORK. And without a “national eID”, we have no way to connect to STORK.

        But in that case, why do you say “the UK can partake in STORK”? How? That’s question 1.

        You also say: “There are no current plans to decommission Government Gateway”.

        “There are no current plans to” is one of those locutions that get the antennae wiggling, isn’t it. Never believe it until it’s been denied, …

        A lot of Cabinet Office people talk down the Government Gateway. Three of you have denigrated it to me alone. Joan Wood of HMRC took time out at the 31 October 2011 event that Mike Bracken mentions to say how hard people find it to use the Government Gateway. And, as noted above, it’s no longer being used to connect us to Project STORK.

        Is the Government Gateway going to provide the spine for G-Cloud? Given the bad press it’s getting from the Cabinet Office and HMRC, that seems unlikely. Presumably you want to build a brand new replacement. But why? Isn’t that wasteful? That’s question 2.

        Reply
  10. dmossesq

    Mr Bracken

    It’s stretching it a bit to say, as you do, that:

    Speakers from a number of Government Departments (including DWP, HMRC and BIS) described their programmes and their differing identity assurance requirements.

    BIS did not attend. The Skills Funding Agency attended, and they are a partner organisation of BIS, but they are not BIS.

    It is 10 days since your post and there have been 10 comments on it. May we look forward at some stage to a response?

    Yours
    David Moss

    Reply
  11. Directgov « The Great E-mancipator

    [...] further. There needs to be a government-wide channel strategy to ensure channel shift. Given the recent admission that there are different requirements for security across departments (shouldn’t that be [...]

    Reply
  12. Interesting elsewhere – 20 December 2011 | Public Strategist

    [...] Establishing trust in digital services | Government Digital Service But most of all we need to develop identity services around the needs of users – if we don’t then people will not trust or use them. Many people have described this subject as ‘identity management’. That is an organisation centric phrase: a notion that organisations hold data about people and have the responsibility for maintaining it. We have to reset the subject around the user and recognise that in the digital age people assert identity in many different ways and contexts. [...]

    Reply
  13. Identity: One small step for all of Government | Government Digital Service

    [...] Last October Francis Maude announced the move of the Identity Assurance Programme into the new Gover…. We have since built a new team and delivery plan and a working governance structure to implement Identity Assurance solutions strategically across government. [...]

    Reply
  14. Összkormányzati személyazonosság-biztosítás, kis lépésekben | eGov Hírlevél

    [...] step for all of Government, Mike Bracken, Government Digital Service, 2012. március 1. Lásd még: Establishing trust in digital services, Government Digital Service, 2011. november 4. Identity assurance (Wikipedia) Megosztás:Share [...]

    Reply
  15. Identity Assurance goes to Washington | Government Digital Service

    [...] week some members of the UK Identity Assurance team  were invited to the White House to share, learn and collaborate with some of the key individuals [...]

    Reply
  16. Identity: One small step for all of Government - Mike Bracken.

    [...] Last October Francis Maude announced the move of the Identity Assurance Programme into the new Gover…. We have since built a new team and delivery plan and a working governance structure to implement Identity Assurance solutions strategically across government. [...]

    Reply

Leave a comment