The Cabinet Office Identity Assurance Programme (based in the Government Digital Service) aims to help users transact digitally with public services through convenient & secure login mechanisms. Behind this simple objective lies a complex problem: how to ensure the user and the public service have sufficient trust in digital channels. Identity is an important part of the answer.
Trust infrastructure
A number of reports and studies have investigated when we do and when we don't have enough confidence to transact. Systems for establishing trust in the physical world have emerged over a very long time. They include the law and judicial system, of course, but also reputation, brand and marketing tools. By and large, in the physical world we have ways to determine whether we should enter a transaction and have some idea of how to seek redress when things go wrong.
We need to extend these physical world 'trust infrastructures' to cater for digital transactions. The US National Strategy for Trusted Identities in Cyberspace envisages an 'identity ecosystem' and many companies are helping to create it. No single organisation can deliver the solution. It requires citizens, organisations and institutions from the public and private sector to work together with a common aspiration to tackle fraud.
Collaboration is king
In the UK we have been developing our approach to the subject over the last few years with wide engagement from many organisations and interested stakeholders. We need to transfer this collaborative spirit from the design phase into practical operation as we start to introduce user-selected identity services as the registration and login mechanism for public services.
Viable schemes
We have been working on the concept of 'schemes' as a mechanism to remove complexity for users who want access to public services - and for the Departments who want to deliver them. (After all, you don't have to understand the telecommunications industry to make a phone call.) Schemes will be a way to deliver a commercially viable model without separate, expensive contractual arrangements being put in place between each and every party. This will reduce risks for all parties – and lower costs.
Schemes will allow the many organisations that have a role to play – large and small – to co-operate, collaborate and compete without creating a confusing choice for users.
Active engagement
This week we have presented the schemes concept at the Inside Government, Cyber Security Conference and have been consulting with stakeholders to bring fresh feedback into the development. We have provoked some positive debate, and surfaced some interesting opportunities, issues, opinions and ideas to add to the mix.
Watch (and help us fill) this space
There is a lot of work to do over the next few weeks and we are grateful to all those people, in the UK and overseas, who have made positive contributions to the thinking. As we build consensus around the details on schemes we will provide them here.
Image: Jeremy Brooks
8 comments
Comment by Identity: Don Thibeau, at large in the UK | Government Digital Service posted on
[...] adherence to the requirements of the Identity Ecosystem Framework. So not dissimilar to the ‘schemes’ concept we blogged about last week, though driven by private sector interest, rather than for Government transactions, as in the [...]
Comment by IDAP Team posted on
Thanks for your comments, David. We are engaging widely with the privacy interest community, including No2ID, via a privacy interest stakeholder group chaired by Jerry Fishenden. They are feeding in to the development of govt proposals, including developing a set of principles which were shared on Jerry's blog on Friday: http://ntouk.wordpress.com/2012/03/23/draft-privacy-principles-for-the-uk-identity-assurance-programme/
Comment by David Durant (@cholten99) posted on
Hi David,
I'm very interested in this area - in particular how government backed identity could be used by NGOs such as mySociety or Unlock Democracy to allow positively-identified citizens to interact with their representatives.
I'm also wondering if you've spoken to the campaign group No2ID about your proposals?
Thanks.
David Durant
Comment by Fraser posted on
A simple and pre-existing form of digital identity is online banking. Some member states dovetail bank authentication (including some British brands!) for government purposes such as signing a petition. The other way to validate an address is to do a quick online credit check using a bank card.
Admittedly only 90% of the adult population in this country has a bank account but now we own the banks we should be putting their technology to good use! Bottom line, let's not reinvent the wheel.
Comment by IDAP Team posted on
Thanks for your comments, Fraser. We're keeping an open mind on the solution, but clearly there are similar schemes in existence that work and will be good examples to refer to.
Comment by JohnB posted on
Fraser;
You are right - it is mad (and a waste of taxpayers' money) to reinvent the wheel. The trick here is to understand the liabilities and entitlements that go with issuing and relying upon credentials in the electronic world - and in having organizations that "vouch for" that credential so that if something goes wrong or the credential is revoked/expired/misrepresented, then the relying party has a route of recourse. It is not just a technology issue, and Government "doesn't do liability"... nor should it, except in specific applications (e.g. see the words inside the front cover of a UK Passport).
This is where (whatever else we may think about them) using regulated financial institutions (aka banks) as delivery channels for credentials under a scheme based approach makes a ton of sense. Visa and Mastercard, created back in the 1970s as plastic card based payment schemes, are illustrative - and yes, they are part of our everyday lives, spanning across sectors, geographies and multiple purposes - even Government bureaucracies use the card payment Schemes for doing their business more efficiently than paper and pen...
We need to replicate that thinking beyond plastic card payments, in the 21st century world of ubiquitous and instantaneous & largely free-to-use electronic networks. There are solutions that are inclusive, give end-user choice, that are operational and fit-for-purpose and that are out there already... we just need to "see the wood from the trees".
Comment by Thomas Punt posted on
Excellent, but it is important that any scheme devised is explained simply to members of the public - not a lengthy technical exposition such as this but something easily understood and therefore trusted.
Comment by IDAP Team posted on
Thanks for your comment, Thomas. We are looking at developing messages that can simply explain the principles and benefits to users. For these proposals to succeed they must be understood, so it's a top priority. Moreover, we are adopting a user centric approach to development so that the solutions are not only understood, but have user benefit (and trust) as a primary goal.