Less About Identity, More About Trust

There’s a group of people here at GDS working on a programme called IDA - which stands for Identity Assurance. We’re helping develop a secure service that lets people log in to online government services more easily.

There’s been a lot of press comment about the programme today and we’re delighted to see that we’re (mostly) managing to get our message across - because this can all get quite complicated. The key ideas are these:

There’ll be no big IT programme and no big government database

Instead, users will be able to prove who they are using accounts they already have with a wide range of non-government organisations.

Users will be in control of their own information

By offering people a choice of how to login to services people stay in control of how they verify their identity.

We’re working with the people who know and care most about privacy and trust

The Privacy & Consumer Group who have been helping us create the privacy principles for this service includes experts like No2ID, Big Brother Watch, Which?, London School of Economics, Oxford Internet Institute and Privacy International. They've been instrumental in how we address users needs for privacy and security.

It is, of course, a bit more complicated than this and we’ll be explaining more over the next weeks and months but that’s the essence.

If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline).

You can also read the Guardian article and the Telegraph article

EDIT (05/10/12): there's been a short follow-up in The Independent today.


  1. Commentator

    Are there plans to accommodate use case where a user needs to identify themselves on behalf of their employer in order to interact with a 'government' system? E.g. an online system where users are authenticated individually to ensure they get appropriate rights within the system but they are interacting with 'gov' as part of their work. They won't want to use personal email addresses as their ID assurance as next month they may have a different job with a different employer, and not want to carry 'baggage' of their previous job with them.

    Link to this comment
    • steve

      The short answer is, yes. We acknowledge that people have different hats, especially in relation to individual's roles in businesses (CFO, company secretary etc). We have an active workstream looking at the challenges of business identity.

      Link to this comment
  2. Less About Identity More About Trust via Government… « Kind of Digital Exchange

    [...] Less About Identity More About Trust via Government…Less About Identity, More About Trust [...]

    Link to this comment
  3. David Moss

    Dear Mr Wreyford

    Having read the Independent, Guardian and Telegraph articles, we're clearly in for a long haul before the Cabinet Office have to abandon the proposed plans for identity assurance (IdA) in the UK and the US. Let's get the process off to a gentle start.

    As you say, IdA is less about identity, more about trust.

    Question 1. GOV.UK will be hosted on Skyscape servers. Skyscape has never submitted any accounts, it is wholly owned by one man, who is also the only director. Why do you trust Skyscape and why should anyone else trust them?

    Link to this comment
    • Louise Kidney

      Mr Moss,

      Further to your queries and comments regarding Skyscape, we note that you have since received a reply to these over on the G-Cloud blog

      Link to this comment
      • dmossesq

        Dear Ms Kidney

        Thank you for your post.

        The reply from the G-Cloud team advises me to ask GDS why they contracted with Skyscape. Which is what I have done and GDS have not yet provided any answer.

        I have therefore sent an open letter to ex-Guardian man Mike Bracken asking him to respond. In case i got his email address wrong, could I ask you please to forward it to him.

        Yours sincerely
        David Moss

        Link to this comment
        • Louise Kidney

          Dear Mr Moss,

          The reply to your comment on the G-Cloud blog is reproduced here. We would reiterate Eleanor Stewart's recommendations that you contact Skyscape should you require more information.

          "Thank you Mr Moss.
          The presence of Skyscape on the CloudStore and its subsequent purchase by GDS and HMRC break none of the rules of procurement and are entirely in line with the OJEU processes. For more information on procurement rules please see here. If you require more information about Skyscape please contact them directly."

          Link to this comment
  4. dmossesq

    Dear Mr Wreyford

    Judging by the Guardian, Independent and Telegraph articles, we are in for a long haul. It will be some time before the Cabinet Office and the US administration abandon their plans for IdA, identity assurance.

    Let's make a gentle start.

    Question 1. As you say, it's more about trust than identity. The idea is to host GOV.UK on servers operated by Skyscape Cloud Services Ltd. Skyscape has yet to submit any accounts to Companies House. The company has just one director and he owns 100% of the paid-up share capital, which is only £1,000. Why do you trust Skyscape and why should anyone else?

    Link to this comment
  5. frankieroberto

    Reblogged this on Frankie Roberto and commented:
    Getting this stuff (identity, privacy, authentication) right is hard.

    Link to this comment
  6. ID in the News» Blog Archive » National ‘virtual ID card’ scheme set for launch (Is there anything that could possibly go wrong?)

    [...] Wreyford, one of those working on this scheme at the Cabinet Office, comments on the coverage on the Government Digital Service [...]

    Link to this comment
  7. This week at GDS | Government Digital Service

    [...] The IDA team’s work was covered in a few papers, and you can read a bit more from Steve Wreyford about that here [...]

    Link to this comment
  8. steve

    Thanks, We certainly agree with you on that.

    Link to this comment
  9. Facebook Privacy Is Good/Bad (Enough); Just Flip a Coin! | HOTforSecurity

    [...] The vulnerabilities of online platforms do not seem to trouble the UK authorities that much. In fact, they are planning to allow users to sign in on a one-stop website using existing online accounts, Facebook ones included. The third party providing the respective service to the user should, however, have obtained an Identity Assurance certification. [...]

    Link to this comment
  10. Brian Parkinson

    I am re-assured that Privacy International are working with you on this. Perhaps they will post their view on their site.
    I am concerned with who owns this data and where it will be hosted.
    Firstly where will the linked data be held and who controls and owns the 'transactional' data created by this proposed process? Will it be used for commercial gain?
    Secondly where will the service be hosted? Will it be hosted within UK jurisdiction and within the UK? It would be wrong if it were not subject to UK laws. Also will the organisation chosen to host pay full UK taxes and not use loop holes to avoid taxation in the UK (eg Amazon)?

    Link to this comment
  11. UK Government to “Like” Third Party Logins « actiance

    [...] (IDA), which will allow people to access public services using third party logins. Described on a blog as being less about identity and more about trust, this could well prove to be right if rumours of [...]

    Link to this comment
  12. Ritchie G. Somerville

    How do we go about assuring "business to business" identity verification, so both the business and those individuals associated with it in some way are trusted

    Link to this comment