https://gds.blog.gov.uk/2012/10/04/less-about-identity-more-about-trust/

Less About Identity, More About Trust

There’s a group of people here at GDS working on a programme called IDA – which stands for Identity Assurance. We’re helping develop a secure service that lets people log in to online government services more easily.

There’s been a lot of press comment about the programme today and we’re delighted to see that we’re (mostly) managing to get our message across – because this can all get quite complicated. The key ideas are these:

There’ll be no big IT programme and no big government database

Instead, users will be able to prove who they are using accounts they already have with a wide range of non-government organisations.

Users will be in control of their own information

By offering people a choice of how to login to services people stay in control of how they verify their identity.

We’re working with the people who know and care most about privacy and trust

The Privacy & Consumer Group who have been helping us create the privacy principles for this service includes experts like No2ID, Big Brother Watch, Which?, London School of Economics, Oxford Internet Institute and Privacy International. They’ve been instrumental in how we address users needs for privacy and security.

It is, of course, a bit more complicated than this and we’ll be explaining more over the next weeks and months but that’s the essence.

If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline).

You can also read the Guardian article and the Telegraph article

EDIT (05/10/12): there’s been a short follow-up in The Independent today.

18 comments

  1. Commentator

    Are there plans to accommodate use case where a user needs to identify themselves on behalf of their employer in order to interact with a ‘government’ system? E.g. an online system where users are authenticated individually to ensure they get appropriate rights within the system but they are interacting with ‘gov’ as part of their work. They won’t want to use personal email addresses as their ID assurance as next month they may have a different job with a different employer, and not want to carry ‘baggage’ of their previous job with them.

    Reply
    • steve

      The short answer is, yes. We acknowledge that people have different hats, especially in relation to individual’s roles in businesses (CFO, company secretary etc). We have an active workstream looking at the challenges of business identity.

      Reply
  2. Less About Identity More About Trust via Government… « Kind of Digital Exchange

    [...] Less About Identity More About Trust via Government…Less About Identity, More About Trust [...]

    Reply
  3. David Moss

    Dear Mr Wreyford

    Having read the Independent, Guardian and Telegraph articles, we’re clearly in for a long haul before the Cabinet Office have to abandon the proposed plans for identity assurance (IdA) in the UK and the US. Let’s get the process off to a gentle start.

    As you say, IdA is less about identity, more about trust.

    Question 1. GOV.UK will be hosted on Skyscape servers. Skyscape has never submitted any accounts, it is wholly owned by one man, who is also the only director. Why do you trust Skyscape and why should anyone else trust them?

    Reply
    • Louise Kidney

      Mr Moss,

      Further to your queries and comments regarding Skyscape, we note that you have since received a reply to these over on the G-Cloud blog

      Reply
      • dmossesq

        Dear Ms Kidney

        Thank you for your post.

        The reply from the G-Cloud team advises me to ask GDS why they contracted with Skyscape. Which is what I have done and GDS have not yet provided any answer.

        I have therefore sent an open letter to ex-Guardian man Mike Bracken asking him to respond. In case i got his email address wrong, could I ask you please to forward it to him.

        Yours sincerely
        David Moss

        Reply
        • Louise Kidney

          Dear Mr Moss,

          The reply to your comment on the G-Cloud blog is reproduced here. We would reiterate Eleanor Stewart’s recommendations that you contact Skyscape should you require more information.

          “Thank you Mr Moss.
          The presence of Skyscape on the CloudStore and its subsequent purchase by GDS and HMRC break none of the rules of procurement and are entirely in line with the OJEU processes. For more information on procurement rules please see here. If you require more information about Skyscape please contact them directly.”

          Reply
  4. dmossesq

    Dear Mr Wreyford

    Judging by the Guardian, Independent and Telegraph articles, we are in for a long haul. It will be some time before the Cabinet Office and the US administration abandon their plans for IdA, identity assurance.

    Let’s make a gentle start.

    Question 1. As you say, it’s more about trust than identity. The idea is to host GOV.UK on servers operated by Skyscape Cloud Services Ltd. Skyscape has yet to submit any accounts to Companies House. The company has just one director and he owns 100% of the paid-up share capital, which is only £1,000. Why do you trust Skyscape and why should anyone else?

    Reply
  5. frankieroberto

    Reblogged this on Frankie Roberto and commented:
    Getting this stuff (identity, privacy, authentication) right is hard.

    Reply
    • F Jackson

      while it maybe technically challenging, the best of the rest have already implemented solutions to digital id assurance and I think it is important that we don’t set about reinventing the wheel (even if we decide it should be square!). For instance Denmark have learnt and applied many lessons on their journey using electronic ID…

      http://www.nyidanmark.dk/en-us/forms/online_help/faq/digital_signature.htm

      Reply
  6. ID in the News» Blog Archive » National ‘virtual ID card’ scheme set for launch (Is there anything that could possibly go wrong?)

    [...] Wreyford, one of those working on this scheme at the Cabinet Office, comments on the coverage on the Government Digital Service [...]

    Reply
  7. This week at GDS | Government Digital Service

    [...] The IDA team’s work was covered in a few papers, and you can read a bit more from Steve Wreyford about that here [...]

    Reply
  8. steve

    Thanks, We certainly agree with you on that.

    Reply
  9. Facebook Privacy Is Good/Bad (Enough); Just Flip a Coin! | HOTforSecurity

    [...] The vulnerabilities of online platforms do not seem to trouble the UK authorities that much. In fact, they are planning to allow users to sign in on a one-stop gov.uk website using existing online accounts, Facebook ones included. The third party providing the respective service to the user should, however, have obtained an Identity Assurance certification. [...]

    Reply
  10. Brian Parkinson

    I am re-assured that Privacy International are working with you on this. Perhaps they will post their view on their site.
    I am concerned with who owns this data and where it will be hosted.
    Firstly where will the linked data be held and who controls and owns the ‘transactional’ data created by this proposed process? Will it be used for commercial gain?
    Secondly where will the service be hosted? Will it be hosted within UK jurisdiction and within the UK? It would be wrong if it were not subject to UK laws. Also will the organisation chosen to host pay full UK taxes and not use loop holes to avoid taxation in the UK (eg Amazon)?

    Reply
  11. UK Government to “Like” Third Party Logins « actiance

    [...] (IDA), which will allow people to access public services using third party logins. Described on a gov.uk blog as being less about identity and more about trust, this could well prove to be right if rumours of [...]

    Reply
  12. Ritchie G. Somerville

    How do we go about assuring “business to business” identity verification, so both the business and those individuals associated with it in some way are trusted

    Reply

Leave a comment