GOV.UK
There’s a group of people here at GDS working on a programme called IDA - which stands for Identity Assurance. We’re helping develop a secure service that lets people log in to online government services more easily.
There’s been a lot of press comment about the programme today and we’re delighted to see that we’re (mostly) managing to get our message across - because this can all get quite complicated. The key ideas are these:
There’ll be no big IT programme and no big government database
Instead, users will be able to prove who they are using accounts they already have with a wide range of non-government organisations.
Users will be in control of their own information
By offering people a choice of how to login to services people stay in control of how they verify their identity.
We’re working with the people who know and care most about privacy and trust
The Privacy & Consumer Group who have been helping us create the privacy principles for this service includes experts like No2ID, Big Brother Watch, Which?, London School of Economics, Oxford Internet Institute and Privacy International. They've been instrumental in how we address users needs for privacy and security.
It is, of course, a bit more complicated than this and we’ll be explaining more over the next weeks and months but that’s the essence.
If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline).
You can also read the Guardian article and the Telegraph article
EDIT (05/10/12): there's been a short follow-up in The Independent today.
18 comments
Commentator
Are there plans to accommodate use case where a user needs to identify themselves on behalf of their employer in order to interact with a 'government' system? E.g. an online system where users are authenticated individually to ensure they get appropriate rights within the system but they are interacting with 'gov' as part of their work. They won't want to use personal email addresses as their ID assurance as next month they may have a different job with a different employer, and not want to carry 'baggage' of their previous job with them.
Link to this commentsteve
The short answer is, yes. We acknowledge that people have different hats, especially in relation to individual's roles in businesses (CFO, company secretary etc). We have an active workstream looking at the challenges of business identity.
Link to this commentLess About Identity More About Trust via Government… « Kind of Digital Exchange
[...] Less About Identity More About Trust via Government…Less About Identity, More About Trust [...]
Link to this commentDavid Moss
Dear Mr Wreyford
Having read the Independent, Guardian and Telegraph articles, we're clearly in for a long haul before the Cabinet Office have to abandon the proposed plans for identity assurance (IdA) in the UK and the US. Let's get the process off to a gentle start.
As you say, IdA is less about identity, more about trust.
Question 1. GOV.UK will be hosted on Skyscape servers. Skyscape has never submitted any accounts, it is wholly owned by one man, who is also the only director. Why do you trust Skyscape and why should anyone else trust them?
Link to this commentLouise Kidney
Mr Moss,
Further to your queries and comments regarding Skyscape, we note that you have since received a reply to these over on the G-Cloud blog
Link to this commentdmossesq
Dear Ms Kidney
Thank you for your post.
The reply from the G-Cloud team advises me to ask GDS why they contracted with Skyscape. Which is what I have done and GDS have not yet provided any answer.
I have therefore sent an open letter to ex-Guardian man Mike Bracken asking him to respond. In case i got his email address wrong, could I ask you please to forward it to him.
Yours sincerely
Link to this commentDavid Moss
Louise Kidney
Dear Mr Moss,
The reply to your comment on the G-Cloud blog is reproduced here. We would reiterate Eleanor Stewart's recommendations that you contact Skyscape should you require more information.
"Thank you Mr Moss.
Link to this commentThe presence of Skyscape on the CloudStore and its subsequent purchase by GDS and HMRC break none of the rules of procurement and are entirely in line with the OJEU processes. For more information on procurement rules please see here. If you require more information about Skyscape please contact them directly."
dmossesq
Dear Mr Wreyford
Judging by the Guardian, Independent and Telegraph articles, we are in for a long haul. It will be some time before the Cabinet Office and the US administration abandon their plans for IdA, identity assurance.
Let's make a gentle start.
Question 1. As you say, it's more about trust than identity. The idea is to host GOV.UK on servers operated by Skyscape Cloud Services Ltd. Skyscape has yet to submit any accounts to Companies House. The company has just one director and he owns 100% of the paid-up share capital, which is only £1,000. Why do you trust Skyscape and why should anyone else?
Link to this commentfrankieroberto
Reblogged this on Frankie Roberto and commented:
Link to this commentGetting this stuff (identity, privacy, authentication) right is hard.
F Jackson
while it maybe technically challenging, the best of the rest have already implemented solutions to digital id assurance and I think it is important that we don't set about reinventing the wheel (even if we decide it should be square!). For instance Denmark have learnt and applied many lessons on their journey using electronic ID...
http://www.nyidanmark.dk/en-us/forms/online_help/faq/digital_signature.htm
Link to this commentID in the News» Blog Archive » National ‘virtual ID card’ scheme set for launch (Is there anything that could possibly go wrong?)
[...] Wreyford, one of those working on this scheme at the Cabinet Office, comments on the coverage on the Government Digital Service [...]
Link to this commentThis week at GDS | Government Digital Service
[...] The IDA team’s work was covered in a few papers, and you can read a bit more from Steve Wreyford about that here [...]
Link to this commentsteve
Thanks, We certainly agree with you on that.
Link to this commentFacebook Privacy Is Good/Bad (Enough); Just Flip a Coin! | HOTforSecurity
[...] The vulnerabilities of online platforms do not seem to trouble the UK authorities that much. In fact, they are planning to allow users to sign in on a one-stop gov.uk website using existing online accounts, Facebook ones included. The third party providing the respective service to the user should, however, have obtained an Identity Assurance certification. [...]
Link to this commentBrian Parkinson
I am re-assured that Privacy International are working with you on this. Perhaps they will post their view on their site.
Link to this commentI am concerned with who owns this data and where it will be hosted.
Firstly where will the linked data be held and who controls and owns the 'transactional' data created by this proposed process? Will it be used for commercial gain?
Secondly where will the service be hosted? Will it be hosted within UK jurisdiction and within the UK? It would be wrong if it were not subject to UK laws. Also will the organisation chosen to host pay full UK taxes and not use loop holes to avoid taxation in the UK (eg Amazon)?
UK Government to “Like” Third Party Logins « actiance
[...] (IDA), which will allow people to access public services using third party logins. Described on a gov.uk blog as being less about identity and more about trust, this could well prove to be right if rumours of [...]
Link to this comment» A quiet revolution is going on in Local Public Service websites
[...] If you want to know what ID assurance is a good summary is here: http://digital.cabinetoffice.gov.uk/2012/10/04/less-about-identity-more-about-trust/#more-5536. [...]
Link to this commentRitchie G. Somerville
How do we go about assuring "business to business" identity verification, so both the business and those individuals associated with it in some way are trusted
Link to this comment