Online Identity Assurance
December 6, 2017 by Stewart Hamilton 8 Comments | Category Data
The Scottish Government’s Digital Strategy contains the commitment to work with stakeholders, privacy interests and members of the public to develop a robust, secure and trustworthy mechanism by which an individual member of the public can demonstrate their identity online, to access public sector digital services.
This important work is now up and running and today the Online Identity Assurance project team is pleased to share our Programme Plan, which is our plan of necessary actions to develop a common public sector approach to online identity assurance.
Over coming months – in the spirit and practice of open government – we will work closely with all stakeholders, including interest groups and members of the public, as we seek to achieve the objectives set out in our plan. We’d love to hear your feedback and views on the content of the Plan, as we continue to shape the programme over the coming weeks and months. Dialogue is at the heart of our approach and we look forward to having valuable conversations that will shape this work.
Have a read through our plan, keep following the blog for further updates and get in touch or comment below if you want to share any initial thoughts.
Blog by Ross Clark, Scottish Government, Online Identity Assurance Project Team
- The Programme Plan was amended on 07 December to reflect an update to the membership of the Programme Board.
Looks like the programme plan is to develop a plan. All process and no substance.
I think it would be helpful if the government took a more positive view of online digital identity and explained to people the benefits they might get from having one. Governments of all sizes need to know who people are – it allows them to plan properly and spend money wisely, for the benefit of all; to make sure there are sufficient school places and teachers; to get tax levels right so that social welfare can operate efficiently; to make sure we have the right number of hospitals and nurses and doctors; to protect the public purse, to make it easy for citizens to interact with government at their convenience at times and in ways that suit them and their lifestyle. Taking a paper form and turning it into an electronic form – which seems to be what a lot of digital services consist of – is not especially transformational.
We look at nations that are really pushing online services effectively, like Estonia, and gaze in wonder. Why can’t we be like that?
Then we look at what the Estonians have put in place to deliver this: a national population register, a unique persistent identifier, a national infrastructure, an agreed standard for sharing documents, blockchain technology to record immutable attestations, an identity card for each citizen that includes digital certificates to prove identity and sign electronic documents.
I see no appetite for any of that here and my fear is that this consultation will not address the hard questions that need to be asked and answered. Are we prepared to sell the benefits of this to an increasingly sceptical public and invest in national disruptive technologies or are we resigned to pressing our faces against the shop window wishing we had the courage to buy what was inside? I suspect any kind of ambition in this area will be stifled very, very quickly by a few naysayers raising the spectre of George Orwell and super id databases.
The technologies exist to democratise public services and give Scotland truly world class digital public services but I’m not sure there is the collective government will and leadership to make it happen. And sadly, if we don’t take the opportunity now, we will inevitably see our data fall into the hands of those who treat us as a product rather than a service consumer.
Your Scottish Government Online Identity Assurance Programme Plan looks as though it has the same objectives as myaccount and involves pre-discovery and discovery work that must surely already have been done for myaccount.
In what way has myaccount failed?
It must have failed. Otherwise you wouldn’t be launching a new plan. Given that you are launching a new plan it is surprising that you would look to GOV.UK Verify (RIP) for inspiration.
GOV.UK Verify (RIP) has been rejected by most departments of central government and by local government and by the private sector.
It has a failure rate of over 60% when people try to use it, it can’t handle legal persons, it sprays personal information all over the world to so-called “identity providers”, their subsidiaries and their sub-contractors, its functionality has barely changed since it went “live” in May 2016 and the GOV.UK Verify (RIP) team stopped talking to the public months ago – no sort of an example to the Scottish Government Online Identity Assurance Project Team.
Take a look at ‘On digital identity in the UK – and the likely future for Gov.uk Verify’ [*] and you’ll see that the imminent demise of GOV.UK Verify (RIP) is predicted. Whatever the problems are with myaccount it’s unlikely that GOV.UK Verify (RIP) is any part of the solution.
May I draw your attention to the work of the (then Sir) James Crosby in 2008, which identified many important aspects of the interplay of identity and the public sector, in particular the need to separate the routinely needed authentication (“It’s me again”) from the much harder and rarely needed identification for enrolment (“I’m new here”). The 2010 ‘Requirements for secure delivery of online public services’ (now called GPG 43) takes note of this, but then appears to have been ignored when the Cabinet Office tried to lead, as has Crosby’s highlighting of the need for a repair service. An honest appraisal of why all this has not been delivered in the last 10 years would be useful, rather than starting with fresh hope.
Although devolved services might claim to be unaffected by the mandated interoperability requirements of EU eIDAS regulation for cross-border services public services requiring substantial or higher authentication, separate consideration should be given to any potential use of foreign ID on Scottish services and use of a Scottish ID abroad, with associated liability if ‘notified’, but also the opportunity for ‘just working’. There are non-trivial challenges, not least on how the mismatch between the EU minimum data set and the GDS matching data set can be overcome if there’s only one point of connection per member state.
This is really horrifying, and poor intentions show through at every turn of the document.
The primary group the Scottish government are concerned with is ‘stakeholders’, i.e. servicing the wishes of businesses.
The secondary group is ‘privacy interests’, which is not a group, nor a person, but an abstraction. It’s still worth noting that making services which identify people in order to protect their privacy warrants explanation; it sounds like using McDonald’s to promote healthy living.
In last place, the tertiary group the Scottish government claim to worry about is ‘members of the public’.
Members of the public are not pushing to have their identity mandated. When identity is required for transferring money or Reddit’s AMAs, people have found it trivially easy to confirm their identity.
The rest of the time people on-line are interacting with people they know – so no identity assurances are required – or people they don’t know – so no identity assurances are useful.
Throughout this process, we’re assured that the government will be acting ‘in the spirit of open government’ but the ongoing communication will be with ‘Ministers, Special Advisers, Stakeholders, and Partners’. That’s fine for a company’s board room. It’s not fine for a government.
Some time into the project we are told under the second bullet point of ‘Discovery Project’ that the project, once it’s already underway, can ‘identify the problem that an online assurance solution might address’.
Let’s look at that again – after the project is underway, some group of people will try to understand why it might be useful. But let me be fairer to the document – some group of people will try to identify why it “might” be useful.
Hi Malin, thanks for your feedback. With regard to stakeholders, we are developing a significant process of stakeholder engagement which will shape the development of this project. In our plan, we’ve highlighted several initial groups that we know are taking a close interest and expect to engage with more as this project progresses. Our door is very much open to all who want to get involved. Our plan also states that we are fully committed to developing a solution that is designed with and for members of the public as one of our objectives. Our stakeholder engagement work will seek to engage people in what are important discussions about how public sector digital services are delivered.
Malin Freeborn makes a very apt point:
“Members of the public are not pushing to have their identity mandated.”
Is there strong evidence that this entire project is grounded in large swathes of the public calling for it? I have to agree with Malin that it is suspicious who is really driving to spend so much time and money on yet another form of ID database project.
I appreciate the engagement via this blog but I always use the internet for everything from shopping to banking and have never even considered needing yet another government effort to generate a centralised ID database. Eager to see what emerges from this, I just hope it isn’t a precursor to a mandatory adoption approach for its requirement.
Hi Mark, thanks for your response. Our work is in response to the increasing use of digital in public services delivery, as noted in the Scottish Government’s Digital Strategy. We recognise privacy is a key consideration and that’s why, in line with our objectives, our programme seeks to design an approach around the needs of people who use services. We appreciate your feedback and will be providing more updates as work progresses.