Quarter 3 2020: Government in Identity – Susan Morrow

Think Digital Partners, Digital Identity Advisor, Susan Morrow gives a round up of some of the key activity over the last 3 months.

Posted 28 September 2020 by

Welcome to my first quarterly post for Think Digital Partners (TDP) on all thing’s identity. As an identity professional, I have to keep my ear close to the digital ID ground. So, as part of my role as advisor to TDP, I will be reporting on any interesting and government-related identity projects and news every quarter. 

TDP Advisory

Government identity news

This first post also coincides with the Covid-19 pandemic. I won’t use the ‘unprecedented’ word, however, the impact of Covid-19 on government cannot be overstated. DWP has arguably taken the brunt of the pain by handling the massive increase in Universal Credit benefit claims. This is all amid the backdrop of the Verify scheme (probably) being deprecated in the next 18-months. World events happen and it must be hard to prepare for such unforeseen events as the last 6-months. However, if government can get identity systems working for all, next time we will be ready.

It seems that government departments are working to get to that point. In the last quarter, several government identity-related projects have been published, albeit as solutions at the department level rather than government-wide. Projects with an ID element include: 

  • HM Land Registry (HMLR): requirements for identity verification during a digital mortgage process
  • Scottish Government: A DIS Strategy to deliver against an ecosystem offering attribute stores, identity provision, and broker capability.
  • HMRC: Open Banking payment platform

This is against a backdrop of a number of initiatives driving a digital ID agenda for the government on several fronts:

Companies House and fast verification

Companies House, who have been looking at the best options in facilitating identification of customers for a while now, put out a statement on tackling fraud to ensure confidence in transactions (more on this later). Fast acting identity verification being the key moving part in this system.

Six principles and IAX

The new principles created by the government’s Digital Identity Strategy Board via DCMS, has completed its Call for Evidence stage; read all about the six principles of the IAX in previous blog from TDP. As far as a replacement for Verify, the Identity and Attribute Exchange (IAX) looks set to create the framework that will dictate the operation of any replacement for Verify. 

The Cummings Card

And, as if by magic the ‘Cummings Card’ has appeared. Various press articles claim that Dominic Cummings has plans for a new national ID card…remember the last time the UK tried this? We will see how this pans out. Last time, pressure groups such as No2ID were very vocal on the security and privacy issues of such cards. Now, privacy is the topic of the moment, and the idea of a centralised bank of citizen data, if true, may not go down well with many. 

The Gov.uk account?

An announcement by Jen Allum Head of Gov.uk offers an interesting read and early stage view of the next identity offering from central government. Clearly, the government realise there needs to be the ability to access gov.uk services when Verify ends. 

We want to unify this experience – not to create an ‘uber CRM’ for the government – but to give users continuity, so that they don’t need to start from scratch each time they need to do something with the government.”

Comments in the blog highlight that some will have concerns around privacy and centralisation of data, stating that they will be “taking a privacy and security by design approach.” To reduce any privacy (or security) fears of users a structure that facilitates consent and control over data will be a key design remit. The ethos behind the idea, also encompasses the ability to use the ID to verify against other services, elsewhere. Restricting sharing of data but enabling verification, would protect user privacy whilst mitigating fraud. 

There has been a callout for many years to the government to do more to enable the use of “gov data” to benefit their citizens in such ways. Hopefully, this is a step in this direction?!

Verify Don’t Store?

Most of the projects mentioned here have, to a large degree, an element of user verification. Checking an individual by cross-referencing data against trusted verification services is a crucial part of creating trust for a transaction or for access. There has been a rapid increase in the scale of fraud during the Covid-19 pandemic. Verification plays a key part in transactions to establish trust between users and relying parties, helping to reduce fraud. However, how to achieve this, whilst maintaining a great customer experience, is a key questions that government needs to solve. As always, there is more than one way to skin a cat (sorry cat lovers for using that awful phrase). 

I want to take this opportunity to talk about a concept that we at Avoco call ‘Verify Don’t Store”. This is a variant on the principle of ‘Verify Don’t Trust’ which is part of a Zero Trust approach to securing transactions and access.  When you decide to apply a principle of ‘Verify Don’t Trust’, the system is configured to set a rule that checks an attribute(s) at the point of an event. Using a ‘Verify Don’t Store’ approach, the same principle is upheld but it takes it to the next level. The result is that the system performs the same types of verification checks, but no data storage is required. It is a neat way to ‘have your cake and eat it’. Storage has many issues for the government, including presenting a nice juicy data store for hackers. In a ‘Verify Don’t Store’ system, privacy issues such as data minimisation are by default. Something to think about during Identity-related RFP creation and bid analysis.

NIST (National Institute for Standards and Technology) recently published a guideline for implementing a Zero Trust architecture: SP 800-207 Zero Trust Architecture.

Turbulent Times in Health and Identity

Clearly, it is turbulent times for our health amid Covid-19 and for our identity as government tackle the thorny issues of verifying us and making the experience fit into a government process. As the next 3-months pan out, we will see where some of the new identity ideas from the government go, let’s hope that we can move on from Covid-19 and make headway with an identity system that works for all. 

About Susan Morrow:

Susan has worked for over 20 years in the cybersecurity and digital identity space. She currently holds the position of Head of R&D at identity data specialists, Avoco Secure, based in the UK.

Susan’s focus is on strategic development and solution architecture. Core areas of her domain knowledge include the use of technology layer linking, usability, accessibility, and data privacy. Her mantra is to make sure that human beings control technology not the other way around.

Susan is the Think Digital Partners, Digital Identity Advisor.