Editorial

Industry reacts to Government’s digital identity trust framework announcement

With the Government calling for feedback to its new trust framework, digital identity experts weigh in with their opinions

Posted 16 February 2021 by

Last week the UK Government published its rules governing the future use of digital identities.

The UK digital identity and attributes trust frameworkfirst announced last year, lays out the draft rules that organisations should follow. It includes the principles, policies, procedures and standards governing the use of digital identity. This, says the government, will enable interoperability and increase public confidence.

Digital Infrastructure Minister Matt Warman called for “industry, civil society groups and the public to make their voices heard.”

Here we have asked digital identity specialist their thoughts on the announcement.

Keith Dear, central govt client executive, ForgeRock: “We welcome this long awaited initiative to set out the rules for the new Trust Framework. Whilst this information is useful for all participants in the new digital identity ecosystem, it omits to mention the anticipated architecture and how this will be orchestrated as a service to government departments and citizens.”

“It is unclear if government intends to build another ‘Verify’ replacement or to take a more modern approach embracing proven security standards such as user-managed access combined with fine-grained attributes based access control. The Trust Framework must be underpinned by a future-proof infrastructure fit for a digital economy that serves the needs of citizens in every aspect of their lives.”

Colin Wallis, director at Kantara Initiative: “It’s good to see the notion of ‘vouching’ added since the November 2020 draft. It indicates a touchpoint where offline and online process flows could synergise wider onboarding.

“In my personal view this draft still reads as ‘top-heavy’ in its detail but more work on the format may improve this aspect, perhaps by presenting the Trust Framework in ‘layers’, with principles and policies applying to all participants giving way to a high level description of the rules, that in turn point to existing or to-be-developed guidelines/standards with the applicable policies, rules and standards reflected in the schemes operating underneath.

“It’s worth keeping in mind the implicit cost and time burden that multiple certifications at each layer may have on service providers, because I think that DCMS would want to demonstrate early adoption success. It is easier to raise the bar on motivated applicants than vice versa.”

Julian Lywood-Mulcock, head of technical practice at Auth0: “It’s encouraging to see private sector companies come together with government to improve processes, security, and ease of use for citizens. The framework is a step in the right direction toward providing easy and secure access to digital applications and services for all.

“We have been fortunate enough to contribute to this initiative, particularly around issues of technical and standards interoperability. We look forward to continuing to contribute to conversations that encourage collaboration across government, and ease citizen access at both a local and national level.”

Rob Anderson, principal analyst, central government, GlobalData: “From an organisational perspective, it’s good to (finally) see an acceptance from government that it needs to work collaboratively across and out with government to come up with a robust framework for universal digital identities. Providers of digital identity solutions will surely see it as a validation of their continued lobbying of government to move away from the previous “we know best” attitude.

“However, it does seem a bit more stick than carrot i.e., ‘if you want to take part, you must comply with all these rules’, but without any acknowledgment of the cost of doing so and how one might recoup that investment, through monetization of any part of the process.

“The document is also very vague on future ownership and governance of the framework, which suggests to me there are still political turf wars going on between Departments. No one wanted to be dictated to by the Cabinet Office (with Verify) and DCMS has arguably fewer teeth as a central body. Without strong and cohesive cross-government leadership, this will fail just as schemes before it have failed.

“I also find it ironic that at long last, the approach appears to have pivoted to looking at what the real user requirement is, not what the government needs to govern access to its own processes. It’s only eight years since Liam Maxwell’s iPhone case bore the words “What is the user need?”

“From an individual’s perspective, I see no communication plan to sell the benefits of the framework, though perhaps this isn’t the vehicle for that. It notes the negative connotations of physical identity cards, but the privacy lobby will surely express concern at the level of access to personal data potentially given to private firms. Whilst personally I understand the safeguards that will be put in place, it needs to be spelled out in plain English that this federated attribute approach does not mean personal information can be used to target consumers.”

Gus Tomlinson, general manager at GBG: “The trust framework is a critical first step, but it simply does not go far enough. As we become increasingly reliant on the digital ecosystem the importance of everybody having access to a trusted digital identity is critical. Without a Digital Identity system that is truly fit for purpose, every day spent online is one fraught with complexity. We must move beyond good intentions to firm and positive action that is inclusive of all.

“The Government needs to move quickly if it is to protect the public in the face of unprecedented growth of the digital economy, with thousands of new customers moving online each week. Right now a patchwork of tech, regulations and approaches is covering the cracks, which is why the government and businesses need to progress fast, and educate consumers in-real time through transparency and honesty.

“What’s needed is urgency and a clear pathway to action to keep customers safe and protect businesses as the economic healing and recovery begins to take shape.”

One supplier, who wished to remain anonymous told TDP: “It is very encouraging that the government recognises the economic importance of this subject and will be creating a stable future for it through legislation. Many will be left perplexed, however: why is this approach better than GOV.UK Verify? Potential private sector investors will want to understand why the Government’s last business case for federated digital identity was not successful and why this new approach will be.”