Digital identity trust frameworks – could ID-free UK show the way?
Details emerged for plans for the UK’s digital identity landscape via a series of talks at London Identity Week on the use of digital ID and trust frameworks. UK government research found, to their surprise, that people trust them with their data and assumed the government’s use of it was more sophisticated than the reality. Digital ID trust frameworks are helping to shape the implementation of ID, but should not be left fully to the government to determine said one panellist, while another believes the regulation will let the sector flourish.
‘Surprising’ levels of trust for government data handling so far
Natalie Jones, one month into her Government Digital Service (GDS) role in the UK Cabinet Office after working on digital ID at the Home Office, set out the vision for the service which “will over time touch most of the people in the UK.”
A single sign-on for all government services through the Gov.UK portal should be “simple, joined-up, and personalized.” The site spans every aspect of government and has more than 17.6 million users per week. Yet users require different sign-ins for different, siloed services. Jones considers the current usage frustrating and transactional and needs to move to more of a relationship with users of years and decades.
While Jones was presenting at Identity Week, the ComputerWeekly.com was reporting that GDS has used Solid technology from Inrupt, the startup of internet pioneer Tim Berners-Lee, to build a proof-of-concept for its One Login single sign-on system. The Solid platform uses personal data storage containers, or ‘Pods,’ that enable users to grant granular permissions.
As a dozen government departments collaborate on the overall plan, Jones says the team wants to remove barriers, but not essential safeguards. Current barriers include a lack of existing ID to access the system.
“In 2020, there were 33 percent of people in the UK who didn’t have a driving license, and 22 percent of UK adults were without a passport,” said Jones, “And we know that it’s not just lack of photo ID which means people can’t currently access government services online. We are developing ways to ensure that no group of users are left behind . . . we won’t stop till we’ve figured it out.”
The team is exploring allowing people to use birth certificates when they do not have photo ID, over-the-counter checks at places like the Post Office, working with passport staff and benefits offices to enable a system of vouching and “delegated access” to allow parents and carers act on behalf of others. This approach should allow anybody access services, no matter their socioeconomic background or address or credit history.
Testing systems via user research has thrown up some interesting findings. “For example, users generally trust government – yes, we were a little surprised, too,” said Jones.
“But they trust us because they think we’re already holding their data across government – more than we actually are – and they’re okay with it. Users think government is more joined-up, sharing data across services already.”
Users assume having set up an account with department means they have an overall government account. And while they are comfortable with the government having their data, “what they tell us clearly is that they want visibility and control – control of what we hold and visibility of who and why data is being shared.”
Jones said that these requirements will be a fundamental part of building something that works for everyone: “We are committed to giving users visibility and control over their data and how and when it is used between government services.”
Digital identity trust frameworks
The British government is also developing a trust framework for digital ID, for government and private sector alike. A set of standards and assessment which would allow a person or entity to trust a certified entity.
“Trust always comes from the independence of the assessing and the auditing to the trust framework,” said Julian Ranger, executive chairman and founder of Digi.me, a service which allows users to control their data and how it is shared.
Competition among assessors helps maintain standards along with a review board, said Ranger.
“We often see that the request for certification or assessment comes towards the end of somebody implementing an identity process in accordance with the trust framework – almost by marketing – because ‘if we don’t have the trust stamp, we’re not going to be able to sell it’,” said Ranger, “Clearly it’s far better to start that process upfront and design with the certification assessment in mind.”
Speaking in the same session, Richard Trevorah, technical director at tScheme, a self-regulatory body for electronic trust approval service, said the British government “is striving to put in place those strict rules and processes that can engender the market, that we can then support.”
“It’s also important to have all members of the community working on the evolution of [the trust framework] . . . anyone involved should be involved in the movement forward of that trust framework,” said Trevorah.
The panelists agreed that the UK’s efforts on a trust framework have been more extensive than elsewhere, but that this still is not enough. Government efforts are setting an example and drawing the community together.
“To get the broadest buy-in, then the government has to be effectively controlled by a broad church of stakeholders,” said Trevorah.
“So although the government is a key relying party, you wouldn’t want it to be the sole arbiter of the rules, you need to maintain that buy-in which means you have to have a good support structure of people who are signing up to compliance.”
Trust frameworks to allow ‘market to flourish’
A subsequent panel on the contribution of digital identity trust frameworks saw panellists disagree as to whether the future for identity systems was centralized, decentralized or a blend.
Caroline France from the UK’s Department for Culture, Media and Sport which is overseeing the digital ID framework, said she thinks “there’s still a myth that any type of regulation or governance is necessarily anti-innovation, but in the case of digital identity, I really think the opposite is true and effective governance structures will allow the market to flourish instead.
“The challenge will be maintaining this pro-innovation stance particularly as technologies change and it will be the role of the governing body to spot and respond to those emerging technologies early.”
The public will need to be educated on the power of their own data and learn how to understand the various roles within digital identity and so know whom to approach when something goes wrong, according to France.
“Another consideration is around having clear lines of responsibility,” said France, including layers of regulation such as data regulators, competition regulators, making it hard at the moment for individuals to know where to turn, “but it’s also bad for businesses as well when they’re having to be accountable to multiple regulators with overlapping responsibilities.”
As fraud rockets in the UK (up 30 percent on 2020) and companies are able to check government databases, they must do all they can to protect this data, says France, and that both public and private sectors play a strong role in identifying identity fraud: “Perhaps the government has the role of convening, but then industry has perhaps an even bigger role in making sure those harmful data flows don’t happen and cost the economy.”