Consultation questions, Companies House incident highlight UK IDV industry’s fears

The consultation the UK government is holding to inform how it builds the national digital identity system raises important questions about the role of private Digital Verification Service (DVS) providers. But neither the announcement in the House of Commons nor the supporting material released by the government last week mentions the DVS sector. In the view of the Association of Digital Verification Professionals (ADVP), this oversight not only risks encouraging the misconception that digital ID is synonymous with modernizing government services through the GOV.UK app, it also raises a more fundamental point.
The ADVP writes in a LinkedIn post that the question of who owns the data generated by the identity transactions people carry out has become something of an elephant in the room.
“The Cabinet Office is now in regular dialogue with ADVP and other stakeholders because, like us, they want to ensure the UK gets this right,” the ADVP writes. “That dialogue is refreshing, welcome and positive. Ultimately, however, the consultation needs to resolve a deceptively simple question: is your identity something you own, or something the state owns?”
People accessing services are generally required to share information about themselves, and the ADVP argues they should have choice about who to share it with.
“We would encourage the government to emphasise that people should have a genuine choice of digital identities, of which a government-issued digital ID would be just one. We would also encourage those responding to the consultation to give careful consideration to the DVS options, which already enable the private sector to deliver trusted digital identity services at scale — right now, free to the taxpayer.”
With the government determined to stand up its own digital ID, built in-house, the private sector players who have been filling similar roles over the course of millions of interactions should be acknowledged within the framing of the consultation, the ADVP suggests.
Companies House left unlocked
Questions about how the roles of DVS providers fit into the system are made all the more pressing by developments at Companies House.
The organization suspended company detail updates over the weekend, after it was alerted to a vulnerability that Tax Policy Associates says exposed the identity of five million company directors and could have enabled corporate hijacking.
The vulnerability was first discovered by Ghost Mail, according to a LinkedIn post by Yoti CEO Robin Tombs. Ghost Mail attempted to contact Companies House, and when stymied turned to Tax Policy Associates and its founder, tax expert and transparency campaigner Dan Neidle.
The exposure by Companies House gives it an obligation under UK GDPR to notify the Information Commissioner within 72 hours, and to notify all those affected “without undue delay” since it is a “high risk breach.”
“The vulnerability is clearly concerning — but so is the uncertainty as to whether CH responded swiftly when first alerted by a credible person / organization, or only after Neidle’s higher profile intervention,” Tombs writes on LinkedIn.
Companies House has been providing identity verification to company directors for free since last year, essentially passing the cost of verifications from the business incorporating or reporting to the taxpayer while making it impossible for private sector providers to compete in the market.
In other words, Companies House has established a precedent in which an identity check process covered (in theory) by the DVS framework is instead being carried out, arguably incompetently, at the taxpayer’s expense.