So, the Labour Party wants free full-fibre broadband for all, and to nationalise Openreach. Cue bedlam on social media as the telecoms industry slams the proposals and the Conservatives scream, “Marxism! State aid! Fantasy economics!”
There was more debate on Twitter alone about the UK’s national telecoms infrastructure in the 12 hours after Labour’s plan was announced, than there has been across the country for the last 12 years. Excellent – that can only be a good thing.
It’s incredibly unlikely Labour’s promise will be fulfilled, but they should be credited for sparking a discussion that should have taken place long time ago, about how to build a digital infrastructure for the 21st century. That doesn’t mean asking, how do we get better at what we already do? That’s the dull, repetitive conversation going on for the past 20 years. It means having a radical rethink of how to support a digital economy for the next 50 years.
But let’s just take a step back and look at some context. First, where we are now.
The UK could and, arguably, should already have a national full-fibre broadband network. That we don’t is down to a mix of Tory ideology, free-market capitalism and – counter-intuitively – a lack of competition in that free-market economy.
BT wanted to start building a fibre-optic network in the 1980s, but prime minister Margaret Thatcher wouldn’t let it happen, fearing that the investment required would prevent a competitive telecoms market developing after BT was privatised. As a result of that decision, a competitive telecoms market failed to develop for 20 years.
When genuine competition did come, it was only around consumer broadband and telephone services. If you didn’t want either from BT, you could go to Talk Talk, Sky or one of several smaller providers. Of course, you were still buying from BT, since most of those ISPs simply resold the BT network.
There was, briefly, a competitive market in cable telecoms, but that quickly consolidated into what is now Virgin Media.
BT was eventually dragged, kicking and screaming, into easing its near-monopoly through what was known as local loop unbundling – basically allowing other ISPs to install their own network equipment in BT telephone exchanges so they could control the “last mile” connectivity to individual premises. It was a big thing at the time, but it hasn’t really changed much.
The benefit from a consumer perspective was that you had lots of ISPs to buy your broadband from, depending on price and customer service (which remains highly variable).
But there remained zero competition at the heart of the telecoms industry – the bit that really matters for building a 21st century digital infrastructure – and that’s in the core network, known in the industry as the wholesale market. If you wanted to buy access to a national broadband network to sell services to consumers, you still had to go to BT. Virgin Media has resolutely avoided entering the wholesale market.
The UK limped along for years, with a structure that allowed for a constructed and heavily regulated form of competition at the consumer level, but an effective monopoly when it came to long-term investment in core infrastructure. It was simply too easy for BT to sweat its copper assets for as long as it could, and so that’s what it did.
Eventually, BT was dragged kicking and screaming (sound familiar?) into upgrading the local loop to deliver fibre to the street cabinet, without touching the copper last mile to the premises. This move only came about after years of regulatory pressure from Ofcom and the promise of government seed-funding for the hard to reach areas where BT said it wouldn’t be able to make a profit.
Today, we talk about moving to full-fibre broadband only because BT has been dragged kicking and screaming (anyone spot a pattern?) into installing fibre to the premises, thanks to pressure from Ofcom, government funding, and the growing influence of ISPs. All the while, BT shareholders have generally done very nicely thank you.
The only reason Labour can talk about nationalising Openreach, is because BT was dragged kicking and screaming (no!) into separating its local loop business into a standalone subsidiary, tasked with creating a level playing field for consumer services between all ISPs including BT.
So, with the exception of the Virgin Media network, we already have a monopoly local network infrastructure provider, that is owned by BT ultimately for the benefit of BT shareholders.
In the last five years, we’ve seen for the first time the emergence of alternative network providers, such as City Fibre and Hyperoptic, largely funded by private capital, which are targeting areas where BT has so far declined to invest in fibre.
So what does this all mean for Labour’s proposals?
For a start, Labour has massively underestimated the cost of nationalisation combined with offering free broadband for all. The National Infrastructure Commission has estimated a cost of about £33bn to build a nationwide full fibre network by the current target of 2033, which Openreach is largely funding itself. Of course, that funding assumes Openreach is still charging for broadband too – with no consumer broadband income, the overall costs would increase significantly.
Free broadband makes for good retail politics, so it’s likely to be popular on the doorstep, and ideologically pleasing to Labour’s base. But it’s very unlikely the proposals will happen. It would need Labour to win a significant majority in Parliament, for a start – which the polls suggest is unlikely. And it’s too controversial and costly to get through for a minority government.
But let’s not ignore it. Already the Labour plan has stimulated some fresh thinking – this blog post by the chief engineer at fibre installer Gigaclear, for example, which discusses an alternative model based around franchising that could deliver a basic free broadband service, a national infrastructure provider, and without having to nationalise Openreach. And here’s another, from former BCS policy director David Evans. There are other possibilities too, that are worth serious discussion without constant heckling from the “we can’t do that” brigade.
What about a minority public stake in Openreach, to use that investment to fund some form of basic free offering?
What are the economic opportunities and the potential for foreign investment in a country where every home and business has access to free internet?
What are the social benefits of such a move? More people working from home; better work/life balance; less commuting (thereby freeing up public funds otherwise needed for road and rail upgrades); less climate-harming long-distance travel thanks to video conferencing and online collaboration; more money going to the local high street because more people work at home; brownfield sites freed up for affordable housing because businesses don’t need so much office space. Maybe we could even scrap HS2 and use those funds to deliver free gigabit broadband to everyone?
If you put aside the current structure of the UK broadband sector, doesn’t the idea of a basic free broadband, from a national utility provider, seem like a sensible consideration if we want to be a global digital leader? It’s easy to say it can’t happen, but if we were starting from scratch, might that be seen as the right answer? Just because the UK has ended up with a messy and complicated broadband market doesn’t mean we have to stick with it to please vested interests, if we can yet build something better.
Labour’s broad and unspecific proposals also won’t work because they raise too many tricky questions, such as:
- What happens to Virgin Media and other ISPs, as well as the startup fibre builders? Most could be put out of business. Third-party investment in telecoms infrastructure would dry up.
- What about telephony? Currently, you can’t have BT broadband without a BT landline and phone service, when more and more people don’t use a landline. Would Labour nationalise the fixed-line phone service too?
- Where does the nationalised network begin and end? Openreach only looks after the last mile – the entire broadband network runs across BT’s core backbone network, which is also used as backhaul by mobile operators as well as thousands of corporates. Does that mean Labour’s British Broadband operator has to buy all its backhaul from the un-nationalised remnant of BT? Surely that’s a private sector monopoly?
- What about BT’s pension fund, which has been a huge financial drain on the telecoms giant for years? Would a Labour government have to take that on for all Openreach staff?
- Feel free to add your own.
In summary, Labour’s proposals won’t be implemented. But they do highlight the opportunity for a radical rethink of the UK’s telecoms infrastructure, and that’s a debate we should be having.
After all, when you think about it, and try to put politics aside, free basic fibre broadband for everyone is actually a pretty good idea. Let’s not dismiss it just because it doesn’t suit the way the industry works today.
IT employers must recognise benefits of flexible workforce and not hit contractors over IR35 reforms
For any IT professional who has managed to make a living as a contractor for the past 20 years, the acronym IR35 must be like a crucifix held up to a vampire. The tax reforms were considered controversial when first introduced in 2000, and now – just when you thought you’d got used to how it works – the taxman is nailing two pieces of wood into a cross once more.
Let’s recap: IR35 is designed to prevent individuals who work in much the same way as a regular employee from unfairly reducing their tax burden. It’s common practice for contractors to set up a company with one employee – themselves – and charge clients for their time through that company. As a result, they avoid PAYE by paying themselves a nominal wage and earn an income by taking dividends as a director of the company, which accrues tax at a much lower rate. But they miss out on benefits such as National Insurance and pension contributions, holiday and sick pay.
Generally, this is seen as a fair exchange – the contractor takes extra risk and so earns more money, while the organisation that procures their services pays more than they would to a salaried employee but without the added costs and can terminate their services at short notice if needed.
IR35 effectively says, this is fine as long as you are not working exclusively for one company, long term, in a job that would otherwise be done by a regular full-time employee, in which case you should be taxed on PAYE and receive employment benefits. Contractors that work for multiple clients are considered outside IR35.
Now, the administrative burden of IR35 is shifting from contractors to the organisations that hire them. HM Revenue & Customs (HMRC) reckons that too many contractors are claiming to be outside IR35, when in truth they are “inside” IR35, and as such are avoiding tax to the tune of £1bn-plus every year.
The reforms have already hit the public sector, and affected thousands of IT contractors, as well as delaying important digital government projects. In April 2020, it hits the private sector too, and employers will have to certify whether or not any contractor they use is IR35 compliant.
For big firms, such as banks, which use thousands of contractors, this will be too much of a burden, and already those companies are reviewing policies to avoid that administrative overhead. Contractors face a choice of becoming employees, with a consequent drop in income, or working for umbrella companies such as recruitment agencies, which will take a cut of their fees.
Contracting is potentially a rewarding move, but it’s also high risk. Contractors are first out the door when budgets are cut. But they also bring great flexibility for IT departments, and especially now when skills shortages threaten to derail digital transformation initiatives.
Contractors claim that HMRC is being heavy handed and unfair, saying it is inevitable that employers will take the easy route to the detriment of freelance workers. Some claim the reforms will backfire, as contractors’ reduced income means the overall tax take will be less anyway.
In uncertain economic times, employers value a flexible workforce, and the agility to respond quickly to business change. Contractors willing to risk the job insecurity offer that – and as such this protects the full-time workforce from the vicissitudes of business. As the private sector reviews how to manage its contractors, they must keep the benefits of that flexibility in mind and not punish contractors for the added complexity demanded by HMRC.
As Computer Weekly readers will know, there are many great reasons for working in tech – it’s fast-moving and creative, it’s changing the way we live and work, and mostly it’s well remunerated. Feel free to add your own.
But IT can also be a highly pressured environment – running critical systems that support huge flows of cash, govern the movement of goods we all rely on in our daily lives, and sometimes even help to make life or death decisions.
And all too often in these strange and troubled times, IT professionals are expected to do all this while under-resourced, over-worked, and to the detriment of their work-life balance.
Mental health is increasingly talked about as a societal issue, but it’s not one that’s had much focus in IT. It’s unsurprising, therefore, to learn that as many as one in five IT professionals have expressed mental health concerns as a result of their work.
A Harvey Nash survey of more than 2000 UK IT workers highlighted problems around excessive working hours as a result of skills shortages, as well as lack of flexibility, and job insecurity.
IT staff are no longer hiding away in a dingy back office staring at screens trying to keep the lights on. They’re on the frontline of business and government, running websites and payment systems and monitoring the security of applications and data that can be under constant attack.
It’s too easy to dismiss all this as part of a stressful but well-paid career. More than four in five IT professionals are male, often more on the introverted end of the personality spectrum, and perhaps less inclined to talk about their feelings and worries in the workplace.
IT still has a worrying lack of diversity, so if you don’t fit the white, male stereotype, then a lot of women and minorities that work in the sector have to deal with their own unique stresses until the sector tackles this problem and becomes more genuinely inclusive.
Nobody in a leadership position in tech should take for granted the mental health of their workforce. Any decent employer will know they have a duty of care to their staff, but how often do IT leaders discuss mental health issues with their teams? Probably not that often.
IT is playing an ever more crucial role in business and society, and it’s time that we all took more consideration of what that means for the health, wellbeing and productivity of the people who work there.
Mental health is a very real issue in technology, and IT leaders must actively seek ways to address the concerns of their teams and to create an environment that allows everyone to achieve their full potential and capability.
Prime minister Boris Johnson and his controversial special advisor, Dominic Cummings, are “secretly” working on a plan to gather citizen data from across Whitehall to be used for targeting communications to people in the run-up to Brexit, according to a report from Buzzfeed News.
Computer Weekly sources have confirmed that Cummings and Number 10 have taken a particular interest in how Gov.uk Verify – the government’s troubled digital identity scheme – could be used to facilitate such a move.
Rumour has it that the Government Digital Service (GDS), which develops Verify, has not been unenthusiastic about an idea that could help to establish Verify, even as its support dwindles elsewhere.
Could such a plan work? If so, how? And is it legal? Below is an entirely speculative theory, but could it potentially happen? If anyone reading has further insights that add to or contradict any of this, I’d be happy to hear from you.
Let’s put aside the legal issues for a moment, and examine the technical infrastructure.
So, you visit a Gov.uk page, and a cookie is dropped that can identify to GDS the device / browser you used, and also to the department that runs the service you accessed, such as tax accounts or Universal Credit.
That cookie doesn’t know who you are – only that this browser has been here before. GDS uses Google Analytics to understand how people are using the website – pretty standard practice for any website (ComputerWeekly.com does this too).
This can tell No.10 what pages, and therefore what topics, are being read the most. Cookies are also used by commercial websites to target online advertising to returning browsers / users. Gov.uk does not run ads, but in theory it would be possible to pop up an advert for a government service, or for the “Get ready for Brexit” promotional campaign already underway.
Then there’s Verify. For all its problems, Verify now has nearly five million registered accounts. The system was designed with privacy in mind – part of its core rationale was to avoid the creation of a central identity database. Verify was created partly in response to the scrapping of Labour’s ID Cards programme – it has, since then, been politically unacceptable to create a citizen identity database, whether by stealth or virtually.
When you create a Verify account, all the data you provide is retained by a third-party identity provider (IDP), and not by the government service you wish to access.
However, when you access that service, the IDP provides a unique identifier to the relevant Whitehall department – which cannot be used to derive any personal information. But it also sends across a set of basic attributes – name, address, date of birth as a minimum – solely for the purpose of matching the user to data already held by the department.
For example, if you’re checking your tax records, HM Revenue & Customs will use those attributes to make sure you are the correct John or Jane Doe for which it already holds a record, so you don’t end up looking at someone else’s financial details.
The Verify data policy states that “You must not use the user attributes for anything other than matching. If you do, you may be in violation of the General Data Protection Regulation.”
Note, “may” not “will”.
It’s therefore technically possible to match a Verify user with the Gov.uk cookies on their device – which means No.10 could derive who is reading which web pages, for up to five million citizens who use Verify.
Once more putting aside the legalities, it would be technically possible to further match the information on who you are and what you’re interested in, with social media data to allow targeting of adverts on Facebook, for example.
That’s still “only” five million people.
GDS has a stated objective to achieve 25 million Verify users by 2020 – a figure that’s been recognised as over-ambitious. There have been attempts in the past to mandate use of Verify for digital identity across government, but these have been resisted. Could a more aggressive approach from No.10 overcome that resistance?
There are rumours that GDS wants to overcome negativity towards Verify by instead mandating that any Whitehall identity schemes conform to a standard called GPG45, upon which Verify is based. Presumably, the hope is that most departments would find that the only GPG45-compliant system available to them in the short term happens to be Verify.
That’s not going to change much between now and 31st October when the UK is currently due to leave the EU, but the Buzzfeed report refers to “a digital identity accelerated implementation plan”, and the prime minister has told departments to “to engage in that work urgently”.
Could Brexit, Boris Johnson and Dominic Cummings yet save Verify?
There are, of course, legal restrictions over data sharing, even between government departments. GDPR is relevant, but more pertinent is the Digital Economy Act (DEA) of 2017, which governs the circumstances under which public bodies can share data.
There are valid reasons for inter-departmental data sharing, which are set out in the Code of Practice for public authorities disclosing information, which is part of the DEA.
“Public service delivery is changing, due to increasing acknowledgement that services are more efficient and effective when they are joined up. Joining up services requires the sharing of information,” says section 55 of the code.
“The Digital Economy Act 2017 creates a mechanism for establishing clear and robust legal gateways which will enable public authorities to share relevant information on the individuals and families they are working with in compliance with the data protection legislation. The primary purpose of this power is to support the well-being of individuals and households.”
A number of situations are included in the code, relating to areas such as fuel and water poverty, debt recovery and fraud.
But the Act sets out the principles and processes for establishing new areas where data sharing can be justified – these are tightly controlled and require approval from Parliament, publication of a privacy impact assessment, and must be listed on the public register of information sharing agreements. There are currently 38 records in the register, mostly involving local authorities seeking data to help reduce council tax debt.
In theory, therefore, there is a mechanism to establish legal data sharing of internet activity data between departments – but it’s onerous, time consuming, and needs scrutiny and approval.
“The public service delivery power gives you the ability to gain access to the data you need to respond more efficiently and effectively to current and emerging social and economic problems. The power allows ministers in the UK government to set objectives in regulations,” says the code of practice.
If you can make the argument that Brexit is an “emerging social and economic problem,” it may just be possible (although proroguing Parliament doesn’t help).
What other sources of data might exist?
Let’s say you were one of the six million people who signed the online petition to revoke Article 50 and remain in the EU, or one of the 1.7 million who similarly petitioned against Johnson proroguing Parliament.
The e-petitions system collects and retains for up to 12 months your name, email address, postcode, the country you live in, and the IP address you use when starting or signing a petition.
Presumably, if you petitioned to revoke Article 50, then government policy on Brexit will be “relevant” to you – and this time they have your email address too.
Of course, it’s not as simple as that. Online petitions are run by Parliament expressly to demonstrate that the data is not being collected by or for the government. This is governed by a cross-party committee that has in the past pushed back hard on any attempts to use the data for any other purpose.
Given the current state of UK politics, it must be unlikely the committee would accede to requests from the government to access that data for Brexit-related purposes.
But nonetheless, it’s technically feasible. The only question is how far any prime minister or their government is willing to push the boundaries of political convention and legality to get access to all that data.
The Government Digital Service (GDS) has published details of the planned pilot project for opening up passport data to companies that wish to offer digital identity services.
GDS recently held a briefing for organisations that wish to participate in the forthcoming private sector trial of the Document Checking Service (DCS) that was first developed to support Gov.uk Verify, the government’s troubled digital identity scheme.
The briefing was attended by a variety of identity providers, standards bodies and suppliers, along with private sector firms – including IAG, the parent company of British Airways, according to sources.
The details of the pilot have caused a degree of consternation among some of those present, although GDS has asked for feedback on its proposals, so the plans may yet be revised.
The stated objectives for the pilot are:
- To test the industry demand for checking information given by a user against government data sources;
- To understand the different ways that organisations could use digital passport checks;
- To test the technical design that would make these checks possible;
- To capture consumer interest and experience of these checks, and perception of this use of passport data;
- To understand if this is commercially viable, for the government and the organisations taking part.
The pilot is intended to operate as follows:
The service offered is for a simple yes/no digital check as to whether a passport is valid, through an API request. Participants are told that they “must only check passport data to prevent or detect crime” and must obtain explicit consent from users for their passport data to be processed in this way.
The passport data check can only be used as part of a wider service – participants are not allowed to develop a service solely for checking passport validity.
That lack of service flexibility will be a concern for some interested parties.
The pilot will begin in April 2020 – after the time when GDS hands over Gov.uk Verify to the dwindling number of identity providers (IDPs) still supporting the service – and will last for up to 12 months.
The trial will be limited to a maximum of six million passport data checks, and the number of simultaneous checks will be throttled, presumably to prevent overloading ageing IT systems at the Passport Office. Companies must submit applications to take part, and specify the minimum and maximum number of passport checks they will make during the pilot.
The six million checks threshold may be too limiting for some. In Australia, a country of about 25 million people, a similar passport checking service attracts over 80 million checks per year.
Participants must conform to a series of legal, technical, security, data protection, records management and personnel checks by GDS, accept audits and demonstrate compliance to GDS’s satisfaction.
Perhaps controversially, participants will have to pay £15,000 up front as a one-off fee for access to the DCS. Each passport check will cost 50p.
It’s worth remembering that GDS has been told by HM Treasury it cannot spend any further money on Verify after March 2020, so it seems that, effectively, the pilot will be funded by the companies that take part.
I’m told there are mixed feelings about the up-front cost – some think it will deter smaller companies or startups, others think it’s not unreasonable but it would be a problem if it became an annual fee for DCS access after the pilot.
One source described the pilot details as a “starter for 10” at best – not awful, but not great. Others feel the limits on volume and data use are too restrictive – hardly an example of opening up a digital identity market that would grow the UK’s digital economy.
There is also no guarantee that the pilot will be taken forward into a live service – which makes developing a business case difficult.
There are also grumblings about the fact that existing Verify IDPs that already have access to DCS for online public services, had their development costs funded by GDS – but everyone else has to stump up £15,000 just to be in the game.
The pilot will only offer passport data checks – and not driving licence checks which are available through DCS for Verify IDPs. DVLA is believed to have refused to take part in the pilot.
Perhaps the most telling observation though, is that the information pack about the pilot that is being sent to interested parties – a detailed 15-page document that outlines the requirements for taking part – does not mention Verify even once.
The Government Digital Service (GDS) insists that its plans for Gov.uk Verify “remain on track” despite the withdrawal of three of the five remaining identity providers (IDPs) supporting the increasingly troubled programme.
GDS faces its March 2020 deadline to hand over the government’s flagship digital identity scheme to the private sector with only two IDPs still involved – and they are in effect only one IDP and a reseller.
The Post Office, which operates on the Digidentity platform, brings much more to the game than simply fronting the Digidentity technology, with its ability to potentially offer a face-to-face element to identity verification through its national branch network and its trusted consumer brand.
But it’s the loss of Experian that will damage Verify the most, and bring a huge additional financial burden to a project that is expected to have already cost £175m by the end of next March.
Do not underestimate the significance of Experian’s withdrawal.
The company has been involved with Verify from the start, one of its strongest supporters. Its director of identity and fraud, Nick Mothershaw, is chair of OIX, the identity standards body that has been largely funded by GDS to establish Verify as an international standard. Experian is serious about digital identity – but is no longer serious about Verify.
We cannot find out why Experian – or the other departing IDPs, Barclays and Secure Identity – decided to ditch Verify, because all the IDPs are gagged by GDS from talking about their contractual arrangements.
But we can work out what losing Experian will cost. Bear with me, there’s maths involved.
According to the National Audit Office (NAO), GDS currently pays to the relevant IDP about £20 for every new Verify account that is set up. These charges were renegotiated as part of the new IDP contracts agreed in October 2018 that last until March 2020, in the hope of reducing sign-up costs by introducing better volume discounts.
The NAO said that for Verify to become cost-neutral by April 2020 – the stated government goal – the cost of verifying identities needs to fall by 95%, which suggests the target is £1 per new user. It’s clear from the NAO’s March report that Verify is nowhere near that.
According to a McKinsey report produced for GDS in October 2017, Experian was the biggest IDP at that time, with 44% of all users. Post Office had 42% and Digidentity 9%. The other IDPs – all of which have now withdrawn – had only about 5-6% between them.
If those percentages are similar today, Experian would be responsible for over 2.1 million of the 4.8 million people signed up to use Verify. The company will continue to service those existing users for 12 months after March 2020, but will not take on new registrations.
This means that 2.1 million Experian account holders will have to re-register with either Post Office or Digidentity to continue accessing online government services after March 2021.
And at £20 per user, that means 2.1 million additional £20 charges – more than £40m in total – that will have to be paid by taxpayers on top of what Verify has already cost.
That’s a nice windfall for the Post Office – not to mention Digidentity, which will get a cut from every Post Office account registration too and have an effective monopoly of Verify users.
There’s a whole other issue to discuss – that a Dutch company will exclusively own the database of all the UK’s online public service users – but I digress.
Even if volume discounts kick in somewhere along the way, Experian’s withdrawal from Verify will mean tens of millions in additional costs. Considering that HM Treasury has already put a block on further spending for Verify, will government be willing to pay that bill?
And who knows, perhaps the tens of millions the Post Office stands to make from taking on all those homeless Verify users might even help to pay its ballooning costs in the High Court case examining its controversial Horizon branch accounting system.
Meanwhile, here’s the official GDS line: “Digital identity remains a key priority for government and we are currently undertaking a call for evidence seeking views on how to support the development of digital identities fit for the UK’s growing digital economy. We are working to create a flourishing, private-sector led marketplace for digital identity and our plans to do so remain on track,” said a spokesperson.
Gov.uk Verify – the government’s flagship digital identity system – faces a critical few months ahead. Again.
As the clock ticks down towards the end of March 2020, when further public investment in Verify ceases and the system is taken on by the private sector, significant questions remain over the viability of Verify.
In particular, three major issues need to be addressed:
- Rules of access to government-held data by external identity providers (IDPs) for non-government transactions;
- The cost of IDP services, once the Government Digital Service (GDS) no longer subsidises the fees paid by the Whitehall departments that use Verify;
- The role of Verify in the mooted digital identity ecosystem that GDS needs to stimulate to justify the £175m invested in the troubled programme.
There was a combination of relief and exasperation last month when GDS and the Department for Digital, Culture, Media and Sport (DCMS) announced a consultation and call for evidence on the future of digital identity in the UK.
Relief, from the private sector companies frustrated by their exclusion from Verify, and which believe that Verify’s problems have hindered their market growth. Exasperation, from digital identity experts who understandably ask why has the consultation been left so late, and what has GDS been doing all this time that it now needs to issue such a back-to-basics request for input?
You can’t escape the fact that a programme that’s been running for six years, has waited until less than nine months before it’s handed to the private sector, before publicly asking for advice on the respective roles of the private and public sectors in creating a digital identity market. And even that has only come about mainly because of pressure from DCMS.
At the same time, the longstanding leader of the Verify team, Jess McEvoy, has shifted sideways to a new role. While the Cabinet Office says she remains involved with Verify, her previous job as programme director has been taken on by Lawrence Hopper, formerly head of policy and strategy. Lisa Barrett, director of digital identity since March, is now senior responsible owner (SRO) for the Verify programme.
Further pressure mounted this month when the Infrastructure & Projects Authority (IPA), the government’s major projects watchdog, raised Verify’s status from “amber” to “red” in its latest annual report. “Red” is defined as having problems that are “currently impossible to manage or solve”.
The IPA rating is based on an assessment conducted in September 2018, only two months after an IPA review recommended that Verify be scrapped.
At an event in June this year, Barrett revealed for the first time that the IPA’s concerns related to doubts in 2018 over whether the existing IDPs would continue to support Verify. Subsequently, two of the seven IDPs decided not to, while five signed up to new contracts that should lead to the companies taking over Verify in April next year – theoretically mitigating the problems the IPA identified.
But it’s that critical role of the IDPs, and their commitment to the programme, that remains one of the big issues to resolve.
Access to government data
The most valuable part of the Verify system, as far as the remaining IDPs are concerned, is the Document Checking Service (DCS), a tool that allows them to check a user’s passport or driving licence against data held by HM Passport Office (HMPO) and the Driver and Vehicle Licensing Agency (DVLA).
Passports and driving licences are the highest standard of identity verification available, and as such are essential to the IDPs’ involvement in Verify. Without the ability to check against that data, the difficulties of assuring an individual’s identity are significantly higher – and the business risk for the IDPs is greater.
Computer Weekly understands that when the DCS was created, HMPO and DVLA agreed to allow access to their data to support Verify for the delivery of government services only. According to insiders, neither organisation has given permission for its data to be used in private sector transactions.
Therefore, if Verify is to be used to support private sector services – which GDS wants to happen, and which the IDPs expect to be allowed to do – HMPO and DVLA need to give their approval.
To that end, GDS is to run a small-scale pilot where HMPO data will be used for existing Verify users, operating through an existing IDP, who wish to re-use their Verify identity to access a commercial service, such as applying for a credit card. This will be an important milestone for the use of Verify in the private sector.
The trial may, or may not, eventually include testing the use of passport data for creating a new Verify identity for a non-government service.
Amazingly, the Cabinet Office told Computer Weekly that the design of the pilot will not be finalised until after the call for evidence has concluded in September – meaning that even the limited wider trial of DCS will not start until barely six months before the March 2020 deadline.
It’s also notable that DVLA is not involved in the pilot. Our sources suggest that DVLA is so far refusing to allow its driving licence data to be used for non-government services at all – not even for a limited trial.
This has major potential implications for the IDPs. Only two of those IDPs really matter – the Post Office and Experian, which between them are responsible for over 80% of all the existing Verify users.
The attraction for IDPs of working with Verify comes from customers that signed up to public services – such as Universal Credit or tax self-assessment, the two highest-volume digital services – being able to re-use their Verify identities for commercial transactions.
If, however, passport and driving licence data cannot be used for commercial services, then the ability to re-use a Verify identity is limited. IDPs would not be able to use the trust levels embedded in HMPO and DVLA data to assure those individual users – which means the assurance levels are likely to fall below acceptable criteria for the commercial service, such as a bank or e-commerce firm.
In such a situation, IDPs would need to rebuild those assurance levels from other sources – which is costly, time-consuming, and likely to be a terrible user experience. For a big IDP like Post Office or Experian, this could even undermine their entire business case for using Verify.
Note that Post Office has a further challenge, in that it is acting as a reseller for another of the Verify IDPs, Digidentity, which means the Post Office is probably operating with thinner profit margins. The loss of DVLA or HMPO data would most likely have a greater financial impact on Post Office than any other IDP.
Rumour has it that IDPs have an option coming up in the next few months to give GDS notice they will no longer be involved with Verify after March 2020. If that’s true, then the issues around access to passport and driving licence details could come to a head very soon.
Cost of user verification
Much of the budget for Verify has been spent on subsidising the cost of registering and maintaining users – according to the National Audit Office (NAO), that’s accounted for 38% of costs, which equates to about £60m so far. GDS has, in effect, been paying much of the private sector IDPs’ development costs.
A fee is charged by an IDP for every user successfully registered – about £20, says NAO – and then a lower annual fee for every user that remains active. The charges were renegotiated as part of the new IDP contracts agreed in October 2018 that last until March 2020, to reduce sign-up costs and introduce incremental price reductions as user volumes increase. The NAO said that for Verify to become cost-neutral by April 2020 – the stated government goal – the cost of verifying identities needs to fall by 95%.
However, the Whitehall departments whose online services use Verify, currently pay significantly less than the IDPs are paid. GDS subsidises the fees to make Verify cost-effective for departments, such as HM Revenue & Customs (HMRC) and the Department for Work and Pensions (DWP). Sources suggest that departments pay only £1.20 for the initial sign-up, with GDS funding the remaining £18.80.
It’s also not clear how IDPs are now paid for subsequent use of a Verify account – specifically, whether they charge a cost per login for existing users. GDS won’t discuss sensitive commercial details, but if such charges are being made, this highlights another important concern.
Imagine you’re a major department relying on Verify – such as DWP, where Verify is used as part of its Universal Credit (UC) welfare system – and you no longer have GDS subsidising costs. Benefits claimants on UC are encouraged to manage their account entirely online – requiring potentially numerous logins per month. If DWP has to pay £20 per user up-front, then a further fee for every subsequent login, that quickly starts to become very expensive, especially when UC is rolled out to millions of people.
Verify is set to reach an important milestone soon – five million registered accounts. That’s a decent number – one which could have been seen as a success, were it not for how poorly GDS managed expectations for Verify in its early days and in the 2015 business case, and set a massively over-ambitious target of 25 million users by 2020, against which success has instead been measured.
It’s a chicken-and-egg conundrum for Verify – GDS needs to increase user volumes enormously to reduce IDP fees by 95% to make the system affordable for government after March 2020. But Universal Credit roll-out has been delayed, and as of the NAO report in March, only 4% of HMRC tax self-assessment users opted for Verify over HMRC’s longstanding Gateway login system.
In a recent blog, GDS touted the January 2019 tax deadline as “having the most Verify users during a self-assessment peak”. Let’s see what that means.
According to GDS figures, in the five weeks leading to the deadline, an average of 50,145 users signed up per week. In the five weeks after the deadline, the weekly average was 45,986 – just 4,159 less. That suggests only an additional 20,000 Verify users during the five-week self-assessment peak – an improvement over previous years for sure, but not exactly a figure to generate hyperbole about.
Since then, about 40,000-45,000 new users have signed up with Verify each week – surely not enough to increase volumes to a level that will cut IDP fees by 95% in the next six months. And especially not if DWP were to waver in its commitment to Verify – on which topic, read on…
Verify and the private sector
There has been a noticeable change of language from GDS recently. Where once we were told that Verify would become a national digital identity system across public and private sectors, now we hear that Verify is simply one implementation of the technical standards, known as GPG45, which will underpin the wider ecosystem.
That £175m programme cost seems even more money if its main outcome is agreement on an industry standard and little else.
Already, there are other digital identity schemes starting to emerge from the private sector that may make Verify redundant. The banks, in particular, are finally working together on identity standards in support of open banking and PSD2 regulations. Banks also have to consider rules around money laundering and “know your customer” (KYC).
When McKinsey was brought in to review the Verify programme in 2017, the consultancy concluded that one of Verify’s biggest failures was its lack of involvement from the big retail banks. McKinsey recommended that for Verify to be a success, it would need to be integrated into multiple banking services and attracting new users through those banks, by the end of 2019. Clearly, that hasn’t happened.
While GDS is engaged with the banks on their identity schemes, the aim is interoperability – for a digital identity created by a bank to be re-usable for government services, and vice versa. It’s not about using Verify as part of the banks’ ID schemes.
So that would leave Verify as the technical implementation of GPG45 used within UK central government. But how long would even that last?
We already know that only a single-digit percentage of HMRC users prefer Verify to Gateway. So what about DWP, and the potentially millions of Universal Credit users?
DWP recently announced a procurement exercise intended to “to reduce its reliance on current identity solutions”. For Universal Credit, users first establish a UC login, and then their identity is assured using Verify – with users subsequently encouraged to use the UC login once they are registered on the system.
According to sources with knowledge of the new procurement, DWP wants to further abstract UC login from the underlying ID assurance system used to prove the identity of benefit claimants – currently Verify. This could allow DWP to quickly plug-in alternative digital ID schemes, to eliminate its dependence on Verify. Existing Verify IDPs and other commercial ID providers could then offer their services in support of Universal Credit.
DWP is also understood to have another issue caused by Verify. When the new IDP contracts were set up last year, and two of the previous IDPs dropped out, that disconnected approximately 380,000 Verify users from the IDP through which they signed up.
Verify uses what’s called a “double-blind” approach to protect users’ privacy. This means that an IDP does not know which government service a user wants to access, and the government department doesn’t know which IDP the user has registered with.
Users who originally registered with the two IDPs that dropped out of Verify will be supported by those IDPs for 12 months – after which they will need to re-register with another IDP. Most likely, those users have no awareness of this fact.
For DWP, this potentially means tens of thousands of benefit claimants who may suddenly find their Verify account no longer works. And because of the double-blind privacy, DWP has no way of finding out who are the affected users, nor even how many of them there are.
Imagine what might happen, if large numbers of those disconnected users can no longer access their UC account, even temporarily, and the strict rules around UC mean their benefit payments get sanctioned or suspended?
If other IDPs pull out, especially those with even more registered users, that becomes a massive issue for Universal Credit. Could anyone blame DWP for wanting to mitigate against such an outcome, with all the negative publicity it would bring?
And without those Universal Credit users, what would be left for Verify?
It’s traditional upon the coronation of a new Prime Minister to write a list of all the things they need to address in the tech and digital sectors. It would be a long list – digital skills, IT education, broadband, 5G, the impact of artificial intelligence, tech startups, e-commerce, regulation, privacy, data protection, digital identity, fake news, social media, and so on. Please, feel free to add your own.
For all her many faults and failures, former PM Theresa May did oversee perhaps the most tech-friendly government there’s been. For all his many faults – let’s see about failures – Boris Johnson is unlikely to diminish his administration’s support and promotion of the digital economy.
Behind his campaign promise to “insert high-speed broadband into every orifice of every home”, there lies the reality and appreciation that the only future for the UK economy is one built on a thriving tech sector and a digitally enabled citizenry. The intent is there – the question marks will continue over delivery, but that would be the same whoever was in charge.
Inevitably, the single most important issue for everyone in technology – as it is for everyone else – is Brexit. The threats to our digital economy from a no-deal Brexit are real – if data flows dry up, it would devastate any UK business that operates overseas. If our ability to sell digital services to the EU is constrained, our digital skills base could be shattered.
But we all know Brexit is the number one for priority for PM Johnson – even if we don’t yet know what that will mean in practice. The only certainty these days is uncertainty.
So what’s the message the tech sector and IT professionals should be sending to Johnson, should he wish to listen?
The next decade will bring greater social, cultural and business changes as a result of the digital revolution, than we have seen even in the last 10 years. All the short-term policies we need are obvious – see the list above – and even the most technophobic minister will understand that.
But with Brexit and the potential for another general election looming, who’s going to think about the long term? Who is going to reshape the education system for a world where children can find out the date of the Battle of Hastings online quicker than a teacher can write it on a whiteboard? Who is going to find the next generation of digitally literate teachers to prepare those kids for a rapidly changing world?
What about transforming the wider skills base to be ready for the wave of automation that will remove thousands of white-collar jobs? Who’s going to ensure that the vast data collection from internet of things devices is harnessed for our greater good and not simply to boost profits?
Who is going to devise a regulatory system that anticipates, not reacts too late, to new technologies and their implications? When our everyday activities are being governed and influenced by a real-time data economy that can work beyond the confines of nation states, who’s going to make sure the average citizen’s needs are looked after?
Here too, you can add your own.
We’re on the cusp of a radical change in the way we live and work. And we need a government that’s preparing for that. We need a prime minister with his or her head up, looking ahead and able to deliver a vision of a digital society that works for everyone.
Our question to the new PM should be: is that you, Mr Johnson?
The latest select committee report by MPs into the progress of digital government in the UK has resurrected a question that has reared its head on several occasions in the past – do we need a unique single identifier for every citizen, to be associated with our online presence?
This debate was most recently quashed in 2010 with the advent of the coalition government that quickly scrapped the outgoing Labour administration’s ID cards scheme and its associated central database. It was widely accepted that the concept of a physical card to prove who we are was a step too far in terms of individual liberty and personal rights.
That political decision led directly to the creation of Gov.uk Verify, the troubled digital identity scheme that has gone out of its way to avoid having a single identifier, instead working on a federated model.
While most experts agree that federated identity is the ideal solution, it’s hard to deliver on a national scale – as Verify has proved.
A single identifier has many benefits, say supporters – it makes identity verification easier, and it could allow citizens to quickly associate all the data government holds on them, to check it is correct and even enable some form of personal control over that data.
Critics, however, point out that a unique identifier could just as easily be used by government to connect personal data together in negative ways – for example, look at how the Home Office used health records to identify immigrants as part of its controversial hostile environment policy.
This is to some degree a peculiarly British debate. Most European countries have a single identifier for citizens – often in the form of a physical card – and the success of digital identity schemes in the Nordic countries is at least in part down to the existence of a unique identifier. The Science and Technology Committee report cited Estonia as a successful digital identity scheme, based also on a unique identifier.
It’s true to say that Scandinavians tend to trust their governments more than we do in the UK – which not an insignificant difference in this debate. And Estonia, as a former Soviet country, has very different cultural attitudes to the issue.
But it’s also relevant to point out that we already have a unique identifier in the UK – two in fact – in your national insurance (NI) number and NHS number.
The NI number, however, is not considered secure enough to use – it’s too easy for people to have multiple NI numbers, and there are more NI numbers in existence than there are people in the UK, partly thanks to historic IT system problems in the past.
The National Health Service in England is using the NHS number as part of the digital ID system it is developing for patients. It’s fair to say the NHS is a lot more trusted by citizens than the wider public sector.
Of course, the reason why MPs on the Science and Technology Committee suggested opening up this topic for discussion is because of the failure of Verify, and the way it has impeded the development of a wider commercial market for federated digital identity systems in the UK. If Verify worked, we wouldn’t be having this debate all over again.
While it’s generally agreed that a single unique identifier is not the right way forward in the long term for digital identity, we nonetheless find ourselves in a position where it is right to have this debate again. Let’s hope it’s for the final time.
Three months ago, the Government Digital Service (GDS) appointed the first ever director of digital identity, Lisa Barrett – tasked with taking on the troubled Gov.uk Verify programme.
Barrett arrived just as the National Audit Office found that “it is difficult to conclude that successive decisions to continue with Verify have been sufficiently justified”.
Barely two months later, MPs on the Public Accounts Committee branded Verify as “failing its users”, not delivering value for money, and added that its leaders have not accepted “proper accountability” for the programme and its difficulties.
Well, now it seems Barrett is going to be accountable. Good luck with that.
On 7 June, she made her first public appearance, at the Think Digital Identity in Government conference in London, to offer an update on what’s next. Clearly, in a short space of time, she has made an impact.
Other speakers described her as “a breath of fresh air”, and welcomed the way she has been reaching out to the many and varied stakeholders in the UK digital identity sector. In her talk, Barratt said that GDS needs to “tell a better story” around Verify, which is certainly true.
She laid out the priorities for Verify and digital identity policy, emphasising the importance of standards and collaboration between public and private sectors to accelerate the use of Verify and other compatible digital ID products. She identified the need for a “clearer set of rules” around digital identity to encourage more private sector investment. She said the user experience for Verify needs to be improved.
Heads nodded around the gathered digital identity experts. There was nothing to disagree with in her talk. The problem – which is nothing to do with Barrett – is that her predecessors could have (and possibly did) give exactly the same presentation at any time in the past five years.
There remain more questions than answers. But Barrett hinted that could change soon – in response to a query from Computer Weekly, she said there were “things that can’t yet be announced”. Which, given the earlier goal of telling a better story, did seem to frustrate her. It’s a shame she wasn’t able to use the occasion to make some of those announcements to a room full of people desperate to hear them.
As an example of the greater openness she wants to establish, Barrett also became the first person from GDS to publicly acknowledge that the government’s Infrastructure and Projects Authority (IPA) recommended in July 2018 that Verify be scrapped. When Computer Weekly revealed this fact, in September last year, GDS declined to comment and has not done so since.
Barrett explained that the reason for the IPA decision was down to doubts whether the existing identity providers (IDPs) involved in the programme would continue to support Verify. Subsequently, two of the seven IDPs decided not to, while five signed up to new contracts. That seems an important piece of information for wider stakeholders to know, and it’s a good example of how badly GDS has communicated about Verify in the past.
The heart of the challenge now facing Verify was clear when the event heard from Martin Edwards, managing director of identity services at the Post Office – one of the two largest Verify IDPs. He listed the four things he needed to see from government:
- More PR and communication – “Be less embarrassed about Verify,” he said – to promote the brand and its purpose. Edwards called for more visible ministerial backing, adding that too many people have never heard of Verify or don’t know what it does, which is a hindrance for a project that once intended to reach 25 million users by 2020.
- Align regulations for identity behind the Verify standards – for example, Edwards pointed out that much government regulation still specifies that people need to give a written signature, which is clearly incompatible with digital solutions.
- Better access to data sources – one of the biggest reasons Verify has performed so badly is the limited datasets available to establish a citizen’s digital footprint, especially for those who don’t have passports, driving licences, credit cards or mortgages. The Post Office is involved in a trial at the London Borough of Tower Hamlets, which looks at ways to use local authority data to assure a digital identity.
- More co-ordination and much faster user take-up across Whitehall – Edwards highlighted the fact that even some of the 19 online public services that do offer Verify, only do so as one option. The attraction for the IDPs involved with Verify was always to get at the millions of users of online tax services such as self-assessment, and Universal Credit. So far, only 4% of HM Revenue & Customs’ (HMRC) online users opt for Verify over the well-established Government Gateway; while the Department for Work and Pensions continues to push back the roll out of its controversial welfare reforms.
These are all reasonable concerns, and none of them are new. But the issue here is that one of the most important organisations involved in promoting Verify and digital identity in general, is still asking these questions barely nine months before GDS hands Verify over to the private sector.
There are rumours that GDS may announce that Whitehall departments will soon be able to bypass GDS and deal directly with the IDPs – potentially a forerunner to allowing departments to choose other IDPs beyond those directly involved with Verify. Such a move would benefit the IDPs, but would remain to be seen if that’s enough of an incentive for the likes of HMRC to put its full weight behind Verify.
Notably, Barrett at times played down the importance of Verify in favour of government’s role in establishing a wider digital identity ecosystem. At one point, she referred to Verify as just “one technology implementation of the standards”. That’s a technology implementation that will cost taxpayers at least £175m, mind you.
GDS wants to broaden the conversation beyond Verify and highlight the goal of stimulating a digital identity market in the UK. That’s always been a worthy objective – but one that cannot be divorced from the widespread criticisms of Verify, not to mention that £175m of spending.
Very few people would complain if GDS were to become more open with its communications around Verify, and if Barrett can deliver on that she will have achieved an early win. Meanwhile, lots of key players are waiting to see what those secret announcements are going to be.
A couple of points mentioned during the event may be of interest to those following the progress of digital identity:
- The Post Office is looking at how it could use its branch network to help create Verify identities face-to-face, instead of purely online, for people with too limited a digital footprint for current digital-only methods.
- There are six digital identity pilots going through the Financial Conduct Authority’s sandbox programme, designed to test new finance-related products for regulatory compliance. If approved, that potentially promises a big boost to the idea of using banking products, and open banking technologies, to enrol millions of people into digital identity schemes.