The Department for Digital, Culture, Media and Sport (DCMS) has been conducting a review of digital identity since taking over policy responsibility from the Government Digital Service (GDS) in June.
Computer Weekly has learned that at the core of the DCMS proposals to boost the UK’s digital identity ecosystem is a plan to open up government databases via APIs to the private sector – a move that could also administer the last rites to GDS’s troubled Gov.uk Verify system.
Under the proposals, databases containing vital identity information such as passports and driving licences could be accessed through APIs by identity providers. Any company seeking to offer digital IDs for online transactions would, in theory, be able to quickly and cheaply validate data against recognised government information – the closest thing the UK has to a “gold standard” for identity data.
Such a system would not mean third parties accessing data directly, only checking that ID data provided by an individual to that third party is correct.
The concept is a reversal of the principles underlying Verify where only a small set of government-selected companies are allowed access to these databases through a GDS-developed document checking service which performs a similar function.
Where Verify is a closed shop, the API approach would allow any suitable provider – including other parts of government – to offer assured digital identities, creating a wider, market-based ecosystem.
DCMS is understood to believe its plan would be significantly cheaper to run than Verify – potentially costing a fraction of a penny per transaction. Using Verify, by contrast, GDS pays its pool of identity providers on average about £5 for each user they successfully register.
Verify is designed around a “hub” where users are directed to one of seven identity providers (IDPs) when they wish to establish a digital identity to access one of the 18 online government services that currently use Verify.
Under the DCMS plan, theoretically any digital government service could choose to accept approved identities from any third-party that has used the database APIs. The department’s review is understood to be based on the principle government should enable a digital identity market using public data, rather than building its own system.
The future of Verify is already in question after government watchdog the Infrastructure and Projects Authority recommended it be scrapped, which would mean writing off more than £130m spent so far by GDS rather than throwing more money at a programme that many in Whitehall see as a failure.
GDS is fighting to keep Verify going – only this month Cabinet Office minister for implementation Oliver Dowden confirmed the government is still committed to its target of for 25 million Verify users by 2020. Whitehall internal politics may yet find a way to rebrand the DCMS plan as “Verify mark two” or something similar, in order to be seen to deliver on a promise that was part of the Conservative Party election manifesto in 2017.
GDS’s existing contracts with the Verify IDPs are understood to be ending soon, and if the DCMS proposal is accepted it seems unlikely those IDP contracts would need to be renewed other than to manage existing users as the service they provide is wound down.
Private sector identity providers have long been frustrated at the way the Verify model has shut them out of government, and will hope that the DCMS plans will kick-start the development of a growing market in an area that’s hugely important for the UK’s digital economy.
Other areas of the public sector could benefit from the API approach too, with HM Revenue & Customs, Department for Work & Pensions, NHS England and the Scottish government all working on their own digital identity systems rather than using Verify.
Long-term GDS watchers will recall that the organisation was set up following a 2010 recommendation by web entrepreneur Martha Lane Fox in a report commissioned by then Cabinet Office minister Francis Maude. One of the main suggestions put forward by Lane Fox was to “mandate the creation of application programming interfaces (APIs) to allow third parties to present content and transactions on behalf of the government. Shift from ‘public services all in one place’ (closed & unfocused) to ‘government services wherever you are’ (open & distributed)”.
There would be a certain irony if the eventual use of APIs through another department brought about the end for GDS’s flagship project.