Let’s start with the disclosure. I voted for the UK to remain in the European Union (EU). My reasoning at the time was that the EU is an over-bureaucratic, dysfunctional organisation that ought to celebrate the difference between European nations not attempt to homogenise them; its leaders are unaccountable and driven by a federalist ideology, not by what’s best for EU citizens. But the UK would be bonkers not to be a part of it – to be leading a process of change to make the EU everything it could and should be; that it would be economic suicide to leave.
Computer Weekly, reflecting the majority of our readers, came out in favour of remaining as well – a choice driven by the team here and feedback from our audience, not by my personal perspective.
But we’re leaving, and that’s that.
Brexiteers tell us to look on today’s invoking of Article 50 as an opportunity – and they might be right. The problem is that we just don’t know – until we see the outcome of the divorce negotiations, it’s impossible to say one way or the other.
The difference in opinion right now lies in whether you have faith in Theresa May and her government to finalise a relationship with the EU that is as good – or at least nearly as good – as we have now.
For the tech sector, that means easy access to skilled workers, open data flows, no tariffs, minimum red tape, common technical and data standards, access to the Digital Single Market, shared research and development, agreements on data protection, copyright and patents – and more. Basically, what we have now.
If you believe the prime minister can deliver all that – then Brexit is an opportunity, not to be feared. If she can’t – we have a problem. We can but hope the pro-Brexit crowd are justified in their faith.
Everything I hear from government insiders suggests that it genuinely wants to deliver what is needed to put the UK at the forefront of the digital revolution – which means delivering on what’s needed with the EU. We can but hope.
But there is little doubt in my mind that few of those leading the Brexit charge understand the context of the digital revolution and it what it means long-term for the UK socially, culturally and economically.
The last 20 years have given us a glimpse of how digital breaks down borders, ignores nation states, creates new global relationships and collaboration, empowers and enables education, generates innovation, delivers transparency and brings people of different cultures together around the world.
The process of societal change introduced by the digital revolution is in its very early days; it is unstoppable and inevitable, just as it was in the industrial revolution. Importantly, it is bigger than politics, and as such it will be resisted – ferociously at times – by the vested interests it threatens.
Those vested interests are largely the beneficiaries of the 19th century hierarchies that were created by the industrial revolution. The internet generation is networked; it rejects hierarchies and will eventually reform societies – well, most of them – on that principle. Tomorrow’s leaders will be part of the network, not apart from the network.
Digital law specialist and blogger Heather Burns wrote an excellent article outlining the complexities and challenges for the tech community from Brexit, but I disagreed with her on one important point. She says Brexit is “anti-digital” and calls it “an attack on digital culture”.
I can’t see that Brexit is a conscious and knowing attempt to prevent the digital revolution, as I think Heather implies. Instead, I see it as a symptom of the wider attempt by those vested interests to prevent or delay the implications of the digital revolution – an attempt that is mostly an instinctive, unconscious reaction to the changes they see taking place in the world around them; changes that threaten their worldview.
Donald Trump and his supporters are another symptom of the same backlash.
Decades from now, historians will explain the tumultuous changes in Europe and the US in the early 21st century in the same way history books now characterise textile riots in the industrial revolution. We use a 19th century word – Luddites – to describe people who resist the tide of digital change. Luddites were the textile workers who revolted against the effects of the industrial revolution. Today, the Luddites are the ones making decisions.
Then, the Luddites could not see or understand the wider changes going on around them, and the inevitability of that process. Today, our modern Luddites are not so different, even if they have greater power to try to delay it.
Brexit’s impact on the UK could last 10, 20 years or more – a generation. The impact of the digital revolution will last far longer and be more profound – a century, perhaps more. For all the amazing and life-changing innovations technology has delivered across the last generation, we are still at a point equivalent to walking in front of a new-fangled motor car waving a red flag to warn passers-by.
Artificial intelligence, the internet of things, bioengineering, genetics – these are in their infancy. Only yesterday we learned that a man paralysed from the neck down moved his hand by the power of thought after scientists bypassed his severed nerves and connected his brain to his muscles electronically. This is only the beginning.
The UK faces two years of uncertainty and division. At its end, we will know whether Brexit is an opportunity or a disaster. If negotiations are successful, its architects will be in power for years to come. If not, they will be consigned to the political scrapheap and the uncertainty and division will continue. It is not going to be easy.
But there is a bigger, longer game at play here, driven by the digital revolution – and it is unstoppable. At worst, Brexit will delay the inevitable. At best, it could accelerate it. We can but hope.
With the UK’s formal Brexit notification due on 29 March, heralding two years of uncertainty, the tech sector’s lobbying for consideration in negotiations with the EU is likely to intensify.
Two high-profile surveys unveiled this week document the challenges ahead, the risks and opportunities, as the government begins a process that will determine UK IT’s future role on the digital world stage.
The TechNation 2017 report, from startup support organisation Tech City UK, gave a positive, cheerleader’s perspective. It determined that the digital sector is worth £170bn per year to the UK, and is growing 50% faster than the wider economy.
The UK remains comfortably the favoured European destination for investment in startups, attracting £6.8bn in cash during 2016, more than twice the amount of the nearest competitor, France.
There is little doubt that tech has been one of the bright spots for the UK during the generally downbeat economic mood since the crash of 2008. The prominence of the digital sector in the government’s industrial strategy shows the recognition – long overdue – that technology is central to the UK’s future success.
But there was a more downbeat note from the Confederation of British Industry (CBI). The business support organisation noted that the UK’s research and development (R&D) spending, at 1.7% of GDP, is “well below the spending of many international rivals”.
The CBI called for R&D spend to be raised to 3% of GDP by 2025, with contributions needed from government and business, to secure the UK’s position as one of the world’s leading science and technology innovators.
The report set out a series of areas where improvement is needed, including public funding and incentives, culture and skills, collaboration, regulation and public services procurement.
The reason for a renewed focus on R&D was highlighted in the TechNation report, which noted a YouGov survey of 1,000 academics where over 44% said they know colleagues who have lost access to research funding as a result of Brexit worries.
UK IT is not along in its uncertainty over what the Brexit process will lead to. You can bet that our European friends and rivals will be eyeing the opportunity to move their digital sectors into any gaps left by the UK. Our industry will be looking for early agreement on EU nationals currently in the UK – who make up a sizeable group of IT employees – and for guarantees around data transfers between UK and EU organisations.
Everyone with a vested interest in the UK’s digital economy needs to make sure the government hears their voices, to secure the future of the great British tech success story
Let’s think about the UK in 2027 for a moment. By then, just 10 years from now, we will have been out of the EU for eight years. We might not even be the UK any more, but if we are, the population is likely to have grown to 70 million, according to the Office for National Statistics – up from about 65 million now. Some 30% of those people will be aged over 60 – one in 12 will be over 80.
Consider the added pressure on public services – especially NHS and social care. Who knows what state the economy will be in – until the terms of Brexit are known, and any subsequent trade deals we manage to agree, it’s impossible to predict. We may still be finding our way in a much-changed economic environment, in a very different world.
In that case, we need to fall back on a few certainties – things that we can state with confidence will be sure-fire hooks upon which to hang our business and public service coats.
We can’t rely on financial services the way we have for the past 20 years – not until we know how Brexit affects the City. We can’t expect to revitalise a manufacturing sector that largely has moved eastwards. We’re already scaling back on clean energy investment – and with a Trump-led US administration seemingly backing away from renewable energy entirely, we may still be making the argument for divesting in fossil fuels.
But we can argue, with confidence, that 10 years from now the world will be vastly more digital. What would we, in the UK, need to assure is in place to exploit the opportunities that will offer?
For one thing, we’d need near-ubiquitous availability of high-speed communications networks – most likely based on full-fibre broadband to everyone that wants it, and a second-generation of 5G mobile technology.
We all know this. The government sort-of knows it, and is making positive – if baby – steps in the right direction. Ofcom’s success in convincing BT to put Openreach at proper arm’s length shows the regulatory environment is moving forward, if slowly.
We can hope that moves to encourage better technology and engineering education in schools and through apprenticeships will have started to bear fruit by 2027 to address skills shortages.
But still it doesn’t feel like any of this is happening fast enough, and two years of uncertainty while we negotiate the terms of our new relationship with Europe will perpetuate caution. And yet we know, with confidence, that our future is assuredly more digital.
Once prime minister Theresa May triggers article 50, we have two years when much of the UK rocks in its chair, worrying for the future. The tech sector has its concerns too, inevitably. But the digital revolution continues apace regardless. Despite all the short-term uncertainty, the next two years can be a time for tech to take confident steps forward – the UK economy in 2027 will depend on it.
The otherwise obscure topic of taxation for the self-employed hit the headlines this week after chancellor of the exchequer Philip Hammond announced in his latest Budget a rise in national insurance contributions (NICs) – but for many self-employed IT professionals, tax laws have been at the forefront of their mind for some time.
The IR35 rules that determine whether an IT contractor should be treated as a company or an employee for tax purposes have been controversial since their inception as long ago as 1999. The aim is to prevent tax avoidance by individuals who effectively work full-time for one organisation, but are paid as a service company, not on regular PAYE. Such contractors typically pay themselves a low wage, but take high dividends after their company is taxed at lower corporate rates.
The new NIC rules – if they survive a Tory back-bench backlash – will hit every IT contractor. But for self-employed IT experts working in the public sector, there’s a bigger concern. As of April, new HM Revenue & Customs (HMRC) guidance comes into force, whereby the public body commissioning services determines if a contractor falls within IR35 – and hence should be treated as an employee on PAYE.
There is no doubt some IT contractors have been stretching the rules by declaring themselves to be outside IR35. You’d be surprised how many names appearing on Whitehall organisation charts, with job titles and permanent desk space, are actually self-employed.
It’s no secret that many IT freelancers are deserting government over the rule changes – which do not apply in the private sector. Moving onto PAYE represents a significant pay cut, when many of those affected claim they should not be classified like staff.
Government already faces a significant digital skills shortage. Many departments struggle to recruit IT experts – especially at senior and middle management levels. As a result, they turn to freelancers in the short term – but the IR35 changes threaten to scupper that route to accessing much-needed skills.
Home Office IT chief Sarah Wilkinson was brutally honest in saying that IR35 reform will have “significant delivery impact” on critical digital projects. “We’re going to have a year of significant pain,” she said.
This is going to be a huge issue across the public sector – just as the new digital transformation strategy takes effect, and right in the midst of Whitehall preparing for Brexit. Many important digital programmes will be delayed, some with political implications.
HMRC shows no sign of backing down, and as a result the public sector risks a mass exodus of contractor resource. For those affected, NICs will be the least of their worries.
The very best thing about the government digital strategy is that it exists.
The areas covered by the strategy are vitally important for the UK’s economic future – not only for our digital economy – and the strategy documents are comprehensive. They mostly tick all the right boxes – skills, startups, broadband and 5G, cyber security, data infrastructure, and digital transformation in businesses and government.
It was seen as a major announcement by the government, and the recognition of its importance extends to the highest levels of Westminster. It is good and right and promising that the government has released such a plan.
If you read through the strategy in detail, you’ll probably find yourself nodding in agreement but not getting especially fired up by plans that minister Karen Bradley said would “make Britain the best place to start and grow a digital business”.
Much of the strategy as released is not new, for a start – it’s simply bringing together a number of previously announced initiatives under one banner.
It contains topical and forward-looking elements such as aiming to make the UK a leader in artificial intelligence (AI). But all it actually offers is £17m for a number of research initiatives and a review of the “critical elements” for building an AI industry.
Meanwhile, the rest of the world is actually building an AI industry. A Silicon Valley AI startup would turn its nose up at a meagre £17m of potential investment.
There’s no vision of a future digital Britain – just a series of initiatives that will, probably, take us in generally the right sort of direction and hopefully will take us somewhere better. There are no measurable targets to aim for – so if any of those initiatives don’t actually change much, nobody is accountable, and nothing much happens about it.
For example, one of the plans is “a commitment to create a Secretary of State-led forum for government and the tech community” – note, not actually creating a forum, just a promise that it will at some unspecified point exist.
While you wouldn’t object or complain about any of the proposals in the strategy, none of it is especially ambitious. It’s all good. There’s nothing wrong with it. But it could have been so much more.
And that’s before you even get onto Brexit and the potential impact of severing digital ties with the European Union.
The government gets that digital is important. It knows where the challenges lie, and it’s taking action to address them. But nobody reading this critically important strategy is likely to come way enthused that it’s going to put the UK at the forefront of the global digital economy for the next 10 years. Let’s hope it is only a start, because we need a more ambitious vision than the digital strategy currently offers.
Here we are, it’s 2017, on-demand and pay-as-you-go software is all the rage, cloud is the rising and soon-to-be dominant IT architecture, and yet we’re still talking about software suppliers stiffing their customers with the fine print in licensing contracts.
SAP users have reacted with understandable alarm to their supplier’s High Court victory over one of its largest customers, drinks giant Diageo, claiming nearly £60m in unpaid fees. The case could set a worrying precedent as firms increasingly adopt application programming interfaces (APIs) as a primary means of interacting with corporate systems.
The Diageo case centred on so-called “indirect access” whereby an external customer software application accesses the core SAP system. The supplier argued successfully that every Diageo customer that could come through this interface – 5,800 of them – should be treated as a “user” under the terms of its software licence.
While this may be legally the case, in practical terms it’s clearly absurd. In effect, the ruling implies that any user coming through a third-party app or a web browser through an API into a back-end software system should be licensed in the same way as a user actively logged in to that system.
Think about the implications here as we move to the internet of things (IoT) – theoretically, every one of tens of thousands of sensor devices feeding data through an API into a database could be defined as a “user” and require appropriate licensing fees.
This is not an issue specific to SAP, but to the increasingly outdated model of software licensing offered by what we might have to call 20th century software vendors. If the SAP case sets a precedent, you can be sure that the Oracles, Microsofts and others of the world will rub their hands with glee.
The judge in the Diageo case subtly acknowledged the absurdity. While she upheld the claim based on SAP’s licence terms, willingly signed by Diageo, she implied that the supplier ought to introduce a new category of user for such a situation – one which is priced more realistically for indirect access to the SAP application.
Nobody is suggesting that software vendors shouldn’t be able to set a fair price for their products and license accordingly. But the “per user” style of pricing is outdated – it was developed for 1990s era technology where every user sat at a PC and connected to a server.
Before long, it’s possible we will see situations where every non-admin user is another app, a bot, or an IoT device, where a per-transaction micropayment model might be more appropriate. Old-style software licensing needs to adapt to modern IT realities.
In all the recent talk about whether HM Revenue & Customs (HMRC) is truly committed to the Cabinet Office’s Gov.uk Verify service, there’s been less said about the commitment of the external providers – a factor that could yet sink the controversial identity assurance scheme.
Verify relies on creating a “market” of independent, third-party ID providers who perform the verification process to ensure that users accessing online public services are who they say they are. Currently there are seven organisations fulfilling this role: Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail and SecureIdentity.
These ID providers (IDPs) retain or access all the personal data about citizens who wish to have a Verify identity – so the data is never passed to the government service that users wish to access. Instead, the external providers simply inform the online service that the user is correctly verified.
It is politically and technically fundamental to the design of Verify that this market exists. Politically, it avoids the creation of a national identity database; allows companies to make a profit; and offers choice to citizen-users. Technically, it means government systems don’t need to perform the complex assurance process for every login or secure transaction.
The return on investment for an ID provider
The attraction for the IDPs is purely commercial – government pays them up-front for every identity they successfully verify, and pays them again once a year whenever a user accesses a digital service. That’s not to mention the prospect of capturing user information that potentially allows them to market other services.
The providers compete for users, sometimes by offering different verification methods that suit different demographics – for example, some low-income users may not have a credit history; farmers found a similar problem when they were the first guinea pigs for Verify, and the fact many don’t have a mortgage became an issue.
Sources with knowledge of Verify suggest that, on average, IDPs receive about £5 per verified user.
Building a system to assure identities is not cheap – one expert with knowledge of government ID systems estimated “low single-digit millions” to develop an external verification service.
If those figures are even close to correct, it suggests each IDP will need perhaps half a million verified users before they start to reach an acceptable profit. They will have been tempted by the prospect of several million users each, and recurring revenue every year.
The Government Digital Service (GDS) has never published full figures for how much it spends on Verify, either. Sources suggest that the 2016/17 budget for Verify was £47m, of which just £4m was capital expenditure. Most of the remaining £43m was due to cover payments to IDPs for successful verifications. With the number of fully verified users still below one million and rising slowly, it’s unlikely GDS will spend all that budget this financial year even it wanted to.
This is where HMRC comes in. The real prize for the IDPs is the existing user base for the tax self-assessment service and HMRC’s personal tax accounts – currently there are 7.4 million registered users, a figure confirmed in the department’s latest update on its single departmental plan.
In an unwitting dig at Verify, HMRC pointed out that it’s already ahead of its target to have seven million users by April 2017. Earlier this month, Cabinet Office minister Ben Gummer set a target for Verify to reach 25 million users in 2020.
It’s an open secret that HMRC doesn’t want to use Verify, and is being forced to play along. The department is developing a successor to the existing Government Gateway system, which covers individuals, business and intermediaries (such as accountants who file tax returns for clients). Understandably, HMRC has no desire to use two separate ID systems, and Verify will not support business or intermediary accounts.
What’s more, HMRC says it doesn’t need the higher level of assurance for user IDs that Verify offers. As a result, GDS is developing a new way of using Verify that works to a lower standard. A pilot project, called basic accounts, was conducted in 2015 but quietly shelved. Basic accounts were not fully verified, but could be upgraded. IDPs in the trial were used to set up basic accounts, but without the same level of identity checking. Presumably – and this is a guess – an IDP would receive less money for completing this simpler transaction.
Eyes on the HMRC prize
IDPs will all have their eyes on the prize of HMRC’s 7.4 million users – that, in the short-to-medium term at least, is where their profit lies. And they know it – sources suggest that every time HMRC has rattled its cage about not using Verify, GDS needed to reassure nervous IDPs that the expected volumes would be delivered.
But it’s not even as straightforward as migrating those 7.4 million people to Verify and allocating them a basic-level identity. Remember – Verify is a market. Users have to be given a choice of which IDP they want to use. Government cannot give all those users to one IDP, nor can they simply divide them up equally, because some IDPs work better for different demographics.
There seems, on the face of it, no obvious way to avoid forcing 7.4 million HMRC users to have to re-create a new identity from scratch using Verify, even if they don’t need to go through the full verification process.
It’s unlikely IDPs will be allowed to market their services directly to those 7.4 million people, so for every one of them there must be a risk that if they lose out on any HMRC user land-grab (if that’s how the migration takes place) then they will struggle to achieve the return on investment they need.
The question for GDS and Verify is, at what point does an IDP decide it’s no longer worth waiting? And if one IDP quits, do the others see that as an opportunity to gain a larger slice of the HMRC pie, or as a sign that Verify is a failure?
The long-term row between HM Revenue & Customs (HMRC) and the Government Digital Service (GDS) over online identity assurance broke into the open this week. HMRC published a blog post that clearly stated the department was rejecting GDS’s Gov.uk Verify system in favour of developing its own tools for users to login to online tax services such as self-assessment.
However, not long after HMRC and the Cabinet Office were approached for comment by Computer Weekly, the blog post was amended and the key paragraph deleted. This is what it originally said:
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services.”
HMRC is now backtracking, and told Computer Weekly that the blog was edited “as it was causing some confusion”. The official line from HMRC now states: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
That’s materially different – almost the exact opposite – of the original blog post. Our sources say HMRC wanted to declare independence all along, and has only played along with GDS and Verify after prompting from senior levels of the civil service.
It’s also interesting to note that the Cabinet Office took over 24 hours to respond to requests from Computer Weekly for their side of the story. It’s easy – if fanciful – to imagine the shouting that echoed down the street from the Cabinet Office at 70 Whitehall to the HMRC building at 100 Parliament Street, a few hundred yards away.
But why is a seemingly trivial technical spat between two Whitehall departments so important to the future of digital government?
In its new government transformation strategy published last week, the Cabinet Office put Gov.uk Verify at the heart of its future plans, setting an ambitious – some would say wildly ambitious – target of 25 million Verify users by the end of 2020. Currently Verify has just 1.1 million registered users.
HMRC, by contrast, claims 50 million active accounts for its existing identity system, based on the 16-year-old Government Gateway, which is being phased out over the next 12 months. Arguably, Verify cannot hit its target without HMRC’s user base. So why not use HMRC’s system across government, instead of Verify?
The two systems, in fact, treat identity very differently.
HMRC says it needs a lower level of identity assurance than Verify currently offers – although work is underway to address that issue in Verify. HMRC’s system does not require proof of identity – it simply sets up a login and password for users, much as any online shopper would do on Amazon or eBay.
Verify, however, aims to establish a legal proof of identity to a level that would satisfy a court, partly as a means of fraud prevention. It does this by commissioning several independent suppliers to offer a service to establish digitally that you are who you say you are – suppliers include the Post Office, Experian and Barclays.
Those third parties use existing data sources such as credit histories, passport and driving licence records to check your identity – but early experience shows that those easily available sources are not enough to assure a large proportion of the population. For example, some people on low incomes often don’t have a credit history because they can’t afford a mortgage or credit cards, and don’t have a passport.
Online vs offline proof of identity
Currently, more than half (54%) of the people who attempt to register on Verify are unable to create a verified user identity – a figure that in the long term is clearly unfit for purpose. The Verify team are working with the independent identity providers to test new sources of data and new methods of verification to improve on the success rate – but it’s slow progress.
HMRC, however, works mostly on the basis that since you’re logging in to give them money – that is, pay your taxes – it’s assumed to be unlikely that someone will pretend to be someone else in order to pay that someone else’s tax.
Under certain circumstances, HMRC does ask for proof of identity, which is performed offline – either you have to send proof of identity by post, or in some cases HMRC posts a verification code to be used instead. Verify aims to complete the entire process online.
Verify creates an identity that meets a significantly higher level of assurance than an HMRC ID. Verify is designed to confirm to the nine identity assurance principles defined by the independent Privacy and Consumer Advisory Group. HMRC makes no attempt to meet all these criteria.
Business and intermediaries
HMRC’s main justification for preferring its own ID system has always been that Gateway and its successor provide a single service that caters not only for individuals but also for businesses and intermediaries (such as accountants who file tax returns on someone’s behalf).
Verify does not, and has never been designed, to provide identity assurance for businesses. Sources say that GDS investigated using Verify as a standard platform for business identity assurance but found the definitions of what a business is across Whitehall to be too varied and divergent to establish an agreed need. HMRC, Companies House, DVLA and others all define businesses in different ways.
The official line from HMRC and Cabinet Office now – since the amendment of that blog post – is that Verify will be used across government for individuals, while HMRC’s system will be used everywhere for businesses and intermediaries. That still seems like an inadequate fudge, requiring two different identity system to be developed and maintained.
How to get 25 million users onto Verify
GDS will easily meet the target of 25 million Verify users if all HMRC’s users are transferred onto the system – although before that happens, Verify will need to support the lower level of assurance that HMRC uses. It would not be acceptable or feasible to force 50 million HMRC account holders to all create a fully verified account to the levels currently demanded by Verify.
Without HMRC, is that target achievable?
GDS hopes that local authorities, banks and other online companies will adopt Verify. Trials are underway with a number of councils, but Whitehall has no power to force them to use the system.
While there could be an advantage to banks and other private sector businesses to using a government-approved identity assurance system, many will be wary of handing over control of such a critical service to government – and to a set of third-party identity providers. Owning the identity verification of customers is as important to a bank as it is to government.
Another potential source of millions of citizen identities is by using Verify in the NHS. While GDS and NHS Digital continue to discuss the use of Verify, the system is currently seen as not appropriate for NHS needs, where ID is less about proving your legal identity, and more about identifying you through your existing NHS number.
Sources suggest that GDS is considering novel ways of accelerating Verify adoption, such as adding Verify to digital services that don’t really need it, or encouraging citizens to “register in advance” in case they should need a government identity in future. Neither seems realistically likely to encourage 25 million people to sign up over the next three years – meeting that target requires over 600,000 new registrations every month before the next general election takes place.
It seems very unlikely that target will be met without HMRC on board.
Why does this matter anyway?
Identity is important on two counts – as the core of digital public services, and as an ongoing political hot topic.
Online identity is the key to delivering digital government – it’s where every service starts from; it’s the primary way that GDS hopes to make the multitude of government services appear to be an integrated whole. If you’re a Verify user, all of the public sector opens up to you online – or at least, that’s the aim.
That’s perfectly sensible – but highly ambitious. It’s one thing to offer a standard login system – as HMRC has done – but another to say you will have an identity assurance system that works to such a high level of proof that every Verify account stands up legally in court.
Quite simply, nobody has ever achieved such a system, anywhere. GDS is at the leading edge of digital identity assurance with what it hopes to deliver. And as they are learning, it’s a difficult task and it takes time.
It’s relatively achievable to develop Verify to digitally assure the identity of most of the population – let’s say, 80%. But to do so for the remaining 20% is a huge challenge – about one in 10 UK citizens have never used the internet, for a start.
It could be argued that getting 80% of the population to use Verify would be enough – but it leaves the government open to accusations of creating a digital divide and excluding millions of people.
GDS has consistently under-estimated the effort required to deliver Verify – or over-estimated its ability to do so – and as a result has continuously under-delivered and missed its own targets.
As recently as December 2014, a National Audit Office report said: “By March 2016, the [Verify] programme plans that all departments will have integrated the common identity assurance service with all of their digital public services.”
As of February 2017, just 12 services are fully live on Verify.
Whitehall departments are frustrated that Verify is taking so long to develop – it affects their own digital plans. They are concerned about GDS’s ability to deliver – and whether GDS will even be around in the long term.
National identity database
When Verify was first conceived, in the early days of the Coalition government, the former National Identity Scheme under Labour had just been scrapped. Prime minister David Cameron had come to power on a promise to end any plan for a national database of UK citizens’ details. Verify, therefore, had to avoid any accusation of creating a national ID database by stealth – and be seen to do so openly enough to avoid political fallout.
That dictated certain design decisions – such as the involvement of multiple independent identity providers, and the avoidance of a central database. HMRC’s ID system, by contrast, uses the more technically simple solution of a single database.
Were the government to opt to use HMRC’s approach to individuals’ online identity, it risks opening up those old claims of a national ID card by stealth – and that remains politically unacceptable.
Whitehall politics dictates the next steps – whether HMRC can be brought into line and commit fully to using Verify for individuals. Despite its recent positive statement to that effect, it’s common knowledge that HMRC’s preference is to go its own way.
GDS needs to dramatically improve the success rate of user verification from its current level of 46%. Verify stands no chance of being widely adopted unless that figure is significantly higher – ideally towards 80%.
Furthermore, currently only 34% of attempts to access a digital service using a registered account are completed. The best-performing service only reaches a 67% completion rate. Both figures are clearly unacceptable if GDS wants Verify to be more widely used.
HMRC will spend the next 12 months developing its replacement for the Government Gateway. If Verify is not able to fully take over individual identity assurance from Gateway by then, it’s as good as dead.
Less than a week after Cabinet Office minister Ben Gummer announced the new government transformation strategy, its central premise is already in question after HM Revenue & Customs (HMRC) rejected one of the core systems at the heart of the digital plan.
HMRC has been in a fight with the Cabinet Office for months over the use of Gov.uk Verify, the online identity assurance service being developed by the Government Digital Service (GDS) as the standard ID platform for the public sector.
Verify is central to the GDS plan – Gummer set a target of 25 million users by 2020 in the new strategy. GDS’s vision of digital government starts from the basis that every citizen who wants to transact online with public services will use Verify to prove who they say they are. GDS is so confident in the system’s eventual ubiquity that it is courting banks, e-commerce companies and local authorities to take part.
But Verify has now been rejected by the department with the biggest single base of online users. The fight is over and HMRC has declared independence.
A blog post published by HMRC programme director Mike Howes-Roberts reveals that the taxman is going its own way and will not be using Verify.
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services,” he wrote.
[Update 1: 14 February 3.45pm – This above quote has mysteriously been erased from the original HMRC blog post since this article was published – the screen grab below shows the original version]
Howes-Roberts added: “We’re exploring options around other government departments also using this replacement service. This would be restricted to business and agent-facing services only as Cabinet Office requires all other departments to use Gov.uk Verify.”
The “replacement service” Howes-Roberts refers to is the successor to the Government Gateway – the identity system used by HMRC for tax self-assessment and business tax submissions, which is also at the heart of the Making Tax Digital project. Gateway was introduced in 2001 and is being phased out by March 2018 – it’s old and antiquated and needs replacing, but GDS intended that replacement to be Verify.
Gateway has survived many attempts to phase it out, but has continued to be used for so long for a very simple reason – it works.
Howes-Roberts says that Gateway supports 123 live digital services across government, 406 million identity authentications a year, and has more than 50 million active accounts.
Compare that with Verify, which after nearly five years of development has just 1.1 million users, has been used for 2.6 million authentications, and is used by only 12 online services – and five of those are HMRC services where Verify has been tested against Gateway and, it seems, has lost.
HMRC has continually sidestepped GDS over Verify. One well-placed source told me late last year that HMRC CEO and permanent secretary Jon Thompson told GDS chief Kevin Cunnington that his department had rejected Verify after another attempt to prove that Verify was the better option.
The same source also suggested that HMRC is working on its own version of Gov.uk Notify – the GDS platform for electronic status notifications – despite being told by the Cabinet Office that it should not.
Presumably, Gummer knew about HMRC’s intention when he launched the transformation strategy last week, and still believes that Verify can expand to 25 million users over the next three years – but surely that figure assumed HMRC’s users would be migrated to Verify?
The next largest government service on Verify should be Universal Credit – but that won’t be fully rolled out until 2022. Trials are underway with local authorities, but Whitehall has no power to mandate use of Verify to councils – clearly it can’t even mandate to its own departments.
And will banks and online companies really adopt Verify at scale, if even the government’s own biggest potential user has rejected it?
HMRC’s main issue with Verify has always been that it is only intended for individuals to use, whereas Gateway also offers ID assurance for businesses and intermediaries (such as accountants who file tax returns on behalf of clients). GDS has stubbornly refused to expand Verify for use by organisations as well as individuals – a decision that may prove to be fatal flaw.
It is patently stupid – not to mention a huge waste of money – for government to maintain multiple identity systems for citizens to use when accessing public services. For the greater good, someone has to lose face and take the inevitable flak. If HMRC is developing a successor to Gateway with a user base nearly 50 times that of Verify, why not simply re-use the HMRC system across government?
It would appear that the Gateway replacement is already going to be used across Whitehall for businesses and intermediaries – but with Verify used everywhere except HMRC for individuals. Seriously, who thinks that make sense?
Gummer talked last week about the importance of “culture change” and “collaboration” in delivering digital transformation across government – and he acknowledged that GDS and departments need to work better together. “When money is tight people have to look for new ways to do things, so it encourages reform. It encourages a degree of collaboration which is new,” he said.
If money is tight, it’s plainly nonsensical to develop two systems for the same purpose. If Gummer has failed to get the biggest potential Verify customer on board, what does that say for future attempts to promote collaboration and shared platforms? If culture change is needed, perhaps the culture in the Cabinet Office must do so first.
GDS needs to swallow hard and change course over Verify, no matter how much it feels let down by HMRC’s intransigence. The new transformation strategy promotes the idea of shared platforms, developed for use across government, and it encourages departments to share platforms wherever possible. GDS doesn’t have to build everything itself – and it doesn’t want to.
If HMRC is developing a new pan-government shared identity platform, it should become the standard. Let’s even call it Verify – that way you don’t have to reprint the new transformation strategy.
Update 2: 15 February 11.30am: After the HMRC blog post was amended, HMRC provided the following statement to Computer Weekly: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
It’s worth noting that this line is almost the exact opposite of what was originally written in the blog post.
The long wait for the new government digital strategy may have caused frustration in some places, but clearly within the Cabinet Office the extensive delays have brought expectations to a peak of frenzy.
The plan – now renamed the government transformation strategy – is billed as “the most ambitious programme of change of any government anywhere in the world” by minister Ben Gummer.
It will be carried out “at pace and scale”, said Government Digital Service (GDS) chief Kevin Cunnington, and will “deliver meaningful change to the people who need it most, faster and more efficiently”.
Moreover, the strategy will “restore faith in our democracy” and fix “the interface between government and the people [which] has become increasingly fraught”, according to Gummer.
Wow. Who needs elections?
In a masterpiece of mixed metaphor, Gummer further went on to label Cunnington, the man charged with leading this once-in-a-lifetime democratic transformation, as the “Che Guevara of digital”.
This is all lovely rhetoric for journalists to chew on, but to paraphrase one of Cunnington’s predecessors, the strategy will be judged on delivery. Let’s not forget that GDS told us in 2013 that it had “400 days to change government”. This is not the first time we’ve been here.
There is little in the objectives of the strategy to criticise – as a statement of where digital government is in the UK, and where it now needs to go, it makes perfect sense.
The plan identifies five core areas: a back-office technology overhaul; developing digital skills; better IT for civil servants; better use of data; and creating shared platforms.
None of these are new, none of them are easy. All of them have – in some shape or form – been tried before, and have yet to be delivered. So perhaps the key question for this strategy is not what it aims to do, but what it will do differently to make it happen.
The plan is peppered with statements like “culture change” and “collaboration”. Gummer admitted publicly for the first time that troubled relations between GDS and departments – especially the Department for Work and Pensions – has been a hindrance in the past that has to be rectified. To his credit, admitting past problems is the first step to overcoming them, and he’s working on that.
Within each of those five core areas you can write a long list of challenges to overcome, raising questions about the feasibility of delivering the transformation strategy by 2020, its stated aim.
But the one hurdle that more than any other stands in the way of success is the same issue that has frustrated GDS leaders for years – the inertia and cultural resistance to change of the siloed and institutionalised civil service structure.
Gummer understands the problem and hopes that the need to save money and deliver on departmental plans will mean his strategy receives a positive welcome across Whitehall. We have to hope he is right, this time. One of his recent predecessors, Francis Maude, forced departments to work with GDS by bashing heads together – Gummer seems more collaborative – but once Maude left, the civil service reverted to type.
The ambition in the strategy is to be welcomed, but perhaps its biggest flaw is that it is not ambitious enough, nor transformational enough.
Former digital economy minister Ed Vaizey said what many people are thinking, in an interview with the Institute for Government published the day before the strategy was launched.
“I would completely re-engineer government. I would abolish government departments, I would have government by task,” he said.
If you really want to transform government through digital means, Vaizey is right – you do away with existing structures and hierarchies and start from the question of what is best for the citizen.
GDS – and the strategy itself – stress the importance of “user need”. But user need is still defined by the requirements of the civil service first, not of citizens. When developing a new digital service – choose one, whether carer’s allowance or Universal Credit or digital tax or any other – “user need” starts from the perspective of the department that owns the service and how its delivery is structured internally.
If you really start from user/citizen need, you don’t have fixed departmental structures. You start from how a citizen wants to interact with public services – and add the fact that for most citizens, that includes local government.
In reality, the transformation called for by the new strategy is a transformation in the way Whitehall departments work together – with the important digital stardust sprinkled on top – and little more. It relies on departments being nicer to each other (and to GDS) than they have at times in the past. It needs the Treasury to allow departmental budgets to be shared, and permanent secretaries to be incentivised to look beyond their role as accounting officer, and to be jointly responsible for delivery of services that are integrated between departments, not siloed within them.
That’s not a fundamental top-to-bottom, root-and-branch transformation of the way government engages with citizens, by any measure. It’s more of a “come along now, chaps, let’s all play nicely” strategy. But perhaps for Whitehall, that really would be a transformation.