There’s rather a lot going on in government IT at the moment.
Last year’s ambitious transformation strategy set challenging aims of overhauling back-office systems across Whitehall, building an advanced data capability, and having 25 million users of the Gov.uk Verify digital identity system by 2020.
There’s the Universal Credit digital system being rolled out nationwide this year, despite concerns it’s not ready to cope with the scale of benefit applications. There’s the new digital tax system from HM Revenue & Customs (HMRC). There are a whole bunch of aging, costly outsourcing deals to be wound down and replaced.
Oh, and there’s Brexit.
It’s increasingly clear that government does not have remotely enough capacity to do all these projects, and something is going to break. The cracks are already showing.
The demands of Brexit alone are already pushing the most-affected departments hard. MPs have already expressed concerns about the lack of progress on key digital systems that will need to be overhauled to cope with leaving the European Union.
The Public Accounts Committee has highlighted an urgent need for digital skills across Whitehall to cope with Brexit. That’s on top of the 4,000 extra IT staff previously identified as a priority for departments’ digital transformation plans.
Already, important projects are being scaled back. HMRC is stopping or delaying a number of digital initiatives to allow it to focus on the customs system overhaul needed for Brexit. The Government Digital Service (GDS) this week said that Brexit priorities are a major factor in the painfully slow roll-out of Verify – and that wider transformation plans are being affected too.
“[Departments are] worrying about EU exit, so we are frankly just not going to get hundreds of new services being digitised in the next year,” said GDS director Nic Harrison.
And despite years of promises that government was not going to renew its many bloated outsourcing deals, exactly that is happening because there’s too much else going on to explore alternatives.
Oliver Dowden, the latest minister to be put in charge of digital government, said this week he is confident the government will achieve end-to-end digital services for citizens by 2020, in line with the transformation strategy.
He’s dreaming if he believes that. And with all the uncertainty still about Brexit, government can’t even be sure it’s identified all the likely tech implications of whatever future relationship we will have with the EU.
There isn’t a magic digital skills tree from which Whitehall can pluck tech expertise. There are a lot of big IT companies sharpening their contract-signature pencils, and we all know what happens when they get too big a chunk of government IT work.
Nobody wants to see the pace of digital transformation held back in government, but it’s clear something has to change. The current IT workload will soon become unsustainable.
The biggest surprise about TSB’s IT disaster is that people are still surprised when banks’ IT fails
The only real surprise about TSB’s IT disaster this week is that people are still surprised when a retail bank has IT problems.
There are few organisations with a more complex and difficult technology legacy estate than the big banks. For all the online banking sites and mobile banking apps we’ve become accustomed to, these are only modern sticking plasters patched over some of the oldest corporate IT systems in business.
At the heart of most banks you’ll still find a hulking IBM mainframe running software written 20, 30, maybe even 40 years ago, often in programming languages that are so redundant the only people who understand them are retired or quite possibly dead. Cobol is widely used – and is perhaps one of the more modern languages you’d find.
Most of those applications still run as overnight batch processing systems, crunching numbers during the small hours to reconcile all the transactions from the multitude of other systems that feed into them. Your mobile app might show the purchases you made a couple of hours ago – but the master file sitting in the back-end mainframe won’t know a thing about it until that overnight batch run completes.
TSB was forced off the legacy IT of former parent Lloyds Bank only because it was acquired by a Spanish bank, Sabadell. The banking system TSB was migrating onto – a UK version of Sabadell’s in-house Proteo software – was developed in 2000, and that makes it young by banking standards.
Even then, the complexity and scale of the migration floored TSB. There are important questions that need to be answered around contingency planning and the ability to roll back to a stable platform once problems occurred. No doubt we will hear more before long at the inevitable House of Commons select committee inquiry.
But other banks will be looking at TSB and thinking, one day that could be us. The cost of moving from the current patchwork of legacy banking spaghetti to a modern, integrated system would run into the billions of pounds, and be the single biggest risk factor for the entire organisation.
For that reason, banking CEOs and CIOs who rarely stay in post more than three to five years have no desire to be the one who oversees such a high-profile, risky move. And so, the problem perpetuates, handed from one CEO to the next.
But the banks know that the day will come when the cost of doing nothing outweighs the risk of change. TSB needs to be open and transparent about what went wrong, for all of its peers in the industry to learn from its mistakes.
The Windrush scandal has revealed many disturbing things about government policy that have nothing to do with IT. But the issues raised amply demonstrate the importance of technology considerations in driving 21st century political decision-making.
Tony Smith, the interim director general of the UK Border Force between 2012 and 2013, told the BBC’s Today programme on Radio 4 this week that the major flaw in Theresa May’s “hostile environment” immigration policy as home secretary came down to one thing.
“You need an identity management strategy if you are going to have a hostile environment. You can’t have one without the other,” he said.
In the Brexit debate over immigration, one fact that has been often overlooked is that the European Union’s freedom of movement rules have an important exception. The European Parliament and Council Directive 2004/38/EC allows member states to deport EU nationals to their home country after three months if they have not found a job or cannot support themselves.
In order to do this, you simply need to know which EU citizens are in the UK, and whether they have found a job. To do that, you need exit checks at the borders to find out who has left the country and when – the UK knows who comes in, but never knew who subsequently went back out.
Why didn’t we have exit checks? Well, they were scrapped by Tony Blair in 1998, and – in theory – reintroduced in 2015, although a report last month by the chief inspector of borders and immigration said the exit check programme was not delivering what was promised.
Without exit checks, an identity management system for immigration is worthless, so the government never bothered with one – although Labour wasted millions on its identity card programme which was scrapped in 2010 as soon as David Cameron became prime minister.
“It is about getting the balance right between national security and civil liberties,” home secretary Theresa May said at the time.
Today, we have the troubled Gov.uk Verify identity management programme, which continues to under-perform and under-deliver, despite lofty ambitions to have 25 million users by 2020. But even if Verify works, it’s not linked to exit checks, and its federated design means it can’t be used to prove UK residence in support of immigration issues.
If the UK had a working identity management system in place – with suitable privacy and data protection controls, of course – that proved who you are and your right to be in the country, how different might the policy landscape be today?
I met Mike Bracken, the first leader of the Government Digital Service (GDS), in 2011, not long after he had started the job, for an off-the-record briefing about his ambitious plans to overhaul IT in Whitehall.
He asked me which online service I would highlight as an example of best practice and I chose the DVLA’s car tax system. Bracken acknowledged that most people would say the same, and added that his goal was for people to have many more options to choose from when answering that question.
What’s your choice for the best digital public service today? I suspect that for many of you, like me, you’ll still say car tax. Sure, there are better designed web pages for a lot of other services, paper forms have been web-enabled, and there’s Gov.uk, but the dramatic changes we all hoped for are harder to find.
Bracken’s high-profile resignation from GDS in August 2015 came when he lost the belief that Whitehall lacked the culture, organisation or intent to deliver on the vision he set out in 2011.
Many observers – this one included – felt that Bracken’s departure would be the start of the slow process of dismantling GDS, a feeling accelerated when his successor, Stephen Foreshew-Cain, was unceremoniously ousted a year later, replaced by the DWP’s Kevin Cunnington. Given the friction between GDS and DWP, that move was seen as a victory for the Mandarins over the disruptive, pioneering spirit of early GDS.
It’s taken a little longer than anticipated, but Theresa May’s announcement last week that GDS was losing responsibility for data policy confirms that process is underway. It’s going to be inexorable, it will be a gradual diminishing, but it seems increasingly inevitable.
How can any organisation claim to be the centre of digital government, when it is no longer responsible for the core activity – the central plank – of digital services: data.
Perhaps we will find out on 10 May, when GDS hosts its first Sprint conference in two years. The event is billed as a chance “to celebrate all the great work that has been done so far to transform government” and to look at what comes next.
Cunnington wrote a blog in February to mark the one year anniversary of the Government Transformation Strategy – the plan that outlined what GDS would deliver by 2020. If he had published a similar blog six months ago – even a year ago – the wording wouldn’t have been that different.
When the tranformation strategy was launched, then Cabinet Office minister Ben Gummer said “Data is going to be the way we achieve the largest transformation in government.” It still will be, but that policy is no longer led by GDS.
Twelve months after promising at the launch, the Cabinet Office had still not delivered on the first element of that aim, recruiting a chief data officer for government. Can you blame people for doubting its ability to deliver on data?
If GDS is to lead the transformation of government, then without data policy it has to do so wearing someone else’s badly fitting running shoes.
The Department for Digital, Culture, Media and Sport (DCMS), which won the Whitehall battle over data governance, has grown increasingly frustrated with GDS. DCMS fought just as hard to take on policy for digital identity too – GDS seems to have won that argument for now, but widespread disappointment over performance of its Gov.uk Verify service means it’s under ever-greater scrutiny.
It’s illogical to separate responsibility for data and identity. It’s a political fudge intended to minimise further embarrassment for GDS. “OK, you’re losing data, but you can hang on to identity” – you can imagine the conversation that led to that compromise.
GDS staff frustration
Let’s be clear about one important fact though – GDS still employs some excellent digital specialists. Many of its staff do a great job – they’re passionate and committed to improving public services. But they are increasingly frustrated too, about the leadership and direction of GDS, as recent staff surveys have revealed.
GDS was once lauded for a policy of “making things open, it makes things better”. But today it’s hunkered down, secretive, rarely willing to comment using anything more than brief statements or bland, self-celebratory blogs. GDS still has an important story to tell – it makes no sense not to be telling it. Whoever decided to neuter GDS’s public voice has to take a large share of blame for the growing chorus of concern about its role.
People care about GDS. They want it to work. Most of the criticism directed at GDS comes because people want it to be better, they see its potential and the opportunity that exists. Nobody bothers to criticise an organisation they don’t care about. The moment the wider digital community stop caring about GDS, it’s dead.
The Sprint event will need to show – through measurable targets and proven deliverables – that GDS is still actively leading the digital transformation of government. It will not be enough to simply say it is, to claim it is, to speak in press-office approved words that obfuscate and avoid hard commitments.
The fact that the announcement about losing data policy was snuck out in a written statement without any fanfare at the end of the day before the Easter break, just as MPs left for the Parliamentary recess, was a tacit and shameful admission of failure in how digital government is perceived and communicated in Whitehall.
GDS has not even commented on the loss of data policy – not a word, despite press requests for its views. Such silence cannot continue – GDS needs to loudly and publicly address these concerns. People want GDS to work.
Also last week, two of the architects of the digital government strategy that led to the formation of GDS, Jerry Fishenden and Mark Thompson, published a new “manifesto” for the digital reform of public services.
Fishenden and Thompson were also co-authors of a 2010 paper titled Better for less, led by Liam Maxwell, then an advisor to the Conservative Party’s technology policy lead, Francis Maude. As Cabinet Office minister in the coalition government, Maude led the implementation of many of the recommendations in that paper and it served as part of the justification for creating GDS.
Maxwell, now national technology advisor at DCMS, is likely to be the prime mover in whatever DCMS now does with data policy.
If you feel inclined, read that 2010 paper, then read Fishenden and Thompson’s manifesto. The words might be expressed differently, but the principles are very much the same. How much has really changed in the interim?
We all see the potential, the opportunity, for public services designed for the digital age. So many people want GDS to be successful in delivering that goal. GDS, and the government, needs to demonstrate – publicly, openly and honestly – that it still can.
The technology industry is still relatively young, and certainly has a lot more growth to come. But it’s old enough now for us to see the repeating trends that make regulatory and legal restrictions of the big internet companies inevitable.
Google is already under scrutiny by the European Commission, and now Facebook is the focus of political and societal anger for its role in spreading fake news, influencing elections, and its relationship with the controversial data science firm Cambridge Analytica.
We’ve had three major eras in modern technology since the 1960s, and for the first two, the dominant company of the time has eventually been reined back by political pressure.
First, there was IBM in the mainframe age. As long ago as 1969, the US Department of Justice launched an antitrust case against IBM, alleging abuse of a monopoly in the supply of general purpose computers. The legal action lasted for 13 years before being dropped in 1982 – but the move changed IBM as a company and changed the IT industry too.
As part of its attempts to rebut the accusations, IBM for the first time unbundled software and services sales from its mainframe hardware, enabling greater competition and creating a whole new sector in the tech industry.
The forced move eventually proved almost calamitous for IBM. Despite being a pioneer of the PC in the 1980s, IBM’s internal paranoia about further antitrust action contributed to Big Blue missing the full impact of the PC revolution – the second major era of modern IT – leading to what was then the biggest loss in US corporate history, of $8bn in 1992.
The company that made hay while IBM’s profits declined was, of course, Microsoft, which became the dominant player in the PC age. Inevitably, this led to a similar turn of fortune, as Microsoft faced a series of antitrust cases in the US and Europe during the late 1990s and into the 2000s.
Distracted by its legal fights and by the need to change its own culture and sales behaviour, Microsoft was late to the game on the web and online search, and completely missed the rise of mobile, apps and social media. In 2007, then-CEO Steve Ballmer famously dismissed Apple’s new smartphone, saying “There’s no chance that the iPhone is going to get any significant market share. No chance.” The iPhone subsequently generated more annual revenue than all of Microsoft.
Now we’re in the internet era, and firms like Google and Facebook dominate. They are introducing new business models, and pioneering not just new technologies but new working practices. Society is only now starting to understand the implications of the vast databases of personal information these companies are gathering.
As someone once wrote, privacy is one of the defining challenges of the internet age. Facebook and Google are finding they have reached the limits of what people consider to be acceptable and ethical, after years of pushing those boundaries ever further.
Many experts predict that the next era of IT will be artificial intelligence (AI). As the influence of today’s early AI use rises, will changing political and legal attitudes to Google and Facebook ultimately stifle their plans to dominate in AI too? The historic example of Microsoft and IBM suggests it might – although if it does, that inevitably means there will be new AI giants emerging to restart the cycle.
If you happen to be an ardent Brexiteer, a true believer in the UK government’s desire for “innovative solutions” to avoid a hard border with the Republic of Ireland, we have good news for you. The technology exists to do the job and save the day for you.
For a start, there’s what your friends in IT call the “internet of things”, which means sensors on containers transporting goods across the Irish land border; sensors on the delivery vehicles; sensors tracking temperature, humidity, and other essential quality indicators; sensors on the goods themselves; sensors on animals – maybe even sensors on people (which of course they already have in their smartphones).
A well-designed customs and border software system would sit behind all this data, offering simple transactions for companies and individuals that need to cross the border, providing the basis of an infrastructure to deal with the majority of the challenges that a hard border presents. You might even be able to develop an app. Maybe you can use blockchain, and some “artificial intelligence“. You would probably still need some manual elements in the process, but largely, the problem is solvable. (Let’s not worry for now about the dozens of existing government IT systems you would need to interface to or integrate with – you know, details).
This may be admittedly a very high-level description, but the oft-touted (mostly) frictionless border is a technological possibility, of that there is no doubt.
If you are a Remainer, or at least a not-so-hard Brexiteer searching for common sense among the casual frippery promoted by the likes of foreign secretary Boris Johnson, here’s your counter argument to the proposal above.
It won’t work. But you know that already.
Why not? Well, it will probably be able to work one day, but even with the best will in the world – and the best technologists, and a very large amount of money – it’s not going to happen anytime soon.
Technology can do some amazing things. But if government should have learned anything from its various IT woes over the years, to do something new, untried, untested, at large scale, and especially in a two to three year timeframe (assuming the UK and EU agree a transition deal to the end of 2020) – it isn’t going to happen.
Frankly, if they agree a transition deal to 2025, it won’t happen either. 2030? Maybe – probably not though.
Remember the NHS National Programme for IT, which started out as a three-year project? How about Universal Credit, due to be fully implemented by 2016? What about e-Borders, kicked off in 2003 and still not implemented? Let’s not worry for now about the billions of pounds wasted on just those three.
The government will, at some point, have to face the fact that technology is not going to save them. If anything, IT is more likely to sink them.
We already know that HM Revenue & Customs alone needs to update 24 IT systems to be ready for Brexit – and doesn’t yet know what it needs to be ready for. We also know that the average duration of a modern, small-scale, well-defined digital project in Whitehall is two years – excluding large-scale transformation programmes, of which Brexit will require many. Oh, and government is already short of about 4,000 digital workers before even considering Brexit.
Should we also point out that the sort of tech implementation described above has never been done, at such scale, anywhere in the world? Presumably a post-Brexit Britain will develop that ingenuity and capability as soon as we leave the EU. Praise be.
Brexiteers – thanks for your faith in what technology can do for you. Just don’t think for a minute it will be able to do what you want it to do anytime soon.
Computer Weekly writes a lot about cyber security – it’s the easily most popular topic among our readers, and always rates as one of the top priorities in our annual survey of IT professionals. None of that will come as a surprise.
But some weeks certain stories come together to bring an insight into the challenges facing organisations in this area.
A global survey published this week showed two-thirds of 1,300 senior executives interviewed ranked cyber security among their organisations’ top five risk management priorities – approximately double the response to a similar question in 2016.
However, only 19% of respondents said they are highly confident in their organisation’s ability to mitigate and respond to a cyber event, while only 30% said they have developed a plan to respond to attacks.
Consider those findings against a separate survey, that showed the cost of cyber crime is now up to 0.8% of the global economy or $600bn a year – up from 0.7% in 2014, an average rise of 11.3% a year. Note also that Europe suffers the highest economic impact of cyber crime, estimated at 0.84% of regional GDP, compared with 0.78% in North America.
Business executives clearly recognise the importance of cyber security – and are feeling it financially – but have neither the confidence nor the plans to tackle the problem.
Look also to the public sector, where a survey of 500 people in the UK found that 49% were “wary” of sharing their information on public sector websites.
Meanwhile, an investigation by privacy campaigners Big Brother Watch showed that local authorities are being hit by an average of 19.5 million cyber attacks a year. That equates to 37 attacks or attempted breaches every minute on councils that are accumulating growing amounts of sensitive and personal information about citizens.
The report revealed an “overwhelming failure” by councils to report losses and breaches of data, as well as shortcomings in staff training. Over the last five years, 114 councils suffered at least one breach and 25 had a loss of data, but more than half of those incidents went unreported.
Can you blame citizens for being worried about how their personal data is being handled?
Add one further survey to the mix – 70% of organisations said they need cyber security skills, but only 43% said they already had such skills in place.
It’s reassuring to see the growing awareness of IT security risks – among executives and the public. But the gap between understanding and capability is not shrinking in response – in many cases, it’s growing.
Organisations need to turn awareness into action, otherwise the cost of cyber attacks will become a recurring and accepted cost of simply doing business – and it’s the privacy of our personal data that will suffer as a result.
You wouldn’t exactly classify the leaders of the UK tech sector as a bunch of liberal lefties. For all the stereotypes of bearded Shoreditch sandal-wearers that surround much of the nascent startup scene, if you polled the average UK tech conference for delegates’ political views, you would find a sea of blue.
The tech sector likes to make money, and mostly, it’s pretty good at it.
So it tells you a lot when you see the increasingly difficult-to-disguise fury of the sector bubbling to the surface whenever the government talks about Brexit.
“We do not make the UK more attractive to the rest of the world by putting barriers in the way of trade with our biggest market,” said trade association TechUK after a speech by Boris Johnson this week where the foreign secretary attempted – mostly unsuccessfully – to convince frustrated Remainers of the opportunities of leaving the EU.
If you’ve been used to the sort of meek, carefully phrased statements that come from trade bodies over the years, you’ll recognise that line as the industry equivalent of thundering.
When secretary of state for digital, culture, media and sport Matt Hancock – previously digital minister – habitually praises the UK tech sector in speeches, you can’t help but notice he never mentions Brexit. He knows what his audience thinks and he’d clearly rather not go there.
Senior industry figures told a House of Lords committee earlier this month that the prospect of a no-deal Brexit would be unthinkable. There is real fear for the future among the companies that are likely to be the future for the UK economy.
They will still make money, of course. It’s not as if Brexit means the industry will dry up. But UK tech leaders will be operating with one arm tied behind their backs without regulatory alignment to the EU, without easy access to the skills of EU IT experts, without research partnerships across the continent, and without frictionless flows of data, IT services and products.
This is a sector that thinks constantly about the future, that designs our future, that understands the enormous potential for positive change it can bring about. And it’s genuinely fearful for the damage Brexit could cause, and the dithering and uncertainty brought about by the UK government’s hapless approach.
The Lords committee learned that government communication with the tech sector has declined since the start of the year – perhaps our political leaders don’t like what they’re hearing so don’t bother to listen any more. And that’s a huge concern for the UK’s digital economy.
The Department for Work and Pensions (DWP) has been consistently criticised for its lack of transparency since the controversial Universal Credit programme was launched nearly eight years ago.
The department has fought court battles against Freedom of Information campaigners to prevent the release of key documents. It has obfuscated repeatedly to journalists about problems with the IT. And until the House of Commons in December ordered DWP to release a series of project reviews to the Work and Pensions Committee, it had kept these critical progress reports from MPs too.
On the occasions that DWP is forced to reveal its hand on Universal Credit (UC), you can understand why it prefers such secrecy.
The release this week of the committee’s summary of UC project reviews since 2012 shows the scale of the challenge and the potential for calamity as the new digital version of UC is rolled out nationwide over the course of this year.
That’s even without considering concerns highlighted over assurance processes that have seen UC press on even when failing to meet agreed success criteria.
The summary confirmed Computer Weekly’s story that Gov.uk Verify, the identity assurance system developed by the Government Digital Service (GDS), lies at the heart of the risks facing the scaling up of UC to Jobcentres across the UK.
Much of the savings anticipated for the welfare reform programme were based on applications being submitted and processed automatically – with minimal manual intervention. The starting point for this automation is Verify – the way that claimants are expected to prove they are who they say they are online.
As we revealed, barely a third of claimants have successfully used Verify, and in the early implementations of UC this has meant significantly greater involvement from Jobcentre staff than planned – costing £963 per claim, compared to a target of £250.
DWP has even had to develop its own identity system to compensate for the weaknesses in Verify – making the third ID system in use in Whitehall, alongside HM Revenue & Customs’ Government Gateway product – not to mention another being developed by the NHS. Oh, and then there’s yet another underway for the Scottish government.
The committee report highlights fears that the rapid scaling up of UC users due to take place this year will push Verify beyond its already limited capabilities, with potentially significant implications for DWP staff as well as benefit claimants.
Greater transparency throughout a programme with such widespread social consequences might have caused embarrassment for DWP, but more public scrutiny could have helped point this important and much-needed reform in a better direction.
DWP has listened and learned from much of the past criticism of UC, for which it deserves credit. But it is time to deliver greater openness too –not only for the success of Universal Credit, but for wider government digital transformation initiatives too.
There’s a growing body of opinion that the government’s flagship digital identity system, Gov.uk Verify, has now become a major hindrance to the development of the UK’s digital identity infrastructure.
The concerns about Verify have increased to the point where the Government Digital Service (GDS) could be about to lose control of government policy for digital identity.
Computer Weekly understands there’s a battle going on between the Cabinet Office, where GDS sits, and the Department for Digital, Culture, Media and Sport (DCMS), responsible for policy around the digital economy – within which the issue of identity is central.
Senior Cabinet Office civil servants are reluctant to let it go – but industry disenchantment with Verify is growing and DCMS thinks it needs to address the situation.
That same debate between the two departments is also set to see policy for data shifted to DCMS – the Cabinet Office has yet to recruit a chief data officer despite the post being announced a year ago.
But it’s Verify – and its intended role as the core of a UK-wide digital identity infrastructure – where concerns are greatest. Digital identity is core to the UK’s online future – the use of standard electronic IDs for transacting online with government, banks, retailers and other e-commerce providers is expected to deliver a significant economic boost.
As Computer Weekly reported in December, there are already moves afoot to make “Gov.uk Verify” more of a brand and a set of standards, instead of a product that GDS will encourage the private sector to adopt.
This follows ongoing and extensive performance problems with Verify that even now sees barely half of all attempts to create a verified identity through the system being successful. Furthermore, GDS’s own research has shown that success rates for Universal Credit benefit claimants through the Department for Work and Pensions’ new digital service are even worse –only 30% of Universal Credit users have successfully created a Verify account.
But there’s another issue for companies wanting to be a part of a UK identity market. They feel they are being shut out by the commercial structure around Verify, with the existing independent identity providers (IDPs) recruited by GDS having a virtual monopoly.
Sources suggest that even senior figures in GDS acknowledge the current approach leans too far towards the existing IDPs.
The IDPs are protected by a contractual framework that means it will be about 18 months before new providers will have a chance to be approved for identity verification for government services.
The existing IDPs, which include Barclays, Experian and the Post Office, have exclusive access to the market for public sector users. They are protected by a period without competition that, in theory, was meant to allow them to be sure they would recoup their initial investments in developing Verify.
In reality, the roll-out of Verify has been so slow and with such poor performance that their expected financial returns are unlikely to have materialised.
Land Registry recently adopted Verify for its new digital mortgage service – an apparent boost for Verify. But the Department for Business, Energy and Industrial Strategy had to inform Parliament that being responsible for digital identity assurance meant Land Registry needed to take on an at least £300,000 in additional contingent liability in case a Verify user proved not to be who they say they are, meaning taxpayers would have to pay compensation.
Players in digital identity have been waiting for GDS to issue a commercial framework that explains how Verify can be used in the private sector – covering issues such as liability, and addressing questions such as who takes the blame if a Verify account created for government services proves to be fraudulent when used to transact with a bank, for example.
Sources suggest that the commercial framework is being blocked by the Treasury, until a plausible model has been created – this may be a contributory factor in the Land Registry liability commitment.
DCMS wants to accelerate the creation of a digital identity market in the private sector, and sees taking control of policy away from GDS as the way to make that happen. Some people see Whitehall politics in play by the omission of any reference to Verify in the DCMS green paper on internet safety strategy published in October last year.
The increasingly common theme among a growing number of identity experts is that Verify needs a major overhaul. They think it is blocking the creation of a much-needed UK digital identity ecosystem – and GDS is seen by many as the logjam in the middle.
If DCMS does gain control of digital identity policy, it is unlikely to be as stubbornly committed to the future of Verify as GDS and the Cabinet Office continue to be, even in the face of such growing concerns.