Earlier this week the Government consultation on Digital ID closed, Senior Policy Adviser Matt Burrell assesses the fine line the Government needs to tread with the public to ensure their privacy is not infringed.
Proving who we are to others is a process as old as human civilisation, and up until recently the technology by which we do so had not changed a huge amount in several thousand years. An ancient Sumerian trader and a teenager buying a lottery ticket have something in common: they both rely on secure documents to prove their identity and legal rights. Whilst there is a lot of difference between an ancient seal from Sumer and a modern driving licence, they operate in roughly the same way. The complexity of the document confirms its origin and the origin of the document shows that the information it contains can be trusted. The third crucial element is that the fraudulent production or use of such documents carries a penalty heavy enough to ensure that counterfeiting and fraud are not widespread (death in ancient Sumer or imprisonment in our more lenient times).
Like with many things, the digital revolution has made the process of proving our trustworthiness both easier and infinitely more complex. The amount of data in the world has grown at an exponential rate, meaning that there are a vast number of sources against which ID can be checked, and also many more ways that an identity can be stolen.
Between your transaction history and various incremental assurance methods, banks have a pretty solid idea who their customers are. Similarly, Facebook, Google and Amazon feel confident enough in their knowledge to be able to process transactions with far fewer checks than banks carry out, to make for a slick user experience. These are sophisticated systems, but you don’t have to be wearing a tin foil hat to have some worries about putting these institutions completely in charge of how you prove your identity online.
Many other countries have decided to solve this issue by simply making government the default issuer of digital identity. In Estonia every citizen has a digital ID issued to them by the government and this is the default way that you identify yourself to both private and public organisations. Unfortunately for the UK, one of the underlying systems that you need to do this is a unique identifying number or card, which is something we don’t have. National Insurance numbers are not designed for this purpose (and a whole blog could be written about the various problems with trying to use them this way) and there is no obligation for a UK citizen to have a passport of driving licence. It’s not even that we haven’t got around to it - scrapping the implementation of ID Cards was one of the great bonding moments for the coalition government.
It seems that the nation still has a capital “L” liberal view in the vein of John Locke and John Stuart Mill of the state being able to ask you to identify yourself. This has been doubly reflected in the digital space and for good reason. You also don’t have to be a diehard Orwell fan to have some scepticism about the Estonian model and giving government total control of digital identity. With central control you risk a situation that echoes the words of the 90s enfant terrible of rap, Marshall Mathers, “I am whoever you say I am”, where the individual is a passive recipient of digital identity rather than an empowered citizen.
UK public policy makers have therefore had to tread a very fine line to satisfy the requirements of a population that wants to be able to access services securely and easily without having their privacy infringed. This is the environment from which Gov.UK Verify came into existence, a service that was brilliant in theory but which the public have historically struggled to use. That does not, however, mean that the principles that underpinned the service were wrong. Asserting your identity online does not have to come at the expense of your privacy and you should not have to depend on a state service or any one data source to do so.
The response to the Call for Evidence on Digital Identity from DCMS and Cabinet Office confirmed a welcome shift in the UK Government’s approach to a policy based on standards and principles, rather than a single service. The recently formed cross government Digital Identity Board will be tasked with developing the legal framework that will enable a competitive market in digital identity, whilst retaining the crucial privacy principles that made Gov.UK Verify a global standard setter in privacy protection.
It is vital that government and industry work together to find a solution that empowers the citizen online, protects privacy and satisfies the security needs of government and industry. It’s not an easy thing to do but things this significant rarely are.