The British government has released its response to its consultation on digital identity. The media reported, generally speaking, a cautious welcome to what was labelled “efforts to overhaul digital identity services”. These efforts are not, as you might imagine, to create a digital identity infrastructure for the new economy, but to set up a new Digital Identity Strategy Board (DISB) that will look at updating laws to “support the use of digital identities across the UK”. The board will also ensure that suitable privacy and technical standards are in place to allow interoperability and establish individuals’ rights over the use of their digital IDs. We already had a Digital Identity Unit (DIU), a joint effort between the Department for Digital, Culture, Media and Sport (DCMS) and the Cabinet Office that will apparently continue to exist “informally” (I have no idea what this means). As I understood it, the original idea was that the DIU would co-ordinate between the DCMS, which would take care of digital identity in the wider economy, and the Cabinet Office, which would take care of it within central government. The DISB will be focused on government departments, with stakeholders including the Home Office, the Department for Work and Pensions (DWP), HM Revenue and Customs (HMRC), the Department for Health and Social Care, the Departments for Transport, Business, Energy and Industrial Strategy, and HM Treasury, together with a representative from the Information Commissioner’s Office (ICO).
With respect to this plan, I read in the London Times, presumably as the result of some off-the-record briefing by some part of the government machine, that it intends to “create online ‘ID cards’ for British citizens as Dominic Cummings tries to revolutionise the use of data across government”. The journal of record goes on to report that under the “proposals announced” (there were none, by the way; there were some principles announced, but nothing more than that) each person will be assigned a unique digital identity to help them with such tasks as registering with a new doctor. The paper goes on to say that “the details have yet to be finalised”. No kidding.
(For foreign readers, I should explain that Mr. Cummings is reputed to be the Svengali behind the titular Prime Minister, Alexander Boris de Pfeffel Johnson, and hence some weight ought to be attributed to this comment.)
The six principles, referred to above, are pretty similar to the principles agreed by the Privacy and Consumer Advisory Group (PCAG) that I was a member of some years ago. They are:
- Privacy. When personal data is accessed people will have confidence that there are measures in place to ensure their confidentiality and privacy; for instance, a supermarket checking a shopper’s age, a lawyer overseeing the sale of a house or someone applying to take out a loan.
- Transparency. When an individual’s identity data is accessed when using digital identity products they must be able to understand by who, why and when; for example, being able to see how your bank uses your data through digital identity solutions.
- Inclusivity. People who want or need a digital identity should be able to obtain one; for example, not having documentation such as a passport or driving licence should not be a barrier to not having a digital identity.
- Interoperability. Setting technical and operating standards for use across the UK’s economy to enable international and domestic interoperability.
- Proportionality. User needs and other considerations such as privacy and security will be balanced so digital identity can be used with confidence across the economy.
- Good governance. Digital identity standards will be linked to government policy and law. Any future regulation will be clear, coherent and align with the government’s wider strategic approach to digital regulation. For example, firms verifying your identity will need to comply with laws around how they access and store data.
There’s nothing to disagree with here, but reading through the document I was struck by the lack of any indication as to how any form of digital identity might actually come into existence. I think part of the problem is that the consultation and the response lack any fundamental model of what digital identity actually is. Hence much of the commentary is at cross-purposes.
Trigger
Perhaps the trigger for something to actually happen may come from left field. HMRC announced a £3 million tender for the provision of open banking services. This makes complete sense. The HMRC as both an account information service provider (AISP) and a payment initiation service provider (PISP) opens up a whole bunch of services that will make life easier for taxpayers and it’s about time. I am so tired of fiddling about with direct debits and debit card payments for PAYE and NIC. I do hope that they will implement this using standard Request-to-Pay (RTP) and make use of the ISO 20022 data capabilities and not allow an IT contractor to hack up some proprietary nonsense.
But here’s what I think would be the biggest potential benefit of this project if we lived in a country where a technology-savvy joined-up government was functioning efficiently in the public interest: digital identity. What better use case for getting the Open Banking Implementation Executive (OBIE) to implement a British bank ID scheme that HMRC could use for permissioning and consent management? And once it is being used for HMRC, it can be used for other things. And if it is designed correctly (eg, by me) using the 3DID model, then it
Faith Reynolds, the independent Consumer Representative at the OBIE, said at an open banking event earlier this year that digital identity is a key enabler and could make journeys much more convenient and secure. She also noted that a new regulatory regime needs to be established for data sharing to deal with issues like the onward sharing of data, liability and accessible redress, and I couldn’t agree with her more.
Now is the right time to do this. If Brexit means an opportunity to rethink at the national level, but this time involve some expert opinion, I’m all for it. As I have written before at tedious length, we do not need an Indian-style Aadhaar identity number or a Chinese social score, but a general-purpose National Entitlement System (NES). Very few people reading either the government’s response to the recent consultation or this blog will remember the long-ago days before the last Labour government’s attempts to introduce a national identity card, but there was a time when there were consultations afoot around a much better idea, which was a national entitlement card. As my colleague Neil McEvoy and I pointed out in Consult Hyperion’s response to that consultation, the “card” is only one mechanism for storing and transporting entitlements and in the modern age there might be better ones, such as mobile phones, that can not only present credentials but, crucially, also validate them.
Suppose that the vision for national identity (based on the concepts of social graph, mobile authentication, pseudonyms and so on) focused on the entitlements rather than on either the transport mechanism or biographical details? Then, as a user of the scheme, I might have an entitlement to access (for example) health care, Wetherspoons or the Wall Street Journal online. I might have these entitlements on my phone (so that’s the overwhelming majority of the population taken care of) or stored somewhere safe (eg, in my bank) or out on a blockchain somewhere. Remember, these entitlements would attest to my ability to do something: they would prove that I am entitled to do something (access the NHS, drink in the pub, read about Donald Trump), not who I am. They are about entitlement, not identity as a proxy for entitlement.