In Derbyshire, Mr Smith wants to renew his driver’s licence. He does it via the DVLA website, completing an online form that asks for various pieces of personal information. Next, he wants to buy some parking permits from his local council. Frustratingly, to complete this process he has to input much of the same data again – this time into the council’s website. It all takes time; time he doesn’t really want to spend on this rather tedious activity.
Meanwhile, at the other end of the system, staff at the DVLA and the council separately set about verifying that Mr Smith is who he says he is. As public services move online, organisations are producing some savings by reducing their staff in call centres and behind desks – but the traditional departmental ‘silos’ remain firmly in place, reducing the opportunities to cut duplication and make economies of scale.
Wouldn’t it be easier if Mr Smith was able to input his details only once? And wouldn’t it be better if these details were then verified by a supplier of his choice: an organisation that both he and the government know and trust, such as a bank or credit rating agency?
The coalition government certainly thinks so. Since Martha Lane Fox’s 2010 report, in which the digital champion recommended that directgov be made the front end for all the departments’ transactional online services to citizens and businesses, there has been much talk about how to get more government services online and more people using them. It’s a project that has the potential to save millions of pounds; make public services quicker and more effective; clamp down on fraud, error and debt; and enable the government to play a full part in stimulating the digital economy.
One critical component in the success of this service migration is identity assurance: the process of checking that the people making online transactions are who they claim to be. Identity fraud is estimated to cost the UK around £1.9bn a year, according to the Home Office. To avoid inflating this figure still further as public services move online, the government is introducing an identity assurance programme that will see accredited providers verifying citizens’ identities. Service users will be able to choose their own ID assurance provider from a range of suppliers.
Staying one step ahead
“Whenever a new system comes online that allows people to procure funds, claim credits or benefits, it inevitably attracts fraudsters who converge on it and exploit it,” explains Peter Gunning, head of business development at BT Security. “You need to make sure people who are registering for a service are who they say they are. Fraud is like an arms race. You introduce a security measure; someone starts to look for ways to exploit it. The thing to do is to probe the system’s weaknesses and pre-empt [fraudsters’] moves.”
Ease of use is another key consideration for the strategy. To attract visitors, online services have to be quick and simple to use – or as the Cabinet Office’s digital director Mike Bracken describes it: frictionless. “The more we reduce friction, the happier users will be,” he tells CSW.
All well and good, but how do you go about ensuring that services are both secure and accessible? The answer lies with the service users themselves, believes Bracken. The government’s approach to identity assurance “will be market-led so that SMEs and other companies can deliver it, and user-led so that it can change over time,” he says. “It will be co-developed by everyone, and at its heart will be the sense of user-led demand.”
What does this mean in practice? From a user point of view, it means giving citizens the freedom to choose their preferred identity verifier. This may be their bank, the Post Office, a mobile phone operator: companies that have already engaged with an individual and verified their identity, and can thus confirm this person is who they say they are when they interact with government organisations.
“We’re becoming increasingly adept at managing personalities online, even without realising it,” says Bracken. “For example, the way someone manages their Facebook ID is very different to how they manage it with their bank. What we want to do is give people flexibility. If a bank has already identified someone’s identity, why not let them verify that person when they use government services as well?”
As they develop this approach, the government’s digital team is – in-keeping with the shift away from monolithic, centrally-based, rigid IT systems – working flexibly, using a federated model that not only avoids large amalgamations of data, but more importantly opens up the marketplace and gives users more choice.
Bracken is keen to point out this is “not an IT build”; he’s determined not to commit the government to building a new mega-database. Nor is it about reinventing the wheel – in his view there is no point in developing new products, given the range of ID assurance services already available.
Instead, he says that what is needed is for government “to become adept at selecting appropriate protocols and enabling them to interact with providers in the market place.” So government will set the benchmarks that ensure compatibility and security, then let a range of providers build systems that both appeal to different users, and retain the ability to evolve with the regulatory and technological landscape. The protocols will cover factors such as technical architecture, commercial models, and legal requirements, and are currently being developed by Bracken’s team. “If we build a system that is rigid, excludes SMEs and is hard to change, we’re more likely to run into problems in the future,” Bracken comments.
This flexible approach is based, in part, on hundreds of conversations that Bracken’s team has had with businesses, large and small, about the way they verify the identities of their own customers. “What struck me was the scale of different uses of ID, depending on the business. Everyone has a different point of view”, he comments, adding that meetings with Google and PayPal were particularly productive: “They were very good. They opened up their thinking and showed us how they have developed ID platforms.” Observing the range of technologies and approaches on offer, and the preference of different types of service user for different interfaces, Bracken is convinced that the problem of public service ID assurance is best tackled by creating a market of providers and giving service users the power to choose their own favourite.
This is a cross-government strategy, meaning that these ID assurance providers’ systems will offer access to all government online services; so Bracken’s digital team has also been working very closely with other departments. Representatives from the various teams have been brought onto the boards involved with this project, while regular meetings and pilots have helped strengthen knowledge and understanding across the whole of Whitehall, says Bracken.
Brave new world
Some of that knowledge focuses on the technologies required. This is a dynamic landscape, with new technology being introduced to the market all the time. Developments are so fast it’s almost impossible to look too far ahead, reckons BT’s Gunning. He reflects that it was “not that long ago” that he demonstrated the company’s voice authentication software to Cabinet Office minister Francis Maude and work and pensions minister Lord Freud: “I came away wondering if people were ready for it. Then almost the next day Apple released 3GS [with voice control], and suddenly everyone is talking to their phone.”
Voice and face recognition technologies identify people’s unique features, making them ideal for ID assurance systems. But with new technologies come new challenges. “If you’re going to register voice and face for verification purposes, you have to do this in the first instance in front of a valid person, so we can be sure it’s the right person’s voice,” says Gunning, emphasising how this might not always be the most convenient form of ID assurance for the general public.
One organisation that has been looking at the development of innovative but secure information systems is the Technology Strategy Board – a non-departmental public body. Together with the Research Councils, it is investing more than £14m in R&D projects designed – the board says – to develop “trusted and trustworthy tools, technologies and methodologies to combat the risks consumers, business and public sector organisations increasingly face during online transactions”. In its 2011 paper, Ensuring trust in digital services, the board provides case studies from many of these projects, which range from payment cards with inbuilt keypads to voice biometrics (see box, right).
In the Government Digital Service’s blog, there’s optimism about the potential of new technologies. However, when questioned about the range of ID assurance tools currently being considered, Bracken is more cautious. “In certain areas we’re looking at voice and facial, but first we need to look at the different commercial bodies,” he says. The initial challenge is not to get the most sensitive services online, but to get online ID assurance up to the standards required in the majority of face-to-face, digital and telephone channels.
Moving forward
The process of accrediting ID assurance providers began last week, with the release of a new tender document. Published in the OJEU (Official Journal of the European Union), in the first instance it seeks digital ID assurance providers specifically for the DWP and its online benefits system (see news, page 1). However, Bracken explains that it also marks the start of the formal process for contracting a set of suppliers to work across the whole of government.
“The OJEU is a prime example of how all departments are working together. It’s gone out with the DWP name on it, which is the first contracting authority, but in a sense it’s the first cab off the rank,” he says. “The same OJEU will be used [as a template] for all departments. No-one can do this in isolation; in this area we have really collaborated.” Re-using an ID service across many departments, as opposed to building several bespoke systems, is a much more effective way of working, believes Bracken.
There is no limit to the number of potential suppliers the government will work with, as long as they meet the standards required. Nor is there a restriction on size of supplier; indeed, SMEs are actively being encouraged to bid for work, either as sole providers or as part of the supply chain. How providers will be paid, though, is still being worked through.
So does the publication of the tender mean the ID assurance project is close to completion? Not yet. No department wants to be locked into a lengthy contract, so the OJEU has a duration of just 18 months. There will also be a long wait while bids are submitted; and the digital team is planning more pilots, the results from which will be fed into the broader strategy.
Given all this, Bracken won’t be pinned down on schedules. It may be some time yet before Mr Smith can simply log into his chosen provider and leap effortlessly between the government’s online services.
Case studies
The Technology Strategy Board has provided £14m of funding towards projects that are developing ways to make our digital transactions – with both public and private bodies – more secure and trusted. Here’s a flavour of the identity assurance models currently being tested.
Consult Hyperion
With partners Visa Europe and Codes and Ciphers, Consult Hyperion has developed an innovative payment card, ‘CodeSure’: a standard debit or credit card that features a keypad and display window. Once a bank has verified an individual’s identity and issued the card, users can enter a pin number to access Directgov services. The project has tested users’ views and found most people unconcerned about the bringing together of government and financial sector authentication, clearing the way for the company to continue exploring the technology.
Microsoft
Working with partners Health over Internet and Edinburgh University, Microsoft set about trying to improve levels of trust in systems for sharing personal health records. A ‘trust framework’ was developed, modelled on the identity assurance systems used by organisations such as Facebook and banks. The framework, which demonstrated how safely personal records can be shared, highlighted the potential for ‘citizen-centric’ services that will enable individuals to manage their own health information. Microsoft is now looking at how to take these findings forward, with a particular focus on incorporating identity assurance into cloud and mobile phone technologies.
The VoxGen Group
VoxGen believes that the urgent need for improved security around personal data has forced companies to impose onerous security checks that are ineffective at preventing fraud and inconvenient for consumers. As such, it intends to give ordinary consumers the power to create a cache of personal online data protected by voice biometrics. In conjunction with its partner Mydex, VoxGen is working to enhance the traditional approach to voice biometrics by adding a second factor to the verification process: that of personal knowledge, tested by asking a couple of questions. This, it believes, will lead to better security and an easier-to-use customer experience.