Privacy and identity expert Fishenden calls for Verify rethink

David Bicknell Published 05 May 2017

GOV.UK Verify and other “competing” initiatives such as HMRC’s Government Gateway should be “subject to an open, honest and fundamental reset”; Cabinet Office reiterates Verify's role in transformation strategy


Former Privacy and Consumer Advisory Group (PCAG) co-chair Jerry Fishenden has called for a “reset” of the government’s thinking around its GOV.UK Verify identity assurance scheme.

Fishenden, who this week quit as co-chair of PCAG over concerns about the present government’s commitments to its work and a perceived failure to address warnings about data handling in the new Digital Economy Act, called for the rethink, saying that despite the “significant amount of money, time and resource (that) have been sunk into the Verify platform in particular”, it is not “delivering the results desired or the success repeatedly promised.”

Fishenden said, “It’s time that the Verify platform, other “competing” initiatives such as the updated Government Gateway, and the underlying work on an identity assurance framework are subject to an open, honest and fundamental reset.”

Fishenden, writing in a blog, pointed out that the National Audit Office’s (NAO) recent report set out a series of high-level recommendations for the GOV.UK Verify programme, emphasising the importance of establishing a clear case; adequate early analysis or “discovery”; and a consideration and assessment of options.

He went on, “GDS needs to follow the principle of “physician, heal thyself” and rigorously apply its own guidance to itself – from a fundamental and honest re-appraisal of user needs and a thorough (re)discovery process, through to a fundamental review of the original business case and the assumptions it made.

“GDS needs to apply the same discipline to its own programmes that it expects of others. This type of delayed and de-scoped programme is a world away from the welcome vision of improvement and success that GDS once promised – and is certainly not providing world-class digital products that meet people’s needs.”

Fishenden argued that during its reset, government should look to revisit the fundamental question, “What is the problem we are trying to solve and how best might we do it?” as well as revisiting its identity assurance policy requirements, including whether it is appropriate for Verify to mandate commercial third parties to (a) be the exclusive gatekeepers of access to online government services and (b) the controllers of users’ credentials.

The reset, he said, should also:

  • Undertake a full discovery of user needs, including those previously neglected, missed or overlooked
  • Thoroughly map all existing identity initiatives and technologies across both government and the private sector, and then plot these against user needs to identify matches and gaps
  • Consult on and define a clear, cross-sector identity assurance strategy and related standards - work which needs to integrate closely with a related, but currently absent, data strategy and set of standards - including analysing the impact of various options on digital social exclusion
  • Bring together key players such as HMRC, GDS and other public and private sector bodies to openly explore existing services and best future options (without getting hung up on the various favoured projects already in play), including short-term and longer-term costs
  • Apply the principles of “cloud first” and “buy before build”, exploring how the identity assurance framework might be better and much more quickly delivered via commodity cloud-based identity-as-a-service (IDaaS) options, rather than continuing bespoke work on in-house pet projects
  • Consider separating the creation and control of users’ credentials from the identity assurance processes operated by the third-party commercial providers
  • Consider the benefits of moving the online identity proofing service provided by the Verify platform third parties elsewhere in the process. If external identity proving is required by a public sector organisation it should only take place when needed by a service owner rather than being placed right up-front
  • Review whether the hub-based approaches employed by both the Government Gateway and Verify platform, with the known security and privacy concerns of hub-based models, could be superseded by more secure technical solutions
  • If desired, keep the overall Verify brand. Use it for whatever comes out of the discovery, reset and redesign process

Fishenden concluded, “We urgently need to see credible leadership and a viable strategy in this essential area. It’s important for the future of online services that government helps nurture a robust, trusted, secure and viable approach to identity assurance that can work right across our digital economy. So it’s worth making time right now to do an honest, open and public reset to get this right – returning to GDS’s idealistic first principles of delivering world-class outcomes that meet people’s needs.”

Despite Fishenden’s call for a reset, the Cabinet Office reiterated that Verify remained a key plank in its transformation approach. A Cabinet Office spokesperson said: "The Government Transformation Strategy, released earlier this year, is clear in terms of Verify - it continues to be a key priority for the Government Digital Service."

It also pointed to Verify’s adoption in local authorities for concessionary travel and residential parking permit services, such as at Northumberland County Council, and its inclusion in the UK Digital Strategy.
