The DWP press release* announcing the first seven participants in its Identity Assurance Programme should be read in full: for what it does not say as much as for what it does. The list is almost certainly not that which those responsible for Government ID policy (leaving aside the question of who is responsible and what the policy is) would have wished.
I suspect the missing banks, social media, on-line retailers and high street names have taken the view that the business on offer from HMG (let alone a from modest 18 month non-exclusive trial with DWP) is not worth the cost (including diversion of effort from mainstream paying business), let alone the reputational risk.
That said, the announcement appears to contain an overdue (albeit perhaps reluctant) recognition of reality: that the world of identity systems is a mature marketplace. Unfortunately those who have issued hundreds of millions of electronic IDs (some of which are trusted for sizable financial transactions and/or personal or corporate risks) are not interested in working with HMG (including DWP) other than on their terms. Meanwhile would-be new players are not interested doing so unless bribed with the £billion pound contracts that HMG can no longer afford.
We still have disappointed pundits calling for a comprehensive “solution” at some-one else’s expense. But that “solution” seems even further away than when the International Telegraphic Union met to agree codes and tariffs - over 150 years ago. What has been announced by DWP may, nonetheless, do rather more than “merely” provide a sensible basis for a workmanlike solution to the needs of DWP. It contains what some have called a “perverse incentive”, whereby participants are paid to register and maintain each identity on a per active user, per annum basis while users can sign up with more than one participant and the latter make more operational margin, at least during the trial, when those identities are use via another participant who is bearing the marginal cost of the “free” transaction.
I think it is not “pervrse” but rather clever. It gives participants a very real incentive to ensure that the inter-operability really does work. If the result serves to extend the current UK market lead in identity arbitrage (as practiced in financial services but not understood outside) into the public sector and into mass-market on-line applications, then it will have achieved far more than the £millions spent via the Technology Strategy Board or Framework 7.
Between them the consortia appear to cover most of the bases. Some may even be able to cover all the bases – depending on the partners which which they are working.
Take a look at Toby Stephens Identity Privacy and Trust Blog for background on IDAP but he works for one of the players (arguably the most important) so it may be helpful if I (who do not work for any of them or their competitors) comment on those given modest (in HMG terms) funding to produce inter-operable services:
- Cassidian is one of the biggest security and secure network suppliers you have never heard of. It is part of EADS and the largest private sector employer in Wales (bigger than steel and coal). It understands the issues of identifying trusted and competant individuals (and technology componants) working in the supply chains of defence and aerospace (is this fitter competant to maintain that engine and are the parts “genuine”?). Whether it understands how to identify those drifting in and out of work with “no fixed abode” is another matter.
- Digidentity is a Dutch company supplying operational “third party trust services” in what is regarded by enthusiasts as a successful, competitive market. Others say that the use of these for transactions is still trivial. Their participation means that the IDAP programme has a participant from a market place which has survived a baptism of fire - the Dutch government has had well publicised problems. Their UK operational partner is Atos, which bears the scars of being a major supplier to DWP but is also riding high on the success of the inter-operability of IDs for the Olympics.
- Experian is, of course, far more than credit records. Government’s “flagship” on-line service, that for motor tax renewal, could not work without the on-line collective motor insurance data base which is one of the many “big data” services run by Experian around the world (not just in the UK). These range from millions of “age cards” (used by teenagers to “prove” they are young enough to travel cheap or old enough to buy a drink) to the El Al Frequent Flyer card (arguably the world’s most secure civilian ID token). Some of its operations already help clients track the footprints and aliases of those with no fixed abode, whether they are credit worthy travellers or known fraud risks one jump ahead of bailiffs.
- Ingeus is part of an Australian welfare to work provider with serious experience of helping (as opposed to merely tracking) the socially excluded. The UK CEO was previously Chief Operating Office for the DWP’s Corporate IT Directorate so they should understand the requirements from the DWP perspective.
- Mydex is a community interest company which seeks to put individuals in charge of their own personal data. It will be interesting to see how they plan to handle the challenges of working with those who will give their cards and passwords to who-ever will go to shop or operate the computer for them or are engaged in manufacturing or stealing identities and footprints.
- The Post Office is the only public sector organisation that most of us still trust. Hence the reason we complain so much when its offices close, even though we (the IT literati) go to them as little as possible because of the queues, which include those in whose social exclusion we collude - while claiming otherwise.
- Finally there is Verizon , the US telecoms giant, not to be confused with Verisign which sold its Internet authentication business to Symantec a couple of years ago. They are a member of OIX (a US inter-operability group which Cabinet Office asked to open a UK chapter as an umbrella for ID standards activities for which it no longer had a budget).
But where are the main current UK providers of identity services: including the banks and the operators of credit, debit, cash and loyalty cards or the lawyers who provide notarising services? More-over those running local authority residents cards have been excluded for “legal” reasons whose logic I do not understand.
I therefore hope that this announcement is a step on a journey of exploration.
Meanwhile I was delighted to see that page 10 of the new Fighting Fraud Together Strategic Plan lists the enablers of fraud that need to be addressed – beginning with “Identity Exploitation”, particularly the acquisition of the information necessary to FOG, “fraudulently obtain genuine” identities. At this point I link back to the DWP press release on the IDAP providers and Lord Freud’s comment that “we are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer and effective, safe and free to use identity service for future online benefit claims.” I suspect there is a lot of nifty footwork ahead in order for the providers to live up to his confidence at a price DWP is willing to pay.
*Department for Work and Pensions