The government urgently needs to develop a coherent strategy to make secure and trusted methods of digital identity widely available to people and organisations, says a report published this morning by Tech UK.
In the report, The Case for Digital IDs, the IT industry trade body says the government has failed to create a digital identity system that works for all government departments let alone the wider economy. The flagship Gov.uk Verify programme, in to which the government has poured hundreds of millions of pounds, has been rejected by various departments including the NHS and HMRC which have gone on to develop their own digital ID systems.
"To ensure the UK does not fall behind other countries, we must create an interoperable framework for digital IDs which spans the public and private sectors," Julian David, CEO of TechUK, told Computer Weekly.
TechUK’s report sets out the case for strong government leadership and governance to link up the public and private sectors to create a universal standard for digital ID authentication and management.
It makes several recommendations for a UK digital identity system including:
Developing government policy around the creation of a "fully functioning digital identity ecosystem which operates across public and private sectors"
Releasing into the public domain the development plans for the Gov.uk Verify programme with a view to creating a framework of universal standards
Enabling examination, membership and utilities organisations to add data to individuals’ digital identities to build up their identity profiles
Creating parity between online and offline identity systems including age-verification systems
Establing a lawful basis for processing biometric data for identity verification
Creating a competent independent authority for digital identity
The paper argues that a strong digital ID is essential to protecting citizens’ data under GDPR as more and more of our lives become digitised. It would give people more control over what data to share and create more transparency over how it is being used, it said.
It would also be an economic boon as it would facilitate the development of open banking and other services by enabling people to log on with a single ID. And it would also help organisations such as banks that have a statutory duty to ‘know your customer’ to stem money laundering.
It would also simplify access to government services and could be used as a proof-of-age through the tokenised sharing of an 18-plus attribute, it said.
"The plea from many in the tech industry is that the issue of identity needs to be joined up to tackle the need to manage multiple digital identities and consumer expectations on ease of access to all types of online service. Tech companies small and large are keen to assist and are coming up with solutions. But they are encountering hurdles in outdated legislation, the complexity of the regulatory landscape and in achieving recognition of their solutions in the market," the report said.
While there is clearly enthusiasm within the tech sector to crack the digital ID nut, there are others who say there are practical and philosophical problems in creating a centralised ID management system, whether it be controlled by the government or the private sector.
Alan Woodward, professor in computer science at the University of Surrey, asks whether the British public would accept a government digital ID given the history around the creation of national ID cards.
"Digital IDs raises the same concerns as physical IDs did," Woodward told SC Media UK. "In the UK there are a very specific set of circumstances where you have to prove your ID in law to a policeman, eg driving. Most of the time we are not obliged to ID ourselves to law enforcement which is why the creeping introduction of things like facial recognition are a concern."
In practical terms, digital IDs create single points of failure which have vulnerabilities as has been demonstrated by India’s Aadhaar biometric identification system which has suffered breaches and in Estonia with the discovery of a vulnerability in its ID card security certificates.
Another point of vulnerability is enrolment onto the system, Woodward said. If a criminal can create a fake physical identity by using false documents, what is to stop him from doing the same with a digital ID, he asked.
"The whole concept of Digital ID is problematic," he said. "In establishing a Digital ID what do you use as your base ID – government issued photo ID like passport and driving licence? What if those are stored and stolen? It all relies upon direct access by the private sector to systems such as the passport office or DVLA to verify an item such that they don’t have to store it. Imagine if that were done over a greater number of private sector organisations. The risk of breach increases and that’s one thing the government has to avoid."
"There is a fundamental question about all of this – why do you need a digital ID?" he said. "This whole area is a privacy minefield which is why I think we need to ask why first. What problem are we trying to solve?"