The United Kingdom’s digital identity verification service GOV.UK Verify is finally going live after years of building and testing — and there are plenty of lessons to be learned as the Digital Transformation Office begins the process of building Australia’s version.
The system allows customers to spend about 10 minutes the first time to verify their identity, then about two minutes for subsequent logins. It gives customers a choice between private companies to carry out verification processes, which are then supplied to the government agency the customer wants to use.
This means the information is not all stored in a single location and the amount of data shared is kept to a minimum. The company you choose doesn’t know which service you’re trying to access, and the government department doesn’t know which company you choose.
— GOV UK Verify (@GOVUKverify) May 24, 2016
Eight companies are currently certified to provide the service, and their processes vary. Information like name, gender, date of birth and address are collected, as well as passport details and bank, credit card or mortgage statements. There is an intention to expand the range of information that can be provided to make it accessible to those without those financial documents.
The move from beta to live “doesn’t mean we’ve finished developing the service”, says identity assurance programme director Janet Hughes, who emphasised it was just one step in an incremental process.
It means we’re ready for larger-scale adoption by departments — we’ve got a lot of services in our pipeline preparing to start using GOV.UK Verify over the next year (it will be a gradual, careful, ongoing process, not a ‘big bang’ switchover) … but live is really just the starting line. We’ve got a huge range of work on the go to iterate and improve the service, and we’ll carry on working as hard as ever once we’re live to make the service as simple and straightforward as possible for users.
The list of agencies planning to connect to the service will grow over the coming year. Current transactions available include checking driver’s licences, filing tax returns and checking state pensions.
Challenges along the way
Getting to the point of going live has taken around four years, a few learning opportunities and some ongoing pain.
Some have raised concerns about the need to provide such detailed identity and financial information to private companies, many of which are based outside the country. There are also privacy worries about the fact that anyone who decides to delete their account will reportedly have their data retained by the private provider for seven years.
Moreover, the system will only allow verification of individuals, not companies, trusts or community organisations, for example. This was a problem in one of the first GOV.UK Verify trials, with farmers. It was thought farmers, living outside cities, would particularly benefit from online services. The test saw low sign up rates, however. The Government Digital Service discovered the problem was that farmers tend to transact with government through a farm company or family trust, so only building the system for individual verification means it wasn’t a lot of use for many potential customers.
This inability to verify businesses has led to a recent embarrassing report that the tax agency, Her Majesty’s Revenue and Customs, have decided to develop their own digital identity system targeted at businesses for when the current one is decommissioned in 2018. This would mean two different systems running concurrently for different types of users.
It appears unlikely the element allowing customers to choose between private companies to verify them will be built into the Australian Digital Transformation Office’s federated verification product, due to be released in alpha form in August along with a framework for how participating agencies will verify customers to different levels of assurance.
Speaking at an event earlier this year, DTO head of identity Rachel Dixon expressed scepticism about the need to give customers a choice between providers. “It turns out in the research that consumers, when it comes to government, don’t care who verifies their identity. The government is making them do it,” she argued. If the government trusts the provider, most people are happy to use whichever service they are directed to.
There are already a few existing government verification services in Australia anyway, she noted, such as those of Service NSW and the Queensland government, suggesting the DTO system will be designed so these customers will not have to go through the process again and can be slotted in.