… The Government Gateway is dead … long live the distributed hub, the attribute providers and the identity providers …
Monday’s “Ensuring Trusted Services with the new Identity Assurance Programme” or #ETSIAP as it became on Twitter was a useful catch up on where things have got to. Disappointingly, for me at least, it didn’t really say precisely where they were going – though there was a clear direction of travel – or, more importantly, when exactly.
HMRC’s Joan Wood said that the business case for a “new hub” to be procured and to replace the GG in HMRC would go forward in April 2012 (Joan, who I worked with at the Inland Revenue and who was a key customer of the Gateway in its early days, is only 3 weeks into a new job, yet still had plenty of insight into the challenges ahead); and DWP’s Steve Dover was firmly of the view that Universal Credits would be delivering in April 2013, complete with authentication provided by the IAP (or possibly by their own procurement that would operate in line with IAP). The Gateway’s support contract has just, I gather, been extended through 2014 – something that may provide a useful contingency plan given that the original concept and design around the Gateway was to provide exactly this distributed capability.
The direction of travel, then, is that Government will now buy its identity verification (and perhaps its mapping of that identity to the various government services) from (potentially) many providers. Francis Maude, Cabinet Office Minister, announced that £10m had been earmarked to staff the IAP (and Mike Bracken went on to say later that this would cover 5 workstreams through to 2012/13 which I took to mean March 2013).
This is a change from current practice, though not actually new thinking. Professor Brian Collins, who chaired the event, said that he had worked on such thinking in 1992. I. in turn, ran the Government Gateway team from 2000 to 2004 when this thinking was at the centre of what we were trying to do. We even got at least a little bit towards that with the digital certificates issued by 3rd parties, though that was an idea ahead of its time and its ability to be implemented.
The current practice is largely that government has a monopoly on both your identity and how you match your identity to a government service. Whilst it’s a monopoly, it isn’t actually done through a single route – the Government Gateway certainly handles a lot of transactions but it doesn’t, for instance, handle tax disc renewals, much of what DWP offers online or the bulk of local authority transactions. The change, then, is that private sector entities will be able to offer an identity service (and perhaps a hub that will match identity to service) and offer that to government.
Right now there isn’t a commercial model defined that would allow anyone to assess the value of that market. That is, there isn’t a known pipeline of transactions that will require authentication (or a commitment that only this route will be used in the future) or an assessment of the price that government would be willing to pay for such identity mapping (which would, somewhere along the line, have to address the risk of a false identity being guaranteed).
Mike Bracken went on to talk about a network of trust – using a series of low value transactions to build up a trusted identity. He used the example of the fishing licence – something that doubtless still raises the hackles of those who were around for the first iteration of online services. This is another transaction that has its own identity engine – especially if you set up an account so that you can easily renew your licence each season.
When we first floated the network of trust concept, we called it the “Green Shield Stamps” theory of identity – you carry out progressively more significant transactions by working up a pyramid of trust; over time your online persona is highly trusted. We had two theories on this – one was that there was a pyramid of trust between relying parties, and two that there was a pyramid of transactions that themselves generated trust (so to use Mike’s example, if you have bought a fishing licence and sent your self assessment return in, then maybe you can claim some benefits, and if that works, you claim tax credits) There was much resistance then, in 2003, but no reason why that resistance should still be there (there wasn’t really good reason for it to be there in the first place).
With the Cabinet Office getting behind the IAP – and, by the sounds of it, resourcing it for the first time in its current incarnation – there is great potential, provided things move fast. One of the first deliverables, then, should be the timetable for the completion of the standards, the required design and, very importantly, the proposed commercial model.
The important thing about the timetable is that if HMRC and DWP are going ahead with implementation as soon as 2013, IAP needs to have provided all of the framework and information long before that date – perhaps a year ahead of it – so that providers have time to put together the necessary capability/platform. The alternative is that DWP or HMRC do what they need to do and the result is either a solution where the first one or two solutions are subsidised by the two largest departments or, worse, a solution that works for those departments but not for anyone else.
The thinking behind the Cabinet Office approach is that private sector companies – perhaps the banks, the credit agencies, maybe BSkyB, Tesco or the Post Office will provide these identity services not just for government transactions but for any and all transactions – whether that be Facebook login, checking your Tesco ClubCard points or seeing if your pay check has hit your account. Francis Maude, to wry laughter, noted at the event that he had two dongles for accessing his two bank accounts within the same bank (HSBC if you’re interested). I wasn’t sure if he was suggesting a future where we might have a single dongle for everything (he was certainly not suggesting that was the only route – the slides from Dave Rennie were clear that it would be an individual choice regarding how much joining up was allowed, with the ultimate sanction being to use multiple identity agents for multiple services).
Whilst plenty of hard work has doubtless been done, the real hard work is in the next few months. There were many people in the room who were around when I was running the Gateway – the denizens of the Liberty Alliance, BT URU and so on were all there – and, whilst their thinking will be important, new thinking will also be needed to get this off the ground, get it widely used and get it delivered at a price point that makes sense for all of the players. Again, the commercial model by which this will work is a critical early deliverable.
I am looking forward to seeing how this plays out and to playing a role, again, in the development of the route to secure identity within UK government and perhaps more widely.