Tomorrow, January 25th, the Government Gateway will be 13. I’m still, to be honest, slightly surprised (though pleased) that the Gateway continues to be around – after all, in Internet time, things come and go in far shorter periods than that. In the time that we have had the Gateway, we rebuilt UKonline.gov.uk with three different suppliers, launched direct.gov.uk and replatformed it some years later, then closed that down and replaced it with gov.uk which has absorbed the vast bulk of central government’s websites and has probably had 1,000 or more iterations since launch. And yet the Gateway endures.
In 13 years, the Gateway has, astonishingly, had precisely two user interface designs. In the first, I personally picked the images that we used on each screen (as well as the colour schemes, the text layout and goodness knows what else) and one of the team made ‘phone calls to the rights holders (most of whom, if I recall correctly, were ordinary people who had taken nice pictures) to obtain permission for us to use their images. If you look at the picture above, you will see three departments that no longer exist (IR and C&E formed HMRC, MAFF became Defra) and five brands (including UKonline) that also don’t exist.
Of course we carried out formal user testing for everything we did (with a specialist company, in a purpose built room with one-way glass, observers, cameras and all that kind of thing), often through multiple iterations. The second UI change was carried out on my watch too. I left that role – not that of Chief UI Designer – some 9 years ago.
My own, probably biased (but based on regular usage of it as a small business owner), sense is that the Gateway largely stopped evolving in about 2006. Up until that point it had gone through rapid, iterative change – the first build was completed in just 90 days, with full scrutiny from a Programme Board consisting of three Permanent Secretaries, two CIOs and several other senior figures in government. Ian McCartney, the Minister of the Cabinet Office (the Francis Maude of his day) told me as he signed off the funding for it that failure would be a “resignation issue.” I confirmed that he could have my head if we didn’t pull it off. He replied “Not yours, mine!” in that slightly impenetrable Scottish accent of his. We had a team, led by architects and experts from Microsoft, of over 40 SMEs (radical, I know). Many of us worked ridiculous hours to pull off the first release – which we had picked for Burns Night, the 25th of January 2001.
On the night of the 24th, many of us pulled another all nighter to get it done and I came back to London from the data centre, having switched the Gateway on at around 5am – the core set of configuration data was hand carried from the pre-production machine to the production machine on a 3 1/2” floppy disc. I don’t think we could do that now, even if we could find such a disc (and a drive that supported it).
The Programme Board met to review what we had done and, to my surprise, the security accreditation lead (what would be called a Pan-Government Accreditor now) said that he wanted to carry out some final tests before he okayed it being switched on. I lifted my head from the table where I may have momentarily closed my eyes and said “Ummm, I turned it on at 5.” Security, as it so often did (then and now), won – we took the Gateway off the ‘net, carried out the further tests and turned it back on a few hours later.
Over the following months we added online services from existing departments, added new departments (and even some Local Authorities), added capability (payments, secure messaging) and kept going. We published what we were doing every month in an effort to be as transparent as possible. We worked with other suppliers to support their efforts to integrate to the Gateway, developing (with Sun and Software AG, at their own risk and expense) a competitive product that handled the messaging integration (and worked with another supplier on an open source solution which we didn’t pull off).
We published our monthly reports online – though I think that they now lost folllowing perhaps multiple migrations of the Cabinet Office website. Here is a page from February 2004 (the full deck is linked to here) that shows what we had got done and what our plans were:
What is happening then?
Two years ago, in November 2011, I wrote a post about the Cabinet Office’s new approach to Identity. Perhaps the key paragraph in that post was “With the Cabinet Office getting behind the [Identity Programme] – and, by the sounds of it, resourcing it for the first time in its current incarnation – there is great potential, provided things move fast. One of the first deliverables, then, should be the timetable for the completion of the standards, the required design and, very importantly, the proposed commercial model.”
There was talk then of HMRC putting up their business case for using the new services in April 2012. The then development lead of Universal Credit waxed on about how he would definitely be using Identity Services when UC went live in April 2013. Oh, the good old days.
DWP went to market for their Identity Framework in March 2012 as I noted in a post nearly a year ago. Framework contracts were awarded in November 2012.
Nearly five Gateway development cycles later, we are yet to see the outcome of those – and there has been little in the way of update, as I said a year ago.
Things may, though, be about to change
GDS, in a blog post earlier this month, say “In the first few months of 2014 we’ll be starting the IDA service in private beta with our identity providers, to allow users to access new HMRC and DVLA services.”
Nine gateway development cycles later, we might be about to see what the new service(s) will look like. I am very intrigued.
Some thoughts for GDS as they hopefully enter their first year with live services:
Third Party Providers
With the first iteration of the Gateway, we provided the capability for a 3rd party to authenticate someone and then issue them a digital certificate. That certificate could be presented to the Gateway and then linked with your identity within government. Certificates, at the time, were priced at £50 (by the 3rd party, not by government) because of the level of manual checking of documents that was required (they were initially available for companies only). As long ago as 2002, I laid out my thoughts on digital certificates.
There were many technical challenges with certificates, as well as commercial ones around cost. But one of the bigger challenges was that we still had to do the authentication work to tie the owner of the digital certificate to their government identity – it was a two step process.
With the new approach from the Cabinet Office – a significantly extended version of the early work with multiple players (up to 8 though not initially, and there is doubtless room for more later) but the same hub concept (the Gateway is just as much a hub as an authentication engine) – the same two step process will be needed. I will prove who I am to Experian, the Post Office, Paypal or whoever, and then government will take that information and match that identity to one inside government – and they might have to do that several times for each of my interactions with, say, HMRC, DWP, DVLA and others. There is still, as far as I know, no ring of trust where because HMRC trusts that identity, DWP will too. Dirty data across government with confusion over National Insurance numbers, latest addresses, initials and so on all make that hard, all this time later.
As Dawn Primarolo, then a minister overseeing the Inland Revenue, said to me, very astutely I thought, when I first presented the Gateway to her in 2001 – “But people will realise that we don’t actually know very much about them. We don’t have their current address and we may have their National Insurance number stored incorrectly“. She was right of course.
Managing Live Service
The new approach does, though, increase the interactions and the necessary orchestration – the providers, the hub and the departments all need to come together. That should work fine for initial volumes but as the stress on the system increases, it will get interesting. Many are the sleepless nights our team had as we worked with the then Inland Revenue ahead of the peak period in January.
End to end service management with multiple providers and consumers, inside and outside of government is very challenging. Departments disaggregating their services as contracts expire are about to find that out, GDS will also find out. There are many lessons to learn and, sadly, most of them are learned in the frantic action that follows a problem.
The Transaction Engine – The Forgotten Gateway
The Gateway doesn’t, though, just do the authentication of transactions. That is, you certainly use it when you sign in to fill in your tax return or your VAT return, but you also use it (probably unwittingly) when that return is sent to government. All the more so if you are a company who uses 3rd party software to file your returns – as pretty much every company probably does now. That bit of the Gateway is called the “Transaction Engine” and it handles millions of data submissions a year, probably tens of millions.
To replace the Gateway, the existing Authentication Engine (which we called R&E) within it must be decoupled from the Transaction Engine so that there can be authentication of submitted data via the new Identity Providers too, and then the Transaction Engine needs to be replaced. That, too, is a complicated process – dozens of 3rd party applications know how to talk to the Gateway and will need to know how to talk to whatever replaces it (which, of course, may look nothing like the Transaction Engine and might, indeed, be individual services for each department or who knows what – though I have some thoughts on that).
Delegation of Rights
Beyond that, the very tricky problem of delegation needs to be tackled. The Gateway supports it in a relatively rudimentary way – a small business can nominate its accountant to handle PAYE and VAT, for instance. A larger business can establish a hierarchy where Joe does PAYE and Helen does VAT and Joe and Helen can do Corporation Tax. But to handle something like Lasting Power of Attorney, there need to be more complex links between, say, me, my Mother and two lawyers. Without this delegation capability – which is needed for so many transactions – the Digital by Default agenda could easily stall, handling only the simplest capabilities.
Fraud Detection and Prevention
Tied in with the two step authentication process I mention above is the need to deal with the inevitable fraud risk. Whilst Tax Credits was, as I said, briefly the most popular online service, it was withdrawn when substantial fraud was detected (actually, the Tax Credits service went online without any requirement for authentication – something that we fervently disagreed with but that was only supposed to be a temporary step. Perhaps in another post I will take on the topic of Joint and Several Liability, though I am hugely reluctant to go back there).
In the USA, there is massive and persistent Tax Return fraud – Business Week recently put the figure at $4 billion in 2011 and forecast that it would rise to $21 billion by 2017. That looks to be the result of simple identity fraud, just as Tax Credits experienced. Most tax returns in the USA are filed online, many using packages such as TurboTax. Tax rebates are far more prevalent in the USA than they are in the UK, but once the identification process includes benefits, change of address and so on, it will become a natural target. Paul Clarke raised this issue, and some others, in an excellent recent post.
The two step process will need to guard against any repeat of the US experience in the UK – and posting liabilities to the authentication providers would doubtless quickly lead to them disengaging from the business (and may not even be possible given the government carries out the second step which ties the person presented to a government identity record, or to a set of them).
We included a postal loop from day one with the Gateway, aimed at providing some additional security (which could, of course, be compromised if someone intercepted the post); removing that (as a recent GDS blog post claims it will), as I imagine will be done in the new process (Digital by Default after all) requires some additional thinking.
Given that “User Led” is the GDS mantra, I have little fear that users won’t be at the heart of what they do next, but it is a tricky problem this time. For the first time, users will be confronted with non-government providers of identity (our Gateway integration with 3rd parties still resulted in a second step directly with government). How will they know who to choose? What happens if they don’t like who they chose and want to move to someone else? How will they know that the service that they are using is legitimate – there will be many opportunities for phishing attacks and spoof websites? How will they know that the service they are using is secure – it is one thing to give government your data, another, perhaps, to give that data to a credit agency? Will these services be able to accumulate data about your interactions with Government? How will third party services be audited to ensure that they are keeping data secure?
Moving On From Gateway
There are more than 10 million accounts, I believe, on the Gateway today. Transitioning to new providers will require a careful, user benefit led, approach so that everyone understands why the new service is better (for everyone) than the old one. After all, for 13 years, people have been happily filing their tax returns and companies have been sending in PAYE and VAT without being aware of any problems. It would help, I’m sure, if the existing customers didn’t even realise things had changed – until they came to add new services that are only available with the coming solutions and were required to provide more information before they could access them; I think most would see that as a fair exchange.
Here’s To The Future then
Our dream, way back on Burns Night in 2001, was that we would be able to break up the Gateway into pieces and created a federated identity architecture where there would be lots of players, all bringing different business models and capabilities. We wanted to be free of some of the restrictions that we had to work with – complex usernames and even more complicated passwords, to work with an online model, to bring in third party identification services, to join up services so that a single interaction with a user would result in multiple interactions with government departments and, as our team strap line said back then, we wanted to “deliver the technology to transform government”.
Thirteen years on there have been some hits and some misses with that dream – inevitably we set our sights as high as we could and fell short. I fully expect the Gateway to be around for another four or five years as it will take time for anyone to trust the new capabilities, for 3rd parties to migrate their software and for key areas like delegation to be developed. It’s a shame that we have gone through a period of some 8 years when little has been done to improve how citizens identify themselves to government; there was so much that could have been done.
I’m looking forward to seeing what new capabilities are unveiled sometime in the next few months – perhaps I will be invited to be a user in the “private beta” so that I can see it a bit quicker. Perhaps, though, I shouldn’t hold my breath.