I am Mike Bracken. I am a particular Mike Bracken, not just any Mike Bracken. I’m the one who used to run the UK’s Government Digital Service, then set up a digital function for the Co-op Group, and is now a partner at a consulting firm called Public Digital. I assert those facts here, and you’ll just have to take my word for it that they’re true. You can either believe that I am who I claim to be, or not.
But it’s no good me asserting something if you cannot be sure who is asserting it. The same rule applies to transactions made online. Whoever the parties involved, both sides need assurance that their counterpart is who they say they are.
The problem might manifest itself slightly differently in different places and circumstances, but the user need is usually the same: how do I prove my identity to a person or an organisation, without having to present myself at their office?
For most commercial transactions, proof of identity doesn’t matter that much. Widgets Inc will be happy to sell me widgets, whoever I claim to be. As long as they get paid, that’s fine.
For governments, identity is a bigger problem. Governments provide services that citizens can’t get from anyone else. Passports, driving licences and benefits all come only from governments. In the past, all of these services could be obtained by presenting yourself, in person, at a government office (or, in the UK, at a Post Office). In the last 20 years that all changed as society changed. More people just want to access those services the same way they do everything else: on their phone.
The systems and processes governments set up to make that possible are known as “digital identity”.
Different governments tackle it in different ways. Across Europe, there is a regulation called “Electronic Identification and Trust Services”, usually shortened to eIDAS. The great thing about standards is that they can be used across local, state and international boundaries. That’s what eIDAS aims to bring about. If one country accepts my proof of identity, so can other countries. This is called “Mutual Recognition”. One state will trust another state’s identity system, as long as it complies with eIDAS.
It won’t surprise any readers when I say that there’s a difference between identities in most European countries and the UK: most European countries have a government-mandated, and culturally-supported identity card. Establishing identity is actually pretty easy because every citizen has a card from birth.
No such card exists in the UK, and there’s no sign of that changing. We are forced to use proxies for identity, such as driving licences and passports, but these are corrupt to a degree. They were never designed to be identity documents, and they’re not that hard to fake.
When I was at the Government Digital Service (part of Cabinet Office), we created a service called GOV.UK Verify. It introduced a trustworthy, eIDAS-compliant digital identity, without creating a central government database of people. The task of verifying identity was outsourced to a set of private companies, each of which had to go through rigorous checks to make sure they in turn could be trusted to keep identity data secure.
This approach reduces the risk of a catastrophic data breach (such as the one that happened in South Korea in 2017). There’s no single central database waiting to be hacked. Digital identity data is distributed across the network. That’s how the internet was always supposed to work.
The good thing about eIDAS is what it enables: services that work for individuals in countries they don’t normally live in. For EU states with workers, employers and citizens constantly moving around, the potential gains are huge.
None of this matters for UK citizens if our government can’t, or won’t, take identity seriously enough to invest in making sure that it works for British citizens. Not just when they’re at home, but when they’re travelling abroad. With the UK’s imminent and tragic departure from the EU, those gains are put further out of our reach.
Last year, control over UK digital identity policy was moved from the Government Digital Service to the Department for Digital, Culture, Media and Sport. Earlier this year, that department reassigned almost all of its digital identity team to work on desperate last-minute No Deal Brexit arrangements. That shows clearly, I think, how seriously our government takes the issue of digital identity.
I assert here, non-verbally, that “I think” that’s true. But it’s up to you to decide whether or not my claim to be me should be backed up by something more trustworthy than that.