Government plans for privatised ID scheme emerge

Leaked documents have revealed details of the government's planned trusted identity scheme, which would let citizens verify their identity online when using public services.

Plans have emerged for an identity assurance scheme that will allow citizens to access online services securely.

According to the Cabinet Office documents, apparently sent to potential suppliers in April, the Identity Assurance (IDA) service would be mandatory across all online government services. The system would offer citizens a range of accredited private identity assurance service providers, and would not involve any new government databases resembling the abandoned National Identity Register.

Government legislation and regulation would ensure an "open, standards-based marketplace is created in which all types and sizes of service provider are able to collaborate and compete to provide a variety of different service offerings to customers as per their differing needs", one of the documents reads.

Those who do not wish to use public services over the internet will still be able to get "face-to-face assisted delivery" or telephone access, also developed by the market, the documents, obtained by Computer Weekly, continued. The scheme was first announced in May, attracting the suspicion of privacy campaigners who said it echoed Labour's failed ID card programme.

Identity verification

According to the documents, the companies providing identity verification services would not be allowed to retain government identifiers, and would only be able to verify correlation with claimed identities while the citizen is online with the identity provider. "The government could potentially charge the private sector for this service," they added.

"The IDA programme is NOT trying to 'reuse credentials' technically; rather it is trying to federate authentications and leave credential management in the hands of the market of [identity providers]," one of the documents read.

The timescale indicated in the documents, which are all marked as "draft" and not representative of government policy, seems quite tight. One-click registration for businesses would appear this year, initially through the Government Gateway portal, the Department of Health would go live in 2012, Business Link and Universal Credit services in 2013 and individual electoral registration in 2014.

"Digital channels... have the opportunity to bring benefits to all parts of society. However, the convenience of remote channels is countered by increased risks from fraud and misuse of personal data," the document read. "Identity is a fundamental principle that underpins the delivery of online transactional services be it online banking services or retail services. The government is moving towards public services that are increasingly delivered online and needs to build an identity trust framework that enables rather than disables 'digital by default'."

The document notes that poorly designed registration and login procedures can deter uptake of digital services, and also place too much responsibility on the customer. The IDA could be used to counteract these problems in the public sector and potentially beyond, the Cabinet Office document said.

Additional benefits

Additional benefits would include digital service providers not having to invest in their own identity assurance schemes, and not having to "issue new customers with security devices and passwords, or reset them for customers that have lost or forgotten them". The hijacking of people's identities would also become more difficult, the document claimed, adding: "Where an identity is discovered as fraudulent it will be possible to close it down at source and stop it from being used to commit fraud in a different context."

A customer's personal data will not need to be centralised in a large database but will become distributed across specialist data controllers.

– Leaked Cabinet Office document

"When a customer's identity data changes, it will be possible to propagate the change at lower cost and with greater security," a document read. "A trustworthy digital identity will enable a customer to unlock and reuse personal data held by organisations. Organisations with these valuable information assets will focus their resources on improving the quality of the personal data that they control and making it available for customers to use as evidence in digital transactions."

Clearly wary of the kind of protests that met the previous government's National Identity Register scheme, the documents are clear that "a customer's personal data will not need to be centralised in a large database but will become distributed across specialist data controllers... this will form a protection against cyberattacks that probe for single points of weakness".

A separate note reads: "No master index of identifiers may be built... No single unique customer identifier shall exist... There shall be no database of identities in the public sector. No database of databases."