Proving who you are online is still a mess. And it's not getting better

The UK government wants citizens to have digital identities. Whether the public will be on board is another question.

istock-1176067266.jpg

Rather than digging through piles of archived paper-based documents, a digital identity would let people instantly prove certified information about themselves.  

Image: Getty Images/iStockphoto

Think about all the scanning-and-printing time you lost the last time that you were asked to prove your address, right to reside or latest exam result. Or worst – the frustration of having forgotten your driver's license when buying a bottle of wine. 

Even as technology achieves new wonders every day, there is a task that remains stubbornly time-consuming and all-too-often frustrating: proving our own identities.  

For the past two decades, the UK government has looked at ways to enable people to easily and reliably identify themselves, with little success. Unlike in other countries, a national ID card to carry around in your pocket now seems to be firmly off the table; but instead, the concept of creating a "digital identity" is gathering pace. 

Rather than digging through piles of archived paper-based documents, a digital identity would let people instantly prove certified information about themselves, flashing their credentials, for instance, through an app on their phone. 

SEE: Building the bionic brain (free PDF) (TechRepublic)

Although the concept is not new, the idea is gaining renewed attention. The Department for Digital, Culture, Media and Sports (DCMS), in fact, recently unveiled plans to create what it called a digital identity "trust framework". The idea? To lay down the ground rules surrounding the development of new technologies that will allow people to prove something about themselves digitally.  

This could take the form of a digital "wallet", which individuals could keep on their devices and fill with any piece of information, or attributes about themselves that they deem useful. The wallet could includes basic information like name, address or age, but also data from other sources, at the user's own convenience. 

When entering a bar, for example, users could easily pull proof of their age from their wallet; when travelling to a foreign country, they could prove their vaccination credentials; when signing for a new job, their employment history and professional qualifications could be sitting at the tip of their fingers – with their permission, and if they desire so, of course. 

A digital wallet is only an example of the possible shapes that digital identities could take; in fact, behind DCMS's new framework lies a call for businesses to invest and developers to innovate, to build a thriving new ecosystem of trusted identity service providers. 

DIGITAL IDENTITIES: A SUCCESS STORY IN THE WAITING 

It may sound like the government is kick-starting a brand-new idea from scratch, but in reality, the new trust frameworks reflect years of previous failures from government to implement digital identities.  

UK citizens already have a way to prove who they are online if they wish to access some government services, such as filing their tax or checking their benefits. Called Verify, the scheme requires users to pick from a list of approved identity providers. Those providers, once they have verified the users' credentials, can confirm the individual's identity every time they want to access certain services on the government's portal.  

The government launched Verify in 2016, off the back of a previous digital identity scheme that started in 2011. But only three years into the program, the scheme was already coming under heavy criticism. Despite the £154 million ($212 million) that was spent on the technology, only 19 government services had adopted Verify by 2019 – less than half the number expected. 

A fraction of the number of anticipated users had signed up by that time: only one-sixth (3.9 million) of the forecast 25 million users were using the system. In addition to low uptake, the technology's performance was brought into question: a report from the Public Accounts Committee (PAC) published in 2019 found that only about half of people who attempted to sign up to Verify succeeded in doing so in a single attempt. 

Public funding for the program was planned to come to an end in 2020; but the COVID-19 pandemic generated unprecedented demand for online services, and Verify operations were eventually extended for a further 18 months.  

The government's shiny new trust framework, and its invitation for private companies to get involved with digital identities, might indicate willingness to learn from the lessons of failed attempts such as Verify. Critics, however, are yet to be convinced. 

"The government's track-record here is shambolic," Chi Onwurah, shadow minister for digital, science and technology, and Labour MP for Newcastle Central, tells ZDNet. "There are two reasons for that: too much ideology and too little investment."  

"The framework is a combination of cliches without any substance. It says they want a trusted digital identity system and hints at how it could work, but it is not driving how it could actually happen," continues Onwurah. "This shouldn't be a matter of political ideology; it should be real points about the technical architecture of the project." 

DCMS has established that the document is a first-stage prototype, to be used as a test by industry. The framework clarifies that it does not intend to provide "ready-made" solutions for actual products; rather, it is about designing the principles, policies, procedures and standards that should govern digital identities. The end-goal is to make sure that the organizations issuing and verifying users' attributes are known and accredited; and that the platforms that will be built, most likely by private companies, to store and share identity information, can be trusted. 

SEE: Digital transformation: The new rules for getting projects done

"I do strongly believe that identity depends on trust, so setting out a trust framework should be a useful first step," concedes Onwurah. "And don't get me wrong, this is a complex area. But the government has had ten years to make more progress than they have." 

Onwurah has been a long-time advocate for digital identities, based on the belief that citizens have the right to prove who they are online. This is not only to remove friction when travelling, filing taxes or buying age-restricted goods: in some cases, digital identities are also key to accessing vital services.  

For example, Universal Credit (UC), a benefit available to those who are on low incomes, unemployed or unable to work because of sickness or disability, requires an online application; a follow-up phone interview needs to be set up if applicants are unable to prove their identities digitally.   

In the four weeks that followed the start of the COVID-19 crisis, 1.2 million people started a UC claim – about a million more than the usual volume of monthly claim starts. The operational pressure on the Department for Work and Pensions (DWP) was huge, and the service soon came under criticism from new claimants regarding the length of time they had to wait to verify their identity by telephone. 

In other words, the crisis highlighted the need to access citizen data in real time to efficiently deliver critical services. "UC is an absolute bottom-line safeguard for people who are sometimes starving," says Onwurah. "Those who don't have a way of proving their identity online can have even longer waits than the five weeks that are currently required to access rights. Making a digital identity that is accessible to all would ease challenges like that." 

DIGITAL IDENTITY IN THE AGE OF ANONYMITY 

Recent events have also seen Onwurah push for digital identities as a tool to fight against an emerging threat that is gathering pace: online abuse spurred by online anonymity.  

Earlier this year, Stroud MP Siobhan Baillie described how having a baby triggered a wave of abuse on social media, including insults and rape threats. Margaret Hodge, the MP for Barking, recently revealed that she received tens of thousands of abusive tweets a month, and highlighted a total 90,000 mentions of her name or Twitter handle in only two months. 

In another high-profile example, Manchester United footballer Marcus Rashford described how he was subjected to "humanity and social media at its worst" after he received racist abuse on social media following a 0-0 draw with Arsenal. 

Onwurah has called for a debate about how a spectrum of identity and anonymity should be implemented online, suggesting that, in the same way that banks have "know your customer" verification imperatives, social media platforms should be required to know their users' identities. 

"There should be appropriate safeguards to protect people from online harms associated with online anonymity," says Onwurah. "We are working with the Labour party on whether you could require a platform like Facebook to hold people's identities without sharing it with others." 

While deterring malicious agents from sending insults and threats, a social media digital identity could also be made available to law enforcement authorities in the event of suspected wrongdoing.  

With all the privacy implications that it carries, the idea is still very much in the making, but the concept is gathering support. Think tank Demos, for instance, has proposed the creation of a British Identity Corporation (BIDC), which would independently verify identities online, to provide more control over users' internet activities and help law enforcement tackle online harms more effectively.  

It's easy to see why the proposal might ring alarm bells with some privacy activists. The ability to be anonymous online is important – indeed vital – for all sorts of people, and removing it could make it much harder for them to express their experiences or beliefs. And for Heather Burns, policy manager at the Open Rights Group (ORG), in fact, the idea of re-purposing digital identities to access social media accounts is an example of one of the biggest risks that comes with the technology. 

SEE: Hiring Kit: Computer Hardware Engineer (TechRepublic Premium)

"We are dangerously close to imposing digital identity checks as a license to be able to access the internet," she tells ZDNet. "You can easily see how a digital identity system that is in place for a straightforward purpose could be re-purposed, with people thinking: 'As long as we have those systems in place, let's make people start identifying themselves before they can post a Tweet'." 

Digital identities, argue activists, open the door to implementing a creeping "Show me your papers" culture that can be applied to a never-ending list of services. This is not only the case in the UK: in Switzerland, fears about the technology's potential impact on privacy led voters to shoot down plans by the government to implement a digital identity scheme similar to the one put forward by DCMS. 

Those concerns are equally as strong in the UK. "There is nothing that this government won't mission creep," says Burns – an observation that is not completely unfounded. 

In 2019, for example, leaked documents seen by BuzzFeed News suggested that the government planned to match Verify data with Gov.uk cookies to derive who was reading which web pages, in an effort to better understand people's online interactions with public services in the run-up to Brexit. 

More recently, it was reported that the COVID-19 contact-tracing app developed by the NHS in response to the pandemic might be re-purposed as a "Covid passport" to allow people to prove that they have been vaccinated or have tested negative. "This is a digital identity nightmare in a nutshell," says Burns. "We need to clarify exactly how all the data being generated for digital identities will be aggregated and re-purposed." 

Whether the benefits of digital identities outweigh the privacy issues, therefore, still comes with a question mark. The potential escalation of digital identity tools to exert more control over citizens will likely remain a privacy sticking point; and activists are already painting the picture of a Big Brother-style system in which citizens come with barcodes. That's an image that will be hard to overcome, even with the most thought-through trust framework.