UK Govt proposal for PayPal identities

It’s been a long time, perhaps too long, since I’ve turned my attention to Government and identity management. Like the somewhat mythical first love, I’ve got nostalgic memories of my first blog Yes2Privacy, the Identity and Privacy Blog. Even today, over five years later, it is rare for a person working for a government department in NZ to blog about their work. In retrospect, it’s amazing that I only once got into (relatively minor) trouble over my posts.

Reading that PayPal has become the eighth accredited provider for the UK Government’s Identity Assurance service prompted me to investigate what’s going on and if there are any insights from a New Zealand perspective.

Under the Identity Assurance Programme, the UK Government is putting into place “schemes” that federate identity online across the whole ‘identity ecosystem’. It will allow British citizens to verify their identity via private sector partners in order to access online government services. The value of the 18-month framework contracts is £25 million so that’s a decent chunk of money up for grabs.

Perhaps learning from the disaster that was their ID cards scheme, this new identity effort is definitely progressive and based on solid Identity and Privacy Principles. The UK has also clearly learnt from many other good government identity initiatives around the world, including New Zealand’s.

Good or bad?

Clearly it is more convenient for people to re-use their identity information and credentials with both private and government services. Presumably it is cheaper for government and the business case stacks up.

Trying to figure out the downsides turned out to be more difficult than I anticipated. In coverage of the UK approach, terminology and conceptual understanding are very confusing and inconsistent. There is almost no appreciation of what is a cornerstone of the New Zealand approach: ‘authentication’ consists of verifying identity once and then confirming it is the same you each time a person wants to access a service.

The best source of information seems to be a series of Good Practice guidelines on the Cabinet Office website. Great to see the UK adopt a ‘digital by default’ approach.

Turning to identities sourced from PayPal, assuming there is no face to face verification, the Level of Assurance will be limited to ‘Level 2’. This means that government departments would not be able to provide higher risk services to people based on their PayPal identity. This is a sensible, risk-aware, fit-for-purpose approach but does highlight the limitation of PayPal as a source of a person’s verified identity.

There are additional limitations based on a detailed consideration of the Identity Assurance scheme. These range from privacy risks (due to the presence of a unique identifier across multiple identity contexts) to security (escalated identity attacks based on the password reset mechanisms) to legal (can the US Government demand information about British citizens from PayPal under the USA Patriot Act?). I’m curious about how liability is allocated between government and private providers as that killed a bank-initiated scheme in Australia a couple of years ago.

Overall, I’d say it is a good move.

Insights for New Zealand

There are several fundamental differences in the UK and NZ approaches to government identity management. Hopefully, the few people in New Zealand who actually have an interest and stake in understanding these differences and incorporating insights are across it (here’s looking at you CW!).

Of wider interest are the differences in business models and commercial approach.

In New Zealand, government has invested in the start-up phase of strategy, policy principles, frameworks, public consultation, Privacy Impact Assessments, standards, business cases, legislation, and services under the All-of-government Authentication Programme since the year 2000. The services, now branded igovt Services, consist of the igovt logon service and the igovt identity verification service.

I’ve heard publicly quoted figures putting the total government investment in the region of $150 million. So developing and running a whole-of-country identity management system isn’t cheap. Makes sense for government to commercialise its investment to scale up and extend the service to businesses. Once the enabling legislation was kicked off, the Government announced a partnership with NZ Post. Besides acting as a ‘front office’ for the services, NZ Post is rolling it out under the RealMe brand.

On the other hand, after sinking gazillions into the ID cards scheme, the UK Government in the Identity Assurance Programme seems to be going in the opposite direction, i.e. using private sector systems and investments to provide government departments with the front-end identity management capabilities.

These differences in approach flow from the way the UK and NZ have gone about designing their respective identity management schemes.

Which leaves a final question, can and should NZ sign up with the likes of PayPal too?

Answer: it is not possible for identity verification but, in principle, PayPal credentials (username and password) could be used as an addition or substitute to the igovt logon service. However, it would require so much re-engineering and be so costly as to be impractical. Instead, the best bet for NZ remains to scale up the igovt services under the RealMe brand as rapidly as possible to maximise the return on investment.

Besides that, the government also needs to fill the communications vacuum that exists around these services today and continue to put in minor investments to address the design and usability issues people have with the igovt services.


One thought on “UK Govt proposal for PayPal identities”

  1. It’s great to have you back blogging Vikram:-)
    So.. ‘rising to the challenge’ as it were.. to put my *personal* views and my view of the background to yours subject to the obvious disclaimer – “The following is solely my opinion and does not represent the thoughts, intentions, plans or strategies of any third party, including my employer” – I can summarise by saying that the notion of external identities such as Paypal was raised, argued for, not really accepted, but not completely forgotten, and remains feasible, if not easy. The background goes back years, and is steeped in the differing views between the mgt with an affinity with internet services that saw the logon service as the ‘killer app’ and mgt with an affinity with authoritative sources of identity information and saw the IVS as the killer app. At the outset of the RealMe build, the prevailing view, not surprisingly given the Agency responsible, was in the latter camp, but with the notion of other higher level (e.g. bank identity credentials) eventually being integrated in some form with the logon service. I personally argued for a ‘refresh’ of the logon service before RealMe, such that integration would become a lightweight API effort so that logon credentials at any level from anywhere (with obvious caveats) could be processed by the logon service – and that the logon service retain/remain in part a separate look and feel. While technically this was hardly rocket science and was the prevailing view in my collaborations overseas, what was less understood down-under was the macro-economic/digital economic ‘network’ effect of driving major volumes through the logon service – such volumes that were never going to be enjoyed by the IVS by its very nature. To its credit the mgt at that time (since departed) did check its position against the prevailing view overseas, found it at odds, (privately to me at least) acknowledged that, but by then it was really too late.
    Fortunately the technical teams have enjoyed reasonable continuity over the years, so the notion was never completely abandoned and the resulting SOA framed, loosely coupled design makes it possible to extend the logon service, albeit not with the click ‘n go slickness I was looking for.
    So to the UK’s IDAP. I know this pretty well (as I do the US FICAM and the Canadian double act – the broker service and govt banded credential service) as I’m joined to their ‘Huddle’ collaboration site (nearly 2 years now). It may come as a surprise to some, but I have never been a formal part of the RealMe programme – rather helping my colleagues that are (‘under the radar’ as it were). I agree with most of your comments, though the ‘hub’ encrypts the identifiers such that it is not visible to other (what we call) privacy domains. Its other challenge is trying to do it all with SAML 2.0. Good as it is, we have the experience that the Brits don’t, on how far you can push SAML before the user experience gets impacted, and at some point you have to park the browser and resort to back end web services to do some toing and froing. They are coming around to that for a number of reasons, not least of which is that their SAML profile built to do the work is, err, extended beyond a point that you could call it ‘SAML 2.0 compliant’. After that dive into technical (can’t resist the temptation to point out that I am only seen as technical by my agency, despite very publicly searchable evidence to the contrary) the liability issue has been addressed in that kind of ‘minimum consequence’ way that lawyers are so good at. And while we are on the subject of contracts, there’s rumours of some speed wobbles there (the Brits are doing a kind of US NSTIC but at break-neck speed) so we may see changes, which I guess might result in a change in the IdP line up. So to finish where we started..the logon service ..and your comment about purported usability issues…have you stood by and watched just how fast these kids are flicking through igovt to their student loan applications? Having been with the programme from 2005, I can tell you it brings tears to my eyes…
