It’s been a long time, perhaps too long, since I’ve turned my attention to Government and identity management. Like the somewhat mythical first love, I’ve got nostalgic memories of my first blog Yes2Privacy, the Identity and Privacy Blog. Even today, over five years later, it is rare for a person working for a government department in NZ to blog about their work. In retrospect, it’s amazing that I only once got into (relatively minor) trouble over my posts.
Reading that PayPal has become the eighth accredited provider for the UK Government’s Identity Assurance service prompted me to investigate what’s going on and whether there are any insights from a New Zealand perspective.
Under the Identity Assurance Programme, the UK Government is putting into place “schemes” that federate identity online across the whole ‘identity ecosystem’. It will allow British citizens to verify their identity via private sector partners in order to access online government services. The value of the 18-month framework contracts is £25 million, so that’s a decent chunk of money up for grabs.
Perhaps learning from the disaster that was their ID cards scheme, this new identity effort is definitely progressive and based on solid Identity and Privacy Principles. The UK has also clearly learnt from many other good government identity initiatives around the world, including New Zealand’s.
Good or bad?
Clearly it is more convenient for people to re-use their identity information and credentials with both private and government services. Presumably it is cheaper for government and the business case stacks up.
Trying to figure out the downsides turned out to be more difficult than I anticipated. In coverage of the UK approach, terminology and conceptual understanding are very confusing and inconsistent. There is almost no appreciation of what is a cornerstone of the New Zealand approach: ‘authentication’ consists of verifying identity once and then confirming, each time a person wants to access a service, that it is the same person.
The best source of information seems to be a series of Good Practice guidelines on the Cabinet Office website. Great to see the UK adopt a ‘digital by default’ approach.
Turning to identities sourced from PayPal, assuming there is no face-to-face verification, the Level of Assurance will be limited to ‘Level 2’. This means that government departments would not be able to provide higher risk services to people based on their PayPal identity. This is a sensible, risk-aware, fit-for-purpose approach, but it does highlight the limitation of PayPal as a source of a person’s verified identity.
There are additional limitations based on a detailed consideration of the Identity Assurance scheme. These range from privacy risks (due to the presence of a unique identifier across multiple identity contexts) to security (escalated identity attacks based on the password reset mechanisms) to legal (can the US Government demand information about British citizens from PayPal under the USA Patriot Act?). I’m curious about how liability is allocated between government and private providers as that killed a bank-initiated scheme in Australia a couple of years ago.
Overall, I’d say it is a good move.
Insights for New Zealand
There are several fundamental differences in the UK and NZ approaches to government identity management. Hopefully, the few people in New Zealand who actually have an interest and stake in understanding these differences and incorporating insights are across it (here’s looking at you CW!).
Of wider interest are the differences in business models and commercial approach.
In New Zealand, government has invested in the start-up phase of strategy, policy principles, frameworks, public consultation, Privacy Impact Assessments, standards, business cases, legislation, and services under the All-of-government Authentication Programme since the year 2000. The services, now branded igovt Services, consist of the igovt logon service and the igovt identity verification service.
I’ve heard publicly quoted figures putting the total government investment in the region of $150 million. So developing and running a whole-of-country identity management system isn’t cheap. It makes sense for government to commercialise its investment to scale up and extend the service to businesses. Once the enabling legislation was kicked off, the Government announced a partnership with NZ Post. Besides acting as a ‘front office’ for the services, NZ Post is rolling it out under the RealMe brand.
On the other hand, after sinking gazillions into the ID cards scheme, the UK Government in the Identity Assurance Programme seems to be going in the opposite direction, i.e. using private sector systems and investments to provide government departments with the front-end identity management capabilities.
These differences in approach flow from the way the UK and NZ have gone about designing their respective identity management schemes.
Which leaves a final question: can and should NZ sign up with the likes of PayPal too?
Answer: it is not possible for identity verification but, in principle, PayPal credentials (username and password) could be used as an addition or substitute to the igovt logon service. However, it would require so much re-engineering and be so costly as to be impractical. Instead, the best bet for NZ remains to scale up the igovt services under the RealMe brand as rapidly as possible to maximise the return on investment.
Besides that, the government also needs to fill the communications vacuum that exists around these services today and continue to put in minor investments to address the design and usability issues people have with the igovt services.