People wishing to apply for services ranging from tax credits to fishing licences and passports will be asked to choose from a list of familiar online log-ins, including those they already use on social media sites, banks, and large retailers such as supermarkets, to prove their identity.
Once they have logged in correctly by computer or mobile phone, the site will send a message to the government agency authenticating that user’s identity.
The Cabinet Office is understood to have held discussions with the Post Office, high street banks, mobile phone companies and technology giants ranging from Facebook and Microsoft to Google, PayPal and BT.
Ministers are anxious that the identity programme is not denounced as a “Big Brother” national ID card by the back door, which is why data will not be kept centrally by any government department. Indeed, it is hoped the Identity Assurance Programme, which is being led by the Cabinet Office, will mean the end to any prospect of a physical national ID card being introduced in the UK.
The identification systems used by the private companies have been subjected to security testing before being awarded their “Identity Provider” (IDP) kitemark, meaning that they have made the list of between five and 20 approved organisations that will be announced on 22 October.
The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk, which will be accessible by mobile.
A cross-section of social media companies, high street banks, mobile phone businesses and major retailers has been chosen in order to appeal to as wide a demographic as possible.
The system will be trialled when the Department of Work & Pensions starts the early roll out of the Universal Credit scheme, a radical overhaul of the benefits system, in April.
Users who access the Government’s online one-stop-shop of public services will be asked to identify themselves by choosing one organisation from a selection of logos. (This feature is called a “Nascar screen”, in reference to the logo-filled livery of the famous American racing cars.)
Major web sites are able to recognise individuals by their patterns of use, the device they are accessing from and its location. Facebook, for example, asks users who sign on from an unusual location to take a series of security questions including identifying friends in photographs.
Privacy campaigners are not wholly convinced by the programme. “Although this is a fine scheme in principle and is backed by ministers the danger is that it could be side-lined and used as a fig leaf by the data-hungry government departments,” said Guy Herbert, general secretary of No2ID, which has been consulted by the Cabinet Office.
Details of the “identity assurance” scheme are being finalised amid growing concerns over identity theft and other forms of cybercrime. Foreign Secretary William Hague and Cabinet Office minister Francis Maude, who is at the head of the Identity Assurance Programme, will today (Thurs) meet international experts at the Budapest Conference on Cyberspace. Mr Maude will give a keynote speech.
The Cabinet Office believes its new identity model will “prevent ‘login fatigue’ [from] having too many usernames and passwords” and save public money by increasing trust in online services. The system is likely to be adopted by local authorities nationwide. The Government hopes the identity system will form the basis of a universally-recognised online authentication process for commercial transactions on the Internet, boosting the economy and strengthening Britain’s position as a leader in e-commerce.
In recent weeks, the Cabinet Office’s Government Digital Service has backed a UK working group of the Open Identity Exchange, which was set up in America to bring organisations including Google, AOL, PayPal and Experian together to find a simple method of online verification that doesn’t require multiple passwords.
Members of the Cabinet Office team travelled to the White House in May to exchange ideas with American counterparts working on the National Strategy for Trusted Identities in Cyberspace (NSTIC). The heads of the British and American identity assurance programmes will debate the subject next week in London at the RSA cyber security conference.
The first law passed by the Coalition Government was to scrap the national ID scheme, a move said to have saved taxpayers £1 billion over ten years. But ministers want to use the Internet to cut the cost of public services.
In order to limit concerns over Government snooping, the Cabinet Office has been working closely with a range of privacy campaign groups and consumer organisations including No2ID, Big Brother Watch and Which? The programme’s Privacy and Consumer Group drew up a list of nine Privacy Principles which underpin the framework of the scheme.
As part of the attempt to reassure privacy campaigners, a private identity partner (IDP) which authorises a user of a public service will not know which Government department is seeking authentication.
The Post Office’s involvement in the Identity Assurance Programmes was revealed by a notice placed in the Official Journal of the European Union. The Royal Mail subsidiary sought a third party provider to help in assembling consumer data including name, date of birth, address, gender, passport and driving licence numbers, financial history, electoral roll status and telephone numbers.
Some commercial organisations have been concerned that their consumers will react negatively to their involvement with government. But commercial partners will benefit from marketing opportunities and the trust that comes with IDP status.
Without the identity assurance scheme there are fears that high levels of online fraud will cause the public to lose confidence in digital channels, undermining the amount of business done online.
Civil servants acknowledge that some people will still wish to access public services in person. They argue that the online scheme will release additional resources to assist people who lack confidence in making digital transactions.
Q&A: What the scheme involves
Q. Is this just an ID card scheme by the back door?
A. No, it's a way of combating the menace of identity theft.
Q. Will the Government be able to use it to follow our movements online?
A. Authentication is done by trusted third parties and data will not be held centrally by the Government.
Q. But won't the private companies find out personal information that is none of their business?
A. The identity providers (IdPs) don't know for which government agency they are authenticating.
Q. Is a social media log-in sufficiently secure for a major financial transaction?
A. Individual IdPs will need to convince the Cabinet Office that their security checks are enough to meet the Level of Assurance (LOA) needed for the public service being requested. For example, a passport application is a high-security LOA3.
Q. Will it be possible to apply for a passport on your phone?
A. It is anticipated that part of the process will be offered online but some physical ID will still need to be presented in person to achieve LOA3.
Q. Is this just about public services?
A. No, the Government is helping to bring together online companies and create an icon that would enable online payments to be done securely.
Q. What would be the advantages?
A. It would also reduce the need to memorise multiple passwords.
Q. Will it work?
A. That depends partly on the efficiency of the chosen IdPs.
Comments