Crazy – millions of citizens offered two competing government identity systems

 

From HMRC’s website on Gov.UK … Which should you choose to confirm your identity?
HMRC and other government departments are offering millions of citizens the choice of two “competing” identity systems – the Cabinet Office’s GOV.UK Verify, or HMRC’s Government Gateway.
There’s no guidance offered on which to choose; and no explanation for the absence of joined-up thinking.

By Tony Collins

When Whitehall departments do their own thing, the public rarely notices the duplicated time, effort and cost, at least when it comes to IT.  Now the “silo” approach has spilled out into the public arena.

The Government Digital Service – part of the Cabinet Office – developed GOV.UK Verify to enable people to confirm their identity when they want to use government services online.

At the same time, HMRC continued to work on a separate identity system: Government Gateway.

The cost of the two developments isn’t known.

HMRC prefers its own development work on Government Gateway because it enables companies as well as individuals to identify themselves. Verify is designed for individual use.

But instead of adapting one or the other to serve individuals and companies, or using Government Gateway for companies only, central departments are offering both  – with no guidance on which system citizens should choose; and there’s no explanation for the absence of a joined-up approach to IT.

The BBC’s technology correspondent Rory Cellan-Jones says of the two separate identity systems that GDS and HMRC are engaged in a “bitter turf war”.

Comment

Today I went online to renew a driving licence and was shepherded by DVLA to use the Government Gateway identity system. A few weeks ago I had already successfully registered with GOV.UK Verify.

Government Gateway didn’t work properly, for me at least, although I had all the correct documents.

When I registered to use a different government service a few weeks ago I had no choice but to use GOV.UK Verify to confirm my identity. Verify was thorough, seamless and worked perfectly. Impressive. It left the impression of a system that had been well thought out, with the citizen in mind.

Putting aside the fact that Government Gateway did not work for me, it seemed dated, much less thorough than Verify, and left an impression of transience – that it was a temporary “make-do” system. For instance, the help screens were not tailored to the particular question being asked. Not impressive.

For me, GOV.UK Verify is the identity system of choice. It could surely be adapted to confirm the identities of companies – unless HMRC would rather continue to do its own thing.

It’s ludicrous that central government is spending billions on IT annually without a joined-up approach. Ministers keep promising it. Officials at conferences keep promising it. Whitehall press releases promise it.

A few weeks ago departments were offering only Government Gateway or GOV.UK Verify. Now many of them are offering both.

That’s progress?

Disturbing

A wider point of Whitehall’s dual IT approach to identity verification is that it’s the tip of the iceberg (apologies for the cliché but it’s apt).

With their ICT budgets, collectively, of billions of pounds a year, central departments are, in the main, doing their own thing.

A politician with the clout of Francis Maude may be needed to bang the heads of permanent secretaries together. But even if Maude’s replacement Ben Gummer had that clout – and he doesn’t – permanent secretaries and departmental boards would complain that the Cabinet Office was interfering.

Complaints along these lines would be made, perhaps, in off-the-record briefings to friendly journalists and to the National Audit Office in departmental responses to NAO surveys of senior officials, with the result that the Cabinet Office would end up backing away from trying to enforce a joined up IT approach.

That a genuine joined-up approach to government IT has been talked about for decades and hasn’t happened is largely because, outside of determining the size of budgets, it is the permanent secretaries and their senior officials who hold power in Whitehall, not transient politicians.

And bureaucracies always want to keep their departmental empires as intact as possible.

The current two top Whitehall officials, Cabinet Secretary Sir Jeremy Heywood and John Manzoni, chief executive of the civil service, are consensus-seeking people, not at all confrontational. Probably their lack of a controversial edge is one of the main reasons they were chosen for their jobs.

All of which means there’s no chance of permanent secretary heads being banged together in an effort to cut costs and help bring about joined up government IT.

In 2012, Francis Maude, then Cabinet Office minister,  said, in a speech to the FT Innovate Conference,

“In the last decade our IT costs have gone up – while our services remained patchy. According to some estimates, we spend more on IT per capita than any other government.”

Is government ICT spending much less today? Perhaps HMRC’s Government Gateway officials would let us know.

15 responses to “Crazy – millions of citizens offered two competing government identity systems”

  1. Matthew Harris

    This whole distinction between verifying a person and a business seems strange. HMRC need to authenticate that a person is who they say they are and then determine if they are authorised to perform actions on behalf of another person (if acting as an agent) or business (if as an officer of a company or agent).

    Surely the authentication and authorisation are separate concerns?

    • A good point. Thank you for making it. As Government Gateway seems to be able to handle authentication and authorisation, I am not sure why HMRC does not mandate this system for companies and agents (not individuals).
      One problem for citizens is that they’re faced with a choice of two systems without any guidance on which they should choose and the differences between them.
      The reason we’ve two separate systems, it seems to me, is that the Cabinet Office and HMRC have little influence over each other and both have ended up doing their own thing. Not exactly joined-up government.

      • “As Government Gateway seems to be able to handle authentication and authorisation, I am not sure why HMRC does not mandate this system for companies and agents (not individuals).”

        HMRC do mandate it for companies and agents.

        ———-

        “One problem for citizens is that they’re faced with a choice of two systems without any guidance on which they should choose and the differences between them.”

        That is a problem you are well-placed to solve.

        ———-

        “The reason we’ve two separate systems, it seems to me, is that the Cabinet Office and HMRC have little influence over each other and both have ended up doing their own thing. Not exactly joined-up government.”

        Cabinet Office caused the Gateway to be developed. It was launched in January 2001 [1] and it’s still doing its job 16 years later. For reasons that were never explained, Mike Bracken, sometime executive director of the Government Digital Service, decided within a few weeks of joining Cabinet Office in 2011 to replace the Gateway [2]. He’s gone, the Gateway’s still there and GOV.UK Verify (RIP) isn’t [3].

        ———-

        1. http://www.dematerialisedid.com/evidence/gateway_faqs_v2.doc (1.8MB download, please see para.1.1.1)

        2. https://gds.blog.gov.uk/2011/11/04/establishing-trust/ (please see both blog post and comments below it)

        3. https://twitter.com/alan_mather/status/831874559108317188

      • Thank you for the correction.

    • “… authorised to perform actions on behalf of another person (if acting as an agent) or business (if as an officer of a company or agent) …”

      1. Agents do not act exclusively on behalf of individuals/natural persons, they can act on behalf of companies/legal persons, see for example Form 64-8 [1] …

      2. … where you will see that the agent may be a legal person, not a natural one.

      3. Please see ‘Identity assurance for organisations and agents’ [2] for an explanation by GDS, its creators, why GOV.UK Verify (RIP) has a problem authorising people to act for companies. You may not find the explanation convincing but it’s the only one GDS have offered.

      ———-

      1. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/592157/64-8.pdf

      2. https://identityassurance.blog.gov.uk/2014/10/20/identity-assurance-for-organisations-and-agents/

      • Matthew Harris

        That GDS article is exactly what I meant…

        Verify’s purpose is to authenticate individuals and for transactions they perform for themselves that in effect authorises them as well.

        For transactions where there are many-to-many people involved (such as an Agent working on behalf of a Ltd Co for VAT filing) Verify could still be used to authenticate the individuals working for the Agent (they are still people after all) and then HMRC should build an authorisation component to determine if that authenticated individual is allowed to file on behalf of the Ltd Co.

        Verify’s problems notwithstanding, the idea of building two authentication systems just because one doesn’t do authorisation it wasn’t designed to do seems a waste of money and more importantly a terrible user experience [I already have two personal government gateway accounts, one personal Verify account, three HMRC Online Ids (personal SA, personal everything else and a business one)]

      • A reply to Matthew Harris, June 7, 2017 at 09:01

        Dear Matthew

        Thank you for your response.

        You say that GOV.UK Verify (RIP) could be used for company returns as long as “HMRC … build an authorisation component”. HMRC have already built an authorisation component – the Government Gateway.

        GDS say: “we’ve concluded that at this stage there isn’t a case, or a sufficiently developed or proven set of generic needs, for a government-wide business identity service built by GDS and directly linked to GOV.UK Verify” [1]. As I said, you may not find their argument convincing but that’s their conclusion.

        You suggest that GOV.UK Verify (RIP) was never designed to handle legal persons, “the idea of building two authentication systems just because one doesn’t do authorisation it wasn’t designed to do …”.

        I think it was, please see GDS’s Good Practice Guide 46 [2], 18 October 2013: “Our approach, as with citizen identity assurance, is to create the standards which will enable suppliers to devise services”. It looks as though that requirement was quietly dropped from the specification.

        ———-
        1. https://identityassurance.blog.gov.uk/2014/10/20/identity-assurance-for-organisations-and-agents/
        2. https://identityassurance.blog.gov.uk/2013/10/18/good-practice-guide-46/

  2. May I bring to your attention a spreadsheet [1] of some of the attributes of GOV.UK Verify (RIP).

    Seven “identity providers” left, five have pulled out. Why?

    All “identity providers” are said by GDS to be certified but three of them aren’t [2]. They are a front for other organisations doing the work in the background.

    Users are promised control over their personal information. It is impossible to deliver on that promise [3].

    A lot of personal information is collected and it is stored all over the world with a large number of organisations. That doesn’t happen with the Government Gateway.

    —–

    1. http://www.dematerialisedid.com/GOV.UK%20Verify%20(RIP)%20v5.html
    2. http://www.dmossesq.com/2017/01/rip-ida-oix-to-rescue.html#note5
    3. http://www.dmossesq.com/2016/09/rip-ida-privacyidentity-assurance.html#pcag

    • A good point and I am grateful for the links. When I used Verify, I opted for Experian to help verify my identity, in part because it knows a great deal about us anyway. I doubt that I provided any information it didn’t already know. I would be less enthusiastic about involving, say, the Post Office, or some of the other third parties you mention in your useful posts. Tony Collins

  3. Thank you, Tony.
    It seems that ‘rivalry’ or ‘divide and rule’ is encouraged within all of our institutions. That is indicative of the motivations of those at the top who benefit from such cultures.
    I would also add that, giving the public a ‘choice’ in the circumstances you describe i.e. the public are not given the reasons or data underpinning the choice, is not a freedom but a transfer of responsibility – from those who are paid to take responsibility, to the victims who merely pay for it.
    As usual, thanks.

  4. Allan Watton

    Fab article. Well done Tony. If you are OK with this, we’ll do an opinion piece on this for our blog next week and reference your article?

    I hope all else is well. Best regards. Allan

  5. maryhawking

    Should everyone be advised to register their ID in all available systems?
    Just in case someone else steals your ID.
    If someone else did, what are the prospects of ever getting it back?
