Is £154m Verify identity system really the IT failure it seems to be?

By Tony Collins

Will £154m spent on Verify be wasted because Sir Humphrey doesn’t like its creator, the Government Digital Service?

Verify is a system millions of people use to confirm they are who they say they are. It is used mainly for claiming Universal Credit but was intended as a cross-government identify system.

This week Verify was the subject of a National Audit Office report. BBC News and other news media had similar headlines:

“Verify: Inquiry criticises government ID scheme.”

The National Audit Office said,

  • Verify was supposed to have 25m users by 2020 and now the estimate is 5.4m.
  • Verify was supposed to be used for Universal Credit but only 1/3 of claimants are able verify their identity online. This means the DWP may need to spend £40m on manually verifying claimants identities.
  • The government will stop funding Verify next year and the scheme will move to the private sector (Barclays, Digidentity, Experian, Post Office and secureidentity/Morpho), which will leave departments that currently don’t pay the full costs having to pay market rates.

The National Audit Office concluded that Verify is “an example of many of the failings in major programmes that we often see, including optimism bias and failure to set clear objectives”. It added,

“It is difficult to conclude that successive decisions to continue with Verify have been sufficiently justified.”

Verify seems to be a £154m disaster. But is it?

Gary Barnett, a chief analyst at GlobalData, said,

“Verify’s woes aren’t so much down to a lack of technical nous as a lack of political ambition. As long as big government departments feel able to plough their own furrow there will never be a single standard for identity across UK government.”

Comment:

It’s hard to build a government ID system that is easy to use and provably secure.

A 100% secure system is one nobody uses; and the easiest system to use is one with no security. A government ID system has to get the balance right: easy to use and resistant to fraud.  Verify worked well when I used it.

The question not being asked about Verify is whether some senior civil servants in departments are trying to kill off the scheme because it is a cross-government initiative that dilutes their autonomy and, worse, is built  by the much-unloved Government Digital Service,  a user-centric organisation that was set up in 2011 and run on non-hierarchical lines by IT professionals who had not come up through the ranks of the civil service.

Top people at GDS in its formative years were different – not the usual life-long civil servants. They were not innately secretive. They were opposed to single supplier mega IT contracts. They believed in learning from mistakes and moving on. They were keen to stop IT in government being seen as a barrier instead of a tool. They focused on the user’s needs instead of the department’s.

Understandably, the Sir Humphreys never liked GDS.

Indeed the National Audit Office report has the extraordinary revelation that some departments refused to pay GDS’s invoices for the Verify service.

The NAO said,

“Moreover, most departments have not paid the Cabinet Office and GDS even for subsidised services. HMRC has paid £6.7m for its Verify usage, but between 2016-17 and 2018-19 no other department paid for using Verify, despite being issued invoices by the Cabinet Office.

“It is unclear why some departments have not paid these invoices.”

Hardly surprising that GDS leaders in the early years – all of them – soon left the civil service, perhaps because they could not acclimatise to its rigid conventions.

Sir Humphrey has indeed had the last word. GDS is not what it was: its culture has been blended into the civil service. Its numbers have more than trebled to around 850 people and its influence across government is limited, to some extent, to that of a standards-setting body that is known for its creation and continuing support of GOV.UK.

GDS’s job applications are now worded in abstract, platitudinous officialise. GDS is a part of government, almost a department in its own right.

Even the Infrastructure and Projects Authority, which is run along Sir Humphrey’s secretive lines, has seemed to dislike GDS and particularly Verify. It has long wanted to kill off the scheme.

Well done Sir Humphrey. You have won the battle to ensure that a new organisation not run on conventional civil service lines merges into the culture it originally avoided. Even if Verify is not dead, the innovative open-minded ground-breaking influence of GDS certainly is.

[So pervasive is Sir Humphrey’s influence on government IT, that “to Sir Humphrey” has now become a verb.]

Thank you to FOI campaigner David Orr for his emailed alerts on Verify

Civil servants ‘Sir Humphrey’ their way through grilling on UK.gov’s digital transformation

Crazy – millions of citizens offered two competing identity systems

National Audit Office report “Investigation into Verify”

 

Advertisements

4 responses to “Is £154m Verify identity system really the IT failure it seems to be?

  1. Like Universal Credit, a great idea but the devil is in the detail and the dogma: e.g. monthly without defining month or not distinguishing enrolment and re-authentication. There was lots of diligent hard work by many trying to get it to work, but inherent contradictions were not tackled. Departments and local government would have jumped at something if it had given them what they needed (such as some common identifiers), but policy decisions about how it worked made it an impossible task. It didn’t balance privacy issues but make a log-jam out of them. It was bad for many users, including not being able to sign up until needing it by which time it’s too late. The threshold for going live was 90% but it was known to be working at 40% despite the over-optimistic https://www.kyrandale.com/static/clients/gds/app/index.html which has gone. Verify’s matching data set was incompatible with European Minimum Data set, and the suggested consent basis not GDPR-compliant. Notification to join the European fold was made not at the start but 7 months before Brexit, and yet not delivered in the allocated 6 months. No fraud was ever found, which either suggests it was missed or there was nothing worth nicking. Scotland was positively ignored. The commercial model is broken; the motley list of providers or would-be providers who have jumped (Royal Mail, GB, EADS, Paypal (twice), Verizon, Ingeus, Mydex) is now the majority, without counting the 80 others who expressed an interest but didn’t bid. The agile evangelists had a good-news-only-culture decried anyone who pointed out inconsistencies as an out-of -date troll. The bespoke levels of assurance are an embarrassment; self-asserted (LoA1) . The NAO didn’t mention the 5 million quarter hours wasted by the public trying to log in, and rightly pointed out the continuing lack of auditable benefits. It did not mention the lack of the ombudsman nor repair mechanism noted as essential by the Crosby report 10 years ago. Any Sir Humphreying is a side-show related to the others need to move forward secretly with something that did work in the context where they needed to deliver. Please look deeper.

    Like

  2. I understand that Verify relies on credit records to identify people. If you follow Polonius’ advice from “Hamlet” – “Neither a borrower nor a lender be” – you don’t exist. This could have a lot more to do with its failure than any internal Whitehall politics.

    Like

Leave a Reply to Mark King Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.