After emigrating to a place where a physical ID card is mandated, and which now has an online counterpart with all the supporting state-managed auth and validation services, it is obvious to someone from the UK and familiar with the mish-mash of ways you have to 'prove x to y' just how many issues it solves, and staggering there is so much resistance to it in the UK.
And as a brexit evacuee, I can prove my rights and entitlements to anyone here in seconds, and I know that this is not a privilege enjoyed by those who have moved in the opposite direction.
State surveillance/overreach etc.? I'm far happier with the state managing this kind of thing than an opaque collection of commerical credit scoring/KYC/AML businesses, many US-owned, which underpin a lot of the 'prove who you are' services. This hacks a lot of their business off at the ankles, and that, frankly, is a good thing.
On X-Road, One Login tracks and displays when you've logged in and what services you've used. For example, I can see the times I've logged in (five minutes ago) and when I requested a DBS check (March 2024). It shouldn't be beyond the wit of Whitehall to broaden it to include when govt departments have accessed/ viewed/ used/ forwarded your data.
> One day I’ll write an ultra-nerdy post about how One Login works behind the scenes, as it is designed in a super clever way, with different levels of confidence for different activities and different types of document
I feel like as long as it's optional, it's brilliant. Much like having my nectar card on my phone instead of a separate card to swipe at the till. Verifiable ID on my phone instead of having to produce my physical passport? Yes please.
Not the core part of your piece - but for general health/disability benefit eligibility (PIP/Universal Credit health), your GP doesn't certify you. That's only relevant for sick leave from work (and sick pay), or for the period before you have the UC health assessment, it can mean the jobcentre doesn't hassle you to look for work etc (but doesn't get you extra money).
Anyway. I am generally quite sympathetic towards the idea of a single ID card/wallet/similar. There could be some read-across to health records as well, and maybe in time to benefit eligbility, although the latter would need financial data-sharing too, and at the household level, so gets trickier.
I do think it would be important to ensure this card was not the *only* way to meet those requirements, and that this didn't stop any efforts to improve other routes to accessing the various proofs/ID that you need. That's partly to ensure people without smartphones aren't left stranded, and partly to reduce the risk of losing your phone!
There's also a centralisation of risk of fraud element (including in a 'mule' sort of way). That seems primarily like a tech problem to solve, but I don't think it's zero.
I genuinely think that UK long term planning would greatly improve if everyone had an ID. Far too many policies are based on guesswork of how many folk are in the country, what residents' needs are etc. Eg. They talked about the 3 million EU citizens trying to stay in UK post Brexit. Turns out that number is nearer 8 million whereas here in Belgium they always knew through ID residence cards exactly how many of us are here & they have provided a pretty good system to help us with our rights & responsibilities under the Withdrawal Agreement to which I am very grateful.
To be fair, the Belgian system isn't perfect either. But anything would be better than the UK's auth-vacuum which has been filled by all kinds of ad-hoc and decentralised processes...?
This whole criticism of the "papers, please" society is ridiculous. Government needs to know who it is dealing with or to at least see an entitlement credential, and doing it through 20th century paper processes or commercial companies is inefficient, time-consuming , expensive and frankly irritating. A major benefit of a secure digital identity and related scoped credentials (I am 18+, I am disabled, I am a citizen, I have a driving licence, etc) is to make existing processes easy, for those who are willing to use a digital method. I certainly am, and there's a real opportunity here for government to create efficiency, and dare I say it pleasantly effective government processes that in some small way improve citizens' impressions of how effective democracy can work to their benefit.
+1 for the Platformland book which is a fantastic vision of how state services can be delivered to benefit citizens, and using existing proven technologies, so not some hazy AI dream of the future.
I'm ok with the government doing this sort of thing, but I'm not ok with data being funnelled off to certain US tech companies or consulting firms. The idea of just a "yup" token without seeing any of the core data sounds like a great idea.
There needs to be some adjustment round the edges of the proposals.
OneLogin: what this does can be achieved commercially today, with tools like 1password (trusted by businesses for password management). Can we just get the government to subsidise accounts on that as a start, or contract 1password to build/run a UK government clone?
Yes getting all government websites to migrate to a common IDP is something that should happen, and with multiple methods of multifactor authentication please, and working towards non government websites offering to authenticate (optionally) via OneLogin (directly or via services like gigya). Make a OneLogin identity as useful as Facebook, Google. Multifactor: allow apps, keyfobs, and biometrics like callback to registered numbers with tone or voice).
Digital identity app. What this also needs to provide is multifactor authentication capability, similar capability as Microsoft authenticator. Maybe the NHS app needs to offer this as an interim.
We also need to resolve how this works when a limited power of attorney is invoked, with full transparency on who is authenticating for whom where a person has lost capacity to identify and authenticate on websites. Also a limited digital authority for service providers like tax accountants to act on behalf of/proxy (with a final request to digitally authenticate remotely in a secure way).
Ideally have a solution that allows a digital way of contemporaneously "witnessing" an authentication (as a replacement for wet signature witnessing as is currently needed for wills--I would not want witnessing to be removed for some important documents)
Finally, I understand that Estonia has best practice which we should review, and we should collaborate with other friendly countries like New Zealand A lot of current gov.uk practice originates from New Zealand.
Alas, 1password is solving the easy part of the problem - looking after a shared secret without checking who is actually entitled to access services or whether they are who they claim to be; the various services don't get any insight into the connections with your identity/entitlement in other departments.
2FA is already a solved problem, there are third-party services which already work well for some government IT...? So there's little benefit in reinventing it, but definitely some advantages to calling an existing 3rd-party service when there's a bigger risk of (some types of) identity fraud.
Good point about power of attorney &c - and at the moment more personal ad-hoc approaches are more common, some dead or dying person's family member is logging in to their account and making important changes, perhaps even taking payments in their name (as any Harry Leslie Smith fan will remember). It causes a lot of DQ problems, really undermines identity.
Just tried to set up my One Login, as requested by the state, so I will be able to access Companies House later when it becomes mandatory. The process stalled at the last hurdle declaring that my identity could not be confirmed. There appears to be no way to restart the registration process or appeal the decision. I must submit Company Accounts etc. on a regular basis, but also I cannot do so because I am now a non-person. Catch 22. Great!
If they are DigitalID only, and *not* a piece of paper one is to obliged to produce on demand to show a policeman, in order to prove ones own identity to police's satisfaction - then fine. See nothing wrong there.
In fact, about the only way we can start separating IRL humans from bots and AI-s on Social Media, is if humans have a DigitalID that social media companies can choose to use. Knowing zero my first thought is: the Registry Office accepts (acceptance == IRL person verification) a deposit of a private key by me. A key I generated as a pair (private,public) keys personaly. From then on, anyone with my public key (that I freely share), and access to the Registry Office API, can verify me.
Having lived for 30yrs in a state with mandatory ID cards first, and now for 25yrs in the UK where there is no national mandatory ID card, I think when all is added and subtracted, the pros- and cons- tallied up - the UK system both works better and obv better from the liberty PoV.
Where no-ID cards: it's police's job and competency to establish my identity (and I can help them; or not). Where must-ID cards: I have to prove my identity to the policeman to their satisfaction. And their threshold for "proof of identity" maybe arbitrarily *high*. The former is trusted by default. The latter is not trusted by default. Trusted by default is better b/c it better corresponds to our reality where most of the public are honest and not crooks nor criminals. It's a bad idea to treat 100% of the public as untrustworthy, even if 1% maybe so. Much better to deal with he consequences of trusting the untrustworthy 1%.
But DigitalID seems very different to that to me. I don't see how we can accurately label "IRL person" or "bot" or "AI" or something else, unless there is ground truth that only the Registry Office can supply.
After emigrating to a place where a physical ID card is mandated, and which now has an online counterpart with all the supporting state-managed auth and validation services, it is obvious to someone from the UK and familiar with the mish-mash of ways you have to 'prove x to y' just how many issues it solves, and staggering there is so much resistance to it in the UK.
And as a brexit evacuee, I can prove my rights and entitlements to anyone here in seconds, and I know that this is not a privilege enjoyed by those who have moved in the opposite direction.
State surveillance/overreach etc.? I'm far happier with the state managing this kind of thing than an opaque collection of commerical credit scoring/KYC/AML businesses, many US-owned, which underpin a lot of the 'prove who you are' services. This hacks a lot of their business off at the ankles, and that, frankly, is a good thing.
I'm not sure if the various papers mention this, but it would also make automatic voter registration easier.
On X-Road, One Login tracks and displays when you've logged in and what services you've used. For example, I can see the times I've logged in (five minutes ago) and when I requested a DBS check (March 2024). It shouldn't be beyond the wit of Whitehall to broaden it to include when govt departments have accessed/ viewed/ used/ forwarded your data.
> One day I’ll write an ultra-nerdy post about how One Login works behind the scenes, as it is designed in a super clever way, with different levels of confidence for different activities and different types of document
Yes please!
Thank you, James, this has helped me start to re-think my views on this, plus the reminder of digital gov.uk developments is useful.
I feel like as long as it's optional, it's brilliant. Much like having my nectar card on my phone instead of a separate card to swipe at the till. Verifiable ID on my phone instead of having to produce my physical passport? Yes please.
Not the core part of your piece - but for general health/disability benefit eligibility (PIP/Universal Credit health), your GP doesn't certify you. That's only relevant for sick leave from work (and sick pay), or for the period before you have the UC health assessment, it can mean the jobcentre doesn't hassle you to look for work etc (but doesn't get you extra money).
Anyway. I am generally quite sympathetic towards the idea of a single ID card/wallet/similar. There could be some read-across to health records as well, and maybe in time to benefit eligbility, although the latter would need financial data-sharing too, and at the household level, so gets trickier.
I do think it would be important to ensure this card was not the *only* way to meet those requirements, and that this didn't stop any efforts to improve other routes to accessing the various proofs/ID that you need. That's partly to ensure people without smartphones aren't left stranded, and partly to reduce the risk of losing your phone!
There's also a centralisation of risk of fraud element (including in a 'mule' sort of way). That seems primarily like a tech problem to solve, but I don't think it's zero.
Just don't call it an ID Card, call it a passport and nobody will mind.
Give everyone a free digital passport
I genuinely think that UK long term planning would greatly improve if everyone had an ID. Far too many policies are based on guesswork of how many folk are in the country, what residents' needs are etc. Eg. They talked about the 3 million EU citizens trying to stay in UK post Brexit. Turns out that number is nearer 8 million whereas here in Belgium they always knew through ID residence cards exactly how many of us are here & they have provided a pretty good system to help us with our rights & responsibilities under the Withdrawal Agreement to which I am very grateful.
To be fair, the Belgian system isn't perfect either. But anything would be better than the UK's auth-vacuum which has been filled by all kinds of ad-hoc and decentralised processes...?
This whole criticism of the "papers, please" society is ridiculous. Government needs to know who it is dealing with or to at least see an entitlement credential, and doing it through 20th century paper processes or commercial companies is inefficient, time-consuming , expensive and frankly irritating. A major benefit of a secure digital identity and related scoped credentials (I am 18+, I am disabled, I am a citizen, I have a driving licence, etc) is to make existing processes easy, for those who are willing to use a digital method. I certainly am, and there's a real opportunity here for government to create efficiency, and dare I say it pleasantly effective government processes that in some small way improve citizens' impressions of how effective democracy can work to their benefit.
+1 for the Platformland book which is a fantastic vision of how state services can be delivered to benefit citizens, and using existing proven technologies, so not some hazy AI dream of the future.
Ok, but when can I get my Welsh fishing permit on my phone?
I would bet that it's one of the first things to launch on GOV.UK Wallet as it'll have a tiny number of users, so will be good for debugging!
I'm ok with the government doing this sort of thing, but I'm not ok with data being funnelled off to certain US tech companies or consulting firms. The idea of just a "yup" token without seeing any of the core data sounds like a great idea.
There needs to be some adjustment round the edges of the proposals.
OneLogin: what this does can be achieved commercially today, with tools like 1password (trusted by businesses for password management). Can we just get the government to subsidise accounts on that as a start, or contract 1password to build/run a UK government clone?
Yes getting all government websites to migrate to a common IDP is something that should happen, and with multiple methods of multifactor authentication please, and working towards non government websites offering to authenticate (optionally) via OneLogin (directly or via services like gigya). Make a OneLogin identity as useful as Facebook, Google. Multifactor: allow apps, keyfobs, and biometrics like callback to registered numbers with tone or voice).
Digital identity app. What this also needs to provide is multifactor authentication capability, similar capability as Microsoft authenticator. Maybe the NHS app needs to offer this as an interim.
We also need to resolve how this works when a limited power of attorney is invoked, with full transparency on who is authenticating for whom where a person has lost capacity to identify and authenticate on websites. Also a limited digital authority for service providers like tax accountants to act on behalf of/proxy (with a final request to digitally authenticate remotely in a secure way).
Ideally have a solution that allows a digital way of contemporaneously "witnessing" an authentication (as a replacement for wet signature witnessing as is currently needed for wills--I would not want witnessing to be removed for some important documents)
Finally, I understand that Estonia has best practice which we should review, and we should collaborate with other friendly countries like New Zealand A lot of current gov.uk practice originates from New Zealand.
Alas, 1password is solving the easy part of the problem - looking after a shared secret without checking who is actually entitled to access services or whether they are who they claim to be; the various services don't get any insight into the connections with your identity/entitlement in other departments.
2FA is already a solved problem, there are third-party services which already work well for some government IT...? So there's little benefit in reinventing it, but definitely some advantages to calling an existing 3rd-party service when there's a bigger risk of (some types of) identity fraud.
Good point about power of attorney &c - and at the moment more personal ad-hoc approaches are more common, some dead or dying person's family member is logging in to their account and making important changes, perhaps even taking payments in their name (as any Harry Leslie Smith fan will remember). It causes a lot of DQ problems, really undermines identity.
With your National Insurance number, and Passport photo too?
Just tried to set up my One Login, as requested by the state, so I will be able to access Companies House later when it becomes mandatory. The process stalled at the last hurdle declaring that my identity could not be confirmed. There appears to be no way to restart the registration process or appeal the decision. I must submit Company Accounts etc. on a regular basis, but also I cannot do so because I am now a non-person. Catch 22. Great!
If they are DigitalID only, and *not* a piece of paper one is to obliged to produce on demand to show a policeman, in order to prove ones own identity to police's satisfaction - then fine. See nothing wrong there.
In fact, about the only way we can start separating IRL humans from bots and AI-s on Social Media, is if humans have a DigitalID that social media companies can choose to use. Knowing zero my first thought is: the Registry Office accepts (acceptance == IRL person verification) a deposit of a private key by me. A key I generated as a pair (private,public) keys personaly. From then on, anyone with my public key (that I freely share), and access to the Registry Office API, can verify me.
Having lived for 30yrs in a state with mandatory ID cards first, and now for 25yrs in the UK where there is no national mandatory ID card, I think when all is added and subtracted, the pros- and cons- tallied up - the UK system both works better and obv better from the liberty PoV.
Where no-ID cards: it's police's job and competency to establish my identity (and I can help them; or not). Where must-ID cards: I have to prove my identity to the policeman to their satisfaction. And their threshold for "proof of identity" maybe arbitrarily *high*. The former is trusted by default. The latter is not trusted by default. Trusted by default is better b/c it better corresponds to our reality where most of the public are honest and not crooks nor criminals. It's a bad idea to treat 100% of the public as untrustworthy, even if 1% maybe so. Much better to deal with he consequences of trusting the untrustworthy 1%.
But DigitalID seems very different to that to me. I don't see how we can accurately label "IRL person" or "bot" or "AI" or something else, unless there is ground truth that only the Registry Office can supply.