It wasn’t announced by the King when he opened Parliament last month, but if you dig into the government’s published briefing notes that accompanied the speech, there was a really intriguing paragraph.

As part of the planned “Digital Information and Smart Data” Bill, the government says that it will support economic growth by establishing “digital verification services”.

The short explanation given reads as follows:

These measures support the creation and adoption of secure and trusted digital identity products and services from certified providers to help with things like moving house, pre-employment checks, and buying age restricted goods and services.

Needless to say, when it was published, it set off a mini-wave of speculation that the new government is attempting to introduce ID cards – something that Tony Blair famously failed to do when he was in Downing Street.

And this speculation was in part exacerbated by, well, Tony Blair himself.

A couple of weeks earlier, only days after Keir Starmer took power, the former Prime Minister wrote an article for the Sunday Times, pitching ID cards once again – this time premised on the idea that they could help control immigration. With Downing Street no doubt thrilled by the intervention, it fell to my favourite Cabinet Minister, Jonathan Reynolds, to “rule out” the idea, as they say in Westminster parlance.

So this raises the obvious question: What is the deal with the government’s digital identity plans? What is it that the government is actually planning to do? And why would it want to wade into an area that is still widely considered to be politically explosive?

The answer is actually out there, but unless you’re an ultra-nerd and technical specialist, or a weirdo who enjoys scrolling through long, boring pages of policy guidance buried on the GOV.UK website, then it isn’t enormously clear.

Which is why this week I’m going to put on my “public service journalism” hat and explain just what the hell the government is planning to do on digital identity – and why this law very definitely isn’t trying ID cards all over again.

Subscribe now (for free!) to get my takes on politics, policy, tech and media directly in your inbox!

Proving yourself

There are many moments in life when you might need to legally prove that you are who you say you are. When you get a job, you need to prove that you’re legally allowed to work. When you rent a flat, you need to prove your immigration status. And when you’re in Tesco buying alcohol, you need to reassure the shopkeeper that you’re a real, functioning adult and not two teenagers in a trench-coat.

As things stand, all of the ways of doing this are pretty annoying.

If the interaction is taking place in real life – like standing at the self-checkout – you need to remember to bring your passport or driving licence with you, and then you’ll have to wait for a member of staff to wander over and verify your age as they judge your choices1.

If you’re a woman queuing for a nightclub, showing your driving license to prove your age may mean revealing your home address to an unscrupulous bouncer, who you don’t want to show up outside your house the next day.

If you’re proving your residency status, then your employer will need to take a scan or photocopy of your passport, which will then be stored on some random hard drive or in some filing cabinet. That’s not a secure way to store a document that could conceivably be used to steal your identity.

And this is only ‘real life’ interactions. Once you need to prove your identity on the internet, it becomes even more difficult.

For example, how can Amazon be sure that when you buy a knife that you’re over 18?2

And what about when you’re doing really serious paperwork online, like trying to buy property? I’ve experienced this annoyance for myself. When my partner and I bought our house a few years ago, for several of the ten trillion documents we had to deal with, instead of signing online, we had to make an appointment with a local solicitor, and drive to their office so they could witness and certify that it really was us signing3.

The good news is that in some limited cases, there are emerging workarounds for some of these problems. For example, when I signed up to a sickeningly modern bank that uses an app and has no physical branches, part of the verification process involved me recording a video of myself, to prove I was real. But aside from the extra hassle, given the advances in generative video, how confident can we be that this will be good enough proof in the future?

So this is basically why the government is wading into digital ID – as an attempt to figure out a better way to prove who we are, both on and offline.

And luckily for our new Labour government and Department of Science, Innovation and Technology Minister Peter Kyle, there is basically a ready-made plan in place.

Though I’m told by people who understand these things that there are some minor changes being made, for all intents and purposes, Labour announced in the King’s Speech that it is basically going to implement what the previous Conservative government already had almost ready to go.

A brief history of identity databases

Given the problems described above, the most obvious thing to do would be to, well, build a massive identity database that’s controlled by the government, and issue physical ID cards. That way, when prompted in shops and bars, citizens could show their card. And online, digital services could be built to connect to the database and verify someone’s identity.

This was basically what was proposed in the aftermath of 9/11: That there would be a National Identity Register, which would give everyone an ID number, and could contain contain their fingerprints, facial recognition data, iris scans and links to other government databases4.

As history showed though, the idea turned out to be utterly politically toxic. The plans were defeated in Parliament, the remnants of the database that was created was permanently deleted by the Tory/LibDem Coalition, and ever since, policy makers have shuffled awkwardly or bolted for the nearest window at the mere mention of ID cards.

At the time, I thought this was a good thing. I was persuaded by the civil liberties arguments advanced by campaign groups like NO2ID5. The idea of the government having one singular database storing everyone’s biometrics seems, well, nightmarish. There’s the downside risk of what a future authoritarian government could do with it, the reasonable concern that mission creep would lead to the database being used for an ever-extending range of things – and the fact that it would be a huge target for hackers.

But even if we ignore all of the civil liberties arguments, the other flaw in the plan was more pragmatic. Could the government actually build such a massive database? It would have to work across government, for all of use cases listed above, and it would adapt as technology changes. Needless to say, such assumptions would probably be optimistic.

What happened next is long and complicated6, but to cut a long story short, eventually the Conservative government arrived at a new plan to do what Conservative governments like to do best: Solve the problem using the market.

And that’s where we are today, with what is called the “UK digital identity and attributes trust framework”. Instead of tearing up the plan and starting again, apart from a few minor changes, Labour is basically adopting the idea in full.

So let’s dig into exactly how it is going to work.

In the market we trust

The idea behind the Trust Framework is that instead of having one identity database, controlled by the government, we instead prove who we are using private companies – “identity providers” which perform the necessary checks to verify our identity.

For example, one company that does this is called Yoti. You sign up with the company ahead of time, and upload all of your identity documents – your passport, a little video to prove you’re not a deepfake, and so on. Yoti then carries out the necessary checks, confirms that you are verified and stores your credentials in its database.

Then the next time you’re buying a knife online, once you reach the checkout and the merchant needs to check your age, once the legislation has been passed, you’ll conceivably be able to click a “Login with Yoti” button. Then all you need to do is type in your login credentials7, and Yoti will give the retailer the thumbs up – without sharing more information than is needed.

The same can process works in real life too. When you’re at the supermarket checkout, the theory is that you’ll be able to fire up the Yoti app and either display an on-screen ID card to the assistant, or have them scan a QR code, so that their system will connect to Yoti and confirm your credentials.

In fact, this system already exists. The company says you can already use the app to buy lottery tickets, cigarettes and energy drinks8 in branches of the Post Office and at other newsagents.

And it is at this point that, though my politics are broadly somewhere on the centre-left, I have to concede that letting the market figure this out may actually be a better solution. As what’s clever about letting private providers verify our identity is that from the government’s perspective, the process is technology neutral. This means that if a new and better technology comes along to do the same thing, the market can adapt more quickly.

For example, having spoken to people familiar with the thinking on this, the expectation seems to be that once the Trust Framework comes into law, then it’s likely that Apple and Google will swoop in and take a big slice of the “identity provider” market, by building identity checking directly into their mobile operating systems9.

So for most of us, it’s likely that proving our identities on an online form could be as simple as the tapping a button on our phones – just as easy as using Apple or Google Pay is now10.

But crucially even if this happens, it won’t be the only way to prove who we are. There will still be other identity providers around, and they may offer a broader range of verification methods, which will be better from a digital inclusion perspective, and will let more vulnerable people manage their lives digitally.

For example, one company I think is pretty great example of this is called Vouchsafe. It’s an identity provider start-up, where the idea is that if you don’t have the right documents to prove who you are, you can instead have another person ‘vouch’ for you.

So you can imagine, for example, a homeless person who needs to prove their residency status to get a job or access to a flat. Because of their more precarious circumstances, they may not have a passport or driving licence, or even a fixed address. But using Vouchsafe’s system, they could have a friend or social worker confirm their details, on their behalf.

Why does it need a law?

Ultimately then, this law won’t create a big government identity database. There will be no ID cards issued by the government – either digital or physical. Instead, what the new law will do is create a regulator to certify the private identity providers.

This will be called the Office for Digital Identities and Attributes11, and it will basically set the rules about what technical measures legally count as identity verification, and it will give a legal thumbs up to the companies that are allowed to verify your identity.

In fact, some companies – like the aforementioned Yoti – have already been certified as part of the piloting process.

It will also be up to the regulator to also determine which companies are capable of certifying different things – because different parts of life require different documentation or levels of rigour.

For example, on the linked list above, there is a company called Credas Technologies, which is allowed to certify whether you have the right to work, or whether you have a criminal record, but it cannot yet certify whether you’re good to rent somewhere to live – because the criteria for each is different, and is set by different government departments.

And this gets at what I think is the big trade-off of this market approach, compared to creating one singular, government identity provider: It will be pretty messy, from a user-experience perspective.

For example, individual identity providers will have to conclude individual deals with individual companies. So Tesco will have to do a deal with Yoti, and then separate deals with Apple, Google, Vouchsafe and whoever else it wants to use12. So every company you need to prove your identity to could still end up handling it in an annoyingly inconsistent way13.

And this means it could end up a bit like parking apps, where drivers currently need to typically have a handful of different payment apps on their phone, because every car park is signed up with a different provider. (Ironically this is an annoyance that the government is actually busy fixing.)

I’ve also spoken to one knowledgable sceptic, who wondered if the proposed “market” of identity providers will actually emerge when the law comes into force, as is hoped14.

But in any case, that’s the current plan. And I think I’m pretty optimistic about it. It seems like a broadly sensible way to find a middle path between the benefits of a massive government ID database, and an Orwellian “papers, please” society.

Which I guess is all just a very long-winded way of saying that, no, this isn’t a plan to introduce ID cards.

If you enjoy ultra-nerdy politics, policy, tech, media and culture takes, then you will enjoy my newsletter. Maybe one day I’ll also dig into a separate identity programme called GOV.UK OneLogin, or explain the… challenging history of the Verify programme? Or maybe I’ll just write more about the Postcode Address File.

Either way, subscribe now (for free!) to get more of This Sort Of Thing direct to your inbox.

Share

Follow me on Twitter

Follow me on Bluesky