What's the issue?
We can now use increasingly precise and convenient digital methods to identify and verify ourselves. While existing laws apply to certain areas, there is no overarching legal or regulatory foundation in place to regulate the use of digital-ID services. Given these span a wide range of technologies including fingerprint matching, facial recognition, voice recognition and behavioural trait scanning, the lack of harmonised regulation is a challenge to growth and trust.
The government has recognised that in order to further support and grow the digital economy, a robust system is needed to simplify and streamline the digital identification verification process. The government's stated key areas of focus in setting up this system are to ensure it unlocks the digital economy, improves citizens' experience and access to services, safeguards privacy and combats fraud in the digital space.
Throughout 2019 and 2020, the UK government undertook an evidence-gathering exercise to assess the need for, and obstacles to, setting up a national digital identity checking service. Questions were asked about the respective roles of government and private industry, how to establish trust in such a service and potential problems.
The results of this study were published in September 2020, and were at least partially reflective of the huge changes to the economy and the need for advanced digital services brought on by the COVID-19 pandemic.
What's the development?
In February 2021, the government released its digital identity and attributes trust framework. Taking into account the responses received in the call for evidence process undertaken in the previous two years, the framework seeks to develop the government's commitments to establishing a governance and oversight function for the rules around creating and using a digital identity service.
The main purpose of the framework is to generate feedback from the companies which may be interested in using the planned trust framework, as well as to gather input from other stakeholders including academia and civil liberty groups on how the framework should operate and the rules which will apply under it.
One of the key aspects of the framework is the 'trust mark'. A trust mark will be granted to an organisation which has been certified as meeting the rules under the framework and is permitted to perform one or more roles in the provision of a digital-ID verification service.
There are rules under the framework which relate to all participants, and additional rules which apply to specific roles. An organisation which wants to perform more than one role would need to comply with the general rules as well as each applicable set of rules.
The rules which will apply to an organisation seeking a trust mark include requirements which are specific to digital-ID services, and rules about information handling. They will set out how an individual's identity can be verified, how a digital identity account can be used (and potentially reused), and details about inclusivity and managing accounts, including deletion. There are rules about security, privacy and information management, complaints handling and record keeping.
The framework also notes that in later versions, it will include more detailed rules and technical specifications. These future rules will particularly relate to interoperability and accessibility. The rules will operate alongside existing laws, including the GDPR.
The framework describes each of the potential roles which an organisation can hold to perform part of a digital-ID verification service:
- identity service providers, which prove and verify an individual's identity, using either offline or online methods, or a combination
- attribute service providers, which collect, create, check or share any piece of information used to build an individual's digital identity (called an 'attribute')
- orchestration service providers, which ensure data can be securely shared between identity or attribute service providers and parties outside the framework.
When an organisation meets the relevant rules and is granted a trust mark, it is permitted to (with the individual's consent) provide the verified digital identity or attributes to a third party. The third party relies on such verification by virtue of the organisation's trust mark.
Use of trust marks and compliance with the framework rules would be governed by a body to be established by the government. This governing body could also assist with issues which can't be resolved by the framework members.
Another important aspect of the framework is 'vouching'. Vouching enables the framework to operate an inclusive system, whereby individuals with limited paperwork or digital skills can rely on personal connections to vouch for them. The vouching concept would see a trusted professional, such as a doctor, confirm to the framework member that the person is who they say they are.
The framework is designed to benefit industry as well as individuals. Organisations outside the framework which are able to rely on providers with a trust mark will save time and money as they won't need to undertake their own identity verification checks, and individuals should experience a smoother, faster service whenever they are required to prove their identity.
What does this mean for you?
The potential use cases of a verified digital identity system are almost endless. Throughout a person's life, they will need to identify themselves to obtain finance, to access services related to housing, employment, health and social needs, justice, education and to travel.
The lack of a national digital verification service is clearly holding things back. It has, for example, been highlighted as one of the key issues preventing the development of the Pensions Dashboard Programme which is being formulated to enable people to access their personal pensions data via a single digital interface.
COVID-19 has likely made the general public more aware of the advantages of digital verification services, and the potential 'vaccine passport' could even be one of the first use cases.
Aside from the legal and regulatory issues which are in themselves significant, one of the biggest challenges to the uptake of digital identification is consumer trust. While consumers want technology-based options to verify their own identities, they are also wary of the potential risks including identity theft, hacking and scams.
The government is seeking feedback on the framework by 11 March 2021, and will issue a further iteration later this year, with a plan to set up sandbox-style testing in the near future. The framework offers opportunities for existing technology companies to expand their services in the digital space and to improve onboarding and customer engagement. It is only the beginning in the UK's journey to establishing a trusted digital identification system.
