If GDS wants a platform government, the Verify market needs to succeed

SUMMARY:

There is growing uncertainty around the future viability of the government’s identity assurance platform, Verify. What does that mean for GaaP?

The Government Digital Service’s identity assurance platform, Verify, has received a lot of negative attention over the past week or so, after it emerged that HMRC was backing away from using the tool for its own services.

An HMRC blog post suggested that it would be creating a new tool using the existing Government Gateway system, which has been in place for over fifteen years, to help identify businesses and citizens. It then later backtracked and said it would just be using it for businesses, after a media storm quickly hit.

Verify has not been designed for business authentication, so HMRC can’t be blamed for needing a modern service for that requirement.

However, its initial claim that it was going to turn its back on the Verify platform for individuals too was an embarrassing one for GDS. It has long been rumoured that HMRC wanted to go it alone because it was getting tired of waiting for Verify to come of age.

Much has been written in the press since the HMRC blog went live, and then again since it was amended. Which is unsurprising, given that it gives you a clear insight into the turf wars currently going on in Whitehall around technology decisions.

I stayed away from commenting too soon, as I felt like I needed to know more and because I felt like I couldn’t add anything to what had already been said.

However, having had some time to reflect, and some time to speak to some people, here’s my take on why this is an important story.

Verify is flawed

Even those that support GDS recognise that Verify as an assurance platform isn’t performing as well as had been hoped. You only have to look at the service dashboard to see that. Currently only 34% of all users that start on Verify actually end up successfully accessing the service they require.

Even for the most successful service, the success rate is currently at 67%.

GDS has been fairly open about this (albeit, not for a while), and the Verify team are undertaking new approaches to ensure that people do get verified more often (for example, it no longer asks users for access to their financial records, as A/B testing showed that this caused a drop off).

Identity assurance is complicated and Verify aims to provide a level of assurance that could be held up in court. It’s not as simple as creating a user name and getting a password – it’s proving you are who you say you are as a citizen, all without actually holding any information on you centrally (Verify is a federated service that works with private sector firms to get users assured).

However, Verify currently has 2.6 million users and is aiming for 25 million users by 2020. That’s a lot of additional users for GDS to find in under three years. Many doubt whether that is possible, which is why the (suspected) loss of HMRC was such a blow to GDS.

However, there is demand

Despite the flaws, and the worrying success rates, there is demand for Verify.

As I mentioned above, Government Gateway is over 15 years old and anyone that has used it will know that it’s a horrible digital service. Every time I have to go through the process of logging in, it’s painful. And I don’t think any user would be pleased with the experience.

The National Audit Office has said that there is an “urgent need to find a better alternative” to Government Gateway, as it provides “only limited levels of identity assurance” and that its “weaknesses will be increasingly exposed and under attack”.

But apart from the general public and politicians, there has also been an expressed interest from many local authorities to get access to the platform. Although Verify isn’t yet available to local government (trials are taking place), I’ve spoken to many over the past year or so that believe that Verify could really help them in delivering digital services.

In fact, I’ve spoken to a couple of local digital leaders that have said that they’re holding off on their own investments in the hope that they can get access to Verify soon and then accelerate their plans.

There are also possibilities of using Verify within the NHS, however that’s a slightly more complex discussion because of how the health sector has historically used a patient’s NHS number as an identifier.

Why all this matters

Most of the commentary on this story to date has focused on the in-fighting between HMRC and GDS, and the ongoing Whitehall turf wars that appear to be driven by the digital agenda. And that’s no surprise, it’s a juicy story.

However, there is a bigger picture here that should be considered, as it relates to the Government-as-a-Platform agenda.

And I don’t just mean because Verify will underpin the identity authentication for all digital services using the platform approach – getting Verify wrong brings into question GDS’ ability to create a federated, commoditised marketplace, working with the private sector, using open standards.

Whilst the most frequently used description of Government-as-a-Platform goes along the lines of ‘creating common systems for re-use across government’, there is a slightly more complex long-term plan in place at GDS, which I’ve described before as follows:

When people say GDS wants to build everything, they’re mistaken. Consider Verify, one of the core components of GDS’ vision for GaaP. Has it built any identity authentication systems?

No, it hasn’t. It has built an open-standards based wrap around for a number of payment platforms already in the market, which buyers (departments) can then plug into.

What I don’t think many people have understood is that the open standards nature of the wrap around allows GDS to commoditize those services. There is no lock in and it has the buying power of government at its fingertips. Want to charge a premium for a payment mechanism that should be a commodity? Good luck when you’ve got a number of other players using the same standards and when GDS can run a reverse auction for that service.

This isn’t something that has been attempted by a public sector body before, as far as I can tell. The government would be setting the standards it wants to see in the marketplace, forcing all sellers to commoditize, and then it would be driving down the costs by creating an incredibly competitive environment.

GDS becomes the gateway for the buying of digital services in Whitehall. The downsides? Does such far-reaching commoditisation create problems? Maybe. Is there an issue around GDS being such a powerful entity at the centre in this scenario? Possibly.

Nonetheless, this was GDS’s plan for Government-as-a-Platform. If Verify fails, where does that leave the Government-as-a-Platform agenda? The Verify market needs to succeed if it wants to replicate it elsewhere.

If GDS can’t effectively work with the private sector, or design an open standards based marketplace, it brings into question the viability of the remaining elements of the platform approach.

To be fair to GDS, it’s wading into very new territory here – as I said, I don’t believe this has been done before elsewhere. However, there is a possibility that getting Verify wrong could have wider consequences beyond identity authentication.

If GDS wants to create the type of marketplace described above, then it needs to make it incredibly easy, workable and attractive for buyers. It can’t have turf wars with a heavyweight department every time a new platform component is introduced. And it can’t have such poor service stats for every new component.

Something to consider.


    1. Anonymous Coward says:

      There’s one important piece here that people seem to keep missing, even though it’s caused problems for other agencies in the past. (* See below.)

      Verify is about individual identities. It lets Me do a thing online that affects My interactions with The Government.

      What if I want somebody else to do that for me? I can’t give them My ID. It may provide that third party to other Verify controlled services that it would be inappropriate for them to have access to.

      So they need to have their own ID that I can give permission to access certain services on behalf of My ID, and I need to be able to revoke that permission if I terminate that relationship.

      So, back to HMRC, for whom the interactions of many people are handled by many, many accountants and other financial institutions. HMRC needs to have the capability for Accountant A to handle transactions on behalf of Person B.

      And then there are business transactions. And Verify is set up for individuals, not businesses.

      Several times in the past we’ve seen some positive spin about how Verify has performed well in Beta use with HMRC with, for example, Self Assessment payments. My main takeaway from that news, and from this current kerfuffle, is that (a) it may not have been as successful as was made out (Shocker! GDS in Positive Spin Scandal! 😉 ) and, (b), regardless, the projected uptake is not significant enough for HMRC to be able to handle Verify *as well as* whatever system is developed to handle the many other use cases that they need to deal with.

      Now I’d normally be the last person to defend HMRC over anything, but in this case they appear to be making the correct call.

      (*) Defra had problems with Verify. https://www.nao.org.uk/report/early-review-of-the-common-agricultural-policy-delivery-programme/