A significant relationship has changed for the Open Identity Exchange (OIX).
With the demise of the Verify programme for digital identities it has moved away from a close association with the UK Government, with the Cabinet Office terminating its membership of OIX and the organisation now dealing with it more as a representative of the industry.
But they are keeping up a positive dialogue, according to its chief identity strategist Nick Mothershaw.
“Our relationship with government now is very collaborative,” he says. “Four years ago the UK Government was a member of OIX, but not any more as they didn’t feel it was appropriate as we move forward.
“As a members’ body representing the identity trade we’re spending a lot of time lobbying and influencing government, and it’s not appropriate they should be a paid member.”
Set up 10 years ago, the OIX is a not-for-profit membership organisation focused on the development of trusted digital identities that show not just who someone is but what they are trusted to do. Its members include a range of major companies with an interest in the field, along with the Open Data Institute and the Scottish Government.
Mothershaw says that through its working groups, projects and library it has done a lot to define what good looks like, and since he joined two years ago there has been an effort to bring it into one place with a collection of papers and projects to frame good practice, and the recently published guide, Getting Ready for Digital Identity.
Input for trust framework
A major element of its work over the past 18 months has been in providing input to the Department of Digital, Culture, Media and Sport’s (DCMS) effort to build a trust framework for digital identities. Mothershaw says he believes the department is on the right track with its focus on an ecology of digital ID providers underpinned by trust.
“We’re pleased to see a lot of the comments we’ve been making are appearing in various iterations of the framework and documents adding detail around it,” he says.
“We’ve been calling for it to get the balance right by being deep enough to create a robust framework to prevent fraud, but not too deep that it stifles innovation and market opportunities for the private sector. We’re pleased to see that over the past year there’s been progress towards achieving that, with detail where we need it, statements of broad requirements and the shaping of a trust framework that our members feel they can work with.”
He qualifies this by saying there is still need for further detail in the framework, especially in providing an effective governance body that works not just for government but all the sectors that can benefit from digital IDs.
“We’re keen that governance body should be a collaboration between public and private sector stakeholders, and it should be a new body. We don’t think any existing body in the UK would be competent or appropriate to take on this new challenge.
“In addition, there is a need for communications. The trust framework has 22 sections, all of which need to work together, and it requires a high degree of communication and user support.”
Verify history
OIX had a deeper involvement with the Government in contributing to the Verify programme. Mothershaw says a big reason the service failed to achieve widespread take-up was that too many people were unable to obtain a Verify ID, not having the evidence to satisfy the organisations acting as identity providers.
“That was connected to the fact that when people couldn’t get one it was pushed back on the department they were trying to deal with. It became a departmental problem if you didn’t have a passport, driving licence or credit file.”
He is keeping a close eye on the current initiative from the Cabinet Office to develop a new approach to digital identities through a One Log-in for Government service and an identity check app. The big question around this is whether other departments will be more ready to make use of them than they have been with Verify, with the question intensified by Home Office plans for a generic identity service and the high take-up of the NHS login.
From what he has seen, Mothershaw believes the Cabinet Office is taking the right steps, but again with qualifications.
“Yes, they’re on the right lines, but I’m interested to know how it will be distributed. One of the features they’re talking about is there won’t be one central database of identities, and I’m interested to know how they will achieve that but confident they will.
“They’ve been talking with different people in industry about different ways of doing so, which tells me they’re thinking along the right lines. They’re thinking about it being controlled by the user, that it has data government wants on a user, but that data is not held centrally by government.”
Need for marketplace
He also thinks One Log-in could ultimately be used for private sector services, but that the overall emphasis should be on creating the conditions for a marketplace in which people would be able to choose their providers.
“It’s very important that government can create a digital identity. We see other governments around the world creating a single identity and don’t think that’s the right thing for the UK, but we believe the Government here is in the right place in terms of creating a market for digital identity providers, and within that we want to see the user being able to choose the digital identity that works for them in lots of different situations.
“It may be possible that people would choose a couple of digital identities in the way people have several bank accounts, depending on whether it’s for a business or a personal capacity. That element of choice is very important.”
Among the factors he believes everyone should be taking into account is the role of biometrics. He says a fingerprint, iris scan, facial or voice recognition could be important in proving an ID, but the ideal is that they are paired with a non-biometric, such as a password or digital token, in providing two-factor authentication.
He is also enthusiastic about the potential in a project led by Sir Tim Berners-Lee to create ‘solid (social linked data) pods’ for individuals that remain under their control and could provide data to prove their identities and that they are trusted for a specific service.
Compliance for ecosystem
Another priority is to ensure compliance among digital identity providers with the trust framework DCMS wants to build.
“Compliance is going to be a priority, so as the framework crystallises you need to understand what it involves,” he says. “Having a digital identity ecosystem with providers at one end and users at the other you need the piggy in the middle to service both parties properly.
“So we are working with a number of schemes in the UK at the moment across finance, gambling, home buying and selling and age. All of them are facing similar challenges and we want them to avoid inventing the wheel four times and work together to invent it once.
“There are key areas around technical standards on how data is described and obtained, fraud controls and working together in a consistent way when things go wrong.”
Along with all this comes a need to help people understand the potential in digital identities. It reflects one reason for the failure of Verify to gather momentum, that most of the public had not heard of it and only took steps to obtain an identity when required to do so for a service they wanted to use.
Communications key
“Comms is very important,” Mothershaw says. “If we are going to make digital identity a success, planning and budgeting for communications out to end users is going to be key. They have to understand what digital identity is and why it can be trusted.
“At the other end of that for organisations excited about digital identity there are things to get out, such as what is the trust framework and is a digital ID regulatorily acceptable for a sector. We can deal with those over the next 12 months in contributing to DCMS.
“Then we need to work on why it is a business benefit. Over time we will be talking about the business benefits for more people to get onboard faster.”
While government, largely in the form of DCMS and Cabinet Office, is currently the key player in the effort, Mothershaw emphasises that it can only make it all work in collaboration with identity providers, and that he thinks a lot can be achieved with the right effort.
He concludes: “We’re working hard with people who are trying to make digital identity a reality in the UK.”
Image from OIX