Government struggles with £1bn identity problem
The government has an identity problem. There are numerous different unique identifiers in circulation, but data quality is inconsistent and records are frequently duplicated. Bill Mew asks whether what we really need is yet another ID solution.
Aside from issues with unique IDs, there are more than 40 ways to log into government systems. The solution to this situation appears to be to add yet another.
Taxpayers struggling with unique taxpayer reference (UTR) and national insurance number (NINO) problems, often due to duplicated records or references, need to understand the wider context of the government’s identity problem.
This is becoming particularly acute as we move to automated digital systems like Making Tax Digital (MTD).
In the UK the fundamental individual identifier is the birth certificate. It can be used to get other documents such as a driving licence or passport, which can then be used to get bank accounts and access government services.
Unfortunately, this system is open to abuse. As Frederick Forsyth famously exposed in ‘The Day of The Jackal’, a loophole (now fixed) meant that copies of birth certificates belonging to people who died as children could be used to create entirely fake identities. There are also examples of such documents either being fraudulently issued by corrupt staff or being stolen and used for identity theft.
Data quality can also be undermined when government departments run systems in parallel and updates to one system are not reconciled across others.
Too many identifiers
Having so many unique identifiers – including NHS number, driving licence number, national insurance number and passport number – increases the chances that they may not be unique. And these concerns become more acute as more systems are digitised and citizens are expected to access services online using these identifiers or some other form of primary identification.
The government took a first crack at digital identity with the Government Gateway system that was developed and delivered in three months. It launched in January 2001, using a number of commercial components that were integrated by a really smart team for just £15.8m.
The system worked well and could handle not only individual identities, but also agents and organisations, meaning that businesses could use it as well. It provided single sign-on and authentication and allowed individuals to prove their identity. However, for managing taxpayers, HMRC needed to prove a link between a user identity and a specific unique identifier or data record. The solution was based on an activation PIN which would be sent through the post.
The system is still in use today and an updated Government Gateway is still at the heart of HMRC’s online operation. The gateway upgrade allowed users to reset their passwords and introduced 2-factor authentication (2FA) to improve security.
Subsequently the government introduced a more ambitious identity system called Verify. This system was more secure, but reduced flexibility meant it could not be used by agents and was only for individuals, not organisations.
Verify posed a problem for HMRC, which needs to deal with both individuals and businesses and with accountants acting as their agents. Other parts of the public sector such as the NHS have a similar need to support users acting on behalf of someone else, for example to look after elderly relatives' records using power of attorney. Verify ultimately failed to hit its ambitious adoption targets and became something of a white elephant.
In the meantime, a proliferation of different systems means that there are 44 ways to access government services online. This is about to become 45 as the Government Digital Service (GDS) has just been awarded £400m for a new One Login digital identity project. Along with the cost of Verify and other systems this is likely to bring the overall total spent on identity to around or even over £1bn.
Do we need it?
The question is… do we need a new system? Or could we reuse some of what already exists? And what are we seeking to achieve anyway?
One potential alternative would be to use NHS Login. This has already been rolled out nationwide to provide proof of identity and associated Covid vaccination status. While some would be concerned with health records being shared beyond the NHS, this scenario can be avoided. The system could simply be used to authenticate a user before a handshake with other government systems that provides only basic details like name, address and date of birth and no health data.
Another possible approach would be to work with HMRC. Instead of creating yet another new system in parallel, with all the duplication risks, cost and timescales that this entails, HMRC could scale up its replatformed Government Gateway to provide an identity and authentication system for other government departments.
Indeed, while the new GDS One Login digital identity project does not initially incorporate agents and organisations, the HMRC system, being based on Government Gateway, already does so.
A further option would be to build the new system on commercially available identity solutions which are far more advanced and have far greater functionality than was available back in 2001. Identity apps like Yoti are already used by public and private sector organisations worldwide, including the government of Jersey on the Channel Islands. And commercial cloud providers offer authentication services, avoiding the need for government to develop its own bespoke approach.
We possibly also need to reconsider whether a single identity or identifier is actually essential. Privacy activists fear that this would allow for greater mass surveillance, while security experts fear that it would make identity theft a far greater problem.
Maybe we simply need one system for financial interactions – for say taxes and benefits – which could then be better integrated, and another for health and care – also in need of better integration. Citizens could be encouraged to use a password manager to retain multiple passwords and identities.
All of this however overlooks the need to cleanse the data and crack down on fraud. Whichever system is adopted we will still need to de-duplicate records and provide a means of verification for those either forgetting their password or needing to replace core documents like birth certificates, driving licences or passports. Such systems need to eliminate fraud without being too onerous.
These problems are particularly evident with HMRC and the records it manages. Only a proportion of taxpayers have a UTR, and they are all too easy to fake. The gaps in the system and potential for abuse have been exposed recently with widespread fraud involving furlough funds from poorly documented “entrepreneurs”. This kind of abuse recently prompted HMRC to seize £26.5m in fraudulent CJRS.
The whole MTD system itself will stand or fall on the quality of the data held by HMRC, which is fairly inconsistent and frequently impossible to reconcile.
Aware of its data and identity issues, HMRC has put in place new controls to prevent fraud from phantom taxpayers. However, this means UTRs are taking much longer to issue, and more checks are happening for self assessment. Not only is this slowing down payments, but it is preventing many taxpayers from being able to submit or pay tax at all. With delays of up to six months, this is becoming a real problem.
HMRC is far from alone in having such problems. Benefits fraud is widespread and we are also seeing an increase in property title fraud – which could end up costing you your house. Nor is HMRC the only department with a massive data processing backlog. We saw with the HGV test issues some of the problems that DVLA has, and this is just the tip of the iceberg.
All of this does not necessarily mean that we need to build a completely new identity system from the ground up (at great cost to the taxpayer). Existing systems or new commercially available alternatives could easily be modernised and scaled up to provide a perfectly workable platform. And while HMRC may be central to much of the frustration that we are currently experiencing over data inconsistency and identity, it might also be sitting on one promising solution.
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...