Lacklustre leadership from DCMS delays UK-wide biometric identity platform rollout
For years the UK government has longed for a fully functional digital identity system, but it isn't helping those who are crying out to build it
The quality of communication from the UK government has been branded 'unsatisfactory' by experts in the private sector and has been blamed for the slow development of digital identity solutions across the nation.
Speaking at a Westminster eForum panel in January, experts said work on a major, biometrics-driven digital identity system is lacking direction from the Department for Culture, Media, and Sport (DCMS) - the government department overseeing the proposed project.
At present, the proposed system will be built by the private sector but has been tipped to replace passports and other official documentation used to verify identities in the UK.
This could take a number of forms including an app or digital wallet across devices, though many experts call for biometric technology to form the backbone of the system for security purposes.
The political ambiguity around the project means those tasked with building the solution still aren't fully certain about design decisions because the government hasn't confirmed the scope of its use.
The DCMS' perspective is that it will be used primarily for validating identities for government-level services, such as proving one's right to work, but there are ongoing discussions about broadening it to other use cases, such as verifying people on social media platforms.
"Requiring ID verification for all users could create a two-tiered internet," she said. "Those unable or unwilling to give their ID online could be shut out of services online, including underrepresented groups and children."
Industry professionals from the private sector have called for greater leadership and transparency on the issue from Whitehall, and stated that this is necessary for development in either the public or private sector.
“I salute the work the DCMS has been doing, but we’re not seeing a joined-up approach, and there hasn’t been clear political leadership, particularly at the top for some time,” said Andrew Bud, founder and CEO at iProov.
“If we don’t decide if this is part of UK identity, we’re not going to reach interoperability and we’ll see all kinds of culture wars.”
Bud drew a direct comparison between the UK government’s efforts towards digital identity and the EU’s digital wallet scheme, highlighting the clarity the latter offers to businesses.
The DCMS’ digital identity scheme was announced in March 2022 and was aimed at making official documentation easier to supply and tackling high levels of fraud.
“Because we don’t have a clear setting out of ‘what is the role of helping people with their identity’... we hold ourselves back from actually making progress,” said David Rennie, director of market strategy at identity tech firm IDEMIA.
“A clear political policy is required. The risks will change year-on-year but the only way to solve those problems is coherently, between the public and the private sector.”
'Bludgeoning the public into change is failing'
Improving public trust in digital identity schemes is seen by many experts as a crucial step to take before the tech can be rolled out.
However, there is currently a lack of consensus on how this can be achieved and who should be responsible for building this trust.
“Without some degree of education, people are unaware [of inadvertently sharing their data],” said Martin George of the digital identity expert group at the Biometrics Institute.
Bud disagreed with this assessment, calling instead for firms to lead by example in creating strong systems, first and foremost, to quell potential fears over the technology.
“The premise that we have to bludgeon the public into a change of behaviour because it’s good for us doesn’t work,” he stated.
“The way this is going to work is if this adds value. If it’s attractive, easy to use and makes their lives better. If not, they won’t adopt it, and educating them to death is not going to change that.”
Information campaigns around rollout will vary greatly depending on whether the digital identity scheme is a centralised system managed by third-party organisations, or a decentralised system in which individuals own and look after their own digital identity in a secure wallet.
The scheme is set to be overseen by a new governing body, the Office for Digital Identities and Attributes (OfDIA), which would ensure that companies that handle digital identities meet security requirements.
The DCMS is set to run ‘adoption sprints’ throughout February which will group experts by sector to discuss issues with adoption and other barriers to digital identity.
Speaking to the development and uptake of new digital ID systems, a DCMS official on the panel pointed to the need for the sector to move forward with schemes in parallel with government campaigns to improve understanding of the risks and rewards of proposed technologies.
“I think the market is adopting [digital identities], but it helps for us to mark things out and raise awareness of digital identities as something that is safe to use,” said Erika Lewis, director of cyber security and digital identity at the DCMS.
“Lack of uptake isn’t a matter of technology, but one - I think - of trust.”
There are also problems to be resolved around international interoperability, and how storage of identities will work with data sovereignty. The DCMS has stated that it is aiming for UK digital identities to be used nationally and overseas, but that the transfer of information across borders is difficult and could take years to negotiate.
Lewis pointed to the UK’s digital trade deal with Singapore as holding potential for future data transfer arrangements of this kind.
“We are starting to see working groups align on data transfers and data sovereignty requirements, where through agreements they recognise each other’s data protection mechanisms,” Florian Chevoppe-Verdier, public policy associate at identity verification firm Yoti, told IT Pro.
“In the UK for instance, what we’re waiting for as a company is the ratification of the Australia-UK free trade agreement, which would remove those data requirements.”
How do biometrics compare to alternatives?
There are a number of pros and cons to biometric identification, which have come under scrutiny in recent years amidst growing adoption of the technology.
Chiefly, biometric ID schemes could be far more user-friendly than traditional passwords since they don't require memorisation. Similarly, this convenience doesn't come at the cost of weak security, as is the case with the most common passwords.
“Biometrics are not like a password, a shared secret,” stated Bud.
“The value of a biometric is that the genuine article is unique. It is far easier to check that a biometric is unique rather than check a password has been leaked, or that a phone has been cloned or stolen.”
A clear advantage of using biometric identification over push notifications on handsets, or using a handset itself as a passkey for a system, is that it is completely accessible.
As biometric identification can be established for any individual, regardless of their level of access to technology, it has the potential to cut across class divides.
However, a number of privacy concerns exist around biometrics, including the potential for disproportionate tracking of individuals, particularly without individual consent.
The Metropolitan Police faced widespread criticism in 2020 for its role in operating live facial recognition systems at King’s Cross, for example.
There are also concerns over the accuracy of some biometric systems, which could contain biases and work poorly on marginalised groups if not designed with these concerns in mind.
“Matching technology is a probabilistic exercise that can only be made through rigorous testing,” said George.
“The United States has the National Institute of Standards and Technology (NIST) which is one of the only players which gives regular, published information on the testing of biometric technology.”
In June 2022, an Ada Lovelace Institute report called for urgent new biometric regulation and made the case for the establishment of a national Biometrics Ethics Board. This was in response to worries around the privacy violations of biometric tech that uses live facial recognition and gait recognition.
The report also called for greater transparency around the sharing of information between public and private sector entities, an issue that could continue to draw criticism as the public and private sectors work more closely on digital identity.