Gov.UK Verify: Late, unnecessary and finally launching this week

Campaigners warn the government's identity assurance project is limited and that people will lose control of their identity

Gov.UK Verify, the Cabinet Office's in-house developed identity scheme intended to govern access to public services, has finally been launched - years late.

However, campaigners have argued that not only is it unnecessary and limited, but that the scheme is potentially insecure and that it will encourage users to, effectively, lose control of valuable personal information to the eight private contractors picked to oversee the scheme.

"With Gov.UK Verify, you can only register individuals - you can't register companies, partnerships, trusts, sports associations and all of the other types of legal 'person' that the Government Gateway can handle," said campaigner David Moss.

As a result, HMRC is building its own identity scheme before the Government Gateway is closed down at the end of March 2018, rather than relying on Gov.UK Verify to finally include such functionality in its systems in time - if it can overcome the performance issues that still dog the system even after launch.

Campaigners have a number of other objections too. First, they warn that the level of information users will have to hand over to the third-party organisations handling the scheme, some based overseas, means they risk losing control of their personal information - who knows with whom it will ultimately be shared or where it will end up?

In addition to name, gender, date of birth and address, "you have to hand over your passport details in minute detail - it's not just passport number, but dates of issue, dates of expiry and, then, even more details about your driving licence", said Moss.

On top of that, he added, users also need to answer a range of largely financial questions drawn from the files that credit reference agencies keep on them - bearing in mind, of course, that those agencies have now started collecting information on bill and rent payments, as well as current and savings account status, and credit card and mortgage payments.

"They've asked the question, 'What is a person?' and their answer is: 'A person is a credit history'," said Moss. "So you have to answer a lot of questions about the balance of your current account or when you took out a mortgage or anything that the likes of Experian or Equifax are likely to know about your core credit."

Moss took out seven identities to test the system. "After a while it started to feel rather intrusive. I was giving very detailed information about myself to Digidentity, a Dutch company. I was giving it to Safran Morpho, a French company trading as SecureIdentity for Gov.UK Verify. Why was I giving them line six on my driving licence details?" asked Moss - especially as all these details were from documents originally issued by the government in the first place.

And, added Moss, having handed over this information to various third parties, who's to say where the data could conceivably end up in the future?

Second, campaigners argue that the whole project is unnecessary. The Government Gateway has been running since 2001, not just supporting access to public services for individuals, but also enabling companies to pay taxes and other legal entities to interact with the government. It works, they say, and does not need to be retired.

Third, they suggest that Gov.UK Verify will provide a false sense of reassurance, with ultimately only a user name and password standing between the honeypot of personal information and any miscreant who wants to use it.

Furthermore, said Moss, if users wish to cancel their Gov.UK Verify accounts, the private companies holding the information will keep it for seven years - just in case. "You can't delete it yourself. You have to wait for them to delete it," said Moss.

What is more, independent studies have also suggested that the architecture of Gov.UK Verify (as well as its US equivalent) may well be fundamentally flawed.

"Both systems propose a brokered identification architecture, where an online central hub mediates user authentications between identity providers and service providers. We show that both FCCX and Gov.UK Verify suffer from serious privacy and security shortcomings, fail to comply with privacy-preserving guidelines they are meant to follow, and may actually degrade user privacy," claimed researchers from University College London.

Of course, fundamental flaws - whether of security or conception - have rarely been considered a good enough reason for a government to abandon a policy. So Gov.UK Verify will go on, but it will still be some time before it achieves what was originally promised, if it ever does at all.