The UK government is developing a new identity framework that it hopes will unlock the potential of digital identity services without the need for a national ID card. But while there will be no central repository of identity data, there is still potential for ‘widescale chaos’ should the scheme’s infrastructure be compromised, security experts told Tech Monitor. Public acceptance of the framework is by no means guaranteed in a country sceptical of ID schemes, and will require reassurances on cybersecurity.
What is a digital identity trust framework?
In February of this year, the UK’s Department for Digital, Culture, Media and Sport unveiled a prototype for a new ‘digital identity and attributes trust framework’. Matt Warman, then minister for digital infrastructure, outlined the shortcomings of the UK’s current identity systems, which often rely on paper documents. “You may not have recognised physical documents or may not be able to travel to prove you are who you say you are,” he wrote. “Physical documents can also be stolen, falsified or misplaced. They can be expensive to replace and their loss can lead to identity theft and fraud.”
Meanwhile, identity theft is on the increase: instances of identity fraud grew 19% in 2019 compared to the previous year, according to fraud prevention membership body Cifas. After a dip in 2020, they are on track to grow again this year. Digital identity services, therefore, require a high degree of trust and security.
The government wants to enable secure digital identity services for use by both the public and private sector – but, crucially, it aims to do so without creating a national ID card. The trust framework defines a structure for an ecosystem of identity services, and rules that service providers would need to comply with to be certified.
The prototype framework is a complex document. "There are 22 different areas [that] have to work in harmony for the trust framework to be a success," explains Nick Mothershaw, chief identity strategist at the Open Identity Exchange, an industry body that advised DCMS on the design of the framework. These fall under the categories of proofing, identity assurance, authentication and eligibility assurance.
Adding to its complexity, the framework seeks to define both cross-sector rules and industry-specific guidelines. “They [the UK government] are actually going for a two-layer model; defining the framework, which is an overarching cross-sector layer that will define what a digital identity needs to do at a high level, and then within separate sectors, they will have overlays to that, putting on sector-specific rules.”
The DCMS document proposes four roles within the identity ecosystem: identity service providers, which confirm people are who they say they are; attribute service providers, which store descriptive information about individuals; orchestration service providers, which "make sure data can be securely shared" between parties; and relying parties, i.e. organisations that use these services.
The framework also proposes a governing body that will maintain and enforce the rules that service providers must adhere to, handle complaints and disputes, and issue a 'trustmark' for certified services. "We're all familiar with trustmarks like Visa and MasterCard," Mothershaw explains. "They denote that some kind of trust ecosystem is in play."
Depending on how it is implemented, the framework could allow citizens to retain a single digital identity, Mothershaw says, which stores all of their 'attributes' (name, address, date of birth etc.) in one place. This, in turn, could enable greater individual control of personal data. "At its purest, it is about enabling the user to manage movement of data from one place to another," he says.
How will the UK digital identity trust framework be secured?
An initial draft of the framework was met with considerable concern from the public, the government revealed in September. "Concerns around fraud, security risks and breaches of privacy were mentioned frequently, as well as worries that certain groups of society would be excluded by this type of technology in the future, for example, older generations," it said.
However, it also noted that "there was a high level of repetition in the wording of many of these responses, indicating that individuals were being directed by a single source. Misconceptions were also common, with some respondents unsure of the difference between the trust framework approach and a centralised national identity card system."
But security fears are not without cause. Should the core infrastructure underlying the identity ecosystem be compromised, "the potential is there for widescale chaos," warns Phil Thomas, managing director at cybersecurity consultancy Secario Labs. "The wider effect would be a deeply affected relationship between citizens and the state, where people would lose trust in any such programs in future."
The framework sets security rules for all service providers in the ecosystem. These include using encryption, implementing an information management system that adheres to a recognised security framework, and having a security governance framework in place.
The most likely weak point, Thomas says, will be the service providers' employees. "The human side has nearly always been the entry point for significant data breaches, whether that was by phishing emails, misuse of personal machines, duplicated passwords or various other techniques." Additional security checks, multi-factor authentication, and staff security training must be implemented throughout the ecosystem, he says.
Service providers must also incorporate security testing and monitoring into their operations, says Max Heinemeyer, director of threat intelligence at security company Darktrace. "Robust testing will be required, together with centralised security monitoring in the back-end," he says. "It will be important for the platforms to be designed with secure design principles such as zero trust architectures."
The next step for the identity framework is a live alpha test, expected next year. But as well as being technically feasible, the government has acknowledged that the framework will need to be accepted by the public to be successful. The initial consultation revealed "that public understanding is needed to progress this policy and reassure individuals that the trust framework is being developed to protect their data and improve access to services," it said in its September update. That must include reassurance of the scheme's cybersecurity underpinnings.