Finding your identity: solving the digital ID verification challenge

By on 04/03/2020
Lauri Lugna

Governments worldwide are trying to create digital ID verification platforms, offering citizens secure access to public services – but many have struggled to deliver workable, popular solutions. At the Government Digital Summit, Matt Ross heard digital leaders from 16 countries debate the way forward

In some countries, said Lauri Lugna, the data links between government databases are reminiscent of city streets in parts of the developing world – where a tangled, chaotic mass of wires droops from the telegraph poles, linked haphazardly to each building by a random assortment of ageing cables. But Lugna, Permanent Secretary at Estonia’s Ministry of the Interior, is lucky: 20 years ago, his predecessors built the country’s ‘X-road’ network.

This enables data to be transfered quickly, efficiently and securely, using centrally-decided protocols and data formats: “And it’s not just for government databases,” added Lugna. “Private sector databases can also make requests for data through the X-road network” – so citizens can, for example, permit their banks to share information with government, supporting Estonia’s very straightforward system of tax declarations.

Lugna’s audience – 27 national and departmental digital leaders from 16 countries, who’d gathered in London for Global Government Forum’s first Digital Summit – were, it’s fair to say, a little jealous of Estonia’s digital set-up. While the X-road provides hard connections, the country’s universal digital identity verification system and its ‘once only’ principle (of which more later) keep information flowing across and beyond government: the Baltic state appears to have cracked a nut that’s proved too tough for many bigger and richer nations.

A need for networks

But countries worldwide will simply have to get bigger nutcrackers – for the ability to rapidly share data is becoming ever more essential to effective government. And that timeliness is important, pointed out Greg Ainslie-Malik, a Machine Learning Architect at knowledge partners Splunk: “How quickly are you able to share that data for the outcome that your partner organisation is trying to achieve?” he asked. For responsive services and those built around the use of real-time data, he added, a relatively short delay can dramatically reduce data’s value: like radioactive materials, data has a “half life”.

For responsive services and those built around the use of real-time data, a relatively short delay can dramatically reduce data’s value, says Splunk’s Greg Ainslie-Malik

As governments begin to introduce machine learning technologies, Ainslie-Malik continued, they’ll also have to improve the accuracy and consistency of their data. “Most organisations have ‘dark data’: they don’t have visibility of all the data they generate,” he pointed out – but without clarity on data’s origin, quality and formatting, machine learning developers struggle to ensure that their systems don’t produce discriminatory decisions. And civil servants also need confidence in their data’s quality, added Lugna, in order to pursue another fruitful application: by using “behavioural science, and putting that on the same table as the data, we can understand the underlying behaviours that we in the public sector are trying to change.”

Estonia’s journey

To be fair to other nations, Estonia enjoyed certain advantages as it created its world-leading digital infrastructure. Having escaped the Soviet Union’s grip in 1989, “we had to build up the system from scratch,” Lugna recalled, “and that gave us the possibility of skipping some stages. For example, in the banking sector we never had cheques: we went straight to payment cards – so we avoided some of the challenges around legacy systems.”

In fact, Lugna explained, Estonia’s e-identity platform has its roots in the systems introduced by banks 20 years ago. “The private sector was giving us identity management solutions,” he recalled. “The government also opened itself up to this way of authenticating citizens, and when the technology evolved the banks closed their systems down and pushed their customers to use [the government’s] mobile ID solution.”

The country also benefited from its small land area and 1.3 million population: the lack of economies of scale makes capital investments expensive, noted Lugna, but reduces the complexity of change programmes. And Estonians were quick to adopt digital services: “In Estonia, the internet is basically a societal right,” he commented. “There is broadband coverage of about 90%.”

Yet Estonia’s digital success owes much to its first generation of post-Soviet civil servants, such as former Secretary of State Heiki Loot – who had the foresight and drive to lay the foundations for its digital journey. These building blocks include the ‘once only’ principle, which bars civil servants from requesting citizens’ data if that information is already held by another government body; the ‘digital by default’ rule, which requires policymakers to integrate every legislative change with digital policies and systems; and ‘trust by design’, the prioritisation of security and public confidence in all of Estonia’s digital activities.

This last principle can put government in uncomfortable positions, noted Lugna, recalling an incident when cryptographers identified a potential weakness in the country’s digital ID system. “We decided that we shouldn’t fix it ‘hush hush’, behind closed doors,” he said, so civil servants went public about the threat. “It was difficult – but trust comes if you are open and explain what you’re doing,” he commented.

Nowadays, said Lugna, 99% of government services are available online – the only major exceptions being marriage, divorce, and property sales. And the “cornerstone” of Estonia’s digital architecture, he added, is its mandatory digital identity system: providing citizens with a secure, single identity running across government, the system supports secure data-sharing between departments – and beyond. “I was looking at my daughter’s school marks today online; that’s a service provided by a private company,” he commented. “If we didn’t have the e-identity and authentication management in place, our digital society would look like the Wild West!”

Transferable lessons

The delegates were impressed by Estonia’s approach. “I wonder whether you think this is scalable to much bigger populations?” asked one. “Or what challenges would exist if you tried to scale it?”

The X-road certainly is scalable, Lugna responded – “though the ICT companies wouldn’t be that happy, because they’re the ones who code all the connections between different databases.” Technically, the digital identity system is also fairly straightforward to replicate – but much of its value lies in its ability to put citizens in control of their own data, and this principle cuts across the laws and accountabilities governing data management in many countries.

Alison Pritchard wonders whether Estonia’s approach is scalable to much bigger populations

Via their digital ID, Estonian citizens can access a dashboard containing not only all their personal information held by government, but also details of “who has accessed my information, at what time, from what organisation and for what purpose,” Lugna explained. So people can challenge any use of their data that seems improper, and choose to grant real-time access to elements of their data to private companies.

Having built a universal, secure ID system, he continued, Estonia created a digital signatures process that allows citizens to remotely approve documents and decisions – and even to vote: in the 2019 European elections, some 46% of the electorate placed their votes digitally. “Not having papers on the table and writing signatures by hand saves us annually 2% of GDP,” he said.

Under Estonia’s data model, data held by every civil service body flows unhindered across government; but every use of that data is visible to citizens, who are given a sense of control and ownership. In many other countries, however, each department is responsible for the data it collects from citizens, and can only use that data for specific purposes – making them reluctant to share it, while rendering it almost impossible for citizens to get a full picture of how their personal information is being used across government.

Cultural barriers

This latter approach serves neither the interests of public service delivery, nor those of transparency and citizen confidence. But Colin Cook, the Scottish Government’s Director of Digital, noted that in many countries, concerns around the creation of single, central databases mean that the Estonian solution may not be appropriate. “In Scotland, we are developing a solution based around the citizen, using open government principles to ensure that we bring everyone with us,” he said. “Is there an example of a country where the public mood around central ID systems has changed?”

“I have an answer, though it’s probably not the one you’ll want to hear,” replied Tobias Plate, Head of the Digital State Unit in Germany’s Federal Chancellery. “In Germany, the obligation to have a national identity card was introduced a long time ago – and I think the mood has changed since then. If we tried to introduce one now, I think it might be more difficult.”

Tobias Plate: “In Germany, the obligation to have a national identity card was introduced a long time ago – and I think the mood has changed since then. If we tried to introduce one now, I think it might be more difficult.”

Germans rarely use the digital ID verification system linked to their identity cards to access public services, Plate added – in part because the public sector system provides no access to private sector services. “But we are working to change that,” he said – and businesses are keen to use the government platform, attracted by its low transaction costs and high level of security. When citizens can use their government IDs with private companies, Plate said, they’ll make more use of the system – encouraging both public and private actors to build it into their ID verification processes, and creating a virtuous circle that should further expand user numbers.

It’s also difficult to introduce national ID systems in federal countries, commented Edward Hartwig, Deputy Administrator of the US Digital Service. In the States, he said, there are 5600 offices issuing birth certificates, “with no uniform controls on what they look like.” The USA’s predominant ID document is the driving license – issued by 57 state-level authorities, who hold that data. But some of the biggest, accounting for a third of the population, have refused to share it with federal authorities. “The power of the Estonian system is amazing, but we have no capacity to do that,” Hartwig said.

Federal authorities do operate ID verification systems, both in the USA and other countries – but one delegate noted that these are operated separately by individual agencies. “And it’s not entirely clear to me that people want a unified digital identity,” he said.

Edward Hartwig points out that it’s difficult to introduce national ID systems in federal countries

Incentives to participate

Another delegate understood people’s concerns, commenting that people are more willing to share their data with more trusted public bodies and when they can see clear personal benefits. On the whole, they suggested, the creation of “multiple options, all using the same standards, probably feels more sensible.”

In response Simon McKinnon, Chief Digital and Information Officer at the UK’s Department of Work and Pensions, gave an example of how data-sharing can directly improve the services received by individuals – boosting public buy-in. “I’m keen to get hold of NHS data in order to validate people’s eligibility for welfare benefits – and the research we’ve done shows that if it’s being done to support the quicker provision of benefits, people are more happy to share data,” he said. “In a world where data sharing has value for people, they’ll want us to share it. So I think the meeting of user need needs to come before you get a ubiquitous single identity.”

Where there are major barriers to introducing a single, unified government ID system, suggested one delegate, the alternative is to create an identity verification platform with as many applications as possible across the public and private sectors: users should then be attracted by the convenience of a single system that can be used in many aspects of people’s daily lives. “The question is: do we need to build it with the private sector’s needs already built in, or do we build it across the public sector and encourage the private sector to use it?” they asked.

Banking on banks

In Denmark, commented another delegate, the former approach proved effective – after two unsuccessful attempts to build a system within government. Tapping into banks’ interest in having a national, secure ID verification system, they said, government worked with them to build a system that took off: “It was when they got together with financial institutions and moved forward together that it worked,” they recalled.

Sweden has also based its digital identity system around bank services, noted Anna Eriksson, Director General of the Swedish Agency for Digital Government – linking the banks’ system with a single government register of citizens. The country’s next goals, she explained, are to increase the number of suppliers, and perhaps also to build a public sector system – ensuring that those without bank accounts can access digital public services.

Sweden has based its digital identity system around bank services, Anna Eriksson explains

In New Zealand, said its Chief Digital Officer Paul James, officials have been trying to build an ID verification platform in-house; but the country’s devolved public sector system and departmental legacy issues have slowed progress. “I feel much more positive after this conversation,” he commented: other countries’ success in working with businesses to offer a regulated system operating across the public and private sectors, he suggested, offers an alternative way forward.

And as civil servants develop the standards underpinning these systems, said Jessica McEvoy – GDS’s Deputy Director for UK and International – they should keep an eye on the next challenge: that of ensuring citizens can use their digital IDs internationally, making payments, signing contracts and accessing services around the world. “We’re building for the future, and identity is a global issue,” she said. “Within your country, you have to establish a scheme that doesn’t just work for you, but can interoperate with other country’s schemes.”

Estonia’s success is a product of its leaders’ inventiveness, ambition and vision: much of eastern Europe was in a similar position in 1989, and nobody else built such a remarkable digital infrastructure. The country turned its need to start from scratch into an advantage; other countries do not have that awkward luxury. Yet the success of Sweden, Denmark – and Estonia – in building popular systems in partnership with the financial sector seems to offer a way round the legacy, constitutional and public acceptance issues facing many countries. Then, perhaps, civil servants can start clearing away some of the tangled masses of mismatched wires that lie, spaghetti-like, across government.

This is the third part of our series of reports on Global Government Forum’s Digital Summit, held in London late last year. The first part covers delegates’ discussions on how to create central digital units; the second reports their debates on how to build digital skills and capability; the fourth explores the issues around adopting new technologies such as artificial intelligence; and the fifth and final chapter considers a new and more supportive role for central digital teams.

The Summit was an ‘off the record’ event, but we have secured delegates’ consent to publishing these quotes – allowing us to report on the discussions while protecting delegates’ ability to speak freely.

Global Government Digital Summit 2019 attendees

In alphabetical order by surname

Civil servants:

  • Caron Alexander, Director of Digital Services, Northern Ireland Civil Service, Northern Ireland
  • Chan Cheow Hoe, Government Chief Digital Technology Officer, Smart Nation and Digital Government Office, & Deputy Chief Executive, Government Technology Agency of Singapore, Singapore
  • Kevin Cunnington, Director General of International Government Service, United Kingdom
  • Colin Cook, Director of Digital, The Scottish Government, Scotland
  • Fiona Deans, Chief Operating Officer, Government Digital Service, United Kingdom
  • Anna Eriksson, Director General, DIGG, Sweden
  • Edward Hartwig, Deputy Administrator, U.S. Digital Service, The White House, USA
  • Paul James, Chief Executive, Department of Internal Affairs, and Government Chief Digital Officer, New Zealand
  • Lauri Lugna, Permanent Secretary, Ministry of the Interior, Estonian
  • Richard Matthews, Director of CTS and Lead for the Technology Transition Programme, Digital & Technology, Ministry of Justice, United Kingdom
  • Jessica McEvoy, Deputy Director for UK & International at Government Digital Service, United Kingdom
  • Simon McKinnon, Chief Digital and Information Officer, Department for Work and Pensions (DWP), United Kingdom
  • Helen Mott, Head of Digital, Justice Digital and Technology, Ministry of Justice, United Kingdom
  • Maria Nikkilä, Head of Digital Unit, Public Sector ICT Department, Finland
  • Iain O’Neil, Director, Digital Strategy, NHSX, United Kingdom
  • Tobias Plate, Head of Unit Digital State, Federal Chancellery, Germany
  • Ian Porée, Executive Director, Community Interventions, Her Majesty’s Prison and Probation Service, Ministry of Justice, United Kingdom
  • Alison Pritchard, Director General of the Government Digital Service, United Kingdom (Host)
  • Mikhail Pryadilnikov, Head, Center of Competence for Digital Government Transformation, Russia
  • Line Richardsen, Head of Analysis, Department of ICT Policy and Public Sector Reform, Ministry of Local Government and Modernisation, Norway
  • Francisco Rodriguez, Head of Digital Government Division, Ministry of the Presidency, Chile
  • Carlos Santiso, Director, Governance Practice, Digital Innovation in Government, Development Bank of Latin America, Colombia
  • Aaron Snow, Chief Executive Officer, Canadian Digital Service, Canada
  • Huw Stephens, Chief Information Officer – Information Workplace Solutions and Treasury Group Shared Services, HM Treasury, United Kingdom
  • Diane Taylor-Cummings, Diane Taylor-Cummings, Deputy Director Project Delivery Profession, IPA, United Kingdom
  • Rūta Šatrovaitė, Head of Digital Policy, ICT Association INFOBALT, Lithuania (former civil servant)

Knowledge Partners:

  • Neal Craig, Public Sector Digital Lead, PA Consulting
  • Per Blom, Government and Public Sector Lead, PA Consulting
  • Natalie Taylor, Digital Transformation Expert, PA Consulting
  • Cameron J. Brooks, General Manager, Europe Public Sector, Amazon Web Services
  • Chris Hayman, Director of Public Sector, UK and Ireland, Amazon Web Services
  • Greg Ainslie-Malik, Machine Learning Architect, Splunk
  • Ben Emslie, Head of Public Sector UK and Ireland, Splunk
  • Gordon Morrison, Director for EMEA Government Affairs, Splunk
  • Adrian Cooper, Field CTO UK Public Sector, NetApp
  • Alwin Magimay, Chief Transformation Officer, PMI

Global Government Forum:

  • Matt Ross, Editorial Director
  • Kevin Sorkin, Chief Executive

About Matt Ross

Matt is a journalist and editor specialising in public services, policymaking, government and management. He was the editor of trade title Civil Service World from 2008 to 2014, serving an audience of senior UK officials; and the features editor of weekly news magazine Regeneration & Renewal between 2002 and 2008, covering urban regeneration, economic growth and community development. He has also been a motoring and travel journalist, and now combines his role as editorial director of Global Government Forum with writing for other publications including The Guardian and Planning magazine.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *