Rest of Government: GDS embraces 1 Great Database State

We started our response to the current GDS consultation with an unanswered question: “Has Gov.UK ‘One Login’ metastasized from a “better login to government” project, to a “one identity to government” project?” The answer appears to be yes.

A recent meeting held during the consultation was told that the Government intent is to actively prevent individuals from having multiple Login accounts. A person may be able to have multiple email addresses – indeed, they may already do –  but Government would attach them to a single “identity”. This regulation allows that database to be shared in bulk.

This turns Login into a weapon of the database state that HMG has previously assured many times that it was not building. Were civil society lied to? Or has Cabinet Office changed its position without bothering to tell anyone?

At a roundtable on the consultation, GDS said about the Regulation that the “first use is one login”, which suggests there will be a second use. It is unclear to what extent DWP embrace one Login for Government for UC, or HMRC’s accountant services, or MoJ’s digital courts, or … Requiring judges or accountants to use their work identity for personal purposes seems an odd thing to do without consulting MoJ/HMRC.

Identities are multi–faceted

Indeed, many of the civil servants reading this will have a “work phone” as well as their own (personal) phone, and use separate work and home email addresses (as they should).

Some users of government services are required by regulatory bodies to use work email addresses, and while the left hand of GDS could require them to route personal use through their work address, the right hand of HMRC/MoJ/etc would tell them not to.

In practice, there will be “many to many” mappings as people are complex (consider an accountant who is also a magistrate and uses their maiden name for some things), and GDS will be unable to keep the “one account” promise to departments. 

Departments will have to assume that individuals will have the ability to have multiple logins (because they do, they will do, and will continue to do so), and can manage that if they know; whether GDS also adds burdens on citizens is something they can choose to impose.

Any attempt to deny this is the database state of the most naïve form.

This database will require people to have a working email and phone number

The GDS account creation process requires both a working email address and an active phone number to login. If you are missing either of them, then no access for you – and they have to work to login each time. 

GDS originally chose to require a UK phone number for refugees fleeing Ukraine who wanted to come to Britain to receive an update by email when the rules changed (since those people by definition were not in the UK, it was blatantly unreasonable to require them to have a UK phone number, which GDS refused to accept in private, and only updated the process after questions were asked in Parliament). GDS also required a UK phone number for Afghanistan refugees seeking email updates on how to come to the UK, but that group are still excluded. The current Government simply didn’t care enough to help that group.

GDS expects everyone to have an account over time, and therefore for this to become a full population database, consisting of verified ID, plus mandatory email and mandatory mobile phone number, whose only statutory basis is this Regulation. 

Creating a big database and taking unrestricted powers to share it 

To avoid digital disengagement for identity verification, we understand Government are expecting to have an “offline” process, which will store a set of identities to avoid offline revalidation each time, and that this caching would be equivalent to the digital system, which suggests that all identity data will be retained by GDS for an unclear period of time. 

The surprise, late and incomplete disclosure of this new identity database in Government raises some additional questions about the sharing of the identity information possible under the power being consulted upon:

  1. How long will “verified” identity information be held by GDS after verification?
  2. How often will someone with a 10 year passport have to revalidate? Does it change for a driver’s licence?
  3. For what purposes does GDS currently believe it will use the database it creates?
  4. This consultation proposes allowing the entire database to be shared, in bulk, to almost anywhere in Government for any purpose; why?
  5. Was anyone outside Government shown this policy before this consultation?

It appears that GDS simply made the decision for itself, with no informed input or discussion with civil society. That relevant information was withheld until after the consultation had opened reflects how recent engagement with PCAG/PIAF could be considered less than “lipservice”.

In some meetings, supposedly informed speakers have demonstrated a clear need to be reminded of the importance of the PCAG principles, and why they’re there, most notably the multiplicity principle where users with multiple identities – such as a work email address and a home email address – may use both without Government requiring them to connect the two. 

This week’s joint Blair/Hague handwaving is emblematic of a Regulation allowing Government to use and share ID databases however it wishes, without democratic restriction, oversight, or transparency, which ends badly.


Addendum 24/2: Some in Government apparently read our final link as suggesting that the HMG decisions on identity in and after 2023 will reflect the policies and practices of the Taliban, rather than as an illustration of the entirely foreseen consequence of HMG decisions from 2003 to 2021. This unexpected choice of affiliation may say more about the reader than the authors.