Authenticating identities is important, but providing proof of attributes people claim for themselves \u2013 such as how long they have lived at an address, what they earn, if they are disabled \u2013 can add extra layers of assurance to make a bigger difference in transforming services. This has prompted research into the potential for \u2018attribute exchange\u2019 (AE) as the next step from identity assurance (IA). Socitm, the public sector IT association, highlighted the potential in a briefing published in October, claiming\u00a0AE can provide savings for government and make processes easier for customers.\nThe idea is that certified organisations collecting specific attributes to verify that an individual qualifies for a services could, with the person\u2019s consent, package and sell those attributes on to another organisation that also wants to verify information an individual has provided. This could present an alternative to credit reference agencies, help people to obtain public services more easily, and the information could possibly sit in a personal data store \u2013 offered by a fledgling line of business to help people control their identities online.\nWarwickshire County Councilhas experimented with using AE in issuing blue badges and permits for disabled driver parking bays. The idea has also attracted the attention of the Government Digital Service, which has been working with Warwickshire to examine the prospects for private sector hubs and design an architecture for AE.\nSocitmsays this has shown an untapped potential for adding AE to identity assurance, and that it can help to provide better electronic services, an important step in responding to the financial squeeze. But it needs an efficient exchange mechanism and will work best in the long term with an ecosystem of attribute providers.\nNeed for ubiquity\nIan Litton, Warwickshire\u2019s strategy, programmes and information manager, says the project raised no serious technical challenges, but AE needs the ubiquitous identity being developed under the government\u2019s Identity Assurance Programme to be available to central and local government and ultimately the private sector.\nIn addition, a number of parties have to get involved to make it work. From a local government perspective this includes the councils as service providers, a hub infrastructure to manage AE requests, and attribute providers. The latter are most likely to be from central government, such as the Department for Work and Pensions, but he says there could be a need for private sector attribute providers, for example insurance companies.\nNext steps are to build an architecture for AE, engage with the attribute providers, and with the suppliers of systems that are used by local government, especially those with a self-service interface for the public. Also, there is a need to work out the trust frameworks and governance mechanisms which would enable everybody in the ecosystem to work together.\nLitton points out that the ultimate aim is that the IA and AE ecosystem should go across the public and private sector, but that work on AE is not as advanced, and that Whitehall\u2019s procurement framework for IA is not yet available for local authorities.\n\n\nDisruptive\nToby Stevens, the director of the Enterprise Privacy Group has been active in IA for several years and sees the work on AE as a significant development.\n\u201cMy gut feel is that identity will become commoditised,\u201d he says. \u201cIt will be driven down in value until a disruptive player forces that value to nil. In other words a market entrant will say they will not charge for identity for the relying party, but all their money will come from attributes.\n\u201cIt could even open up the market for local authorities to become attribute providers, as they know a lot about people, and know it to a pretty good level of confidence.\u201d\nHe describes the attribute ecosystem as an environment in which, for example, a local authority might obtain some information on an individual from a personal data store, some from a credit reference agency and some from central government, all creating the package that they need to deliver a service. All of this would be released with the person\u2019s consent, but the organisations providing the data could levy a small charge.\nAnother element could involve preparing packages of data that are needed to provide different levels of assurance (LoAs), related to their sensitivity and timeliness. For example, an electricity company might know that a person who keeps paying its bill is at an address and could sell an address verification for services at LoA2, often required for self-service applications. But anyone selling data for LoA3, which is used for access to restricted information, would ask a higher price.\nGovernance variations\nThere is also scope for different governance schemes for attribute exchange to emerge. Stevens says these could be relevant to services offered by specific sectors, such as mobile network operators or, at a more sensitive level, healthcare. Another possibility would be a governance scheme for verification on social media.\n\u201cI fully expect to see multiple schemes,\u201d he says. \u201cThere could be some with very little liability protection which are very cheap, and could be others where they are doing industrial grade, \u2018know your customer\u2019 checks or anti-money laundering protocols,\u00a0 and where attributes providers offer equivalent \u2018insurance policies\u2019 against fraud arising from incorrect data. The data for the latter will cost more and they will have different governance mechanisms to keep a grip on it.\u201d\nThere would also be the scope, if there is a will, for some governance schemes to be developed quite quickly.\n\u201cFor very sector specific solutions it could happen very quickly. All it would need is for someone to get them around a table, ask if they are all up for us, and you have a scheme. Then the governance mechanism could emerge very quickly and the number of users could rise very quickly.\n\u201cBut the broader the application of the service, the harder the scheme will be to create.\u201d\nPublic or private?\nThere is a question around whether people are more likely to trust a government or private sector organisation with the attributes. Stevens says that he understands why many people might have reservations about the private sector playing the role, but suggests they would become more open to the idea as understanding of the model grows.\n\u201cThere\u2019s a big user experience challenge, and it\u2019s not necessarily a natural relationship to use a private sector company to prove who you are to government,\u201d he says. \u201cBut I think it\u2019s a very good proposition.\u201d\nThe realisation of all this is still in the distance, and it would need a critical mass to encourage companies to invest services that make use of AE. But a push from the public sector could take it to a tipping point and provide the incentive from the private sector to enter the market in a big way.\nSocitm suggests there is a strong rationale for the public sector push in supporting online services, and Ian Litton says there is a huge potential beyond the initial work on blue badges and parking bays. \u201cAny service that requires proof of eligibility is in the frame for attribute exchange,\u201d he says.