Attribute Exchange will enable government Verify plans

Authenticating identities is important, but providing proof of attributes people claim for themselves – such as how long they have lived at an address, what they earn, if they are disabled – can add extra layers of assurance to make a bigger difference in transforming services. This has prompted research into the potential for ‘attribute exchange’ (AE) as the next step from identity assurance (IA). Socitm, the public sector IT association, highlighted the potential in a briefing published in October, claiming AE can provide savings for government and make processes easier for customers.

The idea is that certified organisations collecting specific attributes to verify that an individual qualifies for a services could, with the person’s consent, package and sell those attributes on to another organisation that also wants to verify information an individual has provided. This could present an alternative to credit reference agencies, help people to obtain public services more easily, and the information could possibly sit in a personal data store – offered by a fledgling line of business to help people control their identities online.

Warwickshire County Councilhas experimented with using AE in issuing blue badges and permits for disabled driver parking bays. The idea has also attracted the attention of the Government Digital Service, which has been working with Warwickshire to examine the prospects for private sector hubs and design an architecture for AE.

Socitmsays this has shown an untapped potential for adding AE to identity assurance, and that it can help to provide better electronic services, an important step in responding to the financial squeeze. But it needs an efficient exchange mechanism and will work best in the long term with an ecosystem of attribute providers.

Need for ubiquity

Ian Litton, Warwickshire’s strategy, programmes and information manager, says the project raised no serious technical challenges, but AE needs the ubiquitous identity being developed under the government’s Identity Assurance Programme to be available to central and local government and ultimately the private sector.

In addition, a number of parties have to get involved to make it work. From a local government perspective this includes the councils as service providers, a hub infrastructure to manage AE requests, and attribute providers. The latter are most likely to be from central government, such as the Department for Work and Pensions, but he says there could be a need for private sector attribute providers, for example insurance companies.

Next steps are to build an architecture for AE, engage with the attribute providers, and with the suppliers of systems that are used by local government, especially those with a self-service interface for the public. Also, there is a need to work out the trust frameworks and governance mechanisms which would enable everybody in the ecosystem to work together.

Litton points out that the ultimate aim is that the IA and AE ecosystem should go across the public and private sector, but that work on AE is not as advanced, and that Whitehall’s procurement framework for IA is not yet available for local authorities.

Disruptive

Toby Stevens, the director of the Enterprise Privacy Group has been active in IA for several years and sees the work on AE as a significant development.

“My gut feel is that identity will become commoditised,” he says. “It will be driven down in value until a disruptive player forces that value to nil. In other words a market entrant will say they will not charge for identity for the relying party, but all their money will come from attributes.

“It could even open up the market for local authorities to become attribute providers, as they know a lot about people, and know it to a pretty good level of confidence.”

He describes the attribute ecosystem as an environment in which, for example, a local authority might obtain some information on an individual from a personal data store, some from a credit reference agency and some from central government, all creating the package that they need to deliver a service. All of this would be released with the person’s consent, but the organisations providing the data could levy a small charge.

Another element could involve preparing packages of data that are needed to provide different levels of assurance (LoAs), related to their sensitivity and timeliness. For example, an electricity company might know that a person who keeps paying its bill is at an address and could sell an address verification for services at LoA2, often required for self-service applications. But anyone selling data for LoA3, which is used for access to restricted information, would ask a higher price.

Governance variations

There is also scope for different governance schemes for attribute exchange to emerge. Stevens says these could be relevant to services offered by specific sectors, such as mobile network operators or, at a more sensitive level, healthcare. Another possibility would be a governance scheme for verification on social media.

“I fully expect to see multiple schemes,” he says. “There could be some with very little liability protection which are very cheap, and could be others where they are doing industrial grade, ‘know your customer’ checks or anti-money laundering protocols,  and where attributes providers offer equivalent ‘insurance policies’ against fraud arising from incorrect data. The data for the latter will cost more and they will have different governance mechanisms to keep a grip on it.”

There would also be the scope, if there is a will, for some governance schemes to be developed quite quickly.

“For very sector specific solutions it could happen very quickly. All it would need is for someone to get them around a table, ask if they are all up for us, and you have a scheme. Then the governance mechanism could emerge very quickly and the number of users could rise very quickly.

“But the broader the application of the service, the harder the scheme will be to create.”

Public or private?

There is a question around whether people are more likely to trust a government or private sector organisation with the attributes. Stevens says that he understands why many people might have reservations about the private sector playing the role, but suggests they would become more open to the idea as understanding of the model grows.

“There’s a big user experience challenge, and it’s not necessarily a natural relationship to use a private sector company to prove who you are to government,” he says. “But I think it’s a very good proposition.”

The realisation of all this is still in the distance, and it would need a critical mass to encourage companies to invest services that make use of AE. But a push from the public sector could take it to a tipping point and provide the incentive from the private sector to enter the market in a big way.

Socitm suggests there is a strong rationale for the public sector push in supporting online services, and Ian Litton says there is a huge potential beyond the initial work on blue badges and parking bays. “Any service that requires proof of eligibility is in the frame for attribute exchange,” he says.