Making tax digital: Will ‘GOV.UK Verify’ work?

By Donald Drysdale for ICAS

18 January 2016

Donald Drysdale shares some practical experience of GOV.UK Verify, the new way to access government services online.

What is GOV.UK Verify?

GOV.UK Verify aims to replace the Government Gateway for accessing government services online. Once fully implemented, it would supplant the existing requirements for a user to register with both the gateway and the multiplicity of online services they want to access. Instead, it would provide them with a unique login credential acceptable (eventually) to all online services offered by GOV.UK.

For further background information, please see last week’s article on this topic.

Verification: How long does it take?

“Verifying your identity takes around 10 minutes, online,” claims GOV.UK. “After that it takes less than a minute to verify your identity each time you need to use a GOV.UK service.”

I would emphasise that the facility is currently in ‘public beta’ testing – available to users of certain services but not yet mandatory. At this point, therefore, any shortcomings might be forgiven. However, with going ‘live’ planned for April 2016, I thought a practical test might be instructive.

Being a Chartered IT Professional might give me an edge on ordinary users, so perhaps I could beat the 10-minute target. On the other hand, my understanding of IT risks might make me more cautious, so I could take a bit longer.

In the event it took me more than seven hours, spaced over two days, to take a proper look at what I was signing up for and register with two of the four current providers. A third company rejected me, and I didn’t like the look of the fourth.

The comments that follow are based on those frustrating hours. They’re not exhaustive, and shouldn’t be read as endorsing or criticising any provider. The circumstances and needs of individual users will vary.

Verizon

Having created a user name and password, I was asked to enter my basic personal details – name, date of birth, address and how long I had lived there. Then I had to accept the provider’s terms and conditions, and this was where I hit a snag.

Verizon’s terms and conditions were viewable onscreen but with no facility for printing them. I wanted to study them offline and retain a copy, necessitating 12 successive screen captures.

The terms and conditions were from a US company (MCI Communication Services, Inc), written in US English, laden with complex and (to me) obscure legal and technology jargon. They allowed the provider to transfer my personal identifiable information to any country, including those that may not provide adequate protection for such information. And the agreement was to be governed by the domestic law of New York and the courts of the State of New York.

Verizon’s UK website seemed to show no contact telephone number.  Elsewhere I found a Verizon page dedicated to GOV.UK Verify, including an 00800 contact number. I believe such international numbers are toll-free in some cases, but can involve very high charges in others. This didn’t sound good for UK-based users, so I abandoned my application.

Experian

Next I turned to Experian. Thankfully I was able to access a printable version of their terms and conditions at the outset. These were from an English company, in UK English, less threatening and easier to understand. The relevant law was that of England, or elsewhere in the UK where the user resides. I felt much better already.

Again I created a user name and password and entered my basic personal data. Within seconds my application was rejected, with no reason given for the failure. I started guessing where the problem might lie – perhaps in the form I’d shown my address – but a second application was rejected in similar manner.

I called the Experian helpdesk (an 03 number) and my call was answered in an instant. The agent I spoke with was as helpful as she could be. Nonetheless, it was disappointing that neither website nor helpdesk could offer any solution.

Post Office

Disconcertingly the Post Office’s terms of use were for general users of their website, with no mention of identity verification, so I wondered whether they would take my personal data seriously. Only a couple of months ago my local post office was closed for a while, reportedly because someone had hacked into their systems.

The registration process included ‘two-factor authentication’, inviting me to enter a code sent to me separately on my mobile phone, landline or by email. I was surprised that this was offered as an optional facility.  It seemed to me that it should be a mandatory feature of GOV.UK Verify, just as it is in the case of my online banking.

My application proceeded without a problem until I was asked whether I’d had the same name since birth.  I hadn’t, because I’d changed my name without a deed poll many years ago but couldn’t remember in what month and year I’d done so. Through the website’s excellent online chat facility I was advised to enter an approximate month and year for the change, and the system seemed to accept this modest fiction. After I’d entered passport and driving licence details and answered a few financial questions, my application was accepted.

To my surprise I then received an email with a Personal Unlock Key (PUK) code to give me full access to my account if I ever lose my password. An unnecessary ‘back door’ like this could be misused if a data subject didn’t guard their PUK code carefully.

Digidentity

This is a Netherlands company. The terms and conditions stated that Dutch law applied, and references to the Dutch personal data protection act were double Dutch to me. Otherwise their terms and conditions appeared understandable and unobjectionable. I noted that the registration with them would last for one year and would then need to be reactivated.

In a déjà vu experience, I found the application process mirrored that of the Post Office, with identical screen formats. I wondered whether Digidentity had simply supplied the Post Office with their system, or whether the sensitive data apparently held by the Post Office was actually held by Digidentity.

When asked which of five issuers had given me a new credit card or store card in October 1998, seventeen years ago, I surprised myself by answering correctly. How many people could do that?

In this age of online shopping, the final question nearly stumped me – “When did you last open a mail order account with a credit facility?” I had no idea, but a lucky guess seemed to provide an acceptable answer.  On acceptance, I was again sent a PUK code I didn’t want.

Conclusion

I question whether ordinary users would find such stringent verification procedures acceptable. Paradoxically, the company I felt might guard my data most securely had rejected me, leaving me wondering whether those that had accepted me were being rigorous enough.

We’re all accustomed to accepting the terms of online software licences, usually without reading them. But with sensitive personal data, why would it ever be in the best interests of individuals to expose themselves to the jurisdiction of foreign courts?

The government claims that GOV.UK Verify is the new way to protect users from identity theft. With such vast quantities of sensitive personal data being spread among such diverse private sector businesses, I have my reservations.

I accept that I was using a ‘public beta’ version of this new facility, but given the difficulties I encountered and the government’s timescale for roll-out, it clearly has a challenge on its hands to deliver a system we can trust.

Article supplied by Taxing Words Ltd
