‘Serious flaws’ in Verify service highlight the challenge of security vs usability

By Dr. Guy Bunker @guybunker

Verification service

SC Magazine recently reported claims that serious flaws had been found in the government’s Verify identity assurance service, suggesting it could lead to undetected mass surveillance, and identity fraud if compromised.

The service aims to provide a simple way for citizens to prove who they are, and so securely and easily access all Government Digital Services (GDS). If that data is not both private and secure, it would undermine the very trust it is supposed to create.

GDS has long exemplified one of the biggest IT challenges – balancing security and usability.

Whether or not this problem is resolved (and to be fair, the government have refuted the claims), it prompts extremely important questions for those designing secure systems which need to be used by non-experts.

For such systems to work, their designers need to create the best quality of service while not compromising communication. Security must facilitate use, not hinder it.

There is a real challenge in that people designing government (and business) systems don’t always truly understand the ramifications of privacy and security. There is also a problem, particularly for governments, of planning for the lowest common denominator when it comes to usability – as they need to deal with tens of millions of people, and a whole range of capabilities. This can lead to compromises, often on privacy and security!

The alternative is to start with security and privacy requirements. Once you have established the minimum security requirement, then you can build a functional system around it. Find security systems that can be designed to enable collaboration, whilst protecting sensitive data. This will inevitably involve an acceptance that manual processes will be needed to deal with particular challenges – such as those without in-home internet access.

The government could learn what makes for a good identity system, from the likes of the Jericho Commandments on Identity, or other not-for-profit organisations such as the Global Identity Foundation (see my previous Clearswift blog for more on this).

Creating a secure means of identifying users, and ensuring data captured is kept secure, is vital in any system. For the government’s ambitious digital services programme – and the many advantages it could bring – this could be the difference between success and failure.