Who hates passwords?
Passwords are a pain. I have hundreds of them. I try to be good and come up with long, complex, hard to guess ones – but that makes them impossible to remember. So some of mine are just variations of others. I don’t think I am unusual in that regard – in fact I know others who just have a handful of passwords and re-use them on lots of sites, which is highly insecure given that web sites have occasional security breaches, some of which make international headlines. That leaves those people vulnerable to fraud and identity theft.
Surely there’s a better way?
Who hates registering for web sites?
When I register for access to a web site, perhaps to buy something from a store, I find it a pain to have to type in my name, address, email address (twice), phone number etc. each time.
Surely there’s a better way?
Who hates know-your-customer checks?
If I’m applying for a financial services product like a bank account or a personal loan, or setting up an account with a utility company, I generally need to dig out a range of documents that prove who I am. Typically that will include photo ID (such as my driving licence or passport) and proof of my home address (bank statement or utility bill). If applying to a UK-based company I may even need photocopies of those documents countersigned by a person who is in good standing in the community such as my GP.
This paperwork is tedious. Surely there’s a better way?
Avoiding duplication in government
Governments everywhere need to know who a citizen is when they’re dealing with them, so it is common for departments to ask for proof of identity. A States department can’t talk to me about the problem I’m experiencing and look up details about me on their screen until they’re sure who I am. That is the right thing to do, but it doesn’t make for great customer service.
As we re-think our administrative processes to be more efficient (we’re doing a lot of that across SOJ these days) we start with reviewing whether we need a process at all, and if we do we look at how we can simplify it. Often the resulting solution involves making a service available online, such as by turning a paper-based form into an online form. How can we tell who is filling it in? It is important that we are sure who is applying for something, and online versions of services should reduce rather than increase the incidence of fraud.
Each e-form where we need to be certain who the person is will need a logon screen. The person will need to have registered and been issued with a username and password. A department moving a service online will have a modest budget for the project. If they need a solution for registering people and issuing a password, and a login system, they will only concern themselves as to how to make it work for their form. That inevitably means that online registration processes will proliferate, and Islanders will need to remember even more passwords.
Surely there must be a better way, and it is the responsibility of the States’ central IT department – and more specifically the web team (which I manage) to come up with a really good States-wide system for authenticating people when they deal with us online. There are future online services in the pipeline (such as being able to deal with your income tax online) which will bring major cost savings, and be more convenient to use, but cannot move forward fully without this fundamental piece of the jigsaw in place. The lack of a digital ID for Islanders risks holding up parts of government reform.
In government one thing we often hear from Islanders is “why do you ask us for information that you already hold about us?” That is a fair question. Until a few years ago, perhaps most people accepted that the Social Security Department and the Income Tax Department were entirely separate entities and should not share data. In the last few years people have been saying that those structures are no longer fit for purpose. Why? Partly because people are expecting the same level of convenience in dealing with government as they’ve become accustomed to when buying from Amazon, booking travel online or using online banking. National and local governments around the world are working to adapt and meet those new expectations.
It would be unthinkable if every time you bought something from Amazon you had to re-enter your name, postal address and credit card details. And booking a flight online is much quicker and simpler if you log in to the airline’s site first and the site pre-populates the booking form with the information and preferences it stores about you.
Once you’ve logged in to a States of Jersey online service, it should be able to pull the details we hold about you from a database, avoiding the need for you to type in things like your name and address, which we already know.
In the ideal solution, the user will go through the know-your-customer checks only once. The checks would have to be thorough so that each States department was happy that they’d been done properly. That process could involve coming in to a States department with a handful of documents, but if there are say 20,000 people a year that drop in with their identity documents that’s a lot of paperwork and a long queue! There’s got to be a better way. Would it be possible to do the whole registration process online? If so, how would you prove who you are?
If you’ve registered for a digital ID that you can use when dealing with the States of Jersey online, could you use it offline too? It would be useful to be able to very quickly and easily identify yourself when calling a department on the phone, or when attending in person.
Where else could you use your government online ID?
It is now quite common to use an ID issued by one company to log in to the systems of another company. You can use your Facebook or Twitter ID to log in to Disqus, the comment facility we use on this blog, for example.
Would it be a good thing if you could use your SOJ-issued username and password to log on to your bank account? Or how about if you could use your electronic banking ID to log on to SOJ systems?
Perhaps it should be possible to log on to States owned utility companies’ web sites using an SOJ online ID? Or could it be used across the whole private sector?
If you are from an EU country should you be able to use your national ID issued by your home country when you are here? Should a Jersey-issued digital ID be accepted by other countries? At the moment there’s a pan-European initiative eIDAS that will enable someone from one European country to use their digital ID in another European country. Could we participate in that in the future?
You may be starting to feel uncomfortable about the idea of the States of Jersey operating the system that you use to log in to lots of different web sites. If someone wanted to piece together information about all the services you’ve logged into using your digital ID that would infringe upon your right to privacy.
So how about government not operating the system at all, but someone independent? And how about designing the system to make it impossible to know what you’ve logged into, and impossible to merge together information from the various databases that use the same log in details?
This is probably starting to sound like a far more significant project than just the ability to log in to a handful of States websites. Coming up with a digital ID scheme that can be used cross-industry and cross-borders is an exciting prospect, but a big and potentially very expensive project.
In my next post, I will bring you up to speed on the research we’ve carried out so far and explain how we think we could achieve this at an affordable cost and low risk. Stay tuned.