Government “identity assurance” programme Verify contains "severe privacy and security problems" including a major architecture flaw that could lead to "mass surveillance" – according to an academic paper.
Verify was created by the Government Digital Service (GDS) to underpin the online identification of users performing transactions with the government,such as tax self assessment. User uptake of the service so far remains extremely slow.
The original design of the system was intended to provide users with a “federated” method of identifying themselves – i.e. picking a commercial identity provider, such as Experian, to act as a third-party verification agent.
That approach was a deliberate attempt to move away from the big national database projects associated with the Labour governemnt, and the widely hated idea of a national identity card scheme.
However, according to George Danezis, one of the academics who contributed to the University College London paper: Toward Mending Two Nation-Scale Brokered Identification Systems (PDF), those considerations have been "largely nullified."
According to Danezis, the problem lies with the central GDS-built hub, which communicates between the government departments, identity providers and citizens before giving the greenlight to the user.
He said: "The hub sits in the middle, despite different parts of the system being encrypted. The hub can decrypt all the information."
The research paper stated: “If compromised, the hub can even actively impersonate users to gain access to their accounts (and the associated private data) at service providers. This represents a serious danger to citizen privacy and, more generally, to civil liberties.”
“The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure,” it added.
Danezis questioned the reason behind why the system was designed with a single point of failure, but said no explanation has been provided.
He said: "In 2015, it is very strange that this is considered acceptable. If this system had been peer reviewed it would not have been passed even 15 years ago. Perhaps GDS did not have the expertise, or appreciate the need for expertise to deal with this."
Interestingly, the American version of an identity system, the Federal Cloud Credential Exchange, shares similar design flaws, according to the paper. But Danezis said there is no evidence the systems have been deliberately designed in this way by intelligence agencies.
He said CESG, the UK.gov/security services-backed Communications Electronics Security Group, was involved in the process, but said that is to be expected for an identity assurance system.
It was a missed opportunity to not take something that already existed and modify it, said Danezis. "This is a field where a number of solutions already exist," he said, adding: "Maybe it was a case of 'not done here' syndrome."
"I spoke to GDS about this," he said, "and on a personal level they were extremely receptive and open. They even invited me to sit on the advisory board. However, institutionally not has much changed. I was not given any further document access and they did not confirm or deny anything!"
In a blog on the paper published today, GDS, the Government Digital Service, said it welcomes the paper and is working with Danezis: "GOV.UK Verify offers people a convenient, secure way to prove their identity when accessing digital government services. It does not have any other connection with or ability to monitor people or their data."
"I'm not sure if there is a roadmap to address the concerns, or whether they are seen as valid," Danezis concluded. ®