Thursday, 26 May 2016

RIP IDA – GOV.UK Retrench

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
Kirsty Styles edits the New Statesman magazine's B2B tech site. She asks the Government Digital Service (GDS) about GOV.UK Verify (RIP). And back comes a response, possibly from an automaton, something to do with "rigorous onboarding", which looks co-operative but which doesn't answer the question.

You've got to take your hat off to the GOV.UK Verify (RIP) team. They've been doing this day in, day out, for years.

They can still say with a straight face that all their "identity providers" are certified when half of them aren't.

Even after all these years, they still claim to have eight "identity providers" while telling new applicants for a GOV.UK Verify (RIP) account that five of them "probably can't verify you".

They're still adamant that GOV.UK Verify (RIP) is secure and that it abides by all nine of the identity assurance privacy principles – it doesn't abide by a single one and everyone knows that there is no such thing as unqualified security.

And their response to the US National Institute of Standards and Technology's claim that GOV.UK Verify (RIP) doesn't do identity-proofing and offers no more than self-certification is pluckily ... to ignore it.

They look as though they could keep this up forever.

But they can't.

Saturday, 21 May 2016

"Data Science Ethical Framework" – contempt for the public

Housewives as a whole cannot be trusted to buy all the right things, where nutrition and health are concerned. This is really no more than an extension of the principle according to which the housewife herself would not trust a child of four to select the week’s purchases. For in the case of nutrition and health, just as in the case of education, the gentleman in Whitehall really does know better what is good for people than the people know themselves.

That was Douglas Jay in 1937, writing in The Socialist Case. How much has changed 79 years later?

-----  o  O  o  -----

Friday, 20 May 2016

Furtive

The Rt Hon Matt Hancock MP, Minister for the Cabinet Office, gave a speech yesterday to launch the Data Science Ethical Framework. It got off to a wobbly start:
When Alan Turing proposed the Turing Machine and his theory of machine intelligence, he would not have imagined that his early ideas of computing and algorithms would be enhanced and evolved using the quintillions of bytes of data we generate today.
There's no telling what Alan Turing would or would not have imagined.

Wednesday, 18 May 2016

RIP IDA – worse than you thought

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The problem you already knew about ...
The point of GOV.UK Verify (RIP) is to assure central government departments like HMRC, Her Majesty's Revenue and Customs, that the person on the other end of the line is who they say they are. GOV.UK Verify (RIP) follows the good practice, we are told, set out in GPG45, Good Practice Guide 45.

Chapter 4 of GPG45, p.9, provides for four levels of assurance, 1-4.

Level 1 isn't much use to a relying party such as HMRC, the identity hasn't been proved at all.

Level 2 gets a bit more useful: "The steps taken to determine that the identity relates to a real person and that the Applicant is [the] owner of that identity might be offered in support of civil proceedings". Level 2 might support identification in a civil court. It might. It might not.

Levels 3 and 4 are successively more reliable. But that's irrelevant at the moment as GOV.UK Verify (RIP) is only offering Level 2.

What's more, it's having trouble reaching even Level 2 according to OIX, the Open Identity Exchange, the Government Digital Service's business partner. If GOV.UK Verify (RIP) could use our personal bank account information, OIX say, that "would help [to] achieve the required standards against the 5 elements of identity assurance at level of assurance 2" (p.11).

To some extent, OIX have now got their wish. GDS tell us that: "In the last few months, we've seen new data sources and methods being introduced, and we've worked with mobile network operators as they've developed a new phone contract validation service that’s now in live use in GOV.UK Verify [RIP] ... It’s also now possible to verify your identity without either a passport or driving licence, thanks to a new method introduced by one of our certified companies which allows you to use your bank account as proof of your identity".

They've got their additional data and it's not helping. The GOV.UK Verify (RIP) account creation success rate remains stuck at around 70%. Young people have trouble opening an account, so do old people and unemployed people and people on low incomes.

Hat tip someone, it's all a far cry from the 16 September 2014 GOV.UK Verify (RIP) service assessment, when the assessors' report called for GDS to "actively work with the market to grow [demographic] coverage to as close to 100% as can be achieved, as early as possible during the Beta".

... may be worse than you thought
But suppose GOV.UK Verify (RIP) achieved 100% demographic coverage and enrolled everyone into GOV.UK Verify (RIP) with a level of assurance of 2. Then what?

Saturday, 14 May 2016

Mind the gap

On the London Underground/Metro/Subway a recorded message tells us all, over the public address system, to "mind the gap". That's the gap between the train and the platform, of course, which we are all supposed to be too stupid to mind unless we're reminded.

There once was a post-nuclear holocaust film the name of which entirely escapes DMossEsq in which empty trains continued to travel the tube system following their programmed timetable, stopping to open their doors at each appointed station and the only voice heard was the PA system mindlessly repeating "mind the gap".

Wednesday, 4 May 2016

RIP IDA – the last rites

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


We can make a meal of it. Or we can do it the quick way.

Let's try the quick way first. Three steps.

Tuesday, 26 April 2016

RIP IDA – are GDS talking to themselves?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

Every week, the Government Digital Service (GDS) publish statistics about GOV.UK Verify (RIP) on their performance platform. A degree of academic rigour is called for. Without that, GDS are just talking to themselves.

As we speak, some of these statistics are complete to the week 11-17 April 2016 while others include the week 18-24 April 2016. We ignore the latter in the paragraphs below.

Monday, 25 April 2016

Willing enthusiasm isn't enough

11:19 a.m., 8 October 2014, 18 months ago, someone saves a copy of the Transactions Explorer page of the Government Digital Service's performance platform:


Then someone updates HMRC digital team plights troth to wrong Liege and forgets about it ...

... until recently.

You will notice that GDS were trying to measure how digital central government is, department by department. The data they used is repeated below. You won't be surprised which department wins ...

Openness should include farmers

One of the standing jokes about the Government Digital Service's identity assurance scheme, GOV.UK Verify (RIP), is the list of public services using it:


How can DEFRA's Rural Payments service be connected by GOV.UK Verify (RIP)? DEFRA don't have a rural payments service, as we always point out, at least not a computerised one – the computerised system GDS tried to build collapsed and farmers are all applying for their money using pencil and paper now, as a result of GDS's failure. There's nothing for GOV.UK Verify (RIP) to connect farmers to.

The gateway to openness

"The annual end submission date for tax self assessment in January is one of the critical events in the year for the Government Gateway, HMRC and government IT systems as a whole". So said David Hargreaves on 25 February 2016 in Managing the self assessment tsunami:
This year was the largest yet. The Government Gateway processed over 2.9 million self assessment submissions in January. This was just part of almost 7.5 million transactions it handled over the whole month, and the 10 million online self assessments processed in 2015.

The volumes topped 400,000 on Friday 29 January. That’s the equivalent of 8.5 submissions per second.
The Government Gateway is clearly quite a substantial cross-government platform. And these are notable transaction volumes.

And yet, if you try to find anything out about the Government Gateway on the Government Digital Service's performance platform, look what you get: