Sunday 28 October 2012

Alarm – adult human being found still working at the Cabinet Office

Thank goodness for Andy Smith. Whoever he is. And even if he isn't.
audio
video (slide to 1:31:30)

Hat tip: Philip Virgo

25 October 2012, and Whitehall held one of its endless conferences/talking shops where people who work for acronyms get together and speak in acronyms. The 9:20 welcome and introduction, for example, were given by John Robertson MP, Chair, apComms and Chi Onwurah MP and Stephen Mosley MP, Co-Chairs, PICTFOR.

All was set fair for a normal day of incomprehensible talk to be minuted and then forgotten when, according to the BBC, Andy Smith, PSTSA Security Manager, Cabinet Office, was asked a question about using social networks:
A senior government official has sparked anger by advising internet users to give fake details to websites to protect their security.

Andy Smith, an internet security chief at the Cabinet Office, said people should only give accurate details to trusted sites such as government ones.

He said names and addresses posted on social networking sites "can be used against you" by criminals.
Andy Smith is quite properly very hard to track down. He's got something to do with security at the PSTSA. The PSTSA has got something to do with the Public Services Network. The security of the PSN is assured in part by the use of PKI, the public key infrastructure, and that, in turn, depends on digital certificates.

In their chart-topping release of 31 July 2012, PSN Certificate Policy IPsec IL3, PSN say:
5.4.8.2 Each CA and RA must ensure that its PKI services are accredited by the PSTSA Accreditation Board (PSAB) to impact levels 4-4-4 and included within an RMADS prior to live operation.
DMossEsq can help a bit here. A CA is a certification authority and an RA is a registration authority but, after that, you're on your own. You could try the glossary at the back of the report where you'll find that RMADS is the Risk Management and Accreditation Document Set but, rather charmingly, under PSTSA it just says "Public Services ???".

So there's Andy Smith, a man who speaks fluent acronym, who works for an acronym so secret that even PSN don't know what it stands for (DKWISF), a man who has something to do with the deepest levels of the security of PSN and when he's asked about social networks, his informed security advice is don't tell them any more of the truth than you have to for your purposes.

Meanwhile, back at the robot Government Digital Service (GDS), the senior boys in charge were getting ready on Monday 22 October 2012 to announce that we should all communicate with the government using our trusty Facebook and Google+ user IDs. But they bottled out of it. It's too ridiculous. Even a child couldn't take the suggestion seriously.

Thank goodness for Andy Smith. Whoever he is. And even if he isn't.

----------

Cribsheet
4 October 2012, IndependentNational 'virtual ID card' scheme set for launch (Is there anything that could possibly go wrong?): "The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services ... The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk ... The system will be trialled when the Department of Work & Pensions starts the early roll out of the Universal Credit scheme, a radical overhaul of the benefits system, in April ... Details of the 'identity assurance' scheme are being finalised amid growing concerns over identity theft and other forms of cybercrime ... Members of the Cabinet Office team travelled to the White House in May to exchange ideas with American counterparts working on the National Strategy for Trusted Identities in Cyberspace (NSTIC) ...".

4 October 2012, Government Digital Service, Less About Identity, More About Trust: "If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline)".

25 October 2012, Philip Virgo, Government official gives practical security advice - shock horror: "This morning I ... received yet another e-mail covering the latest nonsenses in the ongoing saga of expensive displacement activity that passes for Government (US, EU, HMG etc.) electronic ID policy ...".

25 October 2012, BBC, Give social networks fake details, advises Whitehall web security official: "Mr Smith, who is in charge of security for what he described as the 'largest public services network in Europe', which will eventually be accessed by millions of people in the UK, said giving fake details to social networking sites was 'a very sensible thing to do ... Don't put all your information on websites you don't trust ... When you put information on the internet do not use your real name, your real date of birth', he told a Parliament and the Internet Conference in Portcullis House, Westminster ... 'When you are putting information on social networking sites don't put real combinations of information, because it can be used against you' ...".

26 October 2012, Wendy Goodman, I thought her head was going to explode: "For the record, I think it's clear that Smith gave good security advice ...".

26 October 2012, dropsafe, Andy Smith of the #CabinetOffice is a Epic Fucking #Security Hero: "I have said much the same – worse/moreso, even, by suggesting that folk randomise their personal information so that your mother’s maiden name was F3JlfIrOH8 and your favourite colour is uAfhaR." – kindly includes the links to audio and video of the conference above.

26 October 2012, Daily MailUse fake names on Facebook and Twitter, says the head of government internet security: "... It comes at a time when the government is considering allowing people to use their existing log-ins for social networking sites to access a new government website to apply for benefits, passports and driving licences ...".

26 October 2012, GuardianBeing wary of handing over personal details to websites isn't 'outrageous': "I'm not sure making up data is necessarily the best advice Smith could have given, but you can see where he was coming from: if you are suspicious about why a site is asking for your details, don't give them ... you should be a bit discerning about who you share your details with and how much you give out ... Earlier this year, a report into US identity fraud found it was on the rise, in part because of the incredible amount of personal information being shared on public social media profiles ...".

26 October 2012, Dave Birch, The battle of the internet security experts: "Andy is spot on ...".

From the archives
30 October 2008, Daily Mail, Brown's ID card claims 'absolute bunkum' says Government electronic security expert from GCHQ: "Gordon Brown's claims for the £4.5billion ID cards project have been disputed by one of the Government's own electronic security experts ... The Prime Minister and Home Secretary Jacqui Smith have repeatedly said that ID cards will help thwart terror attacks ... Mr Brown said a national ID card scheme could 'disrupt terrorists' while Miss Smith has claimed ID cards will be a 'robust defence' against terrorists using false identities ... But Harvey Mattinson, a senior consultant at the IT security arm of GCHQ, the Government's listening station, said the claims were 'absolute bunkum' ...".

Harvey Mattinson then. Andy Smith now. Should they decide to accept it, there is another mission for the security services, to save us from GDS and their friends by unwinding the contracts HMRC and GDS have signed with Skyscape Cloud Services Ltd:
CESG have rescued the nation before from other-worldly decisions taken by Whitehall. The Home Office wanted to use DWP’s National Insurance number database as the National Identity Register for the ID cards scheme. CESG pointed out that it was inappropriate and that was the end of that.

Let’s hope that they repeat the trick in their review of Skyscape. I look forward to a small piece appearing in the technical press somewhere out of the way regretting that for security reasons which cannot be given the HMRC [and GDS] contract[s] with Skyscape [have] had to be revoked.

Alarm – adult human being found still working at the Cabinet Office

Thank goodness for Andy Smith. Whoever he is. And even if he isn't.
audio
video (slide to 1:31:30)

Hat tip: Philip Virgo

25 October 2012, and Whitehall held one of its endless conferences/talking shops where people who work for acronyms get together and speak in acronyms. The 9:20 welcome and introduction, for example, were given by John Robertson MP, Chair, apComms and Chi Onwurah MP and Stephen Mosley MP, Co-Chairs, PICTFOR.

Saturday 27 October 2012

Identity assurance. Only the future is certain – doom 3

It's Monday 31 October 2011, and six months after his previous identity assurance meeting DMossEsq finds himself at another one. That's the meeting where ex-Guardian man Mike Bracken spoke and which he wrote up on the Government Digital Service (GDS) blog, Establishing trust in digital services.

Three points.

The event was called Ensuring Trusted Services with the new Identity Assurance Programme and there's a natural tendency to think of it as a Cabinet Office event or more specifically a Government Digital Service (GDS) event. It wasn't.

The event was held under the auspices of the Technology Strategy Board (TSB), which is "sponsored" by the Department for Business Innovation and Skills (BIS). There were eight speakers, of whom two were from the TSB and one was from the Skills Funding Agency, which is a "partner organisation" of BIS. That's three out of eight.

Francis Maude, Cabinet Office Minister, announced a £10 million investment by the Cabinet Office in the identity assurance industry and Iain Gray, chief executive of the TSB, announced a £14 million investment and the winners of that funding were exhibiting at the event.

When you consider identity assurance (IdA) you must consider both GDS and BIS as the sponsors/promoters/investors. That's point 1.

Point 2, there is a natural tendency to associate IdA with the administration of benefits. DWP have been chosen to pioneer IdA on UC, the Universal Credit initiative. But that's just the start. It's meant to go viral and crop up everywhere.

The government's White Paper on Individual Electoral Registration relies on IdA (see for example para.52, p.18):
The draft legislation will allow digital identity assurance to be used in future to verify an application to be added to the electoral register.
The BIS paper on A midata future: 10 ways it could shape your choices adds 10 further applications of IdA to the list being contemplated, including applying for a job, managing your budget, looking after your health and choosing a film to watch. BIS say, for example:
midata' could allow individuals to have access to information held about them by various organisations. When getting a new job, an individual could use verification programmes to send necessary proofs to a new employer. For example, instead of making copies and going to the post office, a new employee could get their driving licence, educational qualifications, CRB check and personal identity [emphasis added] all by ticking a set of boxes and clicking 'send'.
IdA is not just about UC. Its tentacles could reach into every aspect of your life.

And point 3?

After Mr Maude had spoken and debate was thrown open to the audience, Neil Fisher of Unisys said, what is true:
Any project with "identity" in the name is doomed to failure.
Thus the name of this little series of posts. Only one more to go.

----------

Updated three years later, 31 October 2014

That meeting in 2011 was energetic and cheerful and noisy.

What a contrast to yesterday's re-run, no Francis Maude this time and no Mike Bracken, please see Kable/Government Computing's Cabinet Office sets out identity assurance expansion aims.

The failure of IDA, the identity assurance scheme, to expand – or rather, its failure to start – is the fault of DWP's December 2011 framework agreement. It remains their fault to this today despite the fact that GDS took it over in March 2012.

Eight so-called "identity providers" had signed up to IDA by January 2013:
  • Three have already pulled out – Cassidian, Ingeus and PayPal.
  • Four of them have yet to be certified trustworthy and haven't signed up a single user – Digidentity, Mydex, the Post Office and Verizon.
  • Since they only get paid for signing people up, the return on their investment in IDA is nil.
  • Only one "identity provider" is left standing – Experian. They have signed up just under 800 people.
  • Since they get paid just pence per registration, they have something of the order of £8 to show for two years work.
And now GDS are planning a second framework agreement.

They've changed the name from "IDA" to "GOV.UK Verify". Otherwise it's business as usual:
  • Suppose they get five "identity providers" on board and suppose that 45 million Brits register with all five of them.
  • That's 225 million registrations for an estimated £105 million to be offered by the new framework agreement.
  • For approximately 47 pence each, the "identity providers" have to register you in the first place, check your registration once a year and assure an unknown number of relying parties an unknown number of times that you are you.
  • The liabilities are onerous. Nothing is ever GDS's fault. And all for 47p.
Who's going to jump at that opportunity?

No-one.

No-one who values their company, their career and their reputation.

Sauve qui peut.

RIP IDA.

Identity assurance. Only the future is certain – doom 3

It's Monday 31 October 2011, and six months after his previous identity assurance meeting DMossEsq finds himself at another one. That's the meeting where ex-Guardian man Mike Bracken spoke and which he wrote up on the Government Digital Service (GDS) blog, Establishing trust in digital services.

Three points.

The event was called Ensuring Trusted Services with the new Identity Assurance Programme and there's a natural tendency to think of it as a Cabinet Office event or more specifically a Government Digital Service (GDS) event. It wasn't.

Friday 26 October 2012

Identity assurance. Only the future is certain – doom 2 (corrected)

Why didn't the Government Digital Service
make its planned 22 October 2012 announcement about IdA?
Are the "identity providers", sensibly, having second thoughts?

Wednesday 20 April 2011, seven months after his previous meeting, and DMossEsq finds himself at another one to discuss identity assurance (IdA or IDA).

In between whiles, Martha Lane Fox has sent her famous letter to Francis Maude advocating the MLF Prerogative, an amendment to the British Constitution whereby whoever is in charge of GOV.UK will have the power of veto over government policy and will be able to enforce that power using SWAT teams with sharp teeth.

Something of that same aggression has transmitted itself to the Treasury room in which we meet. The testosterone level is oppressive. A roomful of salesmen who were promised no money last September. And yet here they are again. Wolves, howling, scenting money, leaking from a wounded government.

And here, again, the Identity & Passport Service aren't. According to DMossesq's contemporaneous notes:
To someone's dyspeptic eye, IDA looks like a non-starter, another elaborate and expensive plan which turns out to be fantasy, doomed to failure when it confronts reality. The timetable for IDA was presented and described as not over-ambitious. That is perfectly accurate. The timetable is not over-ambitious. It looks more like the psychedelic product of a prolonged session on hallucinogenic drugs. Far from being merely over-ambitious, it is quite simply impossible.

Take for example the claim that by 2014 IDA will be able to support a central N electoral registration application ... Someone asked about that and was told that protocol dictates that, in the run-up to imminent local elections, that matter can't be commented on by the civil service.

Someone not me asked if the Identity & Passport Service are involved in IDA. No, came the reply, IPS are still "reeling" ... That someone may, like me, have thought hmmm, if there's going to be a central N electoral register, that sounds like a job for IPS's GRO (the General Register Office). If the Cabinet Office have their heart set on a central N electoral register, then they must prepare themselves to reel just as much as IPS, because it won't happen, not through IDA at least ...
And:
The Cabinet Office have apparently talked Francis Maude into accepting IDA and G-Digital [digital by default] and G-Cloud. Billions of pounds will be spent. And wasted. Why? To what end? To allow people to communicate with the government digitally. Someone put his hand up and pointed out that we can already do that, through the Government Gateway.

Someone got the distinct impression that certain people wished that hadn't been mentioned ... The GG is old and uses proprietary components and it records too much personal data, we were told. Hmmm, those are insuperable problems. But only if you first decide that they are insuperable. The Cabinet Office and DWP want to kill off the GG, says a dyspeptic of someone's acquaintance, only because otherwise they don't get to play with cloud computing and a lot of shiny new Christmas present data centres.

Most public services are delivered by local authorities. Have they been involved in the design of IDA? No, there are too many of them, we were told. And anyway, they're autonomous, it was said. Like the devolved authorities. Is that a dutiful recognition of the reality of localism? Or maybe a supercilious assumption that the local and devolved authorities will do what they're jolly well told – it's hard to tell the difference. Someone's suspicion is that the move to IDA, G-Digital and G-Cloud is one great big strategy to ensure that Whitehall stays in control, it holds the reins in the centre, it ensures that localisation never happens. If the GG has to be sacrificed along the way, so be it. And if the taxpayer has to spend billions on new data centres, ditto.
It's no fun reeling. Five directors were kicked off the Board of IPS when they finally admitted the ID cards game was up. Sarah Rapson became Chief Executive and Registrar General for England and Wales:
  • Despite being Chief Executive of the Identity & Passport Service she is not invited to help with identity assurance.
  • Despite being the Registrar General, the proposed central N electoral registration will be nothing to do with her.
Obviously the best people leave. Quickly. But then who's left?

Left with "IPS" or "GDS" on their CV. Or an unexplained gap.

It's no fun for the suppliers either.

The biometrics suppliers, for example. They were going to make ID cards foolproof. They haven't been invited back for the identity assurance party. Just because their products don't work. It hardly seems fair.

"1677" it says over the door of each branch of Lloyds Bank. 335 years it's taken to build the brand and it would all go up in smoke overnight if the bank associates itself with IdA. RBS, the Royal Bank of Scotland, similarly. The association would be all downside for Vodafone as well. And any other bank. And any other telco. Or retailer. What would Tesco have to gain? Nothing. They could only lose. Ditto Sainsbury's and the others.

Remember what happened to IPS. And to the biometrics suppliers. And to PA Consulting – banned from government work along with other consultants by Francis Maude despite all PA's hard work helping Whitehall to waste hundreds of millions on ID cards and other projects.

If you're the Chairman or Chief Executive of Boots the chemists, say, and you sign up with GDS to become an "identity provider" – the name really ought to ring alarm bells – the equity analysts will take you apart, your shareholders will rebel and you'll never get another non-executive directorship. You'll be the man or woman who destroyed the Boots brand. Because if my Boots the chemists-issued electronic ID causes me to be defrauded, even if that's the result of Whitehall incompetence, I'm not just going to blame Whitehall, I'm going to blame Boots, too.

It's all risks for Boots and Tesco and Vodafone and Lloyds and no reward. An irrational bet. A reverse arbitrage. A guaranteed loss.

Why didn't the Government Digital Service make its planned 22 October 2012 announcement about IdA? Are the "identity providers", sensibly, having second thoughts?

----------

N It transpires that there is no proposal to create a single, central electoral register and DMossEsq apologies for introducing this error. The government White Paper on Individual Electoral Registration explicitly states in the Foreword that:
No additional information will be placed in the electoral register and the register will continue to be created and held locally – there will be no new national dataase.

Identity assurance. Only the future is certain – doom 2 (corrected)

Why didn't the Government Digital Service
make its planned 22 October 2012 announcement about IdA?
Are the "identity providers", sensibly, having second thoughts?

Wednesday 20 April 2011, seven months after his previous meeting, and DMossEsq finds himself at another one to discuss identity assurance (IdA or IDA).

In between whiles, Martha Lane Fox has sent her famous letter to Francis Maude advocating the MLF Prerogative, an amendment to the British Constitution whereby whoever is in charge of GOV.UK will have the power of veto over government policy and will be able to enforce that power using SWAT teams with sharp teeth.

Something of that same aggression has transmitted itself to the Treasury room in which we meet. The testosterone level is oppressive. A roomful of salesmen who were promised no money last September. And yet here they are again. Wolves, howling, scenting money, leaking from a wounded government.

Identity assurance. Only the future is certain – doom 1

The ID cards scheme made IPS into pariahs in Whitehall.
The same fate awaits GDS.

Monday 20 September 2010, the aftermath of the comprehensive failure of Whitehall's plans to introduce government ID cards to the UK, and DMossEsq finds himself at a meeting to discuss identity assurance:
Attendees included suppliers -- consultants, PKI people, lawyers, telecommunications people, credit rating agencies, defence contractors and retailers -- and civil servants from the Cabinet Office, obviously, and DWP. No-one from the Home Office, HMRC, the Department of Health, the Department for Education ...
According to his contemporaneous notes:
No coherent case could be made for the NIAS [= National Identity Assurance Service, precursor to IdA, now IDAP, the Identity Assurance Programme]. No-one could see what the benefit would be to anyone, whether the assembled suppliers, the citizen consumers or even the government departments. There is no money on the table. The team in charge at the Cabinet Office comprises exactly two people and the Secretary of State, Francis Maude, needs to see private sector interest before there is any question of money being made available.
And:
Further, and quite unexpected, the astonishing degree of No2ID's success, or of the Home Office's failure, depending on how you look at it, became painfully, embarrassingly and almost sadly evident as one supplier after another said that if there was the slightest hint in public that this (non-)project had anything to do with the National Identity Service and the Home Office, then they couldn't possibly be seen to be involved, and as if that wasn't enough, the person from DWP said the same. Any connection would be seen as diseased. A contagion. The Home Office and the Identity & Passport Service have become unmentionable.
The putative suppliers to the Government Digital Service's identity assurance programme may care to remind themselves of the reputational damage they face if they allow themselves to be linked with IDAP. Two years ago, with the example of the pariah IPS [the Identity & Passport Service] in front of them, the banks and the mobile phone companies and the credit referencing agencies understood the risks – all 32 of them. The risks haven't changed.

And GDS may care to take note of IPS's fate. Most of the GDS team imagine that they're working on a noble project to improve the user experience of a public service website. They are. But the other side of that coin, without which the project is pointless, is identity assurance, the same identity assurance sought by IPS.

The same affliction of disease and contagion awaits.

Identity assurance. Only the future is certain – doom 1

The ID cards scheme made IPS into pariahs in Whitehall.
The same fate awaits GDS.

Monday 20 September 2010, the aftermath of the comprehensive failure of Whitehall's plans to introduce government ID cards to the UK, and DMossEsq finds himself at a meeting to discuss identity assurance:

GOV.UK is not Government on the Internet, but of the Internet

Why haven't GDS announced their identity assurance strategy yet?
The suspicion is growing that they haven't got one.

In the absence of any news about the Government Digital Service's plans for identity assurance your gaze may fall upon ex-Guardian man Mike Bracken's blog post about the release last week of GOV.UK, the new single government domain, the partial implementation of Martha Lane Fox's "digital by default".

Why does GOV.UK matter?

Good question.

Local Authority Review – Citizen Online Identity Assurance
September 2012

[IdA = identity assurance
LA = local authority]

... Communication is seen as key and it was suggested that a national campaign run by trusted organizations (e.g. Citizen’s Advice Bureau and other voluntary organizations) would be helpful.

Communications to build citizen trust and highlight the benefits such as a reduction in bureaucracy for both citizens and the LA, are seen as key. Once a proven nationally recognised approach is in place with a recognised and trusted branding, it is suggested that the branding could then be integrated into LA websites. LAs would then feel more confident about communicating the concept at the local level. Through a variety of channels awareness raising could be undertaken. Suggested approaches include citizen training in libraries and other venues with high citizen footfall, contact through third sector and voluntary organizations, articles in free newspapers and council magazines, promotions through the housing advice bus visits and web promotion.

Another important step for LAs is to gain a sound understanding through customer research on how the idea of federated IdA might be received by different sectors of the population6. Usability and accessibility are also a key concern to ensure that processes are not over-complicated – it may be more appealing to undertake repeated simple registrations and sign-ons than one complicated procedure especially when the goal is to undertake a simple transaction ...


Whilst there is some mention of a national agenda, the most common drivers for online citizen IdA are cited as corporate strategy, service needs, cost reduction and efficiencies. Although there has been no explicit demand from citizens (other than around privacy concerns), improvement of the customer experience also appears to be a motivating factor.

In response to these drivers authorities have strategies either in place or in development to take forward service transformation, channel shift and/or improved customer service. Key principles of these strategies include digital by default (or at least by citizen preference), escalation of a self-service culture allowing greater focus on the more vulnerable, multiple channel access, and device independence.

IdA is not always discretely identified within these strategies although a number of authorities articulated its importance in terms of being an architectural building block and an enabler. Business cases do not tend to be written for IdA but rather it is included as an element within business cases for channel shift/service improvement programmes (e.g. Individual Electoral Registration Programme). So whilst it may not be explicitly referenced, there was general consensus that IdA is an important part of the infrastructure and is an integral part of channel shift which will allow a more coherent approach to the citizen.

The developing theme of single sign-on and a standardized approach to IdA is however juxtaposed with emerging imperatives. The advent of adult social care budgeting, and new government policies on troubled families is likely to drive LAs to seek further single service solutions to add to the mix.

”… because of the need to respond to welfare reform the view was that we can’t wait so we’ll do it and then fix it, federate it later.”

Lee Hemsworth, Chief Officer (Intelligence and Improvement), Leeds City Council ...

----------

6. Relevant studies include Group Identity Assurance – User tests results from the Happy Use Case, UCL Department of Computer Science Information Security Research and UC IDA claimant testing Findings, DWP Insight Team

And one which has obviously been occupying the executive director of GDS. In Why GOV.UK matters: A platform for a digital Government he writes:
GOV.UK has been designed with transparency, participation and simplicity at its core. It will always be based on open standards, and is unapologetically open source. This architecture ensures its integration into the growing ecosystem of the Internet. Inevitably, innovation will follow, driven from within and without. GOV.UK is not Government on the Internet, but of the Internet.
"GOV.UK is not Government on the Internet, but of the Internet". Does anyone have any idea what that means?

Would it help to try another preposition? "GOV.UK is not Government on the Internet, but under the Internet", perhaps?

It doesn't help, does it.

That's because whether we're talking about government deeply in debt to the internet or government carried out without even a passing interest in the internet, GOV.UK isn't government. It's a website.

When he uses the words "transparency", "participation", "simplicity", "open standards", "open source", "ecosystem" and "innovation", this is ex-Guardian man Mike Bracken presenting his credentials. It is a homage to what he describes as Tim O'Reilly's "seminal work Government as a Platform".

Mr O'Reilly's seminal work, if you care to read it, is many things:
  • A gratuitous endorsement of President Obama's healthcare legislation.
  • A cod history of commerce and civic action since the days of Benjamin Franklin.
  • An attack on IBM and Microsoft for being monopolies (nearly).
  • Praise for Amazon, Google, Facebook and Apple for being monopolies (nearly).
  • An expression of Mr O'Reilly's fascination with technology.
  • And of his belief that only crowds have wisdom.
  • And that individuals know nothing.
  • Apart, presumably, from Mr O'Reilly.
That's not quite fair, actually.

There has been some news about identity assurance.

Amanda Derrick OBE, a fairly recent addition to the GDS team, an escapee from the Gove Terror at the Department for Education, presented a report yesterday on Identity assurance for local government services.

Who wrote this report?

Someone too bashful to tell us. Someone lacking the assurance to identify themselves.

Whoever it was rang up 16 local government officers and had a chat with them. A long extract from the resulting report is quoted alongside. It doesn't make much difference if you read it forwards or backwards.

Digital by default is about delivering public services. Most public services in the UK are delivered by local government and yet GDS left it until July 2012 to commission this report.

What it tells them is that they don't know much about what is needed, by way of identity assurance, by the people who actually deliver public services and by their parishioners.

Why haven't GDS announced their identity assurance strategy yet? The suspicion is growing that they haven't got one.

GOV.UK is not Government on the Internet, but of the Internet

Why haven't GDS announced their identity assurance strategy yet?
The suspicion is growing that they haven't got one.

In the absence of any news about the Government Digital Service's plans for identity assurance your gaze may fall upon ex-Guardian man Mike Bracken's blog post about the release last week of GOV.UK, the new single government domain, the partial implementation of Martha Lane Fox's "digital by default".

Why does GOV.UK matter?

Good question.

Wednesday 24 October 2012

HMRC and Skyscape 2

The following open letter has been sent by email and by post to Phil Pavitt in his capacity as HMRC Director General Change, Security and Information with a copy to Lin Homer, Chief Executive, HMRC:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

Open letter [1]

Phil Pavitt          Your ref. CETO /03531/2012
HMRC Director General
Change, Security and Information
100 Parliament St
London SW1A 2BQ          24 October 2012

Dear Mr Pavitt

HMRC and Skyscape Cloud Services Ltd

Thank you for your letter dated 22 October 2012 [2] in response to my letter to Lin Homer dated 11 October 2012 [3].

The point is well taken, of course, that for security reasons HMRC can’t say what data is held where. We're in we-can-neither-confirm-nor-deny territory here. It’s difficult but, given the bizarre nature of the Skyscape contract, HMRC are going to have to find some way to reassure the public about the security with which our tax records, both personal and corporate, are being held.

“The data will continue to be kept in accordance with existing legislation and HMRC security policies”, you say. I should hope so, too – the public want, need, deserve and pay for nothing less.

But your statement begs the question.

The public is bound to assume that the data to be stored at Skyscape’s cloud computing facilities is the tax records of every individual and legal person in the country. What other data does HMRC have?

And the public is bound to assume that our data is intended to be stored at Hartham Park, Corsham, Wilts SN13 0RP because that’s the address of the registered office of Skyscape Cloud Services Ltd and it’s the address of the registered office of its “ally” ARK Continuity Ltd and it’s the address of ARK’s Spring Park data centre as noted for everyone to see on ARK’s website [4]. If that isn’t a breach of security, what is?

Skyscape is a young start-up, it hasn’t yet submitted any accounts to Companies House, it has no track record, it has only one director and he owns all the shares in the company. If the Government Procurement Service (GPS) and HMRC believe that Skyscape is an appropriate company to trust with the care of our tax records, then there is something wrong with GPS’s and HMRC’s selection criteria.

CloudStore make the point that the inclusion of a company and its services in its on-line store is not a warranty of appropriateness. It’s up to the customer – in this case HMRC – to determine appropriateness. Eleanor Stewart, the Assistant Director of G-Cloud, says [5]: “as with everything on the G-Cloud framework the customer can determine whether they are happy with any associated risk at the point of selection”.

The references to GPS and to CloudStore in your letter can provide the public with no comfort.

You mention the Skyscape Cloud Alliance [6] in your letter.

Goodness knows what ARK Continuity is doing in the Alliance. HMRC doesn’t promote itself as being in an alliance with Mapeley. Why does Skyscape expect the public to find it commercially persuasive to include its landlord in the Alliance?

QinetiQ, VMware, Cisco and EMC on the other hand are all industry leaders and if HMRC had entered into a contract with a joint venture company involving them then we wouldn’t be having this correspondence.

But you haven’t.

HMRC have entered into a contract with a one-man start-up. That was the case before you wrote your letter and it remains the case subsequently. The question therefore persists, how can HMRC make such an odd-looking decision? How can they risk the nation’s tax records on Skyscape?

There’s no joint venture company there for a Tax Inspector to get his or her teeth into. Just an “alliance”. What is an alliance in this case?

The contract is to provide cloud computing services. “Cloud computing” means losing control [7]. Whitehall promotes cloud computing on the basis that it turns IT into a utility [8]. That is not attractive, as this month’s news about gas and electricity prices will confirm.

None of us has control over the price our suppliers charge for gas and electricity at home or control over their staff. If HMRC enter into a cloud computing contract with any supplier, big or small, they will have the same problem. How can HMRC risk the nation’s tax records on cloud computing?

Salesmen sometimes unfortunately make over-enthusiastic claims about cloud computing being more resilient, secure and efficient than the alternatives. Lawyers don’t believe them. Lawyers don’t use cloud computing. Lawyers are paid to keep their clients’ data under control and confidential. So are public authorities like HMRC.

As I write, I note that the latest cloud computing débâcle is unfolding. Amazon are the biggest cloud computing suppliers in the world and they’ve just had a 12-hour outage [9].

Our tax records are currently stored on hundreds of servers at “multiple” HMRC offices, you say. Good. That looks secure. Much more secure than storing them all in one place with a one-man start-up in some sort of nugatory alliance. And, since you mention it, the allegedly dainty carbon footprint of cloud computing will be no consolation if our records go up in smoke.

According to HMRC’s press release [10] the Skyscape contract will save £1 million a year on running costs. We need to be guided here by the National Audit Office (NAO) report on HMRC’s on-line filing [11].

The NAO examined HMRC’s £8 billion 10-year ASPIRE contract with Capgemini and said:

HMRC uses a range of indicators to measure the performance of its ICT services, which include online services, and it measures availability that relates specifically to online filing. HMRC has a high-level view of the overall costs of ICT provision through the ASPIRE contract. It has been taking steps to improve that information and achieve cost savings. It does not yet have a detailed breakdown of the costs of online filing services, so it cannot benchmark those costs to assess their value for money. HMRC is currently negotiating with the ASPIRE contractors to obtain a clearer breakdown of the costs of ICT services provided. (p.8)
Also:

[HMRC] should proceed with its plans to identify ICT costs specific to online filing services and ensure that current negotiations with the ASPIRE contractors provide sufficient breakdown of cost information for regular benchmarking of costs. (p.13)
In the circumstances, with the suppliers not even prepared to tell HMRC what they are charging for, some scepticism is in order about claims to be able to identify £1 million of on-line filing costs in among the £8,000 million.

CESG have rescued the nation before from other-worldly decisions taken by Whitehall. The Home Office wanted to use DWP’s National Insurance number database as the National Identity Register for the ID cards scheme. CESG pointed out that it was inappropriate and that was the end of that [12].

Let’s hope that they repeat the trick in their review of Skyscape. I look forward to a small piece appearing in the technical press somewhere out of the way regretting that for security reasons which cannot be given the HMRC contract with Skyscape has had to be revoked.

Yours sincerely
David Moss

cc      Lin Homer, Chief Executive, HMRC
          Chartered Institute of Taxation
          Institute of Chartered Accountants in England and Wales




[7]Cloud computing and the Gadarene lemmings of Whitehall, http://www.dmossesq.com/2012/10/cloud-computing-and-fashion-conscious.html
[8]Cloud computing turns IT into a utility, and that's a good thing?, http://www.dmossesq.com/2012/10/cloud-computing-turns-it-into-utility.html
[9]Amazon outage started small, snowballed into 12-hour event, http://www.networkworld.com/news/2012/102312-amazon-outage-263617.html
[11]HM Revenue & Customs – The expansion of online filing of tax returns, http://www.nao.org.uk//idoc.ashx?docId=cd237708-5c6b-472a-af13-f432f80d80cc&version=-1
Updates:
24.5.12
Phil Pavitt says "we don't currently have ID authentication in UK government".
24.10.12
Letter emailed to Phil Pavitt and Lin Homer
25.10.12
Hard copy of letter posted to Phil Pavitt and Lin Homer, links sent to Eleanor Stewart, CIOT and ICAEW
28.10.12
Re last two paragraphs of letter, see Andy Smith affair.
4.11.12
US government argue that signing a cloud services agreement reduces your property rights in the data stored in the cloud, according to EFF.
13.11.12
Cloud computing, and GDS's fantasy strategy: "To which, all one can say is that there must be something wrong with the Cabinet Office, GPS and HMRC procurement criteria ...".
23.11.12
UK.gov to upgrade buying tool after mega cockup downs £1bn deal – Government Procurement Service computer system incapable of handling tenders for government procurement.
26.11.12
HMRC soon to be Pavittless – will Aviva store all our insurance details with Skyscape?

HMRC and Skyscape 2

The following open letter has been sent by email and by post to Phil Pavitt in his capacity as HMRC Director General Change, Security and Information with a copy to Lin Homer, Chief Executive, HMRC:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

Is GOV.UK a work of art? With no identity assurance services, that's the best it can hope for ...

... at which point GOV.UK starts to look pointless ...

DWP are waiting for identity assurance services, to make progress on Universal Credit.

We were expecting the suppliers of identity assurance services to be named by 30 September 2012 latest. It didn't happen. Then we were expecting them to be named on 22 October 2012. It didn't happen. We're expecting Universal Credit to make work pay but at the present rate that isn't going to happen either.

Last week's release of GOV.UK was "the start of a new era of digital services" according to ex-Guardian man Mike Bracken, executive director of the Government Digital Service (GDS) – not without identity assurance services it isn't.

We know that GOV.UK is hosted on Skyscape. Or Akamai. But who's going to access it?

25 million hits per month we're expecting on GOV.UK. Maybe more. There's plenty of real estate on screen for Google to serve up ads. But who's going to click on them?

GOV.UK is meant to improve the user experience of dealing with public services. Without identity assurance services, there aren't any users to enjoy the experience.

That's an exaggeration. There will be people browsing the site anonymously. But they've been able to do that on Directgov and Business Link for years.

No users? There's an important way in which that's not an exaggeration. The point of digital by default, Martha Lane Fox's dream, and Francis Maude's too, is to have people registering for services and applying for student loans and paying their VAT using GOV.UK. For that, they need to be identified.

No identity assurance services, no digital by default. At which point GOV.UK starts to look pointless.

The deadlines come and the deadlines go. How much longer is everyone going to have to wait? In particular, how much longer are the millions stuck in the poverty trap going to have to wait?

----------

Update 17.11.13:
A year of departments and policy all in one place
A year of departments and policy all in the same place. A place with no identity assurance.

Update 18.11.13:
HMRC set to go digital:
Mark Dearnley, the new Chief Digital and Information Officer for HMRC, announced ... that HMRC will “become a fully accessible digital business ... The multi-channel digital tax platform will have security at the heart of it. The new Government Identity Assurance Programme platform will be part of that.”
It would help, or at least it should help, but just for the moment there is no identity assurance platform and no sign of it turning up.

Is GOV.UK a work of art? With no identity assurance services, that's the best it can hope for ...

... at which point GOV.UK starts to look pointless ...

DWP are waiting for identity assurance services, to make progress on Universal Credit.

We were expecting the suppliers of identity assurance services to be named by 30 September 2012 latest. It didn't happen. Then we were expecting them to be named on 22 October 2012. It didn't happen. We're expecting Universal Credit to make work pay but at the present rate that isn't going to happen either.

Last week's release of GOV.UK was "the start of a new era of digital services" according to ex-Guardian man Mike Bracken, executive director of the Government Digital Service (GDS) – not without identity assurance services it isn't.

Tuesday 23 October 2012

Reminiscing about IdA while we wait to find out about our identity providers

30 September 2012 has come and gone. Everyone was looking forward to discovering which companies would be the UK's "identity providers" but the deadline passed and we're none the wiser.

Then it seemed as though we would be told on 22 October 2012. That's what it said in the Independent and the Government Digital Service (GDS) seemed quite happy with that coverage but no, still no answer.

While we're waiting, it's tempting to reminisce about the history of GDS's Identity Assurance project (IdA).

IdA started as part of the G-Digital programme. A number of private sector organisations were inveigled into  collaborating on the programme, groups of them were sent away to work on different tasks and in January 2010 a report of their findings was produced.

Worthily written, the report ploughs relentlessly through its ten objectives. Stop for a while at Objective #4 – To determine any gaps in our Business Services on p.9. On-line payments? Got it. Enrolment? Got it. Search engine optimisation? Etc ... All the business services are there, no gaps, including Adserver.

Adserver? In the public sector? In the UK?

Take a look at GOV.UK. Lots of space down the sides on the screen, left and right. Bit of a shock at first to be sure but, think about it, why not, this is the world of Facebook and Google now, and Amazon and eBay, very handy for advertisements.



Extract from G-Digital Market Investigation High Level Analysis & Findings




What would it look like if GOV.UK carried advertisements?

Here, for example, is a serious Simon Jenkins article on the Guardian's Comment is free forum topped off and flanked with advertisements for holidays in Kenya. Suppose you were browsing GOV.UK instead of the Guardian. Suppose it was your tax return on the screen instead of a Simon Jenkins article. And suppose that the same advertisements were there.

That couldn't happen, could it?

Yes it could. There didn't used to be advertisements on Comment is free until someone came along and re-designed it:



The future look of GOV.UK?

Reminiscing about IdA while we wait to find out about our identity providers

30 September 2012 has come and gone. Everyone was looking forward to discovering which companies would be the UK's "identity providers" but the deadline passed and we're none the wiser.

Then it seemed as though we would be told on 22 October 2012. That's what it said in the Independent and the Government Digital Service (GDS) seemed quite happy with that coverage but no, still no answer.

While we're waiting, it's tempting to reminisce about the history of GDS's Identity Assurance project (IdA).

Monday 22 October 2012

Things happen when Lin Homer's in the loop. Fast.

An open letter was sent to HMRC by email and by post asking about the advisability of contracting with Skyscape Cloud Services Ltd.

An acknowledgement was received today by post promising a response within 15 working days.

And then the response was received, as shown below, dated today. Unprecedented.

With thanks to Phil Pavitt, responding on behalf of Ms Homer, and no further comment for the moment:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

HMRC and Skyscape Cloud Services Ltd

Dear Mr Moss

Thank you for your letter of 11 October 2012 expressing your concerns in respect of HMRC’s recently announced contract with Skyscape Cloud Services Ltd. I am replying on behalf of HMRC’s Chief Executive, Lin Homer.

Skyscape were selected by HMRC and awarded a 12 month contract due to their innovative, inventive and value for money solution. In terms of the suitability of Skyscape hosting HMRC data I can confirm that HMRC procured the services of Skyscape via the HM Government “G-Cloud” Framework, also referred to  as the CloudStore. The G-Cloud was created by the Cabinet Office and the Government Procurement Services (GPS) via a formal competition process through the Official Journal of the European Union under the Open Procedure.

G-Cloud was established to make government procurement easier and more transparent and was, in part, created as a means of encouraging small and medium sized enterprises (SMEs) to compete on a level playing  field with multi-national organisations.

In order to deliver services through G-Cloud, all suppliers on the Framework, Skyscape included, were required to meet a set of mandatory criteria set out by GPS including their financial standing and Experian risk assessments. Additionally, HMRC carried out its own standard taxation and financial compliance checks  before awarding the contract and Skyscape passed the standard set by the G-Cloud Framework and HMRC.

Skyscape’s services are provided through a number of key, or “Alliance”, Partners. These partners are industry leading organisations that provide services in the data centre or “cloud” arena such as EMC (storage  and security services), Cisco (networking) and Ark Continuity (UK based high security data centres). Ark Continuity therefore are one of a number of partners who supply Skyscape with their products and services which are key to Skyscape’s overall assured cloud computing services.

However, data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). For more information please see the link below:

http://gcloud.civilservice.gov.uk/2012/03/09/so-what-is-il3-a-short-guide-to-business-impact-levels/

This accreditation is expected imminently, at which point HMRC will be in a position to begin securely moving data over to Skyscape and decommissioning our old servers. Once the data has been moved it will remain there for the contract duration (12 months) during which time any subsequent data storage contract will be re-competed to ensure HMRC continues to take advantage of innovative, secure and low cost solutions, available within the marketplace, which allow HMRC to easily store, manage and transfer its data.

It should also be noted that for security reasons HMRC does not discuss details of the data that it holds, or where it stores it, however we are able to confirm that by using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.

Finally, I can confirm that the claims within HMRC’s press release of 26 September are fully justified. The data, which will be securely stored by Skyscape, currently resides on several hundred servers, across multiple HMRC office locations. This change will consolidate that data and place it into a small number of secure and highly resilient cloud data centres hence improving the security of the data, the efficiency of managing that data as well as improving HMRC’s carbon footprint.

I trust that this answers your queries in full and I hope that you can now appreciate that HMRC’s decision to contract with Skyscape was not dangerous, ill-advised or irresponsible.

Yours sincerely,
Regards
Phil Pavitt
HMRC Director General Change, Security and Information

Things happen when Lin Homer's in the loop. Fast.

An open letter was sent to HMRC by email and by post asking about the advisability of contracting with Skyscape Cloud Services Ltd.

An acknowledgement was received today by post promising a response within 15 working days.

And then the response was received, as shown below, dated today. Unprecedented.

GDS and their friends

Will HMG really entrust our personal identities and data collected under statutory authority to those who base their ID governance in Dublin, their IT and security staff in India or their files on the west coast of the US? You could not make up the idea that the Home Office might seriously consider outsourcing the running of our immigration and criminal records to an India software company - but this is allegedly about to happen.
Last week, it was GOV.UK. Later today, the Government Digital Service (GDS) should make an announcement about identity assurance (IdA).

GDS want to make all public services digital by default. That will "transform government", they say, it will make it joined up and modern and efficient and trusted and green.

Take Universal Credit (UC) as an example. If people are to register for UC on-line using GOV.UK and receive their benefit payments on-line, DWP need to know who the claimants are, DWP need identity assurance – no IdA, no UC.

DWP lost control over identity assurance to GDS. Today's announcement may come from DWP but it's GDS in the driving seat: "... This approach ensures that, ultimately, HMG-wide Identity Assurance is supplied across central departments via a common procurement portal (to HMG agreed standards) and governed by the Cabinet Office".

Today's announcement will name the UK's "identity providers". (You'll soon get used to the term.) These are the companies who will help to provide DWP among others with the reassurance they need that benefits are being paid to legitimate recipients.

UC is just an example. Digital by default is for everyone. Not just benefit claimants. We'll all need an identity provider in GDS's new world. Even taxpayers. And children. The freshly conceived? The dead. Anyone who wants a passport. Or a driving licence. Or who wants to get married. Or enter into a civil partnership. Or go on holiday. Or vote. Or draw a pension. Or avail themselves of non-emergency state healthcare. Or state education. Or change job. Or submit their VAT return. Or ...

On 4 October 2012 the Independent newspaper published National 'virtual ID card' scheme set for launch (Is there anything that could possibly go wrong?). The article named Facebook, Microsoft, Google and PayPal (owned by eBay) among others as likely identity providers and GDS said: "If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline)".

I.e. the Independent article was a leak and is reliable. And it says: "The identification systems used by the private companies have been subjected to security testing before being awarded their “Identity Provider” (IDP) kitemark, meaning that they have made the list of between five and 20 approved organisations that will be announced on 22 October".

As you listen to today's announcement, if it happens, you will be comforted to know that GDS is your friend and that all the hard work on GOV.UK and IdA is for you, it is designed around you and your user experience of digital by default, which will empower you, Facebook and Google and PayPal and Microsoft (and eBay and Amazon and Apple) are trusted third parties and ...
  1. Sunday Times, 21 October 2012 eBay avoids £50m tax
  2. Independent, 21 October 2012 eBay joins list of firms avoiding most tax - and doing it legally
  3. Observer, 21 October 2012 Amazon makes UK publishers pay 20% VAT on ebook sales
  4. Sunday Times, 21 October 2012 Apple downloads another $10bn
  5. Philip Virgo, 20 October 2012 Why is Dublin the on-line capital of Europe ?
  6. Daily Express, 18 October 2012 WHY TAX AVOIDANCE LEAVES A BAD TASTE IN YOUR MOUTH
  7. Guardian, 17 October 2012 Should we boycott the tax-avoiding companies?
  8. Sunday Times, 14 October 2012 Apple avoids up to £570m in British tax
  9. The Register, 11 October 2012 Facebook says it's LOSING money in the UK ... pays hardly any tax
  10. Independent, 11 October 2012 Facebook: The antisocial network branded 'disingenuous and immoral' 
  11. Media Week, 11 October 2012 Facebook paid staff more per head than its entire UK tax
  12. Sunday Times, 30 September 2012 The Untaxables
  13. Daily Telegraph, 20 September 2012 Microsoft 'used offshore units to avoid paying $4.5bn in taxes', Senate claims
  14. The Register, 20 September 2012 Senate hears Microsoft and HP avoided billions in US taxes
  15. Wall Street Journal, 20 September 2012 Senate Committee Questions Overseas Tax Schemes
  16. Daily Telegraph, 13 August 2012 Google to face MPs over tax avoidance scheme
  17. Sunday Times, 5 August 2012 Apple’s cash crisis (it’s got too much money)
  18. Daily Mail, 24 July Yes, I pay builders in cash. But what’s really immoral is billionaires and firms like Google who avoid tax
  19. Sunday Times, 8 July 2012 French tax swoop on Microsoft
  20. Times, 27 June 2012 EU planning cross-border crackdown on tax evasion
  21. PC Advisor, 22 June 2012 Forget Jimmy Carr: check out Google, Amazon and Apple's tax records
  22. Sunday Times, 17 June 2012 How Google turned evil (Apple and Facebook aren’t much better)
  23. Daily Mail, 30 April 2012 How Apple (legally) avoided paying BILLIONS in taxes last year - despite record profits
  24. Sunday Times, 22 April 2012 Apple’s Irish tax ploy
  25. Macworld, 19 April 2012 Claims of Apple's tax dodging are untrue
  26. Which?, 11 April 2012 Is Amazon’s avoidance taxing the UK’s ebook retailers?
  27. Sunday Times, 8 April 2012 Apple’s UK tax dodge
  28. Daily Mail, 8 April 2012 Apple 'made £6bn' in UK... but paid only £10m in tax
  29. Guardian, 6 April 2012 Tim Waterstone warns Amazon tax avoidance could kill off bookshops
  30. Independent, 5 April 2012 Amazon investigated by UK authorities over tax avoidance
  31. Daily Mail, 5 April 2012 Amazon, Google, and the sordid reality of tax avoidance
  32. BBC, 5 April 2012 Corporation tax: Easy for multinationals to avoid?
  33. Daily Telegraph, 5 April 2012 Amazon faces UK corporation tax probe
  34. Guardian, 4 April 2012 Amazon: £7bn sales, no UK corporation tax
  35. Sunday Times, 25 March 2012 Apple’s $100bn headache
  36. Sunday Times, 12 February 2012 The anti-social network
  37. Sunday Tiimes, 5 February 2012 Revealed: Facebook’s network in offshore tax havens
  38. Sunday Times, 3 February 2012 Google pays only 3% tax on foreign profit
  39. Wall Street Journal, 3 August 2011 Amazon Battles States Over Sales Tax
  40. London Evening Standard, 20 July 2011 Britain loses out in Google's tax avoidance
  41. Wall Street Journal, 20 June 2011 British Online Retailers to Face Tax Scrutiny
  42. Sunday Times, 29 May 2011 Google beats £3bn tax
  43. Times, 16 March 2011 No taxation: Amazon declares war on the states
  44. Wall Street Journal, 27 March 2010 The Sales Tax That Comes Back to Bite
  45. Guardian, 23 September 2009 Is Microsoft a tax dodger?
  46. Wall Street Journal, 6 April 2009 Firms Move to Fight Overseas-Profit Tax
  47. Wall Street Journal, 11 September 2008 Street Firms Accused of Tax Scheme
  48. ...
----------

Updated 3.7.14
New Amazon terms amount to 'assisted suicide' for book industry, experts claim

Report says publishers under heavy pressure to make damaging concessions including giving online retailer rights to print on demand

Alison Flood
theguardian.com, Wednesday 25 June 2014 12.08 BST
REVEALED: Google's proposed indie music-killing contract terms

Suicide or death-by-DMCA? Not a great choice...

By Andrew Orlowski, 24 Jun 2014