Wednesday 28 March 2012

Cloud computing is bonkers or, as HMG put it, a "no-brainer"


The failures of government IT projects are well-known and have been for decades, during which the problems have been intractable. Now a solution is being championed by Her Majesty's Government – cloud computing.

What is cloud computing? And is it the answer?

HMG runs a blog called G-Cloud (the government cloud), on which last Friday Adrian Scaife from the Ministry of Justice posted an answer to the first question above, "A No Brainer":
Cloud computing is so easy to understand that even simple folk like me get the idea.
Mr Scaife should know all about the traditional problems of government computing. He works for NOMS, the National Offender Management Service, the travails of which have rarely been out of Private Eye for the past eight years. To pick just one of the hiccoughs suffered, in March 2009 the National Audit Office published a report on the NOMS computer system which includes this:
3.17 At the end of October 2007, £161 million had been spent on the project overall. We have not been able to ascertain precisely what this money was spent on because NOMS did not record expenditure against workstream before July 2007 ...
This patrician insouciance of Whitehall's when it comes to public money is just one of the aggravating features of government IT collected together in a report by the Public Administration Select Committee, Government and IT – "A Recipe For Rip-Offs": Time For A New Approach, a report which with good grace Mr Scaife refers to. It's a long report and readers may care to start with the contribution entitled Whitehall, Red Light District beginning at page Ev w7 to get the flavour of it. Clause 5 deals with cloud computing.

Mr Scaife's post promotes five alleged benefits of cloud computing which he says will help to solve the current problems of government IT:
  • No CapEx – you can stand up services in days, hours or in some cases minutes – try before you buy: spin up an AWS instance, sign up for Google Apps for Business or an Office 365 free trial and touch and feel it for yourself ...
  • Metered Services – you only pay for what you use.  If it doesn’t fit the bill, switch it off.  If it does work you can grow it incrementally ...
  • Scalability, flexibility, elasticity – All baked in.  You want to add a couple of hundred gigs of storage, another 50 or 5000 users, a new tenancy for an application, just switch it on.  And when your business changes and you don’t need it any more – no exit costs, just switch it off ...
  • Cheaper – the economies of scale the global-class cloud providers can realise drive unit costs to a level that can never be achieved through an on-premise approach.  In many cases, cloud services are free at the point of use because of these economies of scale, and because they are typically monetised by advertising – you can normally lose the ads for a paid business version of a cloud service ...
  • Vendor-led Innovation – One of the great things about cloud is that you don’t have to do upgrades, the cloud provider does it.  New features, patches, and upgrades are all part of the package.  Because the global market is a competitive place, as well as getting better, services can get cheaper too: AWS reduced their prices twice in 2011 ...
If there is no CapEx, no capital expenditure, then what Mr Scaife foresees is a new world in which government doesn't buy any expensive computers (any servers) itself. But someone has to buy them. The people buying them are AWS, Amazon Web Services, and other suppliers of cloud computing services. Someone must pay for all the spare capacity which would allow HMG to "scale up" any time it wants to, no delays involved. And someone must keep paying for it when HMG decides at the drop of a hat to "switch off". All that redundancy must be reflected in the costs.

What we're looking at is a return to the 1970s and timesharing. Back then, most companies couldn't afford mainframes or minicomputers and so they rented time on computers provided by the likes of GEISCO – General Electric Information Services Company – and Comshare and other smaller bureau operators. Timesharing costs went through the roof and the whole business was gratefully abandoned when PCs arrived in the 1980s.

HMG is welcoming the timesharing zombie back into Whitehall. And Mr Scaife, at least, offers no reason to believe that costs won't go through the roof again just like the last time.

Mr Scaife's post barely considers the potential disadvantages of cloud computing. The document is more like a piece of sales literature than a balanced assessment.

There are other opinions of the new world being sold to us here:
  • The OECD, for example, recommend that "cloud computing creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties".
  • ENISA, the EU's information security agency, casts more doubt on the advisability of cloud computing, concluding that "its adoption should be limited to non-sensitive or non-critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy".
  • Larry Ellison, the founder of Oracle, says frankly: "The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"
  • And as for Richard Stallman, he says that cloud computing is a "trap":
... Richard Stallman, founder of the Free Software Foundation and creator of the computer operating system GNU, said that cloud computing was simply a trap aimed at forcing more people to buy into locked, proprietary systems that would cost them more and more over time.

"It's stupidity. It's worse than stupidity: it's a marketing hype campaign," he told The Guardian.

"Somebody is saying this is inevitable – and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true."
The Guardian quote one actual user of real live cloud computing services as follows:
We went ahead and moved our business to public cloud computing about 18 months ago. It has been a nightmare, there have been times when the company is down because our collaboration software, Basecamp, is unreachable. We also have an Amazon cloud solution. How secure is this, what if there is a breach? How do you even call Amazon, they don't even have a phone number for us? The level of transparency is not there.
Mr Scaife's assumption is that cloud computing offers greater security than can be achieved in-house. But how do you know? According to the Guardian again:
Despite these efforts, tough issues remain. One is that organisations often cannot perform audits to verify the vendor's claims. Google, for example, does not allow it. "It does more to impede the security, letting everybody in to take a look at everything," Feigenbaum says.
Google is another supplier of cloud computing and Eran Feigenbaum is their director of security for Google Apps. Are we really to believe that Google can provide higher security than HMG?

Maybe. We are used to finding fault with HMG. That doesn't mean that Google are faultless.

Let's be clear what Mr Scaife is talking about here. All our tax records, all our state education records, all our state healthcare records and state housing records, all our National Insurance and state pension records, all our criminal records, ... could be stored on Amazon web servers or Google web servers or anyone else's web servers.

Where would those servers be? Where would our data be? They could be anywhere. Anywhere where Amazon/Google can provide their allegedly scalable and flexible services most cheaply. Who has jurisdiction over the data if it's in Vanuatu (formerly the New Hebrides but now the Ripablik blong Vanuatu)? How do you enforce any British law there?

HMG might or might not be able to keep control. The US have taken steps to do so already, and not just to control their own data:
There is also concern about the US anti-terrorism legislation called the Patriot Act, which gives the US government a right of access to any data stored on US soil, and possibly any data on servers belonging to a US company, if it is deemed necessary for security investigations. In some cases, that is not an acceptable risk.
Mr Scaife acknowledges this problem:
Special needs
The operation of separate and parallel ICT systems for government departments is analogous to operating separate water or electricity supplies for government departments.  It is expensive, often unnecessary, and the benefits are dubious.  At the same time, government is in a unique position in that it must both protect assets of national security, and that it must provide adequate protection of the personal data entrusted to it.
If government is going to protect national security and the confidentiality of personal data, then that surely points firmly against cloud computing and Mr Scaife's putative cost savings won't be available after all. Alternatively, if HMG is determined to try to achieve those putative savings, will the population no longer be relying on HMG? Will we be relying instead on the good will of Amazon and Google? Is the job too difficult, and HMG is giving up on the business of government?

Having asserted that government's responsibilities are unique, three paragraphs later Mr Scaife says:
Government is now beginning to recognise the potential cloud has to help us deliver ‘better for less’, to drive down costs and to improve services.  Our job now is to seize the opportunity to capitalise on that.  Cloud is a ‘no-brainer’, but we need to avoid getting into a tiz about how scary it sounds to us and how ‘special’ we think we are.
Clearly, his point is that government computing requirements are not unique after all – "we need to avoid getting into a tiz about how ... ‘special’ we think we are". He thinks that's an argument for adopting cloud computing. It isn't. It's the reverse.

Anyone using the cloud has lost control of their data and of their costs. Do lawyers store your confidential data in the cloud? Let's hope not. They shouldn't. There's nothing special about government in this respect. HMG shouldn't adopt cloud computing either, any more than lawyers. Not if they're going to maintain national security. Not if they're going to take the confidentiality of personal data seriously. And not if they have a brain.

Public administration in the UK is in a parlous state. No-one doubts that there are real problems. Cloud computing is not the answer.

----------

PS For what it's worth, DMossEsq posted a comment on the G-Cloud blog raising some of the questions above. The comment has been published but the last sentence, including a link to this article, has been removed. It's a small thing but was the comment edited in the UK? Or Vanuatu? How will you defend your position if your tax records are edited? And what if they're copied by Google, at the request of the US government? While framing your answers, please follow Mr Scaife's advice and try to "avoid getting into a tiz about how scary it sounds to [you] and how ‘special’ [you] think [you] are".


Friday 23 March 2012

Official: stillborn French biometric ID card scheme not just extra-terrestrial but also unconstitutional, 13 times over

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? 60+ members of the National Assembly and 60+ members of the Senate referred the law to the French Constitutional Council. What does the Council make of it?

The Conseil constitutionnel published its Decision no. 2012-652 DC yesterday, 22 March 2012. They're not pleased.

Since it's been re-numbered, the law has 10 articles. Four of them are completely unconstitutional according to the Council. So are bits of two other articles:
The following provisions of the law on the protection of identity are declared contrary to the Constitution:

- articles 3, 5, 7 and 10;
- the third paragraph of article 6;
- the second sentence of article 8.
The Council has 10 objections to the way the scope of a law supposedly concerned with identity fraud has crept into terrorism and many other areas. And three objections to the use of the proposed biometric ID cards for eCommerce.

These 13 counts of unconstitutionality are laid out in the Commentary which accompanies the Decision and summarised in the Council's press release, in which the law is judged to be disproportionate and to infringe people's right to privacy:
Having regard to the nature of the data recorded, the scale of this processing, its technical characteristics and the conditions under which it may be consulted, the Constitutional Council held that article 5 of the referred law infringed the right to respect for private life in a way that cannot be regarded as proportionate to the aim pursued. It accordingly struck down articles 5 and 10 of the referred law and, as a consequence, the third paragraph of article 6, article 7 and the second sentence of article 8.
When it comes to the use of the proposed ID cards for eCommerce and digital signature, where Serge Blisko considers that the government had taken off into the stratosphere, the Council say:
In addition, the Constitutional Council examined article 3 of the law, which conferred a new function on the national identity card. This article opened up the possibility of the card containing "data" enabling its holder to use his or her electronic signature, which turned it into a tool for commercial transactions. The Council noted that the referred law specified neither the nature of the "data" by means of which these functions could be used nor the guarantees ensuring the integrity and confidentiality of those data. Nor did the law define the conditions for authenticating the persons using these functions, in particular minors. The Council accordingly held that the law, for want of these specifics, had disregarded the extent of its competence. It struck down article 3 of the law.
In other words – less dignified words – the government haven't got a clue how the cards would be used for eCommerce or, to put it another way, they don't know what they're talking about. Or legislating about.

Yesterday was a bad day for the banks – they continue to be responsible for frauds perpetrated against them, they haven't yet managed to introduce digital signatures to pass that risk off on their accountholders. It was a bad day for the astrologers and stamp-collectors of the biometrics community. It was a bad day for the latter-day leech-farmers of the moribund plastic card community. It was a bad day for industries seeking illegal State aid. And generally a bad day for the attempted resurrection of Vichy.

On the other hand, it was a good day for democratic government and for the French people. A very good day.


Thursday 22 March 2012

EXCLUSIVE: Man in shower gets wet

1. In the year to 31 March 2012 public expenditure is estimated to be £710 billion. According to yesterday's Budget, Whitehall expects to spend £683 billion over the next year, a tiny reduction of 2.4% in nominal terms, very slightly more in real terms, taking RPI inflation into account.

Gordon Brown was always very good at hiding expenditure, behind PFIs and peculiar corporate structures like Network Rail – we have to hope that £683 billion doesn't omit any expenditure that is known about but not being declared.

2. Of that public expenditure, £50 billion in 2011-12 was interest on the national debt and that figure is expected to fall a respectable 8% to £46 billion in 2012-13.

If our credit rating falls and interest rates rise, the good news will evaporate. If interest rates double, then £46 billion becomes £92 billion, an 84% increase on 2011-12.

3. The Exchequer was expecting to collect £589 billion of revenue in 2011-12 and expects £592 billion in 2012-13, a tiny increase of 0.51%, which is good, but better would be to see a significant decrease. Individuals and companies are less likely to waste their money than Whitehall.

The attention being paid to tax avoidance could have some surprising victims – that great scourge of tax avoidance, the Guardian, relies for income on its Cayman Islands joint venture with Apax Partners and if they have to start paying the tax they owe – if the GAAR is pointed at them – then the newspaper could go out of business in one year instead of three.

4. In 2011-12, the nation borrowed an estimated £121 billion to keep itself in the manner to which it has become accustomed. The deficit in 2012-13 is expected to fall to £91 billion, a tidy reduction of 24.2%. Do we really have to wait five more years for a balanced budget?

With the economy flat and the national debt little short of £1 trillion – yesterday's figure was £985 billion – the media still manage to sound surprised that people are worse off. How do they do it? Which maths lesson did they miss at school? Addition? Subtraction? Were they asleep throughout the Autumn of 2008?

Just to remind them, Gordon Brown had to fly off from the 2008 Labour Party conference to "save the world", or at least the UK, from the mess he and Ed Balls and Sir Gus now Lord O'Donnell had created. There was a problem then and there still is. Wishful thinking hasn't made it go away.


Wednesday 21 March 2012

Stillborn (mort-né) French biometric ID card scheme killed by crude mistake in technocrats' design

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at the quality of the design decisions taken at this early stage. Do the technocrats know what they're doing?

We must start as ever with the immaculate speech given by Serge Blisko on 13 July 2011 ("the speech that just keeps on speaking"):
The Socialist group in the Senate has moreover questioned the fact that this second, "services" chip would be managed by the Ministry of the Interior. Do you, as Minister of the Interior, need to know the purchasing and consumption habits or the comings and goings of millions of citizens? We are here in a world such as Orwell described in 1984, whose obsession with control seems to me out of place where protection against identity theft is concerned. This real problem does not call for a stratospheric deployment making it possible to trace the movements and purchases of individuals!
The new ID card will have two chips (puces) in it, one of them to allow you to deal with the State (the puce régalienne) and the other for eCommerce (the puce commerciale). M. Blisko says that the effect of the latter would be to open your life to minute surveillance, the Minister of the Interior could learn all your buying preferences and he or she could know everywhere you go.

That Panopticon facility goes way beyond the putative objective of the legislation, which is meant to be restricted to identity theft (l’usurpation d’identité). In fact according to M. Blisko, it leaves the planet altogether and launches into the stratosphere.

[Image. Source: University of Tennessee, Knoxville]
RECIPE: Mix plastic cards (50 million) and surveillance (24/7) into a large pan. Stir in taxpayers' money (several billion Euros) ...

Let's leave those ingredients to simmer for a while.

In the interim, consider instead this point. If each card is 1mm thick and if you need 50 million of them to certify the French population then, if you placed the cards one on top of the other, you would have a pile of plastic 50km high. M. Blisko is right. Your pile of plastic cards would reach from the Assemblée Nationale all the way up to the top of the stratosphere. (NB: Mont Blanc = 4.81km)

If you had been a Tsar of all the Russias, what wouldn't you have given for plastic cards to use in your propiska system! The прописка was an early form of Russian ID card issued in the nineteenth century to help to govern the population. Plastic – that twentieth century invention – would obviously have made propiski more durable than the mere paper that was available to the Tsars. If only plastic had been available, the Tsars would have ordered a 50km high pile of it like a shot.

They would. But we can't. We know that the earth and the seas are already polluted with too much plastic. If there is any alternative, we should use it and not add to the pollution. Is there an alternative?

What are the plastic cards needed for? Answer, to carry the puces which support secure transactions, whether régalienne or commerciale. Couldn't we put the puces in something else, instead of yet another plastic card? Yes. We could put them in a mobile phone (a portable).

As it happens, not only could we put chips in mobile phones, we already are putting chips in mobile phones, as the redoutable M. Blisko effectively says:
In the early days of commerce on the internet, there was a lot of fraud. Nowadays, in order to allow a secure exchange, in particular for purchases above certain amounts, there are passwords, single-use codes which can be sent to a mobile phone, confirmations by email, etc.
Payment systems – and therefore identity management systems – are moving to mobile phones. Everything is moving to mobile phones. The mobile phone is an ineluctable evolutionary process in society. Nothing can stop it. Anything that gets in the way is mown down contemptuously.

That includes the old 85mm x 54mm plastic card business. It's outdated and irrelevant. It's dead. As dead as leech-farming (la cultivation des sangsues?). And there's no point trying to revive it. Any tax money thrown at it is tax money wasted.

Today's Tsar of all the Russias would issue digital certificates, not plastic cards. And he would transmit them to people's mobile phones, he wouldn't post them. But not, apparently, today's French technocrat.

A true forget-nothing-learn-nothing Bourbon, the modern French technocrat is prepared to ignore the advent in the last millennium of the mobile phone. He is happy to propose a nineteenth century scheme for use today. In the ancien régime he still inhabits, so what if that means polluting the planet? And so what if it means wasting stratospheric amounts of taxpayers' money?

Our dish of plastic cards and surveillance is ready now. And very unappetising it looks, next to mobile phones:
  • People voluntarily pay for mobile phones themselves ...
  • ... and they voluntarily take their mobile phones with them wherever they go.
  • Mobile phones can be tracked. They have to be. That's how the mobile phone networks work. So you can be tracked.
  • The networks record who you call and who calls you. They have to. To connect the calls and to charge for them. The effect is that the networks know who your contacts are ...
  • ... as well as where they are.
  • And what's more, unlike the national biometric ID card, the mobile phone actually exists and has all these facilities for traçage now.
  • As we move around with our mobiles switched on, we are already all of us permanently projecting our identity onto the record, as we have been for years.
Children identify with their mobile phone and their mobile phone identifies them. The mobile phone is an ID card. It just is. For any totalitarian, it is the culmination of his dreams (le comble de ses rêves?). It is a rich and succulent main course whereas by comparison the old-fashioned and unimaginative, pedestrian and under-powered plastic card scheme proposed by the French government is a sickly, thin gruel.

Which suggests a surprising conclusion. Inattendu (unexpected) but just for once, perhaps M. Blisko is wrong?

Perhaps the Interior Minister isn't interested in the ID card as an instrument of surveillance as M. Blisko alleges? The Minister's already got mobile phones for that.

The plastic cards are a mistake. They mean that the scheme cannot work for surveillance or for anything else, including the fight against identity theft. The national biometric ID card scheme is not yet born but it is already dead. So why does the Minister want it? It's a mystery.

When in doubt, follow the money. Then it can become clearer.

There are two big transfers going on:
  • Firstly, with the introduction of digital signatures under the Minister's scheme, risk is being transferred from the banks to the accountholders, and money therefore is being transferred the other way.
  • Second, a collection of suppliers, including astrologers and stamp-collectors and as we now know latter-day leech-farmers, will be paid public money to create a new identity management network that's not needed – it's not needed because France already has several mobile phone networks.
More and more, this Vichy law of 6 March 2012 looks like nothing more than an illegal State subsidy to a number of favoured industries, at least one of which (85x54 plastic cards) is already dead.


Tuesday 20 March 2012

Brodie Clark has been silenced, several months too late for the Home Office

The Brodie Clark affair is closed. Normal service is resumed, it's as though it never happened, there's nothing to see here, folks, move along please:

Brodie Clark receives £100,000 over Border Agency row - but no one is to blame

The senior civil servant at the centre of the passport checks fiasco has received more than £100,000 after settling his damages claim against the Home Office, with neither side admitting fault.

Brodie Clark stood down last year as head of the UK Border Force after being publicly blamed by Theresa May for relaxing entry checks at airports in order to reduce queues.

He denied he was a “rogue officer”, claimed the Home Secretary had made his position untenable for “political convenience” and began a claim for constructive unfair dismissal.

But on Friday it was announced that the parties had settled before the case reached an employment tribunal.

The amount of public money paid to Mr Clark to settle the case was not disclosed, but it is thought to be more than £100,000.

Neither side admitted fault and while the settlement may save time and legal costs for the Government, it also means the full account of what happened – which led to the UK Border Agency being split in two – may never be disclosed.
It sounds as though Brodie Clark has received substantially the same offer made to him and accepted by him in early November 2011. The offer was quickly withdrawn and as a result the public was treated to a series of media and Westminster battles, three Home Office internal enquiries and a Home Affairs Committee enquiry.

The powers that be must regret withdrawing that November offer because in the interim we have learnt that:
  • For several years successive home secretaries in successive governments have not, in their own estimation, exercised proper control over the UK Border Force and neither have their understrapper immigration ministers.
  • The officials are no better than the politicians. Successive permanent secretaries at the Home Office – and the cabinet secretary himself – might as well not have turned up to the office for all the good their presence did. Again, that is in their own estimation.
  • Ditto successive chief executives of the UK Border Agency and the rest of the Board of UKBA, executive Directors and non-executive Directors alike, their presence on the payroll seems to have added no value. Either that, or Brodie Clark wasn't doing anything wrong.
  • The Home Office is happy to thumb its nose at Parliament's efforts to discover the truth, in this case first promising and then refusing to disclose documents to the Home Affairs Committee.
  • The Home Office don't know how to conduct a trial properly, whether that is a trial of new intelligence-led/risk-based procedures or a technology trial. If pharmaceutical trials were conducted to the same standards, we'd all be dead. Ditto airworthiness trials for new airplanes.
  • The face recognition technology deployed at the border makes no contribution to security whatever and ditto the flat print fingerprint technology.
  • The "technology" that does work – human beings – is being decommissioned. Fast. Hundreds of members of the UK Border Force have already been laid off and hundreds more are still to go, all to be replaced by technology that doesn't work.
  • Their lay-offs are not to save money. The government deems it preferable to spend ten times as much on contractors – a motley band of astrologers and stamp-collectors.
And what have the government learnt? Judging by Damian Green's speech to RUSI the other day, nothing. Everything carries on as before. The border remains secure. It remains the case that the 2012 Olympics will be safe.


Monday 19 March 2012

The French parliament wants to comply with the European Commission by making France more like Pakistan

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at the journey France is making – where did this scheme come from and where is it going to?

The recent history of biometric ID card schemes in Europe begins with the European Commission. In 1999, as part of the eEurope five-year plan, the Commission initiated a project to specify a system for pan-European biometric identity management. The specification job was given to eESC, the eEurope Smart Card forum and in 2003 they delivered OSCIE, the open smart card infrastructure for Europe.

It's a bit daunting, there are 2,000 pages of OSCIE, but perhaps the best thing is to concentrate on the paper on electronic identity, a mere 66 pages. That is the tune that France is marching to. The tune of 27 unelected and unaccountable satraps in the Berlaymont who have given up the job of governing people, it's too difficult, and decided instead to govern electronic identities.

The advocates of biometric ID always say that the cards are intended to make your life easier. With a biometric ID card, it will be easier to get a passport or to open a bank account or to move jobs, they say. But we can already get a passport and open a bank account and move jobs without a biometric ID card.

What the advocates of biometric ID cards mean is that, once we have OSCIE, life without a card will be impossible. The card will be required for every transaction, every communication, every state benefit, including healthcare and education. No card, no life. Life's optional and so the card is optional. The logic is impeccable.

That's where the project is coming from. And where's it going?

As it happens, there is a country that has been issuing multi-biometric ID cards since the year 2000. 120 million of them have been issued by NADRA, the National Database and Registration Authority. With their multi-biometric ID cards, 120 million people can now enjoy the pleasures of ePassports, electronic access control and attendance records at work, electronic driving licences, eCommerce, eVoting and many more.

And which is this country?

Pakistan.

The French parliament have fallen in with the European Commission plan to make France just that little bit more like Pakistan.

Why? What reason can the French government possibly give to explain this desire to become more like Pakistan?

They can hardly say that it's because they find governing people too difficult. Even if it's true. Nor can they get the population on-side by arguing that they are putty in the hands of the Commission, the Commission can mould them into any shape they please, France has to do what the Commission tells them to do. Even if it's true.

Instead, the French government deploys the identity theft gambit. In his 13 July 2011 speech, Serge Blisko (politely) pours scorn on this move:
Can putting potentially 45 to 50 million people on file – an estimate endorsed by everyone who gave evidence to the committee – with the sole aim of combating identity theft, which affects a few tens of thousands of French people a year, be considered proportionate?
A moment's thought reveals that you don't fingerprint 50 million people just to try to reduce the incidence of identity theft which affects maybe 10,000 people, i.e. 0.02% of the people. It's not proportional.

Two moments' thought suggests that the incidence of identity theft is more likely to rise if you collect everyone's enrolments together in a national population register – if you create a single point of weakness, identity theft won't go down, it will go up.

And three moments' thought reveals that under the French scheme identity theft will become legally impossible anyway, not because cardholders won't be defrauded but because when they are, thanks to digital signatures, they'll be irrevocably liable for the loss themselves.

So identity theft can't be the reason. Not the real reason.

The acceptable reason for biometric ID cards according to the government is given in another part of M. Blisko's speech:
It is true that the fight against identity theft is a major industrial and commercial issue for France, since the companies whose executives we heard from are world champions in this field and 90% of their business is exports.
France has plastic card manufacturers and chip manufacturers and biometric technology suppliers who are "world champions" and who contribute mightily, it is said, towards the country's exports. If the French people themselves will only agree to become walking advertisements for these industries, then exports will be assisted. It is every patriotic Frenchman's duty, according to this way of thinking, to become a human billboard in the marketing campaign of a few illegally subsidised companies. (No point complaining to the Competition Commissioner, of course, about that "unlawful state aid". It is the Commission's bidding that France is doing.)

Normally, advertisers pay for space. In this case, the tables are turned, and the mobile advertising space is paying the campaigners. The national biometric ID card scheme will cost billions of Euros. Those billions will not come out of thin air. They will be paid from the tax contributions of every French citizen and company.

It has a sort of Mephistophelean logic. It might work in some countries. But not France. Not in a nation with 246 different cheeses (© 1962 C. de Gaulle).

The French people kindly volunteer to pay for any mistakes their banks make

What is the ... electronic signature for?

Remember France? Remember 6 March 2012 when the French parliament decided to introduce national biometric ID cards? In a scheme reminiscent of Vichy? Time to take a look at one aspect of this scheme – digital signatures (signatures électroniques). Someone needs to tell the French people what their government is letting them in for.

Serge Blisko, député de Paris, has tried to tell them. Bravely. No British MP would try to talk about PKI (the public key infrastructure) and digital certificates. But M. Blisko did. In his immaculate speech of 13 July 2011. Three times:
This bill provides, in Article 2, for the creation of a biometric identity card, including in particular people's fingerprints, along with other elements such as height and eye colour. Article 3 creates an additional function which could be activated, optionally it is true, by the holder of the national identity card for commercial transactions on the internet and for dealings with e-government. This function would allow the holder to identify themselves on the internet and to use their electronic signature. In practice, the person will still need a device connected to their computer, which does not seem very simple. They will be free to choose which personal data they wish to transmit ...
In 2005, despite the technology of the time, the debate was the same as today: the creation of an electronic national identity card, hence containing biometric data, was already being considered; it opened up the possibility of proving one's identity on the internet and of signing electronically ...
A last unpleasant aspect, over which you passed rather quickly, Mr Rapporteur: this bill is an opportunity to facilitate commercial exchanges. I am not against securing the electronic signature on the internet for filing one's tax return or paying a fine to the Treasury, but the bill goes beyond the sovereign domain of the state and its budgetary extensions.
France's new ID cards will include facilities for identifying yourself over the web and for signing documents digitally. Let's take an example. Let's say you're buying a car for €30,000. And the document you're signing digitally is the contract for sale.

As M. Blisko says, the exact process for digital signature remains undefined but, having once taken their leap in the dark, the French will find that however it works, it's "pas très simple".

That's a charming understatement. Implementing PKI properly is extremely complicated.

But suppose the French manage to do it. They're good at infrastructure. They've got good people working on the problem. They've got the will. It's a matter of national pride. Marianne, la patrie and all that. Let's assume that France can get a PKI system up and running with 50 million users. No-one else has ever managed that. But, just for the sake of argument, if and when France manage it, what then? What is the effect of signing a document digitally?

M. Blisko doesn't answer that question, for the good reason that he doesn't ask it. Perhaps he assumes that everyone already knows what digital signatures mean. Just in case they don't, though, here is the answer in one word – non-repudiation.

If you sign a document digitally, you cannot repudiate your agreement. You are committed. Irrevocably.

Further, the fact that the document is digitally signed means that you signed it. You cannot claim that someone else signed it. Even if it's true. Even if it is a case of identity theft/l’usurpation d’identité, that is no longer legally relevant. Legally, you signed the document and you owe the car company €30,000. That's the law, as far as digital signatures are concerned.

Without digital signatures, if your credit card is misused, by your daughter's dodgy boyfriend for example, a fraud is perpetrated against the bank that issued the card, the bank made a mistake, they shouldn't have authorised the payment, it's their problem. With digital signatures, it's your problem. The risk has been moved from the bank to you.

Is that what you wanted, vous les autres les français? Is that what your parliament told you would happen? Are you happy to change the law and end up underwriting the banks? If the answer is yes, in each case, then my apologies for disturbing you with this irrelevant post, excusez-moi de vous avoir dérangé. But if the answer is no, you might like to have a little word with your député and ask him or her what on earth they think they're doing.

Thursday 15 March 2012

Vichy redux

Nine days ago on Tuesday 6 March 2012 the French National Assembly enacted a Bill to protect people from identity theft. The proposition de loi relative à la protection de l’identité is now French law.

You might think that this Act is just like the UK's now repealed Identity Cards Act 2006. Wrong.

There are similarities. Everyone over a certain age will be enrolled in a French population register (a fichier) and will be issued with an identity card. The card will have microchips in it (puces). The chips will somehow use your biometric data (données) to support identity verification. I.e. they will allow you to prove that you are who you say you are. The French are even using the same misinformation – the cards will be "optional" (facultatives), according to an article in Le Monde.

But there's a big difference. The UK ID card scheme was going to use flat print fingerprint technology (empreintes posées) which is cheap, easy to use/no expert required, clean and utterly unreliable. The French know that. They're not stupid. It's French companies that provide this waste of money/snake oil biometric technology. They're hardly likely to make the same mistake.

What they propose instead is to use the same high quality rolled print fingerprinting technology as the police (empreintes roulées), forensic quality technology acceptable as evidence in a court of law. On the whole population. The whole of France is going to be issued with what the FBI call a "Ten Print Rap Sheet" or TPRS, just like Al Capone.

Serge Blisko is the MP (député) for Paris. Here he is speaking on the Bill last year in Parliament:
Speech by Serge Blisko on the identity protection bill
Wednesday 13 July 2011, 15:31
Category: Society, Speeches
Preliminary motion to reject, by Serge Blisko, député for Paris

... all citizens will from now on be obliged to give their fingerprints at one of the 2,000 administrative police offices that you have described, Minister. What is more, these will be very particular fingerprints. I refer to the hearings of senior officials of the Ministry of the Interior: people will have to give the prints of eight of their fingers by the rolled-print technique, not the flat-print technique. It is very different from the flat print because it is a forensic technique. We are then no longer engaged in recognising identity, but in the logic of a criminal investigation file ...
It is almost unprecedented for a government to tell its parishioners that they are all regarded as criminals. In fact, Mr Blisko can think of only one case – Vichy France:
Minister, I regret to recall that France has only once created a general register of the population, and that was in 1940. It was, moreover, destroyed at the Liberation.

Here is an extract from the law of 27 October 1940 of the French State: "Obligation to hold an identity card from the age of sixteen, bearing fingerprints and a photograph, and to declare any change of address. Establishment of a central register of the population and of an individual identification number."

This central register, as I was saying, was destroyed at the Liberation. It is therefore since the Vichy period that France has not known, and has not wanted, such filing of its population.
France. Our partners in the EU. They wouldn't do that, would they? They wouldn't reintroduce Marshal Pétain's law of 1940. Would they?

They just did. Nine days ago on Tuesday 6 March 2012.

The whiff of cordite in Whitehall

Rt Hon Margaret Hodge MBE MP is making a speech today at Policy Exchange. This is the latest battle in her war to make Whitehall accountable to Parliament. Whitehall wastes our money with impunity, as it says at the head of this page. In the attempt to put a stop to this state of affairs, traditionally, Whitehall has always won hands down. Perhaps we should expect history to repeat itself.

Or perhaps not. Never has the ancien régime been led by a general as vulnerable as Sir Gus now Lord O'Donnell, the man to whom we owe the present parlous state of our national finances.

Sunday 11 March 2012

Cabinet Office using cyber security budget to increase risks to the public

Can someone advise, please, is there a polite way of asking can any British government tell its arse from its elbow?

The Cabinet Office want to deliver all public services over the web. Public services should be "digital by default", as they say.

The web is a dangerous place to be if you want to maintain secrecy/privacy and if there's any money around. The web is perfectly adapted to breach confidences and to steal money. Let today's Sunday Times make the point. In Chinese steal jet secrets from BAE they tell us that:
CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese have exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the £200 billion F-35 Joint Strike Fighter (JSF), a multinational project to create a plane that will give the West air supremacy for years to come ...

Professor Anthony Glees, director of the Centre for Security and Intelligence Studies ... said: “It seems the Chinese were getting plans which allow them to undermine the defence capacity of the country. It’s deeply unsettling that GCHQ [the government eavesdropping centre in Cheltenham] didn’t spot this for so long because they are the people who are meant to be leading the fight against cyber crime.”
There's a wide selection of cock-ups to choose from here:
  • With £200 billion at stake, the Sunday Times reported on 12 January 2012 that Royal Navy’s new jet cannot land on aircraft carriers. Never mind, you may say, it's only £200 billion and we haven't got an aircraft carrier anyway.
  • And three years ago, the Sunday Times reported that BT had bought equipment from China's Huawei telecommunications equipment company despite warnings that it could be used to "shut down Britain by crippling its telecoms and utilities" and that "government departments, the intelligence services and the military will all use the new BT network". Patricia Hewitt, trade and industry secretary at the time the contract was being negotiated, declined to intervene because it was "a competitive tender between two commercial companies". How very upright of Ms Hewitt not to let security interfere with competition.
But put those cock-ups aside. For current purposes, consider instead the following.

Rt Hon Francis Maude MP is the Cabinet Office Minister and according to his entry on the Cabinet Office website:
He leads on:

• Public Sector Efficiency and Reform
• UK Statistics
• Civil Service issues
• Government transparency
• Civil Contingencies
• Cyber security
• Overall responsibility for Cabinet Office policy and the Department
With his cyber security hat on, Mr Maude disposes of a budget of £650 million. Much-needed, judging by the success of GCHQ and BAE's attempts to fend off the Chinese.

With his public sector efficiency and reform hat on, Mr Maude wants to put Whitehall on the web. That's what "digital by default" means and that requires him to ignore his cyber security hat.

But it's worse than that. Digital by default requires something called identity assurance, a service which doesn't exist yet but is supposed one day to allow us all to prove who we are, over the web, while we're busy communicating with the government. The development of this service was unfunded until 31 October 2011 when Mr Maude announced that he'd found £10 million of public money to give it.

And where did he get this cyber security-busting £10 million from?

You can have 650 million guesses.

----------

Updated 23.6.14

Whitehall considers security shake-up

The government is understood to be carrying out a review of Whitehall organisations with a remit for electronic and computer security to determine any possibility of consolidation.

Informed sources say that one of the suggestions being considered is that CESG, the government's National Technical Authority for information assurance, should be separated from GCHQ, the signals intelligence agency.

That could mean the Cabinet Office taking over responsibility for CESG, with whom it has an ongoing relationship.
 "That could mean the Cabinet Office taking over responsibility for CESG". Oh God.

    Friday 9 March 2012

    You know you've arrived when ...

    Towards the end of a long and illustrious career, already garlanded in the seats of power the world over, what bauble could possibly further crown his achievement? This was the conundrum perplexing DMossEsq.

    The Governorship of Hong Kong? Too late.

    The Order of the Garter? All things considered, no.

    Could he be the next Pope? His lips are sealed.

    The answer recently came to him. At last. As so often in today's global world, it was thanks to Google.

    Enter "david moss" "cabinet office" into Google, go down to the bottom of the page, click on 3 or above and, when the page has refreshed, towards the bottom of the page you will see:
    In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org.
    One hit has been removed from Google's list. Which one? You want to know. You click on the read-all-about-it link and you get:
    Notice Unavailable

    Defamation Complaint to Google
    Sent by: [individual]
    To: Google

    The cease-and-desist or legal threat you requested is not yet available.

    Chilling Effects will post the notice after we process it.
    Defamation? What defamation? This could be fruity. Who is the individual who complained? There is a certain dignity in these matters. Pray God it's not someone dull.

    ChillingEffects.org? No, me neither.

    Some sort of a kangaroo court? No. According to their website, Chilling Effects is:
    A joint project of the Electronic Frontier Foundation and Harvard, Stanford, Berkeley, University of San Francisco, University of Maine, George Washington School of Law, and Santa Clara University School of Law clinics ...

    Chilling Effects aims to help you understand the protections that the First Amendment and intellectual property laws give to your online activities. We are excited about the new opportunities the Internet offers individuals to express their views, parody politicians, celebrate their favorite movie stars, or criticize businesses. But we've noticed that not everyone feels the same way. Anecdotal evidence suggests that some individuals and corporations are using intellectual property and other laws to silence other online users. Chilling Effects encourages respect for intellectual property law, while frowning on its misuse to "chill" legitimate activity.
    Mystifying. Has DMossEsq defamed someone? Allegedly. Has someone allegedly defamed DMossEsq? Who knows? It's not clear. Let's hope that Chilling Effects hurry up and process the "cease-and-desist or legal threat" submission. The suspense waiting for them to post their notice will be hard to bear. Is DMossEsq at last the subject, or even the object, of that must-have for a career to be complete, a superinjunction?

    Wednesday 7 March 2012

    The behaviour of the Cabinet Office is infantile

    The Government Digital Service operate a blog so that we can all see what they're up to.

    GDS is part of the Cabinet Office and what they're meant to be up to is making public services more efficient.

    On 6 March 2012, one Bob Kamall published a post on the GDS blog called Engaging With The Hard To Reach. It's all about his visit to a charity in Southwark, St Mungo's, which provides care for the homeless.

    You can read Mr Kamall's post. But you won't believe it.

    The following comment has been submitted in response. Will it be published? Will the Cabinet Office pay any attention?
    Mr Kamall

    In the circumstances, the Riot Act will now be read.

    You say:
    We recognise that if we are to succeed in driving channel shift to digital then services and transactions need to be developed with a relentless focus on users. We want to make use of the most innovative and versatile technology to deliver products that match industry leaders while ensuring that no-one is left behind.
    You mean:
    We recognise that if we are to focus relentlessly on users then concentrating on driving channel shift to digital is to miss the point. In public services we are the industry leaders and there is no comparison with the Facebooks and Amazons of this world – they can leave people behind, we can’t. Our job cannot be achieved by the use of innovative and versatile technology. That is for children. We are grown up and responsible. People depend on our services and we know it.
    You say that you want to show how GDS can engage with the hard to reach. There are nine or ten million of them, Bob. All that you actually offer in your post is oiling bicycle chains in the basement of St Mungo's.

    In 18 months' time DWP's Universal Credit goes live. When the public realises that nine or ten million people have been excluded from the universe by default there will be fury in the land. DWP will be blamed. And DWP will blame GDS, pointing to ex-Guardian man Mike Bracken's post Identity: One small step for all of Government in which he unwisely pretends to have control over DWP.

    The Cabinet Office will then look like a branch of St Mungo's in Whitehall, a junior school feeding the main one in Southwark. A junior school housing a roster of unfortunate derelicts incapable of dealing with reality. Derelicts in need of care, expensively provided by taxpayers whose patience has run out.

    People will re-read Paul Downey's Blurring Boundaries post:
    I joined GDS because there's nothing cooler than working on something that touches so many people's lives ... sitting on one part of the floor can feel a little like being in a bouncy castle. There's a nice kitchen that's only missing one essential bit of kit: we could really do with a dishwasher! ... Rather impressively by lunchtime of my first day I'd been given a Cabinet Office Email address (accessible using Google Apps for Business), a laptop (a security hardened 13" MacBook Air) ... Just before heading home we decided to create a commemorative Valentine's Day homepage for GOV.UK. A Kanban card was added to the sprint wall and Ben quickly came up with a design. I sat with James Weiner and Dafydd Vaughan whilst we built, tested and deployed the new ‘heart-shaped wood’ homepage, meaning I witnessed concept to delivery all in the space of half an hour.
    And through the blur they will see an expensive Eton in SW1 housing the Potemkin equivalent of the privileged children of the aristocracy, but without Eton's success rate, more like the op-ed team of the Guardian, forever insulated from reality, or at least until the money runs out, also in 18 months' time:
    On my first day I hung my satchel on a peg with my name on it. Me and Pete did a potato print of a flower. It was cool.
    No wonder Universal Credit didn't work, people will say, looking back in 18 months' time. And even if the front end had been delivered it couldn't have worked because some hippy teaching assistant in the second form had switched off the Government Gateway, promising to replace it with a cloud, the answer is blowing in the wind, man.

    And even before that, before October 2013 – which to us old people by the way is just around the corner, like tomorrow – GDS and DWP are promising to have provided 21 million Brits with an electronic identity by the Spring of 2013. That's what it says in the OJEU ITT. What drugs are you dealing in that bouncy castle? After eight years of unstinting political support and an unlimited budget IPS had issued just 4,000 ID cards. And GDS think they can equip 21 million people with working accounts six months after awarding the IdA contract, do they? Including nine or ten million who have never used the web? On which planet?

    And who is the contract going to be awarded to? Not the chicklets in the Technology Strategy Board incubator. They haven't got the scale. Not the banks. Why would they want their brands destroyed by confessing to any connection with this train crash? Who does that leave?

    Facebook and Google. Take a look at ex-Guardian man Mike Bracken's asinine what-I-did-on-my-holidays post, Thoughts on my recent trip to the West Coast with Francis Maude, Minister for the Cabinet Office:
    Andrew Nash, Google's Director of Identity, ran us through the current issues facing identity. He explained how Google aim to grow and be part of an ecosystem of identity providers, and encouraged the UK Government to play its part in a federated system. The UK ID Assurance team and Google agreed to work more closely to define our strategy – so look out for future announcements. Andrew also took the opportunity to walk the Minister through the Identity ecosystem.
    There is no trust in Google. Or Facebook. GDS's claims that they can create trust are laughable, like the magician at a children's party who claims to have pulled a white rabbit out of an empty top hat. GDS can't create trust at the throw of a switch. They can't create a market where there is none. They can't create an ecosystem.

    Do you have any idea what these infantile delusions look like to the grown-ups not yet in St Mungo's? Can you imagine what they make of it in Brazil? Or the US? Or Russia or China?

    They must look on amazed that a once-adult country has entrusted its public services to a group of imbeciles in a nursery school chanting the word "agile".

    What does Ian Watmore think he's doing?

    Why does Francis Maude put up with it?

    If I don't tell you, someone else will. You're making fools of yourselves. At public expense. There will be tears before teatime, Bob. You're facing disaster and public humiliation, quite properly, unless you guys wake up quickly, come out of your privileged little bubble, sort yourselves out and shape up.
    Cribsheet:
    • The Cabinet Office have failed before with this plan. It was called "transformational government" then. Only the name has changed. There is no reason to believe they can succeed this time.
    • As the name suggests, the Government Gateway is the computer system that many adept individuals and organisations in the UK currently use to communicate with the government. Unlike the "open source" code on which GDS's dreams depend, the Gateway actually exists. GDS want to throw it away and replace it with a government cloud, G-Cloud, that will look more like their juvenile heroes' websites – Amazon and eBay and Google and Facebook – replete with an ad server (see p.9) so that we can all book a holiday while submitting our tax returns.
    • GDS are acting under the influence of Martha Lane Fox's "digital by default" initiative. All public services are to be delivered over the web and only over the web. They ignore the problems of cyber security. And they ignore the fact that between nine and ten million people in the UK have never used the web and will be excluded by default.
    • GDS depend on IdA, a putative identity assurance service somewhere in the currently non-existent G-Cloud, a sort of private sector ID card scheme without the cards. IdA doesn't exist. There is no such thing as IdA. Another hole at the heart of their plans, along with security, and accessibility by their parishioners.
    • Any lawyers present might like to consider whether IdA requires primary legislation. There isn't any and there's no time left before the IdA contracts are to be awarded in the Summer of 2012 to fill the hole.
    • The problems of large computer systems persist. GDS's modish references to "cloud computing" and "agile" systems development methodologies have not made them go away.
    • Anyone with any energy left after getting to grips with the Cabinet Office and DWP could use it up looking at the related Department of Business Innovation and Skills midata project.
    • As for the Guardian, on 8 August 2011 they wrote in their own paper: "Andrew Miller, the GMG [Guardian Media Group] chief executive, has warned that the group could run out of cash in three to five years if the business operations did not change, adding that the newspapers would aim to save £25m over the next five years, releasing funds to be reinvested in other activities". The Daily Telegraph's 16 December 2011 article reported the closure of some Guardian supplements, the curtailment of others, several hundred redundancies and a so far unimplemented plan for the Guardian to get out of printing paper altogether.
    ----------

    Updated 22 November 2013:

    Ex-Guardian man Mike Bracken made a speech on 16 October 2013, Redesigning Government, in which he argues, among other things, that you've got to have fun at work. No argument with that.

    But what do you call fun?

    The clip below, from his speech beginning at 26'17", suggests that it's a pretty infantile idea of fun at GDS and confirms that the infantilism identified in the post above was built in to the human resources management policy right from the start:


    How do you motivate adults? The finest minds in digital? This generation? The GDS answer is apparently bunting, stickers, fluffy mascots, animal costumes and cake.


    Updated 29.4.15

    It's over three years since the post above was published. DMossEsq had forgotten about it. Then it was linked to in an ElReg special report yesterday, The Government Digital Service: The Happiest Place on Earth.

    It's over 18 months since DMossEsq added the update immediately above, dated 22 November 2013, with its reference to GDS's human resources management policy.

    Then lo.

    And behold.

    ElReg's special report quotes extensively from an external consultancy report on GDS's human resources management policy commissioned to "examine staff morale and high turnover at the Government Digital Service". The special report includes the following and three more pages like it:
    The most scathing findings are reserved for the top management, who GDS' own staff say created a “chumocracy”. This would have consequences for morale, contributing to a high turnover of staff.
    Far from being the happiest place on earth, GDS bears an uncanny resemblance to the island in Lord of the Flies, if the external consultants are to be believed. The Northcote-Trevelyan principles which have governed Whitehall for 161 years now seem to have been ignored when GDS was established and in its operation thereafter.

    The consultancy in question is The Art of Work and they have a spectacular client list. There's no reason not to believe their report and there has been no rebuttal from GDS.

    GDS are meant to tell the rest of Whitehall how to organise their IT. There are suggestions that they should in future also have the right to tell local government how to do its IT job. GDS's instructions may henceforth carry a little less weight.

    The attractions for respectable organisations to risk their brand by becoming associated with GDS's GOV.UK Verify (RIP) may similarly be reduced.


    Update 30.4.15

    A number of people are doing their best to be fair, in light of the criticism GDS are currently facing, particularly this report on staff unrest. Quite right too, of course.

    GDS can't respond themselves. They are currently in purdah. True. But they haven't responded to criticism in the three or four years of their existence. Nothing new there. And that's one of the observations of the report, an institutional inability to imagine that GDS is ever wrong.

    GDS is constrained by civil service pay scales. True. But many people work for less. And perhaps part of the need for GDS to "transform government" arises from the fact that the rest of the civil service is also constrained by civil service pay scales.

    Purdah, the dangers of groupthink and the problems of a limited budget affect the whole civil service. GDS are being accused of something special:
    Last year, the UK's Cabinet Office asked an external management consultancy to examine staff morale and high turnover at the Government Digital Service. After interviewing more than 100 civil servants, its scathing confidential analysis described an organisation beset by low morale and run by a “cabal” management of old friends, who bypassed talent in favour of recruiting former associates – while Whitehall viewed GDS as “smug” and “arrogant”.
    No-one is going to try to defend GDS if they really are operating an unmeritocratic old boys' network. Not even the esteemed editor of Computer Weekly, Bryan Glick, who yesterday published If not GDS, then what?, where he is clearly playing devil's advocate.

    Mr Glick quotes extensively from a paper written by Alan Mather in 2003 predicting that the attempt to transform government will always meet an aggressive response. True.

    Many people will know, from his Tweeting if nothing else, that Mr Mather is an exceptionally pleasant person. Others will know how modest he is and how very effective he was in making the Government Gateway a reality.

    The Gateway has provided a way for individuals and companies to transact with the government on-line for the best part of 15 years now. It continues to operate despite being starved of resources. Its replacement, promised by GDS, is nowhere to be seen.

    No-one could imagine Mr Mather operating a cabal of old friends, mushroom-managing the rest of the staff and strutting around the world sneering at his Whitehall peers. The special merit of Mr Glick's article is that he provides an answer. There is an alternative:
    Q. If not GDS, then what?
    A. Alan Mather.