Tuesday 29 October 2013

GDS – who's silly now?

A correspondent kindly sent a link this morning to an article in the US press, U.K. Official Urges U.S. Government To Adopt A Digital Core. Ex-Guardian man Mike Bracken, executive director of the Government Digital Service (GDS), was over there recently to talk at a meeting of the Presidential Innovation Fellows, presumably about public service IT.

The gist of the article is that what the US needs is something like GDS and someone like ex-Guardian man Mike Bracken to save them from cock-ups like healthcare.gov but the article also includes this: "Parliament ... appointed Bracken, a tech industry veteran, as the first ever executive director of digital – a Cabinet-level position".

Cabinet-level?

Really?

"These journalists", you can't help saying to yourself, "they're so silly, can't they get anything right?".

Except that later in the day, a new post by ex-Guardian man Mike Bracken appeared on the GDS blog saying: "This morning I attended the weekly meeting of Cabinet ministers at Number 10 ...".

----------

Updated 16 December 2013:

We know what ex-Guardian man Mike Bracken told the Cabinet. And we know what he told Code for America.

But what, you will have been asking yourself for the past seven weeks, did he tell the Presidential Innovation Fellows?

Thanks to a short post on DigitalGov – "Your source for new media in government" – we now know. "Citizen Needs Come First for UK Websites", says Darlene Meskell:
Starting with the needs of users, [ex-Guardian man Mike Bracken] said, the UK radically shifted the way the government provides services. “That’s a huge thing,” he said. “It means an end to big IT, it means smarter and cheaper services that meet users’ needs, and it means digital sitting at the heart of teams all around government.”
That makes it sound like a long-established change. A fait accompli. Did the Presidential Innovation Fellows ask when the "UK radically shifted the way the government provides services"? Did they get an answer? If so, could they tell us in the UK?

Did they ask whether "starting with the needs of users" really does mean "an end to big IT" or "smarter and cheaper services" or "digital sitting at the heart of teams all around government"? That's not what it says in the dictionary. Not in the English dictionary. Nor the Korean dictionary.

Did they ask how you find out what the users need? Presumably they must have done because we read that:
He advised against using focus groups or surveys for user feedback, preferring to look at user behavior and other indicators of trust in government.
So GDS don't use focus groups. And they don't use market surveys. They just know what the users need. All 60 million+ of us. At some stage we must all have indicated our trust in government. As Darlene Meskell says: "he offered a key lesson for designing and developing 'democracy' websites".

Focus groups? Market surveys? That's not all that GDS don't use. In addition:
“We just don’t outsource,” he said, referring to the UK’s Government Digital Service. “We do what we need with our skills in-house.”
This will come as news to all the suppliers signed up to GDS's CloudStore and to their Digital Services store, the purpose of which had previously been understood to be precisely that – to outsource government IT requirements. But that's our ambassador's message – don't outsource.

It will come as news to the Government Procurement Service as well. But he had a very special message, an almost mystical message, for them:
"Tackle the hard stuff by routing around" the barriers. For instance, "don’t procure, commission."
Don't procure. Commission. What?

Any elucidation the Presidential Innovation Fellows can offer to Bill Crothers will be gratefully accepted.

Updated 18 December 2013:

"Parliament ... appointed Bracken, a tech industry veteran, as the first ever executive director of digital – a Cabinet-level position" – that was Elise Hu writing on 23 October 2013.

One month later, 18 November 2013, Alexander B. Howard wrote: "political leaders acted by creating a Government Digital Service (GDS) and hiring Mike Bracken as Executive Director of Digital to run it, and putting him at the table in a cabinet-level position".

By now it's probably too late and it just is an established fact in many people's mind that ex-Guardian man Mike Bracken is a member of the British Cabinet. Even though he's not.

It is probable that both Elise Hu and Alexander B. Howard are Americans and write for Americans. They do things differently over there. They keep the legislature fairly well separated from the administration. We here in the UK have the two utterly mixed up.

How has the confusion arisen?

There couldn't be more causes of this confusion in a French farce.

Firstly, ex-Guardian man Mike Bracken's Government Digital Service (GDS) is part of the Cabinet Office. The Cabinet Office is not the Cabinet. The Cabinet Office is a department of the civil service and might better be called the "Swiss army knife department" – it does a bit of everything, it picks up the jobs that don't for the time being fit into any other department.

Second, the Permanent Secretary at the Cabinet Office used also to be the Cabinet Secretary. That was in the days of Sir-Gus-now-Lord O'Donnell, who had a third string to his bow – he was also head of the home civil service. Since he stepped down, the three jobs are done by three different people.

Third, ex-Guardian man Mike Bracken was asked to attend a Cabinet meeting on 29 October 2013 and allowed to make a presentation about GDS. He's a website designer wedded to an unproven hypothesis about the internet. That invitation is pretty well unprecedented.

Fourth, although his civil service boss is the Permanent Secretary at the Cabinet Office, his political boss is the elected politician Francis Maude, who is the Cabinet Office Minister and who is regularly allowed to attend meetings of the Cabinet without actually being a member of it. The members of the Cabinet are listed here; they are almost exclusively elected representatives, an arrangement which is utterly verboten in the US.

The confusion is entirely venial but it is a confusion nonetheless.

Chances of getting the record put straight? Slim.

But if there is any chance, can we get another confusion cleared up at the same time?

Mr Howard writes, charmingly: "It’s not clear whether the United States will be able to follow the lead and pace set by the United Kingdom here". That makes it sound as if GDS do a lot.

It's a bit like Darlene Meskell writing on 9 December 2013: "Starting with the needs of users, [ex-Guardian man Mike Bracken] said, the UK radically shifted the way the government provides services", which makes it sound as if the way public services are provided in the UK has already been "radically shifted". It hasn't.

GDS have partially re-written some of the government websites we already had, and that's it. There are a lot of promises on the table about how this will one day improve public services. There have been a lot of problems. There's a long way to go. But for the moment, the US have no problem keeping up with the pace. Estonia might give them a run for their money. But not the UK.

GDS & assisted digital – the project that keeps on starting

When Martha-now-Lady Lane Fox decreed that all public services should be digital by default (14 October 2010) she created a problem – how do you avoid all the people unversed in digital ways being excluded by default?

The problem was given to the Government Digital Service (GDS) to solve. A strange choice. GDS's expertise is in building websites, not helping old ladies to fill in attendance allowance forms. What special knowledge would they bring to bear? None. GDS's natural inclination would be to devise a digital solution. That's their approach to all problems but in this case it's definitively inappropriate. It's strange that GDS accepted the rôle.

But accept it they did and they gave the problem a name – "assisted digital" – and they started blogging about it (28 July 2011). Nearly a year later (30 May 2012) they published Getting started on assisted digital.

Assisted digital keeps on starting. Another year later (23 May 2013) GDS published Starting the conversation about providing assisted digital support. It started again a month later (20 June 2013), Engaging the market: "Last week we held our first ‘market engagement’ event for suppliers interested in providing assisted digital support for government services. It was really popular ...".

Then (2 August 2013) they held a workshop to answer the question What about people who aren't online?. Yes, that is the question, that was the question on 14 October 2010, what is the answer?

What is the answer? Consultants.

Peter Ziegler from the Helen Hamlyn Centre for Design was called in and blogged (12 August 2013):
My research has been a very fruitful introduction to the problems older people may face when accessing digital products and services. There have been two key early observations that keep coming up:

1. People who do not have much confidence in their digital skills are more comfortable conducting a one-way search query than a two-way personal information transaction. For example, people may very well be confident with searching the Internet for a shop’s location, but they would not feel comfortable going to that shop’s website to make a purchase to be delivered to their home.

2. Older people who do not have access to computers or who lack the skills to confidently navigate the Internet are concerned about where they will get help to access the services they need. As services are increasingly administered online, there is a requirement for assisted digital provision to be in place and be adequately publicised to ensure these people know where to go for help.
Who knew?

A few weeks later (2 September 2013) Mr Ziegler produced Early design ideas for assisted digital from the Helen Hamlyn Centre for Design:
Digital bike delivery
And now, three years after Lady Lane Fox fired the starting pistol, where are we?

GDS have launched a new assisted digital blog.

It's a new blog but the same people are blogging. Including the indefatigable Peter Ziegler (22 October 2013), Exploring assisted digital for electoral registration with the Helen Hamlyn Centre for Design:
I asked myself questions such as:
  • what is already in older people’s wallets?
  • what do older people already do at home?
  • where do older people go during the day?
----------

Updated 12 December 2013:

Ex-Guardian man Mike Bracken has produced his December 2013 quarterly report: "GDS has been running a research project with the Helen Hamlyn Centre for Design on how assisted digital support can meet the needs of older people".

That's true.

The question is why? According to the quarterly report, "the project has helped government to understand the reasons why older people are completely or partially offline, and with exploring potential design solutions".

It's because they're old. And they're not confident with computers. And they don't have computers at home. That's what we've learned from Peter Ziegler of the Helen Hamlyn Centre for Design. But we already knew that. That's why we have an assisted digital project.

And here's another "potential design solution" – this time, not a cargo bike in sight:

Digital dialogues

The quarterly report tells us also that: "We’re benchmarking the success of digital inclusion initiatives, sharing what works and what doesn’t work, to help people go online. We will publish digital inclusion principles, developed with help from our departmental colleagues and our cross-sector partners, early in the new year. We will be consulting the public on these principles as a first step towards a digital inclusion strategy that we will publish later in the spring. This will say what departments, partners and GDS will do to help people go online".

"First step towards a digital inclusion strategy"? "Publish later in the spring"? Assisted digital's not going to be started again, is it, re-re-re-started?

Updated 29.8.14

"What", you ask, "has been happening to assisted digital since your last update?".

Good question.

One answer came yesterday, with the publication of Assisted digital user personas on the Government Digital Service's assisted digital blog:
We have developed a set of 8 personas that reflect the citizens who need help to use digital government services as they lack either the means, ability or confidence to do so independently. One of these represents the needs of service providers and the challenges they may also face with the move to digital by default. Collectively the personas highlight the range of complex and hidden assisted digital needs we identified through our research.
And?
... we looked at the persona ‘Greg’, a farmer with no internet access and low digital skills. The challenges he faces when he completes his application for a Common Agricultural Policy (CAP) payment are largely the same as when he buys a fishing rod licence or completes his self assessment tax return. Presenting the challenges through this persona gave departments the opportunity to see how they could work together to be more efficient in delivering support and to provide a better service for Greg.
"Buying a fishing rod licence isn't even remotely the same as applying for a CAP payment", you may say, "but, be that as it may, how is 'Greg' being helped by GDS's efforts?".

Answer:
The personas have really helped us to explain, in an engaging and empathic way, who assisted digital users are and what their key concerns are in accessing digital services. Sticking their pictures on the wall and using them in workshops has also helped to open up wider discussions about what assisted digital support could look like.
'Greg' still doesn't have any internet access and his digital skills are still low but, never mind the user needs, GDS are now engaging and empathic, whatever that is.


Updated 11.11.14

GDS have had so much experience now, starting assisted digital, that they're offering consultancy advice to other organisations, please see How to get started with your assisted digital user research.


Updated 17.11.14

From The Register:
UK digi exclusion: Poor families without internet access could 'miss out' on child tax credit
By Kelly Fiveash, 16 Nov 2014

Brits who aren't online but are entitled to access to the Tory-led Coalition government's childcare tax break could lose out, it has been reported.

According to the Independent on Sunday, which was handed a leaked letter to MPs from Exchequer Secretary Priti Patel, up to 200,000 families could be affected when the new tax is brought in next year ...

Updated 3.8.15

GDS's assisted digital project started, remember, on 28 July 2011. And on 30 May 2012 and 23 May 2013 and 20 June 2013, please see above.

1,464 days after the first start, it's started again. On 31 July 2015. Please see GDS puts out feelers for inclusion support:
The Government Digital Service (GDS) has stepped up the effort to get more people going online with the first stage of a procurement for training services.
This is just the "first stage" of procurement. Not even that, really, more a case of putting out feelers before the first stage.


Updated 19.11.15

GDS's assisted digital project, which started on 28 July 2011 and 30 May 2012 and 23 May 2013 and 20 June 2013 and 31 July 2015, will next start some time after 18 January 2016 – that's the date when tenders must be submitted to join "a framework agreement for suppliers to provide training and digital support services to help reduce digital exclusion".

That's what the Government Computing website tells us today in GDS and BIS tender aims to tackle digital exclusion. Unchanged since 28 July 2011, the idea 1,575 days later is still to "reduce the number of digitally excluded people in the UK".

We learn that "around 10.5m people in the UK lack basic digital skills" and what's more Rachel Neaman, chief executive of Go ON UK, says: "Our latest research tells us that there are still 12.6 million adults in the UK without the Basic Digital Skills they need".

This Rachel Neaman gets about a bit. She's also the Chair of Digital Leaders. If you've ever wondered what you have to do to be called a "digital leader" in the UK, it's easy. Sponsor Digital Leaders. 16 companies have worked that one out, including our old friends Skyscape, Kainos and Methods.

Wasn't Martha Lane Fox going to sort out digital exclusion with her DotEveryone idea, floated at this year's Dimbleby Lecture? You may well ask.

Whatever, the Martha Lane Fox/digital-by-default problem remains unsolved. The unwebbed are excluded by default. All 10.5 million of them. Or 12.6 million. But at least GDS have made a start. Again.


Updated 30.1.16

This assisted digital lark isn't as easy as it looks. Yesterday's Rollercoaster recruitment ride - A story of recruiting participants with Assisted Digital needs tells us just what a rollercoaster it can be trying to find/recruit anyone who needs assistance with their digital.

The Government Digital Service's crack user research team tried farming out the work to recruitment agencies. There are problems with that approach. Problems which lead GDS to conclude that:
Our key learning point was that it might have been better to do the recruitment ourselves. We discovered that the agency’s recruiter had gone for the obvious options, which we could potentially have covered more effectively ourselves as well as searching further afield. Some services have found this to be more effective as well as better value for money.
"It might have been better to do the recruitment ourselves"? Nothing gets past them ...

... except that it might have been even better to start "recruiting" research subjects 1,646 days earlier on 28 July 2011 or 30 May 2012 or 23 May 2013 or 20 June 2013 or 31 July 2015 or any of the other dates on which the assisted digital project was meant to have started.

Presumably there's no hurry. Presumably the assisted digital team don't expect digital-by-default to start for a long while yet.


Updated 31.3.16

It looks as though GDS's assisted digital may at last have had its final start. It hit the ground running, we learn today, five weeks after the event, fittingly enough with ... a retrospective, Back to the future - assisted digital retrospective workshop.

The assisted digital blog started on 28 July 2011. Since then "a lot has been learnt about researching user's assisted digital needs and developing support to meet those needs". For example, we already know that "a range of capability currently exists".

Lots of assisted digital suggestions were elicited at the workshop ("all captured on a sea of post it notes of course!") and "the key finding from the day was that departments and services need to work together to make these ideas happen".

"All in all it was a great day and a brilliant example of what can be achieved with everyone working together".


Updated 8.4.17

It's just over a year since GDS published Back to the future - assisted digital retrospective workshop. In all the time since then they've managed just two posts on the assisted digital blog, one in May 2016 and one in October.

No-one is asking GDS to do anything hasty about digital assistance. And in the 2,078 days since the assisted digital blog started on 28 July 2011, they haven't.

There again, we do have a census coming up in the UK in four years' time – 2021 – and there's some hope among the powers that be that maybe it could be conducted largely on-line. You know the sort of thing ... filling in forms on screen rather than on paper ... the sort of thing you might expect GDS to have achieved after 10 years ... the sort of thing that will be difficult if we still have 12½ million adult residents incapable of using the web ...

... which is no doubt why the baton has been passed to the Office for National Statistics (ONS), please see It’s all about inclusion: how ONS plans to support the digital have-nots. GDS can't be expected to do everything.

Friday 25 October 2013

Kofi Annan, the NSA and GCHQ – maybe this time

NSA monitored calls of 35 world leaders after US official handed over contacts it said in the Guardian yesterday and in every other newspaper.

That comes as news to most of us.

But then we remember: "News that Kofi Annan and other senior UN figures may have been routinely bugged by US or British security services has caused a huge political row around the world. But it will also have caused alarm among other people in the public eye who deal with sensitive information - or anyone, indeed, who values their privacy" – that's from the BBC News website, 2 March 2004, 9½ years ago.

It didn't cause "a huge political row around the world" then.

Maybe this time. Maybe the penny is beginning to drop.

Individuals complaining about invasions of their privacy have little traction.

With companies, it's different. Once they realise that it is questionable whether any of their dealings can be conducted in confidence they will take action. And unlike individuals, they have money and lobbying power and politicians listen to them.

Next week's news

Just to remind you, some time over the next 168 hours, as promised, we shall see the first ever fruits of the Government Digital Service's identity assurance programme. We shall all be able to amend our tax codes through an on-line connection to HMRC.

Extraordinary, but they won't have the field to themselves.

Remember midata, the latter-day South Sea Bubble being blown by the Department for Business Innovation and Skills? They've been "fanning the flames of innovation" round at the midata Innovation Lab and some time over the next 168 hours we are promised a glimpse of the fruits of their labours, too.

At last, new apps to empower us and improve our lifestyles and make the economy grow.

There's not a single mooncalf left in the world who believes that these apps will be free, is there?

Suppose, just for the sake of argument, that the DMossEsq blog is right and that there is no such thing as a secure website.

Then it would be a mistake for any supplier to try to sell you a service on that basis – the secure website sales pitch undermines trust in any supplier using it. At least two of GDS's "identity providers" do just that. Mydex and Verizon both promise you security. That's a mistake. There are no unicorns for them to deliver.

Better, surely, to say that every effort will be made to keep your personal data secure, but security can't be guaranteed.

We have a sad new example of the problem. Experian Sold Consumer Data to ID Theft Service. It should be made clear that Experian didn't mean to sell consumer data to ID thieves and that they're co-operating fully with the police investigations. But it happened.

Experian, like Mydex and Verizon, are UK "identity providers", on whom GDS's identity assurance programme depends.
The best you can hope for is that security breaches will be kept to an affordable minimum. How do you achieve that? Answer, you make the supplier of the on-line service responsible for losses.

How have the UK retail banks managed so well to maintain public trust in on-line banking? By paying – when you are defrauded, the banks have to compensate you.

That works (para.6).

Tuesday 22 October 2013

Cloud computing and the sizzling Stephen Fry

Mr Fry has made only one appearance on this blog so far. That was in connection with the UK government's vile bid to introduce press regulation.

Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
The reputation of the utilities for the past year and more has taken a beating and it defies logic how anyone could believe that comparing it to a utility would make us want to buy any service.

Utility prices keep going up. Large numbers of people already find themselves in fuel poverty. Now we are promised that it will soon cost £1,500 a year to supply our homes with gas and electricity. What kind of a model is that for cloud computing? Not an attractive one – IT poverty, anyone?

The analogy is inept. When you buy gas, say, you pay money and the gas company supplies gas. Done. With cloud computing, you pay money and you hand over all your data and the cloud computing company supplies some service. You are paying to lose control of your data.

It's a simple point. And irrefutable.

But Databarracks, the cloud computing company, cannot be numbered among the millions of readers of DMossEsq. Because, you won't believe it, they've just scored an unenviable double. Stephen Fry and the cloud computing-utility analogy all in one.

A treble, really, when you see that they employ the tiredest trick in the marketing armoury, a six-minute history of the world suggesting that the progress of civilisation has been leading ineluctably to this point, where you have to have whatever goods or services the marketing company's client is trying to flog:

Hyperinflation hits the unicorn market

We live on a diet of data hacking stories fed to us by the media. Have done for years.

There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.

"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobban, the Director of GCHQ. He should know.

The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.

When the Department for Business Innovation and Skills, for example, talk about work on their midata initiative and tell us that "this work is still in development by the midata programme participants, but broadly the proposal is that to gain access to their Personal Data Inventory, the customer would have to log-in to a secure website where ..." they might as well advise us to log in to a unicorn.

The suppliers whose business depends on selling us secure websites know this. How are they going to convince us to carry on paying for unicorns?

They've got a tough job.

One approach is to stop talking about mere secure websites and to offer instead super secure websites, as we saw the other day: "Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will ...".

Superunicorns?

That's a bit weak. Either these resources are secure or they're not. It's like being pregnant – indistinguishable from being superpregnant.

But having embarked on that course, there's only one way to go: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online. At its core it delivers a trusted digital identity, a hyper secure personal data store and platform from which individuals can connect to each other and organisations for the bi-directional exchange of information in a secure and verified manner".

Hyperunicorns?

What next?

No unicorns, no trust
Judging by that last example, what's next is a thoroughgoing mangling of the concept of trust. Unless you believe in unicorns, when someone offers you a trust framework or a supertrust framework or a hypertrust superframework, be warned. Be superwarned. Be hyperwarned.

----------

Updated 11.4.14

The day before yesterday Murad Ahmed warned us in the Times:
Bug puts internet passwords at risk

... Security researchers said they have discovered the “heartbleed bug”, which is a problem in the way the majority of websites encrypt their sensitive data. About 60 per cent of websites use the affected software, known as OpenSSL – a way of protecting information such as names, passwords, messages and financial information as it passes between computers ...
How important is that?

In a crowded field of experts, readers are recommended to believe Bruce Schneier when he says: "On the scale of 1 to 10, this is an 11":
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Half a million sites are vulnerable, including my own. Test your vulnerability here.
To reiterate. If someone promises you a secure website, remember, whether they know it or not, it's really not in their gift, it doesn't exist, it's a unicorn, be hyperwarned.
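The bounds-check failure behind Schneier's "64K of memory" figure, shown as an added illustration that is neither code from this page nor OpenSSL's own: a toy heartbeat handler that trusts the two-byte length field in the request (two bytes is why each request can claim at most 64K) beside the hardened form that applies the same check the OpenSSL fix added, namely that type, length, payload and padding must all fit inside the record actually received. The record layout, the "toy heap" and the secret lying next to the record are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # the heartbeat extension requires at least 16 bytes of padding

# Constructed neighbour data: whatever happens to sit after the record in process
# memory (a placeholder, not a real key).
NEIGHBOUR = (b"session=abc123; "
             b"-----BEGIN RSA PRIVATE KEY----- "
             b"constructed-placeholder-not-real")


def make_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Build a heartbeat request: 1-byte type, 2-byte length, payload, padding.
    declared_len may differ from len(payload); that mismatch is the whole bug."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def toy_heap(record: bytes, neighbour: bytes) -> bytearray:
    """Constructed model of process memory: the received record is followed
    directly by other live data."""
    return bytearray(record + neighbour)


def respond_unchecked(heap: bytearray, record_len: int) -> bytes:
    """Vulnerable handler: echoes `payload_len` bytes from the payload offset,
    trusting the peer-supplied length and ignoring the true record length,
    so the copy runs past the record into neighbouring memory."""
    hb_type, payload_len = struct.unpack_from("!BH", heap, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    payload_start = 3
    echoed = bytes(heap[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


def respond_checked(heap: bytearray, record_len: int) -> bytes:
    """Hardened handler: the length check from the fix. If the claimed payload
    plus header and padding does not fit in the received record, discard it."""
    hb_type, payload_len = struct.unpack_from("!BH", heap, 0)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return b""  # silently drop the malformed request
    payload_start = 3
    echoed = bytes(heap[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


def leaked_bytes(response: bytes, record_len: int) -> int:
    """Count response bytes that came from beyond the request record."""
    payload = response[3:]
    legitimately_in_record = max(0, record_len - 3)
    return max(0, len(payload) - legitimately_in_record)


if __name__ == "__main__":
    record = make_heartbeat(64, b"hi")          # claims 64 bytes, carries 2
    heap = toy_heap(record, NEIGHBOUR)
    resp = respond_unchecked(heap, len(record))
    print("unchecked handler leaked", leaked_bytes(resp, len(record)), "bytes:", resp[3:])
    print("checked handler returned", respond_checked(heap, len(record)))
```

The same mismatch can be repeated with fresh requests, which is what Schneier means by grabbing "a different random 64K" each time; the only thing the checked handler changes is that the declared length is no longer believed.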


Updated 19.11.14

The CloudStore has been re-written for the second or third time and re-named the Digital Marketplace. No surprise to DMossEsq's millions of readers.

The Government Digital Service (GDS) have written about it on their blog, please see Digital Marketplace: building a digital by default service. They have nothing to say about digital marketplaces.

They just bang on about their digital by default service standard.

That's the standard they were following, presumably, which meant that we now apply to register to vote in the UK using a system which has to work without GDS's identity assurance (IDA).

Not ideal but perhaps just as well since the first public service which incorporates a public test version of IDA seems to be unusable, despite satisfying all 26 criteria of the digital by default service standard. Bad luck DEFRA.

And good luck to all those G-Cloud suppliers who will rely on the Digital Marketplace and to the central and local government departments who try to buy services from them – just look at the logo GDS have chosen.


Updated 23.2.15

Some people never learn.

The media have stories every day about internet security breaches. The latest story that has burrowed through DMossEsq's thick skull concerns the US State Department.

Bloomberg report that the State Department's email service was infiltrated several months ago and that, despite the most expert efforts, it remains infiltrated.

If the State Department can't deliver security there is no reason to believe that the UK's chirpy little Government Digital Service can. And yet, refusing to learn, these dinosaurs continue to offer the unicorn of internet security.

If you are tempted to sign up for their GOV.UK Verify identity assurance service (RIP), the first thing GDS tell you is that it's secure. Who is there left on the planet who might believe that?


Far from helping to prevent identity theft, GOV.UK Verify is more likely to promote it by centralising the entire population's personal information in the databases of just a few "identity providers".

Not only do GDS want to centralise all personal information, they also want you to give up the relative safety of multiple logon IDs and passwords and replace it with a single key to your kingdom.

If against all the odds you pursue this wild goose chase and choose Digidentity as your GDS-sponsored "identity provider", they go even further:


"Infallible security"?

This is the sales pitch of an unreconstructed mountebank. It might have worked in the 20th century. It can't work in the 21st.

Hyperinflation hits the unicorn market

We live on a diet of data hacking stories fed to us by the media. Have done for years.

There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.

"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobban, the Director of GCHQ. He should know.

The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.

1st cloud in Skyscape Cloud's sky

Readers will remember the immaculate conception of Skyscape Cloud Services Ltd, the company incorporated on 3 May 2011 which won four government contracts, some of them before the company had submitted its first set of accounts to Companies House.

The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.

Now GDS have parked their harp on another cloud.

Government signs cloud hosting contract with Carrenza for GOV.UK, they tell us in ComputerWorldUK magazine:
The Government Digital Service (GDS) has signed a £100,000, one-year contract with Carrenza to help host the GOV.UK government services portal ... The infrastructure-as-a-service (IaaS) contract was awarded via the government's G-Cloud framework ... Carrenza replaces previous suppliers Skyscape and SCC, which provided hosting for GOV.UK over the last 12 months.
And Carrenza have issued a press release:
Carrenza, the award winning UK based cloud services provider, today announced that it had signed a contract with the Government Digital Service (GDS) to be one of the primary suppliers hosting GOV.UK. The Infrastructure as a Service (IaaS) contract was awarded via the G-Cloud iii Framework, created to deliver fundamental changes in the way the public sector procures and operates ICT.
Will HMRC, the MOD and the Home Office follow suit?

Sunday 20 October 2013

GDS and the Electoral Commission

Have you recently received your voter registration form?

If so, you may have noticed that, depending on where you live, you can now register on-line via www.elecreg.co.uk. This website is operated by a company called Halarose Ltd, who have contracts with 80 UK local authorities to provide "democracy through technology", as they call it.

The briefest of investigations on the Companies House website suggests that Halarose has a paid-up share capital of 9¼ pence, which looks like the start of an interesting story, but that's not why we're here today.

What follows in this paragraph and the next would be correct if NSLOOKUP was correct ... NSLOOKUP suggests that the IP address of www.elecreg.co.uk is 54.247.162.156 and if you look that up on RIPE you draw a blank. Which is odd, because RIPE is where you'd expect to be able to find the details of a European website.

... but NSLOOKUP isn't correct so, in the event, there's no UK-electoral-rolls-stored-in-the-US story here ... But the electoral rolls of these 80 UK local authorities aren't being stored in Europe. They're being stored in the US, on Amazon servers, according to ARIN, the Regional Internet Registry for North America. That looks like the start of another interesting story but, again, that's not why we're here today. ... please see update below 

"You do not have to vote", it says on the back of the form, "but by law you have to give us the information we ask for in this form". It is now a legal requirement to register. That's all to do with the Electoral Registration and Administration Act 2013. Interesting. But not why we're here today.

"Important information about how you register to vote", it says on an accompanying sheet of paper, which mentions individual electoral registration (IER), can be found if you trot along to http://www.electoralcommission.org.uk/voter-registration/individual-electoral-registration. Don't bother. You get "Page not found". Boring. And not why we're here today.

That's four topics we're not interested in just at the moment. And there's a fifth. The password – or "security code" as they call it – to log on to www.elecreg.co.uk is printed in plaintext for all to see at the top right corner of the voter registration form. Bad practice, securitywise. To put it mildly. But that's still not why we're here today ...

Working with GDS
... no, the object of interest today is GDS, the Government Digital Service, the "elite team of digital experts" as the Guardian called them, tucked away in the Cabinet Office, where they have "sparked a radical shake-up in the way the government does its business".

"Some of the UK's best designers and developers" are working at GDS according to the Guardian and they have a lot to teach Whitehall. They are busy producing 25 exemplars, and in GDS's own words:
We are running this programme of continual iteration in the open. You can follow our progress at www.gov.uk/transformation, where we’re regularly publishing information about every exemplar. You’ll see performance data, screenshots and status reports of where each service is at, and we’re going to add more to it as each service progresses ...

It’s important that we continue to publish these updates in public, that we report on the services we’re transforming, and that we blog about our progress. Publishing this means more of our colleagues can see what’s happening and what part they play in the process. It’s also the best way to make sure that we’re accountable for the things we build. As our design principles say, if we make things open, we make things better.
Exemplar #1 is devoted to IER and, it's odd, but the development of this exemplar isn't open, you can't follow GDS's progress, there's no performance data, there are no screenshots, there's no status report and you have no idea how GDS are transforming the electoral registration service, which makes it hard to hold them to account and hard to know if they're making things better.

But then, you're just the public.

The Electoral Commission are a different kettle of fish. They've had the pleasure of working with GDS on two pilot exercises to see if matching electoral roll data against the National Insurance Number database, and other databases, would make it easier to compile a complete and accurate roll.

Back to the Electoral Commission website.

In their July 2013 report on the second data-matching/data-mining pilot, they say (p.2 onwards):
• There were considerable delays to the original timetable for establishing this pilot. A significant cause of the delays was the lack of capacity and resources within Cabinet Office (and the Government Digital Service (GDS), which is part of Cabinet Office) due to their workload related to the transition to IER ...

• For the national data mining, Cabinet Office’s original intention was that pilot areas should adopt a fairly standardised approach to checking the data received and contacting the individuals identified, to ensure that results were comparable. In practice, however, the nature and extent of follow up work varied widely.

• Much of this variation was caused by practical difficulties, for example the need to spend more time than expected in ensuring the accuracy of the data received. However, some of the variation could have been avoided if there had been fewer delays and a greater level of support provided by Cabinet Office to pilot areas. In particular, a few areas told us they felt unsupported and were unclear about what to do ...

• It is not possible to produce an overall figure for the cost of this pilot. This is because we do not have final costs for all pilot areas or any costs for Cabinet Office (including GDS), who conducted much of the work.

• We are also therefore unable to estimate the cost per new elector registered or the likely cost of any national rollout. Any estimates of these would need to include the cost of coordinating and managing the pilot (the role taken by Cabinet Office in this pilot), as any future work with data mining would require some form of central coordination ...

• The reasons that so many existing electors and ineligible individuals were returned on the data include poor data specifications from Cabinet Office ...

• Inconsistent address formatting and incomplete addresses are likely to have contributed to the significant numbers of existing electors returned in the data (Cabinet Office could not provide the data which would have allowed for a definitive assessment) ...

• In order to answer this question [Is data mining a cost effective way of registering new electors?], we would need to assess the cost benefit of data mining by, for example, calculating the cost per new elector registered. However, we are unable to do this as Cabinet Office could not provide details of their expenditure on the pilot. As they managed the process and conducted much of the matching and data processing, their costs could be significant and are crucial in reaching any realistic assessment of cost effectiveness ...

– The addresses appeared to be more complete than those held in other national databases but a poor data specification from Cabinet Office meant that the format was inconsistent ...

The findings from this pilot do not justify the national roll out of data mining ...

In addition, there were numerous issues in this pilot with the communication and support provided by Cabinet Office ...

Cabinet Office need to ensure that they maintain good communication between themselves, the data holding organisations and EROs [electoral registration officers] throughout the process, including after data from the national databases has been returned to EROs ...
Four professors, as we have already seen, found GDS's performance to be less than exemplary. Now GDS have lost the Electoral Commission's vote. And along the way, Francis Maude's faith in data-matching has been undermined. That voter registration form that landed on your doormat has a weighty story to tell.

----------
Update 21 October 2013
Halarose contacted DMossEsq today and asserted that, contrary to the suggestion in the post above, their UK electoral registration service is hosted in the EU, as it is legally required to be, and not in the US.

Normal people will fall asleep reading the following paragraphs but as long as they wake up understanding that DMossEsq accepts Halarose's assertion and that this update is intended to make amends for his mistake, then all will be well.

How did the mistake arise?

Let's take it that RIPE and ARIN are correct and that 54.247.162.156 is the IP address of a website on some Amazon server in the US. Why did DMossEsq think that it was the IP address of http://www.elecreg.co.uk?

Ask most responsible adults how you find out what the IP address of a website is and they'll head for the door.

Quite right, too.

Of the remainder, some will say "PING it" and others "use NSLOOKUP". If you enter "PING www.elecreg.co.uk" or "NSLOOKUP www.elecreg.co.uk" at the command prompt, you'll be told that the IP address is 54.247.162.156. Try it. You'll see. DMossEsq didn't make the whole thing up.

The trouble is that PING and NSLOOKUP are wrong.

If you browse www.elecreg.co.uk and you use Chrome to "View page info", then click on the "Connection" tab, then click on "Certificate information", then click on the "Details" tab and then click on the "Subject Alternative Name" field, you'll find that there are eight names for the certified website – electorregistration.co.uk, www.electorregistration.co.uk, www.elecreg.co.uk, www.herainteractive.co.uk, www.halarosews.co.uk, elecreg.co.uk, herainteractive.co.uk and halarosews.co.uk.

PING all eight names, and eight times you're told that the IP address is 54.247.162.156. Ditto if you use NSLOOKUP. Now you've got 16 pieces of evidence pointing one way and one communication from Halarose pointing the other.

So you look for an alternative to PING and NSLOOKUP. And you find NetworkSolutions. And what do they say?

They say that:
  • the IP address of both elecreg.co.uk and www.elecreg.co.uk is 213.166.13.58
  • the IP address of both electorregistration.co.uk and www.electorregistration.co.uk is 213.166.13.40
  • the IP address of herainteractive.co.uk, www.herainteractive.co.uk, halarosews.co.uk and www.halarosews.co.uk, all four of them, is our old friend 54.247.162.156, in the US
Check 213.166.13.58 and 213.166.13.40 on RIPE and you find that they are both in Europe.

Given that NetworkSolutions can, why can't PING and NSLOOKUP get their IP addresses right? No idea. Infuriating.
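An added example, not code from this page, from Halarose, or from any of the tools named above, for anyone who wants to settle this kind of discrepancy themselves. PING and NSLOOKUP ask the operating system's stub resolver, which hands back whatever its upstream resolver has cached; a web lookup tool may query a different resolver, or the zone's authoritative servers, and the two can legitimately disagree while an old record is still within its TTL. The script below builds a raw DNS query for an A record, sends it to a server you choose (the zone's authoritative name server, or any resolver) and decodes the reply, following CNAME records and compression pointers. The function names are the example's own; the reply used in the demonstration is constructed, not captured from any real server, and reuses the addresses quoted above only as sample data.

```python
import socket
import struct
import sys

TYPE_A = 1
TYPE_CNAME = 5
CLASS_IN = 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard query (recursion desired) for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return (rcode, [(owner, type, ttl, rdata), ...]) for the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(msg[offset:offset + 4])
        elif rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, offset)
        else:
            rdata = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, rtype, ttl, rdata))
    return flags & 0xF, answers


def resolve_via(name: str, server: str, timeout: float = 3.0):
    """Ask one specific server on UDP/53, bypassing the OS stub resolver."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return parse_answers(data)


def constructed_response() -> bytes:
    """Sample reply built for this example (not captured from a real server):
    www.elecreg.co.uk CNAME elecreg.co.uk; elecreg.co.uk A 213.166.13.58."""
    question = build_query("www.elecreg.co.uk")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    # 0xC00C points at the question name (offset 12); 0xC010 at its "elecreg" label
    cname = struct.pack("!HHHIH", 0xC00C, TYPE_CNAME, CLASS_IN, 300, 2) + b"\xc0\x10"
    a_rec = (struct.pack("!HHHIH", 0xC010, TYPE_A, CLASS_IN, 60, 4)
             + socket.inet_aton("213.166.13.58"))
    return header + question + cname + a_rec


if __name__ == "__main__":
    print("constructed reply decodes to:", parse_answers(constructed_response()))
    if len(sys.argv) == 3:  # usage: script.py <hostname> <dns-server-ip>
        print("stub resolver says:", socket.gethostbyname(sys.argv[1]))
        print("server", sys.argv[2], "says:", resolve_via(sys.argv[1], sys.argv[2]))
```

Run it once against the server your machine normally uses and once against the zone's authoritative server (the NS records for the domain), and compare the TTLs as well as the addresses: a stale cached record shows up as an old answer with a TTL counting down, not as a "wrong" tool.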

Updated 23.11.13:

GDS continue to provide IER with all the help they can, see Reaching all our users:
Our project is aimed at around 47 million people who are eligible to vote in UK elections ... I put up two large, colourful banners to attract attention.

Tuesday 8 October 2013

Identity assurance, GDS and HMRC – the tension mounts

Here in the UK, this month is Identity Assurance Month. This is the month that the Government Digital Service have to deliver.

It's the 8th of the month and there's no news. Will we soon be able to alter our tax codes on-line? The tension is mounting.

Are you starting to wilt?

Here's a little mental stimulation to divert you and keep you going.

Public Administration Matriculation Board


October 2013

120 minutes


Candidates should read the attached source document carefully
before attempting the following questions.


1
Ten years ago, according to the source document, many UK councils/local authorities “welcomed the benefits that online services would bring but equally they mistrusted data security, and feared the ‘big brother’ State”.

The mistrust and the fear still exist and the source document asks “how can councils and their partners allay citizens’ mistrust and fear of Big Brother that have been present for over a decade?”.

Answer the question.
10 marks

2
(a) “The only way is digital ...” – is that true?
1 mark

(b) “The vision of the European Union’s DG Connect is ‘to make every European digital’ ...” – so what?
1 mark

3
UK local authorities “have shifted from ‘doing more with less’ to the reality of ‘less with less’ and becoming ‘smarter’ ... it’s about smarter councils leading smarter places, and giving smarter citizens smarter spaces to shape smarter services with you”.

(a) Explain the connection between Lord Brown of Madingley, “more” and “less”.
2 marks

(b) Beginning with the Hayes Smartmodem, trace the history and success of the word “smart” and its cognates as a marketing device over the past 32 years.
5 marks

(c) First we learn that “individuals will drive local councils’ digital transformation”, then it’s “smarter councils” who will be “leading smarter places”. Who is in the driving seat, the council/local authority or the individual/citizen?
2 marks

4
The more adventurous councils aren’t following Whitehall’s charge towards digital by default – they’ve overtaken it!

(a) In what sense is Whitehall charging towards digital-by-default?
1 mark

(b) The source document is published by Mydex, one of the nation’s eight “identity providers”. As such, Mydex is integral to the Government Digital Service’s Identity Assurance Programme which is in turn integral to digital-by-default. And to midata. Mydex are poking fun at GDS for being overtaken by “the more adventurous councils”. There was no need to do that. Why did they?
1 mark

(c) Will “the [smarter and] more adventurous councils” come to regret their early lead? Will all the stupid timid councils have the last laugh?
1 mark

5
“Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will take the [Wombwell] project to the next level and unlock a myriad of services for this previously off-line, ‘cash in hand’ community”.

Is there any such thing as a “super secure personal data store”?
5 marks

6
“This can ultimately manage demand out of the service” – what does this mean?
2 marks

7
“How can councils and their partners allay citizens’ mistrust and fear of Big Brother that have been present for over a decade? ... One of the most effective ways is to be more open, and to give control over personal data back to individuals using personal data stores”.

How does storing your personal data on the web, in the cloud, with a third party you've never heard of, give you control over that data?
5 marks

8
(a) “A personal data store allows for automatic personalisation” – what does this mean? Note that the quotation is taken from the start of a paragraph by the end of which people are having to do their own personalisation, it’s stopped being automatic.
2 marks

(b) “It really changes how the future can be” – what doesn’t?
2 marks

9
Five times in the source document people are “empowered” by personal data stores. Or are they? Is power actually being relocated in the apps people will depend on? These apps will process the personal data that has been “permissioned” for sharing. Given that even members of the Zuckerberg family who work for the company can’t understand Facebook’s own permissioning system, what chance do the rest of us stand of understanding Mydex’s system? These apps will not be free – how much will dependency cost personal data store owners? These apps are meant to do the jobs currently done by human beings – are public servants inviting redundancy? What is the difference between downloading an app and downloading a virus?
10 marks

10
“Imagine how powerful it would be if by 2020 the 16m people currently off-line or with low on-line skills had developed the digital confidence and trust in digital public services to permission the sharing of their personal data for councils”.

That’s one possible scenario. There are many others.

Briefly describe four more possible scenarios, taking the total to five.

Allocate a probability to each one, giving your reasons.

Under what circumstances would it be logical, businesslike and responsible for either central or local government to spend public money inveigling people and businesses into storing their data with companies they have no reason to trust, on the web, in the cloud, where it will be at the mercy of hackers, GCHQ and the NSA, among others?
20 marks