Friday 31 May 2013

Dematerialised ID

Ten years (and one day) ago, someone posted a policy proposal to the Home Secretary. Ditch ID cards, the proposal said, they're guaranteed to fail, take a look at mobile phones and digital certificates instead – try dematerialised ID.

Cut a long story short, dematerialised ID hasn't exactly taken off.

Someone sees politicians and civil servants in a very different light ten years later.

But not the mobile phone. The mobile phone still looks singularly important. There's before the mobile phone. Then there's an energetic wrench in history and there's after the mobile phone.

"Any organisation which issues any voucher conferring any entitlement on the bearer could become a certificate authority and issue digital certificates instead of material vouchers" – that's the catchy theme of dematerialised ID placed bang in the middle of p.20 where the Home Secretary couldn't miss it.

He's not the only one to miss it.

Does your gym issue you with a digital certificate as proof of membership? Or your trade union? No. You still get a card to vouch for your entitlement to use the cross-trainer. Or your entitlement to pensions advice.

You still swipe a card to cross the border and get into your office building and your cinema ticket is still a piece of material paper, not a dematerialised digital certificate. As is your degree certificate.

You have a material passport and driving licence. They could both be digital certificates stored on your mobile and managed by passport and driving licence apps. Ditto your credit and debit cards.

At which point a lot of the vouchers that say to a stranger that you're you would be dematerialised. Thus dematerialised ID.

Clearly none of the instances of dematerialisation that someone was touting ten years ago was attractive enough.

Ten years of failure probably means it's a dead end. But just in case, don't forget, dematerialised ID – check back in 2023.

----------

Updated 29.3.16

Forget the passport, just bring a phone, says the Times newspaper today, only 4,687 days after someone posted his proposal to the Home Office. We live in such a fast-moving globalised world, sometimes it's hard to keep up with the pace of innovation.


Wednesday 29 May 2013

SCOOP? IER, sackcloth, ashes and Rip Van Winkle

In the past seven months since 26 October 2012 the DMossEsq blog has published 12 posts whose veracity relies entirely or in part on the contents of the Individual Electoral Registration Bill (IER). Attention is drawn in particular to Identity assurance – shall we vote on it?.

Properly sourced, the assertions made in the 12 blog posts were based on Hansard, parliamentary business news, explanatory notes on the parliament.uk domain, the text of the draft Bill, its impact assessment, and a draft statutory instrument.

Quite good.

Not good enough. The Rip Van Winkle of bloggers, DMossEsq missed the fact that (a) the Bill changed its name and (b) it is no longer a Bill, it was enacted on 31 January 2013. The Electoral Registration and Administration Act 2013 is now law.

The Bill provided for electoral register records to be matched against the National Insurance Number database (NINO), among others, to check for completeness and accuracy (integrity). The impact assessment (p.2, Key assumptions/sensitivities/risks) noted that primary legislation would be needed to make this national data-matching legal: "Data matching – national rollout would require primary legislation". That legislation has presumably now been passed and in that case data-matching is no longer illegal.

It is in principle impossible to make an unfair criticism of the Government Digital Service (GDS).

Gallingly, that is precisely what DMossEsq did in a post published yesterday. Assuming that the primary legislation required has been passed, it is no longer illegal for GDS to do data-matching and hasn't been for the best part of four months. In that respect, yesterday's post was factually wrong and misleading, and DMossEsq's apologies are offered without reservation.

----------

Now that the electoral registration legislation has been passed, the UK moves from registering household-by-household to individual registration. Why? Because, in the words of the Cabinet Office on GOV.UK, that is "more easier":
The Electoral Registration and Administration Act has received Royal Assent. The Act allows Individual Electoral Registration to be introduced in 2014 to help tackle electoral fraud and paves the way for online registration from 2014, which will make it more easier and more convenient for individuals to ensure they are registered to vote.
With a view to enhancing integrity, each individual's entry on the new electoral register will be checked – legally – against NINO and other databases.

The new electoral register will be used for the 2015 general election.

Registration is now compulsory. It's a "civic duty". Failure to register is a criminal offence:
The government believes that it is a civic duty to register to vote, and to support registration officers in their duties a small civil penalty, akin to a parking fine, is being introduced which could only be applied to those who refuse repeated invitations to register. There will also be safeguards to ensure that EROs take specific steps to encourage an application. Under the current system of registering to vote, failure to provide information to an Electoral Registration Officer (ERO) is a criminal offence punishable by a £1,000 fine, leaving a criminal record. This will be maintained under the new system for information about households, to help ensure that the inaction of some does not lead to others being disenfranchised.
The Major Projects Authority tell us that:
The Electoral Registration Transformation Programme will speed up implementation of Individual Electoral Registration (IER) to tackle electoral fraud and improve the integrity of the electoral register. This will include legislation to bring forward implementation of compulsory IER to 2014, ahead of the next general election. Instead of one person filling in the annual registration form and including everyone's details, individuals will be expected to complete their own details and give supporting information - i.e. a national insurance number. Ensuring that the electoral register is as full as possible (i) will lead to increased democratic participation; (ii) gives a “voice” to local people leading to a legitimate political mandate; (iii) assists local people by supporting identification and residence, and (iv) is used as a basis for the collection of national statistics.
Along with legalising data-sharing, increasing "democratic participation" (i), giving a "voice" to local people and legitimising the "political mandate" (ii), note that we will be taking the first step towards an on-line national identity register (iii) and a new way of compiling the census (iv), as promised by Francis Maude, Cabinet Office Minister, please see Alan Travis – Whitehall, the Guardian newspaper and Lord Leveson.

To any other Rip Van Winkles out there, some of that four-month-old news may amount to a scoop.


Tuesday 28 May 2013

GDS? Who?

Whitehall has a pitiful record when it comes to investing public money. Think of the National Programme for IT, the NHS black hole into which £6 billion of our money disappeared without trace. Or possibly £12 billion. No-one seems to be sure.

Mindful of which, we now have something called the Major Projects Authority (MPA), a Whitehall unit which keeps tabs on where the money's going and how likely we are to see any return. The MPA issues red-amber-green verdicts on our investments. Green is good news. Red means kiss goodbye to the money.

These verdicts have been kept secret until now but following lobbying, not least by Tony Collins, in the spirit of open government, the MPA have recently published their verdicts on 191 major government projects with a combined lifetime value of £353.7 billion.

The verdicts are categorised by department. Looking at the Cabinet Office projects:
  • We see for example that the Electoral Registration Transformation Programme gets an amber light.
    – An old friend on this blog, this is the programme which seeks to compile a national identity register, which is the opposite of the Coalition government's stated policy.
    – It seeks to ensure that the register is complete and accurate by illegally matching electoral records against National Insurance Number records, among others. N [please see update below]
    – The data-matching pilots were a complete failure – in one ward in Ceredigion, only 18% of electoral records could be matched (Table C1, p.31).
    – There will nevertheless be a value-for-money illegal national data-matching exercise carried out this summer and apparently a new electoral register in time for the next general election. N [please see update below]
    – Lifetime budget: £218 million. MPA verdict? Amber.
  • We see also that another old friend, G-Cloud, gets an amber/red signal.
    – Strange. Only the other day, G-Cloud won an award, the prestigious public cloud project of the year award.
    – Cloud computing, remember, is the quickest way of losing control of our data yet discovered.
    – It's not as though there's a lack of customers for G-Cloud – public bodies are pretty well being ordered to use it, through the Cloud First policy. It's unlikely that the project can fail for lack of take-up, so why the amber/red?
    – Any sign of a lack of spending on G-Cloud, and the programme director, Denise McDonagh, can simply buy something herself as she happens to be IT Director at the Home Office and disposes of a considerable budget. Only the other day (it may have been the same other day), she did just that and bumped up the sales figures by handing Skyscape the £1.5 million contract to host the heir to the Criminal Records Bureau.
    – That's Skyscape, the one-man band that barely existed a year ago but somehow beat the long-established competition in a completely fair selection process.
    – Lifetime budget, according to the MPA: £0.58 million. MPA verdict? Amber/red.
  • Which brings us to our oldest friend, the Government Digital Service (GDS).
    – They've got their award-winning GOV.UK project. 24 ministerial departments have been pointlessly and only partially transferred to GOV.UK and several hundred other government bodies are yet to be pointlessly and only partially transferred.
    – They're working on Individual Electoral Registration. Illegally. See above. N [please see update below]
    – They promised to have identity assurance fully operational by March 2013 for 21 million benefit claimants and failed. That leaves DWP's Universal Credit flailing and ditto the BIS midata nonsense.
    – We have eight "identity providers" in the UK with nothing to do as a result.
    – GDS's digital-by-default plan is holed below the waterline (fatally according to four professors) not least because millions of us Brits have never used the web.
    – On 28 July 2011, GDS promised to sort this out with their assisted digital sticking plaster. The best part of two years later, on 23 May 2013, they finally got round to starting to chat about the problem.
    – 56 members of parliament have signed an early day motion to debate digital-by-default.
    – GDS are also meant to replace the cumbersome-but-functional Government Gateway at some point, although what with, they've never said.
    – The mandarins keep expressing their support for GDS, Lord knows why.
    – But what about the MPA verdict, you ask? There isn't one. There just isn't one. None of these GDS projects is major? Or maybe GDS doesn't exist? Or the MPA ran out of colours? One way and another, if you're looking for openness, hard cheese.
----------

Updated 29 May 2013 12:35
N Data-matching was illegal. With the passing of the Electoral Registration and Administration Act on 31 January 2013, it is assumed to be no longer illegal. The suggestion that it is illegal is now presumably false and misleading. Please see SCOOP? IER, sackcloth, ashes and Rip Van Winkle.

Updated 28.5.14

The other day, the MPA, the Major Projects Authority, published their second report, for 2013-14.

Projects don't come much more major than GDS's mission to transform the UK government. GDS (the Government Digital Service) are the show, they tell us, the only solution to the delivery crisis and if it wasn't for them there'd be riots in the streets.

In the interests of openness, what is the MPA's verdict on GDS? How are GDS getting on? Red? Surely not. Amber? Green? That's more like it.

Sadly, no. There's not a mention of GDS. HS2, yes. GDS, no.


Sunday 26 May 2013

Biometrics – the tiger the Center for Global Development has caught by the tail (updated)

Conclusion
The case for investing in the nationwide deployment of biometrics has not been made.


Background
In their 7 May 2013 report Performance Lessons from India’s Universal Identification Program one of the lessons that Alan Gelb and Julia Clark (G&C) draw from UID (also known as "Aadhaar") is that ...
UID’s performance suggests that accurate, biometric-based, identification is quite feasible for large countries, including the US. (p.8)
... restated a page later as ...
UID shows that countries with large populations can implement inclusive, precise, high-quality identity systems by using existing technology. (p.9)
In his 12 May 2013 blog post Biometrics: will the Center for Global Development reconsider? DMossEsq suggested that this conclusion of G&C's needs to be qualified in at least six ways and should read "the US could safely deploy an identity management scheme based on biometrics":
  1. "subject to an annual audit"
  2. "apart from the possibility of cyberattack"
  3. "and as long as we've got our maths right"
  4. "and as long as you realise that it's not identity that's being managed"
  5. "and as long as you're relaxed about the fact that anyone could have any number of entries on the population register"
  6. "and the fact that the discipline of biometrics is out of statistical control"
On 21 May 2013, Alan Gelb posted a comment, which includes this:
... we hold to our conclusion that the data released provides a very significant benchmark on the capabilities of biometric systems in developing country conditions and one that should be studied carefully by other countries.

Some evidence of reconsideration
But that wasn't their conclusion.

Their conclusion was that the usefulness of biometrics to the US and other countries has already been "shown" or demonstrated or established by Aadhaar.

They're not holding to that.

Now, it transpires, the evidence of Aadhaar is insufficient. Something more is needed – careful study – before the usefulness of today's biometrics to the US is established. We cannot yet say, pace G&C's earlier report, that its usefulness has been demonstrated.

What was G&C's original conclusion based on if not careful study?


Audit
In his comment, Mr Gelb ignores the point about the need for an audit of the biometrics performance figures published by UIDAI, the Unique Identification Authority of India.

A striking omission: G&C are endorsing India's investment in biometrics and recommending the same for the US without first getting an independent expert audit of the performance figures. That would be imprudent behaviour for a responsible investment manager.

G&C are convinced that Aadhaar will be beneficial to the millions of Indians whose prospects of escaping poverty are limited for lack of an official identity. Why are they convinced? Is it any more than a hunch or a hope?

They're not convinced because of any government programmes which depend on Aadhaar – as Mr Gelb says:
It is far too early to assess the UID program record in delivering more effective and inclusive services.
Their conviction relies exclusively on the enrolment of people into UIDAI's population register, where they are identified by their biometrics:
... we see the data that it [UIDAI] has released on inclusion and accuracy as a very significant benchmark for biometric systems in developing countries, and a major advance on the use of laboratory data. These appear to be the most extensive field data released so far.
Without an audit, how do G&C know that India's excluded millions really are being granted an identity? Has a benchmark been established? The US doesn't have the same social exclusion problem as India according to G&C so why the interest in using biometrics to identify all Americans?

The Indians and the Americans and everyone else would be well-advised to insist on an audit before any more of their money is invested in biometrics.


Statistical control
G&C cite a paper by three world-class experts, Messrs Wayman, Possolo and Mansfield (WP&M), which argues that the study of biometrics is out of statistical control – biometrics isn't a scientific discipline.

Their case rests on audits of biometrics systems that the three of them have conducted.

You can examine all the test results you like, WP&M say, but those results will tell you nothing about how biometrics systems will perform in the field, in operational use.

They discuss the implications for US homeland security. The National Institute of Standards and Technology (NIST) has a duty under the USA PATRIOT Act to audit biometrics systems and to certify them. The best NIST can manage is to say that the results of the tests they performed are the results of the tests they performed. They can't predict how the systems will perform in the field. No benefits to homeland security can be assured.

The same audit report on Aadhaar's performance figures would dissipate the will to invest in biometrics, whether in India, the US or anywhere else.

G&C rest their pro-investment case on the Aadhaar figures for False Positive Identification Rate (FPIR) and False Negative Identification Rate (FNIR). It is on the basis of two statistics that they recommend investment in biometrics, a technology which WP&M say is out of statistical control.

Look again at the back end of the quotation above:
... we see the data that [UIDAI] has released [as] ... a major advance on the use of laboratory data. These appear to be the most extensive field data released so far.
That is simply false.

You can't measure FNIR in the field. For the reason noted in the DMossEsq blog post – impostors don't come back and tell you that they fooled the system.

So where does UIDAI's figure of 0.0352% for FNIR come from?

They tell us. In their report, Role of Biometric Technology in Aadhaar Enrollment. On pp.18-19. It's the result of a laboratory test:
False accept (FNIR): To compute FNIR, 31,399 known duplicates were used as probe against gallery of 8.4 crore (84M). The biometric system correctly caught 31,388 duplicates (in other words, it did not catch 11 duplicates). The computed FNIR rate is 0.0352%. Assuming current 0.5% rate of duplicate submissions continues, there would only be a very small number of duplicate Aadhaars issued when the entire country of 120 crores is enrolled.
UIDAI's figure of 0.057% for FPIR is also the result of a laboratory test (p.18).

What Mr Gelb calls "field data" three times in his comment is, in each case, laboratory data – data which WP&M say tells us nothing about how Aadhaar will work in the field.

It's not just WP&M who cast doubt on these statistics. So do G&C themselves, when they note that UIDAI have to "relax" the FNIR to keep the FPIR down to manageable proportions, to avoid "drowning in a sea of false positives". With their butcher's thumb on the scales, UIDAI can make the meat weigh whatever they want. Or, dropping the butcher analogy, by varying the matching threshold, UIDAI can choose whatever FPIR they like.

Whatever these FPIR and FNIR statistics are, one thing is clear – they're not a benchmark. UIDAI have chosen 0.057% for the FPIR and they're sticking to it. It doesn't matter how well Aadhaar performs or how badly, the FPIR will always be 0.057%.


Maths
Mr Gelb says in his comment:
To correct the record, we do not assert that the number of bilateral comparisons is the square of the population, n. It is 0.5*n*(n-1) which rises (as we note) with the square of n.
He is saying that the number of matches rises with 0.5*n*(n-1) and that it rises with n². Since 0.5*n*(n-1) is not equal to n² that must be false.

He also says:
...since no identification system will cover 100% of population, we rounded n off to 1 billion for India.
Why 1 billion? Why not 0.8 billion? Or π/5 billion?

Mr Gelb's aim is to prove that the number of false positives generated by Aadhaar is and will remain manageable. There's no need to do any maths to prove that – not when you know that UIDAI have already decided that the FPIR is and always will be 0.057% and therefore is and always will be manageable. It's a management decision and not a scientific observation.


Multiple identities
G&C acknowledge that there is a trade-off between FPIR and FNIR.

In his comment, Mr Gelb says that:
If we accept the field estimate of 0.057% false positive rate against a data base of 84 million, the rate for a 1:1 comparison would have to be very small, in the range of 7 in one trillion.
Hard to understand. It looks as though he is saying that there will be only 7 false positives for every trillion matches. That can't be what he means but, roll with it for the moment: if he is saying that false positives will be at any sort of rock bottom level like 7 per trillion, then he must accept that false negatives will be sky high. That's what the trade-off means.

It means that Aadhaar's population register will be crammed full of people with multiple identities.

If any government programmes do start to rely on Aadhaar, then some individuals will be entitled to multiple votes, multiple food rations, multiple fuel allowances, multiple temporary jobs and multiple bank accounts. And if the banks start to rely on biometrics alone to authorise payments, then some individuals will be entitled to multiple benefit payments.
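
The arithmetic behind the figures quoted in this section and under "Statistical control", as an added example that is not part of the original post or of UIDAI's or G&C's material: it converts the 0.057% FPIR against an 84M gallery into a per-comparison rate, then shows what holding that FPIR does to the threshold and the miss rate as the gallery grows to 120 crore. The Gaussian score distributions and all function names are assumptions made for illustration; only the 0.057%, 84M and 120 crore figures come from the page.

```python
import math

# Figures quoted on the page (UIDAI report, as cited in the post).
FPIR_QUOTED = 0.00057          # 0.057% false positive identification rate
GALLERY_QUOTED = 84_000_000    # 8.4 crore records searched per probe
GALLERY_FULL = 1_200_000_000   # 120 crore, the full enrolment mentioned

# Constructed score model (an assumption, NOT UIDAI data): comparison scores
# between different people ~ N(0, 1), between the same person ~ N(9, 1.5).
IMPOSTOR_MEAN, IMPOSTOR_SD = 0.0, 1.0
GENUINE_MEAN, GENUINE_SD = 9.0, 1.5


def per_comparison_rate(fpir, gallery_size):
    """1:1 false match rate implied by a 1:N FPIR, assuming independent
    comparisons: FPIR = 1 - (1 - fmr)**N, solved for fmr."""
    return -math.expm1(math.log1p(-fpir) / gallery_size)


def fpir_for_gallery(fmr, gallery_size):
    """1:N FPIR produced by a 1:1 false match rate over N comparisons."""
    return -math.expm1(gallery_size * math.log1p(-fmr))


def false_match_rate(threshold):
    """P(impostor score >= threshold) under the constructed model."""
    z = (threshold - IMPOSTOR_MEAN) / IMPOSTOR_SD
    return 0.5 * math.erfc(z / math.sqrt(2))


def miss_rate(threshold):
    """P(genuine score < threshold): a duplicate enrolment goes uncaught.
    With one true mate in the gallery this is the FNIR."""
    z = (GENUINE_MEAN - threshold) / GENUINE_SD
    return 0.5 * math.erfc(z / math.sqrt(2))


def threshold_for_fpir(target_fpir, gallery_size, lo=0.0, hi=20.0):
    """Bisection for the threshold that yields the chosen FPIR.
    FPIR falls monotonically as the threshold rises."""
    for _ in range(200):
        mid = (lo + hi) / 2
        if fpir_for_gallery(false_match_rate(mid), gallery_size) > target_fpir:
            lo = mid
        else:
            hi = mid
    return hi


def operating_point(target_fpir, gallery_size):
    """Threshold and resulting miss rate once the FPIR has been chosen."""
    t = threshold_for_fpir(target_fpir, gallery_size)
    return t, miss_rate(t)


if __name__ == "__main__":
    fmr = per_comparison_rate(FPIR_QUOTED, GALLERY_QUOTED)
    print(f"implied 1:1 rate: {fmr * 1e12:.2f} per trillion comparisons")

    # Same threshold, bigger gallery: the FPIR climbs.
    t84, fnir84 = operating_point(FPIR_QUOTED, GALLERY_QUOTED)
    drift = fpir_for_gallery(false_match_rate(t84), GALLERY_FULL)
    print(f"threshold tuned for 84M, run against 120 crore: FPIR {drift:.3%}")

    # Hold the FPIR instead: the threshold rises and so does the miss rate.
    t_full, fnir_full = operating_point(FPIR_QUOTED, GALLERY_FULL)
    print(f"84M gallery:       threshold {t84:.2f}, miss rate {fnir84:.2%}")
    print(f"120 crore gallery: threshold {t_full:.2f}, miss rate {fnir_full:.2%}")
```

The miss rates printed are properties of the constructed score model only; the point is the direction of movement once the FPIR is fixed by choice.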


Cyberattack
That means fraud. Large-scale multiple identities in Aadhaar means large-scale fraud. If Mr Gelb is right about the statistics, then Aadhaar is a machine to automate corruption.

The Indian media openly acknowledge the high incidence of corruption in India's current food security and other welfare programmes. Not just the Indian press. The Economist, too. In a staggeringly awful article they wrote:
Armed with the system [Aadhaar], India will be able to rethink the nature of its welfare state, cutting back on benefits in kind and market-distorting subsidies, and turning to cash transfers paid directly into the bank accounts of the neediest. Hundreds of millions of the poor must open bank accounts, which is all to the good, because it will bind them into the modern economy. Care must be taken so mothers rather than feckless fathers control funds for their children ...

Mr Nilekani [UIDAI chairman] harnessed the genius of Indians abroad, including a man who helped the New York Stock Exchange crunch its numbers and one of the brains behind WebMD, an American health IT firm ...

India plainly needs better data-protection laws, but even if the existing rules remained unchanged, the threat to liberty would be dwarfed by the gains to welfare: to people who live ten to a room, concerns about privacy sound outlandish.

Some of the resistance is principled, but much comes from the people who do well out of today’s filthy system. Indian politics hinge on patronage—the doling out of opportunities to rob one’s countrymen. [Aadhaar] would make this harder. That is why it faces such fierce opposition, and why it could transform India.
Indian fathers are feckless? Emigré Indians are clever and the stay-at-home ones are dim? Poor people don't need privacy the way Economist journalists, for example, do? "Today's filthy system"? This is the case for Aadhaar put by someone who despises India.

Along with the Economist's contempt for the Indians goes a crippling naïvety. Why would Aadhaar make corruption harder? Aadhaar could simply automate corruption. It could increase the incidence of corruption, not reduce it.

At the limit, with their butcher's thumb on the scales, UIDAI – or whoever controls Aadhaar, perhaps a cyberattacker – could choose whatever party they like to be the winner of a general election. Please see for example this cautionary tale in the Washington Post, Hacker infiltration ends D.C. online voting trial.


Investment
It is wrong to insist on 100% accuracy, Mr Gelb says:
On multiple identities, no system will be able to guarantee 100 percent accuracy. Certainly not the systems in place in the rich countries where identity theft is hardly unknown! The question is not “whether it works or not” but the precision of one system versus another and relative cost-effectiveness. For some applications, such as access to a health insurance program, one might accept a modest level of duplicate or false identities. For others ...
The question is not whether it works or not ...

This looks like a call to be pragmatic.

This is the case you make for investment when you have had to abandon all the unconvincing statistics and unfulfilled promises that bedevil the biometrics industry.


Risk
There is no need whatever for G&C to take the risk of endorsing biometrics. So why take it?

Their report is published by the Center for Global Development (CGD). What are G&C committing CGD to?

Publishing the bald assertoric statement "UID shows that countries with large populations can implement inclusive, precise, high-quality identity systems by using existing technology" opens CGD to the risk that biometrics salesmen will plant stories in the press with lurid headlines like:
"The time has come for the US to do its duty and deploy biometrics for all", biometrics experts Gelb and Clark, of the internationally respected Capitol Hill Center for Global Development
To be clear, that headline is invented to make a point.

This one isn't – Paper highlights positive biometrics role in developing countries:
The research underpinning the paper was performed by Alan Gelb and Julia Clark at the Center for Global Development. According to Gelb and Clark, civil registration systems are often absent or cover only a fraction of the population. In contrast, people in rich countries are almost all well identified from birth. This “identity gap” is increasingly recognized as not only a symptom of underdevelopment but as a factor that makes development more difficult and less inclusive.
That article appeared on the Planet Biometrics website on 15 February 2013 and, to be clear again, it concerns an earlier report by G&C, not the one being discussed here.

Planet Biometrics is a marketing organisation for the biometrics industry. CGD is already being co-opted, thanks to G&C's product endorsements, into the worldwide (planetary?) promotion of the biometrics industry.

"Caught in a dragnet", said the headline, 17 July 2011:
John H. Gass hadn’t had a traffic ticket in years, so the Natick resident was surprised this spring when he received a letter from the Massachusetts Registry of Motor Vehicles informing him to cease driving because his license had been revoked ...

It turned out Gass was flagged because he looks like another driver, not because his image was being used to create a fake identity. His driving privileges were returned but, he alleges in a lawsuit, only after 10 days of bureaucratic wrangling to prove he is who he says he is ...

At least 34 states are using such systems. They help authorities verify a person’s claimed identity and track down people who have multiple licenses under different aliases, such as underage people wanting to buy alcohol, people with previous license suspensions, and people with criminal records trying to evade the law. Lisa Cradit, a spokeswoman for L-1 Identity Solutions, the largest developer of the software, said it can reduce fraud by 80 percent.
With CGD's name associated with biometrics, next time the headline could read:
Caught in Center for Global Development biometrics dragnet
You may say that that won't happen. G&C/CGD endorse composite fingerprint/iris scan biometrics, not face recognition. They're quite different propositions.

Two problems with that.

Firstly, to the mainstream media and the general public, not to mention legislators and public administrators, a biometric is a biometric is a biometric – the distinction won't come across.

Second, US-VISIT uses face recognition and fingerprints, not iris scans. How long before you see the headline:
"India has better security systems than Uncle Sam", Center for Global Development. Napolitano erupts
No doubt CGD has enough staff to defend its reputation if and when the tulipmania passes and the world falls out of love with biometrics. But why get involved in the first place?

----------

Updated:

5 June 2013, 19:02
Remember what Mr Gelb said, quite rightly:
It is far too early to assess the UID program record in delivering more effective and inclusive services.
That hasn't stopped the IT magazine ComputerWorld going for broke in the product endorsement stakes:
Computerworld Honors 2013: ID program empowers citizens in India
Government program, the 21st Century Achievement Award winner for economic development, uses biometrics to assign unique identity numbers, allowing residents of India to participate more fully in society.
ComputerWorld have jumped the gun. UIDAI are getting an award for doing something they haven't done yet. Aadhaar hasn't empowered the citizens of India. UIDAI promise that it will, one day, in the future. Even they don't claim that it already has. What possessed ComputerWorld?


18 June 2013

Premature: Computerworld Honors 2013: ID program empowers citizens in India

Not for India either: The Indian experiment is not for us


Thursday 23 May 2013

CloudStore and OJEU

The question was asked yesterday Is CloudStore entirely legal? and an impressively prompt response was received which deserves equal prominence:
Anonymous said...

*sigh*

The G-Cloud framework *is* procured through the OJEU process (every 6 months, hence we are on G-Cloud III now - see the official notice here: http://ted.europa.eu/udl?uri=TED:NOTICE:14199-2013:TEXT:EN:HTML&src=0). Once a framework has been established, public sector organisations can procure from that framework without the need for OJEU (because the suppliers on that framework have already been through the process). Page 7 of the document you quote has the relevant guidance (note that a mini-competition can be run by the buyer against the framework).

This is exactly the same as any one of the 104 framework agreements that the Government currently has in place (see: http://gps.cabinetoffice.gov.uk/i-am-buyer/find-a-product-or-service). Also note that this isn't just the UK - in 2010, 21,500 framework agreements were awarded across the EU (see: http://ec.europa.eu/internal_market/publicprocurement/docs/modernising_rules/cost-effectiveness_en.pdf)

22 May 2013 15:38
The Page 7 citation leads to:
Framework Agreements - These can be used for repeat but irregular purchases for example stationery supplies, legal services, building repairs. Generally they are of no more than four years’ duration.  There are four main types, single-supplier, multi-supplier, single user, multi-user.  Suppliers are selected following an initial OJEU notice, in the case of multi-suppliers (no less than three) subsequent mini-competitions are used to select winning contracts.  The same selection and award criteria used when setting up the framework agreement must be used when procuring services from this agreement.  Provided the agreement is compliant with these requirements, pre-existing framework agreements may be used to select suppliers to the project.  Contracting Authorities utilising a framework agreement need to ensure that they are eligible to make use of it and that the framework agreement has been properly established
There may be all sorts of problems with Whitehall's cloud computing strategy but so flagrantly infringing OJEU that even DMossEsq can spot it doesn't seem to be one of them.

----------

Updated 23 May 2013 12:04 p.m.
That is the case, at least, as long as you first agree that arranging to host the entire public administration of the country in the cloud is like making "irregular purchases for example stationery supplies, legal services, building repairs".

Take an example. See Skyscape bags biggest deal on G-Cloud EVER. Skyscape will be hosting the heir to the Criminal Records Bureau. How much like ordering the paper clips is that?

Updated 24 May 2013 19:45 p.m.
Even if the definition of "irregular services" is being stretched a bit, clearly OJEC think it's legal. So they won't object.

Who would?

Answer: maybe some of the long-established cloud services suppliers with impressive track records whose bids lost against Skyscape, a company that won contracts from GDS, the MOD and HMRC almost before it existed (please see "Skyscape – would you invest £4 million? Thousands haven't.") and which has now won a big contract from the Home Office. How did Skyscape manage to be accredited, let alone win?

Wednesday 22 May 2013

IDAP: the stories our MPs are told

Here in the UK there is an organisation called the Parliamentary Office of Science and Technology (POST):
POST is Parliament's in-house source of independent, balanced and accessible analysis of public policy issues related to science and technology.
On 25 April 2013 POST published Managing Online Identity to brief MPs and peers about Whitehall's plans for the UK's Identity Assurance Programme (IDAP).

In some respects the briefing note is admirable – "A Home Office report estimated that cybercrime costs the UK economy £27bn a year", it says at one point, before adding "this figure received widespread scepticism".

It would have benefited, though, from a bit more scepticism like that.

For example, the briefing note makes two references to Whitehall's digital-by-default plans:
UK Government’s Identity Assurance Programme
Many public services are managed and delivered via online interfaces. This is part of the new ‘Digital by Default’ model for government services ...

Benefits
Managing who can access personal data is one of the major benefits of personal control over online data and identity. Online accounts may be used by a person or company to identify who may see data, what they may see and what they may use it for. This control supports a shift in many companies and government offices to a ‘digital by default’ model for connecting with customers ...
It might be fairer to MPs to warn them that these plans have been roasted by four professors. Absent that, our MPs might be gulled into thinking that digital-by-default will work or even that it's already working.

An entirely dispassionate briefing note on IDAP might also have recorded the fact that the Government Digital Service (GDS) promised as late as January 2013 that IDAP would be "fully operational" for 21 million claimants on DWP's services by March 2013.

In the event, there is no sign of IDAP and the Department for Work and Pensions have had to make alternative arrangements involving old-fashioned face to face meetings, telephone calls and the post.

"Key features of the identity programme", the briefing note tells us, "are that it must":
  • be designed around the user
  • be both private and secure
  • establish a common level of security and trust between users, identity providers and Government.
It's unlikely, now that no-one any longer bats an eyelid at the phrase "hate crime", the playful invention of a novelist, but there may still be some MPs who believe the phrase "identity providers" should appear in inverted commas.

What is an "identity provider"? The UK has eight of them, "PayPal, Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex and Verizon", several of them no MP will have heard of, and there is no special reason why anyone would be prudent to trust them with all of his or her personal data, which is the Whitehall proposal.

It is at least questionable how you can enhance your privacy by storing all your personal data with an "identity provider". That step rather looks like the very opposite.

And as to security, is there anyone left in Westminster or elsewhere who takes promises of on-line security seriously?

The newspapers have stories every day of security breaches and on 2 May 2013 Bloomberg had a long report on how the designs for fighter jets have been stolen by hackers from Lockheed Martin and how hackers spent three years camped on QinetiQ's websites, stealing secret designs and using them as a base from which to try to hack NASA.

What is there today to stop the same happening to the UK's eight "identity providers"? POST provides no answer.

Is CloudStore entirely legal?

Hosting GOV.UK in the cloud to cost GDS record-breaking £600,000

Government Digital Service signed a deal with Skyscape last month

By Derek du Preez | Computerworld UK | Published 10:29, 10 October 12

(GDS) infrastructure-as-a-service (IaaS) deal with Skyscape to host single domain website GOV.UK, which was procured through the G-Cloud, is worth an estimated £600,000.
There are rules for us members of the EU. Procurement rules. Procurement rules we have to abide by:
EC Procurement Thresholds
The European public contracts directive (2004/18/EC) applies to public authorities including, amongst others, government departments, local authorities and NHS Authorities and Trusts. The European utilities contracts directive (2004/17/EC) applies to certain utility companies operating in the Energy, Water, and Transport sectors.
Click on the link and you'll see that above certain threshold values, contracts can't be awarded without competition. They have to be announced – an onerous business – in OJEU, the Official Journal of the European Union, and all suppliers have to be able to bid. Please see also ERDF National Procurement Requirements – (ERDF-GN-1-004), a document issued jointly by the European Union and the Department for Communities and Local Government (p.2):
Robust and transparent procurement is required to ensure that Grant Recipients:
  • Consider value for money (VFM)
  • Maximise the efficient use of public money and;
  • Maintain competitiveness and fairness across the EU.
The above considerations should be applied on all occasions, regardless of whether or not the value of the procurement is above or below the OJEU thresholds and regardless of whether or not the Grant Recipient is a contracting authority subject to public procurement rules.
There are various thresholds:

PUBLIC CONTRACTS REGULATIONS 2006 - FROM 1 JANUARY 2012

| | SUPPLIES | SERVICES | WORKS |
|---|---|---|---|
| Entities listed in Schedule 1 | £113,057 (€130,000) | £113,057 (€130,000) | £4,348,350 (€5,000,000) |
| Other public sector contracting authorities | £173,934 (€200,000) | £173,934 (€200,000) | £4,348,350 (€5,000,000) |
| Indicative Notices | £652,253 (€750,000) | £652,253 (€750,000) | £4,348,350 (€5,000,000) |
| Small lots | £69,574 (€80,000) | £69,574 (€80,000) | £869,670 (€1,000,000) |

Is GDS's £600,000 contract with Skyscape above the relevant threshold? If so, is the award of the contract through CloudStore illegal? Should the invitation to tender have been published in OJEU?

The UK's G-Cloud team are currently having a bit of a purple patch, congratulating themselves on government departments and local authorities now beginning to use CloudStore for millions of pounds-worth of procurements:
G-Cloud celebrates three major milestones

Posted on May 4, 2013 by denisemcdonagh

A little over a year since we launched the CloudStore, we are starting to see sales gain a real head of steam, with nearly 1,000 invoiced purchases, sales of over £18.2m to the end of March, and many more going through. At the Home Office alone,  where I am IT director, we are in the middle of putting through more than £6m of orders, and I’m expecting to see those numbers keep on rising, both in my department and across government. For getting us this far, I’d like to say a huge thanks to my team and to all you G-Cloud supporters out there, not least our growing number of suppliers.
Are all these contracts legal or are some of them side-stepping the European public contracts directive (2004/18/EC)?

Biometrics: a response from the Center for Global Development

Biometrics: will the Center for Global Development reconsider? was published on this blog 10 days ago on 12 May 2013.

A response from the Center for Global Development has now kindly been sent.

On the principle of equal prominence, their response is reproduced here:
Alan Gelb said...

We agree with a number of points raised by David Moss. One is the importance of releasing field performance data; other programs should be held to this standard. We recognize that biometrics is not a panacea. Our previous working paper that reviewed some 160 cases noted several problematic examples, particularly in the area of elections. It is far too early to assess the UID program record in delivering more effective and inclusive services. Where we differ from Moss is that we see the data that it has released on inclusion and accuracy as a very significant benchmark for biometric systems in developing countries, and a major advance on the use of laboratory data. These appear to be the most extensive field data released so far.

The UID data are of interest for other countries; the hypothetical example of Ughana illustrates what such a system should be able to achieve for a “typical” country with about 30 million people. It is easy to scale the results for country size. We estimated that for a country as large as India there would be somewhat over 3 million false positives during enrolment, a large number for manual follow-up but probably doable. For a small country like Haiti the number would only be around 300.

On multiple identities, no system will be able to guarantee 100 percent accuracy. Certainly not the systems in place in the rich countries where identity theft is hardly unknown! The question is not “whether it works or not” but the precision of one system versus another and relative cost-effectiveness. For some applications, such as access to a health insurance program, one might accept a modest level of duplicate or false identities. For others, such as access to a nuclear facility, we want to minimize them – just as we would want very high standards for aeroplane safety, to take the example cited by Moss. These might involve different biometrics and also passwords or other identifiers; the most demanding applications can apply whatever other additional checks they choose outside the scope of national identification. For a national ID system the reported rate of 0.035 percent for UID seems low enough to discourage most deliberate efforts to acquire multiple identities.

Any identification system will have to cope with people who are unable to enroll using biometrics and with identification and authentication errors. The UID data offer useful pointers to likely numbers.

UID does not, therefore, provide answers to every question -- it is far too early for that and we do not claim that it does. It remains to be seen how the program is or is not picked up by various applications and how it negotiates the political winds that arise with any system of identification. But we hold to our conclusion that the data released provides a very significant benchmark on the capabilities of biometric systems in developing country conditions and one that should be studied carefully by other countries.

To correct the record, we do not assert that the number of bilateral comparisons is the square of the population, n. It is 0.5*n*(n-1) which rises (as we note) with the square of n. As n becomes large, it approaches 0.5*n*n; since no identification system will cover 100% of population, we rounded n off to 1 billion for India. If we accept the field estimate of 0.057% false positive rate against a data base of 84 million, the rate for a 1:1 comparison would have to be very small, in the range of 7 in one trillion. The implied precision can only be possible with the combined use of multiple biometrics, which is another of the lessons from the UID exercise.

Alan Gelb,
Senior Fellow,
Center for Global Development

21 May 2013 22:17
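
The arithmetic in the last paragraph of the comment above, carried through as an added example (it is not part of the comment or of the CGD paper). It assumes every 1:1 comparison is independent with a single false-match rate, reads the 0.057% figure as a per-search rate against the 84 million database, and assumes a population of about 10 million for Haiti, which the page does not state.

```python
"""Scaling a 1:N biometric false-positive rate with population size.

Added illustration using the figures quoted in the comment above.
Assumption: all 1:1 comparisons are independent and share one false-match
rate (FMR). Real multi-modal systems only approximate this.
"""
import math

# Figures quoted on the page
FIELD_FPIR = 0.057 / 100       # 0.057% false positives per 1:N search
FIELD_GALLERY = 84_000_000     # database size at which that rate was measured

POPULATIONS = {
    "India (rounded, from the page)": 1_000_000_000,
    "Ughana (hypothetical, from the page)": 30_000_000,
    "Haiti (ASSUMED ~10 million, not on the page)": 10_000_000,
}


def fmr_from_fpir(fpir: float, gallery: int) -> float:
    """1:1 false-match rate implied by a 1:N false-positive rate.

    FPIR = 1 - (1 - FMR)**N, inverted with log1p/expm1 so that an FMR of
    order 1e-12 is not lost to floating-point rounding.
    """
    return -math.expm1(math.log1p(-fpir) / gallery)


def fpir_from_fmr(fmr: float, gallery: int) -> float:
    """Chance that one search against `gallery` records raises a false match."""
    return -math.expm1(gallery * math.log1p(-fmr))


def bilateral_comparisons(n: int) -> int:
    """Pairwise comparisons needed to de-duplicate n enrolments: 0.5*n*(n-1)."""
    return n * (n - 1) // 2


def expected_false_positives(n: int, fmr: float) -> float:
    """Expected false matches over the whole enrolment of n people."""
    return bilateral_comparisons(n) * fmr


def report():
    """Return the implied FMR and, per population, the scaled-up figures."""
    fmr = fmr_from_fpir(FIELD_FPIR, FIELD_GALLERY)
    rows = []
    for name, n in POPULATIONS.items():
        rows.append((
            name,
            expected_false_positives(n, fmr),   # cases for manual follow-up
            fpir_from_fmr(fmr, n),              # per-search rate at full size
        ))
    return fmr, rows


if __name__ == "__main__":
    fmr, rows = report()
    print(f"implied 1:1 false-match rate: {fmr:.3e}")
    for name, false_pos, fpir in rows:
        print(f"{name}: ~{false_pos:,.0f} false positives in enrolment, "
              f"{fpir:.4%} per search at full database size")
```

With the FMR held fixed, the per-search false-positive rate is not a constant: it grows roughly in proportion to the size of the database being searched.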

Monday 20 May 2013

Shakespeare on duty

Stephan Shakespeare, Constitutional expert, writing in An Independent Review of Public Sector Information (p.5):
Consider the role of government: it exists to decide the rules by which people can act, and to administer them: how much, by what method, and from whom to take resources; and how to re-allocate them.
Bit more to it than that, surely, but let's see where this bleak definition takes him.

Shakespeare wants the government to adopt a strategy for public sector information (PSI):
The strategy should explicitly embrace the idea that all PSI is derived from and paid for by the citizen and should therefore be considered as being owned by the citizen. It is therefore the duty of government to make PSI as open as possible to create the maximum value to the nation. (p.11)
We already know that Shakespeare doesn't believe it when he says that PSI is owned by "the citizen". The citizen's property is to be expropriated and given to "businesses, especially SMEs". The citizen doesn't reap the benefit of their intellectual property. Businesses do, especially SMEs.

More or less reluctantly, the idea is forced on him, it's the government's "duty", no less. It's the government's duty to collect PSI and give it to businesses. And it's the duty of citizens to provide this data (p.14):
We should have a clear pragmatic policy on privacy and confidentiality that increases protections for citizens while also increasing the availability of data to external users. We can do this by using the developing ‘sandbox’ technologies, or ‘safe havens’ ... that allow work on data without allowing it to be taken from a secure area.
"Data should never be (and currently is never) released with personal identifiers", but you never know with Shakespeare, there might be another duty along any minute.

A duty which requires, for example, the identity to be revealed of all women who have had more than one abortion. For insurance purposes, perhaps, increased risk of cancer – one way and another, for the greater good of society.

There are all sorts of "protections" available, as Shakespeare says, like anonymisation and pseudonymisation and encryption but, with the best will in the world, they don't always work, you can't trust them. That shouldn't stop Shakespeare's plan to increase "the availability of [personal] data to external users", he says.

"A National Data Strategy for publishing PSI should include a twin-track policy for data release, which recognises that the perfect should not be the enemy of the good", we see on p.11, followed by "public sector bodies should commit to publishing all their datasets (in anonymised form) as quickly as possible without using quality concerns as an obstacle" on p.12. So when it comes to publishing your medical data, and when all the "protections" have unfortunately failed, just remember (p.15):
We currently have an unrealistic degree of expectation of any data controller to perfectly protect all our data - an attitude that inhibits innovation. Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data. Otherwise we will miss out on the enormous benefits of PSI. [What enormous benefits of PSI? He never tells us.]
Fat lot of use it is to you if the miscreant is prosecuted after the event. It's too late by then. Your privacy has been irreversibly ruptured. Too bad. You had an "unrealistic degree of expectation". That's your problem. The National Data Strategy must proceed.

Suppose the security breach is achieved by someone abroad. Someone beyond the jurisdiction of English law. Then the miscreant can't even be prosecuted. Still the National Data Strategy must proceed. Prosecution is as irrelevant to Shakespeare's purposes as his claim that all PSI belongs to citizens.

He's not entirely ruthless, old Shakespeare. He does grant that ...
We should encourage continuing vigorous debate to achieve the right balance between the benefits and risks of open data (including whether citizens might in certain cases be enabled to opt out of open data).
... but only in brackets and only for some citizens (unspecified) in some cases (unspecified) where they may be able to opt out but, by default, everyone is opted in, it's our duty and any socially irresponsible person trying to opt out will be accused of standing in the way of Shakespeare and finding the cure for cancer. (Shouldn't that be "cures" plural and "cancers" plural? Ed)

That's personal data taken care of. No outstanding problems there. What about university research data? Back to p.9, where Shakespeare says that data scientists must ...
... recognise in all we do that PSI, and the raw data that creates it, was derived from citizens, by their own authority, was paid for by them, and is therefore owned by them ... This should be obvious, but the fact that it needs to be constantly reaffirmed is illustrated by the way that even today, access to academic research that has been paid for by the public is deliberately denied to the public, and to many researchers ... aided by university lethargy ... thereby obstructing scientific progress.
We can't have that. We can't have scientific progress being obstructed.

But it's going to be tricky.

Nigel Shadbolt is a professor at Southampton University. He has started several companies to put his research findings to work including one called Garlik, which he sold to Experian. He is paid a salary by citizens, the university is funded by citizens, you'd think that would be enough but, no, he earns more money by writing and by acting as the consultant to a TV series.

"This should be obvious", the company sale proceeds, the royalties and the fees all properly belong to citizens. The tricky bit, when Shakespeare dutifully asks for our money back, is that as the chairman and co-founder of the Open Data Institute, Nigel Shadbolt is the leading character in Shakespeare's dramatis personae.

A few questions there for the National Data Strategy but let's move on. What about data that belongs to private sector companies, rather than mere individuals or state-funded universities? Shakespeare wants that data as well, to feed to his apps.

This is all to do with evidence-based policy (p.17):
Each government department and wider public sector body should review whether the PSI that they currently hold is being used to maximum effect in developing, evaluating and adapting policy. It should explain what data it used to support any new policy and above all what data will be collected (and published) for continuous measure of its effectiveness.
Government has a duty to act responsibly with public funds, in a businesslike and rational way, and openly. No-one would disagree. The government and the civil service don't always achieve these aims. Come to that, neither does Shakespeare. Never one to let the perfect drive out the good, he's devised his National Data Strategy/Policy and now, back to front, he wants someone to go out and find the evidence to support it (p.16):
Recommendation 7
We should look at new ways to gather evidence of the economic and social value of opening up PSI and government data ...
Never mind Shakespeare, back to private sector companies and their data (p.17):
Where there is a clear public interest in wide access to privately generated data, then there is a strong argument for transparency (for example in publishing all trials of new medicines) ...

A company working with government should be willing to share information about activity in public-private partnerships, as information about activity in public-private partnerships held by private companies is not currently subject to the Freedom of Information Act. This could be greatly enhanced without the need for legislation by creating a field in procurement forms asking for the company’s open data policy regarding the sought contract.
No "need for legislation"? Just a new "field in procurement forms"? Here, Shakespeare's musings come up against a tough and unrelenting reality. He'll find the opposition from private sector companies a lot harder than anything he evidently expects from individuals and universities.

Take an example.

The UK government has a number of policies which depend for their success on mass consumer biometrics being reliable. The government's own trials proved that they're not reliable but they proceed anyway, despite the evidence and despite the admonitions of the House of Commons Science and Technology Committee. Hopelessly un-Shakespearean.

Among others, there is the government's Immigration and Asylum Biometric System (IABS). That was pursued on the basis of a successful trial of biometrics conducted on behalf of the government by IBM.

Could the public see the IBM trial report, please, asked Citizen Moss? No, said the Home Office, and the Information Commissioner's Office (ICO) agreed, citing several exemptions to disclosure under the Freedom of Information Act.

Citizen Moss appealed against the ICO's Decision, it's all set out here, and two years later the Information Tribunal did its duty and upheld the Decision – the IBM trial report should not be published.

IBM said the report belonged to them and not to the Home Office and if it had to be disclosed then they might never be able to work for the Home Office again. The Home Office agreed that the report belonged to IBM even though the Home Office had provided the test data (five million pairs of fingerprints) and specified the acceptance tests and awarded IBM a £265 million contract. They also agreed that they wouldn't be able to do their job if IBM and other private contractors refused to help them. It is their duty, therefore, to withhold the report.

As a clincher, IBM and the Home Office said that the report doesn't prove that the biometrics chosen meet IABS requirements anyway.

That's the law, Citizen Moss was refused permission to appeal, it's not in Shakespeare's gift to change the law and IBM, or whoever, will not be fooled by Shakespeare's schoolboy ruse of "creating a field in procurement forms". They may simply point out that either he means it when he says that "businesses, especially SMEs" can enjoy the benefits of their intellectual property or he doesn't. Either way, they have duties to their shareholders and to the biometrics companies who participated in the trial.

According to the acknowledgements in Shakespeare's report (p.3), he polled, among others, Dixit Shah and Craig Summers of IBM UK. What did they tell him? Was he listening?

Shakespeare on duty

Stephan Shakespeare, Constitutional expert, writing in An Independent Review of Public Sector Information (p.5):
Consider the role of government: it exists to decide the rules by which people can act, and to administer them: how much, by what method, and from whom to take resources; and how to re-allocate them.
Bit more to it than that, surely, but let's see where this bleak definition takes him.

Sunday 19 May 2013

The traditional Shakespearean line

He gets off to a cracking start, Shakespeare. The cure for cancer. And happy children:
Is that exciting? It couldn't be more exciting: from data we will get the cure for cancer as well as better hospitals; schools that adapt to children’s needs making them happier and smarter; better policing and safer homes; and of course jobs.
That's Stephan Shakespeare, not the other one, and he's chatting about Phase 2 of the web revolution on p.5 of An Independent Review of Public Sector Information. "The size and coherence of our public sector", he says, "combined with government’s strong commitment to a visionary open data policy means that we have the opportunity to be world leaders in the enlightened use of data". "Strong"? "Visionary"? "Enlightened"? "World leaders"? Flattery?

Some of us remember the 1970s and the invention of the computerised management information system, MIS, which became a decision support system in the 1980s, DSS.

But that's just its age in the benighted computer world. The discovery that you need data to make decisions is a lot older than that – isn't there a bell ringing somewhere at the back of your ur-memory, recalling the first vizier telling an early Ptolemy that collecting a few facts might be a good idea, before risking life and limb running up a pyramid in the middle of nowhere? And the pharaoh's ageless response?

Is you-need-facts-to-make-a-decision the most frequently re-discovered nostrum in history? (No. "Ne'er cast a clout till May is out". Ed)

Any salesman hawking his wares with this tediously familiar and groan-inducing line had better have a breathtakingly convincing story to tell.

Does he? Stephan Shakespeare – what is his story?

Is he promising to find the cure for cancer? No. Is he promising that your children will be happy? No. What about apple pie – golden brown pastry every time? No.

His story is purely speculative. Government, he says on p.5, "has a strong institutional tendency to proceed by hunch, or prejudice, or by the easy option". That is an exact description of the way Shakespeare is proceeding.

"In our consultations", he says on p.11, consultations about public sector information (PSI) ...
... business has made clear that it is unwilling to invest in this field until there is more predictability in terms of supply of data. Therefore without greater clarity and commitment from government, we will fail to realise the growth opportunities from PSI.
Never mind government, we could do with a bit more clarity from Shakespeare:
  • What are these "growth opportunities" he keeps banging on about?
  • What is this "greater economic benefit" that we read about on p.14?
  • "To promote and support a more beneficial economic model" there should be a review, Shakespeare says, of how organisations like Companies House, the Land Registry, the Met Office and Ordnance Survey are "rewarded for their activities to stimulate innovation and growth" (also p.14). In what way is his "economic model" more "beneficial"? What "growth" will it "stimulate" and how?
  • "Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data. Otherwise we will miss out on the enormous benefits of PSI", he says on p.15 but what "enormous benefits" is he talking about?
  • "There is huge potential here for building social and economic value if we are willing to invest smartly" (p.16). That doesn't become true simply by repeating it. What is this "huge potential"? How much "social and economic value"?
Shakespeare is threatening the country with missing a great opportunity but he doesn't tell us what it is.

We've been here before. 293 years ago, to be precise, in 1720 when, according to the Department for Business Innovation and Skills (BIS):
A company was promoted “For carrying-on an undertaking of great advantage but no-one to know what it is”. After receiving £2,000 from subscribers the promoter emigrated.
And more recently, last month, April 2013, when Mr James McCormick was found guilty of selling novelty golf ball finders as bomb detection devices. They worked, he said, but he couldn't say how.

Shakespeare needs to tell us what the difference is between him and Mr McCormick and he needs to tell us what this "great advantage" is – "no-one to know what it is" is less than convincing.

Even less so when we read on p.15 that:
We cannot rely only on markets and government departments and wider public sector bodies to maximise the potential of this relatively new and fast-developing field in which we are positioned to be a world leader.
But these are precisely the parties he's told us we can rely on.

What's more, we already have thousands of researchers in the universities and in industry and in charitable foundations and in government doing precisely the job he is promoting. Does he think he's invented the idea of cancer research? What difference is he trying to make?

Apparently, not a lot (p.6):
This review does not call for any significant increase in spending on a national data strategy, nor any additional administrative complexity; rather, it calls for a broadening of objectives together with a sharpening of planning and controls.
How much "broader" can the "objectives" of the Office for National Statistics, for example, be? And what is a "sharpening of planning and controls" when it's at home?
We should look at new ways to gather evidence of the economic and social value of opening up PSI and government data ...
... he says on p.16. But surely his claim that "opening up PSI" will be of enormous "economic and social value" is based on evidence. Isn't it? He says not. Cart before the horse, he's had the idea and now he wants someone else to find the supporting evidence. No need to wait for the evidence, though, his hunch should become government policy immediately. A strange approach for a political pollster, which is what Shakespeare is.

(So strange that you have to wonder. Market research/political polling is normally very precise and very logical. All the results are strictly categorised and any inferences are made minutely carefully. Did Shakespeare write this absurd farrago of a report? Or was it Bacon?)
Currently we can measure the costs of producing and publishing data, but we have no model for evaluating the economic or social benefits 'downstream', and so we may be undervaluing these activities, leading to under-investment of resources. (also p.16)
What's happened to the "huge potential" he was so sure about, and the "enormous benefits of PSI" he was promising? They've just gone up in smoke. It was just a hunch all the time. Shakespeare doesn't even have a "model" for "evaluating" them.

You need facts, Shakespeare. Facts. To make a decision, you need facts. Everyone knows that. You haven't given us any. Cracking start. Poor follow-through. No cigar.