Wednesday 2 July 2014

RIP IDA – "we're building trust by being open"

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

"This week a small group of people became the first users to sign in to a government service using identity assurance". That's what Steve Wreyford of GDS said. The best part of five months ago. 11 February 2014, Identity assurance goes into intensive care beta.

The beta test was a private affair. Close family only. GDS (the Government Digital Service), with just HMRC (Her Majesty's Revenue and Customs) and DVLA (the Driver & Vehicle Licensing Agency) in attendance.

GDS turned up at a funeral for conference on the mooncalf economics of identity on 9 June 2014 where they tried to attract new investors, for all the world as though IDA was still alive. The book was dutifully talked up by GDS's brokers, OIX (the Open Identity Exchange) and KPMG. They even got Francis "JFDI" Maude to say:
Rt Hon Francis Maude MP is the Cabinet Office minister and, as such, the political boss of GDS. Despite all this openness, sunlight and transparency, GDS's trusting public had still not seen IDA for themselves. Ever.

And then on 30 June 2014 we were advised that there is at last a Private beta demonstration available to the public. It was Steve Wreyford again, linking us to OIX and to a video made at the mooncalf conference. A video of GDS's Janet Hughes talking us through IDA:



The video is worth watching. Several times. The presentation comprises 16 slides and there is a set of screen shots available.

The idea is that we shall all need one or more on-line IDs to use public services. Public services should become digital by default. No on-line ID, no services.

What Janet Hughes is presenting is the current thinking on how we mooncalves might go about obtaining on-line IDs (or "profiles", as GDS have taken to calling them).

The idea is that our on-line IDs should be provided to us by so-called ... "identity providers".

We were led to believe until recently that there are five "identity providers". Judging by this presentation, there are only four left, please see slide #1, Mydex has disappeared.

GDS want to recruit more "identity providers". Thus the mooncalf conference. It's a brave candidate who will put his name forward now, in a field that started with 80 runners and riders/expressions of interest, which then shrank to eight, and from which competent experts like PayPal and Cassidian have subsequently withdrawn.

The application procedure for an on-line ID as demonstrated on 9 June 2014 raises a few hundred questions. Let's make a start with slide #5, which includes this:

To check your identity we need to securely connect to your bank, your credit record, your government records [and] your utility suppliers. This information is not stored by Post Office [one of the four remaining "identity providers"] – it is only used to confirm your identity. I give permission – continue.

By this stage in the application procedure, slide #5, you haven't told GDS who your bank is or who your utility suppliers are. You certainly haven't handed over any logon IDs or passwords to access your accounts.

And yet here's an "identity provider" warning you that they're about to connect to your bank, your utility suppliers, unspecified government departments and unspecified credit referencing agencies to check your details.

Does that mean what it says?

Have the banks and the utility companies and the credit referencing agencies and government departments granted access – access to your personal information – to four companies, the "identity providers", without asking your permission or even, until now, telling you?

"We're building trust by being open"?

----------

Updated 9.9.14

"GDS want to recruit more 'identity providers' ...", we said above, back in July, "it's a brave candidate who will put his name forward now ...". It's September now and this has just arrived, Procurement 2: timeframes and market briefing event, an invitation to a briefing for brave candidates to take place on 30 October 2014.

Book early to avoid disappointment. DMossEsq has. No more than two brave representatives per brave organisation.

NB
The identity assurance team have got their identity wrong.

They say to book by sending an email to idap_procurement_2@digital.cabinet-office.gov.uk. But if you click on the link, your email goes to idap_procurement_2@digital.cabient-office.gov.uk, an address which doesn't exist, an "invalid domain", as they say.

"We're building trust by being open".

(The NB above was added at about 10:00 a.m. The link has now, about 11:55 a.m., been corrected.)

Updated 8.10.14

From AccountancyLive.com, 17 September 2014, hat tip Toby Stevens:
Identity Assurance: online accounts for all taxpayers

Government plans to create individual online identity accounts for all taxpayers, including individuals and businesses, to be called Identity Assurance, is moving forward rather quietly under the radar, reports Jaimie Kaffash, but awareness levels are low and a wholesale review of interactions with HMRC will be required according to tax advisers
We raised the question in the post above how the "identity providers" can have enough personal information about you to assure your identity on-line. This question arises in the AccountancyLive.com article above:
As Stephen Checkley, commercial director of TaxCalc, puts it: ‘In the long term, the aim is that identity thieves will be thwarted because it’s impossible for them to know everything personal and pertinent to someone.
Identity thieves don't know everything "personal and pertinent" to you. But clearly the "identity providers" and/or the credit referencing agencies do. Or claim to. Otherwise IDA doesn't work.

Do you remember being consulted about Digidentity, Experian, Mydex, the Post Office, Verizon and other unnamed organisations collecting all your personal details and then selling them to the government?

"We're building trust by being open".

Updated 9.10.14 #1 of 2

How would IDA work if it existed?

IDA is the Government Digital Service's mythological identity assurance scheme, also known for the moment as GOV.UK Verify, which is meant to allow everyone to communicate with the government on-line, e.g. to apply for benefits. With IDA, the idea is that the government will know that you really are who you say you are.

How could they know that?

GDS blogged about this matter yesterday, How certified companies verify your identity, and also published a Guidance Note, GOV.UK Verify: checks identity providers must perform.

The companies referred to in the blog post are the spookily named "identity providers" that GDS is trying to saddle us with – Digidentity, Experian, Mydex, the Post Office and Verizon. Experian are certified by tScheme. None of the other IDPs are. So much for the blog post.

Moving on to the Guidance Note, GDS say that IDPs will need to confirm your name, address, date of birth and gender. They may also need your driving licence or bank account details. Do you want to give your bank account details to Digidentity? Do you have any idea who Digidentity is? Is that really Digidentity collecting your answers on-line or is it a website pretending to be Digidentity's?

There's no answer to those questions. And there are more. More questions. A lot more.

The IDPs need to "verify" your identity by checking your biometrics or by checking that you look like your photograph or by doing a knowledge-based test. That's what it says in the Guidance Note.

You can forget about biometrics for the next couple of decades. No-one has been collecting them in sufficient quantity and mass consumer biometrics don't work anyway. The physical verification against a photograph, for example, can't work on-line. So that leaves us with the knowledge-based tests.

What could they be?

There is no hint of an answer in the Guidance Note.

But as luck would have it DMossEsq has three times had to undergo such tests, twice when his bank account was defrauded and once when he lost his credit cards.

There were lots of simple questions, on the phone rather than on-line but it comes to the same, about his address and his age and whether such-and-such a bank account was in joint names or not.

And then, this: "I'm going to read out a list of names and I want you to tell me which if any of them has been a tenant at <address>". The person at the other end of the line knew that DMossEsq owns a house at that address, and knew that it was tenanted and knew the names of some of the ex-tenants going back years. How? What else did they know? DMossEsq's bank wouldn't be party to that information. Where were they getting it from?

That is the kind of knowledge-based verification which you may expect IDA/GOV.UK Verify to rely on.

Digidentity just can't have that sort of information about people who live in the UK – they're a Dutch company. Similarly, Verizon is American. Mydex is too small. The Post Office has no reason to have that sort of information about DMossEsq nor, possibly, about you either. So where is this information supposed to come from?

The only answer that DMossEsq can come up with is ... the credit referencing agencies, such as Experian. The other IDPs must go to the credit referencing agencies for this information. Otherwise IDA/GOV.UK Verify just can't work.

We know that the credit referencing companies – or "data brokers" as they call them in the US – collect data from a large number of sources to establish credit ratings for individuals and for organisations. They also help political parties to target selected types of voter. And they help marketing organisations generally to target their campaigns. That's their job.

They don't provide their services for free. Quite right, too. So Digidentity, Mydex, the Post Office and Verizon must pay for them. Either that, or GDS must pay on their behalf and, indeed, GDS say that they are the only people paying the IDPs. In effect, GDS are aiming to buy the use of remarkably "personal and pertinent" information about us all.

Despite GDS's claim that "we're building trust by being open", this may well be the first you've heard of knowledge-based verification. It would be a monumental change to the way we live. GDS have done nothing to prepare the public. And according to GDS, the first IDA/GOV.UK Verify services are due to go live this month.

You can forget that obviously. RIP IDA.

But you may still have some questions about GDS relying on the IDPs and the credit referencing agencies and Google and Facebook and Amazon and Apple and PayPal and the banks and the insurance companies and the utilities and the travel companies and the mobile phone companies collecting huge quantities of information about you and then trying to make money out of it.

Germany certainly has questions. They've banned Verizon from government contracts, please see German government terminates Verizon contract over NSA snooping fears.

And the US has questions about Experian, please see What Information Do Data Brokers Have on Consumers, and How Do They Use It? or, if you haven't got time to watch it all, try RIP IDA – 16 June 2014.

Do GDS have any answers?

Updated 9.10.14 #2 of 2

"Do GDS have any answers?", we were asking.

Some.

They've published a post on their blog, Information for companies interested in becoming identity providers. That has links in particular to:
It may look as though it's possible to "game" the contract the draft of the executive summary of which is now available. That's not an upright option. For the upright companies "interested in becoming identity providers" the downside looks spectacular while the upside is ... parsimonious. Would you advise your mother to invest?

What is now clear to the public for the first time is that IDA/UK.GOV Verify depends crucially on credit referencing agencies and other data aggregators/brokers. The public have not been prepared for that by GDS and the reaction may be shock.

The chairman or chief executive of any company interested in becoming an "identity provider", interested in protecting the brand that company has established over the years and interested in one day becoming the chairman or chief executive of another company is recommended to sit this one out – the shocked public includes shareholders and equity analysts and, in some cases, your mother.

Updated 10.10.14


Now you see it ...

GDS, the Government Digital Service, are famous for their ambivalent attitude to security. They don't really like it. It's inconvenient.

It came as no surprise, therefore, when they published the Identity Proofing and Verification Operations Manual despite the fact that it is clearly marked "Commercial In Confidence". As we said at the time:
... the document is marked "Commercial In Confidence". So don't read it. Even though it's been published. On the web.
What did come as a surprise was the thousands of readers who contacted the DMossEsq blog to say that no, au contraire, the document is not marked "Commercial in Confidence".

They changed it.

GDS changed the document.

The first version DMossEsq saw is available here with "Commercial in Confidence" at the top of each page. And here's the later version, with that text removed.

Is the content confidential or isn't it?

Is the content commercial or isn't it?

Don't ask GDS. They just want it to be convenient. We know that. They've told us. Repeatedly. Just to reinforce the point, Tom Loosemore, the deputy head of GDS, derided the mythology of security in his recent speech to the Code for America conference (7'00"-8'25").

Any prospective "identity providers" will just have to learn to take the rough with the smooth, securitywise, in their dealings with GDS. Sometimes an agreement will start the day confidential and end it published on the web.

And anyone using IDA/GOV.UK Verify who finds that their confidential personal details have leaked out of one of the IDPs' databases will have the devil of a job getting their security complaints taken seriously by GDS. Why take a myth seriously?

"We’re building trust by being open"


... now you don't.


Updated 17.10.14

Three days ago GDS's Identity Assurance team celebrated a milestone: "we've completed all the work we need to do to go into public beta".

Trust
They're looking to inspire trust in IDA.

They've only got one certificated "identity provider" – Experian, who need to explain how a fraudster acquired the personal details of several million Americans from them,

Four other "identity providers" – Digidentity, Mydex, the Post Office and Verizon – have yet to be approved by tScheme, the certification agency. "As we go into our public beta, we will have one identity provider that’s certified for wider public use. By the end of the year we’ll have 4", say GDS. How do they know that three more "identity providers" will be certified? That's up to tScheme, not GDS. And which one will fail?

Verizon, of course, have been banned from contracts with the German government following the revelations of Edward Snowden. If the Germans don't trust them, why should the British?

Just because tScheme say an organisation is trustworthy doesn't mean that they will be trusted.

Delivery
IDA starts with something of a mountain to climb trustwise. And deliverywise.

"GOV.UK Verify has been in private beta since February", they say, and "We’ve built GOV.UK Verify based on more than a year of user research, iteration and development". The timeline doesn't go back to February or even to a year ago, October 2013. GDS and the Cabinet Office have been promising for years that IDA will soon be ready. IDA was part of the G-Digital Programme once, According to their January 2010 report, G-Digital Market Investigation High Level Analysis & Findings, the Cabinet Office were actively seeking "identity providers" five years ago. So far, they've got just one and there's still no sign of IDA.

Users
So there are no IDA users. There are no IDA-enabled services to use. GDS tried testing IDA in Warwickshire. "Users often struggled as they sought to understand how this method of signing in to government services worked", says the Warwickshire report, and "some aspects of the registration processes proved annoying to the users".

Meanwhile, GDS have been letting services loose on the public with no identity assurance. You can apply to register to vote in the UK, on-line, with no on-line identity assurance. You can apply for a student loan and for a power of attorney ditto. Are GDS to be praised for releasing those services or criticised for doing so with no identity assurance?

Delivery is GDS's watchword – the strategy is delivery. By that token, tiger or no tiger, for the past five years or so there seems to have been something wrong with the strategy. No trust, one "identity provider", no services, no users and nothing delivered. RIP IDA.

Updated 18.10.14

Back in the old days, July 2002, the Home Office issued a consultation document, Entitlement Cards and Identity Fraud – A Consultation Paper. The suggestion was that, as far as the government is concerned, when it comes to public services, a person is a set of entitlements. You are your entitlements? It didn't really work, and as a result of the consultation the Home Office changed the name from "entitlement cards" to "ID cards".

Eight years later, the scheme collapsed. In the interim, the answer to the question "who are you really?" had become "you are a set of biometrics, particularly your fingerprints and your facial geometry". At the scale required for 60 million Brits, the mass consumer technology then available was so wildly flaky as to be utterly unreliable.

Any ID scheme must take a view on how you first register someone and on how you subsequently verify that that is the person you're dealing with again, now that they want to register to vote or take out a power of attorney or whatever. What is the view of IDA/GOV.UK Verify? How do GDS hope to identity us and subsequently verify our identity?

Take a look at the 16 September 2014 report, GOV.UK Verify – Service Assessment. That's the report issued on the assessment of IDA on the strength of which GDS were allowed to proceed to a public beta. IDA is meant to make it such that "people can safely access their data and perform transactions when using digital public services, and government services can be confident to a defined level of assurance that a user is who they say they are".

How is IDA supposed to achieve that? "The [IDA] service team said that the twoIDPs [identity providers, only one left a month later] currently available cover around 75% of the UK population in terms of the evidence users are required to provide (users need to have a UK credit history or a passport/driving licence to verify their identity through GOV.UK Verify)".

GDS's answer to the question "who are you?" is "you are your credit history". "What is a person?", you may ask. "A person is a credit history", according to GDS.

Is that true? Can you see any problems with this definition of a person?

Updated 21.10.14 #1

The original post above was written over three months ago and finished by asking whether the banks and others had ever asked your permission to share data with GDS's "identity providers":
... here's an "identity provider" warning you that they're about to connect to your bank, your utility suppliers, unspecified government departments and unspecified credit referencing agencies to check your details.

Does that mean what it says?

Have the banks and the utility companies and the credit referencing agencies and government departments granted access – access to your personal information – to four companies, the "identity providers", without asking your permission or even, until now, telling you?

"We're building trust by being open"?
Let's take an example. Let's go back to GDS's blog post GOV.UK Verify public beta, where they announced the accomplishment of their milestone public beta test of IDA/GOV.UK Verify. There's a comment there, submitted by Annette Cuthbertson, presumably one of the people involved in the private beta:
I tried to register on GOV.UK Verify but had to cancel at the end as I did not have my Bank Statements to hand to verify monthly credit agreement figures ...
Point #2, the registration process failed.

But point #1, what on earth is Ms Cuthbertson's bank doing, giving Experian or whoever the details of her standing orders and direct debits? Who said they are allowed to do that?

Why isn't Ms Cuthbertson furious?

If the "identity provider" was someone you'd never even heard of like Mydex, would you be a bit miffed if they knew how much you paid each month for your mortgage?

Even more so if, like Ms Cuthbertson, they knew and you didn't know or at least you couldn't remember?

Where have GDS got the idea from that this sort of intrusion is acceptable?

IDA/GOV.UK Verify won't work without it. GDS's identity assurance depends on intrusion. That doesn't make it acceptable.

The question hasn't even been raised yet in public. Are GDS hoping that it won't be raised? That everyone will just roll over and accept it? Is there a law somewhere that we haven't noticed that legitimises GDS's model based on intrusion or surveillance or the sharing of personal information with strangers?

So much for "we're building trust by being open".

Updated 21.10.14 #2

GDS are offering us a service which is supposed to allow us to transact with government departments safely. These government departments are sometimes known as "relying parties" or RPs. They rely on what the "identity providers" or IDPs tell them.

Identity assurance or IDA or GOV.UK Verify is supposed to allow the IDPs to give us a secure on-line ID with which we can deal with the RPs.

What happens when it goes wrong?

Never mind how it could go wrong, you know that somehow someone will manage to get hold of someone else's on-line ID – perhaps yours – and make money out of it.

What happens then?

We have quite a robust system at the moment whereby, subject to audit, the banks accept that the fraud has been perpetrated against them and that they are liable to compensate you.

That's the baby in the bathwater that GDS seem to want to throw out.

Under GOV.UK Verify, we have been told that all transactions will go through GDS's ID hub, please see RIP IDA – Obama fails to consult Maude. David Rennie of GDS announced that the ID hub is all the work of GDS and that the hub will be possessed of a property known as "unobservability":
... the ID hub is designed so that IDPs don't know which RP is asking for identity assurance and RPs don't know which IDP has responded ...
As a result, when something goes wrong with your Department for Work and Pensions benefits, DWP (the RP) won't know which IDP assured them of your identity and your IDP won't know who they were assuring.

That's unobservability for you and it means that IDA/GOV.UK Verify is unauditable.

When something goes wrong, there will be no way to assess liability.

Will GDS compensate you?

Why would they?

Perhaps David Rennie would like to explain. After all, "we're building trust by being open".

Updated 21.10.14 #3

It's not just individuals who deal with government. So do companies and partnerships and trusts and other organisations. And if public services are all to become digital by default, then they all need on-line IDs so that government departments can be assured as to their identity.

Identity assurance for organisations and their agents, it now transpires, is not a job for GDS's IDA/GOV.UK Verify. It's beyond them.

That's what GDS tell us in a blog post published yesterday, Identity assurance for organisations and agents.

That post contains one of the world's great contributions to the art of understatement.

Suppose you work in the accounts department at Royal Dutch Shell and t's your job to submit that company's VAT returns. You must be authorised by Shell to do that job. And HMRC have to know that Shell have authorised you to do it.

Hands up who thinks that Shell would agree to appeal to GDS for that authorisation.

As GDS themselves say:
... organisations expect to be able to manage their own delegations of authority, rather than them being managed by a government service ...
Too right.

Which means that IDA/GOV.UK Verify can only be at best one among many identity assurance schemes. One that depends, it seems, on the information that the credit referencing agencies compile about us and depends on sharing that information with a bunch of strangers over an unauditable ID hub.

What are GDS contributing?

RIP IDA.

Updated 30.10.14

Verizon:
"Ultimately, we don’t see ourselves as a data provider;
we see ourselves as an ad platform
that helps brands and consumers connect"

We noted above that GDS have published the Executive Summary of the draft contract between them and the "identity providers". 94 clauses spread over 12 pages, it constitutes a veritable cornucopia of interest. A feast.

Let's start with a snack – clauses 85 and 86:
Marketing and Cross-Selling
85.The Supplier is entitled to provide Supplier Own-Offering Services to Users, provided that the Supplier shall:
a. not advertise the Supplier Own Offering Services on any material seen by Users on a User journey through the Supplier's assurance service;

b. obtain the User's informed consent; and

c. ensure that the requirements of the Ts & Cs (including requirement for Informed Consent) are met.
86.The Supplier will not be allowed to provide Third Party Identity Assurance (that is, assurance of identities for a private sector customer) which rely in any way on the Evidence Checking Services or on any other aspect of the Services provided by the Supplier, or which refer to or make any reference to the fact of the Supplier's role under the Framework or to the Supplier having registered or assured a User's identity under the terms of the Framework Agreement, unless the Authority in future consents to this. In giving any such consent, the Authority may impose conditions at its discretion.
For the avoidance of doubt:
  • The Supplier here is any "identity provider". At the moment, that means Experian. In future it may include Digidentity, Mydex, the Post Office or Verizon or any other company gung-ho enough to bet the farm and join them.
  • The Authority is the public authority, in this case GDS.
This is just a snack, let's forget the other "identity providers" for the moment and concentrate here on Verizon. How do clauses 85 and 86 affect Verizon's business?

Come to that, what business is Verizon in?

The answer is given in an article published three weeks ago on AdExchanger.com, hat tip @NoDPIsigma: "Verizon bills itself as a triple threat. It’s got mobile, it’s got television, it’s got broadband ... it’s up to 103.3 million wireless customers, 6.2 million Internet users and 5.3 million TV subscribers. It’s a wealth of potential data that Verizon can use to power its advertising business".

IDA/GOV.UK Verify could add 60 million Brits to Verizon's collection.

Colson Hillier is Vice President of Verizon's Precision Markets Insight group and he says: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect".

They don't work alone: "Verizon has partnerships with marketing data providers like Experian Marketing Services and Oracle’s BlueKai to enable anonymous matches between the Precision ID identifier and third-party data".

Having identified people and classified them using their own information or third party information from Experian and others, Verizon sell access to these people to organisations targeting particular segments. That may be for commercial campaigns or political campaigns.

It happens in the US, as the Times were telling us the other day, in connection with the mid-term Congressional elections, please see US parties harvest web data to tailor adverts for voters: "Voters in America are being served up millions of tailored online adverts as the political machines gather more data than ever". It could happen in the UK.

Precise marketing is not sold to the people registered under the auspices of IDA/GOV.UK Verify and so it is not constrained by clause 85.

Verizon and Experian are not offering identity assurance to the companies and political parties with the big marketing budgets and so this business is not constrained by clause 86.

The advertisers and the political parties pay good money for well-classified targets for their campaigns – please see for example Martin Sorrell: if you don’t eat your children, someone else will. That could explain why Verizon and Experian are interested in IDA/GOV.UK Verify, which pays very little.

GDS: "we're building trust by being open"

(See also When it comes to privacy, mobile carriers must choose whether they serve customers or advertisers. The telcos/carriers could offer to enhance their customers' privacy. The customers might even pay for it. Gratefully. But that idea "falls apart if the carrier has skin in the ad game – a change in role that makes it no better than Google or Facebook, from a privacy perspective at least".)

Updated 31.10.14

Old people, born before yesterday, will remember James-previously-Sir-James Crosby's March 2008 report on the Home Office's ID cards scheme.

The Home Office wanted to insert ID cards into the nation's payment systems. Crosby was asked to report on the views of the banks and the major retailers.

What do the Home Office know about operating payment systems?

The explosive and profane answer from the banks and the major retailers was rendered into perfect Mandarin in Crosby's report (p.8):
Quite legitimately, the Government may not regard its ID cards scheme as the best way to stimulate the creation of the universal ID assurance system as envisaged in this report.
It's all written up in DMossEsq's contemporaneous account, Crosby, Smith, Kelly and Brown.

Now roll forward six years to Rt Hon Francis Maude MP's speech at yesterday's Payments Council cyber security seminar:
The more we spend our life online, the more important it becomes that someone signing in to use a service is who they say they are. Until now, we’ve had to rely on offline methods, or on digital systems that that don’t give a high enough level of confidence for modern, sophisticated services.

That’s why we’re developing GOV.UK Verify [known until recently as "identity assurance"]. For the first time it will allow people to prove their identity in an entirely digitally way. And it will allow government – and eventually private sector services too – to trust that a user is who they say they are.
GOV.UK Verify "will allow government – and eventually private sector services too – to trust that a user is who they say they are".

What do GDS know about operating payment systems?

Come back Crosby.

Updated 31.10.14

“This couldn’t be more complicated if you tried.
We are farmers not computer experts.”

According to yesterday's Computer Weekly, Problems surface as first users attempt to use Gov.UK Verify:
Defra was the first department to utilise the government’s new identity assurance system last week ...

Gov.UK Verify has been incorporated into the rural support (Common Agricultural Policy – CAP) online service ...

But within days of the system being introduced, several users have been unable to register with Experian – the only company currently certified to confirm identity – meaning those users risk not receiving their CAP payments ...

One commenter, Davina Emmett, said: “This couldn’t be more complicated if you tried we are farmers not computer experts.”

Another user, Simon Caudwell, commented: “Unable to register with Experian. Been through the whole process twice now and talked to Experian help line on both occasions but they are still unable to make it work. Latest advice is to leave it until next week and try again!” ...
Who are these people? Who is Davina? Who is Simon?

If they can't use the combined efforts of GDS and Experian to create an on-line identity, then they don't exist. And if they don't exist, then they can't have any problems, either with IDA/GOV.UK Verify or with the CAP.

In which case, there aren't any problems, either with IDA/GOV.UK Verify or with the CAP.

It's like that Rory Cellan-Jones at the BBC. He doesn't exist either.

Digital by default – the humans cancel out of the equation.


Updated 3.11.14 #1

Here is a short extract from Mr Bracken's speech to the Code for America Summit 2013. That speech was delivered a year ago on 16 October 2013:


He's talking about IDA, the identity assurance service, currently known as GOV.UK Verify, and he says "We have about eight or nine companies already providing identity to us". That statement was false at the time and remains false today, a year later. GDS have one "identity provider" – Experian – and only one.

"The first services run out with our tax system this month [October 2013]", he says. Again, false. The planned pilot of PAYE Online didn't take place then and it still hasn't done.

We were in need of veracity assurance a year ago, the reliability of statements about IDA needed to be verified. We still are and it still does.


Updated 3.11.14 #2

IDA/GOV.UK Verify has been in private beta for some months, so we are told, and is now in public beta, ditto. It remains hard to find any reliable information about the system.

IDA is apparently operating at DEFRA (the Department for Environment Food & Rural Affairs), where it has something to do with payments to farmers. Emily Ball is the customer communications lead on CAP, the EU's Common Agricultural Policy, and her blog posts are the nearest thing we have to a handle on IDA.

On 17 October 2014 she published Introducing GOV.UK Verify, replacing Government Gateway for new CAP schemes. The two opening paragraphs read:
The CAP Information Service is the new application and payment service for CAP schemes. Customers wanting to apply for the new Basic Payment Scheme will need to be registered on the service.

Before you can log in to the CAP Information Service and apply for CAP schemes, so that we know that it is really you, customers will need to verify their identity on GOV.UK Verify.
That seems pretty clear. Anyone wanting to use the CAP Information Service needs to use IDA/GOV.UK Verify, TINA – there is no alternative.

In the comments below her post, that clarity disappears. Three times, she says there will be an alternative:
There will be an alternative way to access the CAP Information Service for people who for some reason are not able to verify their identity, and we will be publishing more information about that soon here.
Which is it? Will customers/users/farmers need to use IDA/GOV.UK Verify or will there be an alternative?

She obviously realises that this is confusing and she published a new blog post on 30 October 2014, The CAP Information Service – continuous improvement, where she says:
We know from customer feedback not everyone is getting through GOV.UK Verify at this stage – we’re using feedback from customers to continue to develop and improve the service.

Nobody is excluded from the service if they can’t register. The certified companies have telephone helplines you can call if you have problems. The registration packs also have helpline details ...

We have produced some ‘hints and tips‘ to help customers prepare.
Nobody is excluded, apparently. They can ring Experian's helpline on 0344 481 8192. (Despite her referring to "certified companies" plural, there is only one. Experian.) Or they can read DEFRA's hints and tips (where DEFRA again pretend that there are several "identity providers" when actually there is only one). Those hints and tips are aimed at helping people to use IDA/GOV.UK Verify.

Which suggests that there is no alternative and anyone who can't get themselves an on-line ID using IDA/GOV.UK Verify jolly well is excluded – people like:
  • Mrs Trilby J Crewes and EM Wilson "I was not able to register as Experian could not verify my identity"
  • Davina Emmett "This couldnt be more complicated if you tried we are farmers not computer experts"
  • Simon Caudwell "Unable to register with Experian. Been through the whole process twice now and talked to Experian help line on both occasions but they are still unable to make it work"
  • WJ Willcocks "I was also unable to register as the Experian identity verification process couldn't be completed. They seem to think I have credit card numbers which I do not have. I have discussed this on the phone with them and have been unable to resolve this"
  • E Davey "Like many others I have had difficulties trying to verify my identity"
  • GC Braithwaite "I have had four goes at registering but cannot get past the address stage"
  • Chris Curry "An absolute waste of time! I've now been through the process three times (an hour and a half) and Experian still can't verify my identity"
  • Mary Godfrey Charity "We have tried multiple times to register/verify identity but Experian is not able to verify our identity"
  • Tim Watson "I have been unable to register with Experian as they claim we have a credit card which we do not have. The first time I tried, I called Experian and the outcome of 30 minutes on the telephone was the implication that they were right and I was wrong and suggested I get one of their reports (£14.99) which would show all the cards we had. I refused to do this. They then said the only option they had was to cancel my account and said I could try again in 24 hrs"
  • F Campbell "Like WJ Willcocks I have been unable to register as the Experian identity service asked me to verify the card provider of a card I do not have. Then their helpline were unable to help me"
  • Andrew Green "I have endeavoured to verify my identity FOUR times with Experian, wasting hours in the process. Each time I have been unsuccessful I have contacted Experian's helpline, who then cleared my account and asked me to try again. FINALLY, today, I have established that despite living at my address for 24 years, paying taxes and all my other bills, I do not have a "Credit Footprint" to verify my existence and this is why I am not succeeding"
Instead of leaving poor Ms Ball to field these problems on her own, perhaps GDS and/or Experian will publish a definitive ruling on whether there is an alternative to IDA/GOV.UK Verify.

Other government departments, please note the IDA/GOV.UK Verify treatment in store for you.

And perhaps GDS and Experian would like to explain at the same time how the system was let loose on an unsuspecting public with so many faults despite months and years of agile testing.

Meanwhile, any supplier considering joining Experian in the "identity provider" club, take note.


Updated 3.11.14 #3

Some of the early users of DEFRA's implementation of IDA/GOV.UK Verify have been spooked by the "identity provider", Experian, asking them about credit cards the farmers didn't even know that they had. If they don't know, how does Experian know? And how come Experian knows the day the farmers moved into their house several decades ago?

This is all to do with the "knowledge-based verification" we referred to above.

Collecting this sort of information is Experian's business. It is provided to them by the banks and other suppliers – among other things, Experian get the electoral rolls for every UK local authority.

Experian then sell the information back to the banks and other customers, in the form of credit ratings, market analysis and contact details for commercial and political campaigns.

That may come as a surprise to some people. Understandably enough. But it has been going on for decades, it is probably legal and you'll probably find that you signed an agreement at some point, in the small print of which you authorised it.

Suppose that GDS one day manage to get a second, certified "identity provider" to operate IDA/GOV.UK Verify. Digidentity, for example. It is highly unlikely that you in the UK have ever signed any agreement with your bank or with Experian authorising them to disclose information to Digidentity in the Netherlands.

So what on earth is Emily Ball of DEFRA talking about when she says, in The CAP Information Service – continuous improvement:
The security questions asked by certified companies are all based on information they already hold about you and they are just asking you to confirm these details are right, so they know it is you sitting at the computer. In answering the questions customers are not providing the companies with new information about themselves. The questions are varied and detailed in order to meet modern security standards suitable for the levels of financial transaction involved in making payments under CAP schemes.
Digidentity wouldn't hold this sort of information on Brits. They would have to get it from Experian or one of the other credit referencing agencies. But who would have given Experian permission to pass this information on to Digidentity (or Mydex or the Post Office or Verizon)?

The answer, in GDS's mind, is you.

Go back to the presentation of the Post Office's registration dialogue above. The bit where it says "To check your identity we need to securely connect to your bank, your credit record, your government records your utility suppliers. This information is not stored by Post Office – it is only used to confirm your identity. I give permission – continue".

That is GDS's and/or the Post Office's idea of you giving your informed consent.

Either you give your consent. Or you go without your CAP payments. It's not informed consent. And it's not free consent.

Also, Emily Ball says "the security questions asked by certified companies are all based on information they already hold about you" and the Post Office say "this information is not stored by Post Office". Which is it?

Welcome to GDS's new digital-by-default world.


Updated 3.11.14 #4

Apparently:
Our job at GDS is to make sure that before they go live, services have the right support in place for those that need it – and that this support is designed based on research and testing with real users.
In connection with DEFRA's service, why aren't they doing their job?


Updated 3.11.14 #5

"The GOV.UK Verify service allows users to prove their identity when accessing digital services". That's what it says in the GOV.UK Verify – Service Assessment. It's the opening sentence. And it's false.

The service was reviewed on 16 September 2014 and "after consideration the assessment panel have concluded GOV.UK Verify ... has shown sufficient progress and evidence of meeting the Digital by Default Service Standard criteria and should proceed to launch in Beta". There are 26 of those criteria. And GOV.UK Verify passed the lot.


Updated 9 November 2014 #1

The Times newspaper's lead story on 4 November 2014 was Virtual IDs for everyone.

Traditionally, GDS leads with the Guardian, but it took that newspaper until 6 November 2014 to come out with Charles Arthur's Gov.uk quietly disrupts the problem of online identity login.

They hit the ground running. The opening paragraph reads:
A new "verified identity" scheme for gov.uk is making it simpler to apply for a new driving licence, passport or to file a tax return online, allowing users to register securely using one log in that connects and securely stores their personal data.
That is simply false.

GOV.UK Verify is not available for use when you apply on-line for either a provisional licence or a replacement licence. Take a look for yourself at Apply for your first provisional driving licence and Replace a lost, stolen, damaged or destroyed driving licence and Renew your driving licence.

All three take you to Directgov pages (which aren't supposed to exist any more, but there they are) and none of them offers the facilities of GOV.UK Verify.

There is no sign of GOV.UK Verify there and the same goes for passport applications and tax returns.

Mr Arthur is simply wrong with his opening paragraph and the article never recovers. It was trivially easy to verify the accuracy of GDS's briefing and, like the Times two days before, he didn't bother.


Updated 9.11.14 #2

Mr Arthur has responded to the point made above. What does he say about failing to check GDS's briefing and misleading his readers as a result? Answer – nothing. He avoids the issue:



DMossEsq doesn't understand how GOV.UK Verify works? Undoubtedly true. GDS have told us very little about it. Some of what they have told us is false. Some of it is self-contradictory.

Has Mr Arthur helped his readers to understand how GOV.UK Verify works? You must be the judge of that. Suppose you had 30 seconds on BBC Radio 4's World At One to explain GOV.UK Verify. On the basis of his article, what would you say?

Does Mr Arthur understand how GOV.UK Verify works?

"Banks now following gov.uk’s lead", he says in his Guardian article. Nonsense. Wrong way round.

The banks have been using the credit referencing agencies to verify identity for years. The banks have been sending us one-time passwords on our phones for years, whenever we try to set up a new payee on our on-line current accounts, for example.

GOV.UK Verify is copying the banks. A point which Mr Arthur has misunderstood.

Is Mr Arthur so happy with the credit referencing agencies storing our personal data and selling it to GOV.UK Verify's "identity providers" to verify our identity that he doesn't think it worth highlighting this business? What does he have to say about GDS's knowledge-based verification (KBI)? Nothing.

GOV.UK Verify only works even in theory if the credit referencing agencies are allowed to keep us under surveillance by storing details of all our transactions. That's where the quasi-secret information comes from on the basis of which GOV.UK Verify is supposed to be capable of giving low-grade identity assurance to DEFRA and HMRC and DWP and other "relying parties" (RPs). Mr Arthur considers this to be of no interest to his readers.

We already have a way for people and companies to undertake authorised transactions with government – the Government Gateway.

Mr Arthur doesn't mention that. Instead, in the tweet above, he says that GOV.UK Verify is "like OAuth for identity".

If it's exactly like OAuth, then we don't need GOV.UK Verify. Why haven't GDS used OAuth? Why have they wasted their time and our money developing GOV.UK Verify?

GOV.UK Verify is "a world first" according to Mr Arthur's article. Here's a list of 59 users of OAuth. If anything, GOV.UK Verify must be "a world sixtieth".

If after all GOV.UK Verify isn't exactly exactly like OAuth, then in what way is it different? Or better? Mr Arthur doesn't tell us. Does he know? Or was the answer omitted from the GDS briefing pack which he so cravenly reproduced?

GOV.UK Verify "could have as many as half a million users with a year". Mr Arthur probably means "within a year". He mentions that possibility. He doesn't mention the problems Rory Cellan-Jones had, trying to obtain an on-line ID through GOV.UK Verify. Mr Cellan-Jones is the BBC's esteemed technology editor and he couldn't make GOV.UK Verify work.

And if he couldn't, what chance the farmers being forced by DEFRA to use GOV.UK Verify?

We know the answer to that. But Mr Arthur doesn't mention these problems. As far as his readers know there are no problems:

"we're building trust by being open"

Updated 11.11.14

The putative attractions of GDS's GOV.UK Verify identity assurance scheme include the independent assessment of the "identity providers" by tScheme.

Take away tScheme's independence, and GOV.UK Verify looks even less viable, RIP.

Back on 17 October 2014 we had a question:
Four other "identity providers" – Digidentity, Mydex, the Post Office and Verizon – have yet to be approved by tScheme, the certification agency. "As we go into our public beta, we will have one identity provider that’s certified for wider public use. By the end of the year we’ll have 4", say GDS. How do they know that three more "identity providers" will be certified? That's up to tScheme, not GDS ...
How do GDS know that three more "identity providers" will be certified by the end of the year? By 4 November 2014 Government Computing had the answer, please see GDS to expand approved identity providers by December:
"Working with the Cabinet Office, tScheme said that the Government Digital Service (GDS) had set out the key elements it required identity providers to include in their assurance services, which are then assessed by independent auditors.

As this is a developing process, the auditors have been working very closely with GDS and [the five identity providers] to ensure that there can be confidence in the delivery of the identity assurance process and, ultimately, in their production of a compliance report that recommends to tScheme that a service can be approved - as happened with Experian last month," said a spokesperson for the scheme.
tScheme are "working with the Cabinet Office" and rely on the recommendations of "independent auditors" who "have been working very closely with GDS".

So much for independence.


Updated 13.11.14

"I work as a user researcher for GOV.UK Verify", says a person writing today on GDS's Identity Assurance blog, Using evidence from user research to redesign GOV.UK Verify.

The idea behind GOV.UK Verify is that it would be up to us users to choose our "identity providers". At least, that was the idea, but apparently research evidence now suggests that we really want to be told which "identity provider" to choose. That's what the blog says.

The reaction of the "identity providers" is not recorded. More research needed, no doubt, although we can surely guess in advance that if they're supposed to be operating in a free market they're not going to take too kindly to having their competitors recommended.

The "user researcher" for GOV.UK Verify says that there will be a couple of simple questions asked of us users and then "based on someone’s answers to these questions, we recommend a certified company that is likely to work for them". The example given in the blog recommends "Choose Verizon" – an odd choice, as Verizon hasn't been certified yet.

In fact, the lower quality, second recommendation – Experian – is the only answer possible as they are the only certified "identity provider".

Notwithstanding which, the blog says "we have contracts with 5 certified companies in total".

Which five "identity providers" does the blog have in mind? They're listed – Digidentity, Experian, the Post Office and Verizon. But that's only four.

Yet more research needed, but it's beginning to look as though Mystic GDS's prediction that one of the five companies will fail to be certified by the entirely independent tScheme is correct and points to the excommunication of Mydex.


Updated 14.11.14

GDS have a problem with security. They can't take it seriously.

Ditto privacy. All data should be shared. It's for our own good. Apps can make recommendations for the quantified self better than humans can decide for themselves. That's the Estonian thinking round at GDS Towers.

GOV.UK Verify is supposed to be subject to identity assurance privacy principles. Nine of them.

How well does GOV.UK Verify score? 0. 0 out of 9. And lucky to get that many.


Updated 18.11.14

No man is an island.

And no country either, as GDS reminded us the other day in Identity assurance in the European Union:
European member states want people to be able to identify themselves online for digital services in other countries. Recently, a regulation has been passed in Europe to allow this – the eIDAS Regulation ...

The European Commission’s work in this area is is part of a wider programme to create a digital single market. Identity is an important part of the digital single market because there are some services that can only be offered digitally if providers can reliably know who the user is.
OK so far?

Now try this:
The regulation means that it will become possible for people in the UK to use GOV.UK Verify for online public services in other countries. This could include car registration, paying taxes or setting up a business in another country.
Wrong.

The regulation doesn't mean "that it will become possible for people in the UK to use GOV.UK Verify for online public services in other countries". Other countries will only let us Brits loose on their public services if they first believe that GOV.UK Verify works. And so far there is no reason for us to believe that. So why should the Bulgarian equivalent of Companies House, for example, believe it?

GOV.UK Verify currently offers low-grade assurance that you are who you say you are. Will Bulgaria accept that? Why would they?

Conversely, GDS are going to have to work out whether they accept the identity assurance of 27 other countries. How are they going to do that? And when?
Now the regulation is agreed, we’re working on the technical infrastructure to make this all happen. This will take a little time whilst both public and private sector service providers adapt and develop cross-border services.
"This will take a little time" – another contribution to the UK stock of vintage understatement.

Incidentally ...

... we've been here before. Project STORK:
EU/UK: EU pilot to boost compatibility of eID kicks off in the UK, 15 October 2007

The ultimate goal of the STORK project is to implement an EU-wide interoperable system for the recognition and authentication of eIDs [electronic identities] that will enable businesses, citizens and government employees to use their national eIDs in any Member State.
We've been here before, and we've pulled out before. The auguries are not good.


Updated 2.12.14

Farmers who have trouble registering for their CAP payments are going to be angry with DEFRA.

In a way, that's unfair.

Registration requires the farmers to use GOV.UK Verify, Whitehall's identity assurance scheme.

Identity assurance is not a big enough project for the Major Projects Authority to worry about. Apparently. Even though it could affect every person and every organisation in the country.

But it is big enough to warrant its own blog, https://identityassurance.blog.gov.uk/:


Take a closer look at that block of text bottom right:

It is GDS – the Government Digital Service – who are "responsible for GOV.UK Verify and other related products and services" and not DEFRA.

The fair criticism is that DEFRA let GDS threaten DEFRA's own parishioners. They shouldn't have done.

DEFRA is the Department of the Environment Food and Rural Affairs and they're meant to look after farmers. Not expose them to impossible computer systems with no alternative method of registration provided.


Updated 3.12.14 #1

How does a certified company establish that it’s really you?, they were asking 10 days ago, over on the GOV.UK Verify blog.

GOV.UK Verify will give access to your passport and driving licence records, we are told, to a bunch of identity providers certified companies, many of whom you've never heard of, many of whom are already under contract even though they haven't been certified.

These certified companies will check your credit reference. Remember, in GOV.UK Verify, you are your credit history. A person is a credit record.

It's not clear how the economics work. Experian is an "identity provider". It is also a credit reference agency. It can access your credit history for free if that's how it cares to account for its GOV.UK Verify business. But suppose Mydex want to access your credit record. Do they have to pay Experian? Or Equifax? There's not much money in the GOV.UK Verify pot. And there's no reason for Experian or Equifax to give Mydex free access. How is this tension going to be relieved?

The certified companies will also make use of quasi-secret information about you:
One commonly used method involves asking the person a range of questions it’s likely only they would know the answer to. The company can generate these questions from a range of data sources. These might include, for example, data they hold themselves (eg if they already know you because you have an existing relationship with them), data provided by another service provider, or credit reference agency data ...
Do you remember giving permission for that data to be shared? Did you do so freely? Was your consent informed? Did you even know that this data was stored in the first place? Should it be? Whose data is it? Shouldn't it be under your control?

That's certainly the view of Mydex. They are the champions of giving people control over their own data. So they say. Although they can never explain how they can give you control over your own data.

How are they going to stop Verizon from selling your data? Remember Verizon's words: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect". What sanction do Mydex have over Verizon? None.

Mydex and Verizon are both "identity providers". But not certified companies. tScheme haven't finished evaluating them yet.

But there was big news yesterday – GOV.UK Verify has a second certified company. Digidentity.

Who?

You may well ask.

They're a Dutch company. So they're unlikely to have much data about 60 million of us Brits. So where are they going to get the data to verify our identities? And how are they going to pay for it out of GDS's modest budget?

Remember, in this strange market in identity assurance, which people keep referring to as an "ecosystem", GDS are the only people allowed to pay.

You've never heard of Digidentity and Digidentity have never heard of you. But somehow they're supposed to assure HMRC or whoever that you're you.

Lots of questions. No answers. And yet GDS expect people to make an informed choice between Experian and Digidentity when it comes to choosing their "identity provider". How? Why do GDS expect that?

Don't think the questions stop there.

Two days ago, GDS published How we’re working to increase the range of data sources available for GOV.UK Verify:
We’re working to identify more government data sources to add to the document checking service. We’re hoping to be able to say a bit more about our plans on this in the new year.

The use of any additional official data sources would be subject to formal agreements on how the data can be used, and government data sources will only be used on the basis of informed user choice and consent.
The document checking service currently covers passports and driving licences. What kind of "data sources" are GDS hoping to add to these two? If you can't wait until next year to find out, here's a guess.

Remember midata? The Department for Business Innovation and Skills initiative that was going to "kickstart an inflection point in business"? They wanted to use your education, travel and health records. You mustn't mind. It's all for your own good. And to help the economy to grow.

If you've forgotten, and you don't mind being spoken to like a cretin, watch this – you lose control of your education, travel and health records about two minutes into this 2'57" video for mooncalves:



But surely, you may say, midata is all over, finished, washed up. It's more than a year now since we last heard from Craig Belsham and his midata Innovation Lab, 28 November 2013.

But that's not how it works. Do try to keep up. Now we have midata studios, please see the recently released MiData Studio Feasibility Summary Report November 2014. Lab? Studio? Who cares? Just so long as we all freely give our informed consent to have our passport, driving licence, education, travel and health records shared with everyone.

David Gauke MP thinks it's a good idea. So does Rt Hon Francis Maude MP. And presumably Vince Cable, President of the Board of Trade. Not to mention the Information Commissioner. And Stephan Shakespeare and Tim 'long live the database state' Kelsey. And Nigel Shadbolt, the chairman of the midata programme and chairman of the Open Data Institute. They all think that open data is magic.

If you disagree, that means you want children to be unhappy and you want people to die of cancer. That's what Stephan Shakespeare says. So you will let certified companies establish that you're really you, won't you.


Updated 3.12.14 #2

You may be reluctant to share all your personal information with GDS's "identity providers". Even if they are now known as "certified companies".

You shouldn't be so insular.

Through the good offices of Project STORK, your information will actually be shared with every country in the EU:



Updated 4.12.14

Remember two days ago? When Digidentity joins GOV.UK Verify public beta as it says on GDS's identity assurance blog?
We’ve reached another important milestone this week on the identity assurance programme – the second certified company (or ‘identity provider’) has joined the GOV.UK Verify public beta.
What do we know about certified companies? They have to be certified.

And who certifies "identity providers"? tScheme.

And if we check the tScheme website, do Digidentity appear on the directory of approved services? No. So they'e not a certified company.

So how did GDS reach this "milestone" of theirs? GDS, who, remember, are "building trust by being open"?

And what do Digidentity have to say on their website about GDS, tScheme and GOV.UK Verify? Nothing. Not a single mention. Google it.


Updated 12.12.14

There we were on 4 December 2014 pointing out that what the Government Digital Service said was wrong.

They said:
We’ve reached another important milestone this week on the identity assurance programme – the second certified company (or ‘identity provider’) has joined the GOV.UK Verify public beta.
And that's not true.

Digidentity are not a certified company.

Companies are certified when tScheme say so and Digidentity do not appear on tScheme's directory of approved services. Digidentity remain on tScheme's directory of registered applicants, where they have been since 24 February 2014.

Not sure about the importance of tScheme?

GDS published What it means to be a ‘certified company’ yesterday:
Certified companies have to be ... certified by an independent body (such as tScheme) to confirm that they meet government standards for identity assurance ...

Certified companies also have to be certified by an independent certification body such as tScheme to assure that their service meets the published government standards for identity assurance.
That's what it means to be a certified company and that means that Digidentity is not a certified company. GDS have misled people by referring to Digidentity as a "certified company" when in fact it isn't.

GDS have undermined tScheme, whose independence must be unquestioned if their certificates are to inspire trust.

GDS have undermined Digidentity, who must be seen to speak for themselves. Instead, here's GDS speaking for them.

GDS have undermined themselves. "We're building trust by being open"? That's not what it looks like.

GDS are trying to attract new certified companies (previously, "identity providers") to join their identity assurance initiative, GOV.UK Verify, please see Making sure we have a range of certified companies. The reputational risks any new recruits would be taking are mounting by the day.

GDS hosted the first meeting of the D5 this week. The UK, Estonia, Israel, South Korea and New Zealand all joined together to "celebrate" digital government, including GDS's two-years-late-and-still-not-working GOV.UK Verify public service. They've all just signed a charter of principles. What kind of a principle is demonstrated by pretending that you've got two "identity providers" when in fact you've only got one, Experian?

Come to that, what was GDS's executive director talking about a year ago when he told a conference that GDS had eight or nine "identity providers"?


GDS have been asked to comment on the Digidentity question:


It's not up to GDS to say that Digidentity are "fully compliant". It's up to tScheme.

"Formal certification due shortly", say GDS. So it hasn't been granted yet. They were wrong to say 10 days ago that it had already been granted.

If this is the "normal process" for GOV.UK Verify, as far as the public is concerned, RIP.

"we're building trust by being open"


Updated 18.12.14

GDS only have one certified "identity provider" for their GOV.UK Verify identity assurance service (RIP). They need more. Yesterday, they announced details of their invitation to tender, Procurement update. There is a summary on the Guardian newspaper's Government Computing website, GDS launches second GOV.UK Verify framework.

GDS are offering up to £150 million for up to 10 "identity providers" to verify the identities of up to 60 million Brits for up to four years. Suppose everyone registers with all 10 suppliers. That's 600 million registrations. 25 pence each. 6 pence-and-a-farthing p.a. For that, GDS expect to buy Level of Assurance 2 (civil courts) and may ask for Level of Assurance 3 (criminal courts).

There may not be that many registrations, of course. On the other hand, the number of verifications that have to be performed after verification registration could be huge. Suppose we all use our "identity providers" to transact with the government 10 times a year on average. That's 600 million verifications p.a., 2.4 billion verifications over the four-year period – 2.4 billion times the "identity providers" put their head on the block and assure the government that you are who you say you are.

600 million registrations. 2.4 billion verifications. Any supplier responding to this invitation and submitting a tender must explain to their shareholders how they and their sub-contractors can take on the onerous liabilities of the identity assurance contract and make a profit out of 6¼ pence. Those explanations should make interesting reading.

It's not just the investors in private sector "identity providers" who will need to be convinced of the reality of this dream. If GDS are to be believed, 27 other EU governments are going to have to buy into the fantasy, please see STORK: a practical way to access services across borders. Do you see Germany, for example, relying on 6¼ pence-worth of identity assurance?


Updated 22.12.14

For two weeks or so now, we have all watched as Sony's private and confidential correspondence has been published by hackers, personal details about the stars of their films have been revealed and the value of the company's intellectual property has been destroyed.

It's not the first time it's happened to Sony and Sony aren't the first organisation it's happened to – we are fed a daily diet of on-line security breaches with stories coming from all over the world. Banks, retailers, government departments, ..., they all, like Sony, make their best efforts to preserve on-line security and they all fail. Even defence contractors get hacked. And they're meant to be the experts.

Salesmen keep on trying to ply their on-line wares on the basis of secure websites. Sometimes they go further and offer supersecurity. Even hypersecurity. But it must finally dawn on them, as it has on everyone else, including Sony, that there just is no such thing as a secure website. Unicorns don't exist. And neither do secure websites.

On 9 November 2014, GDS offered us all GOV.UK Verify, "a new 'verified identity' scheme ... allowing users to register securely using one log in that connects and securely stores their personal data". Who is ever going to believe that tired old marketing line again? Remember Sony. No-one.

Here's a prediction. By the turn of the year, it will look suspicious to offer secure websites. Any sales organisation relying on that offer will be a laughing stock. 2014 will prove to be the last year any respectable organisation tries to maintain the pretence.


Updated 28.12.14

Father Christmas may or may not exist but secure websites certainly don't.

Sony PlayStation struggling to restore network after Christmas hacking attack, the Telegraph newspaper told us yesterday, and followed it up with Hackers 'leak details of 13k users of PlayStation, Xbox and Amazon':
A group of hackers, calling themselves Lizard Squad, took credit for the attacks, with a man claiming to speak for the group claimed they had done it for the “public good” to “raise awareness” about shortfalls in security systems.
While the hackers are interrupting children's games-playing to make a serious point, our ninnyish government continues to inveigle us into playing their games. midata, for example. And GOV.UK Verify.

In a reversal of the classical model, only the adults believe in web security – the children know it doesn't exist. The so-called "modernisation" of government, making all public services digital by default, is more properly termed "infantilisation".


Updated 19.1.15
As every fule kno, "UKGovcamp is the free, annual 'unconference' for people interested in how the public sector does digital stuff". The hashtag for this year's unconference is #ukgc15, obviously, and the following plaintive call has been issued:


Campers may care to inform themselves in advance of the festivities by taking a peek at GDS: We might miss our digi-goal. Quick, MAKE IT BIGGER in today's ElReg:
The government has admitted it will fall significantly short of its original target to make 25 digital services live by March …

The exemplars were supposed to showcase a new "agile" way of doing IT for Whitehall departments; however, as services in their own right, they are largely peripheral to the main workings of government …

It also has the pressing deadline of getting all departments to have integrated its identity assurance system "Verify" with their digital public services by March 2016 …

Verify has taken four years and is behind target by two years. The system underpins the online Common Agricultural Policy (CAP) exemplar application service for farmers, which according to the Farmers' Guardian has largely been abandoned ...
Will that plaintive call be answered? Why weren't UK.GOV Verify invited in the first place? What will they sing round the camp fire? (Answer)


Updated 20.1.15

There's a lot to think about in Neil Merrett's latest Kable/Government Computing article:
Five ID providers to support GOV.UK Verify by April
Neil Merrett
Published 20 January 2015

Existing contracted providers expected to be accredited for service before new framework award, as efforts continue to improve 60% verification success rate

All five identity providers currently contracted to support the GOV.UK Verify service are expected to obtain accreditation required for the programme by the anticipated award of a second ID assurance framework in April, the Cabinet Office has said.

The Cabinet Office's efforts to expand the number of companies providing ID assurance for Verify, as well incorporating a wider number of data sets such as phone bill or bank details to identify users, form part of planned improvements to the service, which it says currently has around a 60% success rate during beta testing.
Let's deal with the easy bit first.

The Government Digital Service now claim that all five "identity providers" will be accredited by April 2015. Whereas, on 14 October 2014, GDS told us that:
More identity providers
As we go into our public beta, we will have one identity provider that’s certified for wider public use. By the end of the year we’ll have 4. These certified companies will offer a range of ways for people to verify their identity, with each method having been developed to meet the same level of assurance but using different approaches to get there.
What was initially the "Identity Assurance Scheme (IDA)" is now "GOV.UK Verify". What were "identity providers" three months ago are now "certified companies". There were going to be four of them by the end of 2014 according to GDS but in the event there was still only one. And now we are to believe that there will be five by April 2015. GDS were wrong about December 2014. Why should they be right about April 2015? No reason.

Remember, you can keep score yourself via the tScheme website. "Identity providers"/certified companies are only certified if tScheme say so. It's up tScheme to certify their trustworthiness, not GDS. tScheme are meant to be independent and GDS impugn that independence every time they predict the numbers and the timing of certification. Right now, tScheme show just one approved service for IDA – Experian's. The other four "identity providers" – Digidentity, Mydex, the Post Office and Verizon – are still firmly on tScheme's registered applicants list and thus not accredited or certified or ... trustworthy.

Next on Mr Merrett's list, note that the five "identity providers" left in the running, down from eight originally, are contracted under the current IDA framework. Soon there will be a new IDA framework. And then the "identity providers" will have to apply all over again for accreditation. And they may face competition from any number of other prospective suppliers.

Why bother to apply again? Why would anyone else bother to apply? Why did Cassidian, Ingeus and PayPal pull out? What will the equity analysts make of any company applying under the new IDA framework? What will their shareholders make of it? There's very little money on offer – £150 million to register everyone in the country and every organisation. Where's the profit supposed to come from? What are the risks? What about all the other competing identity schemes? Why haven't GDS provided identity assurance for electoral registration? (Show, don't tell, how's that going?) Why has the identity assurance GDS provided to DEFRA been abandoned? Can you do identity assurance business with an organisation – GDS – that is simply uninterested in security? To repeat, why bother?

Mr Merrett has an elliptical way of writing. His clear and sparse prose includes all the questions above and more.

Finally, Mr Merrett tells his readers that GDS intend to find more ways to register us all and make it easier to identify us on-line. Sticking to the credit rating data held by Experian gives GOV.UK Verify a 60% success rate or, to put it another way, a 40% failure rate. Perhaps if we give GOV.UK Verify access to our bank accounts as well, and our mobile phone records, that might improve the successful registration rate.

It might.

In which case, why not open up completely? Why not throw confidentiality and privacy to the winds? And caution and dignity and maturity. We could add our health records. And our educational records. And our travel records. As noted above. That ought to make life easier for GDS. And for the hackers.

And that's dealt with just Mr Merrett's opening paragraphs.

Read him early. Early and often.


Updated 1.2.15

Read Mr Merrett early, we suggested immediately above, and read him often. As if to help with reading him often, Kable/Government Computing re-published his 20 January 2015 article nine days later under the title GOV.UK Verify constrained by need for more datasets.

GOV.UK Verify will work – that's the suggestion – if and only if you open up more and more of your life to GDS's so-called "identity providers". We know that that's false. You could reveal everything about yourself and yet Whitehall and local government could still fail to provide adequate public services.

Just ask the victims of the Child Support Agency, for example. The CSA had access to financial, medical, educational, social services and police records and yet they still managed to inflict misery on millions and failed to get children supported.

You would keep your part of the bargain only to find GDS renege on theirs.

Mr Merrett repeats, with an admirably straight face:
... the five approved providers working under the existing framework - only two of whom are currently accredited to support the public beta service - were primarily reliant on credit reference agencies' files ...
There is still only one accredited "identity provider" to GOV.UK Verify – Experian. Not two. Check it yourself on the tScheme website.

When you check, you'll see that tScheme have added a new member to their club of approved services – Equifax, another credit referencing agency, like Experian.

Equifax are not on GDS's list of "identity providers" to GOV.UK Verify. What does that tell you?

It tells you that GOV.UK Verify is just one identity assurance scheme among others, GDS face competition, other organisations like BT and RBS and the Metropolitan Police and the Home Office have been doing the job better and for longer than GDS. Why would a prospective new entrant to the identity assurance market sign up to GOV.UK Verify's list of "identity providers"? They don't need to. It would impose an unnecessary constraint on their perfectly viable, independent service.

It also tells you that when you look at the class of "identity providers", you're looking at organisations like the police and the Home Office. You may not have thought of the credit referencing agencies like that before, as an arm of the state, but there you are, there's the evidence.

What was that we were saying back on 18 October 2014? Oh yes:
GDS's answer to the question "who are you?" is "you are your credit history". "What is a person?", you may ask. "A person is a credit history", according to GDS.
N GDS do have another credit referencing agency on their dwindling list of five "identity providers". Not Equifax, but Verizon. Nonsense. Editorial failure. Verizon is not a credit referencing agency. N And how do Verizon see themselves? Not as an arm of the state. Oh no:
Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect
That's your part of the pact with GDS – to be neatly wrapped and sold to the marketing men – the part you will keep even when GDS fail to meet their obligations.

Confusing, isn't it. Read Mr Merrett. Read him early. And read him often.


Updated 13.2.15

This time it's Submissions for new GOV.UK Verify framework to close on Monday. Neil Merrett. Read him early. And read him often.

Will any organisations be reckless enough to submit applications to become "identity providers" in GDS's new GOV.UK Verify framework? If they do, sell them short. (NB DMossEsq is not licensed to give investment advice.)

Mr Merrett repeats some of his favourite material, e.g. "At present, only Experian and Digidentity are accredited to provide ID assurance as part of the service's public beta". Experian's service has been approved by tScheme. Digidentity's still hasn't, it is still a mere registered applicant. In what sense is the "identity provider" Digidentity "accredited to provide ID assurance"? None. That accreditation is a figment of GDS's imagination (a figment repeated on their brand new service dashboard on the performance platform).

Mr Merrett again warns his readers that GDS want GOV.UK Verify to be able to process more of your personal information than just credit history, passport and driving licence: "Janet Hughes, programme head for GOV.UK Verify has previously explained that a key focus of the second assurance framework was to extend the number of datasets currently available to prove a user's identity through the platform".

Would it be wise to open yourself up in this way? What benefit do you get by letting GOV.UK Verify have access to your banking records, and mobile phone and energy usage and health and education and travel records? Would that improve public services? In what way? Would it transform government? Into what?

There are obvious dangers in allowing access to all this information about you through one framework.

You could become entirely dependent on GOV.UK Verify to do anything. That is the objective of Mydex, for example, one of GDS's "identity providers" – no Mydex, no transactions. Mr Merrett does warn you: "Mydex, which today said it expects to gain required accreditation to support Verify in the 'near future', also confirmed it would be submitting documentation to tender for the second iteration of the ID provider agreement before Monday's deadline".

You could open yourself up to fraud. All those personal details which identify you on-line equally allow fraudsters to pretend to be you on-line. There seems to be no defence against cybercrime. Remember Sony. Anyone offering you security on the web is locked in the last millennium.

And here we see Mr Merrett at his very best: "Sources involved in the accreditation process for GOV.UK Verify have previously suggested that GDS had perhaps been too rigorous in setting security standards required for ID providers wishing to support the first framework".

Never has humour been drier.

Which "sources" are these? No-one has ever accused GOV.UK Verify of being too secure. No-one ... with the possible exception of GDS themselves, who can't take security seriously and who seek to elevate usability above all.

Security breaches are guaranteed. People are going to suffer. Even security experts are helpless. What chance do you stand? In that case, when it happens, which it does every day, what happens?

If your bank account is emptied by fraudsters and it's not your fault it's deemed in the UK to be a fraud against the bank. Not against you. They suffer. But they have to compensate you. And they do. Again, it happens every day. That is the liability model we have got used to in the UK.

Do you think the same applies to GOV.UK Verify? If so, why do you think that? You've made an assumption. And you're wrong. Mydex gave evidence to the House of Commons Science and Technology Committee on 5 June 2013 during which they asserted that since their users hold the private key to their own personal data store, if there is a fraud perpetrated, it is unlikely to be Mydex's fault. No liability on Mydex's part, the fault lies with you (para.5).

This issue of liability has been taken up by the law firm Pinsent Masons: " ... financial services litigation and compliance expert Michael Ruck of Pinsent Masons ... said that although regulated firms [e.g. banks] can rely on third parties' due diligence, the approach carries risk as 'responsibility and any liability for failures remain' with those regulated businesses ... 'The bank, or any other regulated firm, can rely on third party checks but this does not escape any liability on the bank’s behalf,' Ruck said. 'Therefore any such reliance would require the bank to check, observe and review the activities of any such third party and be sure that it was conducting the appropriate due diligence' ...".

GDS's approach is insouciant not only about security but also the law and market practice. Out of that insouciance GDS hope to build trust. Can that work? RIP.

Read Neil Merrett. Read him early. And read him often.


Updated 22.2.15

Suppose that you sign up to the Government Digital Service's identity assurance scheme, GOV.UK Verify (RIP), and that as the result of a security breach at your chosen "identity provider" you lose money – e.g. your state benefits are paid to someone else. Two questions:
  • Who do you claim compensation from?
  • Where do you claim it?
There are only two "identity providers" to choose from at the moment, Digidentity and Experian:


Suppose you choose Digidentity. Take a look at their terms and conditions of business.

Question 1, who do you claim compensation from? Not Digidentity:
10. Liabilities
10.1. We do not accept any liability going beyond the liability that we bear by law.

10.2. We cannot be held liable for damages resulting from the fact that the identity service does not result in the confirmation of your identity and/or the validation of documents and data.

10.3. In any event we shall not be held liable for damages resulting from events beyond our reasonable control or not caused directly by our actions.

10.4. We shall not be held liable for indirect damages or damages caused due to the fact that you do not take appropriate measures to i) limit the damage immediately after an event causing such damage has occurred, ii) prevent further damage or damage resulting from the initial damage causing event, iii) immediately inform us about the occurrence of damage and all relevant information related thereto.

10.5. In all cases our liability shall be limited to the usual and foreseeable damages with a maximum of € 500,-. We shall not be held liable for any business damages, if you have used the identity service in your capacity as a consumer.

10.6. We shall never be held liable in respect of any damages resulting from:

a. unauthorised or improper use of the data, the identity service and/or the materials by you; b. incomplete and/or incorrect data provided by you, or data not provided to us in a timely manner; c. loss of data by you; d. any failure to abide by any of your obligations as stipulated in the terms and conditions, including insufficient cooperation in the implementation of the contract and the terms and conditions; e. the late, incorrect, or incomplete accessibility of the identity service; f. miscommunication or loss of messages and notices resulting from the use of a mode of communication selected by you or resulting from the disfunction of any materials used by you, including improper functioning of the internet; g. the use of materials selected by you; h. the unauthorised use, loss or theft of log in details that have been provided to you; i. improper functioning or not being available of online tools of third parties.

11. Limitation of Action
10.1 Any claim for damages against us must be brought within one year after the damage has occurred.

12. Force Majeure
12.1. We are not obliged to perform any of the obligations under the contract or the terms and conditions in case of force majeure. Force majeure is understood to include but is not limited to force majeure on the side of our suppliers, incomplete or faulty fulfilment of our requirements by our suppliers, improperly functioning materials provided by you, requirements under the law, power cuts, improper functioning of the internet, or of computer- and telecommunication facilities, extreme weather conditions, fire, flooding, war, strike, general problems of transportation and the not being available of one or more employees ...

14. Warranties
14.1. We do not provide for any other guarantees, undertakings, and/or commitments than those explicitly provided for in the terms and conditions.
Question 2, where would you claim compensation from Digidentity? Not in the UK:
7. Personal Data
7.1. You acknowledge that the identity service is an authentication service and you agree that we will use your data to undertake a search for the purposes of verifying your identity or the validity of any data or documents. In order to do this we may compare and check your data to any database (public or otherwise) to which we have access. A record of the search will be retained.

7.2. By entering into the contract you agree that your personal data will be processed according to the Dutch personal data protection act. The Dutch personal data protection act refers to the act under Dutch law regarding the protection and processing of personal data (Wet Bescherming Persoonsgegevens). Should this approval be revoked, we shall be entitled to withdraw the access to the identity account immediately.

7.3. As far as we process (verwerken) personal data in the sense of the Dutch personal data protection act, we shall be deemed to do so for the relying party. The relying party shall be the responsible person for such data processing (verantwoordelijke) and we shall be deemed the processor (bewerker) in the sense of the Dutch personal data protection act, unless the circumstances unmistakably point to the fact that we must be regarded as the responsible person.

7.4. Any Data processing will be done in order to fulfil our obligations under the contract ...

13. Applicable Law and Disputes
13.1. The contract and the terms and conditions are governed by Dutch law and by all applicable European law provisions.

13.2. Any dispute that cannot be settled amicably will be brought before the competent judge of the place where we have our statutory seat (The Hague). If applicable Dutch or European law provisions determine that another judge is also competent, then the case may also be brought before this judge. If applicable Dutch or European law provisions determine that another judge has exclusive competence, then the case may only be brought before this judge.
Always supposing that you have the nous to nip over to the Hague and bring a Wet Bescherming Persoonsgegevens case, what are your chances of winning any compensation?

Slim.

It's not just that when you registered with GOV.UK Verify you clicked the button to confirm that you had read and understood the terms and conditions of business.

In addition, your case would rely on a breach of the contract between you and Digidentity. And there isn't one. Because you haven't paid for the service. As far as you're concerned, it's free. "You can't have a contract without consideration" – any stockbroker will tell you that, for free.

By all means, go ahead and sign up with Digidentity. But on your own head be it.

Perhaps there's no need to worry, though. If you click on the About Digidentity link in the screen above, you read:
Digidentity makes online identification easier, quicker, and more secure.

We enable safe digital communications between individuals and government both in the United Kingdom and the Netherlands, and are continuously developing new and improved services.

Our rigorous approach to privacy and security means that not even Digidentity employees will be able to access your user data.

We consider good service to be as important as infallible security, and we are available via email and telephone for support, so any complaints or problems will be resolved swiftly.
Digidentity's identity assurance service still isn't certified trustworthy by tScheme. It's still just a registered applicant, not an approved service. Nevertheless, they're offering "infallible security". Not to mention "safe digital communications"and a "rigorous approach to privacy and security".

Infallible? That's beyond the US State Department. And everyone else. But not, apparently, Digidentity. Believe that if you will.

This situation is often called "putting you in control of your own data" or "empowering you". You may believe that as well.


Update 23.2.15

Any brave soul who, despite the risks, tries to register with the Government Digital Service's identity assurance scheme, GOV.UK Verify (RIP), is presented with this:


15 minutes?

You're going to have to be a spectacularly fast reader.

In 15 minutes, you're going to have to get to grips with the Digidentity terms and conditions of business, 2,347 words, some of them Dutch.

That and the Experian documentation. Experian is a proper FTSE-100 company. Not for them the relatively casual Digidentity offering. Experian have terms and conditions (2,986 words, which they advise you to print and keep), they have a privacy policy (2,249 words) and some FAQs (1,008 words) and a Public Service Description of their Identity as a Service product (1,733 words).

You may enjoy question 11 in the FAQs:
Q11: In the Identity Check section in Registration, why are you asking me personal questions about my financial matters?

A: When you first register for the Experian identity service we need to prove who you are and we need to make sure it's you and not someone pretending to be you. In order to do this we ask you questions that only you would know the answers to. These questions are based on information that you have previously agreed to share. For example, if you agreed to share information when you took out a mobile phone contract, we will be able to ask you who your mobile phone contract is with and know the correct answer.

By answering these questions correctly, this confirms that it is really you.
They can't mean that only you would know the answer to these questions. Otherwise Experian wouldn't know whether the answer was correct, please see identity proofing and verification above. Do you remember agreeing to share this information? Does a correct answer prove that you are who you say you are – surely Experian are begging the question?

You may also enjoy this extract from the Experian privacy policy:
Where we store your personal data?

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA"). It may also be processed by personnel operating outside the EEA who work for us or for one of the Experian Group. Such personnel maybe engaged in, among other things, the fulfilment of the identity service and the provision of support services to us. By submitting your personal data, you agree to us transferring, storing or processing. your personal data in this way. How do we protect your personal data?

We endeavour to take all reasonable steps to protect your personal data. We restrict access to your personal data to those employees, and third parties, who need to know that information to provide products or services to you, or for who you have agreed can have access to your personal data (for example, in connection with the authentication of your account). We maintain physical, electronic, and procedural safeguards to protect your personal data.

Experian protects your personal data over the Internet by using secure web server technologies, which allows web browser programs (Netscape or Microsoft Internet Explorer) to interact with Experian's web server via an encrypted session. Experian employs a Secure Sockets Layer (SSL) connection that provides an encrypted connection between your computer and Experian. The 128 bit encrypted connection scrambles ordinary text or data into cyphertext to safeguard sensitive information during its journey across the Internet. The information is decrypted, or put back into a readable format, when it reaches its intended destination.
Register with GOV.UK Verify, and you more or less willingly give more or less informed permission for information about you to be spread all over the globe. What is a "reasonable step" for Experian to take in protecting your data? How secure is SSL these days? Don't you know? You've got 15 minutes to decide.

And there's this in the terms and conditions:
9.8 Except as otherwise stated in these Terms and Conditions, our aggregate liability to you arising out of or in connection with the Identity Service shall not exceed £100.
Bit mean. Even little Digidentity quote €500.

And this:
11. Third Party Websites and Content

11.1 The [Experian Identity as a Service] Website may contain links to other websites and Third Party Content in respect of products and services, either directly or indirectly through frames. Where possible, we will make it clear where such links are being made. We are not responsible for Third Party Content or the availability of Third Party Websites.

11.2 We do not endorse or take responsibility for any Third Party Content or any offers, arranging or advice (including but not limited to the comment, opinions, or recommendations) provided by third parties. You will need to validate the information and check the details of what is being offered by such third parties for yourself.

11.3 Third Party Content and third party products and services available on the Website or linked to from the Website (including any services provided by the Post Office) are subject to the separate terms and conditions and privacy policies of the relevant third party (in the case of privacy policies where the third party is collecting information from you, otherwise, where we collect information from you then our relevant privacy policies will apply).
What are Experian talking about? They're warning you that when it comes to advertisements, you're on your own (YOYO). Advertisements? GOV.UK Verify? Surely not. Although, that would provide an income stream and make GDS more comparable to their heroes, Google.

But look, the minutes are ticking by, you haven't got time to cavil. Let's say you choose Experian rather than Digidentity and you click on About Experian. This is what you see:

"Experian holds secure personal and financial information on over 45 million individuals in the UK". Feeling secure? "The UK Government chose Experian as one of the first companies to help you access their services online". More secure still? "... you can trust Experian to hold your information", except that you can't. Experian unwittingly supplied a criminal with personal information for nine months. They only stopped when the US Secret Service brought it to their attention, please see Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records.

DMossEsq warned you about this nearly a year ago. Data goes missing, even in the best of companies. These things happen. You know that. You've got about a minute left. Do you want to make sure that they go on happening? Do you want to increase the risk that they will happen to you?

Why? 57 seconds, 56, 55, ... What is the benefit to you?


Updated 24.2.15

Because we don't care about his future, because he doesn't have one, we sacrificed the shortest, fattest, ugliest, oldest and smelliest member of the DMossEsq editorial team yesterday and, purely in the interests of science, we made him register with GOV.UK Verify, choosing Digidentity as his "identity provider".

He has now given his name, address, date of birth, telephone number, passport number, driving licence details, email address, and so on to a completely unknown company claiming to be based in Holland.

Digidentity asked him for his bank account number and, incredibly, he gave it to them. Digidentity seemed to know that it was the correct number. How?

They also knew that he had taken out a mortgage in December 2001 and asked him to confirm the outstanding balance, which he did. How did they know that he had taken out this mortgage? How did they know what the outstanding balance is?

How did they know that he had taken out a Vodafone contract just over a year ago?

There is no way that Digidentity had this information at their fingertips. They must have got it from another organisation. Possibly Experian or one of the other credit referencing agencies. Our ex-colleague's personal information has clearly been flying all over the web.

Why bother to have Digidentity in the middle if the registration work is really being performed by the credit referencing agencies?

How much did Experian or whoever charge Digidentity for this information? How can Digidentity afford to pay for it and still have any profit to show, given the microscopic amount that the Government Digital Service are paying these "identity providers"?

As soon as the registration process was complete Digidentity started trying to sell the short, fat, ugly, old and smelly one (SFUOS) SSL certificates for his website and digital signature apps for PDFs. Understandably enough, they must need the money.

But that's Digidentity's problem. It's not SFUOS's fault that Digidentity signed up for this commercially nonsensical GOV.UK Verify deal.


And what's SFUOS got out of it?

He can use his new GOV.UK Verify on-line ID to sign into HMRC's website and play with his self-assessment. But he's been able to do that for years, using the Government Gateway. And without telling the Dutch about his mortgages.

What level of assurance do HMRC have as a result of this entirely on-line registration process that the person on the other end of the line really is SFUOS?

Not a high one.

As Digidentity themselves say, if you want adequate assurance, you need face-to-face meetings:
Applying for an SSL certificate


You can apply for an SSL certificate through our SSL Store. This requires that a certificate administrator be appointed, someone who will be able to generate keys and a certificate signing request (CSR) for each certificate. Your organization contact will be asked to confirm the request and, if needed, to send an authorization. Upon delivery of the certificate to the requested address, a face-to-face check will take place to verify the certificate administrator's identity.
Obviously DMossEsq doesn't care about this ex-employee. But if you care about your future, you might think carefully before transmitting it away.


Updated 2.3.15

Last week's Guardian says:
Scottish plans for central identity database spark privacy criticism

Campaigners alarmed after ministers quietly publish plans they say echo doomed ID card scheme

Privacy and civil rights campaigners have urged the Scottish government to drop plans for a new identity database which could allow public bodies, including tax authorities, to share every adult’s private data.

Scottish ministers have been accused of introducing a central database by stealth after civil servants quietly published plans to expand an NHS register to cover all residents and share access with more than 100 public bodies, including HM Revenue and Customs (HMRC) ...
Apparently "HMRC has found it harder than expected to identify every Scottish-resident taxpayer for the new Scottish income tax system, which comes into force in April 2016 as Holyrood’s tax powers increase. The [NHS] database would be used to find taxpayers missed using current HMRC records".

You may be inclined to put this down to the hard left tendencies of the Scottish National Party (SNP).

You may console yourself with the thought that it could never happen in England.

You may be wrong.

Hidden away on the web where anyone can see it is a project called NHS Citizen:
NHS Citizen is a project that aims to answer a simple question: what is the best way for NHS England to take into account the views of all the public when it makes decisions?

NHS England wants you to be actively involved at its very heart. To help solve long-term problems, deal with ongoing issues, and take part in its decision-making.
It's not as though this is a new idea. There are already many ways for the public to make our views known to the NHS.

Still, let's take a look at NHS Citizen's ideas about this "simple question".

Their answer is set out in a draft paper, punchily entitled Developing technology infrastructure for NHS Citizen: Discussion paper looking at the technology platforms and standards needed to support the NHS Citizen system design.

Where do citizens live? In countries. And what do countries issue? Currencies. What do we read on p.7 of the NHS Citizen paper, para. 2.3? "Do we need a social currency?" No.

Next question.

Apart from currencies, what else do countries issue to their citizens? Passports. What do we read on p.27 of the NHS Citizen paper, para.5.1? "Why do we need a participation passport?" We don't.

The NHS isn't a country, we aren't citizens of the NHS and the analogy has been pushed too far.

Who's doing the pushing?

There are many hints as you plough your way through to p.27. "Digital by default" turns up three times. As does "agile". And the citizen having "control" over his or her own data appears 19 times, for example here::
One of the areas where NHS Citizen will need to break new ground is with respect to the use of user generated content within the evidence process and how this can remain under the control, or at least within sight, of the individual who has generated this content.
Even at that early stage of the draft paper on p.11 at para.2.5.2 the promised control is being diluted and in the next paragraph users/NHS citizens are warned that, once given, they may not be allowed to revoke their permission to use information about them. So much for control.

Is there anyone left in the world who can't predict the contents of section 5/p.27 et seq. of the report?

Here's one last hint before the inevitable dénouement, p.26, para.4.7.2:
As NHS Citizen stores only the minimum viable data needed to evidence issues that have been flagged-up – with other sensitive data held inside the personal data stores – it is designed to allow public, community and commercial organisations the same access to the evidence-base.
Yes, that's right, the doomed answer to the "simple question" we opened with is a personal data store for everyone, often, but not necessarily, in the company of the Government Digital Service's GOV.UK Verify (RIP):
5.2.3 In developing this part of the technical infrastructure the team is referencing the work being carried out by Gov.UK.Verify programme but exploring how this might be applied to support democratic rather than simply transactional interactions. It is worth noting at this stage that Gov.UK Verify as a source of verified identity may be available to the NHS within the next two years but is not currently planned to be available to wider community of relying parties for some time ...

5.3.1 NHS Citizen has been working with Mydex CIC to develop this part of the thinking as their organizational values are closely aligned with the NHS Citizen design principles and as a CIC there are fewer commercial sensitivities than might have been found in working with the other named identity providers on the current gov.uk.verify framework. All of the work being developed for NHS Citizen will be portable across any of the identity framework providers (currently Mydex CIC, the Post Office, Digidentity, Verizon and Experian) ...
A little more scepticism from the NHS Citizen team is in order:
  • Control over the use of your personal information is quite simply not in the gift of Mydex.
  • Nor is it desired by NHS England – the national director for patients and information at NHS England is Tim Kelsey and he will countenance no opt-outs.
  • It's not clear why Mydex being a CIC (Community Interest Company) makes them more trustworthy to the NHS Citizen team than the other four "identity providers" in GDS's GOV.UK Verify ...
  • ... nor is it clear how, if they don't trust the Post Office, Digidentity, Verizon and Experian, they are happy to see NHS data being "portable across" them.
Without that scepticism, NHS Citizen may as well have done with it, go the whole hog and embrace the SNP.


Updated 4.3.15

Routing round GDS

"Scottish plans for central identity database spark privacy criticism", we said the other day, only to ignite an inferno of anguished enquiries to DMossEsq's Pyongyang-based call centre.

"What Scottish plans for a central identity database?", people wanted to know. "Why aren't the Scots using GOV.UK Verify (RIP) like every most a lot of some other right-thinking Brit/Brits?" And "what happened to Government as a Platform – why have we got two identity management systems instead of one?".

Callers are reminded that they are recorded for training and quality control purposes. There's no need for language like that. Nevertheless, these are good questions.

The fact is that the Scots have got their own identity management system, myaccount. Users of Scottish public services can register on-line. 10,000 of them had done so by some time last July, 2014. myaccount has terms and conditions, just like GOV.UK Verify (RIP), only shorter, and it even has a privacy impact assessment, unlike GOV.UK Verify (RIP).

And you never knew, did you. GDS never told you.

GDS said they were the first to come up with a way of creating identities entirely on-line. They're not.

The Scots aren't using GOV.UK Verify (RIP) because (a) they don't want to and (b) they don't have to and (c) because myaccount works with Scottish local authorities and the Scottish NHS and a number of other service providers, whereas GOV.UK Verify (RIP) doesn't. At least, that's what the Scots say.

We haven't got one identity management system in the UK and we haven't got two of them either. We've got hundreds and that's a Good Thing, it constitutes a good solid platform – GOV.UK Verify (RIP) is just one amongst many.

The Scots have got their own GOV.UK as well. It's called gov.scot (or possibly Riaghaltas na h-Alba).

GDS are great advocates of "routing round Whitehall". They can hardly be surprised that other people route round GDS, and neither should you be.

GDS announced their invitation to tender for a new GOV.UK Verify (RIP) framework last year, noted here on 18 December 2014. Were any suppliers recklessly uncommercial enough to bid by the 16 February 2015 deadline? Not long to wait now, you'll find out this month or next, March or April 2015, when contracts, if any, are awarded.


Updated 10.3.15

Here we go again.

How many certified companies are there in the GOV.UK Verify (RIP) framework?

Last week, the following tweet appeared:


So there are three certified companies.

Or are there?

On 15 April 2013, when certified companies were still called "identity providers" and GOV.UK Verify (RIP) was still called "IDA" or "IDAP" – identity assurance or the identity assurance programme – GDS's Steve Wreyford published Delivering Identity Assurance: You must be certified:
We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government’s Good Practice Guides.

The Cabinet Office has joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.
That makes it look as if certified companies have to be certified by tScheme. That's definitive – "certified company" means certified by tScheme.

Of the three certified companies named in the @GOVUKVerifyRIP tweet above, Experian offer two services which appear on tScheme's list of approved services, Digidentity and the Post Office offer none. So there is one certified company. There aren't three.

Or are there two?

Verizon have a service on tScheme's list of approved services. But according to GOV.UK Verify (RIP) they're not a certified company. Why not?

Perhaps the definition of "certified company" has changed since 15 April 2013. In that case, perhaps GDS would like to tell us what the new definition is.

Make that 11 December 2014. That's when GDS's Janet Hughes published What it means to be a ‘certified company’:
Certified companies also have to be certified by an independent certification body such as tScheme to assure that their service meets the published government standards for identity assurance.
The new definition must explain why Experian, Digidentity and the Post Office are certified companies but Mydex and Verizon aren't. What's wrong with them?

So far we've been restricting ourselves to the five "identity providers" left on GDS's list after Ingeus, Cassidian and PayPal resigned from the first IDA framework. But now there's a second framework heaving into view:
  • Can we expect all five "identity providers" to be certified trustworthy for the second IDA framework?
  • Will they be joined by ComSign Europe Limited, who appear on tScheme's list of registered applicants along with Digidentity, Mydex and the Post Office?
  • Will they be joined by Equifax and GBGroup, whose services appear on tScheme's list of approved services along with Experian and Verizon?
  • And why aren't all the other operators of approved services certified companies as far as GOV.UK Verify (RIP) is concerned – the Royal Bank of Scotland Group, trustis, BT, HSCIC, Registers of Scotland, citi, the MOD, the Home Office and the Metropolitan Police?
  • Is it because they don't want to be associated with GOV.UK Verify (RIP)? Why not?
  • Is it because GOV.UK Verify (RIP) don't want to be associated with them? Why not?
  • Why did Ingeus, Cassidian and PayPal resign?
  • If they had good reasons to resign, should the other certified companies resign for the same reasons?
Each time we come back to this matter of certified companies we get more questions. And no answers.

Trust is being demolished through lack of openness. And yet GDS claim to be building trust by being open. It's rum.


Updated 12.9.17

There we were, 1,060 days ago on 18 October 2014, mulling the question of identity:
GDS's answer to the question "who are you?" is "you are your credit history". "What is a person?", you may ask. "A person is a credit history", according to GDS.

Is that true? Can you see any problems with this definition of a person?
We'd already known since March 2014 that Experian had been conned into selling masses of personal information to a fraudster. Experian is a credit rating agency. And who compiles your credit history? The credit rating agencies. Like Experian.

Experian are an "identity provider" for GOV.UK Verify (RIP). Can you remember GDS's announcement about Experian being fooled into divulging personal information to a conman? No of course you can't, GDS made no announcement at the time and they still haven't.

There's open for you.

And now Equifax have been hacked. "Up to 44m Britons at risk in Equifax cyberattack", as they put it in The Times newspaper. And who are Equifax? A credit rating agency. And you'll never guess, do they have anything to do with GOV.UK Verify? Yes they do. They are sub-contracted to three "identity providers" – Barclays, GB Group and the Royal Mail – and one ex-"identity provider", Verizon.

And have you heard GDS's announcement about Equifax being hacked? No of course you haven't, they haven't made one.

Can Barclays, GB Group and the Royal Mail keep going without Equifax? Can GOV.UK Verify (RIP) keep going based on its a-person-is-a-credit-history model while the credit rating agencies haemorrhage our personal information?

We have no advice on these matters from GDS. They don't seem to care.

Any trust you credited GDS with must surely now be history.

No comments:

Post a Comment