Saturday, 23 August 2014

RIP IDA – gander rejects goose's sauce

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.


There are 23 problems with UK government IT, Chris Chant told us, and they could all be solved by the adoption of cloud computing, he said.

You may or may not agree but the Government Digital Service (GDS) certainly do. They're all for cloud computing. Like all go-ahead people.

GDS have been responsible for the CloudStore for just over a year now. It's been a patchy service, admittedly, but central and local government departments were enjoined to buy all their IT requirements there. Or from the Digital Services framework, a rival website that suddenly appeared, or from the Digital Marketplace, which is due to replace the CloudStore at the end of next month.

"Help test the Digital Marketplace alpha - your comments will be used to design the beta version of the Digital Marketplace", said GDS. So someone did. You can, too. Just nip in to the beta version, enter "identity" in the Show services box, and look what you get – 518 hits.

That's 518 identity-related services available to any users of the Digital Marketplace. No need to reinvent the wheel, someone else has already done the hard work, just buy the components you need and assemble them into the identity assurance service you need. It's quick, it's cheap and it's open.

That's the spirit of cloud first. Don't pretend that government is different from other IT organisations. Don't waste years developing your own solutions. Take advantage of the products and services that already exist. All 518 of them, in this case.

That's what GDS say.

Except that, although that's good enough for everyone else, it won't do for GDS and their identity assurance service. Oh no.

No, they're different, they need to write their own identity hub. Because of course there aren't any available off the shelf. And they need to pay five "identity providers" to develop bespoke dialogues to create on-line digital identities as though no-one's ever done that before.

23 well-known mistakes to choose from, they're trying to make them all, with the predictable result that IDA is years late and probably over budget ...

... but we don't know that because the Major Projects Authority ignore the development of an identity assurance system for 60 million Brits and don't report on it, not major enough, ...

... the whole project is shrouded in secrecy by GDS, an organisation which claims to promote openness: "As our design principles say, if we make things open, we make things better".

What would Chris Chant say?

Oddly enough, we know the answer. He says it's a waste of time. The "trust framework" on which IDA relies cannot be achieved. That's the 24th problem. "Truth, not trust", he says. You'll never achieve trust. It's a "doomed strategy". RIP.


Updated 24.6.15

Government as a Surveillance Platform (GaaSP)

In the ten months since the post above was published IDA has made little progress:
  • Its name has been changed to "GOV.UK Verify (RIP)".
  • "Identity providers" have become "certified companies".
  • The word "registration" and its cognates have been lopped off IDA's vocabulary – now, people "have their identity verified for the first time", they no longer "register" with GOV.UK Verify (RIP).
  • Ditto the word "secure" and its cognates. GDS now offer "safety", not "security".
In particular, nothing was heard of GDS's identity hub – that part of GOV.UK Verify (RIP) which securely safely connects government departments and "identity providers" together with us proles.

Nothing, that is, until the other day when The Register magazine ("ElReg", to its friends) spotted an article by four academics,  Toward Mending Two Nation-Scale Brokered Identification Systems.

As most sentient beings will know, the academics first define several properties which it is desirable for an identity hub to possess and then demonstrate that GDS's identity hub doesn't. They conclude that as it stands the hub is not secure, it does not protect our privacy, it could provide the platform for mass surveillance and it "conflicts with the political sensitivities that arguably lead to the rejection of identity cards".

Unlike most of us, ElReg have actually talked to one of the academics, Mr George Danezis, and they quote him as follows: "This is a field where a number of solutions already exist ... maybe it was a case of 'not done here' syndrome". Or as we might say, it's alright for the dumb geese to go out and buy a hub off the shelf, but we ganders need our own special one.


Anonymous said...

What a load of nonsense!

David Moss said...

Thank you for that helpful and anonymous comment

Anonymous said...

Are you sure that any listing that contains "identity" in its description on the digital marketplace is suitable for identifying 60 million people?

This one?

This one?

And how do you know that GDS aren't using any of those services?

David Moss said...

Thank you for your comment, Anonymous @ 14 November 2014 16:10.

1. It is GDS's position that there is nothing special about government, government isn't all that big, government shouldn't reinvent the wheel but should re-use existing code, preferably open source, preferably "commissioned" (the new word for procured) from the "Digital Marketplace" (the new name for G-Cloud's CloudStore). GDS's position, and not mine.

2. "GOV.UK Verify" (the new name for IDA) comprises (a) registration and verification services supplied currently by Experian and (b) an ID hub, which GDS confirm was developed entirely by them, i.e. by GDS.

Post a Comment