Wednesday, 17 September 2014

RIP IDA – notes to editors

... the unveiling
does not coincide
with the availability of the service ...

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.


1. All the rest of you editors have been scooped by Bryan Glick, the esteemed editor of Computer Weekly, who published GDS unveils 'Gov.UK Verify' public services identity assurance scheme yesterday:
The Verify brand will be unveiled tomorrow (Wednesday 17 September 2014) as the public-facing name for the Identity Assurance Programme (IDAP), which the Government Digital Service (GDS) has been working on for the past three years.
You didn't know it was happening today (17.9.14), did you. And you didn't know that IDA had become Verify.

What's more:
In an exclusive interview, Government Digital Service (GDS) executive director Mike Bracken told Computer Weekly that three departments – including HM Revenue & Customs and the DVLA – are close to launching services using Gov.UK Verify ...
While you're still trying to catch up on whether IDAP is IDA and IDA is Verify, Mr Glick is going to be getting the goods straight from the horse's mouth. Why Mr Glick? Why him, and not you? Why not the Guardian or the BBC?

2. Of course, the claim that HMRC and DVLA and a third mystery department will be using IDAP IDA Verify isn't exclusively exclusive.

Not if you've read GDS's 2014-15 Business Plan, where they told us on 4 July 2014 that (p.33):
  • DVLA would start using Verify IDA by the end of June 2014,
  • the Rural Payments Agency and the Ministry of Justice by the end of September 2014,
  • HM Passport Office and DWP by the end of December 2014, and
  • HMRC by the end of March 2015.
3. So take heart. And start asking questions.

Who's in charge of IDA? You know the answer to that because Computer Weekly told you back in February 2012:
Bracken is now the senior responsible owner for IDA. “It’s something that I put my hand up for because it’s so important. Unless we have better and wider used security protocols, it will be hard to identify users, allow transactions and link up services ...”
When was IDA meant to go live? You know the answer to that because Computer Weekly told you three years ago, back in September 2011:
A prototype for IDA will be completed by the end of the year [2011]. The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012.
That didn't happen, of course, but then you were told that IDA would be "fully operational" for DWP's 21 million claimants in March 2013.

That didn't happen, of course, but then you were told in HMRC's December 2012 digital strategy that ...
A pilot IDA service, using point in time verification (a necessary part of the PAYE online exemplar) to make things simple and easy for one-off transactions will be used in October 2013 ...
... and that didn't happen either.

Then GDS unloaded a digital system on us for applications to register to vote. Quite important in a democracy, the system lacks any identity assurance worthy of the name.

Next question, therefore, why should you believe GDS this time?

4. Mr Glick says that "the Verify brand will be unveiled tomorrow (Wednesday 17 September 2014)". He also says, in fluent Mandarin, that:
... the unveiling does not coincide with the availability of the service ...
There are at least seven veils in this dance and what you're seeing today is just a tease. The service isn't being unveiled at all. It still isn't available.

Why go through this exercise, you may care to ask? Is it to disguise the fact that IDA is once again behind schedule? Is it to make it look as though something is happening even if it isn't? Is it to try to retain the confidence of the new subscribers GDS are trying to sign up with the help of OIX (who?) and KPMG?

5. Precisely what is it that is not being unveiled today?

According to Mr Glick, channelling GDS:
GDS's Verify system will make it possible for citizens to prove who they are online to safely and securely access digital public services.
Safely? Securely?

The media are full of stories of hacking and fraud and theft on the web. No-one is immune.

As one cyber security expert put it, "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands" – and QinetiQ is one of our top defence sector cyber security companies.

On 5 September 2012, the Foreign Office, the Department for Business Innovation and Skills and the Cabinet Office got the Director of GCHQ to address the massed ranks of FTSE 100 chairmen and chief executives, Business leaders urged to step up response to cyber threats. To summarise, what GCHQ said was, cyber security, you're no good at it.

If these people can't do safe and secure websites, who can? GDS? Who says?

6. Take another look at that last quotation of Mr Glick's:
GDS's Verify system will make it possible for citizens to prove who they are online to safely and securely access digital public services.
IDA will allow you to "prove who you are"? This is an ID scheme. As the name would suggest. Like the atrocious ID cards scheme that the Home Office couldn't get off the ground despite eight years (2002-10) of top-level political support, an unlimited budget and the best consultants money can buy.

Is GDS's parent, the Cabinet Office, heading for that same veil vale of tears as the Home Office?

No, you will be told, this is quite different:
Gov.UK Verify is designed to overcome concerns about government setting up a central database of citizens’ identities to enable access to online public services – similar criticism led to the demise of the hugely unpopular identity card scheme set up under the Labour government.
Instead, users will register their details with one of several independent identity assurance providers – certified companies which will establish and verify a user’s identity outside government systems.
These companies are the IDPs – the "identity providers" – Digidentity (who?), Experian, Mydex (who?), the Post Office and Verizon.

How "independent" are they?

Go back to the GDS business plan (p.32):
Cabinet Office is the sole government authority for identity assurance services. Centralised contracts are developed and paid for by the programme.
Who is paying the IDPs? GDS. And no-one else. Who are they under contract to? GDS. And no-one else. In what sense are they independent?

And in what sense are they "certified"?

GDS have told you in the past that IDPs must be certified by tScheme (who?), Delivering Identity Assurance: You must be certified. And are they? Experian is. None of the others. You can check for yourself on the tScheme website.

7. What's more, Experian are waiting for the US courts to sentence Mr Hieu Minh Ngo, an ID fraudster who stole the data he needed from ... Experian. The court is due to sit some time this month and the US Senate is ready to pounce then on the whole "ID broker" sector. Senator Rockefeller in particular doesn't seem to trust ID brokers like Experian.

What's even more, Verizon have now been banned from any German government contracts, see Computer Weekly's German government terminates Verizon contract over NSA snooping fears. If they're not good enough for Germany, how can they be good enough for the UK?

When Mr Glick tells us that ...
Government digital chiefs hope Gov.UK Verify will become a well-recognised and trusted brand as public services increasingly move to the digital-by-default model ...
... you may care to ask, why? Why do government digital chiefs hope that IDA will be trusted?

8. There could be a major PR blitz today to launch the non-unveiling of IDA. Francis Maude may say a word or two. Interviews on Radio 4's World at One. Swooning coverage in the Guardian. Some of the more biddable think tanks. Log-rolling by US journalists, recommending that the White House should emulate GDS. You'll probably find that IDA/Verify has already won an award of some sort. That kind of thing.

One last question before you fall prey to the Folies Bergère razzmatazz.

These IDPs. They're meant to be able to confirm that you are you. How do they do that?

By checking with your bank.

Do you remember authorising your bank to confirm your details when asked by any old IDP, many of whom you've never heard of? No? How does that work?

9. The questions go on:
  • Ask GDS about the ID hub they've built. See what you get.
  • Why did the executive director of GDS give the Americans the impression last year that IDA is already up and running for 45 million users?
  • What happened in Warwickshire?
  • Are GDS interested in security or is convenience a greater priority?
  • Is the concept of a trust framework shot?
  • Is IDA agile?
  • Who is Sylvia?
  • ...
But you can take it from here.


Updated 20.9.14

16 September 2014 – Computer Weekly tells us that the Government Digital Service (GDS) will "unveil" a new service called "GOV.UK Verify" the next day, and that that's got something to do with identity assurance and using public services.

Next day, 17 September 2014 – nothing is unveiled. OK, there's a guidance note published on GOV.UK, Introducing GOV.UK Verify. And a post appears on the IDA blog, GOV.UK Verify. But that's it. There's no demonstration of the system. None of the questions above are answered. This is not an unveiling in any normal sense of the word.

18 September 2014 – nothing is unveiled GOV.UK Verifywise.

19 September 2014 – the promised Computer Weekly interview is finally published, Government digital chief Mike Bracken on the next five years – there is one mention of GOV.UK Verify but otherwise all we learn is that everything would be different if only the world was different. No unveiling there.

And, hat tip Mrs DMossEsq, there's a two minute and 52 second item on BBC Radio 4's You and Yours programme (25'50"-28'42") about identity assurance. There is no mention of GOV.UK Verify by name.

But Peter White, the presenter, does manage in that time to make the link with the hated and abandoned ID cards scheme, he asks whether we should be worried about the banks and "identity providers" bandying our data around, he asks what happens to the 17% of people who can't or won't use the web and he elicits the tentative suggestion that it will be about a year before the system is available to the public.

Prospective investors in IDA or GOV.UK Verify or whatever it's called behind the veil of appearance will note the clumsiness of this non-unveiling and ask themselves what went wrong. Why bother to announce an unveiling and then not unveil?

No idea.

Experian and Verizon are on the hook. Prospective investors invited to become "identity providers" like Experian and Verizon might be wise to leave them dangling there and to see what happens, before signing any contracts and leaving their brands exposed, at the mercy of the GDS public relations unveiling team.

from Introducing GOV.UK Verify, © Crown copyright
What happened to the other three "identity providers"?
The Post Office and Digidentity and Mydex?
Where are they?

Updated 23.9.14

It may seem as though last week's unveiling of IDA/Verify was not an unveiling at all, in that no-one saw it.

Not quite true. One person did. IDA/Verify was unveiled to the estimable Rory Cellan-Jones, the BBC's Technology Correspondent, please see Cracking the problem of online identification – hat tip @CyberSecKent:
As the system is gradually rolled out across various public services, there are bound to be stories of angry users unable to make it work. There will also be plenty of questions of trust - do we really want a credit agency or a bank intervening in our relationship with the government?
Mr Cellan-Jones is not an "angry user unable to make [IDA/Verify] work". He is a resigned user who has seen it all before and who can't make it work. For him, IDA/Verify didn't work. Not with Verizon. And not with Experian. Neither of them. He has not been able to acquire an on-line ID. The problem remains uncracked.

If and when GDS/Experian/Verizon manage to make IDA/Verify work for Mr Cellan-Jones, then there remain the unanswered questions he raises about trust.

It's early days. Very early days. But IDA/Verify is off to a wretched start. Or as DMossesq readers will recognise, a long death. RIP.

Updated 26.9.14

Is there any hope for IDA/Verify?


DVLA say so.

That's the Driver and Vehicle Licensing Agency and in today's blog post, View Driving Licence – access and services for third parties, they say:
GOV.UK Verify

Over the coming months, driving licence holders who use VDL to access their driver details will do so via the new GOV.UK Verify service. GOV.UK Verify is the new way for people to prove who they are when using digital services. The service will authenticate users based on a number of identity questions and allow them to set up a unique account so they can access other government services. In time GOV.UK Verify will become the only way to access VDL.
VDL is DVLA's View Driving Licence service (previously VDR/View Driving Record).

Are they right? Do they know what they're talking about?

We must assume that the answer in each case is Yes. DVLA's chief executive, Oliver Morley, attended an event called "SPRINT BETA" the other day and according to him transparency is the bedrock of change:

Updated 28.9.14

Who said:
The GOV.UK Verify platform provides people with a way to prove who they are online, so they can use Government services safely.
It's an assertoric statement in the present tense. It implies that GOV.UK Verify exists and is available today and allows anyone to prove who they are and allows them to use public services safely.

GOV.UK Verify does not exist today. It does not allow anyone to prove who they are. It does not allow anyone to use public services. And it is only safe in that sense – in the sense that it can't harm you because it doesn't exist.

Only Sir Jeremy Heywood, Cabinet Secretary and Head of the Civil Service, that's who, writing two days ago on Friday 26 September 2014, please see More than just websites.

Why did he write that? It's not true.


Anonymous said...

?Has this Government and all their partners carried out their own independent Due Diligence in relation to the possibility that IDAP actually infringes existing UK intellectual property rights (IPR).

David Moss said...

Good question, Anonymous @ 18 September 2014 22:30.

You wouldn't happen to know the answer, would you?

Anonymous said...

I believe that the Government and their partners may be infringing at least two granted UK patents.

Anonymous said...

Page 42/43

"Given the continuing delays and the significance of this component of the digital strategy, we have to recommend that if the identity assurance programme is not in a more stable position before the next government takes office that it investigate the reason for the delays before committing to how to proceed."

David Moss said...

Thanks for that comment, Anonymous @ 25 November 2014 17:39.

Post a Comment