Thursday, 23 April 2015

RIP IDA – consensual registration

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Here's a selection of Government Digital Service (GDS) posts and a film in the week leading up to purdah:

Janet Hughes
Chris Mitchell
Janet Hughes
Janet Hughes
Janet Hughes and Stephen Dunn
Mike Bracken
David Rennie
Mike Bracken
Mike Beavan
Mike Bracken
Mike Bracken
Mike Bracken
Liam Maxwell
Martha Lane Fox

We've already taken a couple of looks (here and here) at Janet Hughes's 24 March 2015 film, Introducing GOV.UK Verify (RIP). Let's take another.

When you register with GOV.UK Verify (RIP)'s "identity providers" you have to confirm a selection of confidential/private/personal information about you which is held some of it by the UK government and some by the credit referencing agencies.

The government information comprises passport and driving licence details. The credit referencing agency information comprises bank account details, credit cards, loans and electoral roll details. (Remember, the credit referencing agencies like Experian are in the special position of holding the entire, consolidated, UK national electoral roll.)

You know all that.

Any averagely bright teenager will ask some obvious questions – and DMossEsq has, repeatedly – about who gave the government and the credit referencing agencies permission to disclose this information to the "identity providers" during the registration process.

If they don't have permission, they're breaking the law.

The DMossEsq position was that you give permission. It may not be informed permission and it may not be freely given but you do give it and so the question of breaking the law doesn't arise.

"Think again", says Mark King.

His point is, in DMossEsq words, that the whole object of the registration process is for the "identity provider" to decide whether, on the balance of probabilities, the applicant exists and is who they say they are.

Before the process is finished, the "identity provider" doesn't have a clue who's on the other end of the line.

Whoever it is, they're in no position to give the government and the credit referencing agencies permission to disclose any information to anyone.

Without that permission, the registration process can't start. Not legally. And if it can't start, it can't finish. Can it.

GOV.UK Verify (RIP) relies on permission being given. That permission can't be given. So GOV.UK Verify (RIP) can't work. RIP IDA.

Who is Mark King? You may not know. But GDS do. Mr King made the point above to GDS several times. A light year or two ahead of the averagely bright teenager, Mr King is an acknowledged expert in identity assurance with decades of experience in the UK and abroad. And GDS ignore the point.

GDS ignore the possibility that they are asking Her Majesty's Passport Office, the Driver and Vehicle Licensing Agency, the credit referencing agencies and the "identity providers" to break the law.

Information which should be held confidential is being disclosed – illegal.

Information that was provided for one purpose is being put to a different use – also illegal.

DMossEsq has consistently made the point that it is commercially reckless for any organisation to involve themselves with GDS in GOV.UK Verify (RIP). It seems that it may also be illegal.

What's that got to do with Janet Hughes's film? Nothing. Which frames in the film should you skip to for illumination? None. She doesn't mention the issue, it's always what's omitted from the obituary that matters ...

It's that very absence which is noteworthy and which needs to be corrected in the forthcoming GOV.UK Verify (RIP) public information campaign.

On 25 March 2015, in GOV.UK Verify and Mydex CIC, Ms Hughes told us that Mydex will continue to work "on the policy and delivery areas within specific areas of [their] expertise around verified attribute exchange and consent management for data sharing ... Mydex CIC goals for citizens – the community they serve – remain aligned with HMG policy on respecting privacy and offering consent driven identity assurance and data sharing".

Four years GDS and Mydex worked together. Mydex still didn't become an "identity provider". And there's clearly still a lot of work to do on "consent driven identity assurance and data sharing".


Updated 17:45

 I give permission – continue 

As things stand, Verizon are not even a public "identity provider"
Q. How many "identity providers" does GOV.UK Verify (RIP) have today?

A. Three:
  • Experian
  • Digidentity
  • the Post Office
So why did Ms Hughes choose Verizon's registration process to demonstrate in her 24 March 2015 film about how GOV.UK Verify (RIP) adds you to the register?

It's a mystery. An undefined undefined mystery.

And why did she make the film at all, given that she's already done it once, last year, on or about 9 June 2014, when she demonstrated what it would be like to register with the Post Office as an "identity provider":

DMossEsq reported on this earlier film back on 2 July 2014. Just to remind you, her presentation then comprised 16 slides. There is a set of screen shots available. Slide #5 looks like this:

Who is "I"?
It's hard to read. What it says is:

To check your identity we need to securely connect to:
  • your bank
  • your credit record
  • your government records
  • your utility suppliers
This information is not stored by Post Office – it is only used to confirm your identity.

 I give permission – continue 

Clearly the question how to give your bank, the credit referencing agencies, HM Passport Office, DVLA and the utility suppliers permission to disclose confidential/personal/private information about you to the "identity providers" had occurred to GDS, or at least to the Post Office.

What's the answer? It's another mystery. GOV.UK Verify (RIP) proceeds to this day with the mystery unresolved and with GDS knowing that it may be illegal.

No comments:

Post a Comment