Sunday, 19 April 2015

RIP IDA – Mydex flies over the cuckoo's nest

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Here's a selection of GDS posts and a film in the week leading up to purdah:

24-03-2015
Janet Hughes
25-03-2015
Chris Mitchell
25-03-2015
Janet Hughes
25-03-2015
Janet Hughes
26-03-2015
Janet Hughes and Stephen Dunn
26-03-2015
Mike Bracken
27-03-2015
David Rennie
27-03-2015
Mike Bracken
27-03-2015
Mike Beavan
28-03-2015
Mike Bracken
28-03-2015
Mike Bracken
29-03-2015
Mike Bracken
29-03-2015
Liam Maxwell
30-03-2015
Martha Lane Fox

If there's a tricky job facing the Government Digital Service (GDS), or indeed an impossible job, what do they do? Call for Janet Hughes.

Let's take a look at her 25 March 2015 offeringGOV.UK Verify and Mydex CIC.

As we were saying, GDS have managed to appoint nine "identity providers" for the second phase of the GOV.UK Verify (RIP) obsequies.

Mydex Data Services Community Interest Company "will continue to work with the Identity Assurance Programme", Ms Hughes tells us. They will work not only on IDA but also with "the government more broadly". They will work "on the policy and delivery areas within specific areas of [their] expertise around verified attribute exchange and consent management for data sharing".

She goes on to say that Mydex have been "an important partner for GOV.UK Verify ... that partnership is ongoing and they are already an approved G-Cloud 6 supplier for their live ISO27001 certified services". Chris Ferguson, Director of the Identity Assurance Programme, is quoted as saying: "Mydex CIC has made a fantastic contribution to the development of GOV.UK Verify and we’ve greatly benefited from their input. We look forward to continuing to work with them through the OIX forum".

There's more where that came from: "Mydex CIC goals for citizens – the community they serve – remain aligned with HMG policy on respecting privacy and offering consent driven identity assurance and data sharing".

And more, but you get the picture – it's hard to overstate how marvellous Mydex are. The only thing is:
Mydex CIC will not be a certified company in the next framework for identity providers.
Why not?

No explanation is advanced. Did GDS refuse to have Mydex on board? Did Mydex refuse to join? We have no idea and there's no point guessing.

Mydex will not be "identity providers" to GOV.UK Verify (RIP) but Digidentity will. So will GB Group. And Morpho. How come? Why them, and not Mydex?

Ms Hughes's post is extraordinary. Nothing similar was written when Cassidian pulled out of the first framework agreement. Nor Ingeus. Nor PayPal. They're not worth memorialising but Mydex are? Why? And nothing similar has been written for all the organisations which applied to join the second framework and then didn't. Just Mydex. Why?

Why bother to write anything at all about Mydex not becoming an "identity provider"? Why bring attention to the matter? Who cares?

Clearly someone cares, for some reason, and that someone thinks that the non-appointment of Mydex needs to be written about. But who could possibly do the job? Only Janet Hughes. And she's succeeded. The perfect result has been achieved. The non-appointment has been documented and yet no-one (other than DMossEsq) is asking any questions in public. Well done, Janet.

The DMossEsq position, incidentally, is that it is commercially reckless for any organisation to get into the GOV.UK Verify (RIP) bed with GDS. In which case this is a good result for Mydex ...

... and a rotten result for the nine "identity providers" that have been appointed. They will look back with envy at Mydex's timely escape.

----------

Updated 21:41

2 comments:

Anonymous said...

Isn't this just a category error? Mydex isn't an IDP. It's a user-centric proxy for controlled disclosure. That may not fit neatly into the IDA partnership model, but it's no less important for that.

David Moss said...

Anonymous @ 5 May 2015 at 10:54, thank you for your comment.

You said "Mydex isn't an IDP".

They said, 13 November 2012: "Mydex, the personal data store provider, has been approved by the UK Government as an official identity provider, enabling citizens to establish trusted online identities which can be used to access government services online".

"... a user-centric proxy for controlled disclosure"? That's one name for Mydex. But just calling them names doesn't answer the question why 2½ years later we can't sign up with Mydex in IDA's Framework #1 and why Mydex aren't even on the list in Framework #2.

Post a Comment