Tuesday, 20 September 2016

RIP IDA – agile identity, now you are you, now you're not

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
"Congratulations!", they said in the email, "You have completed the registration process":

There he was, DMossEsq, all kitted up with a brand new on-line identity, provided by GOV.UK Verify (RIP) via Digidentity, one of the Government Digital Service's "identity providers".

Digidentity had collected all the details of DMossEsq's passport and driving licence, among other things, and here they were confirming that he is him, the person he claims to be. "Your registration has been completed" – that's what the email says. And polite to a fault, Digidentity even said: "Thank you for registering".

And yet yesterday, when DMossEsq tried to log in for the sixteenth time since that email, he couldn't get through to his personal tax account. There has been no communication from Digidentity since the email above but Digidentity now want more passport details before they'll confirm that DMossEsq is DMossEsq:

Digidentity want an image of the passport uploaded, using an app of theirs which has to be downloaded onto DMossEsq's mobile phone first:

The GOV.UK Verify (RIP) team make it all sound so easy. Register once and they'll vouch for you, they know who you are because you've already proved it and they'll tell HMRC or whoever yes, this is DMossEsq. You have to hand over an inordinate amount of personal information about yourself but at least you'll then be able to use public services on-line.

Not true.

The bargain has been broken. You've handed over the personal information. You still can't use public services on-line.

It seems that an "identity provider" can without warning decide that you aren't you after all and demand further proof without which you can't communicate with any government departments using GOV.UK Verify (RIP).

That could be serious. Suppose you were away from home without your passport, on a sales trip to the Northern Powerhouse, for example, selling gluten-free cupcakes to digital entrepreneurs, and you needed to pay your tax bill. You sit down in your hotel room confident that you can make this payment because you've got your trusty Digidentity on-line identity already set up ...

... only to find that your on-line identity has been taken away from you. Result? You have to pay interest on your tax and a penalty in addition. And there's no compensation. Thank you, GOV.UK Verify (RIP).

Even if you do have your passport with you in the hotel, why should you have to download an app from Digidentity? That's tantamount to deliberately installing a virus.

You never know where you are with GOV.UK Verify (RIP). That could be one reason no-one's using it.

How does this come about? How have the Government Digital Service (GDS) acquired the attitude that they can change the rules behind your back?

The answer is "agile".

Their agile software engineering methodology assumes that they can iterate. They can make changes to live public services all the time. That's what Google do with Chrome, for example. And Google embody the internet era. GDS want to transform government so that it becomes digital by default. And what does "digital" mean? Answer: "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". So that's what GDS can do with GOV.UK Verify (RIP).

They were warned about this, in January 2013, when four professors told them that: "there are risks that rapidly changing services will deter the takeup of digital services, not encourage it". They didn't listen.


Updated 22.9.16

The matters above have been brought to Digidentity's attention and the Government Digital Service's.

GDS never respond, of course.

Digidentity have responded, please see tweets alongside.

In addition to those tweets, Digidentity also sent two identical emails saying "your identity document is accepted" (please see copy below).

Which document? They don't say.

Whatever their emails say, DMossEsq's GOV.UK Verify (RIP) account registered with Digidentity still doesn't work. He still can't use it to access his personal tax account.

Why doesn't the account work? It used to.

What's changed?

Are Digidentity allowed to withdraw the right to access public services from people to whom they have previously granted that right?

Should they notify people first?

Are they allowed to demand more and more intrusive access to people's personal information such as insisting on their app being installed on our mobile phones?

Can they change the rules as they're going along so that one day you are you and the next day you're not?

Are GDS comfortable with Digidentity creating people on-line and deleting them, wiping them out, so that they don't exist any more?

Do GDS even know it's happening or have they lost track?

These are general policy questions of interest to everyone. Digidentity's offer to discuss them in private won't do.

"We're building trust by being open" – that's GDS's claim. Time to prove it.

What identity document? No new document has been submitted.

No comments:

Post a Comment