Tuesday, 20 September 2016

RIP IDA – agile identity, now you are you, now you're not

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
"Congratulations!", they said in the email, "You have completed the registration process":


There he was, DMossEsq, all kitted up with a brand new on-line identity, provided by GOV.UK Verify (RIP) via Digidentity, one of the Government Digital Service's "identity providers".

Digidentity had collected all the details of DMossEsq's passport and driving licence, among other things, and here they were confirming that he is him, the person he claims to be. "Your registration has been completed" – that's what the email says. And polite to a fault, Digidentity even said: "Thank you for registering".

And yet yesterday, when DMossEsq tried to log in for the sixteenth time since that email, he couldn't get through to his personal tax account. There has been no communication from Digidentity since the email above but Digidentity now want more passport details before they'll confirm that DMossEsq is DMossEsq:


Digidentity want an image of the passport uploaded, using an app of theirs which has to be downloaded onto DMossEsq's mobile phone first:


The GOV.UK Verify (RIP) team make it all sound so easy. Register once and they'll vouch for you, they know who you are because you've already proved it and they'll tell HMRC or whoever yes, this is DMossEsq. You have to hand over an inordinate amount of personal information about yourself but at least you'll then be able to use public services on-line.

Not true.

The bargain has been broken. You've handed over the personal information. You still can't use public services on-line.

It seems that an "identity provider" can without warning decide that you aren't you after all and demand further proof without which you can't communicate with any government departments using GOV.UK Verify (RIP).

That could be serious. Suppose you were away from home without your passport, on a sales trip to the Northern Powerhouse, for example, selling gluten-free cupcakes to digital entrepreneurs, and you needed to pay your tax bill. You sit down in your hotel room confident that you can make this payment because you've got your trusty Digidentity on-line identity already set up ...

... only to find that your on-line identity has been taken away from you. Result? You have to pay interest on your tax and a penalty in addition. And there's no compensation. Thank you, GOV.UK Verify (RIP).

Even if you do have your passport with you in the hotel, why should you have to download an app from Digidentity? That's tantamount to deliberately installing a virus.

You never know where you are with GOV.UK Verify (RIP). That could be one reason no-one's using it.

How does this come about? How have the Government Digital Service (GDS) acquired the attitude that they can change the rules behind your back?

The answer is "agile".

Their agile software engineering methodology assumes that they can iterate. They can make changes to live public services all the time. That's what Google do with Chrome, for example. And Google embody the internet era. GDS want to transform government so that it becomes digital by default. And what does "digital" mean? Answer: "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". So that's what GDS can do with GOV.UK Verify (RIP).

They were warned about this, in January 2013, when four professors told them that: "there are risks that rapidly changing services will deter the takeup of digital services, not encourage it". They didn't listen.

----------

Updated 22.9.16

The matters above have been brought to Digidentity's attention and the Government Digital Service's.

GDS never respond, of course.

Digidentity have responded, please see tweets alongside.

In addition to those tweets, Digidentity also sent two identical emails saying "your identity document is accepted" (please see copy below).

Which document? They don't say.

Whatever their emails say, DMossEsq's GOV.UK Verify (RIP) account registered with Digidentity still doesn't work. He still can't use it to access his personal tax account.

Why doesn't the account work? It used to.

What's changed?

Are Digidentity allowed to withdraw the right to access public services from people to whom they have previously granted that right?

Should they notify people first?

Are they allowed to demand more and more intrusive access to people's personal information such as insisting on their app being installed on our mobile phones?

Can they change the rules as they're going along so that one day you are you and the next day you're not?

Are GDS comfortable with Digidentity creating people on-line and deleting them, wiping them out, so that they don't exist any more?

Do GDS even know it's happening or have they lost track?

These are general policy questions of interest to everyone. Digidentity's offer to discuss them in private won't do.

"We're building trust by being open" – that's GDS's claim. Time to prove it.

What identity document? No new document has been submitted.


Updated 12.6.17

DMossEsq has made no attempt to use his Digidentity GOV.UK Verify (RIP) account since 19 September 2016, please see above. Today, the following email was received:


"We're sorry but we couldn't verify your identity". Very odd. DMossEsq hasn't asked Digidentity to verify his identity. Perhaps someone else has. Who? Why?


Updated 14.6.17

It looked as though someone was trying to use one of DMossEsq's GOV.UK Verify (RIP) accounts, the one maintained by Digidentity, please see above.

An email to Digidentity elicited several prompt responses, please see below, for which they have been thanked.

In the event, it was not a third party but Digidentity themselves who were accessing the account, they were trying to do one of their periodic checks that the account is still kosher. It might improve the user experience in future to make that clear in the email automatically sent to the accountholder.
From: Support [mailto:helpdesk@digidentity.co.uk]
Sent: 13 June 2017 17:00
To: DMossEsq
Subject: [Digidentity] Re: Registration Query

##- Please type your reply above this line -##
Your request (8209) has been updated. To add additional comments, reply to this email.

Liz (Digidentity UK)
Jun 13, 18:00 CEST

Dear Mr Moss,

We have investigated your account further and it appears that our system went through some recent verification checks. These were automatically made on your account without you needing to log in. We require these checks from time to time in order to continue proving who you are.

As you did register quite a long time ago however, what I needed to do is reprocess your information so that we could still be sure that it was definitely you registering online. Now that I have done this, you are still fully verified.

I wish to apologise for any cause for concern. You should now be able to log into your Digidentity account in future and be redirected to the service you require.


Liz (Digidentity UK)
Jun 13, 17:24 CEST

Dear Mr Moss,

Thank you for your message.

What I have done is passed your account to the relevant team at the company in order to investigate further. I would like to thank you for your patience in the meantime. I will get back to you as soon as I have more information.


David Moss
Jun 13, 14:40 CEST

Sirs

I received the email below, “Your registration couldn’t be completed”. It’s a mystery. I have not attempted to use the account for many many months now. Is there any way you can investigate to see who was trying to use it?

Yours faithfully
David Moss

----------
From: noreply@digidentity.eu [mailto:noreply@digidentity.eu]
Sent: 12 June 2017 15:52
To: DMossEsq
Subject: Your registration couldn't be completed.

We’re sorry but we couldn’t verify your identity

Unfortunately we couldn’t verify your identity

Unfortunately your identity can’t be verified right now. Please go back to the GOV.UK Verify webpage or contact our helpdesk if you have any questions regarding your registration.

Kind regards,
Digidentity
Copyright © 2017, All rights reserved | https://www.digidentity.eu


This email is a service from Digidentity UK. Delivered by Zendesk
[N8O6PO-EPKO]
"CEST" turns up a lot in the correspondence with Digidentity. It stands for Central European Standard Summer Time, the timezone chosen by Zendesk, who provide user support services to the Government Digital Service and, so it appears, to Digidentity as well. As we were saying in March:
While claiming to put the user in control, GDS like us to spray our personal information all over the world when we register with GOV.UK Verify (RIP). Their heart really isn't in this privacy lark, is it. They use Eventbrite to organise events. They use Zendesk for user support. They use StatusPage for network monitoring. They use Survey Monkey for user feedback. All the personal information involved is stored and used beyond your control and now GDS want you to upload your CV to Jobvite.

No comments:

Post a Comment