Monday, 26 September 2016

RIP IDA – however you cut it, GOV.UK Verify (RIP) is no more. It has ceased to be. It's expired and gone to meet its maker. This is a late identity assurance scheme. It's a stiff. Bereft of life, it rests in peace. If GDS hadn't nailed it to GOV.UK, it would be pushing up the daisies. It's rung down the curtain and joined the choir invisible. This is an ex-identity assurance scheme. RIP.

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)", is the Cabinet Office Identity Assurance programme.

We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default "internet era" world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays and the Post Office may find it impossible to access public services.

We have seen how Safran Morpho/SecureIdentity make you download an app to your mobile phone if you want to use their GOV.UK Verify (RIP) services. Not a good idea. (Digidentity also now want their parishioners to download an app. Ditto, not a good idea.)

We have seen how GOV.UK Verify (RIP) flouts every one of the identity assurance privacy principles. Again, not a good idea.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

It leaves CitizenSafe/GBG/GB Group plc or whatever they're calling themselves these days, Experian and the Royal Mail.

That looks like three "identity providers" but it's really only two. The Royal Mail's name is being used as a lure but GBG are doing most of the identity assurance work: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone" (please see 11.3.16).

DMossEsq can choose between GBG (who do criminal records checks and who have international expertise in postal addresses, please see Loqate) and Experian (who are a trusted FTSE-100 credit rating agency with decades of experience, some of it unfortunate). That's if he wants to access on-line public services via GOV.UK Verify (RIP).

Alternatively, he can access on-line public services using his Government Gateway accounts.

How to choose between those two? GOV.UK Verify (RIP)? Or the Government Gateway?

At first, the choice seems easy. The Government Gateway is old, it's been starved of funds for years, you have to wait for an activation code to arrive through the post before you can use the service, you need to maintain several sets of user IDs and passwords and it's fashionable to dislike it.

On the other hand, who is it convenient for, to have just one password as advocated by GDS? It's certainly convenient for hackers.

And relying on the post does act as a check of sorts that you are the person you claim to be. GOV.UK Verify (RIP) doesn't perform that check. Is it really possible to establish someone's identity entirely on-line? With how much confidence?

Can GOV.UK Verify (RIP) prove your identity?
  • OIX, the Open Identity Exchange, GDS's business partner, don't think so. They say (p.11) that it's hard for GOV.UK Verify (RIP) to achieve even level of assurance 2 (civil courts), let alone the level of assurance 3 required for criminal courts.
  • And the US National Institute for Standards and Technology are even more scathing. They say that GOV.UK Verify (RIP)'s registration work amounts to no more than self-certification.
  • The NHS isn't impressed ...
  • ... neither is DWP ...
  • ... nor are the Scots.
  • All sorts of demographics are excluded from GOV.UK Verify (RIP), which last seen was allegedly stuck on about 70% potential penetration, miles short of its 90% target. What use is a national identity assurance scheme that excludes 30% of the nation?
  • One of its supporters says that the original plan was for GOV.UK Verify (RIP) "to provide low to medium security ID assurance for citizens, and this hasn’t changed". We should avoid "wildly unrealistic expectations", she says.

It is mystifying how GDS can believe that GOV.UK Verify (RIP) has anything to offer the finance sector, please see The value of digital identity to the financial sector. Of course digital identity is valuable. Not just valuable. Crucial. But the finance sector needs a lot more than the "low to medium security ID assurance" on offer from GOV.UK Verify (RIP).

GOV.UK Verify (RIP) needs the banks. Not the other way around.

The banks do in-person identity-proofing. For know-your-customer and for anti-money laundering. It may not be very good but it's better than relying on entirely on-line proofing. The banks feed the credit rating agencies with (an extraordinarily large amount of) our personal information. GOV.UK Verify (RIP) depends on the banks.

It's circular to pretend that the banks could in turn depend on GOV.UK Verify (RIP).

Similarly there is nothing in GOV.UK Verify (RIP) to attract UK local government. Why should local authorities accept HMRC's rejects and DWP's and the Scots'?

GOV.UK Verify (RIP) requires us all to spray masses of our personal information all over the world. There must be better ways to enjoy the benefits of GDS's "internet era".

We're handing over our personal information. More and more of it. And GDS have their eyes on even more. Bank data, mobile phone data, health data, travel data, education data, social media data, ..., all in the interests of identification and attribute exchange. That's in addition to our passport data and our driving licence data and our credit rating data. And yet GDS still can't do their job and fill up GOV.UK Verify (RIP)'s population registers.

It's a privacy nightmare as noted above, a nightmare that we are to a large extent spared with the Government Gateway. Let's wake up.

The Americans have ditched connect.gov, their equivalent to GOV.UK Verify (RIP). The Australians are tying themselves in knots. And meanwhile here in the UK, for whatever reason, given the choice, millions of people are choosing the Government Gateway over GOV.UK Verify (RIP). So much for four or five years of user experience testing and agile software engineering. GDS have made the prototype of a product that no-one wants.

Without an identity assurance scheme, GDS have a hole at the centre of their digital-by-default strategy. Which means they have no strategy.

We can kiss goodbye to the unrealistic plans for attribute exchange. And to GDS's sinister and religiose plans for single-source-of-truth registers supporting fantasy Government as a Platform. The desperate pretence that GOV.UK Verify (RIP) is viable is understandable. But no excuse. It's still misfeasance.

That hole could be plugged by using an "internet era" system provided by Google, say. God forbid.

Or by using a descendant of the Government Gateway, best developed by the most successful digital transformation team – HMRC, and not DWP, God forbid – leaving GDS to concentrate on running the National Agile Polytechnic, as per their new director general's plan, with a syllabus set principally by HMRC.

(The bank-based Nordic alternative is not available to the UK, where we don't have the strong municipalities needed.)

Companies have identities, too, not just people. And GOV.UK Verify (RIP) doesn't even pretend to be able to prove the identity of a company. HMRC will continue to rely on the Government Gateway to collect tax from companies for the foreseeable future. The Government Gateway supports billions of transactions every year and collects the hundreds of billions of pounds of Exchequer revenue (p.6) needed to fund public services (p.5).

The Government Gateway has a future. GOV.UK Verify (RIP), by contrast, is no use to HMRC or anyone else.

In the course of five posts over the past week we have now looked at 12 "identity providers" – Barclays, Cassidian, CitizenSafe/GBG/GB Group, Digidentity, Experian, Ingeus, Mydex, PayPal, the Post Office, the Royal Mail, Safran Morpho/SecureIdentity and Verizon. Only two or three of them work. Which ones do we like? None of them. We don't like models with "identity providers" in them.

The Government Gateway may be a pretty awful system. GOV.UK Verify (RIP) is worse.

----------

Updated 20.10.16 1

Government Computing:
Government Digital Service (GDS) director general Kevin Cunnington has been laying out some of his thinking on the direction’s organisation at a briefing this morning ...

Cunnington outlined that GOV.UK Verify remains a key element of GDS’s ambitions ...


Updated 20.10.16 2

Government Computing:
GDS new director general Kevin Cunnington has been giving further information about how he sees the organisation developing under his leadership. The overall GDS strategy is still being worked on, he said, but is expected to be out by Christmas.

He indicated that he plans to create a profession for digital, data and technology and he is also going to get a grip of the GOV.UK Verify [RIP] identity assurance scheme.

“Two things that the [GDS] Advisory Board asked us to concentrate on are sort out Verify and get it to scale and the other is to tackle the really hard data issues” ...

On the future of Verify, he indicated that GDS was beginning to think bigger about it, asking why it was necessary to limit Verify to simply government services. He suggested that banks and gambling organisations could see the benefit of using it.

The thinking behind this, Cunnington suggested, had made GDS actively look at whether it can change the business model for Verify.

He also insisted that DWP had been a strong supporter of Verify ...
