Sunday, 25 September 2016

RIP IDA – privacy/identity assurance principles

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default internet era world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays and the Post Office may find it impossible to access public services.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

Among others, Safran Morpho/SecureIdentity:

As you can see, back in February 2016 DMossEsq managed successfully to register for GOV.UK Verify (RIP) with Safran Morpho/SecureIdentity.

GDS's registration dialogue has been updated since then. They try to point new applicants at the "identity providers" most likely to be able to register them. That means pointing them away from the "identity providers" least likely to be able to register them.

Day in, day out, for months now, since at least 12 April 2016, Safran Morpho/SecureIdentity have suffered the humiliating indignity of being fingered by GDS as useless:

Quite why Safran Morpho/SecureIdentity put up with this astonishing behaviour is unclear.

Whatever the answer, DMossEsq was registered with Safran Morpho/SecureIdentity but when he tried to log on to HMRC's on-line self-assessment service the other day through Safran Morpho/SecureIdentity, he failed. Just as he had already failed with the Post Office. And Barclays. And Digidentity.

Like the Post Office, Safran Morpho/SecureIdentity is not properly a certified company. They were supposed to be certified by tScheme by May 2016, but it's never happened. When GDS tell you that all their "identity providers" are certified companies, they're wrong:

But that isn't the problem in this case. DMossEsq closed his account with Safran Morpho/SecureIdentity almost as soon as he opened it. That's why he can't log on to HMRC via Safran Morpho/SecureIdentity.

Why did he close the account? Because DMossEsq doesn't approve of downloading apps onto his mobile phone and Safran Morpho/SecureIdentity insist that you do.

You might as well deliberately install a virus – look at the functions Safran Morpho/SecureIdentity's app can perform on the mobile phone screen snapshot alongside.

Do you want Safran Morpho/SecureIdentity modifying your system settings? Or finding and using your other accounts?

No. This is utterly intrusive. And quite unnecessary for the job in hand – in this case, to look at HMRC's on-line self-assessment service.

Which brings us to the nine identity assurance principles promulgated by PCAG, the Privacy and Consumer Advisory Group. GDS repeatedly claim that they abide by these principles which are designed to guard our privacy. But they don't.

The PCAG identity assurance principles for GOV.UK Verify (RIP) are shown below in black with comments in red:

Identity Assurance Principle
Summary of the control afforded to an individual
1. User Control
I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
Not true.
• How would you know if your identity was being checked by someone tomorrow morning at 9 a.m.?
• When did you give your consent for the credit rating agencies to share your personal information with GDS's "identity providers"? Or the banks or the mobile phone companies ditto? What about your health records? And your travel records? And your education records? And your social media accounts?
• Is your consent informed? Is your consent given freely or do you rather feel that you have no alternative?
2. Transparency
Identity assurance can only take place in ways I understand and when I am fully informed
Not true. Do you understand how GDS's identity hub works? Are you fully informed on the matter of security?
3. Multiplicity
I can use and choose as many different identifiers or identity providers as I want to
Not true.
• DMossEsq has found himself subsequently unable to use Digidentity, Barclays and the Post Office despite having previously registered with them.
• And GDS warn that Safran Morpho/SecureIdentity are unlikely to be able to prove the identity of new applicants.
• Who can make these choices? GDS decided back in April 2016 that, with some exceptions, applicants for a GOV.UK Verify (RIP) account have to be at least 20 years old. What are 19 year-old voters supposed to do? They're excluded. Ditto 19 year-old taxpayers and benefits claimants. Ditto 20 year-olds with little credit history. GOV.UK Verify (RIP) is not for everyone. Some people can't choose any identifiers at all, nor any "identity providers".
4. Data Minimisation
My interactions only use the minimum data necessary to meet my needs
Not true.
• Registration, which is an "interaction", requires more and more personal information, far more than is required for the Government Gateway and therefore far more than the minimum.
• When it comes to verification, another sort of "interaction", who knows how much personal information is exchanged?
• The quantity of personal information seems to be determined by the needs of GDS and the "identity providers" and the relying parties like HMRC. Not the needs of the mere users.
5. Data Quality
I choose when to update my records
Not true. Digidentity decided that DMossEsq had to upload an image of his passport. Without that, they decided, he can't use his Digidentity account.
6. Service User Access and Portability
I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
Not true.
• You can't remove your personal information whenever you want. All "identity providers" keep it for at least seven years.

• Digidentity, like other "identity providers", share your personal information with unnamed suppliers. You don't know who they are. You don't know what personal information of yours they have. How can you remove it?
• There has been talk for a long time of "signal sharing" to detect and prevent fraud. Who would perform this function? Could you remove your personal information from them?
7. Certification
I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
Not true.
• Some "identity providers" are certified by tScheme. Others aren't. The governance requirements aren't common.
• Nor are they obviously effective – Verizon are certified by tScheme but their services have nevertheless been withdrawn: "Recent changes to Verizon’s contracting structure mean that the service in its current form has not yet fully completed the external certification process. Verizon is working with Cabinet Office and independent auditors to make sure their service meets the contractual requirements, is fully accredited, and gives the best results possible for users".
• What about Zendesk? That's a company GDS have got participating in GOV.UK Verify (RIP). Are Zendesk certified? No. Ditto – can you be confident about the uncertified who participate by logging all activity in GOV.UK Verify (RIP)?
8. Dispute Resolution
If I have a dispute, I can go to an independent Third Party for a resolution
Not true. Can you name this independent third party? There was supposed to be a GOV.UK Verify (RIP) ombudsman. None has been appointed.
9. Exceptional Circumstances
I know that any exception has to be approved by Parliament and is subject to independent scrutiny
Not true. Do you know that parliament approves all exceptions? How do you know? What independent scrutiny? There is none.

Principle #6 promises that "I can move / remove my data whenever I want". This is false. When DMossEsq closed his Safran Morpho/SecureIdentity account his data wasn't removed. It will be kept by Safran Morpho/SecureIdentity for seven years.

DMossEsq can't remove his data whenever he wants. Principle #6 is being flouted, please see Safran Morpho/SecureIdentity's privacy policy:
1.4 How long does Morpho keep your personal data

Morpho will keep your data for as long as necessary in order to provide you with the services available on our website and applications.

Morpho may also keep your contact details to send you service-related information. Morpho might use your contact details for direct marketing in connection with the service provided.

Morpho may keep records of your activities for seven (7) years after the date on which your identity account is closed, to handle complaints or disputes that may arise.

Morpho will keep your personal data to the extent necessary to comply with all applicable laws, regulations and code of practices.
It's not just Safran Morpho/SecureIdentity. All the "identity providers" keep your data whether you want them to or not. The "control afforded to an individual" is nil.

And it's not just Principle #6. GOV.UK Verify (RIP) flouts all nine privacy principles. It doesn't abide by a single one (6 May 2016 1). How GDS can claim that they do abide by these principles is a mystery.

That is what they say: "GOV.UK Verify [RIP] protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group". But it's not true, is it.


Updated 11.11.16

Check the GOV.UK performance platform and you'll find that nine government services can be accessed using GOV.UK Verify (RIP). That's what GDS say. There are many qualifications that should be added to that claim of theirs.

Let's let that drop for the moment and instead note here that two more services are to be added to that modest list, please see GOV.UK Verify [RIP] welcomes 2 more DVLA services:
You can now use GOV.UK Verify [RIP] to access the DVLA’s Driving with a medical condition service and Renew your medical driving licence service.
That looks like one service, not two, but don't let's cavil. Note rather this claim:
GOV.UK Verify [RIP] has been designed to minimise storage of personal data, so drivers can be assured that their personal information remains safe and private.
It does not follow from personal information storage being kept to a minimum that your personal information is safe and private.

And the design of GOV.UK Verify (RIP) requires your personal information – in this case including medical information – to be sprayed all over the world. Nothing could make it less likely that your personal information is "safe and private".

Then there's this claim:
With GOV.UK Verify [RIP] connected to Driving with a medical condition, the DVLA can be sure be sure [doubly sure?] applicants are who they say there [they?] are ...
The US National Institute for Standards and Technology disagree. They say that GOV.UK Verify (RIP) offers relying parties like DVLA nothing more than self-certification. Spraying your data all over the world is all downside.

DVLA is the Driver and Vehicle Licensing Agency. GDS have driven a coach and horses through their identity assurance principles, please see main post above. The National Health Service don't think that GOV.UK Verify (RIP) meets the standards required for medical records. You might be well advised to listen to them.

Updated 4.1.17 1

Late last year the Government Digital Service (GDS) published three articles about the GOV.UK Verify (RIP) privacy assurance principles:

Applying Failing to apply
the identity assurance principles

to GOV.UK Verify (RIP):
30 November 2016 Part 1
9 December 2016 Part 2
20 Decmber 2016 Part 3
"We’ve blogged a lot about how user security and privacy is [are] at the heart of GOV.UK Verify [RIP]", GDS say in Part 1. True enough but blogging about them doesn't demonstrate that GOV.UK Verify (RIP) really does provide security and privacy.

"We’ve also talked about the Privacy and Consumer Advisory Group (PCAG)", GDS go on, "and one of their key outputs: the Identity Assurance Principles. These exist to inform and guide the privacy-related aspects of identity assurance, especially in GOV.UK Verify [RIP]". Agreed. That's the idea ...

... but of course it's our contention above that GOV.UK Verify (RIP) doesn't abide by the identity assurance principles. And that's precisely what GDS themselves demonstrate, at length, over the course of these three articles.

Take principle #8, for example, treated in Part 3: "If I have a dispute, I can go to an independent third party for a resolution".

What do GDS say?

"If a user wants to raise a complaint, then they can do so through the certified company’s user support". That's not an independent third party.

Also, "if the user is not satisfied with the result, then they can get in touch with the GOV.UK Verify [RIP] user support team. They can look into the user’s problem to help offer a solution, and they can also raise the complaint with Verify’s Privacy Officer". Neither the user support team nor the Privacy Officer is an independent third party.

Also, "user support has the ability to share anonymised and statistical outcomes with the independent PCAG for further investigation, if required". But principle #8 says that you can go to an independent third party. That's not the same as GOV.UK Verify (RIP)'s user support team going to PCAG.

Does GOV.UK Verify (RIP) abide by principle #8? Manifestly, no.

Principle #9 is: "Any exception has to be approved by Parliament and is subject to independent scrutiny".

What does that mean?

GDS say: "An exceptional circumstance within the privacy principles is defined as a situation where it’s agreed that the privacy principles we’ve just covered are not followed".

We've just seen that principle #8 isn't followed. So that's an exception. Has it been approved by Parliament? No. So principle #9 isn't followed either.

Neither are principle ##1-7.

GDS may have succeeded in convincing themselves that GOV.UK Verify (RIP) complies with PCAG's identity assurance principles. But no-one else.

Updated 4.1.17 2

The following comment has been submitted on GDS's blog post Applying the identity assurance principles to GOV.UK Verify: Part 3:
David Moss
Your comment is awaiting moderation.
"It’s worth noting that all of our certified companies are certified by tScheme ..."
Morpho, the Post Office and the Royal Mail are not certified by tScheme [*].
"... but not necessarily separately. This is because when a certified company uses the same system as another company that is already tScheme certified, then there is no need for a second certification of the same system".
Does that mean that Morpho, the Post Office and the Royal Mail are not doing any real identity assurance work? The work is really being done behind the scenes by someone else?
Who is doing Morpho's work for them?
Who is doing the Post Office's work for them?
Who is doing the Royal Mail's work for them?
Link to this comment

Update 5.1.17 1

The DMossEsq comment above on the GOV.UK Verify (RIP) blog has been deleted and the following email response has been received:
From: Emily Ch'ng
Sent: 04 January 2017 14:49
To: DMossEsq
Subject: Your comment on the GOV.UK Verify blog

Dear David,

Thank you for your comment on the GOV.UK Verify blog. I am the blog's moderator.

I would like to let you know that I am unable to approve your comment as we do not discuss the subcontracting details of GOV.UK Verify's certified companies in the public domain as this is commercially sensitive and thus confidential information.

If you would like to find out further details about certified companies and tScheme, you are free to contact the certified companies themselves.

Many thanks for your interest in GOV.UK Verify.

Kind regards,

Digital Engagement Manager

Government Digital Service

Update 5.1.17 2

The following response to GDS has been sent:
From: David Moss
Sent: 05 January 2017 11:40
To: 'Emily Ch'ng'
Subject: RE: Your comment on the GOV.UK Verify blog,

Dear Emily

Thank you for your email.

In her blog post Applying the identity assurance principles to GOV.UK Verify [RIP]: Part 3
Orvokki Lohikoski, the GOV.UK Verify (RIP) privacy officer, writes:
"It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately".
In other words, all of our certified companies are certified by tScheme except that they're not ...

... a museum quality example of self-contradiction that she attempts to resolve by saying:
"when a certified company uses the same system as another company that is already tScheme certified,
then there is no need for a second certification of the same system".

That inevitably raises the question in the mind of the public
which uncertified certified companies
rely on which certified certified companies,
a question which the Government Digital Service raise
but which you then say in your email that they will not discuss.
So why raise it?
It looks as though GDS are teasing the public.

Given that the service operated by Morpho – one of the certified companies – is not approved by tScheme,
which tScheme-approved company is really doing the work?
The same question needs to be raised in the cases of the Post Office and the Royal Mail.
Their services also are not approved by tScheme.
People think they are dealing with the Post Office, say, but in reality they're not.
People are being deceived by GDS's GOV.UK Verify (RIP).

Not only will you not answer the question on the GOV.UK Verify (RIP) blog which you moderate,
you won't even publish it – my comment on Ms Lohikoski's blog post has been deleted.

"Make things open: it makes things better", it says in the GDS Design Principles.
It would make things better in this case but,
for reasons of commercial sensitivity and confidentiality,
GDS are not being open.
The public are being lured into handing over sensitive personal information
in the hope that it will be treated confidentially
by certified companies that may not be certified.
But despite having to pay for the privilege, we are not allowed to know how the system works.

You recommend that I should raise the question
which non-tScheme-approved companies rely on which tScheme-approved companies
with the "identity providers" themselves.
Thank you for that recommendation, I shall do so.

That leaves the public and the certified companies to sort out their relationship with no assistance from GDS.
It cuts GDS out of the loop
in the identity assurance ecosystem/market
that GDS say they are trying to promote and regulate.
A market which relies on self-contradiction.
A market which moderates/suppresses public discussion of its workings
on the very forum which invites comments.
A market predicated on an openness which is not available precisely when it is needed.
A market which everyone acknowledges depends on trust.
What are the public to make of that?

Ms Lohikoski has the impssible task of convincing the public
that GOV.UK Verify (RIP) abides by the identity assurance principles
laid down by the Privacy and Consumer Advisory Group.
It manifestly doesn't.
And PCAG have undermined their own credibility by pretending that it does,
last March and in Ms Lohikoski's December blog post.

GDS have no experience of creating and operating a market and it shows.
GOV.UK Verify (RIP) is a mess.
By comparison, the stock market is a model of openness.

Yours sincerely
David Moss

No comments:

Post a Comment