Tuesday 29 March 2016

RIP IDA – not good enough for the NHS and not good enough for you

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


This is what the Government Digital Service (GDS) have to say about the security of GOV.UK Verify (RIP). It's secure. And it stops someone pretending to be you. And it fights the growing problem of on-line identity theft.

The splash screen you see if you bravely register for one of GDS's GOV.UK Verify (RIP) accounts

HSCIC
Health and Social Care Information Centre
We are the trusted national provider of high-quality information, data and IT systems for health and social care.

But it's not quite as clear-cut as that. According to Computer Weekly magazine, "Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC".

Not only that, but "The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security".

NHS Liverpool CCG
National Health Service Liverpool Clinical Commissioning Group (CCG) is responsible for planning and buying most NHS services for the people of Liverpool …

And "Liverpool Clinical Commissioning Group (CCG) is working to make the government's identify authentication platform secure enough for the NHS to use".

Why do Computer Weekly keep banging on about security? Because Rob Shaw of HSCIC told them there is a security problem with GOV.UK Verify (RIP), "we absolutely have to make sure it’s secure enough" and "Verify is not quite there in terms of the level of security we’ll need in terms of the health services" and "we’re likely to take it to the next level in terms of security".

The Cabinet Office helpfully chimed in with "We take our users’ privacy and the security of their data very seriously and the new system is safer and more secure than previous ways of proving who you are online".

Followed by Dave Horsfield of the Liverpool CCG, "the programme is about giving patients access to their records for whatever purpose they want, securely and easily".

Apparently "the NHS is worried that Verify won’t be, or won’t come across as, secure enough for people’s health records ... we’ve got an extra layer in health where people are very worried about security".

In case you haven't been counting, that's 12 occurrences of the word "secure" and its cognates. Anyone would think there's a security problem with GOV.UK Verify (RIP). The sheer weight of repetition must have overwhelmed most readers into believing that.

But not Jim Gumbley. This Liverpool business is not an example of a security problem, Jim says. It's an identity-proofing problem. And that's different.

It's wrong in that case to say that GOV.UK Verify (RIP) isn't secure enough for the NHS. Better to say that it's not good enough at stopping people from pretending to be you. Or that it's lost the fight against the growing problem of on-line identity theft.

Mr Horsfield thinks he may be able to solve the GOV.UK Verify (RIP) problem with a combination of social media and biometrics – the triumph of hope over experience.

Jim's right. As usual. Identity-proofing and security are two different things and shouldn't be confused.

It remains the case that GDS's splash screen is wrong and that GOV.UK Verify (RIP) isn't "good" enough for the NHS. So it isn't good enough for any other "relying party" like HMRC or DWP either. Or for a bank. Or for a criminal court. Or even for a civil court. And it's certainly not good enough for you.

Friday 25 March 2016

RIP IDA – Verizon

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


The Government Digital Service (GDS) claimed until recently that they had nine "identity providers" through whom we proles could register an account with GOV.UK Verify (RIP).

Then PayPal bolted. One minute you see them. Next minute they're gone.

PayPal gave no explanation. Neither did GDS.

Whatever, GDS were then down from nine to eight "identity providers". Or should that be seven?

Some time on or before 7 March 2016, Verizon disappeared from GDS's list of GOV.UK Verify (RIP) "identity providers". They'd been there before. Then they weren't.

Why?

On 8 March 2016 GDS tweeted their first and last attempt at an answer: "Verizon are preparing their service under the new contract. More news on this soon. They remain available for existing users".

The "new contract" referred to is Framework 2. It's been well over a year since the terms of Framework 2 were known.

GDS presumably expect us proles to believe that Verizon are so incompetent that, unlike any other "identity provider", they have to take their service down for several weeks just to change their terms and conditions.

That looks so unlikely by way of an explanation that the unsatisfied mind starts to look for other explanations.

On 7 March 2016 ElReg reported Verizon fined just $1.4m for stalker supercookies.

Verizon were fined for using supercookies. What? "That means that over time, it is possible to ... build a strong profile on a particular individual, which advertisers then use to show you so-called relevant adverts".

Is that why Verizon had gone dark GOV.UK Verify (RIP)-wise? "Nah", said security expert Peter Bance, par for the course, already priced in, that's just how Verizon operate, bit of an eye-opener for us proles maybe but not for GDS, Her Majesty's public officials in the know.

GDS tell us that GOV.UK Verify (RIP) is needed to help us view our driving licence details. So Verizon are involved because they want nothing more than for us to view our driving licence details?

Not exactly. Verizon are quite open about it: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect".

But if Verizon haven't bolted like PayPal, and if it isn't the Framework 2 terms and conditions, and it isn't the shame of being caught using supercookies and the derisory fine of $1.4 million, then what is the reason for Verizon's temporary absence from the host of "identity providers"?

Note first that Verizon already have their GOV.UK Verify (RIP) service approved by tScheme, the experts in trustworthiness. What's more (hat tip: someone), they've applied for tScheme certification of a second identity proofing service. It doesn't look as if they intend to bolt.

Note also that Verizon's GOV.UK Verify (RIP) problems go back to before 7 March 2016. "Verizon have identified an issue within their environment", it said on 26 February 2016 (hat tip: someone), "there will be a short period of downtime to implement an emergency change". That's on GDS's GOV.UK Verify (RIP) status log.

The emergency was over 102 minutes later according to the log and Verizon were fully operational again. Except that four weeks later they're not.

Note finally security expert Brian Krebs's latest revelation, Crooks Steal, Sell Verizon Enterprise Customer Data: "Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise ... Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site".

That's more like it. That's more like an explanation for Verizon taking their GOV.UK Verify (RIP) registration site down for four weeks. Their security has been breached and 1½ million of their customers are now at more risk than usual as a result.

GDS are always blithely optimistic about security:


GOV.UK Verify (RIP) – "It's secure". No qualification. It's secure and that's all there is to it.

No. No-one believes that and it's a mystery why GDS keep saying it.

It's a false prospectus. Just ask Verizon. GDS's claim amounts to luring in the innocent. GOV.UK Verify (RIP) would never be admitted to the London Stock Exchange's Daily Official List if their broker came along with a whopper like that.

Mystery cleared up, Verizon have gone dark because they've been taken to the cleaners.

Don't let the same happen to you.

According to Verizon's GOV.UK Verify (RIP) privacy policy (hat tip: someone), "... it will also be necessary, in order to provision the service to you [prole] to share the personal information we [Verizon] collect, as described above, to companies that perform services on our behalf as follows ... The identity service product is owned by Zentry LLC. Zentry LLC is a US based company who will receive your information in order to issue the identity credential on your request ...".

Verizon will share your personal information with Zentry. And who are Zentry? According to Bloomberg:


And according to FindTheCompany, "Zentry Technology LLC is a small organization in the business services industry located in Salt Lake City, UT. It opened its doors in 2010 and now has an estimated $90,000 in yearly revenue and approximately 2 employees".

When Verizon reappear in GDS's GOV.UK Verify (RIP) firmament you can entrust all your personal information to them and to Zentry if you like so that you can view your driving licence details. It's up to you.

----------

Updated 29.3.16

GDS's claim that Verizon have stopped registering new GOV.UK Verify (RIP) account-holders because they have to update their terms and conditions of business is cheeky. The other Framework 1 "identity providers" all managed to convert to Framework 2 on the fly.

Is the theory that Verizon are still off air because they've been hacked any better as an explanation?

Not necessarily.

Experian were taken to the cleaners, too, like Verizon, please see RIP IDA – 16 June 2014 and Brian Krebs's Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. Experian are still happily registering new GOV.UK Verify (RIP) victims.


Updated 5.4.16

Here's a snapshot from Verizon's contract with GDS, the bit dealing with key performance indicators:

Before you ask ...
"Availability" means that the on-line Customer facing Services described in paragraph A (Overview) of Schedule 1 (Services) shall be operational and available 24 hours a day, 365 days a year, excluding Scheduled Downtime and shall be samples [sampled?] at intervals of no more than 5 minutes.
... a "measurement window" is seven days and those customer-facing services include:


Verizon haven't provided those services since 7 March 2016, at least four measurement windows ago. This is no mere KPI failure. This is a critical KPI failure, as defined.

And what happens when a provider like Verizon suffers critical KPI failures? Answer, the authority, in this case GDS, may terminate their contract:

"The Provider shall at all relevant times meet or exceed the KPIs set out in Table 1 (KPIs) below in performing the Services. The Authority may terminate this Contract under Clause H2 (Termination for Default) in the event that the Provider commits three (3) Critical KPI Failures."

The authority may terminate the contract. They have that right but it's not a duty. Would GDS terminate Verizon's contract just for suffering at least four critical KPI failures? Apparently not.

There's all sorts of other interesting detail available in the Verizon contract. But before we get too excited, this is their Framework 1 contract, which must by now presumably have been replaced with a Framework 2 contract.

The Framework 2 contract is likely to have similar service availability conditions in it. In which case it is relevant to note that, yes, Verizon are still not registering new GOV.UK Verify (RIP) victims.


Updated 6.4.16

Some time today, Verizon reappeared:


"Did you know", they ask, without ever reaching a question mark, ...

"... Verizon has customers in 150 countries and manages identity programs for 25 governments. Millions of people across the globe trust their security and personal data to Verizon every day, so you can be confident that we know how to protect you to the highest standards."

"You can be confident that we know how to protect you to the highest standards"? Not very confident. Don't forget Crooks Steal, Sell Verizon Enterprise Customer Data.

Verizon have been closed to new GOV.UK Verify (RIP) victims for the past month or so. Why?

It's because they've been "preparing their service under the new contract", GDS told us on 8 March 2016.

That's not what Verizon told Neil Merrett yesterday:
"We have been working to make sure that the platform gives the best results possible. We have been introducing two new mobile features to make our service more mobile friendly."

Neither proposition explains taking Verizon's registration service down for a month.

If you want to register with Verizon, you're on your own. Even though "there's no charge for this service" and Verizon has "met security standards set by government", DMossEsq couldn't find a single volunteer prepared to try it out.

GDS may want to lure you in but why take the risk?

Especially if next time Verizon go on holiday you might find your identity, and thus your existence, suspended for a month.


Updated 9.12.16

Verizon is one of the "identity providers" for GOV.UK Verify (RIP).

At least, they're meant to be.

Nine months ago, Verizon disappeared without convincing explanation. A month later, they re-appeared without convincing ditto.

That doesn't inspire confidence.

We, the public, need to feel that GOV.UK Verify (RIP) is stable.

So do the "relying parties", i.e. the likes of the Driver and Vehicle Licensing Agency (DVLA). They need to know that we are who we claim to be when we connect to the on-line public services they operate.

How are the relying parties supposed to feel confident in the assurances of the "identity providers" that we are who we say we are when "identity providers" themselves can just whimsically come and go?

Verizon – now you see them …

You might get away with it once. But not twice. And you know what? Verizon disappeared again, in July. What's more, they still haven't re-appeared five months later.

… now you don't.

Will Verizon be back again?

In time for Christmas?

Will the Government Digital Service ever deign to explain to us, their parishioners, what on earth is going on?

And can you see why sensible relying parties are sticking to the Government Gateway?

Thursday 24 March 2016

An open address register

First he was the director of open data and transparency. Then director of open data and government innovation. Now Paul Maltby is director of data at the Government Digital Service (GDS) and yesterday he blogged about An open address register:
The UK government is regularly recognised for being a global leader in making public data openly available. Ministers have committed to being the most transparent government ever. We are determined to make sure that we keep producing high quality data and that we make it as accessible as possible ...

Data has become a part of our core national infrastructure, and a huge driver of innovation ...

Registers, canonical lists of core reference data, are at the forefront of the government’s effort ...

GDS Data Group and the Department for Business, Innovation and Skills (BIS) are working in conjunction with a range of other stakeholders to explore how to fully exploit the benefits of open and freely available address data ...

All these predicates may have disappeared from his job title but Mr Maltby wants us to know that he's still in favour of openness and transparency and that he still sees a connection between making data open and inspiring innovation, which in turn will cause the economy to grow. That reference to registers also alerts us to his support for Government as a Platform (GaaP).

We know that GDS believe that GaaP would reduce the budget deficit by £35 billion p.a. and that GaaP could get rid of 1½ million useless public servants. All that's needed is for there to be a set of "canonical" registers, which constitute a "single source of truth".

We also know that GDS fall in with the belief that innovation is caused by data being open, a belief we refer to as "the magic of open data".

They're hypotheses really, not beliefs. There's a lot of evidence to the contrary about both GaaP and the magic of open data and little evidence in favour. We know that, too.

So why is Mr Maltby re-affirming his commitment to these unproven hypotheses now? Answer, there's money at stake, please see para. 2.324 in the UK's 16 March 2016 Budget: "The government will provide up to £5 million to develop options for an authoritative address register that is open and freely available".

We already have an "authoritative address register". It's called the "postcode address file" (PAF) and it's maintained by Royal Mail plc.

The public sector doesn't need to spend £5 million of our money "developing options" to create another one.

But a lot of people want to.

Professor Sir Nigel Shadbolt of the Open Data Institute and Stephan Shakespeare of YouGov, for example.

They're both convinced that it was a terrible mistake to let Royal Mail take the PAF with it when it was privatised. They even managed to convince the normally sensible Hon Bernard Jenkin MP, chairman of Public Administration Select Committee, that it was a mistake.

Why do they think it was a terrible mistake? Because, if postcodes aren't freely available to everyone who wants them, then there will be no innovation and the economy will shrivel. Not proven.

ComputerWorld UK also are up in arms:
The government’s (now defunct) Open Data User Group described national addresses as “the single most fundamental set of core-reference data we can identify” in a February 2013 paper.

It argued making the data openly available would improve transparency, boost public sector efficiency, improve economic growth as the data can be used by businesses and reduce the cost and complexity of licensing ...

It will unlock an estimated £110 million of value for UK businesses, charities and government.

Before it was closed, the Open Data User Group (ODUG) was of course entitled to describe the PAF in any hyperbolic terms it chose. The fact remains that the PAF is still available to the nation. Take a look. We haven't been deprived of it.

The claims made for transparency, efficiency, economic growth and complexity are still unproven. And ODUG's estimate of the value it could unlock is no more than an estimate.

If we go back to 2013 and the glory days of ODUG we find the claim made that Royal Mail's monopoly of postcodes would increase its profits. Also:
"... a potential investor is likely to view the persistent debate about the ownership and future of PAF as a risk factor which will deter them from investing in the Royal Mail."

While you're trying to work out whether ODUG thought Royal Mail was a high return investment or a low one, let's move on to bank account numbers, mobile phone numbers, email addresses and IP addresses, four more of the "single most fundamental set[s] of core-reference data" that should be under government control.

“When the UK Government privatised the Royal Mail it lost control of address data". That's what Peter Wells of the Open Data Institute told ComputerWorld UK. Presumably he would prefer to see bank account numbers, mobile phone numbers etc ..., also under government control.

Him and Mr Maltby, too. Those registers. They want everything in there. And in their view it all has to be under government control.

GDS have established a Register Design Authority, they tell us. If some ghastly profit-making organisation happens to create a useful register, GDS could exclude it from the single source of truth.

They think they can control the truth.

They also think they understand markets and that they know how to create them and regulate them.

They also think they're experts on property ownership. They think they can take property away from one person and give it to another without causing anxiety – anxiety in the recipient, for example, that if the Lords of Truth can expropriate once they might develop a liking for it and do it again. And anxiety among innovators generally. If their invention works, will it be taken away from them and added to the single source of truth? In which case, what's the point?

And the Chancellor thinks he knows how to allocate resources. £5 million to fund an unnecessary competition between the public sector and the private sector.

----------

Updated 25.3.16

Tony Collins and others have just won a Freedom of Information case brought against the Department for Work and Pensions (DWP).

Instead of hiding the sad truth for years, DWP should now disclose a lot of the Universal Credit project management documentation.

DWP may continue to behave as though it is above the law and unbound by common sense and common decency. But if not, then one of the documents it should publish is the Universal Credit risk register.

And where better to publish it than on Mr Maltby's open, transparent, innovation-causing, economy-expanding canonical register platform?

Updated 31.3.16

Sir Jeremy Heywood, head of the UK civil service, devoted a lot of his 2015 review to diversity and inclusion.

Work on D&I has been going on for years throughout Whitehall, not least in the Cabinet Office, please see LGBT – history, religion and faith:

"As the Cabinet Office LGB&TI Diversity Champion, making the department one of the most inclusive and diverse organisations in government is something I care passionately about; and that sentiment is shared by my executive committee colleagues."

That was written by Stephen Foreshew-Cain, executive director of the Government Digital Service (GDS), who later wrote GDS and gender diversity at conferences and events:

"... no-one from GDS will take part in a panel discussion of two or more people unless there is at least one woman on the panel, not including the chair ... This is not tokenism. This is important. This is us doing our bit, and taking action."

Far from tokenism, yesterday GDS pulled out of an international conference on agile software engineering:


"We will not attend events that don't reflect our values". Who is we? What does attendance amount to? What is an event? What is reflection? What are our values?

Sometimes the answers are just obvious. When they're not, there will be disagreement. That will divert resources away from meeting user needs, which is GDS's lodestar.

How to avoid that dissipation of resources? How to make it clear whether GDS will attend a conference or not? Should GDS appear on platforms like Twitter alongside people who don't "reflect our values"?

GDS need a definitive list of "our values". An agreed, authoritative and complete list. Curated and canonical. GDS need a register of values.

And not just GDS. The whole civil service. Will Sir Jeremy's 2016 review include the promulgation of Whitehall's values register?


Updated 1.4.16
"Smash the silos"

More on "our values" on Twitter today, please see the valorous manly tweets alongside.

Looking back at GDS's Getting from data to registers, we see:

The Register Design Authority

And that’s the focus of the Register Design Authority, which sits in the GDS data group - making sure that registers accurately and helpfully reflect the interconnectedness of government data.

This team has domain control for the register.gov.uk domain. It will work with the register custodians who are responsible for running registers and are the domain experts, to ensure that the data in their registers is modelled in ways that meet users’ needs, and work with other registers in the government data ecosystem.

This is how we will avoid unhelpful and confusing replication of data and ensure that registers really are trustworthy.

That Register Design Authority, sitting in the GDS data group, with its domain control and responsibility and expertise, claiming in the name of trustworthiness to avoid unhelpful and confusing replication in the ecosystem – it's a classic Whitehall silo and needs presumably to be smashed. That's "our values".

Wednesday 23 March 2016

RIP IDA – UK First Government to Offer U2F-Secured Digital ID

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


We told them. On 16 April 2015. Please see RIP IDA – what they omitted from the obituary:
Where's the nationwide information campaign?

Normal people have never heard of GOV.UK Verify (RIP). GDS want the system to be live in a year's time, by April 2016. Some time soon GDS are going to have to tell 60 million people what GOV.UK Verify (RIP) is. And how it works. And why they should use it.

GOV.UK Verify (RIP) is due to go live next month. April 2016. Maybe nine days away. And still there's no attempt to tell the public what's going on.

Why this reticence?

Google never mounts a campaign to launch a new service. So the Government Digital Service (GDS) shouldn't either. But GDS isn't Google.

-----  o  O  o  -----

We told them. On 3 February 2016. Please see RIP IDA – interview tips:
"Do not be embarrassed by the fact that you have never created an ecosystem in your life and do not be embarrassed by the fact that you don't have a clue how to regulate a market. Your interviewers won't ask you about that and you shouldn't ask them about their experience either."

GDS have never created or regulated a market in their lives. And it shows.

-----  o  O  o  -----

The London Stock Exchange regulates its market. Among other things, they operate a regulatory news service, RNS. GDS could have learnt from that.

Instead, they rely on the haphazard use of Twitter to tell the public what's going on in GOV.UK Verify (RIP)'s intensive care unit.

Sometimes new "identity providers" are fulsomely welcomed on board, e.g. Barclays. Sometimes GDS forget to welcome them, e.g. Morpho. That wouldn't happen with an experienced RNS.

There are 100 companies in the FTSE-100. When a new one joins and an old one leaves, that's big news on RNS. For a long time now, there were supposed to be nine GOV.UK Verify (RIP) "identity providers". Then PayPal pulled out. Explanation from GDS? None.

GDS still list eight GOV.UK Verify (RIP) "identity providers" – Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. But Verizon have been closed to new business for over a fortnight now. "More news on this soon", said GDS on 8 March 2016. Since then? Nothing.

A London Stock Exchange marketmaker has to promise to make a market. Otherwise, they lose their membership of the Exchange. They can't just suddenly stop trading. There have to be bid and offer prices on which they will trade at all times. Verizon have stopped "making a market" for over a fortnight. And the consequences? As far as we know, none.

All companies with a full listing on the London Stock Exchange have to abide by the same Exchange rules. That's how you run an orderly market.

With GOV.UK Verify (RIP), some "identity providers" are certified trustworthy by tScheme and some aren't. Why should the certified companies bother to go to all the hard work of obtaining approval if GDS, their regulator, lets other companies operate without approval?

Digidentity, Experian, GBGroup and Verizon are certified trustworthy by tScheme. Barclays, Morpho, PayPal, Post Office and Royal Mail aren't. It's a recipe for creating unhelpful tension in what should be an orderly market.

If you open an account with a London Stock Exchange member to buy and sell shares, you expect it to be straightforward – what you see is what you get. Your account with Barclays Stockbrokers, for example, is an account with Barclays Stockbrokers, not someone else.

Far from straightforward, if you register with GOV.UK Verify (RIP) using Barclays as your "identity provider", it turns out that they rely on Verizon. And if you think you've registered using Royal Mail as your "identity provider", think again. Royal Mail have their accounts managed for them by GBGroup. There's some sort of a tie-up between Digidentity and Post Office as well.

Just who are you dealing with? It's far from clear.

That's not helped when Morpho call themselves "SecureIdentity" and GBGroup call themselves "CitizenSafe".

You've never heard of most of them, have you. Because GDS have never told you anything about them. And yet GDS expect you to trust them all equally, all nine eight seven "identity providers". GDS expect you to trust them with your identity.

The public are being lured into a chaotic identity assurance system, GOV.UK Verify (RIP).

Take for example a tweet that appeared this morning out of nowhere from a company no-one had ever heard of, Yubico.

Apparently, if you're registered by Digidentity, you could also be dealing with Yubico, did you but know it.

Some of the time, GDS think we're all idiots. Some of us can't handle apostrophes or even capital letters and GDS promise that in everything they write no-one will be excluded.

These same people, defeated by capital letters, are meant to be able to make a sensible choice between Royal Mail/GBGroup/CitizenSafe, Barclays/Verizon and Digidentity/Post Office/Yubico.

Here's what Yubico had to tell us this morning. With no public information campaign by way of preparation, who knows what the capital letters-challenged members of the population or anyone else is supposed to make of it?
The UK has spent the past five years on a digital transformation that is setting a world standard [only time will tell, the rest of the world may say thank you but no thanks] for how citizens securely interact with government online services.

The UK’s Government Digital Service (GDS), which came online in 2011, will add in a few weeks a new verification service called GOV.UK Verify [RIP] to this impressive project [this impressive project described by the ex-deputy director of GDS as putting lipstick on pigs].

Digidentity is one of the original identity providers (IdP) for GOV.UK Verify [RIP] and will offer support for the YubiKey and the Universal 2nd Factor (U2F) protocol [what's that then?]. UK citizens can now use a YubiKey as a second authentication factor to access their Digidentity accounts [but GDS said GOV.UK Verify (RIP) is already secure, do you need a YubiKey as well to make it really secure, are the other IdP services less secure because they don't use YubiKeys?], while the country rolls out the first government service in the world to support U2F.

This is an important milestone for both citizens and governments looking to leverage identity data [you weren't looking to leverage identity data, were you, you just wanted to submit your tax return] to secure services while safeguarding privacy. The combination of secure authentication and federation/single sign-on is required for digital services to scale.

GOV.UK Verify uses a host of identity providers who validate a citizen’s personal data, store that data [and share it out of your control with several other organisations anywhere in the world], and verify the user is who they say they are when they attempt to access government digital services. The IdP’s [bit of apostrophe trouble there] are part of an identity federation established as part of GDS.

The GOV.UK Verify program has been running in beta for the past 18 months [25 months]. The program supports 13 services [9 services according to GDS, 8 if you discount rural payments, which doesn't exist] spread over five government departments, but it will have 50 services [time will tell] and 10 departments signed up when GOV.UK Verify goes live in early April. The service will support 90% of the UK’s adult population [66% account creation success rate at the moment but there are a few days left for that to improve], according to the UK government.

“UK citizens can easily purchase a FIDO U2F device online and register it with Digidentity, [how easily? how much does a FIDO U2F YubiKey cost?]” says Marcel Wendt, Digidentity CTO and co-founder. “With a quick online process, the user’s identity is verified [does Digidentity not work, then, without a YubiKey?] and tied to the U2F device, and the data is encrypted to safeguard a user’s privacy [otherwise we have no privacy?].”

Today, verifying identity is mostly done via manual processes [possibly because, when it's important, that's how it has to be done], such as asking people to send identity evidence via snail mail or show ID in-person at a counter service. Those are cumbersome and time-consuming tasks [no snail mail involved when you opened your Amazon account, was there? What are Yubico talking about? There was no snail mail because Amazon piggy-back on the work done by your credit card supplier who piggy-backs on the in person work done by your bank] for people needing access to online services using their digital identity credentials.

To authenticate to GOV.UK Verify using Digidentity with FIDO U2F, the user inserts a U2F YubiKey device into their computer’s USB port, and then touches the device [if I insert your YubiKey and touch it, does that mean I am you?]. There are no drivers or client software to install [but will it fill in your tax return for you?]. Later this year, U2F authentication via Near Field Communication (NFC) and Bluetooth will be supported by Digidentity for secure login from mobile devices.

Digidentity’s ground-breaking IdP service with strong authentication is another example of how Yubico helps secure online identities and innovates to make those identities easier to use and available to everyone [do you want to be available to everyone?].
Best of luck to Sir Jeremy Heywood. And the British public.

----------

Updated 31.3.16

One of the goals of the GOV.UK Verify (RIP) identity assurance programme is to "grow a new market for identity services in the UK".

CitizenSafe announced the other day that GOV.UK Verify (RIP) is replacing the Government Gateway. In an orderly market, in the case of the Government Gateway, that announcement should come from a politician or from an official, not from a £2 dormant company no-one has ever heard of.

The Government Gateway is used by companies to submit their annual returns and accounts to Companies House and to submit their tax returns to HMRC. GOV.UK Verify (RIP) can't verify companies. GDS confirm that doing so is "not currently on our roadmap". So CitizenSafe are wrong – GOV.UK Verify (RIP) can't replace the Government Gateway.

Is the announcement made by UKAuthority.com any more reliable?

They suggest that the introduction of two-factor authentication (2FA) by using YubiKey (please see above) with GOV.UK Verify (RIP) is a good thing. It puts GDS up there with Google and Dropbox. ieg4, whoever they are, are equally enthusiastic.

But GOV.UK Verify (RIP) has had 2FA from day one. Copied from the UK retail banks who've been doing it for years, account-holders have to enter a one-time password texted to their mobile phone. Why are UKAuthority.com and ieg4 and Digidentity pushing the unknown YubiKey?

Do GDS endorse YubiKey?

Even if they do, Yubico's terms and conditions of business say, in capitals: "F. Warranty Disclaimer. EXCEPT AS EXPRESSLY PROVIDED HEREIN, YUBICO PROVIDES THE PRODUCT AND THE YUBICLOUD “AS IS”. BY USING THE PRODUCT AND/OR YUBICLOUD, USER ASSUMES ALL RESPONSIBILITY AND RISK OF USE OF THE PRODUCT AND/OR YUBICLOUD WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT".

The wrong people seem to be making the wrong announcements in GDS's new market for identity services in the UK.

GDS have lost control before their market has even opened and long after everyone else like the banks is/are up and running with tens of millions of account-holders and years of successful experience.

For some reason GDS want to drop millions of people who can't handle apostrophes or even capital letters (please see above) into this pit. How are they supposed to decide whether to buy a YubiKey? Is it unsafe to use GOV.UK Verify (RIP) without a YubiKey?

When? When do GDS think it's sensible to go live with GOV.UK Verify (RIP)? "Early April". That could be as early as ... tomorrow.


Updated 8.4.16

GDS have never created or regulated a market in their lives.
And it shows.

GDS are forever changing the GOV.UK Verify (RIP) registration dialogue.

They have recently introduced the following screen:

Three of their "identity providers" can verify you now, they say. The other five are useless – they are unlikely to be able to verify you based on your answers.

This is blatant nonsense – DMossEsq has been verified by no less than four of the "identity providers" deemed by GDS to be useless.

Talking nonsense doesn't help GDS to operate an orderly market. Neither does promoting the interests of three of its suppliers ahead of the other five.

If you're in any doubt, incidentally, which are the useless five "identity providers" according to GDS, click on Show all companies and you'll see:

Five useless GOV.UK Verify (RIP) "identity providers"


Updated 12.4.16

This morning, Computer Weekly magazine told us that UK cyber crime growing exponentially. This afternoon, the BBC told us that Security snapshot reveals massive personal data loss.

No news there. Everyone knows the web is a dangerous place to do business.

And everyone knows that the security measures adopted to protect us users can themselves breach our security – there was ElReg last Friday, telling us that US taxmen pull plug on anti-identity-theft system used by identity thieves:
When the IRS [US Internal Revenue Service] admitted last month that 700,000 people's old tax returns – which are full of sensitive personal information – had been sent to scammers, it enrolled those affected in the PIN system.

In total this year, the IRS has issued 2.7 million PIN codes. But the scammers got wise, and used 800 of them to file fraudulent tax returns to redirect people's refunds to the criminals' bank accounts. Now the IRS has stopped the system.
How long before the YubiKeys (please see above) being sold to protect users of GOV.UK Verify (RIP) over the YubiCloud turn out to be used by fraudsters to unlock your personal information?

And how long before the UK's Government Digital Service stops luring victims into GOV.UK Verify (RIP) with its irresponsible claim that it's "secure"? Without qualification, just "secure":


RIP IDA – UK First Government to Offer U2F-Secured Digital ID


We told them. On 16 April 2015. Please see RIP IDA – what they omitted from the obituary:
Where's the nationwide information campaign?

Normal people have never heard of GOV.UK Verify (RIP). GDS want the system to be live in a year's time, by April 2016. Some time soon GDS are going to have to tell 60 million people what GOV.UK Verify (RIP) is. And how it works. And why they should use it.
GOV.UK Verify (RIP) is due to go live next month. April 2016. Maybe nine days away. And still there's no attempt to tell the public what's going on.

Why this reticence?

Google never mounts a campaign to launch a new service. So the Government Digital Service (GDS) shouldn't either. But GDS isn't Google.

-----  o  O  o  -----

Thursday 17 March 2016

RIP IDA – to lose one "identity provider" may be regarded as a misfortune


Why did PayPal jump ship?
And when will Verizon climb back aboard?


The Government Digital Service (GDS) operate GOV.UK Verify (RIP) under a framework agreement. First there was Framework 1. Then there was Framework 2.

The eight Framework 1 "identity providers" were Cassidian, Digidentity, Experian, Ingeus, Mydex, Post Office, PayPal and Verizon.

Cassidian, Ingeus, Mydex and PayPal all pulled out. Why? We don't know. Which is odd. GDS say "we're building trust by being open – the sunlight of transparency is making things better". There's no transparency here, no sunlight and no openness. So, by GDS's logic, there's no trust.

Why did these four suppliers abandon ship? What did they know that the remaining four didn't? Why did the remaining four stay on board?

Framework 2 replaces Framework 1. The nine Framework 2 "identity providers" were Barclays, Digidentity, Experian, GBGroup, Morpho, Post Office, PayPal (back on board again), Royal Mail and Verizon.

GDS didn't like being stood up like that. It doesn't look good. It doesn't inspire confidence. It doesn't show respect. So when Framework 2 came along, the "identity providers" had to promise to bring an identity assurance service to market.

But PayPal have bolted again. GDS didn't tell us that. Neil Merrett did.

That's what PayPal think of GDS and of GOV.UK Verify (RIP). So much for PayPal's promise to deliver. And so much for GDS's ability to enforce that condition of the contract.

"To lose one parent may be regarded as a misfortune; to lose both looks like carelessness", as Oscar said. To lose five "identity providers", one of them twice, smacks of downright sloppiness.

Is it only five?

Or is it six? It's 10 days now since DMossEsq noticed that Verizon had disappeared from GDS's list of "identity providers".

GDS promised more news soon. That was nine days ago. Since then there's been no sunlight, no transparency, no openness and no news from either GDS or Verizon.

The Barclays GOV.UK Verify (RIP) service depends in some unspecified way on Verizon. "We may share your personal information with [lots of other organisations and] Verizon, our technical services partner, so they can perform certain parts of the Identity Service on our behalf", it says in the Barclays privacy policy. Can Barclays keep going if Verizon have disappeared?

GDS, 15 April 2013

We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government's Good Practice Guides.

The Cabinet Office has joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.
All GOV.UK Verify (RIP) "identity providers" are meant to be certified as trustworthy. The Post Office's application for certification lapsed a year ago. Barclays, Morpho and Royal Mail all have applications extant and none of them have been certified yet. PayPal never even applied for certification.

GDS didn't tell anyone about that. DMossEsq did. And, once again, Neil Merrett.

GOV.UK Verify (RIP) is currently down to just three certified "identity providers" and it's due to go live in a fortnight ...

... about time too. It's been in beta for over two years ...

... and once upon a time it was "due to be rolled out for initial public services by autumn 2012".

Back then the identity assurance programme had a senior responsible owner (SRO), Mike Bracken: “It’s something that I put my hand up for because it’s so important". He departed the civil service last September. No replacement SRO has been nominated.

Meanwhile:
  • The GOV.UK Verify (RIP) account creation success rate keeps going down whereas GDS promised that it would be going up.
  • And the remaining "identity providers" are having trouble achieving even the lowly level of assurance needed by a civil court that account-holders really are who they say they are, let alone the level required by a criminal court.
  • And some of the departments of state that are supposed to rely on GOV.UK Verify (RIP)'s assurances are distancing themselves from GDS's programme and developing their own.
  • And some members of the public may not understand why, under GOV.UK Verify (RIP), just to see their driving licence details on-line, it is necessary to hand over reams of personal information to "identity providers" who promptly share it, beyond your control, with other organisations here in the UK and abroad.
It's looking a bit shaky. Which is not what you want in what is supposed to be a platform for cross-government public services – and especially not the platform embarrassingly earmarked by the Cabinet Secretary himself for increasing public trust in the civil service.

----------

Updated 12.4.16

Since the blog post above was published, Verizon have returned to the fold ...

... and GDS have published another blog post in their GOV.UK Verify: Technical delivery update series. Yesterday, 11 April 2016, saw the seventh episode so far. And once again, GDS's technical contribution to GOV.UK Verify (RIP) occupied centre stage: "To improve GOV.UK Verify [RIP] and make it better for end users, since our last update we’ve ... added new journeys to the hub to reflect the new features released by the certified companies ...".

Let's take a look at this new improved journey which GDS have made better for end users. There are nine steps involved. A bit long for modern attention spans but the dénouement is so dramatic that it's well worth investing the effort to concentrate.

The first four steps in your user journey may look like this:

First, you say this is your first attempt to register with GOV.UK Verify (RIP) ...

... then you take in the news that GOV.UK Verify (RIP) is secure (no qualifications) and stops someone pretending to be you (no qualifications) ...

... at the third step, you discover that there are eight "identity providers" and that they are all without exception certified and that the service is free ...

... and at the fourth step, you start your journey

At this point in your journey, the style of the screens changes. These are the screens GDS are modifying like mad to improve them for user needs:

Step 5 is a bit of hand-holding, GDS are going to help you choose the right "identity provider" for you ...

... at step 6 you confirm that you have your up to date passport and your driving licence with you, you're going to hand over all the details on those documents to the "identity provider" GDS help you to choose ...

... next you confirm that you can install apps (viruses) on your smart phone ...

... and nearly finally, at the eighth step, you confirm that you're over the age of 20 and you've lived in the UK for the past year.

Eight steps and we're nearly there. At the ninth step, when you press Continue, GDS are going to recommend which "identity provider(s)" you should use. Wait for it:


Nine steps into your registration, and what are GDS telling you?

They're telling you that even though you've lived in the UK for the past year and you're over 20 and you can install apps on your smart phone and you've got your up to date passport and driving licence with you ...

... even though all of the above ...

... no less than five of their "identity providers" are "unlikely to be able to verify you".

You weren't expecting that, were you. You thought the answers you gave to GDS's finely crafted dialogue made you one of the easiest candidates for registration.

If the five "identity providers" who are "unlikely to be able to verify you" can't verify you, who on earth can they verify? No-one.

Those five "identity providers" – Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon – must be, according to GDS, useless.

GDS started Framework 2 with nine "identity providers". First they lost PayPal. Now they've lost five more. They're left with just three.

And having seen the public humiliation meted out to Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon, using a laboriously reiterated GDS improvement process, "unlikely to be able to verify you", how long will the three survivors hang around?

The directors of Digidentity, Experian and the Post Office have their reputation to think about. And their future. They have shareholders to satisfy. And equity analysts to convince.

How long will they hang around?

As little time as their lawyers tell them they have to.

GOV.UK Verify? RIP.


Updated 14.4.16

Last seen, GDS were impugning the commercial prospects of Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon. The GOV.UK Verify (RIP) services offered by these five "identity providers" were described by GDS as deficient. They were "unlikely to be able to verify you". Given that that's their job, these services were useless.

This changed some time yesterday. Barclays and CitizenSafe (GB Group) were re-admitted to the useful camp:


Three "identity providers" are still useless – Royal Mail, SecureIdentity (Safran Morpho) and Verizon. "They're unlikely to be able to verify you". Keep away from them. That's GDS's advice.

What has changed in the services offered by Barclays and CitizenSafe (GB Group)? How did they move from useless (according to GDS) to acceptable (according to GDS)? What are Royal Mail, SecureIdentity (Safran Morpho) and Verizon still missing (according to GDS)?

In an orderly market, the public would know the answers to these questions. As it is, we don't know. GDS haven't told us.

GDS are meant to be operating this identity assurance market. It's looking disorderly at the moment. Which isn't what you want in your transactions with government. Nor with anyone else. And certainly not what you want in the management of your identity.

GDS no doubt have the right to praise or damn any or all of their suppliers. In this case their "identity providers". And like the worst civil servants they can do so without giving anyone the reason why. It's their train set.

But they can't declare GOV.UK Verify (RIP) live all by themselves. Not if "live" means anything.

Going live, relying on GOV.UK Verify (RIP) as part of the UK's national infrastructure, inflicting the system on the public at large, is a decision for the Cabinet and the most senior officials in Whitehall.

And as that senior decision-making team looks on, with GDS publicly recommending that the declaration should be made in April 2016, with GDS saying that GOV.UK Verify (RIP) is ready to go live any time in the next 16 days, what do the team see?
  • They see a system which was meant to be able to register at least 90% of the population but which can't. As at last week, the figure was 67%. 33% of the population would be excluded by default from on-line public services.
  • They see an unstable system in which the suppliers come into favour at GDS's whim and fall out of favour just as mysteriously.
  • They see a public which hasn't been prepared for the new system by any national information campaign.
  • They see the public being lured into a system which GDS say is "secure" but which everyone knows can't be.
  • They see the public being lured into a system which claims to protect the privacy of our personal information but which doesn't.
If you think GOV.UK Verify (RIP) should go live this month, you go on television and say so.

You face the press.

You sit there looking confident while Scotland laughs at you – they've got their own system, they don't need GOV.UK Verify (RIP) and they don't want it.

You grin hopefully as every responsible department of state leaves you twisting in the wind as they pursue their own alternatives to GOV.UK Verify (RIP).

You do it. Because you're not going to get any member of the Cabinet to do it. Nor any Whitehall mandarin.


Updated 15.4.16

The day before yesterday, GDS said there were three "identity providers" who could verify your identity when you try to register with GOV.UK Verify (RIP) – Digidentity, Experian and Post Office.

Yesterday, please see above, that number went up to five with the addition of Barclays and CitizenSafe (GB Group).

Today?

Barclays and CitizenSafe (GB Group) have been struck off again. Anyone who chose Barclays or CitizenSafe (GB Group) as their "identity provider" yesterday must be feeling pretty sick today:


You don't know where you stand with GOV.UK Verify (RIP). GDS have created a machine for making uncertainty.


Updated 20.4.16 1

Barclays, CitizenSafe/GB Group and Verizon are still out in the cold, "unlikely to be able to verify you" as GDS say. Yesterday morning, so were Royal Mail and Safran Morpho/SecureIdentity. Now those two have been admitted to the fold:


CitizenSafe/GB Group must be feeling a bit peeved. They use the same registration system as Royal Mail but they're out and Royal Mail are in. Why?

Verizon also must be feeling a bit peeved. They've got the highest marks awarded by tScheme to any "identity provider" and yet here's GDS doing their best to exclude them.

A bit rich when you consider that tScheme haven't yet approved the services offered by Royal Mail and Safran Morpho/SecureIdentity (or Barclays) and the Post Office's tScheme application lapsed over a year ago. Some certified companies are a lot less certified than others.

For the moment, your five-way choice of "identity provider" is between three uncertified companies, a Dutch company you've never heard of (Digidentity) and Experian, who have experienced the odd security problem and who reserve the right to store your personal information anywhere in the world.


Which "identity provider" to choose?

You don't have to make that invidious choice. Not according to HMRC you don't. You can use the Government Gateway instead. That's what HMRC say.

Unlike GOV.UK Verify (RIP), the Government Gateway's been working for 15 years. It went live in January 2001. GOV.UK Verify (RIP) might go live, according to GDS, some time in the next 10 days.

The most popular government website is Universal JobMatch. And how do you register there if you want to find a job? With the Government Gateway.

Suppose you help your mother to register with Safran Morpho/SecureIdentity today and tomorrow GDS cross them off the list again? What are you going to tell her then?

GDS have got a lot on their plate. They're trying to work out where they're at. And where they're going. And they've only got until September 2016 to work out a strategy. They've got enough to think about. They're trying to find themselves. Make life easier for them. They're searching for an identity. Go on, be kind, use the Government Gateway.


Updated 20.4.16 2

Unbelievable.

21:48, later that same day, and Royal Mail and Safran Morpho/SecureIdentity have been dropped again. Banished to the same wilderness as Barclays, CitizenSafe/GB Group and Verizon. We're back down to three "identity providers".

The "identity providers" don't know where they stand. One minute they "can verify you", next minute they're "unlikely to be able to verify you". They won't hang around for long if this is the way GDS treat them.

We the public don't know where we stand. Is it prudent or recommended to register with Royal Mail, for example, or isn't it? Faced with this uncertainty, entirely of GDS's own making, the only sensible option is not to register with any of the "identity providers".

The "relying parties" are meant to be able to rely on the affirmations of the "identity providers". If Barclays say that DMossEsq really is who he says he is, HMRC are meant to be able to rely on that. How can they when GDS themselves say they can't?

And the private sector. They're meant to be attracted to this new approach to identity assurance? GOV.UK Verify (RIP) could underwrite payments?

Certainty?

Trust?

Gone.


Updated 21.4.16

A heavy-hitting financial technology conference started in London yesterday, Consult Hyperion's Tomorrow's Transactions Forum 2016.

Barclays Bank were in attendance. They were flying the flag for GOV.UK Verify (RIP).

All the while, the Government Digital Service (GDS) were undermining them, as they still are, displaying a message to anyone who tried to register for GOV.UK Verify (RIP) to the effect that:
  • Digidentity, Experian and the Post Office are OK.
  • Barclays and the other four "identity providers" in the doghouse are no use.
If you had had to guess in advance which of GDS's eight "identity providers" would be best at registering new victims for GOV.UK Verify (RIP), Barclays would surely have been at or near the top.

Unlike GDS, they've got all the qualifications. They're used to registering people. They verify identity all day every day, that's their job, that's what retail banks do. They know about identification and verification and authentication and authorisation. They're undaunted by the huge numbers of people involved. They're used to on-line systems and security and the subtleties of design for comprehensibility and trust. After several centuries of experience, they know how to maximise the probability that those are the right counterparties at each end of a financial transaction.

And yet, according to GDS, Barclays are "unlikely to be able to verify you". What's gone wrong?

Suppose that's the wrong question. Suppose nothing's gone wrong. Your first impression was that Barclays would be among the best at doing the registration job – suppose you were right.

Barclays might not be getting enough punters through the door for GDS's untutored liking but they might be doing the job properly.

Barclays live and breathe the skills of KYC and AML (Know Your Customer and Anti-Money Laundering). When they've broken the rules of KYC and AML they've paid the fines and they've suffered the loss of reputation, see Private Eye. That's not a million miles away from another reason you know that Barclays know how to do registration properly.

GDS set a target of 90% coverage for on-line registration. Where did that figure come from? Thin air? What's it based on? Wishful thinking? Callow insouciance?

90% may be unattainable. It may be a political requirement but that doesn't mean it's realistic. It may simply be that GOV.UK Verify (RIP)'s exclusively on-line registration is not feasible. Perhaps that's what the disappointing account creation success rate is telling us.

What is the percentage of GOV.UK Verify (RIP)'s target population which can have its identity verified on-line with an adequate level of assurance? Null hypothesis: whatever percentage Barclays can achieve.


Updated 25.4.16

GDS seem to have got rid of the ants in their pants. The list of recommended "identity providers" has remained stable for a few days now.

No changes, Digidentity, Experian and the Post Office are the goodies. They "can verify you now".

And Barclays, CitizenSafe/GB Group, Royal Mail, Safran Morpho/SecureIdentity and Verizon are, according to GDS, a waste of space, they're the baddies, they're "unlikely to be able to verify you".

One of the touted benefits of GOV.UK Verify (RIP) is the wide choice of competent "identity providers". It is unfortunate that in the week when GDS are likely to declare the system to be "live", whatever that means, the wide choice has fallen from nine to eight to three.

That's GDS's opinion, of course – others might recommend that the number of "identity providers" it is wise to register with isn't three at all, it's zero.


Updated 26.4.16

Barclays and CitizenSafe/GB Group have now been added to GDS's list of recommended "identity providers".


The list of GDS-approved "identity providers" for GOV.UK Verify (RIP) @ about 15:00 on 26 April 2016

People expect the government-provided identity management system to which we are entrusting a colossal amount of personal information to look dependable and stable. With "identity providers" coming into favour and falling out of favour every few days and, sometimes, every few hours, GOV.UK Verify (RIP) looks anything but stable.

It looks a bit frantic. A bit desperate. A bit amateur.

GOV.UK Verify (RIP) looks like a public service that it would be irresponsible to declare to be ready for live use.


Updated 27.4.16

Keep up, you at the back there. Yesterday, Barclays and CitizenSafe/GB Group were on GDS's list of competent "identity providers" you could feel confident about. Today, they have re-joined the company of the clueless and you're advised not to bother trying to register with them. If you did register with them yesterday, that's not GDS's fault. Nothing is.

The list of GDS-approved "identity providers" for GOV.UK Verify (RIP) @ about 16:30 on 27 April 2016

Updated 1.5.16

Here we are, four days after the previous update, and the Government Digital Service (GDS) are still recommending the same three "identity providers" to people who wish, for whatever reason, to register with GOV.UK Verify (RIP).

This marks a welcome period of calm predictability and stability. Much needed after the frenetic farce-like action over the past few weeks when "identity providers" appeared on stage unexpectedly for a few hours and then inexplicably fell down stairs or out of windows and retreated to the wings.

To keep on changing the list of competent "identity providers" makes it look as though GDS aren't sure what's going on, they're event-driven, nervously reacting to new percepts over which they have no control.

That is no way to inspire trust in the population who are meant to sign up for GOV.UK Verify (RIP). It must be slightly giddy-making for the "identity providers", too. Not to mention the relying parties like HMRC and DWP who are meant to rely on the affirmations of the "identity providers".

If Barclays, for example, tell HMRC that, yes, this man who claims to be Abraham Lincoln really is Abraham Lincoln, can HMRC rely on it? When Barclays were acceptable to GDS one day and unacceptable the next? If GDS can't make their mind up about Barclays, how are HMRC supposed to?

Far better to make a decision and stick with it. Digidentity, Experian and the Post Office are acceptable to GDS as "identity providers". And Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity and Verizon aren't. That way we all know where we are.

Unfortunately for GOV.UK Verify (RIP), that's not the only area of farce.

For months now, GDS have said that GOV.UK Verify (RIP) would go live in April 2016. As late as 26 April 2016, Computer Weekly magazine reported: "With the official 'live' date for the programme set for 29 April 2016, Hughes is confident everything is on track".

That's Janet Hughes, programme director of GOV.UK Verify (RIP), and three days later her confidence had melted away and she found herself writing "we’re very nearly there". Nearly. But not quite. In fact, we're not there.

Here we go again. Now you see it. Now you don't. GOV.UK Verify (RIP) is live, yes it is, no it's not.

On the same day, 29 April 2016, Neil Merrett tweeted "GOV.UK Verify to meet live service requirements 'shortly'" together with a link to one of his excellent articles, giving a selection of reasons for the latest hold-up.

It doesn't matter what reasons are proffered. We can't believe them any more.

If GDS change their mind daily about who is an acceptable "identity provider" and whether GOV.UK Verify (RIP) is live, they are just as likely to change their mind about the reasons.

Two days later, today, 1 May 2016, Mr Merrett tweeted again, "GDS to 'shortly' confirm a rescheduled date for when GOV.UK #Verify platform will switch to a live service" with a link to the same article.

It would clearly be a mistake to do what the first tweet suggested and claim that GOV.UK Verify (RIP) will "shortly" meet the requirements to be declared live. First it's ready to go live, then it isn't, then it is, all in a matter of days? Not confidence-inspiring.

Better perhaps to stick to the second tweet and make an announcement "shortly" that GOV.UK Verify (RIP) will be ready to be declared live in six months' time or whatever – six months is GDS's traditional interval on GOV.UK Verify (RIP) progress reports going back to 29 October 2014.

It's not as though there's any hurry. No-one wants GOV.UK Verify (RIP). No-one needs it. We've got the Government Gateway and scores of other identity management schemes. Any haste now will just make GDS look as though they're not in control again, and don't know what they're doing.


Updated 23 June 2016

It was 12 April 2016 when we noted that the Government Digital Service (GDS) were telling new applicants for GOV.UK Verify (RIP) accounts that only three of their "identity providers" were likely to be able to do the job.

DMossEsq has been monitoring the situation ever since. For most of the past two months, Digidentity, Experian and the Post Office have been promoted by GDS, and GDS have been warning applicants not to use the other five "identity providers" – Barclays, GB Group/CitizenSafe, the Royal Mail, Safran Morpho/SecureIdentity and Verizon.

Sometimes Safran Morpho/SecureIdentity appears on the recommended list for a few hours. Then it drops off again. Ditto GB Group/CitizenSafe.

Yesterday, the recommended list grew to six "identity providers". Today we seem to be back down to four. For the moment.

What do the shareholders of Verizon, say, think about this peculiar business? Verizon have signed up with GDS to provide a public service that GDS tell the public Verizon are incapable of providing. If you were a shareholder in Verizon – or Barclays or Digidentity or Experian or GB Group/CitizenSafe or the Royal Mail or Safran Morpho/SecureIdentity – wouldn't you be asking the directors "what on earth are [you] up to wrecking the brand like this?"


Updated 9 July 2016

As at 00:30 this morning, we are back down to just three "identity providers" who can register us with GOV.UK Verify (RIP) – Digidentity, Experian and the Post Office.

As there are eight "identity providers" signed up to GOV.UK Verify (RIP), does that mean that the other five are no good?

No.

GDS told us at 00:30 that only four of them are no good – Barclays, GB Group/CitizenSafe, the Royal Mail and Safran Morpho/SecureIdentity.

Verizon are no longer mentioned. They've gone missing again:


Two questions:
  • The Barclays service relies on Verizon. If Verizon are no longer operating, can Barclays survive?
  • Why haven't GDS told the public that GOV.UK Verify (RIP) has lost an "identity provider"?