Saturday, 28 May 2016

Government Gateway 1 - 0 GOV.UK Verify (RIP)


18 April 2016, RIP IDA – it tolls for thee:
In the lethal custody of the Department for Work and Pensions (DWP), the Government Gateway has been neglected for years. Now someone seems to have paid it a bit of attention. An innovation, it sent DMossEsq's mobile phone a one-time password when he logged in to take a look at his personal tax account.

We have suggested recently [1 April 2016] that the Government Gateway should be taken away from DWP and given to HMRC. Perhaps it has been.
24 May 2016, Don't tell the Cabinet Office: HMRC is building its own online ID system.

25 May 2016, HMRC plans extra authentication channel.


Thursday, 26 May 2016

RIP IDA – GOV.UK Retrench

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
Kirsty Styles edits the New Statesman magazine's B2B tech site. She asks the Government Digital Service (GDS) about GOV.UK Verify (RIP). And back comes a response, possibly from an automaton, something to do with "rigorous onboarding", which looks co-operative but which doesn't answer the question.

You've got to take your hat off to the GOV.UK Verify (RIP) team. They've been doing this day in, day out, for years.

They can still say with a straight face that all their "identity providers" are certified when half of them aren't.

Even after all these years, they still claim to have eight "identity providers" while telling new applicants for a GOV.UK Verify (RIP) account that five of them "probably can't verify you".

They're still adamant that GOV.UK Verify (RIP) is secure and that it abides by all nine of the identity assurance privacy principles – it doesn't abide by a single one and everyone knows that there is no such thing as unqualified security.

And their response to the US National Institute of Standards and Technology's claim that GOV.UK Verify (RIP) doesn't do identity-proofing and offers no more than self-certification is pluckily ... to ignore it.

They look as though they could keep this up forever.

But they can't.

Saturday, 21 May 2016

"Data Science Ethical Framework" – contempt for the public

Housewives as a whole cannot be trusted to buy all the right things, where nutrition and health are concerned. This is really no more than an extension of the principle according to which the housewife herself would not trust a child of four to select the week’s purchases. For in the case of nutrition and health, just as in the case of education, the gentleman in Whitehall really does know better what is good for people than the people know themselves.

That was Douglas Jay in 1937, writing in The Socialist Case. How much has changed 79 years later?

-----  o  O  o  -----

Friday, 20 May 2016

Furtive

The Rt Hon Matt Hancock MP, Minister for the Cabinet Office, gave a speech yesterday to launch the Data Science Ethical Framework. It got off to a wobbly start:
When Alan Turing proposed the Turing Machine and his theory of machine intelligence, he would not have imagined that his early ideas of computing and algorithms would be enhanced and evolved using the quintillions of bytes of data we generate today.
There's no telling what Alan Turing would or would not have imagined.

Wednesday, 18 May 2016

RIP IDA – worse than you thought

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The problem you already knew about ...
The point of GOV.UK Verify (RIP) is to assure central government departments like HMRC, Her Majesty's Revenue and Customs, that the person on the other end of the line is who they say they are. GOV.UK Verify (RIP) follows the good practice, we are told, set out in GPG45, Good Practice Guide 45.

Chapter 4 of GPG45, p.9, provides for four levels of assurance, 1-4.

Level 1 isn't much use to a relying party such as HMRC, the identity hasn't been proved at all.

Level 2 gets a bit more useful: "The steps taken to determine that the identity relates to a real person and that the Applicant is [the] owner of that identity might be offered in support of civil proceedings". Level 2 might support identification in a civil court. It might. It might not.

Levels 3 and 4 are successively more reliable. But that's irrelevant at the moment as GOV.UK Verify (RIP) is only offering Level 2.

What's more, it's having trouble reaching even Level 2 according to OIX, the Open Identity Exchange, the Government Digital Service's business partner. If GOV.UK Verify (RIP) could use our personal bank account information, OIX say, that "would help [to] achieve the required standards against the 5 elements of identity assurance at level of assurance 2" (p.11).

To some extent, OIX have now got their wish. GDS tell us that: "In the last few months, we've seen new data sources and methods being introduced, and we've worked with mobile network operators as they've developed a new phone contract validation service that’s now in live use in GOV.UK Verify [RIP] ... It’s also now possible to verify your identity without either a passport or driving licence, thanks to a new method introduced by one of our certified companies which allows you to use your bank account as proof of your identity".

They've got their additional data and it's not helping. The GOV.UK Verify (RIP) account creation success rate remains stuck at around 70%. Young people have trouble opening an account, so do old people and unemployed people and people on low incomes.

Hat tip someone, it's all a far cry from the 16 September 2014 GOV.UK Verify (RIP) service assessment, when the assessors' report called for GDS to "actively work with the market to grow [demographic] coverage to as close to 100% as can be achieved, as early as possible during the Beta".

... may be worse than you thought
But suppose GOV.UK Verify (RIP) achieved 100% demographic coverage and enrolled everyone into GOV.UK Verify (RIP) with a level of assurance of 2. Then what?

Saturday, 14 May 2016

Mind the gap

On the London Underground/Metro/Subway a recorded message tells us all, over the public address system, to "mind the gap". That's the gap between the train and the platform, of course, which we are all supposed to be too stupid to mind unless we're reminded.

There once was a post-nuclear holocaust film the name of which entirely escapes DMossEsq in which empty trains continued to travel the tube system following their programmed timetable, stopping to open their doors at each appointed station and the only voice heard was the PA system mindlessly repeating "mind the gap".

Wednesday, 4 May 2016

RIP IDA – the last rites

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.


We can make a meal of it. Or we can do it the quick way.

Let's try the quick way first. Three steps.