Thursday 29 September 2016

"Stale" and "self-legitimising" public administrators

"... we foster a user-centred culture in GDS and across government by getting everyone involved in user research", it says in a Government Digital Service blog post today, Don’t forget! 2 hours every 6 weeks. "We have user researchers as part of agile teams, for example. That's part of our DNA ... Our natural state can be to look inwards [horror], towards our teams [awful], not outwards towards our users [that's better] ...".

This is all part of putting user needs first, rule #1 in the GDS Design Principles: "Service design starts with identifying user needs. If you don’t know what the user needs are, you won’t build the right thing. Do research, analyse data, talk to users. Don’t make assumptions. Have empathy for users, and [you] should remember that what they ask for isn't always what they need".

This initially clear picture is clouded by the genetically modified Government as a Platform (GaaP) team at GDS, who said in May 2016: "Everyone knows we start with user needs. Except we don't. We start with the needs of our team ... When we don't do this our research isn't useful to our team and they ignore it. There's nothing more pointless than doing research that no one listens to". That's one of their Eight principles for user researchers on Government as a Platform.

Should GDS "look outwards towards [their] users" and start with "identifying user needs"? Or is that "pointless"? Should they rather "start with the needs of [the GDS GaaP] team"?

Confusing, isn't it. Which one is the doctrine? Outwards? Or inwards?

"... remember that what [the users] ask for isn't always what they need" suggests that GDS can ignore their research data and revert to their prejudices on the grounds that the users don't know what they're talking about whereas GDS do.

We've been here before, in November 2013: "What does 'putting the user first' mean? Nothing? Whatever you want it to mean?".

We're not the only ones. See also June 2016's Digital Government: overcoming the systemic failure of transformation, where two Brunel University academics, Paul Waller and Professor Vishanth Weerakkody, point out that: "not much of a government or public administrative function directly involves citizens so a focus on the interface misses the point about 'transforming government processes' ..." (p.8).

And they're not the only ones. Our old friend Mark Thompson of the Methods Group and the Judge Business School at Cambridge University popped up in Computer Weekly magazine this month with Digital government isn’t about user needs – it’s more fundamental than that where he refers to the "stale, self-legitimising talk by public administrators about how they are building stuff to 'meet user needs' ...".

Have GDS already become stale and self-legitimising public administrators?

Are GDS part of the systemic failure of digital government transformation?

Are GDS going to be teaching the right syllabus in their new National Agile Polytechnic?

A bit of agile discovery work on the oldest rule in GDS's design principles book might help them and the rest of the world to get the user needs story straight.

Monday 26 September 2016

RIP IDA – however you cut it, GOV.UK Verify (RIP) is no more. It has ceased to be. It's expired and gone to meet its maker. This is a late identity assurance scheme. It's a stiff. Bereft of life, it rests in peace. If GDS hadn't nailed it to GOV.UK, it would be pushing up the daisies. It's rung down the curtain and joined the choir invisible. This is an ex-identity assurance scheme. RIP.

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default "internet era" world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays and the Post Office may find it impossible to access public services.

[Image: App info for Safran Morpho/SecureIdentity]

We have seen how Safran Morpho/SecureIdentity make you download an app/virus to your mobile phone if you want to use their GOV.UK Verify (RIP) services. Not a good idea. (Digidentity also now want their parishioners to download an app. Ditto, not a good idea.)

We have seen how GOV.UK Verify (RIP) flouts every one of the identity assurance privacy principles. Again, not a good idea.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

It leaves CitizenSafe/GBG/GB Group plc or whatever they're calling themselves these days, Experian and the Royal Mail.

That looks like three "identity providers" but it's really only two. The Royal Mail's name is being used as a lure but GBG are doing most of the identity assurance work: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone" (please see 11.3.16).

DMossEsq can choose between GBG (who do criminal records checks and who have international expertise in postal addresses, please see Loqate) and Experian (who are a trusted FTSE-100 credit rating agency with decades of experience, some of it unfortunate). That's if he wants to access on-line public services via GOV.UK Verify (RIP).

Alternatively, he can access on-line public services using his Government Gateway accounts.

How to choose between those two? GOV.UK Verify (RIP)? Or the Government Gateway?

At first, the choice seems easy. The Government Gateway is old, it's been starved of funds for years, you have to wait for an activation code to arrive through the post before you can use the service, you need to maintain several sets of user IDs and passwords and it's fashionable to dislike it.

On the other hand, who is it convenient for, to have just one password as advocated by GDS? It's certainly convenient for hackers.

And relying on the post does act as a check of sorts that you are the person you claim to be. GOV.UK Verify (RIP) doesn't perform that check. Is it really possible to establish someone's identity entirely on-line? With how much confidence?

Can GOV.UK Verify (RIP) prove your identity?
  • OIX, the Open Identity Exchange, GDS's business partner, don't think so. They say (p.11) that it's hard for GOV.UK Verify (RIP) to achieve even level of assurance 2 (civil courts), let alone the level of assurance 3 required for criminal courts.
  • And the US National Institute for Standards and Technology are even more scathing. They say that GOV.UK Verify (RIP)'s registration work amounts to no more than self-certification.
  • The NHS isn't impressed ...
  • ... neither is DWP ...
  • ... nor are the Scots.
  • All sorts of demographics are excluded from GOV.UK Verify (RIP), which last seen was allegedly stuck on about 70% potential penetration, miles short of its 90% target. What use is a national identity assurance scheme that excludes 30% of the nation?
  • One of its supporters says that the original plan was for GOV.UK Verify (RIP) "to provide low to medium security ID assurance for citizens, and this hasn’t changed". We should avoid "wildly unrealistic expectations", she says.
It is mystifying how GDS can believe that GOV.UK Verify (RIP) has anything to offer the finance sector, please see The value of digital identity to the financial sector. Of course digital identity is valuable. Not just valuable. Crucial. But the finance sector needs a lot more than the "low to medium security ID assurance" on offer from GOV.UK Verify (RIP).

GOV.UK Verify (RIP) needs the banks. Not the other way around.

The banks do in-person identity-proofing. For know-your-customer and for anti-money laundering. It may not be very good but it's better than relying on entirely on-line proofing. The banks feed the credit rating agencies with (an extraordinarily large amount of) our personal information. GOV.UK Verify (RIP) depends on the banks.

It's circular to pretend that the banks could in turn depend on GOV.UK Verify (RIP).

Similarly there is nothing in GOV.UK Verify (RIP) to attract UK local government. Why should local authorities accept HMRC's rejects and DWP's and the Scots'?

GOV.UK Verify (RIP) requires us all to spray masses of our personal information all over the world. There must be better ways to enjoy the benefits of GDS's "internet era".

We're handing over our personal information. More and more of it. And GDS have their eyes on even more. Bank data, mobile phone data, health data, travel data, education data, social media data, ..., all in the interests of identification and attribute exchange. That's in addition to our passport data and our driving licence data and our credit rating data. And yet GDS still can't do their job and fill up GOV.UK Verify (RIP)'s population registers.

It's a privacy nightmare as noted above, a nightmare that we are to a large extent spared with the Government Gateway. Let's wake up.

The Americans have ditched connect.gov, their equivalent to GOV.UK Verify (RIP). The Australians are tying themselves in knots. And meanwhile here in the UK, for whatever reason, given the choice, millions of people are choosing the Government Gateway over GOV.UK Verify (RIP). So much for four or five years of user experience testing and agile software engineering. GDS have made the prototype of a product that no-one wants.

Without an identity assurance scheme, GDS have a hole at the centre of their digital-by-default strategy. Which means they have no strategy.

We can kiss goodbye to the unrealistic plans for attribute exchange. And to GDS's sinister and religiose plans for single-source-of-truth registers supporting fantasy Government as a Platform. The desperate pretence that GOV.UK Verify (RIP) is viable is understandable. But no excuse. It's still misfeasance.

That hole could be plugged by using an "internet era" system provided by Google, say. God forbid.

Or by using a descendant of the Government Gateway, best developed by the most successful digital transformation team – HMRC, and not DWP, God forbid – leaving GDS to concentrate on running the National Agile Polytechnic, as per their new director general's plan, with a syllabus set principally by HMRC.

(The bank-based Nordic alternative is not available to the UK, where we don't have the strong municipalities needed.)

Companies have identities, too, not just people. And GOV.UK Verify (RIP) doesn't even pretend to be able to prove the identity of a company. HMRC will continue to rely on the Government Gateway to collect tax from companies for the foreseeable future. The Government Gateway supports billions of transactions every year and collects the hundreds of billions of pounds of Exchequer revenue (p.6) needed to fund public services (p.5).

The Government Gateway has a future. GOV.UK Verify (RIP), by contrast, is no use to HMRC or anyone else.

In the course of five posts over the past week we have now looked at 12 "identity providers" – Barclays, Cassidian, CitizenSafe/GBG/GB Group, Digidentity, Experian, Ingeus, Mydex, PayPal, the Post Office, the Royal Mail, Safran Morpho/SecureIdentity and Verizon. Only two or three of them work. Which ones do we like? None of them. We don't like models with "identity providers" in them.

The Government Gateway may be a pretty awful system. GOV.UK Verify (RIP) is worse.

----------

Updated 20.10.16 1

Government Computing:
Government Digital Service (GDS) director general Kevin Cunnington has been laying out some of his thinking on the direction’s organisation at a briefing this morning ...

Cunnington outlined that GOV.UK Verify [RIP] remains a key element of GDS’s ambitions ...


Updated 20.10.16 2

Government Computing:
GDS new director general Kevin Cunnington has been giving further information about how he sees the organisation developing under his leadership. The overall GDS strategy is still being worked on, he said, but is expected to be out by Christmas.

He indicated that he plans to create a profession for digital, data and technology and he is also going to get a grip of the GOV.UK Verify [RIP] identity assurance scheme.

“Two things that the [GDS] Advisory Board asked us to concentrate on are sort out Verify and get it to scale and the other is to tackle the really hard data issues” ...

On the future of Verify, he indicated that GDS was beginning to think bigger about it, asking why it was necessary to limit Verify to simply government services. He suggested that banks and gambling organisations could see the benefit of using it.

The thinking behind this, Cunnington suggested, had made GDS actively look at whether it can change the business model for Verify.

He also insisted that DWP had been a strong supporter of Verify ...

Sunday 25 September 2016

RIP IDA – privacy/identity assurance principles

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default internet era world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays and the Post Office may find it impossible to access public services.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

Among others, Safran Morpho/SecureIdentity:


As you can see, back in February 2016 DMossEsq managed successfully to register for GOV.UK Verify (RIP) with Safran Morpho/SecureIdentity.

GDS's registration dialogue has been updated since then. They try to point new applicants at the "identity providers" most likely to be able to register them. That means pointing them away from the "identity providers" least likely to be able to register them.

Day in, day out, for months now, since at least 12 April 2016, Safran Morpho/SecureIdentity have suffered the humiliating indignity of being fingered by GDS as useless:


Quite why Safran Morpho/SecureIdentity put up with this astonishing behaviour is unclear.

Whatever the answer, DMossEsq was registered with Safran Morpho/SecureIdentity but when he tried to log on to HMRC's on-line self-assessment service the other day through Safran Morpho/SecureIdentity, he failed. Just as he had already failed with the Post Office. And Barclays. And Digidentity.

Like the Post Office, Safran Morpho/SecureIdentity is not properly a certified company. They were supposed to be certified by tScheme by May 2016, but it's never happened. When GDS tell you that all their "identity providers" are certified companies, they're wrong:


But that isn't the problem in this case. DMossEsq closed his account with Safran Morpho/SecureIdentity almost as soon as he opened it. That's why he can't log on to HMRC via Safran Morpho/SecureIdentity.

Why did he close the account? Because DMossEsq doesn't approve of downloading apps onto his mobile phone and Safran Morpho/SecureIdentity insist that you do.

You might as well deliberately install a virus – look at the functions Safran Morpho/SecureIdentity's app can perform on the mobile phone screen snapshot alongside.

Do you want Safran Morpho/SecureIdentity modifying your system settings? Or finding and using your other accounts?

No. This is utterly intrusive. And quite unnecessary for the job in hand – in this case, to look at HMRC's on-line self-assessment service.

Which brings us to the nine identity assurance principles promulgated by PCAG, the Privacy and Consumer Advisory Group. GDS repeatedly claim that they abide by these principles which are designed to guard our privacy. But they don't.

The PCAG identity assurance principles for GOV.UK Verify (RIP) are shown below, each with its summary of the control afforded to an individual, followed by comments:

1. User Control
Principle: I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
Comment: Not true.
  • How would you know if your identity was being checked by someone tomorrow morning at 9 a.m.?
  • When did you give your consent for the credit rating agencies to share your personal information with GDS's "identity providers"? Or the banks or the mobile phone companies ditto? What about your health records? And your travel records? And your education records? And your social media accounts?
  • Is your consent informed? Is your consent given freely or do you rather feel that you have no alternative?

2. Transparency
Principle: Identity assurance can only take place in ways I understand and when I am fully informed
Comment: Not true. Do you understand how GDS's identity hub works? Are you fully informed on the matter of security?

3. Multiplicity
Principle: I can use and choose as many different identifiers or identity providers as I want to
Comment: Not true.
  • DMossEsq has found himself subsequently unable to use Digidentity, Barclays and the Post Office despite having previously registered with them.
  • And GDS warn that Safran Morpho/SecureIdentity are unlikely to be able to prove the identity of new applicants.
  • Who can make these choices? GDS decided back in April 2016 that, with some exceptions, applicants for a GOV.UK Verify (RIP) account have to be at least 20 years old. What are 19 year-old voters supposed to do? They're excluded. Ditto 19 year-old taxpayers and benefits claimants. Ditto 20 year-olds with little credit history. GOV.UK Verify (RIP) is not for everyone. Some people can't choose any identifiers at all, nor any "identity providers".

4. Data Minimisation
Principle: My interactions only use the minimum data necessary to meet my needs
Comment: Not true.
  • Registration, which is an "interaction", requires more and more personal information, far more than is required for the Government Gateway and therefore far more than the minimum.
  • When it comes to verification, another sort of "interaction", who knows how much personal information is exchanged?
  • The quantity of personal information seems to be determined by the needs of GDS and the "identity providers" and the relying parties like HMRC. Not the needs of the mere users.

5. Data Quality
Principle: I choose when to update my records
Comment: Not true. Digidentity decided that DMossEsq had to upload an image of his passport. Without that, they decided, he can't use his Digidentity account.

6. Service User Access and Portability
Principle: I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
Comment: Not true.
  • You can't remove your personal information whenever you want. All "identity providers" keep it for at least seven years.
  • Digidentity, like other "identity providers", share your personal information with unnamed suppliers. You don't know who they are. You don't know what personal information of yours they have. How can you remove it?
  • There has been talk for a long time of "signal sharing" to detect and prevent fraud. Who would perform this function? Could you remove your personal information from them?

7. Certification
Principle: I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
Comment: Not true.
  • Some "identity providers" are certified by tScheme. Others aren't. The governance requirements aren't common.
  • Nor are they obviously effective – Verizon are certified by tScheme but their services have nevertheless been withdrawn: "Recent changes to Verizon’s contracting structure mean that the service in its current form has not yet fully completed the external certification process. Verizon is working with Cabinet Office and independent auditors to make sure their service meets the contractual requirements, is fully accredited, and gives the best results possible for users".
  • What about Zendesk? That's a company GDS have got participating in GOV.UK Verify (RIP). Are Zendesk certified? No. Ditto StatusPage.io – can you be confident about the uncertified StatusPage.io who participate by logging all activity in GOV.UK Verify (RIP)?

8. Dispute Resolution
Principle: If I have a dispute, I can go to an independent Third Party for a resolution
Comment: Not true. Can you name this independent third party? There was supposed to be a GOV.UK Verify (RIP) ombudsman. None has been appointed.

9. Exceptional Circumstances
Principle: I know that any exception has to be approved by Parliament and is subject to independent scrutiny
Comment: Not true. Do you know that parliament approves all exceptions? How do you know? What independent scrutiny? There is none.

Principle #6 promises that "I can move / remove my data whenever I want". This is false. When DMossEsq closed his Safran Morpho/SecureIdentity account his data wasn't removed. It will be kept by Safran Morpho/SecureIdentity for seven years.

DMossEsq can't remove his data whenever he wants. Principle #6 is being flouted, please see Safran Morpho/SecureIdentity's privacy policy:
1.4 How long does Morpho keep your personal data

Morpho will keep your data for as long as necessary in order to provide you with the services available on our website and applications.

Morpho may also keep your contact details to send you service-related information. Morpho might use your contact details for direct marketing in connection with the service provided.

Morpho may keep records of your activities for seven (7) years after the date on which your identity account is closed, to handle complaints or disputes that may arise.

Morpho will keep your personal data to the extent necessary to comply with all applicable laws, regulations and code of practices.
It's not just Safran Morpho/SecureIdentity. All the "identity providers" keep your data whether you want them to or not. The "control afforded to an individual" is nil.

And it's not just Principle #6. GOV.UK Verify (RIP) flouts all nine privacy principles. It doesn't abide by a single one (6 May 2016 1). How GDS can claim that they do abide by these principles is a mystery.

That is what they say: "GOV.UK Verify [RIP] protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group". But it's not true, is it.

----------

Updated 11.11.16

Check the GOV.UK performance platform and you'll find that nine government services can be accessed using GOV.UK Verify (RIP). That's what GDS say. There are many qualifications that should be added to that claim of theirs.

Let's let that drop for the moment and instead note here that two more services are to be added to that modest list, please see GOV.UK Verify [RIP] welcomes 2 more DVLA services:
You can now use GOV.UK Verify [RIP] to access the DVLA’s Driving with a medical condition service and Renew your medical driving licence service.
That looks like one service, not two, but don't let's cavil. Note rather this claim:
GOV.UK Verify [RIP] has been designed to minimise storage of personal data, so drivers can be assured that their personal information remains safe and private.
It does not follow from personal information storage being kept to a minimum that your personal information is safe and private.

And the design of GOV.UK Verify (RIP) requires your personal information – in this case including medical information – to be sprayed all over the world. Nothing could make it less likely that your personal information is "safe and private".

Then there's this claim:
With GOV.UK Verify [RIP] connected to Driving with a medical condition, the DVLA can be sure be sure [doubly sure?] applicants are who they say there [they?] are ...
The US National Institute for Standards and Technology disagree. They say that GOV.UK Verify (RIP) offers relying parties like DVLA nothing more than self-certification. Spraying your data all over the world is all downside.

DVLA is the Driver and Vehicle Licensing Agency. GDS have driven a coach and horses through their identity assurance principles, please see main post above. The National Health Service don't think that GOV.UK Verify (RIP) meets the standards required for medical records. You might be well advised to listen to them.


Updated 4.1.17 1

Late last year the Government Digital Service (GDS) published three articles about the GOV.UK Verify (RIP) privacy assurance principles:

Applying Failing to apply the identity assurance principles to GOV.UK Verify (RIP):
  • 30 November 2016 Part 1
  • 9 December 2016 Part 2
  • 20 December 2016 Part 3

"We’ve blogged a lot about how user security and privacy is [are] at the heart of GOV.UK Verify [RIP]", GDS say in Part 1. True enough but blogging about them doesn't demonstrate that GOV.UK Verify (RIP) really does provide security and privacy.

"We’ve also talked about the Privacy and Consumer Advisory Group (PCAG)", GDS go on, "and one of their key outputs: the Identity Assurance Principles. These exist to inform and guide the privacy-related aspects of identity assurance, especially in GOV.UK Verify [RIP]". Agreed. That's the idea ...

... but of course it's our contention above that GOV.UK Verify (RIP) doesn't abide by the identity assurance principles. And that's precisely what GDS themselves demonstrate, at length, over the course of these three articles.

Take principle #8, for example, treated in Part 3: "If I have a dispute, I can go to an independent third party for a resolution".

What do GDS say?

"If a user wants to raise a complaint, then they can do so through the certified company’s user support". That's not an independent third party.

Also, "if the user is not satisfied with the result, then they can get in touch with the GOV.UK Verify [RIP] user support team. They can look into the user’s problem to help offer a solution, and they can also raise the complaint with Verify’s Privacy Officer". Neither the user support team nor the Privacy Officer is an independent third party.

Also, "user support has the ability to share anonymised and statistical outcomes with the independent PCAG for further investigation, if required". But principle #8 says that you can go to an independent third party. That's not the same as GOV.UK Verify (RIP)'s user support team going to PCAG.

Does GOV.UK Verify (RIP) abide by principle #8? Manifestly, no.

Principle #9 is: "Any exception has to be approved by Parliament and is subject to independent scrutiny".

What does that mean?

GDS say: "An exceptional circumstance within the privacy principles is defined as a situation where it’s agreed that the privacy principles we’ve just covered are not followed".

We've just seen that principle #8 isn't followed. So that's an exception. Has it been approved by Parliament? No. So principle #9 isn't followed either.

Neither are principles ##1-7.

GDS may have succeeded in convincing themselves that GOV.UK Verify (RIP) complies with PCAG's identity assurance principles. But no-one else.


Updated 4.1.17 2

The following comment has been submitted on GDS's blog post Applying the identity assurance principles to GOV.UK Verify: Part 3:
David Moss
Your comment is awaiting moderation.
"It’s worth noting that all of our certified companies are certified by tScheme ..."
Morpho, the Post Office and the Royal Mail are not certified by tScheme [*].
"... but not necessarily separately. This is because when a certified company uses the same system as another company that is already tScheme certified, then there is no need for a second certification of the same system".
Does that mean that Morpho, the Post Office and the Royal Mail are not doing any real identity assurance work? The work is really being done behind the scenes by someone else?
Who is doing Morpho's work for them?
Who is doing the Post Office's work for them?
Who is doing the Royal Mail's work for them?
----------
Link to this comment

Update 5.1.17 1

The DMossEsq comment above on the GOV.UK Verify (RIP) blog has been deleted and the following email response has been received:
From: Emily Ch'ng
Sent: 04 January 2017 14:49
To: DMossEsq
Subject: Your comment on the GOV.UK Verify blog

Dear David,

Thank you for your comment on the GOV.UK Verify blog. I am the blog's moderator.

I would like to let you know that I am unable to approve your comment as we do not discuss the subcontracting details of GOV.UK Verify's certified companies in the public domain as this is commercially sensitive and thus confidential information.

If you would like to find out further details about certified companies and tScheme, you are free to contact the certified companies themselves.

Many thanks for your interest in GOV.UK Verify.

Kind regards,
--

Emily
Digital Engagement Manager

Government Digital Service

Update 5.1.17 2

The following response to GDS has been sent:
From: David Moss
Sent: 05 January 2017 11:40
To: 'Emily Ch'ng'
Subject: RE: Your comment on the GOV.UK Verify blog, http://www.dmossesq.com/2016/09/rip-ida-privacyidentity-assurance.html#update3

Dear Emily

Thank you for your email.

In her blog post Applying the identity assurance principles to GOV.UK Verify [RIP]: Part 3
Orvokki Lohikoski, the GOV.UK Verify (RIP) privacy officer, writes:
"It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately".
In other words, all of our certified companies are certified by tScheme except that they're not ...

... a museum quality example of self-contradiction that she attempts to resolve by saying:
"when a certified company uses the same system as another company that is already tScheme certified,
then there is no need for a second certification of the same system".

That inevitably raises the question in the mind of the public
which uncertified certified companies
rely on which certified certified companies,
a question which the Government Digital Service raise
but which you then say in your email that they will not discuss.
So why raise it?
It looks as though GDS are teasing the public.

Given that the service operated by Morpho – one of the certified companies – is not approved by tScheme,
which tScheme-approved company is really doing the work?
The same question needs to be raised in the cases of the Post Office and the Royal Mail.
Their services also are not approved by tScheme.
People think they are dealing with the Post Office, say, but in reality they're not.
People are being deceived by GDS's GOV.UK Verify (RIP).

Not only will you not answer the question on the GOV.UK Verify (RIP) blog which you moderate,
you won't even publish it – my comment on Ms Lohikoski's blog post has been deleted.

"Make things open: it makes things better", it says in the GDS Design Principles.
It would make things better in this case but,
for reasons of commercial sensitivity and confidentiality,
GDS are not being open.
The public are being lured into handing over sensitive personal information
in the hope that it will be treated confidentially
by certified companies that may not be certified.
But despite having to pay for the privilege, we are not allowed to know how the system works.

You recommend that I should raise the question
which non-tScheme-approved companies rely on which tScheme-approved companies
with the "identity providers" themselves.
Thank you for that recommendation, I shall do so.

That leaves the public and the certified companies to sort out their relationship with no assistance from GDS.
It cuts GDS out of the loop
in the identity assurance ecosystem/market
that GDS say they are trying to promote and regulate.
A market which relies on self-contradiction.
A market which moderates/suppresses public discussion of its workings
on the very forum which invites comments.
A market predicated on an openness which is not available precisely when it is needed.
A market which everyone acknowledges depends on trust.
What are the public to make of that?

Ms Lohikoski has the impossible task of convincing the public
that GOV.UK Verify (RIP) abides by the identity assurance principles
laid down by the Privacy and Consumer Advisory Group.
It manifestly doesn't.
And PCAG have undermined their own credibility by pretending that it does,
last March and in Ms Lohikoski's December blog post.

GDS have no experience of creating and operating a market and it shows.
GOV.UK Verify (RIP) is a mess.
By comparison, the stock market is a model of openness.

Yours sincerely
David Moss


RIP IDA – privacy/identity assurance principles

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default internet era world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays and the Post Office may find it impossible to access public services.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

Thursday 22 September 2016

RIP IDA – the Post Office

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default internet era world, with no on-line identity you won't exist.

We have seen how users of GOV.UK Verify (RIP) who registered with Barclays may find it impossible to access public services.

Cassidian, Ingeus, Mydex, PayPal and Verizon have all pulled out as "identity providers" to GOV.UK Verify (RIP).

Who does that leave?

Among others, the trusty old Post Office:


What happens when DMossEsq now tries to access HMRC's on-line self-assessment service? He enters his username and password, the Post Office send a one-time password to his mobile, he enters it and sees:


But don't get your hopes up because next thing you know, "Aw, Snap! Something went wrong".

There are four more "identity providers" to check – CitizenSafe/GB Group plc, Experian, the Royal Mail and SecureIdentity/Morpho. But we're really not having much luck with GOV.UK Verify (RIP), are we. It doesn't work. That's what it looks like.

And by the way, when we say "trusty old Post Office", remember that the Post Office isn't actually certified trustworthy by tScheme. Their application lapsed 18 months ago in February 2015.

Digidentity, surprisingly in view of our findings, is certified trustworthy. But the Post Office isn't. It's not a "certified company", whatever the Government Digital Service say.

The Post Office is only allowed to operate as an "identity provider" because of some otherwise undisclosed connection to Digidentity:
Post Office uses the same system as another provider which has been t-Scheme certified, so we [GDS] have agreed that there is no need for a second certification of the same system unless and until Post Office introduces anything that is different in its system for verifying identities, in which case that would need to be separately certified.
If you register for GOV.UK Verify (RIP) via the Post Office, are you really being catered for by Digidentity?

Wednesday 21 September 2016

RIP IDA – Ingeus, Cassidian, Mydex, Paypal, Verizon, Digidentity and Barclays

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
We have seen how Digidentity, one of the Government Digital Service's "identity providers", can unilaterally revoke your on-line GOV.UK Verify (RIP) identity. In GDS's projected digital-by-default internet era world, with no on-line identity you won't exist.

In the remaining months of your existence, let's take a look at the other "identity providers". Are they behaving like Digidentity?

Ingeus – one of GDS's early "identity providers", they never provided anyone with a GOV.UK Verify (RIP) on-line identity. Ditto Cassidian. And Mydex. And PayPal. They all pulled out before they could do any harm. Verizon stayed a while, but now they, too, have pulled out. So that's five "identity providers" we don't need to worry about.

After Digidentity, DMossEsq signed up with Barclays. They're a bank. Banks are good at on-line identity management. Registration went smoothly:


Six months later:


It is almost inconceivable that DMossEsq should enter his username or password incorrectly. Nevertheless, try 'Need help signing in?' as suggested, and what does he see?


DMossEsq has dutifully tried repeatedly, every few minutes, but mobile security code generation just keeps on failing.

It's not looking healthy, is it, GOV.UK Verify (RIP)'s identity assurance. It's getting harder to feel confidence in it.

How on earth can a gigantic UK retail bank get into this embarrassing position?

Here's one theory.

The Barclays GOV.UK Verify (RIP) service depends in some unspecified way on Verizon. "We may share your personal information with ... Verizon, our technical services partner, so they can perform certain parts of the Identity Service on our behalf", it says in the Barclays privacy policy. Now that Verizon have disappeared perhaps Barclays can't function.

The theory may or may not be right. Either way, that's seven GOV.UK Verify (RIP) "identity providers" down and just four to go ...

... in a later post.

----------

Updated 22.9.16

"Seven GOV.UK Verify (RIP) 'identity providers' down and just four to go"? No. It's five to go – CitizenSafe/GB Group plc, Experian, the Post Office, the Royal Mail and SecureIdentity/Morpho. Not four. Five.


Tuesday 20 September 2016

RIP IDA – agile identity, now you are you, now you're not

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
"Congratulations!", they said in the email, "You have completed the registration process":


There he was, DMossEsq, all kitted up with a brand new on-line identity, provided by GOV.UK Verify (RIP) via Digidentity, one of the Government Digital Service's "identity providers".

Digidentity had collected all the details of DMossEsq's passport and driving licence, among other things, and here they were confirming that he is him, the person he claims to be. "Your registration has been completed" – that's what the email says. And polite to a fault, Digidentity even said: "Thank you for registering".

And yet yesterday, when DMossEsq tried to log in for the sixteenth time since that email, he couldn't get through to his personal tax account. There has been no communication from Digidentity since the email above but Digidentity now want more passport details before they'll confirm that DMossEsq is DMossEsq:


Digidentity want an image of the passport uploaded, using an app of theirs which has to be downloaded onto DMossEsq's mobile phone first:


The GOV.UK Verify (RIP) team make it all sound so easy. Register once and they'll vouch for you, they know who you are because you've already proved it and they'll tell HMRC or whoever yes, this is DMossEsq. You have to hand over an inordinate amount of personal information about yourself but at least you'll then be able to use public services on-line.

Not true.

The bargain has been broken. You've handed over the personal information. You still can't use public services on-line.

It seems that an "identity provider" can without warning decide that you aren't you after all and demand further proof without which you can't communicate with any government departments using GOV.UK Verify (RIP).

That could be serious. Suppose you were away from home without your passport, on a sales trip to the Northern Powerhouse, for example, selling gluten-free cupcakes to digital entrepreneurs, and you needed to pay your tax bill. You sit down in your hotel room confident that you can make this payment because you've got your trusty Digidentity on-line identity already set up ...

... only to find that your on-line identity has been taken away from you. Result? You have to pay interest on your tax and a penalty in addition. And there's no compensation. Thank you, GOV.UK Verify (RIP).

Even if you do have your passport with you in the hotel, why should you have to download an app from Digidentity? That's tantamount to deliberately installing a virus.

You never know where you are with GOV.UK Verify (RIP). That could be one reason no-one's using it.

How does this come about? How have the Government Digital Service (GDS) acquired the attitude that they can change the rules behind your back?

The answer is "agile".

Their agile software engineering methodology assumes that they can iterate. They can make changes to live public services all the time. That's what Google do with Chrome, for example. And Google embody the internet era. GDS want to transform government so that it becomes digital by default. And what does "digital" mean? Answer: "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". So that's what GDS can do with GOV.UK Verify (RIP).

They were warned about this, in January 2013, when four professors told them that: "there are risks that rapidly changing services will deter the takeup of digital services, not encourage it". They didn't listen.

----------

Updated 22.9.16

The matters above have been brought to Digidentity's attention and the Government Digital Service's.

GDS never respond, of course.

Digidentity have responded, please see tweets alongside.

In addition to those tweets, Digidentity also sent two identical emails saying "your identity document is accepted" (please see copy below).

Which document? They don't say.

Whatever their emails say, DMossEsq's GOV.UK Verify (RIP) account registered with Digidentity still doesn't work. He still can't use it to access his personal tax account.

Why doesn't the account work? It used to.

What's changed?

Are Digidentity allowed to withdraw the right to access public services from people to whom they have previously granted that right?

Should they notify people first?

Are they allowed to demand more and more intrusive access to people's personal information such as insisting on their app being installed on our mobile phones?

Can they change the rules as they're going along so that one day you are you and the next day you're not?

Are GDS comfortable with Digidentity creating people on-line and deleting them, wiping them out, so that they don't exist any more?

Do GDS even know it's happening or have they lost track?

These are general policy questions of interest to everyone. Digidentity's offer to discuss them in private won't do.

"We're building trust by being open" – that's GDS's claim. Time to prove it.

What identity document? No new document has been submitted.


Updated 12.6.17

DMossEsq has made no attempt to use his Digidentity GOV.UK Verify (RIP) account since 19 September 2016, please see above. Today, the following email was received:


"We're sorry but we couldn't verify your identity". Very odd. DMossEsq hasn't asked Digidentity to verify his identity. Perhaps someone else has. Who? Why?


Updated 14.6.17

It looked as though someone was trying to use one of DMossEsq's GOV.UK Verify (RIP) accounts, the one maintained by Digidentity, please see above.

An email to Digidentity elicited several prompt responses, please see below, for which they have been thanked.

In the event, it was not a third party but Digidentity themselves who were accessing the account; they were trying to do one of their periodic checks that the account is still kosher. It might improve the user experience in future to make that clear in the email automatically sent to the accountholder.
From: Support [mailto:helpdesk@digidentity.co.uk]
Sent: 13 June 2017 17:00
To: DMossEsq
Subject: [Digidentity] Re: Registration Query

##- Please type your reply above this line -##
Your request (8209) has been updated. To add additional comments, reply to this email.

Liz (Digidentity UK)
Jun 13, 18:00 CEST

Dear Mr Moss,

We have investigated your account further and it appears that our system went through some recent verification checks. These were automatically made on your account without you needing to log in. We require these checks from time to time in order to continue proving who you are.

As you did register quite a long time ago however, what I needed to do is reprocess your information so that we could still be sure that it was definitely you registering online. Now that I have done this, you are still fully verified.

I wish to apologise for any cause for concern. You should now be able to log into your Digidentity account in future and be redirected to the service you require.


Liz (Digidentity UK)
Jun 13, 17:24 CEST

Dear Mr Moss,

Thank you for your message.

What I have done is passed your account to the relevant team at the company in order to investigate further. I would like to thank you for your patience in the meantime. I will get back to you as soon as I have more information.


David Moss
Jun 13, 14:40 CEST

Sirs

I received the email below, “Your registration couldn’t be completed”. It’s a mystery. I have not attempted to use the account for many many months now. Is there any way you can investigate to see who was trying to use it?

Yours faithfully
David Moss

----------
From: noreply@digidentity.eu [mailto:noreply@digidentity.eu]
Sent: 12 June 2017 15:52
To: DMossEsq
Subject: Your registration couldn't be completed.

We’re sorry but we couldn’t verify your identity

Unfortunately we couldn’t verify your identity

Unfortunately your identity can’t be verified right now. Please go back to the GOV.UK Verify webpage or contact our helpdesk if you have any questions regarding your registration.

Kind regards,
Digidentity
Copyright © 2017, All rights reserved | https://www.digidentity.eu


This email is a service from Digidentity UK. Delivered by Zendesk
[N8O6PO-EPKO]

"CEST" turns up a lot in the correspondence with Digidentity. It stands for Central European Standard Summer Time, the timezone chosen by Zendesk, who provide user support services to the Government Digital Service and, so it appears, to Digidentity as well. As we were saying in March:
While claiming to put the user in control, GDS like us to spray our personal information all over the world when we register with GOV.UK Verify (RIP). Their heart really isn't in this privacy lark, is it. They use Eventbrite to organise events. They use Zendesk for user support. They use StatusPage for network monitoring. They use Survey Monkey for user feedback. All the personal information involved is stored and used beyond your control and now GDS want you to upload your CV to Jobvite.

Updated 20.5.18

In a re-run of what happened last year, 1 May 2018, DMossEsq got an email from Digidentity saying "Your registration couldn't be completed". Same day, DMossEsq brings this to Digidentity's attention and points out that he hasn't tried to register recently. Five more emails are exchanged over the next two days and then, 18.5.18, this email arrives from Digidentity:
From: Support <helpdesk@digidentity.co.uk>
Sent: 18 May 2018 10:09
To: DMossEsq
Subject: [Digidentity UK] Re: Account Query

##- Please type your reply above this line -##

Your request (999999) has been updated. To add additional comments, reply to this email.


Liz (Digidentity UK)
May 18, 11:08 CEST

Dear Mr Moss,

I wish to apologise for the delay in getting back to you regarding your query; I wanted to be clear on the matter before informing you.

Although I was not aware of this, it seems that you are well known to some of the Digidentity team. They informed me about some of your blogs where you have documented the GOV.UK Verify registration that we provide. One blog I want to draw to your attention is the following: https://www.dmossesq.com/2016/09/agile-identity.html. It seems that on this site, you posted your personal QR code.

The reason it took longer than expected for me to get back in touch with you is because I have been waiting on a response from another Digidentity user. In the end I did not get a reply from her, but from what we can gather, she may have searched for help online when uploading her own document via the app, possibly when she did not understand about how to scan a QR code. If you search for 'Digidentity QR code', your blog comes up in the image search.

What we can determine from this is that she scanned your own QR code instead, which was connected to your own account. As a result, her photo was uploaded to your account. Our system highlighted this mismatch in information, causing a registration rejection and sending the message you received. Although I did not understand this at the time, it is likely what caused the message to be sent last time you contacted us.

I suppose this is the consequence of posting a personal part of your registration online, which we strongly advise against users doing. Our system rightly detected when this occurred, but we are increasing security and have improved the scanning of the QR code process and it will only be possible to use the QR code as a one off (expires after use), meaning that this situation will no longer occur in future.

I hope that I have informed you sufficiently regarding the matter.

Kind regards,
Liz
Digidentity Customer Support

It seems that including the Digidentity QR code in the 20 September 2016 post above opened the door to people using it to try to register for a GOV.UK Verify (RIP) account.

The attempt(s) failed thanks to Digidentity's existing procedures. Digidentity have nevertheless, as a result of this incident, decided to enhance their procedures to make the use of their QR codes one-time only – a decent partial solution, but note that DMossEsq didn't use the QR code, so the first user would still be someone else, not DMossEsq.
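Why one-time use is only a partial fix can be shown with a generic model of a QR upload token. This is an added example, not Digidentity's code: the `EnrolmentTokens` class, its method names, the session-binding check and the timings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class _Record:
    account_id: str
    session_hash: bytes
    expires_at: Optional[float]
    used: bool = False


def _h(value: str) -> bytes:
    # Store only hashes, so a leaked token table cannot be replayed.
    return hashlib.sha256(value.encode()).digest()


class EnrolmentTokens:
    """Hypothetical server-side store for the token carried in a QR code."""

    def __init__(self, single_use, bind_to_session, ttl=None, clock=time.time):
        self._single_use = single_use
        self._bind = bind_to_session
        self._ttl = ttl              # seconds; None means the code never expires
        self._clock = clock
        self._records = {}

    def issue(self, account_id: str, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        expires = None if self._ttl is None else self._clock() + self._ttl
        self._records[_h(token)] = _Record(account_id, _h(session_id), expires)
        return token                 # this value is what the QR image encodes

    def redeem(self, token: str, session_id: Optional[str] = None):
        """Return the account an upload is attached to, or None if refused."""
        rec = self._records.get(_h(token))
        if rec is None:
            return None
        if rec.expires_at is not None and self._clock() > rec.expires_at:
            return None
        if self._single_use and rec.used:
            return None
        if self._bind and not (
            session_id and hmac.compare_digest(_h(session_id), rec.session_hash)
        ):
            return None              # refused scans do not burn the token
        rec.used = True
        return rec.account_id


def published_code_scenario(single_use, bind_to_session, ttl=None):
    """Owner publishes a screenshot of the code; a stranger scans it first."""
    now = [0.0]
    store = EnrolmentTokens(single_use, bind_to_session, ttl, clock=lambda: now[0])
    owner_session = secrets.token_urlsafe(16)   # held only by the owner's browser
    token = store.issue("owner-account", owner_session)
    now[0] += 60                                # constructed delay before the scan
    stranger = store.redeem(token)              # stranger has the QR payload only
    owner = store.redeem(token, owner_session)  # owner's scan, approved in session
    return {"stranger": stranger, "owner": owner}


if __name__ == "__main__":
    for label, args in [("reusable", (False, False)),
                        ("single-use", (True, False)),
                        ("single-use + session-bound", (True, True))]:
        print(label, published_code_scenario(*args))
```

With single use alone, the stranger's upload is still attached to the owner's account and the owner is then locked out of their own code; only the session-bound policy refuses the stranger and still accepts the owner.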

The QR code has now been obfuscated in the blog post above.

Search for 'Digidentity QR code' in Google images as Digidentity suggest and you will find the code Digidentity sent DMossEsq and several others.

In the interests of science, DMossEsq logged in to his Digidentity account to see the picture of the lady who tried to register using his QR code. Nothing doing, it's not there.

He then tried to log in to his personal tax account using his Digidentity GOV.UK Verify (RIP) account. Nothing doing, he's still not him:


The details provided on 23 February 2015 matched the information held by DVLA, HM Passport Office and Callcredit, please see above. Now they don't – now you are you, now you're not.

On the one hand, good work done by the Digidentity customer support team. And by Mr Marcel Wendt, the founder of Digidentity, whom DMossEsq bumped into at the Think.Digital Identity for government conference on 18 May 2018 and who knew all about the incident.

On the other hand, you don't get these problems with the Government Gateway. That's no doubt one reason why Her Majesty's Revenue and Customs don't recommend GOV.UK Verify (RIP). And why GOV.UK Verify (RIP) died.