Monday, 30 January 2017

RIP IDA – OIX to the rescue

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".

23 December 2016, OIX published The value of digital identity to the financial service sector, which explores "the reuse of a GOV.UK Verify [RIP] digital identity in a financial service application process".

Does that report help GDS?

Executive Summary (pp.2-4)
In the Executive summary of their report, OIX tell us that GOV.UK Verify (RIP) "currently has 1 million users, with an ambition to scale to 25 million users by 2020" (p.2).

They're wrong.

Note 1 below demonstrates that there were fewer than 800,000 so-called "verified" accounts in late December 2016, not 1,000,000, and argues that these could represent fewer than 112,000 people.

Note 2 reveals that GDS's ambition is unrealistic in that, at the present rate, it could take until October 2074 to enrol 25 million people. Or March 2425.

And Note 3 questions the quality of GOV.UK Verify (RIP) accounts – are they any use to the financial service sector? To be told as we are seven times during the report that GOV.UK Verify (RIP) is endorsed by the government doesn't answer that question.

OIX say the financial service sector needs "an understandable, convenient, safe and trusted solution to manage and protect our identities online". They may or may not be right about that. The sector may need several such schemes, not just one.

But is GDS's GOV.UK Verify (RIP) a candidate? Given their inability to get the numbers right, confidence in OIX's ability to answer that question is undermined before the reader has even turned to p.3 of their 27-page report.

Participants (p.27)
OIX list eight participants in the production of their report

The list includes Verizon. Note 4 below suggests that Verizon is an odd choice by OIX to use to inspire confidence in GOV.UK Verify (RIP) – Verizon have been dropped from the register of approved "identity providers".

The Post Office are included. Their entry says: "The Post Office is proud to be one [of] the first certified providers of the GOV.UK Verify [RIP] scheme" (p.27).

That sounds straightforward.

Note 5 below demonstrates that it is anything but.

The Post Office isn't certified and it doesn't do any identity assurance work. Without telling the users, that work is actually done for it by another "identity provider", probably Digidentity. And what's more, Digidentity's service is governed by Dutch law, not English.

According to GDS, the other two uncertified GOV.UK Verify (RIP) "identity providers" – the Royal Mail and SecureIdentity – also quietly rely on third parties.

A straightforward proposition might be attractive to the financial service sector. A cloudy proposition, where the Post Office is really Digidentity and the Royal Mail is really GB Group, might not be.

Barclays are included in OIX's list of participants: "We're proud to be the only bank to be selected by UK government as a certified company to provide a safe, secure identity verification service" (p.27).

Unlike the Post Office Barclays are certified but, cloudy again, like the Post Office they don't provide their "safe, secure identity verification service" themselves. The Barclays privacy policy states that: "We may share your personal information with ... Verizon, our technical services partner, so they can perform certain parts of the Identity Service on our behalf".

The participant they don't include in the list is OIX themselves. You might expect OIX to be acting as a professional consultancy which maintains its objectivity by being independent. You might be wrong.

The OIX report is written by Bryn Robinson-Morgan. And according to his LinkedIn entry Mr Robinson-Morgan:
  • worked for the Royal Mail for 7½ years
  • then he worked for the Post Office for 8½ years including over two years on their identity assurance service
  • then he put in 17 months on the Barclays identity assurance service
  • followed by six months producing the OIX report with Innovate Identity, who are one of the five participants we haven't mentioned so far: "Our team have vertical industry expertise in financial services, payments, technology, telecoms, government, online retail, online gambling as well as breadth of geographical knowledge across multiple global jurisdictions ..." (p.27).
If the financial service sector wants an independent assessment of GOV.UK Verify (RIP) it's going to have to look elsewhere.

Financial Sector Analysis (pp.17-20)
OIX conduct a SWOT analysis – strengths and weaknesses, opportunities and threats – to assess the advisability of the financial service sector adopting GOV.UK Verify (RIP).

Under Weaknesses (pp.18-19) OIX note GOV.UK Verify (RIP)'s lack of scale, the failure of GDS to educate people with a digital identity public information campaign, the threats to people's privacy and the absence of any attribute exchange. As OIX say: "A central, commercial, driving force for the adoption of a standards driven digital identity scheme currently does not exist".

Under Threats (p.19) OIX worry that it is not certain that GOV.UK Verify (RIP) will succeed and that the scheme faces competition from Google, Apple, Facebook and Amazon.

The Strengths listed by OIX (p.18) are actually weaknesses:
  • OIX assume that GOV.UK Verify (RIP) provides "a strong identity that has been verified to the highest standards in comparison to existing methods generally deployed" but that's exactly what it doesn't do. (OIX ought to know that.)
  • "With consent and control of the personal data being with the customer", OIX say, "a sense of ownership is established". GOV.UK Verify (RIP) sprays its accountholders' personal information all over the world, out of anyone's control. Like the poor quality low level of assurance identities it peddles, lack of control/loss of ownership is another weakness of GOV.UK Verify (RIP)'s and not a strength.
Which leaves us with the Opportunities (p.19):
  • "Opportunities exist for financial service providers to reduce their costs by reusing an established digital identity". Really? By how much? No answer. When? No answer. OIX provide a SWOT analysis with no figures. And no logic. Just assertion and hope.
  • "Customers who currently abandon the application process can be capitalised upon by removing barriers of privacy ...". How many customers want to be capitalised upon by losing their privacy? No answer.
  • "The development of a unified, trusted brand, can be a catalyst to a reduction in fraudulent applications and opportunistic identity theft". Perhaps it can be. How big would the reduction be? No answer. Equally, a single unified service could make it easier to commit fraud and so increase its incidence rather than reduce it. This particular opportunity could just as well be included under Threats.
During the SWOT analysis on pp.18-19 OIX forget the p.17 "challenge" GOV.UK Verify (RIP) faces in "enabling those with a 'thin' credit file, such as younger people, new to country or those with limited recent financial transactions". Lack of penetration, one more weakness to add to the list.

OIX's hypothesis (p.17) is that: "Financial service institutions would accept an assured digital identity from a third party provider as part of their product application process if an established trust framework met their regulatory and service requirements". They may be right. But they haven't proved that GOV.UK Verify (RIP) is "an established trust framework". It isn't. It's not established. And it's not trusted.

Conclusions (p.25)
"A widely-adopted, fit-for-purpose, trusted, standards-based digital identity scheme could have significant value for the financial services industry ... it could simplify the initial digital engagement with a provider and subsequent transactions ... it could deliver a consistent approach to user identification and management and reduce the cost of onboarding and transactional business processes. It could facilitate the delivery of new services ...  it could provide the basis for delivering new user centric industry models ..." (p.25).

Yes. It could. It could do all sorts of things. The financial service sector probably know that and don't need a 27-page report from OIX to tell them.

They might be interested to know whether GOV.UK Verify (RIP) will be notified under eIDAS (Article 9). OIX don't say.

GOV.UK Verify (RIP) has until 25 May 2018 to comply with GDPR. Are GDS going to make it? The financial service sector might be interested to know but OIX don't say.

They might be interested to know how secure GOV.UK Verify (RIP) is but OIX are silent on the matter. (Not entirely silent, please see Note 6 below.)

They might be interested to know what they're supposed to do with GOV.UK Verify (RIP) which can't verify the identity of companies. Payments can't be authorised by companies via GOV.UK Verify (RIP) because GOV.UK Verify (RIP) doesn't know what a company is, the concept doesn't exist. OIX don't mention that Weakness/Risk. (Or is it a Strength/Opportunity?)

HMRC and Companies House use the Government Gateway for transactions with natural persons, companies, partnerships and trusts. It works and has done for 16 years+. Why are OIX reporting on GOV.UK Verify (RIP) and not the Government Gateway?

It can't be for the financial service sector. Who is this report for?

----------

NOTES

Note 1
GDS tell us that there were 966,767 accounts on 25 December 2016 of which 185,149 were "... ‘basic accounts’ created as part of a trial between May and July 2015. Basic accounts were not verified by certified companies, but allowed access to government services that required a lower level of certainty about identity". These self-certified "basic accounts" don't count, they are unverified Verify accounts, they should be deducted from the total.

That leaves GOV.UK Verify (RIP) with just 781,618 verified accounts in late December 2016. The OIX claim of 1,000,000 overstates the case by 28%. That's a poor start for the report ...

... and it gets worse. DMossEsq, for example, has created seven GOV.UK Verify (RIP) accounts for himself. He remains nevertheless just one person. GDS say there are 781,618 GOV.UK Verify (RIP) accounts. If everyone has done the same as DMossEsq and created seven accounts for themselves, then there are just 111,660 people involved and not OIX's 1,000,000, which overstates the case by 796%.

GDS's GOV.UK Verify (RIP) statistics go back over two years to October 2014. It could be that as few as 111,660 people have a GOV.UK Verify (RIP) account. By contrast, HMRC signed up 6.7 million users of their new personal tax account service in under 12 months.

Note 2
The ambition of GOV.UK Verify (RIP) is to "scale to 25 million users by 2020".

Since going live on 24 May 2016, GDS have been adding accounts at the rate of 1,172 per day. If 25 million users need 25 million accounts, that could take 21,331 days, which brings us to 18 October 2074, 54 years after GDS's ambitious target date of 2020.

Many of us will be dead by then and many new people will need to be registered. More so if everyone needs seven accounts, in which case we're looking at 18 March 2425, four centuries away.

Note 3
Doubts about the credibility of the OIX report set in before you have even turned to p.3. It's not just the number of GOV.UK Verify (RIP) accounts. It's the quality.

GDS admit that the 185,149 "basic accounts" are associated with a "lower level of certainty about identity". The other 781,618 aren't over-burdened with certainty either:
  • "... the original plan for Verify was for it 'to provide low to medium security ID assurance for citizens, and this hasn’t changed' ...", according to Civil Service World magazine (see also "wildly unrealistic expectations").
  • The US National Institute of Standards and Technology go further. GOV.UK Verify (RIP) doesn't even make it to a medium level of assurance according to them – the 781,618 so-called "verified" accounts are no better than self-certification (see also Table 2-1).
Note 4
"GOV.UK Verify is a federated identity scheme that uses an approved panel of certified private sector companies to confirm the identity of individuals". That's what OIX tell us on p.6.

Verizon is one of the 12 certified companies also known as "identity providers" who signed up to GOV.UK Verify (RIP) – Barclays, Cassidian, Experian, GB Group plc/GBG/CitizenSafe, Digidentity, Ingeus, Mydex, Paypal, the Post Office, the Royal Mail, Safran Morpho SecureIdentity and Verizon.

First Verizon were there on the register of "identity providers". Then, in March 2016, they disappeared. They reappeared in April 2016 and re-disappeared in July 2016, this time perhaps for good – "Verizon ... is no longer a certified company", GDS finally got round to telling the world in January 2017, with no explanation.

A. Consider these comments of OIX's:
  • "... a new approach for digital identities has emerged. One where the user is in control of their identity" (p.5).
  • "Customers are ... demanding greater levels of privacy, control and granular consent" (p.17).
  • "With consent and control of the personal data being with the customer, a sense of ownership is established" (p.18).
  • "Government endorsement being able to reduce customer friction and putting the users in control of their personal data were also seen as strengths" (p.20).
B. Then consider Verizon's claim: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect". That, and the fine they received for using "supercookies", Verizon fined just $1.4m for stalker supercookies.

B. suggests that Verizon are pulling in the opposite direction from A. when it comes to the ownership and control of personal information.

Perhaps that's why GDS dropped Verizon from the register of "identity providers".

Or perhaps it's something to do with this – German government terminates Verizon contract over NSA snooping fears.

Perhaps GDS didn't drop Verizon, maybe they walked out because there's no money to be made from GOV.UK Verify (RIP).

Maybe Verizon will after all be back in the GOV.UK Verify (RIP) fold one day. They have not one but two identity assurance services approved trustworthy by tSchemeUIS and IPS/IBS.

Confusing, isn't it. No-one knows where they stand. It would help if GDS followed its own advice: "Make things open: it makes things better".

Note 5
Delivering Identity Assurance: You must be certified. That's what GDS promised everyone back in April 2013. "Certification ... is how government, and users, will know that the suppliers can be trusted". What they had in mind was certification by tScheme in the UK or by the Kantara Initiative in the US,

Is the Post Office certified by tScheme?

No.

The Post Office applied for approval of its identity assurance service in February 2014. A year later, its application lapsed:


The claim made by OIX or whoever that the Post Office is certified is false.

GDS claim that all their "identity providers" are certified:


How do GDS square that claim with the fact that neither the Post Office nor SecureIdentity nor the Royal Mail is certified?

A year ago, GDS told us that: "Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system unless and until ...".

Lovers of cockamamie logic will enjoy a related claim made by GDS last month: "It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately".

The joke is likely to have worn off by the time it gets to members of the financial service sector. They are unlikely to be able to undertake payments apparently authorised by DMossEsq, whose identity is apparently verified by the Post Office or the Royal Mail or SecureIdentity but isn't really.

GDS refuse to say who the other "identity provider" is whose system the Post Office uses. We think it may be Digidentity's.

Digidentity's identity assurance service is "governed by Dutch law". This also may cause difficulties for the financial service sector.

We have no clue whose identity assurance system SecureIdentity are using.

The Royal Mail are thought to be using GB Group plc's identity assurance scheme, please see the Government Computing website: "From this week, users wishing to access specific online government services will be able to select the [Royal Mail] to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Please see also the Royal Mail's privacy policy: "In order to verify your identity, we will share your information with our partners, GB Group, who will check it against information held on databases maintained by ...".

It's more complicated than that. When you register with either the Royal Mail or GBG, you find yourself on the website of a third company, Avoco Secure. A user who thinks he or she is opening a GOV.UK Verify (RIP) account through the Royal Mail is actually using Avoco Secure and the account will actually be managed by GBG.

GOV.UK Verify (RIP) should be straightforward. It isn't. The public are being lured in with recognisable brands like the Royal Mail when, behind the scenes, whether they know it or not, they're really dealing with GBG and Avoco Secure. Your dealings with the Post Office turn out to be with Digidentity and to be governed by Dutch law. A more straightforward offering would surely be more attractive to the financial service sector.

Note 6
OIX conducted customer research for their report (pp.10-16) with the terms of reference set out at pp.7-9. The report takes 10 pages to explain that 15 individuals were given a "mid-fidelity clickable prototype" system (p.11) with which to try to open a bank account using a GOV.UK Verify (RIP) identity.

"That this was offered at no charge was highlighted as a positive" (p.13) – is there anyone left who still believes that government and/or bank services are free?

Are the reactions of 15 people to a prototype of any use to the financial service sector?

Apparently these people felt reassured as to the trustworthiness of GOV.UK Verify (RIP) because the government are involved (p.13).

They were using the Post Office to create their GOV.UK Verify (RIP) identity (p.14). This caused "a degree of confusion" (p.14). Were they told that the Post Office had failed to have their identity assurance service approved by tScheme (please see Note 5 above)? Would they still have felt reassured by the government's involvement?

"For most participants, a strong brand recognition was important in their choice of identity provider" (p.14). Were they told that they weren't really dealing with the Post Office, that's just a front, a deception, behind the scenes the identity registration work is actually being performed by another organisation, probably Digidentity, whose brand they probably wouldn't recognise at all (please see Note 5 above)?

Participants were asked "if they felt the process was secure" (p.9). So what if they did feel that it was secure? That has no bearing on the question whether it is secure.

And what did the participants feel after their sessions with the "mid-fidelity clickable prototype"? "Delight", apparently, "in the application journey being frictionless" (p.16).

The financial service sector regulators may not be so easily delighted, much friction to be expected, if the payments industry places any reliance whatever on these research findings of OIX's.

----------

Updated 1.3.17

Project points to using council data in Verify. That's what Mark Say said on 24 February 2017: "A discovery ... project, run by Tower Hamlets and Etive Technologies with the support of the Government Digital Service (GDS) and the Open Identity Exchange (OIX), has provided evidence that an aggregator such as the Digital Log Book could provide supporting evidence to verify the identities of some people who lack the right ‘digital footprint’ in the private sector".

That takes a bit of unscrambling.

"Digital log book" is another name for what we have in the past called a "personal data store (PDS)". Etive Technologies (ET), referred to in Mr Say's article, is a small version of Mydex, the famous promoters of PDSs here in the UK.

ET and Mydex are both small companies. ET claim that there are 11,000+ of their digital log books in existence.

Even if they were bigger, it wouldn't help. We have already demonstrated that a PDS/digital log book is irrelevant when it comes to attribute exchange.

OIX have blogged a bit about their Tower Hamlets project. 12 victims were subjected to user research with a prototype system, not a real one, rather like OIX's methodology above. Watch the video:

 

Some of the victims say quite clearly that they don't want to share their personal information with all and sundry. Others say that if that's the only way to claim their benefits then they will use digital log books. OIX's conclusion is that everyone (12 people) thinks PDSs are a tremendous idea and what the world needs is another OIX beta/trial.

How secure is ET's service? In what way do ET assist GPG45-style identity proofing? A lot of people have trouble registering with GOV.UK Verify (RIP). Would ET help to improve penetration? By how much? We don't know. We don't know the answer to any of those questions. OIX don't tell us.

All those involved in the registration of GOV.UK Verify (RIP) accounts are meant to be "certified". ET aren't certified. Given that even the Post Office and the Royal Mail and Safran/Morpho SecureIdentity have proved incapable of achieving certification, what chance do ET have?

Mydex never achieved certification either and finally dropped out of the running to become GOV.UK Verify (RIP) "identity providers".

When will OIX learn?

It doesn't matter.

But local authorities do need to realise that they can expect little if any benefit from GOV.UK Verify (RIP), with or without Etive Technologies.

Project points to using council data in Verify?
No it doesn't.


Updated 8.4.17

About 30 percent of attempts to register with GOV.UK Verify (RIP) end in failure. That's what the Government Digital Service (GDS) said. When they used to publish registration/enrolment statistics.

They wanted to get that failure rate down below 10 percent before declaring GOV.UK Verify (RIP) to be "live". In the event, the system is now supposedly live and we haven't the least idea how many people fail to get a GOV.UK Verify (RIP) account because GDS stopped publishing the statistics.

There's clearly still a problem, though, and once again here comes the Open Identity Exchange (OIX) to the rescue.

OIX oversaw an experiment involving GDS, Safran and Timpson. 16 people who had failed to register on-line with GOV.UK Verify (RIP) were invited to try again, off-line, face-to-face, in a Timpson shop, please see Face-to-face identity proofing to help people obtain an assured digital identity.

OIX mislead their readers when they say: "Obtaining a GOV.UK Verify [RIP] digital identity with a certified company - otherwise known as an identity provider - is an online experience" (p.3). Famously, Safran is not a certified company. Neither is Timpson.

Timpson have created a brand name, ArkHive, and OIX say: "Users were happy with the concept of creating an ArkHive account as a way of sharing access to documents with their identity provider" (p.3). An ArkHive account sounds like a personal data store (PDS) and "users" may care to think again before declaring themselves "happy with the concept".

How does visiting a Timpson shop overcome the problem of registering on-line with GOV.UK Verify (RIP)? The answer isn't clear. You have to do a bit of detective work.

OIX tell us that the 16 GOV.UK Verify (RIP) victims turned up at Timpsons with their passport and driving licence, both of which were scanned, then they had their photograph taken, then they went away and some days later they were told whether they had succeeded in registering. How does that work? OIX don't tell us.

We learn a bit about the reactions of the victims:
  • "Participants didn’t like having their photo taken. The process of capturing an ID photo in store was an area of great discomfort for participants, this being due to a natural dislike of their photo being taken, particularly by women" (p.19), for example.
  • And "Participants did not feel comfortable entering a password in the shop. Participants were most uncomfortable with entering a password when setting up their ArkHive account. Entering a password in store was considered the weakest link in the service, since it was a public computer" (p.26). Very sensible of the participants.
  • Then their good sense deserted them: "the process was changed to enable the participants to enter a password in their own time. Two-step authentication using an email address or mobile number allowed the participant to receive a text whilst in store with a temporary code that then prompted them to change their password when they first logged into their ArkHive account. It was clear that participants felt this was secure" (p.26). Why does this feel any more secure than entering your password in the shop?
  • “It’s an online document storage folder as secure as Dropbox, Google Drive or iCloud” – James, 38 (p.20). How does James know that?
  • "The participants’ trust in the service is transferred from its association with GOV.UK. Participants trusted the SecureIdentity brand [Safran] because it was recommended by GOV.UK. That trust then continued to the ArkHive brand as it had been recommended and certified by SecureIdentity [Safran]. Participants trusted the overall service" (p.18). There's not a lot supporting this trust house of cards and a fair amount undermining it (p.10):
The only one with access? Complete control?

But OIX do not tell us how this Timpson/Safran process amounts to face-to-face identity-proofing. Not in so many words, at least. But there's a graphic on p.10, a representation of the "user journey", which includes this at step #3:


Facial recognition technology.

So that's why Safran – the self-proclaimed world leader in biometric identity solutions – are involved in this OIX exercise.

Mass consumer biometrics are utterly unreliable. Facial recognition is the world leader in mass consumer biometrics utter unreliability. The Association of Chief Police Officers (now NPCC) told the House of Commons Science and Technology Committee that they were "not aware of [police] forces [in England and Wales] using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).

GDS are being fooled, so are OIX and Timpson, and so are the public if they believe that mass consumer facial recognition biometrics technology will prove anyone's identity.

Why would the financial service sector (please see above) rely on an identity "proved" by facial recognition biometrics? They wouldn't.

Why would Her Majesty's Revenue and Customs pay a tax refund to an identity "proved" by facial recognition biometrics? They wouldn't.

Will mass consumer biometrics help GDS to increase the roll to 25 million GOV.UK Verify (RIP) accountholders in the next three years? No. 25 million times no.

OIX to the rescue? No.

GOV.UK Verify (RIP) will have to look elsewhere for the solution to its on-line registration/enrolment problem.


Updated 11.4.17

If a crook convinces your bank that he or she is you and gets some money out of your account, you slip into the well-oiled machine of the banks' fraud procedures, they compensate you and, if necessary, your new debit card turns up a few days later. That's an integral part of a live service.

The Government Digital Service (GDS) claim that GOV.UK Verify (RIP) is a live service. But they don't have well worked out procedures to follow in the event that your account is hijacked.

We know that because OIX have helped to test a suggested procedure, please see Identity repair in the GOV.UK Verify [RIP] federation:
  • "This report summarises the results of an Open Identity Exchange (OIX) discovery project conducted on the subject of Identity Repair ... The project tested out an online identity repair function ... It also considered how identity repair services should be branded and initiated ... Further work will be conducted following this initial project ..." (p.4).
  • "It is anticipated that this collaborative project will lead onto an alpha project that will design and refine the identity repair function" (p.21).
GDS hope to interest the UK financial service sector in GOV.UK Verify (RIP). Not a chance. Not with GOV.UK Verify (RIP) in this state of fatal vulnerability, with no "repair function".

---  o  O  o  ---

As a matter of interest, you may ask how is the proposed OIX repair function supposed to work? Biometrics (p.17):


Hopeless. GOV.UK Verify, RIP.

No comments:

Post a Comment