Tuesday, 23 May 2017

RIP IDA – a ridiculous manifesto promise

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The Conservative Party's 2017 manifesto includes this at p.81:
... we must use common platforms across government and the wider public sector. That must start with the way we identify ourselves online, so that people have one single, common and safe way of verifying themselves to all parts of government. That is why we shall roll out Verify, so that people can identify themselves on all government online services by 2020, using their own secure data that is not held by government. We will also make this platform more widely available, so that people can safely verify their identify to access non-government services such as banking.

As DMossEsq readers know, it may be convenient for people to have "one single, common ... way of verifying themselves to all parts of government" but it isn't "safe".

DMossEsq readers also know that millions of people prefer to use the Government Gateway to access on-line government services, not GOV.UK Verify (RIP).

They know that there are currently only about 12 on-line government services that can be accessed using GOV.UK Verify (RIP) and that the chances that they will all be accessible using GOV.UK Verify (RIP) by 2020 are small.

And they know that their personal information is sprayed all over the world, out of their control, if they open an account with GOV.UK Verify (RIP).

Suppose that you have your accounts with Lloyds bank and that you access them on-line using your GOV.UK Verify (RIP) credentials which you created through the Royal Mail because that's a brand you recognise and trust.

Unbeknownst to you, that means that you have actually been registered by GB Group plc, whom you've never heard of.

GB Group share your personal information with a wide variety of other organisations, which the Royal Mail didn't tell you when you registered.

Suppose that one of them is hacked [Equifax, for example, added 9.9.17] and, for safety's sake, your GOV.UK Verify (RIP) account has to be suspended [if your account isn't suspended, despite the Equifax breach, why isn't it? Surely it should be]. Yours, and millions hundreds of other people's GOV.UK Verify (RIP) accounts.

There's nothing the Royal Mail can do about GB Group suspending you and nothing GDS can do about it either. There's nothing Lloyds can do about it and now you can't access your bank accounts on-line.

Nor can you access any of the on-line government services you need, because you foolishly use the same GOV.UK Verify (RIP) credentials for everything.

That's one risk of inserting GOV.UK Verify (RIP) into the access control processes for banking.

Can anyone remember what the benefit is?

GOV.UK Verify (RIP) is not an attractive prospect and not one single bank anywhere in the world currently allows people to use GOV.UK Verify (RIP) to log on to their on-line accounts.

Millions of us can already log on to on-line banking. We accountholders don't need GOV.UK Verify (RIP) for that ...

... and neither do the banks.

And why would the banks want to risk their relationship with us by dislocating the whole process of authorising access to our accounts just to insert the Government Digital Service into it?

And not just GDS but all of GDS's seven "identity providers" (IDPs), too. And all of the IDPs' uncounted subsidiaries and business partners and suppliers and sub-contractors in the UK and overseas.

It may sound sensible and modern for the Conservatives and any other political party to promise to deploy GOV.UK Verify (RIP) nationwide. It isn't.


Updated 9.9.17

Up to 44m Britons at risk in Equifax cyberattack
Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
The Equifax Hack Didn't Have to Be This Bad
Breach at Equifax May Impact 143M Americans
Equifax Breach Response Turns Dumpster Fire
Equifax: Hackers Gained Access to Sensitive Data, Affecting 143 Million People
Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone
Equifax mega-leak: Security wonks smack firm over breach notification plan
Surprising nobody, lawyers line up to sue the crap out of Equifax

Equifax Hack Exposes Peril of Credit Bureau Model
