Friday, 28 July 2017

RIP IDA – the last blip on the life support system monitor

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

The signs of life are petering out:
  • GOV.UK Verify (RIP) blog posts are now collectors' pieces. Like the Cabinet Secretary's once loud expressions of support for GOV.UK Verify (RIP).
  • The GOV.UK Verify (RIP) team hardly ever tweet.
  • They never go live on a new central government service. The big departments of state look like sorting out identity assurance themselves.
  • Local government is deserting GOV.UK Verify (RIP) even before joining it.
  • The Open Identity Exchange (OIX) publishes one report after another explaining why GOV.UK Verify (RIP) has nothing much to offer the private sector in general and nothing whatever to offer the financial services sector in particular.
  • Cabinet Office ministers come, they are made to say something ridiculous about the importance of GOV.UK Verify (RIP) and then they go.
  • Two executive directors of GDS have left, there weren't even any ripples on the departure of the second one and his replacement, a director general, didn't take the opportunity of his appointment to abandon their apology for a strategy – 25 million GOV.UK Verify (RIP) users by 2013 2020.
There is still the occasional blip on the GOV.UK Verify (RIP) life support system monitor. techUK hosted an encounter between GDS and the UK's technology suppliers earlier this week, a market briefing on GDS's government transformation strategy.

For an organisation claiming that making things open makes them better GDS have been very quiet about this event, which may as well have taken place on board a submarine. The press were excluded ("Press weren’t invited to the event"). Even DMossEsq failed to get in.

But some reports have been published. GDS wants IT suppliers to use its GaaP products – but won’t offer service guarantees, for example, Government needs tech industry skills to deliver on transformation plan, says GDS boss CunningtonGDS chief to set out plans to meet Transformation Strategy agenda and GDS sets out vendor prospects from its transformation strategy plans.

From those reports it seems that GDS have been working hard on undermining GOV.UK Verify (RIP) by producing a version that doesn't verify people's identity. And that they want suppliers in the technology sector to use GDS's platform components only.

10 out of 10 for trying to be totalitarian but GOV.UK Notify and GOV.UK Pay aren't even live – so how could techUK's members use them and why would they abandon the products they already use? And next to no-one in central and local government and in the private sector wants to use GOV.UK Verify (RIP) – so why would techUK members want to use it, even if it doesn't verify anyone's identity?

The last time Whitehall tried to insert itself into the nation's payment systems the banks and the major retailers said no. On balance, they preferred the UK economy to survive. The same answer is confidently expected this time.

Jerry Fishenden has already explained the need for a rethink. So has Alan Mather in his GDS isn't working series.

Both of them were prime movers in the design and deployment of the Government Gateway, which remains today the main way for individuals and businesses to access central government services on-line, unlikely as that may seem – as Mr Mather says: "the Government Gateway is still there, 16 years old and looking not a day older than it did in 2006 when the [user interface] was last refreshed". They both want to see the Government Gateway replaced but GOV.UK Verify (RIP) is not in their view a feasible replacement.

Messrs Fishenden and Mather have actually done the job. GDS have proved that it's beyond them. What do we do now? There's no point asking GDS. Has anybody asked Messrs Fishenden and Mather?

GDS's much-vaunted digital-by-default government is impossible without identity assurance. The UK isn't going to get that from GOV.UK Verify (RIP), as DMossEsq has said for years with nary a response from GDS, hermetically sealed from reality as they are. Two exemplary public servants saying the same thing carries infinitely more weight. GOV.UK Verify? RIP.


Updated 19.8.17

As we were saying above GOV.UK Verify (RIP)-wise, "Messrs Fishenden and Mather have actually done the job. GDS have proved that it's beyond them. What do we do now? There's no point asking GDS. Has anybody asked Messrs Fishenden and Mather?".

Bryan Glick, the esteemed editor of Computer Weekly magazine, had already published Jerry Fishenden, please see Verify and identity assurance - it's time for a rethink.

He's on the case and in his Verify fails to meet key business case targets Mr Glick also cites Alan Mather and adds the National Audit Office, whose March 2017 report on digital transformation in government calls for more clarity on GDS's rôle. Not just once, 33 times the NAO call for more clarity.

The main burden of Mr Glick's editorial is that GDS have failed to deliver on a single one of the promises made in the business case for GOV.UK Verify (RIP). The business case made to the Treasury is a false prospectus:
  • Too many people have trouble registering in the first place and too many people have trouble subsequently using GOV.UK Verify (RIP) to access public services.
  • 1.4 million GOV.UK Verify (RIP) accounts have been created. With seven "identity providers" to choose from, that could represent just 200,000 people with seven accounts each. GDS are committed to 25 million users by 2020. That's 25 million people. They have just three years to add up to 24.8 million people. At the present rate, that is impossible ...
  • ... it is also pointless if these people create level-of-assurance-1 accounts (LOA1), "little more than a system to set up a username and password", as Mr Glick says. The relying parties like HMRC and DWP and the NHS need properly assured accounts out of it if GOV.UK Verify (RIP) is to be ... reliable. The notion that they or the banks or the major retailers could rely on these LOA1 accounts now being offered by GDS is laughable.
  • Not enough public services have signed up to use GOV.UK Verify (RIP) and so much do they distrust it that they're developing their own identity assurance systems.
  • The promised cost savings do not look like materialising and, when asked about that, GDS avoid the question.
If one of the big systems integrators (SIs) turned in a performance like this GDS and its supporters would quite rightly be among the first to castigate them. There is no good reason to treat GDS differently from Capita, say, or Fujitsu, or any of the other SIs.

GDS have become a big SI themselves, with hundreds of staff, smart offices, influential PR, the connivance of senior officials and politicians, budgets measured in the hundreds of millions of pounds and guaranteed long-term public sector contracts.

We don't need another big SI. We want, need, deserve and pay for delivery and we're not getting it from GDS:
  • Alan Mather and Jerry Fishenden are admirably clear on that point.
  • The NAO imply it with their 33-fold call for clarity.
  • Mr Glick looks as though he agrees.
  • And then there's the Law Commission, please see the rubric above: "Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be".
Nothing has been achieved in the past five years. "The first services will be developed and tested by February 2012, with IDA [identity assurance, now GOV.UK Verify (RIP)] due to be rolled out for initial public services by autumn 2012". That's what GDS told Computer Weekly. The first in an unbroken series of broken promises.

How long can this sleazy misfeasance in public office continue?

Is there any good reason you can think of why it should continue beyond today? What in your opinion would we lose if GOV.UK Verify (RIP) was cremated in 10 minutes time?

No comments:

Post a Comment