Thursday 14 December 2017

What does the BBC mean by "control"?

A charming email arrived from the BBC the other day. They want to make it easier for DMossEsq to sign in to his account. And they want him to be able to sign in orally – no more fuddy-duddy typing.

So the subject of the email is "Talk your way into the Beeb"? No. It's "Important changes to the BBC Privacy and Cookies Policy".

Bit boring. But let's take a look:
Hello,

We’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it.

You can view the updated Privacy and Cookies Policy by going to bbc.co.uk and searching for our Privacy and Cookies Policy or by clicking on the link below.

View updated Privacy & Cookies policy

...
The BBC Privacy and Cookies Policy turns out to be 5,000 words long and to comprise 20 clauses.

Clause 4 lists 11 uses to which the BBC may put DMossEsq's personal information. Most of these are unimpeachable.

For example, the BBC may use DMossEsq's personal information for analysis and research to assist with marketing and strategic service development. DMossEsq has no objection to this use of his personal information. But it is odd to describe this as a case of him having "control of what happens to [his personal information]".

It would make sense for the BBC to say "thank you, DMossEsq, for providing us with the data to help us with our strategy". It makes no sense to say that DMossEsq is "in control of that data".

On those rare occasions when the hermit DMossEsq leaves his mountaintop eyrie in Merton and goes abroad, the BBC warn him at clause 4 that he may be subjected to "online behavioural advertising". Which suggests that the BBC are forever monitoring his behaviour so that they are ready to offer him appropriate advertisements as soon as he is overseas. DMossEsq has no control over that monitoring. The BBC know that and it is silly of them to pretend that he has.

Clause 7 says that the BBC "may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)". And clause 8 says "we may share [some data] with third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)".

DMossEsq can opt out of this sharing. Good. But hang on a minute. Facebook, Google, Instagram, Snapchat and Twitter don't display advertisements for free. They like to be paid. Presumably by the BBC. Are they being paid with money taken from DMossEsq's licence fee? Or with DMossEsq's personal information? Or both? And what else are Facebook, Google, Instagram, Snapchat and Twitter doing with his personal information?

Clause 13 assures DMossEsq that he can always find out what personal information of his is held by the BBC on the sole condition that he give them even more of it. Specifically his passport details, driving licence details, birth certificate, ..., and £10. It's hard to see any way round this. But again it seems peculiar to describe it as DMossEsq being in control.

Clause 15 tackles cookies. The BBC's own cookies. And third party cookies:
To support our journalism, we sometimes embed content from social media and other third party websites. These may include YouTube, Twitter, Facebook, SoundCloud, Vine, Instagram, Pinterest and Flickr. As a result, when you visit a page containing such content, you may be presented with cookies from these websites and these third party cookies may track your use of the BBC website. The BBC does not control the dissemination of these cookies and you should check the relevant third party's website for more information.
"The BBC does not control the dissemination of these cookies". Oh good. DMossEsq isn't in control and neither is the BBC.

DMossEsq could delete these cookies. If he remembered to. And had the time. But then the service wouldn't work, more than likely. Or it might work today but not in a year's time.

DMossEsq's "control" could rely on not having a BBC account at all. But then what does he do when the BBC say, as they inevitably will, that, in order to protect the children or stop tax evasion, DMossEsq can only avail himself of BBC services if he has an account?

Perhaps there's no alternative. But that's not the point. The point here is that DMossEsq is obviously not in control of his own personal information whereas the BBC say that he is.

"Aha", says the bright girl in the second row, "you can use the do-not-track (DNT) option in your web browser, that'll put you in control". Nice idea but no silver star – the BBC tell us at clause 16 that "this website does not currently respond to DNT requests".

Mind you, that could change. As we learn at clause 18. In fact the whole privacy and cookies policy could change at any time, "so you may wish to check it each time you submit personal information to the BBC". Very amusing. DMossEsq wants to search iPlayer for an hour or two of Lucy Worsley but before doing that he'll just quickly plough through 5,000 words looking for any changes since the previous version. Who is controlling whom?

Does anybody remember where we started? It seems hours ago but the BBC wanted to tell DMossEsq how to log in more conveniently.

----------

Updated later that same day, 11:37

As per the above, someone in the BBC sent all us accountholders an email saying "we’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it" whereas an examination of the BBC Privacy and Cookies Policy quickly establishes that we accountholders have no control over the personal information we give the BBC.

If that email had been written by BBC News DTrumpEsq would have been all over it. Control? Fake news.

"Control" is just the wrong word.

The BBC are not normally imprecise. What causes them to be imprecise in this case? Let's allow ourselves two guesses.

Firstly, the BBC want to sound nice. They're paying us the compliment of pretending to be controlled by us. Give it another day or two and, who knows, the BBC may go further and tell us that we have been "empowered" by handing over our personal information to them.

Second, almost everyone else pretends that their identity management scheme allows the user to be in control of their own personal information, so why shouldn't the BBC join in, follow the herd, take cover in the crowd and do the same?

Take Mydex, for example. It's been years since DMossEsq has bothered to look at Mydex. They never could answer the question how handing over your personal information to other people gave you control of it and they still can't but they still make that promise: "Complete control You decide what you store, see and share". Perhaps the BBC are copying Mydex.

Or take the Government Digital Service's GOV.UK Verify (RIP), for example. "Users are ... in control of when their information is passed to a government service" – no we're not. Nor are we in control of our own personal information when GOV.UK Verify (RIP)'s "identity providers" send our personal information all over the world to their subsidiaries and sub-contractors and agents. Perhaps the BBC are copying GDS.

GDS pretend that GOV.UK Verify (RIP) abides by the nine sets of privacy principles devised by the UK's Privacy and Consumer Advisory Group. In fact it flouts the lot of 'em. Including no.1, user control, "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them".

No-one can make good on that promise. Not Mydex. Not GDS. And not the BBC. So it's silly to make the promise in the first place. Control is not on the menu. Stop pretending that it is.

It's just as silly as GDS's other pretence that GOV.UK Verify (RIP) is, without qualification, "secure". It can't be and everyone knows that it can't. The pretence undermines confidence and trust ...

... like GDS's other other pretence, that "frictionless" means good. It doesn't. It means voluntary enslavement.

And then there's the other other other pretence that apps are good for you. They aren't. Not necessarily. A lot of the time, an app is just a virus by another name.

Our guesses as to the aetiology of the control promise may be wrong but the promise is anyway misleading and demeans the BBC. It's nearly Christmas. Can we look forward to a BBC retraction?

If the BBC want another example to follow, they could do worse than Barclays Bank, whose terms and conditions say:
If you, or someone with authority over your account, asks us to share your information with third parties, we're happy to do so, but it's important you know that we, as your bank, will have no control over how that information is used. You will need to agree the scope of use directly with the third party.
And the Barclays privacy policy, which says:
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
GDS and the BBC don't have much experience of managing personal information. Or of talking to their parishioners like grown-ups. They could learn a thing or two from Barclays, who do.


Wednesday 13 December 2017

Open banking, PSD2, GOV.UK Verify (RIP) and the end of civilisation as we know it

Open banking starts in the UK in four weeks' time on Saturday 13 January 2018. The competition is keen. Who will be the first little old lady to be cheated out of her life savings? And can she lose the lot by close of play on Monday 15 January 2018 or will we have to wait until Tuesday?

What, we hear you ask in your millions, is DMossEsq talking about?

By way of an answer, consider this email kindly sent by Barclays Bank at 21:34 on 25 September 2017. You will have received similar communications from Barclays and other banks and ignored them:
...

Why are we making changes?
From time to time, we need to update our agreement to reflect changes in banking legislation, new technological developments, and changes to the way we use information. One example is the introduction of a number of new laws which are known as 'Open Banking'. This will enable you to share your data and make payments through third parties ...

Open Banking – new services are coming soon
Open Banking will enable you to share your bank account data with other companies if you give permission. This means you will be able to see multiple bank accounts and transactions in one place (for example on your Barclays Mobile Banking) even if they're from different banks. You will also be able to allow other companies to give payment instructions from your account. If you don't want to use these new services, you won't notice any differences in the way you bank, as you will always have to provide permission for the new services.

The safest way is to create a secure connection ...

An alternative option, is to share your bank account login details directly ...
Open Banking is a UK initiative promoted by the Competition and Markets Authority (CMA). People are paying too much for payments, the retail banks constitute a cartel, the market must be opened to competition from different organisations, innovation will drive prices down and quality up. That's the theory ...

... but.

Is it really a good idea for our little old lady to "share [her] bank account data with other companies"? Or to "share [her] bank account login details"? If she can "see multiple bank accounts and transactions in one place", who else can? What are they luring the old girl into? What have the CMA got against her?

Leaving those questions for another day, consider now the scale of what's happening. "I can’t stress enough just how big a deal the UK’s transition to Open Banking is", says the estimable Dave Birch. "Open Banking is 'a new way of dealing with the twenty-first century's most sought-after resource, personal data' ... Identity is the new money. Banks are about to be transformed from places that store Sterling into places that store Digital Identities ... [Banks could] let this slip through their fingers and hand digital identity to Apple, Facebook, Google, Amazon and Microsoft ... the internet giants who already have the customer relationships".

RIP IDA – if you've got nothing to say, say it
TUESDAY, 11 FEBRUARY 2014

When GDS's David Rennie spoke at the US Identity Ecosystem Steering Group conference in January, he said that the reason there are none of the big retail banks signed up to IDA [the old name for GOV.UK Verify (RIP)], the identity assurance programme, is that they've been too busy sorting out the aftermath of 2008's credit crunch (32'10"-32'35").

That's silly. Identity assurance is what retail banks do all day every day – they can't be "too busy" to do it.
It's not just Mr Birch and DMossEsq who think open banking is a major event. As noted the other day, so does Don Thibeau of the Open Identity Exchange.

Unlike us, Mr Thibeau believes that open banking is a great opportunity for the Government Digital Service's dead cat, GOV.UK Verify (RIP). Apple, Facebook, Google, Amazon, Microsoft and the other internet giant GOV.UK Verify (RIP)? No. Is Mr Thibeau revealed as one of the greater deadpan comedians?

And it's not just open banking. According to Payments UK: "The requirement from the CMA coincides with the EU legislation, the revised Payment Services Directive (PSD2), which requires all payment account providers across the EU to provide third party access". The EU, too, want our little old lady to use PISPs (payment initiation service providers, since you ask) and AISPs (account information service providers).

Payments UK ("We represent the payments industry in the UK") say that open banking and, by extension, PSD2 "will give customers more control over their data and will support an emerging market of new, exciting third party products and services, such as tailored price comparison websites ... It will keep customers safe and secure, enhancing the opportunities for enhancing customer propositions".

Finextra, the fintech house mag, write in even purpler prose: "After PSD2 ... open banking apps and services from third parties will flood the European market and offer users never-before-seen levels of choice and variety in payment, loyalty, behaviour-based and user-friendly data-oriented services".

The PSD2/open banking prospectus sounds like midata re-heated. PSD2 gives credence to the flaky mass consumer biometrics industry. If Don Thibeau isn't joking perhaps the UK's banks really will try to rely on GOV.UK Verify (RIP). That's all three lemons in a row. Jackpot. The pied pipers will be calling the tune.


----------

Updated 5.1.18

Just one week to go now before the start of Open Banking, please see above.

Who's in charge?

The Competition and Markets Authority (CMA). Who have set up an implementation entity called "Open Banking". Which has a trustee in charge, an Ernst & Young partner called Imran Gulamhuseinwala. OBE. Who gave a talk at the Open Identity Exchange's 17 November 2017 conference on the Economics of Identity:



It's only a short talk, 16½ minutes, and yet Mr Gulamhuseinwala manages three times – at 3'45", 5'30" and 12'45" – to tell us that Open Banking will allow people to take control of their own personal information. This we shall achieve by giving our personal information to strangers. The BBC understand how this amounts to taking control. The rest of us don't. To us, it looks like losing control.

Open banking relies on identity assurance. Identity assurance and Open Banking are converging, Mr Gulamhuseinwala says. How does this relationship between Open Banking and identity assurance work? It looks like something to do with the economics of identity but twice – at 2'55" and then again at 14'55" – Mr Gulamhuseinwala, the man in charge, tells us at length that he doesn't know, he's not sure, he hasn't got all the answers and that's not his job.

He does know that Open Banking will allow us to review our bank accounts and switch to better ones. Ditto energy accounts, mobile phone deals and insurance policies. He just doesn't know how. He also knows somehow that unnamed Open Banking apps (viruses) will securely review all our personal information and improve our well-being.

This is the hoary old midata prospectus, beloved of the LibDems who ran the Department for Business Innovation and Skills during the UK's 2010-15 coalition government. They promised that nanny-state-on-a-chip apps (viruses) would nag us to stop wasting money on take-away meals or some such. Vince Cable, Ed Davey, Norman Lamb and Jo Swinson could never convince anyone of midata's virtues.

Obviously it's not his job but good luck to Mr Gulamhuseinwala when it comes to explaining how the putative little old lady above's being cheated out of her life savings is all for her own good.


Updated 7.1.18

10 p.m. today, the Daily Telegraph newspaper warns its readers 'Open banking' revolution could lead to scams and pricing rip-offs, experts warn. Better late than never.


Updated 11.1.18 #1

Less than 48 hours to go. Soon Open Banking will be up and running in the UK. Without GOV.UK Verify (RIP).

As we were saying, please see above, "unlike us, Mr Thibeau [of the Open Identity Exchange] believes that open banking is a great opportunity for the Government Digital Service's dead cat, GOV.UK Verify (RIP)". Open Banking relies on on-line identities. GOV.UK Verify (RIP) can't provide them ...

... not in bulk, not for companies which might want to use Open Banking, not securely and not while preserving privacy.

Open Banking should have been GOV.UK Verify (RIP)'s great opportunity. As it is, all Open Banking does is to point up the failure of GOV.UK Verify (RIP).

Bryan Glick, the estimable editor of Computer Weekly magazine, writing last week in Five things in tech to watch out for in 2018, says: "Getting digital identity right is the key to unlocking so many online opportunities, from public service delivery to open banking. The government has tried to crack this with Gov.uk Verify [RIP], but has gone down a dead-end ...".

GOV.UK Verify (RIP)?

Dead.

End.


Updated 11.1.18 #2

After all the excitement on Saturday morning when Open Banking starts in the UK, the public jubilation here and the jealousy in the rest of the world, you may find yourself at dinner and in need of saying something knowledgeable about it.

Eighteen months ago the Open Data Institute published The open future of banking. There's your cribsheet.

"... an Open Banking Standard will help banks and innovators to collaborate and rise to the challenge of providing a first-class service that still keeps the regulators happy" – cue discussion of the need to keep regulators happy.

If the conversation flags, try "this is not just about open data, but other aspects of open such as open source, open culture and open innovation".

And if that doesn't do it, go for the jugular: "it’s not just the customer that will benefit: banks will also benefit from efficiencies in time and money. They will also encourage greater interactions from orthogonal areas (e.g. insurance, pensions, accountants)".

As dessert approaches, garnish with Google or Facebook or Apple or Microsoft ... or Amazon, Will Amazon Lending Disrupt, Displace, or Prop Up Banks?.

This is your chance to mention that the banks use artificial intelligence, AI, to process each accountholder's transaction data to calculate customised terms and conditions for loans and other financial products. If the banks no longer have access to that data because one of Mr Gulamhuseinwala's payment initiation service providers or account information service providers has got it instead, then the banks could fail, a warning issued by Dave Birch, who knows a thing or two, Forget banks, in 2018 you'll pay through Amazon and Facebook:
... AI in 2018 will be a kind of event horizon for financial services. No one can see what is on the other side. But when Google feeds all the data from someone's bank accounts into their advertising engines it's fairly certain that bank profits - based on information asymmetries, product friction and brand loyalties - will vanish.

... 2018 will be the start of a fundamental realignment as banks become heavily regulated pipes for tech giants to use for their profit.
You may never be invited to dinner again.


Updated 12.1.8

UK retail banks are exceptionally big and powerful. They may face some competition as a result of Open Banking. That competition is unlikely to bring them down.

You may not like the retail banks but that doesn't mean that you do like their Open Banking competitors. In fact you may find those competitors even more unpleasant.

The UK retail banks' Open Banking competitors may offer reduced costs for a while but that wouldn't last for long. Insert Facebook/WhatsApp, say, into your banking arrangements with Lloyds Bank and you may soon find that the financial benefit has evaporated and you're left worse off because Lloyds now charge more for their other services and because a lot of your personal information is now stored out of your control God knows where on the planet with an unregulated supplier operating beyond the jurisdiction of any UK ombudsman.

But suppose for the sake of argument that these titans, the UK retail banks, are hollowed out by Open Banking.

What then?

Among other implications, consider what might happen to the credit rating agencies.

At the moment the credit rating agencies enjoy several extraordinary and generally unremarked entitlements. They are allowed to collect all sorts of information about us and then sell it to interested parties, including political parties, please see Time for someone to take the personal information economy seriously.

Experian, Callcredit, Equifax et al collect a lot of their data from the retail banks. If Open Banking deprives the retail banks of that data, the credit rating agencies will be left high and dry. A political party wanting to identify floating voters with their good news message during a general election would have to approach Microsoft/LinkedIn instead of Experian. Ditto an entrepreneur looking to launch a new product who needs to know first how much demand there is and where it is.

The risks to the UK's retail banks posed by Open Banking are threats just as much to our credit rating agencies. That is a major issue. You may not like the credit rating agencies any more than you like the retail banks. That doesn't alter the fact that it would represent a major change, not necessarily for the better.

Less portentous, just think what would happen to poor old GOV.UK Verify (RIP). What is a person? According to GOV.UK Verify (RIP) a person is just a credit history. All the "identity providers" to GOV.UK Verify (RIP) need the credit rating agencies to do their identity proofing and verification (IPV). Except Experian. Which is a credit rating agency. No IPV, no GOV.UK Verify (RIP).

Open Banking could cause GOV.UK Verify (RIP)'s completion rates to plumb even more miserable depths.


Updated 1.10.18

It was 13 December last year, 2017, when DMossEsq brought the attention of its millions of readers to Open Banking, please see above. The revolution was coming one month later – 13 January 2018 was going to see the UK's payments infrastructure liberated, heralding a new dawn of hope for humanity with the UK in the lead.

13 January 2018 was 261 days ago and nothing's happened. No Open Banking. Why not? No answer. Lots of hype. Nothing to show for it. The squib is damp.

We noted the nexus between Open Banking and midata, the turkey farmed at the Department for Business Enterprise Energy and Industrial Strategy (BEIS). The DMossEsq millions were first advised of midata back on 16 November 2011. 2,511 days ago. Benefit of midata to the consumer so far? Nil.

Does this nexus exist? 28 September 2018, and what do we read in a government press release?  "The government’s recent green paper ‘Modernising Consumer Markets’ announced that the government will conduct a Smart Data Review ... [which] will build upon existing interventions such as Open Banking, midata, and the UK’s new data protection laws".

2,511 days into the midata project and already the busy bees have launched a review to see if anyone's interested. Smart.

What busy bees? On 29 March 2018, 186 days ago, the Prime Minister told us that "the data policy and governance functions of the Government Digital Service (GDS) will transfer from the Cabinet Office to the Department for Digital, Culture, Media and Sport (DCMS)".

So it's the busy bees at DCMS?

Yes, but not just DCMS. BEIS, too. The press release is issued jointly by BEIS and DCMS, with BEIS in the lead, we assume, given that "we encourage all organisations that would like to be involved in the Smart Data Review to register their interest at smartdatareview@beis.gov.uk".

midata needs national identity assurance. And midata is Open Banking. No national identity assurance, no Open Banking.

It was 13 September 2011 when Computer Weekly magazine published the government's promise to get national identity assurance working. Today, 2,575 days later, we still don't have GDS's national identity assurance. GDS's national identity assurance programme is GOV.UK Verify and GOV.UK Verify is dead, remember. RIP.

In Whitehall, this is what BEIS/DCMS/GDS call "modernising consumer markets". You may be able to think of another name for it.

Friday 1 December 2017

RIP IDA – the Whitehall user research lab

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

The Government Digital Service (GDS) have a user research lab, in which they "carry out research into all the things we deliver [?], from guidance and standards to common components, such as GOV.UK Pay and GOV.UK Verify [RIP]".

Despite the user research lab, "deliver" is just what GDS haven't done with GOV.UK Verify (RIP).

It's not just DMossEsq who say that GOV.UK Verify (RIP) is a failure.

Back in June, Computer Weekly magazine noted that GDS lacks strong and stable leadership. They quoted Rob Anderson, of whom more anon, who believes that GDS are "haemorrhaging senior management and losing more credibility with operational departments".

Computer Weekly remind us that GDS is supposed to make savings of £3.5 billion across government in return for its £450 million budget but "it seems unlikely GDS will ever meet that rather ambitious savings target".

Why so sceptical?

Partly because the common technology services project has been "mothballed" and partly because of low take-up for Government as a Platform (GaaP) but mostly because of the failure of GOV.UK Verify (RIP), a failure identified not just by Computer Weekly but also by the National Audit Office: "The NAO said there was little incentive for departments to adopt Verify".

Julian David, the CEO of TechUK, is quoted in further support of Computer Weekly's position and so is the Institute for Government.

This Rob Anderson man, he's a "principal analyst, central government, at GlobalData (formerly known as Kable)", according to Computer Weekly. He's got an article in Government Computing at the moment, GDS: Now we are Five. "Such a landmark anniversary often provokes a review of achievements in those formative years," he says, "but this was not obviously forthcoming, possibly because big ticket projects like Verify, the wider GaaP portfolio and examples of cogent joined-up public services are still few and far between".

Mr Anderson notes that GDS keep signing contracts with third party suppliers in the hopeless bid to enrol 25 million people in GOV.UK Verify (RIP) by 2020. Meanwhile, their success with GovWiFi is underwhelming, in Mr Anderson's eyes, and "GDS is but a sideshow, albeit a mildly entertaining one".

Government Computing also report on the European Commission's annual survey of eGovernment, UK slips to “European average” in terms of digitising its services, EU study shows. Oh dear. What now?
According to the report, the key challenge for the UK is to increase availability of key enablers such as electronic identification and authentication sources. The UK’s score for key enablers is 22% compared to a 52% EU average.
So, let's see, that's Computer Weekly, the NAO, TechUK, the Institute for Government, GlobalData/Government Computing, the European Commission and DMossEsq among others all expressing scepticism about GOV.UK Verify (RIP).

And on the other side?

Here's a comment from someone at the 17 November 2017 Economics of Identity conference hosted by OIX, the Open Identity Exchange: "Verify: the only standard for digi identity in the UK. Gov.uk has kicked started it - we have to pick up the mantle".

The other side's response looks like self-deception. GOV.UK Verify (RIP) isn't a standard and it doesn't have a mantle. Government Computing have collected together a number of these strange responses here, in OIX meeting weighs up the economics of identity.

Don Thibeau, the head of OIX, spoke at another conference, on 8 November 2017, where his chosen subject was Identity Systems at Scale. You can watch the video (particularly between 1'37" and 2'50") and be amazed at his assertion that Europe, Australia, Japan and the US are all spellbound, watching the progress of GOV.UK Verify (RIP) and hoping to learn some tips from the global masters of open banking.

His own organisation, OIX, has already demonstrated several times that GOV.UK Verify (RIP) has precisely nothing to offer the financial sector. Is he in denial? It is beyond the scope of this blog to explain his behaviour at that conference.

What we can do is to point at Whitehall itself as a user research lab. How do the participants in a failed project respond to the stream of facts as they come in, one after another, each one confirming failure more and more clearly? Answer, they ignore them. GOV.UK Verify (RIP) is the only game in town, they say to themselves, and they believe that the rest of the world is agog at its success.

GDS claim to lead the UK government digital, data and technology professions. Maybe they haven't noticed yet but, because GDS know nothing about the economics of identity, responsibility for the operation of the UK digital economy has been taken away from them and given to the Department for Digital, Culture, Media and Sport.

"Matt Upson and Mat Gregory are data scientists at GDS". That's what it says in Transforming the process of producing official statistics. Matt and Mat have been working on RAP, reproducible analytical pipelines. The two of them have been telling the Department for Digital, Culture, Media and Sport, the Department for Education and the Ministry of Justice all about RAP, teaching their grandmothers to suck eggs.

How successful have they been?

"We have celebrated the achievements so far with a laptop sticker". Official statistics? Done.

14 November 2017, and we learnt that More than 100 services are now running on government common platforms: "over 100 services across 26 departments and agencies are now using GaaP tools, guidance and components. From GOV.UK Verify [RIP] to GOV.UK Notify, GOV.UK Pay and GOV.UK Platform as a Service, Government as a Platform is becoming a reality, and that’s a great thing for taxpayers and citizens".

There's even a sticker to prove it:


GOV.UK Verify (RIP) is connected to just 14 on-line public services according to GDS's own performance dashboard. HMRC don't use it for anything important, neither do DWP and neither do the NHS. GOV.UK Notify is connected to 115 on-line public services, again excluding the big players, but isn't it a decade or two too late to claim a noteworthy success when a government department uses email and texts? The GOV.UK Pay performance dashboard doesn't list any services connected to it. And GOV.UK Platform as a Service doesn't have a performance dashboard.

Is that what you understood by "more than 100 services are now running on government common platforms"?

That's a tendentious way of reporting the facts. The UK Statistics Authority and the Office for National Statistics would be down on any minister like a ton of bricks, quite rightly, if they misused statistics like that.

It was never clear why GDS were given responsibility for the data profession. They have never done anything with that responsibility and there are signs now that that, too, will be taken away from them.

While its responsibilities shrink, though, GDS continues to recruit as though there were no tomorrow. There are currently 19 GDS jobs available for your delectation on the civil service jobs website. You, too, could join the 900, or is it only 700, people already in this giant user research lab.

----------

Updated 4.12.17

How many people are there in GDS? That was the question we finished on in the blog post above. The answer is given in the NAO's report, Digital transformation in government (p.19):


This year, 2017-18, there should be 834 of them, all beavering away.

But just what do they all do?

As far as GOV.UK Verify (RIP) is concerned, the answer must be "not a lot". The front end hasn't changed for months, there's very little activity on Twitter, none on the identity assurance blog and 65% of attempts to access public services using the wretched system fail.

In the absence of any answers DMossEsq has taken a look at the UK government's Contracts Finder service. And you won't believe it – we've been asking the wrong people. GDS don't seem to have anything to do with GOV.UK Verify (RIP) any more. Now, it's all our old friends the Methods group.

You remember the Methods group. We came across them first in GaaP – 1½ million useless public servants out the door and 35 billion quid off the deficit. What's not to like? And when GDS's 25 exemplars failed, Mike Beaven, their transformation director, left and joined Methods, please see @gdsteam, success and ... candy floss.

Two companies in the Methods group have been promised £1,307,000 since April Fool's Day 2017 to make GOV.UK Verify (RIP) work, please see the table below and/or this easier-to-read spreadsheet. And since 9 October 2017 Methods Business and Digital Technology Limited have been the Lead Commercial Delivery Manager for GOV.UK Verify (RIP):


Fuller Contracts Finder findings are available in another spreadsheet here. You thought GDS did the work on GOV.UK Verify (RIP)? Think again. Those 834 GDS staff have got something better to do.

Such as ensuring diversity across the civil service? No. Methods Digital Limited were paid £208,000 to work on "race disparity data across the public sector".

Such as working on GaaP? No. Methods Professional Services Ltd were paid £143,000 to provide "a WebOps service to deliver the GaaP Programme".

Such as working on the common technology services project? No. Methods Digital Limited are being paid £2,000,000 (sic) to "define the strategy of CTS and support collating and analysing commercial ICT information across HMG".

You thought GDS worked out GaaP themselves? No. It was the Methods group. And McKinsey, who were paid £2,200,000 (sic) back in the spring of 2015 to "assist GDS to analyse the potential for digitally-enabled improvement of public services through the adoption of the 'Government as a Platform' approach".

The common technology services project (iPhones for all civil servants) is costing a fortune in external fees. Methods Digital Limited got their £2,000,000, as we have seen. Not bad, but Computing Distribution Group Limited picked up £5,000,000 to "provide application, cloud and infrastructure design, standards and good practice guides for the common technology service team". GDS are meant to be the go-to consultants for the whole civil service and, on a good day, local government as well and they have to ask Computing Distribution Group Limited for design, standards and good practice guides?

Entech Limited settled for a modest £325,000 for CTS work. Zeefix Consulting Limited are getting £2,000,000, like Ergon Limited, and DMSG Limited are members of the £5,000,000 club. PriceWaterhouseCoopers LLP just missed. £4,000,000. Unlucky.

M4 Managed Services International Limited are getting £5,000,000 for providing "application and infrastructure design services (?)". ThoughtWorks Limited picked up £791,000 for four months' work this year on "agile iterative support consultancy services to develop and continually improve" a few things, including GOV.UK Verify (RIP). That's on top of their £1,300,000 to "drive the adoption of Verify ... working in pair and mop programming in the listed areas".

And then there's IXYDO Limited, who have amassed five contracts worth a total of £553,000 to help migrate GOV.UK Verify (RIP) from VMWare across the Styx to Amazon Web Services. Part of our national infrastructure, IXYDO had one director who owned the one share in the company until recently, according to Companies House, and the latest accounts show that he has almost managed to repay the £28,000 or so that he borrowed from the company. Don't worry, this won't make it any harder for Methods Professional Services Ltd to get GOV.UK Verify (RIP) taken seriously by our European partners in eIDAS.

834?


Updated 30.1.18

As we were saying above, "maybe they haven't noticed yet but, because GDS know nothing about the economics of identity, responsibility for the operation of the UK digital economy has been taken away from them and given to the Department for Digital, Culture, Media and Sport [DCMS]".

Also, "it was never clear why GDS were given responsibility for the data profession. They have never done anything with that responsibility and there are signs now that that, too, will be taken away from them" ...

... signs like DCMS launches research project into data portability. DCMS have got £250,000 burning a hole in their pocket and the Government Computing website tell us that "according to a tender notice issued by the department earlier this month for a £250,000 contract, DCMS is looking for analysis and practical research on data portability".

Despite having 834 staff and £450 million to spend and despite being in charge of digital, data and technology GDS are clearly not the first port of call if you want a spot of analysis and practical research on data portability.

Bit of a poke in the eye for GDS.

Just to rub it in, Government Computing also report that DCMS launches search for new Data Ethics centre leader: "The government wants the centre to advise on the measures needed to enable and ensure safe, ethical and innovative uses of data-driven technologies".

GDS did some work on data ethics, please see "Data Science Ethical Framework" – contempt for the public. Fail. Over to DCMS.


Updated 24.4.18

The Government Digital Service (GDS) have 860 staff at the moment. They can't possibly need to use contractors for software engineering work, can they?

Their last contract – with the Methods Group – for software engineering work on GOV.UK Verify (RIP) ran out on 6 April 2018. Verify is dead. GDS can't need to spend any more money on it, can they?

Wrong. Yesterday, 23 April 2018, St George's Day, GDS published an invitation to tender for six months' work on Development Capability for GOV.UK Verify [RIP].


Updated 31.5.18

It is six months since we said, please see above:
You thought GDS worked out GaaP themselves? No. It was the Methods group. And McKinsey, who were paid £2,200,000 (sic) back in the spring of 2015 to "assist GDS to analyse the potential for digitally-enabled improvement of public services through the adoption of the 'Government as a Platform' approach".
The McKinsey Center for Government have now published Delivering for citizens – how to triple the success rate of government transformations.

What do they have to say about GDS?

Nothing.

GDS don't get a mention.

RIP IDA – the Whitehall user research lab

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

The Government Digital Service (GDS) have a user research lab, in which they "carry out research into all the things we deliver [?], from guidance and standards to common components, such as GOV.UK Pay and GOV.UK Verify [RIP]".

Despite the user research lab, "deliver" is just what GDS haven't done with GOV.UK Verify (RIP).