Showing posts with label DWP. Show all posts

Monday, 11 November 2013

GDS – this is getting embarrassing

GDS, the Government Digital Service.

Remember the pan-government identity assurance system that was promised for autumn 2012, then March 2013 and which still doesn't exist?

Remember the assisted digital project that keeps starting, stumbling and starting again?

Remember the four professors' frosty report on GDS's government digital strategy?

Remember the other frosty report, this one by the Electoral Commission?

Remember the fifth professor's warning about the need to use formal methods (para.13) to produce quality software systems?

Remember the CloudStore being unavailable for four days?

They've only been and gone and done it again:


"This site will be unavailable from 6pm (GMT) Friday 8 November due to required maintenance" – 75 hours later, it's still down and we get this post on the G-Cloud blog:

CloudStore update:

Sorry that the CloudStore is not available right now.
Current CloudStore status
On Friday, we were carrying out updates to the records and the search indexes, and noticed that this had affected some of the search queries which were not always returning all of the relevant services. It’s important that no-one is at a disadvantage and we've decided to take the site down until this is fixed to ensure everyone is being treated fairly.
Working on a fix
Right now we’re working on a fix to get things up and running again as soon as possible. We’re keen to ensure that this issue is resolved and to make the user experience better as we keep iterating and making improvements.
If you need help
If you have an urgent procurement, we can help. Please email enquiries@gcloud.cabinet-office.gov.uk and we’ll aim to respond to you as soon as possible.

GDS are supposed to be using open source software. You'd expect open source software to have been used at thousands of sites worldwide and to have conducted billions of searches. There shouldn't be any major bugs left in it. People make mistakes with search queries. "select * from table1" when they mean "select * from table2". That kind of thing. It doesn't take 75 hours to fix.

The Guardian called GDS "an elite team of digital experts". Will the Cabinet agree with that description? Or the Americans? What are the Koreans going to make of it? Or the Estonians? Or Chris Chant?

GDS run the digital leaders network, a cadre of IT people who are supposed to mould Whitehall to the Cabinet Office's wishes. What kind of an example to Whitehall is this latest CloudStore outage?

As Philip Virgo was asking only the other day, Should G-Cloud and the GDS be taken seriously as contenders to run Universal Credit? What temptation is there left for DWP to adopt GDS's agile methods?

Talking of which, agile principle #7: "Working software is the primary measure of progress".

Not to mention principles #1 and #3, "Our highest priority is to satisfy the customer through early and continuous delivery of valuable software" and "Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale".

Tomorrow is Tuesday. Tuesday is when GDS publish their weekly diary. The diary is usually fairly anodyne. But tomorrow? The first signs of a GDS re-launch?

----------

Update 12.11.13:
  • The Law Society Gazette announced yesterday that the Supreme Court has entered into a new contract in the hope of cutting its IT costs. Was the new service procured through G-Cloud? No.
  • CloudStore is back, says the post on the G-Cloud blog, but the search facility still isn't working so it's not entirely back.
  • It doesn't matter so much, sub specie aeternitatis, if the CloudStore's doors are shut for several days at a time. Contrariwise, if the ID hub proposed for GDS's Identity Assurance Programme goes down, the digital-by-default UK will seize up, Estonia-style – luckily, there is still no sign of GDS providing identity assurance to the nation.
  • Earlier, Digital By Default News magazine announced the winners of their Digital Leaders 50 awards, given to "leaders and organisations who demonstrate a pioneering and sustainable approach to digital transformation". GDS came top. The BBC came second and Francis Maude came third.
  • No GDS this week diary yet.
Update 15.11.13:
CloudStore is back. That's what the G-Cloud team told us three days ago. And again two days ago. But is it?

Thursday, 28 March 2013

GDS, the NAO, the BBC, parliament and DWP – five questions

The National Audit Office (NAO) have released a new report, Digital Britain 2: Putting users at the heart of government’s digital services, examining the Government Digital Service (GDS) plans for digital-by-default. The report's conclusions concentrate on the problems faced by people who can't or won't use on-line public services.

The same problem was examined the day before yesterday by Mark Easton, the BBC's home affairs editor.

And 52 members of parliament have put their name to an early day motion to debate the problem.

Meanwhile the Department for Work and Pensions (DWP), who were depending on digital-by-default for the introduction of Universal Credit, have published not one but two documents confirming that benefits will continue to rely on face-to-face meetings, telephone calls and letters in the post – the very opposite of digital-by-default – please see Local Support Services Framework and Universal Credit – Your claim journey.

GDS have responded to the NAO report with a post on their blog today:
Overall, this report is a really positive sign we’re moving in the right direction. But it’s also a helpful reminder of the work we still need to do to support those who are less able to use online services.
The NAO report has some ("really positive"?) comments to make on the putative savings we can look forward to from digital-by-default:
1.5 The GDS has also highlighted the possible savings from switching to digital channels. As the strategy states, central government provides more than 650 public services – which cost between £6 billion and £9 billion in 2011-12, according to GDS. The GDS has estimated total potential annual savings of £1.7 billion to £1.8 billion if all these services were operated through digital channels. More than 300 of these services have no digital channel. The savings estimate does not include the costs that may be required to create or redesign digital services. However, it also does not take into account the government’s new approach to becoming digital, set out in its strategy, which could lead to greater savings being achieved more quickly. The GDS states that the average cost of a central government digital transaction can be almost 20 times lower than by phone and 50 times lower than face-to-face.

1.6 We have not audited the estimated savings in the Government Digital Strategy, nor have we audited how government will redesign and develop its new digital services. Our future audits will evaluate the value for money of digital services as the GDS and departments work together to move more than 650 services online.
The report also mentions (without being "really positive") the need for identity assurance. Someone posted a comment on the GDS blog:
28/03/2013
dmossesq #

Please Note: Your comment is awaiting moderation.

The NAO report is available at http://www.nao.org.uk/wp-content/uploads/2013/03/10123-001-Digital-Britain-2-Book.pdf

Under the heading “Trust”, the report includes the following:

QUOTE

4.9 To use online public services people need to be able to trust the government with the information they provide online. The Government Digital Strategy recognises that users of public services often find it hard to register for online services, and that it needs to offer a more straightforward, secure way to allow users to identify themselves online while preserving their privacy. Therefore there is an Identity Assurance Programme [IDAP] under way in GDS and we were told that this is to develop a framework to enable federated identity assurance to be adopted across government services.

4.10 The government also told us that this will involve creating a simple, trusted and secure new way for people and businesses to access government services, which will provide assurance to government that the right person is accessing their own personal information.

UNQUOTE

Without IDAP, there is no digital-by-default.

DWP were led to believe that IDAP would be “fully operational” for up to 21 million claimants of Universal Credit “from March 2013”, https://online.contractsfinder.businesslink.gov.uk/Common/View%20Notice.aspx?NoticeId=797279

Here we are in March 2013. And the question the NAO almost ask is, where is IDAP?

28/03/2013
That comment has now been moderated. Has it been published? No. It's been deleted.

Tomorrow should see the publication of ex-Guardian man Mike Bracken's video diary, This week at GDS.

He's the executive director of GDS and the senior responsible officer owner for the pan-government identity assurance programme. Will he comment on:
  1. the NAO report?
  2. the BBC report?
  3. the early day motion in parliament?
  4. DWP being stranded without IDAP?
  5. the deliberations of the permanent secretaries who met at GDS's offices yesterday to consider digital-by-default?
----------
    Added 16:48:
    Following publication of the post above, DMossEsq brought it to the attention of GDS. The comment which had previously been deleted from their blog has now been published by GDS. Also, this week's edition of This week at GDS has been published, a day early, perhaps because of the bank holiday. No response to questions 2., 3. and 4. above. A passing mention of 5. and a promise to consider 1. in next week's edition.

    Thursday, 14 March 2013

    GDS's Identity Assurance Programme goes up in smoke

    Computer Weekly, 14 March 2013:
    IDA services put on ice for Universal Credit delivery
    Only the other day there we were, weren't we, asking if the Government Digital Service's pan-government Identity Assurance service is up and running yet. They had promised that it would be "fully operational" for 21 million Department for Work and Pensions claimants "by March 2013".

    Well now, thanks to Computer Weekly, we know the answer.
    No mention was made of the use of IDA in the DWP’s Local Support Services Framework ... Instead, the paper referenced the issuing of PIN numbers to users for their online accounts ...
    GDS talked a good game once. Is there any hope now for IDA?

    No. Judging by this 12 March 2013 post on their blog, Identity Alphas, GDS are innocents abroad in the world of identity management.

    "Where did it all go wrong?" You may well ask.

    Wednesday, 23 January 2013

    21 million prospective Universal Credit claimants, 40,000+ ex-public servants, 400 days and GDS

    From spring 2013
    It is the Government Digital Service's dream to make all public services digital by default. To make that happy dream come true they need identity assurance – each UK parishioner needs his or her own electronic ID.

    20 April 2011:
    ... To someone's dyspeptic eye, IDA looks like a non-starter, another elaborate and expensive plan which turns out to be fantasy, doomed to failure when it confronts reality. The timetable for IDA was presented and described as not over-ambitious. That is perfectly accurate. The timetable is not over-ambitious. It looks more like the psychedelic product of a prolonged session on hallucinogenic drugs. Far from being merely over-ambitious, it is quite simply impossible.

    22 September 2012, Universal Credit and the December putsch:
    ... The revised notice was published on 1 March 2012 and the service has to be operational from the Spring of 2013? Barely a year later? Only six months after the contracts are awarded? 21 million claimants? Millions of whom have never used the web? Operational? Countrywide? ... It's a tall order.

    25 September 2012, Identity assurance – the clock is ticking, ex-Guardian man Mike Bracken's chickens are coming home to roost:
    ... That's six months' time if we measure to the start of next spring, or nine months if we measure to the end. Either way, DWP's Universal Credit (UC) scheme has to be up and running by October 2013 and UC depends on identity assurance as Lord Freud, the welfare reform minister, has emphasised – no identity assurance, no UC.

    6 November 2012, Identity assurance – shall we vote on it?:
    ... That's what it says in the draft legislation. Ex-Guardian man Mike Bracken was meant to announce who would be the UK's so-called "identity providers" by 30 September 2012. We're still waiting ... He'd better hurry up. He's promised to have an identity assurance service "operational" for 21 million Universal Credit claimants by Spring 2013.

    26 November 2012, Identity assurance – one under the eight:
    More to the point, there are 21 million prospective claimants for Universal Credit in the UK. Identity assurance is meant to be operational by the Spring of 2013 for all 21 million of them. The chances of that happening are now nil. GDS's failure is extending the imprisonment in the poverty trap of millions of claimants who could be released by Universal Credit. Putting the wrong people in charge of identity assurance has miserable social consequences.

    10 December 2012, Universal Credit – GDS's part in its downfall:
    ... That wouldn't be feasible, not now, December 2012, not even if the details of IDAP had all been worked out but they haven't been ("we now have a group of suppliers with whom we can work out the practical issues"). Why hasn't it already been done? How much longer will it take?

    11 December 2012, GDS's identity assurance story continues to unravel:
    ... GDS went on in their blog post of last March to refer to the procurement of identity assurance services, needed by DWP for their Universal Credit initiative: "The initial DWP services will be required to provide identity assurance for approximately 21 000 000 claimants ... To support the rollout of universal credit and personal independence payments, identity assurance suppliers will be selected in summer 2012 and systems will need to be fully operational from spring 2013" ... Question – how did GDS come up with that timetable?

    18 January 2013, #2 of many lessons about GDS and the external digital thought-leaders:
    ... it's impossible. Would you trust an organisation that promises the impossible?
    And so was born GDS's Identity Assurance Programme (IDAP) [29.12.17: currently known as "GOV.UK Verify (RIP)"] which they have repeatedly promised would be "fully operational from spring 2013".

    In the first instance, GDS need to provide identity assurance for the new Universal Credit (UC) system which is designed to rescue people from welfare dependency by making work pay. It's UC that needs identity assurance to be fully operational from spring 2013 and that's what GDS have promised.

    From March 2013
    Eight so-called "identity providers" have been appointed to turn IDAP into reality. The documentation on the IDAP contracts was published the other day, 16 January 2013, and includes this:
    To support the rollout of universal credit and personal independence payments providers will be selected by June 2012 and systems will need to be fully operational from March 2013.
    "... fully operational from March 2013" – 37 days away.

    That deadline has seemed impossible for years, since at least 20 April 2011 (please see opposite), before GDS existed, but they (GDS) have never sought in public to change it and, even now with only 37 days to go, there may be up to 21 million prospective universal credit claimants out there who assume that the deadline will be met.

    It won't. It can't be.

    April 2014
    In his 22 January 2013 Computer Weekly blog the engaging Toby Stevens reports on the current state of IDAP and says:
    And when does all this happen? We would expect to see the first pilots in October this year, with more widespread use kicking off in April 2014.
    Fully operational from March 2013? No. October 2013. But that's just "trials". So not fully operational. Maybe more like April 2014. And maybe not.

    Has anyone told Iain Duncan Smith that GDS have delayed his beacon policy by at least a year? Presumably not as he keeps telling Parliament that UC's going swimmingly. Has anyone told the press? Or the prospective claimants of UC?

    No.

    GDS have kept quiet about it.

    Cui bono?
    Instead, they have diverted us with scores of blog posts about how important the users are – excluding benefit claimants, presumably – and how the users' needs are GDS's only guide and only concern.

    They trumpet the success of their single government domain project – "This website replaces Directgov [and] Business Link", it says on the home page of GOV.UK. Manifestly false. The IDAP documentation quoted from above, for example, is on businesslink.gov.uk.

    They proudly announce that they will make a minimum of 40,000 public servants redundant thereby saving the government – but not the public – up to £1.8 billion p.a.

    Cheekily, in view of UC, GDS claim to believe that they are dedicated to "delivery".

    And on 21 January 2013, they held a jamboree, The future is here, attended by 300 civil servants to celebrate themselves and to announce vaingloriously that they would transform government in 400 days.

    Who is this all for?

    It's clearly not for the users. It's not for the 21 million prospective UC claimants. And it's not for the 40,000+ ex-public servants.

    That's alright then
    The executive director of GDS and senior responsible officer owner for IDAP is ex-Guardian man Mike Bracken. And on his website he modestly quotes these words of Martha Lane Fox's:
    It is a rare individual that can take a bunch of ideas and turn them into a reality in any environment but particularly in government. Mike is doing just that for me and it has been a privilege to watch.
    Ms Lane Fox was interviewed at the heady, revivalist, the-future-is-here jamboree by a Computer Weekly journalist, Kathleen Hall, who finishes her article with this:
    Although Lane Fox has been digital champion for four years, she has no immediate plans to step down. “I think you have to be constantly appraising yourself as to whether yours is the best voice – or whether you are becoming a bit like white noise, and not doing as good a job as you could be. But at the minute I’m still having a great time,” she said.
    GDS's new world
    Martha Lane Fox describes her digital-by-default project as a revolution. Those of us who were born yesterday will have no trouble believing that we are living in a new world. First we believed that UC would be fully operational in 37 days' time. Then seamlessly we believed that the target is 400 days.

    And in 400 days' time?

    What will GDS have us believe then?

    Thursday, 17 January 2013

    The identity of the UK's eighth identity provider has now been provided, reluctantly

    The acknowledged problems with public administration in the UK are to be solved, it is proposed, by making public services digital by default, which requires us all to have electronic identities (eIDs). These are to be provided by eight so-called "identity providers" of whom only seven were previously announced, please see Identity assurance – one under the eight.

    The eighth identity provider is PayPal.

    How do we know that?

    Did the Government Digital Service (GDS) make an announcement? No.

    Did the Department for Work and Pensions (DWP) make an announcement? Not really. DWP posted a notice on the Contracts Finder service of businesslink.gov.uk, a website which GDS say no longer exists – it's supposed to have been replaced by their GOV.UK.

    So how?

    Answer:


    This is not an open way to deal with the public.

    Check the Contracts Finder link in the Tweet above and you'll find that PayPal have been on the ID assurance list of suppliers for months. Why the delay in making an announcement? Who was reluctant? Why?

    Hundreds of millions of pounds are scheduled to be wasted on the failure of GDS's identity assurance programme. The appointment of a national identity provider is an important matter. Why is its announcement buried on Twitter?

    And what is the rôle of OIX in the UK's new Constitution?

    Friday, 14 December 2012

    GDS misbriefing

    The invitation to tender for the Government Digital Service (GDS) market research contract with IFF Research Ltd includes this picture of the "new identity assurance model":
    The document was created on 8 November 2012, according to its Microsoft Word properties, and was last modified on 12 November 2012. Next day, 13 November 2012, the names of the UK's appointed identity providers (the electronic Mary Poppinses) were announced. Halifax weren't on the list. Neither were Lambeth and Visa. Nor Lloyds and Equifax.

    Which means that GDS briefed the prospective suppliers wrongly in their invitation to tender.

    Experienced consultants like IFF Research will be quite used to that. It always takes a while for the client's real requirements to come to light. By now they will have established a more accurate picture, with seven known identity providers and a mystery one:
    How will the interviews go, as IFF Research set about their market research?

    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using Visa as an identity provider?
    PITS: yes.
    IFF: well they're not on the list. How about Cassidian?


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using Ingeus as an identity provider?
    PITS: are you sure that's how it's pronounced?
    IFF: shall I put you down as a don't-know?


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using Mydex as an identity provider?
    PITS: why's it called Mydex? What does it mean?
    IFF: I have no idea, the question is would you feel comfortable ...
    PITS: any particular reason why I should trust them?
    IFF: I ask the questions.


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using Verizon as an identity provider?
    PITS: I thought they were a US mobile phone network.
    IFF: they are.
    PITS: so how are they going to verify my identity for the UK government?
    IFF: I don't know.


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using a completely unknown supplier represented on this picture by a yellow question mark as an identity provider?
    PITS: yes.
    IFF: thank you.


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using digidentity as an identity provider?
    PITS: is this a wind-up?
    IFF: thank you.

    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using the Post Office as an identity provider?
    PITS: the Post Office isn't a private sector supplier.
    IFF: Yes it is, look it up on the Companies House website, company number 02154540.
    PITS: you mean I can buy shares in it?
    IFF: no, the shares in the Post Office are all held by Royal Mail and the shares in Royal Mail are all held by Vince Cable and he's not selling any but otherwise it's a private sector company.
    PITS: who's paying for all this identity-providing lark?
    IFF: the Department for Work and Pensions, to get Universal Credit going.
    PITS: so there's nothing private sector about this at all, is there?
    IFF: no, you're right, the private sector element is one of GDS's many fantasies.
    PITS: pleasure talking to you, I'm sure, can't wait to see your report.
    IFF: don't hold your breath.


    IFF: (to person in the street) The government is trying to cause an ecosystem of private sector suppliers to flourish. Would you feel comfortable using Experian as an identity provider?
    PITS: yes.
    IFF: why? What's the matter with you?
    PITS: that's a job they already do, isn't it, they've already demonstrated their competence, unlike any of the other suppliers on your picture.
    IFF: is that true?


    Why did all the banks and credit card companies refuse to become official identity providers? Why aren't there any UK mobile phone companies among their number? How long will this farce be allowed to continue? How much will it cost us? Will anyone be accountable?

    Monday, 26 November 2012

    Identity assurance – one under the eight

    On 13 November 2012 the Department for Work and Pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.

    We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.

    Publication slipped. And we still don't know who the eighth "identity provider" will be.

    Two things we do know:
    • Whoever the eighth one is, there is clearly some reluctance somewhere, some friction. Maybe DWP aren't sure about the credentials of this eighth supplier. Maybe the eighth supplier isn't sure that it wants to be involved with IDAP, the government's tottering Identity Assurance Programme. Either way, they will start with their credibility impugned.
    • It's not really DWP doing the appointing. It's GDS, the Government Digital Service. GDS may be very good at designing websites. But what credentials, if any, do they have for identity assurance? The appointment is clearly giving them an embarrassing problem. More to the point, there are 21 million prospective claimants for Universal Credit in the UK. Identity assurance is meant to be operational by the Spring of 2013 for all 21 million of them. The chances of that happening are now nil. GDS's failure is extending the imprisonment in the poverty trap of millions of claimants who could be released by Universal Credit. Putting the wrong people in charge of identity assurance has miserable social consequences.

    Thursday, 22 November 2012

    midata and identity assurance – BIS and DWP lure the British public into danger

    Hat tip: Dave Birch

    Questions have been raised about the advisability of creating population registers on the web.

    The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.

    The Department for Work and Pensions (DWP) have an initiative called "Universal Credit" which would require us to ditto, please see for example Identity assurance – convenient? It'll make your life so much easier.

    The objections to subscribing to on-line population registers are manifold and include the dangers of cybercrime.

    What dangers of cybercrime?

    Take a look at this, from Reuters, 20 November 2012:
    Man arrested in Athens over ID theft of most of Greek population

    ATHENS | Tue Nov 20, 2012 12:14pm EST

    (Reuters) - Greek police have arrested a man on suspicion of stealing the personal data of roughly two thirds of the country's population, police officials in Athens said on Tuesday.

    The 35-year old computer programmer was also suspected of attempting to sell the 9 million files containing identification card data, addresses, tax ID numbers and license plate numbers. Some files contained duplicate entries, police said.

    Greece's population is 11 million ...
    BIS and DWP promise us, of course, that the midata and Universal Credit registers will be held in secure websites. No doubt. But then the Greek population register was supposed to be secure, too. Not much help, is it?

    Surely this must be a one-off, you object? No. You're forgetting last year's Jerusalem Post, 24 October 2011:
    'Contract worker stole all Israelis' personal information'

    By JPOST.COM STAFF LAST UPDATED: 10/24/2011 13:16

    Information was used to create searchable database; computer technician put the database on Internet for anyone worldwide to access.

    A contract worker from the Labor and Welfare Ministry was charged with stealing the personal information of over nine million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted.

    The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer ...
    And so it goes on ...

    BIS and DWP are luring the British public into danger. It is at the very least irresponsible of them to do that. Why are they doing it?

    It's up to them to answer that question.

    Meanwhile, you are strongly advised to resist their invitations.

    Wednesday, 21 November 2012

    Identity assurance – convenient? It'll make your life so much easier

    Have DWP and GDS taken leave of their senses
    suggesting that we should trust unknown third parties
    with our user IDs and passwords?
    Yes.

    The Department for Work and Pensions (DWP) identity assurance press release the other day naming seven of the UK's "identity providers" (IDPs) was commendably short. Every word counted:
    13 November 2012 – Providers announced for online identity scheme

    The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

    The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.

    The Minister for Welfare Reform Lord Freud said:
    "We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
    As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.

    The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
    "... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?

    At the moment, you have to know separate user IDs and passwords for logging onto Facebook, for example, Twitter, Amazon, eBay, PayPal, your bank, HMRC (self-assessment), HMRC (VAT returns), etc ... That is very inconvenient.

    GDS, the Government Digital Service, the people behind identity assurance – remember, ex-Guardian man Mike Bracken is not only chief executive of GDS but also the senior responsible officer owner for the government's identity assurance programme – want to make your life more convenient.

    So what they propose is that you give all those user IDs and passwords to your chosen IDP and let them log on for you. You still have to remember the user ID and password you use to log onto your IDP. But as long as you can do that, you're fine, your IDP will remember all other user IDs and passwords and log on for you.

    That's obviously convenient. But is it wise?

    Take a look at the seven IDPs. Which one would you trust with the user ID and password for your bank accounts? And why? You've never heard of them, have you? Apart from the Post Office. They may all be eminently trustworthy. But suppose some ne'er-do-well teenager with Asperger's hacks into them and just steals all the user IDs and passwords?

    Remembering all those user IDs and passwords ourselves may be unavoidable. It may be the price we pay for security. It might be convenient to have someone do our remembering for us but, if we lose our security as a result, it wouldn't be wise.

    Have DWP and GDS taken leave of their senses suggesting that we should trust unknown third parties with our user IDs and passwords?

    ----------

    Updated 16.2.15

    In the intervening two-and-a-bit years since the post above was written the notions of secure websites and secure communications have died a thousand times. Remember Sony. Take a look at yesterday's Telegraph, Hackers steal £650 million in world's biggest bank raid. Think back to QinetiQ.

    Your only option is to minimise your inevitable losses. Make sure that if one set of defences is breached they aren't all breached. Maintain distinct logon ID-and-password combinations for each on-line service you use.

    The Government Digital Service continue to try to breathe life into the corpse of their Identity Assurance programme (IDA). The service is now known as "GOV.UK Verify". GDS continue to ask us to believe against all the evidence that it is secure.

    And they continue to advocate having as few logon ID-password combinations as possible on the grounds that that is convenient and the Devil take the risks. No bank would recommend that. But then the banks are liable to compensate you if your bank account is emptied by hackers. GDS aren't. If you're hacked as a result of using GOV.UK Verify, you pay.

    The BBC have been drafted in to promote GOV.UK Verify. Here's an extract from BBC Radio 4's World At One news programme, 23 January 2015:



    David Alexander, the CEO of Mydex, is interviewed. Mydex is one of the five "identity providers" left at GDS's identity assurance funeral. Use a Mydex personal data store (PDS), says Mr Alexander towards the end of the extract, and let that log on to all your other services for you. That will be much more convenient.

    Take him, for example. Currently, he says, he has 705 logon ID-password combinations for on-line services he uses. That's awfully inconvenient. How much better to store them all in his PDS and let Mydex log on to these 705 services for him.

    But hang on a minute. If one of those 705 services is hacked at the moment, he's left with 704 services that haven't been hacked. Follow his recommendation, use a Mydex PDS, and one security breach opens the door to all 705 services.

    You don't need to be a genius at risk assessment to recognise the disproportionate danger of the PDS idea.

    Mr Alexander is in 705 times more danger if he uses GDS's GOV.UK Verify than if he doesn't.

    If someone offers you the convenience of a single logon ID-password combination, run a mile.

    RIP IDA.

    Monday, 19 November 2012

    PRESS RELEASE: midata – time for BIS to answer the questions


    PRESS RELEASE


    To:

    Home Office

    OIG (re US-VISIT)

    IDABC (re OSCIE)
    China (re Golden Shield)
    Pakistan (re NADRA)
    FBI (re NGI)
    UIDAI (re Aadhaar)
    Agencies
    midata – time for BIS to answer the questions
    19 November 2012
    When midata was announced a year ago Rory Cellan-Jones, the BBC’s Technology Correspondent, asked “what's the catch for consumers and why is the government getting involved”? Good questions.
    Lifestyle choices
    ... individual users were not yet being allowed to exploit all the information relating to them to make their lives easier. Armed with the information that social networks and other web giants hold about us, he said, computers will be able to "help me run my life, to guess what I need next, to guess what I should read in the morning, because it will know not only what's happening out there but also what I've read already, and also what my mood is, and who I'm meeting later on".
    Thus Tim Berners-Lee, inventor of the web, interviewed by the Guardian in April.
    Slightly dotty, of course – your computer will know what mood you’re in? But the Department for Business Innovation and Skills (BIS) are trying to promote their midata initiative and it suits their purpose to say, in a press release the other day, that midata will allow consumers to “make better lifestyle choices”.
    Even if it was true, what business would it be of the government’s?
    None. If there’s a demand for lifestyle software, let the private sector provide it.
    Economic growth
    BIS also claim that midata would be “good for growth in the economy”. Strange, because at the 9 August 2012 midata open forum David Miller, a BIS economist, was asked how much midata would make the economy grow by and answered, it’s very difficult to say what the macro-economic effects of midata would be.
    Banks, phone companies and energy companies already provide us with detailed statements, on-line and on paper, they have done for decades, and the economy isn’t growing. So what’s new about midata?
    Personal data stores (PDSs)
    Answer – PDSs, please see para.2.19, p.24 of BIS's midata 2012 review and consultation. BIS want us all to have PDSs, databases storing all of our transaction data, which can be processed to make our lifestyle choices for us and which identify us uniquely.
    We wouldn’t be expected to maintain the PDSs ourselves. That would be the job of so-called “trusted third parties”, who would store all our personal data on the web, where it would be continuously updated by permanent links with all our suppliers.
    What personal data? The BIS press release refers us to a document of theirs, A midata future: 10 ways it could shape your choices. The answer seems to be any contracts you have entered into, any warranties you have taken out, your driving licence, your educational qualifications, your CRB report, your bank accounts, the clothes you buy, your gas and electricity usage and your neighbours’ usage, too, your health records, entertainment preferences and favourite restaurants.
    It’s an extensive set of data about you. midata may not help the economy to grow but, in the PDSs which it relies on, it would provide you with an on-line ID card.
    Trusted third parties
    Who are the third parties you’re meant to trust with all this personal data? Only one is regularly mentioned and most people will never have heard of it – Mydex – so what reason is there to trust it?
    At the 9 August 2012 midata open forum Kirstin Green, a deputy director at BIS, mentioned that the chairman of Mydex sits on the BIS midata strategy board. To understand BIS’ midata proposal it helps to understand Mydex is therefore written with considerable authority, as is Making midata work for you.
    Identity assurance
    Actually, you may have heard of Mydex. You may have read the Department for Work and Pensions (DWP) press release about the Identity Assurance Programme last week, Providers announced for online identity scheme. Mydex is one of the seven “identity providers” appointed for the UK last week by DWP. The idea is that in Whitehall’s new digital-by-default world, if you want to register for benefits, you need an identity provider to vouch for you, to say that you are you – a PDS is an ID card.
    ----------
    They couldn’t answer them last year. Let’s see if BIS can answer Mr Cellan-Jones’s questions now.

    About David Moss
    David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.
    Press contacts: David Moss, BCSL@blueyonder.co.uk