That's what it says in 24-point bold capitals on the relatively public Buzzfeed website. So much for "secretly".
"In a move that has alarmed Whitehall officials, the prime minister has instructed departments to share data they collect about usage of the GOV.UK portal so that it can feed into preparations for leaving the European Union at the end of next month". These Whitehall officials must exist in a permanent state of alarm – GOV.UK usage data is already collected and shared on the Government Digital Service's ricketyperformance platform and has been for years:
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.
Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.
GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.
GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:
It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.
And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?
As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".
What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.
You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.
When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.
Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
Approval Profile for Identity Registration Services
✔
✔
Approval Profile for Credential Validation Services
✔
✘
Approval Profile for an Identity Provider
✔
✘
Approval Profile for Credential Management Services
✔
✘
GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.
No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.
And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services
Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...
"Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services,” Jim Conning, Managing Director of Royal Mail Data Services stated, "Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco” ...
"Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup,” said Gerry O’Brien, CEO, Avoco Secure ...
John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.
GBGroup/CitizenSafe have to communicate with GDS via Twitter:
And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".
That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?
Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.
----------
Updated 8.3.16
GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":
No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".
In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.
If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.
If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.
It's not that good at identifying individuals either:
The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/Citizensafe? To them, and to Royal Mail, the company you have heard of? Well there was news yesterday. Royal Mail has entered the lists.
There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).
The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if use Chrome to View Page Source it says the author is Avoco Secure.
Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".
Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".
GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.
Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.
GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.
GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.
Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.
GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.
GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).
Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.
Unlike the other "identity providers" who have GOV.UK Verify (RIP) products available, Safran Morpho require you to download an app onto your mobile phone.
Your mobile phone then becomes part of your identity. That may imply that your existence is interrupted, as far as Safran Morpho are concerned, when you change phones.
Long-time DMossEsq readers will know that downloading apps onto your mobile phone is indistinguishable from inviting in a virus.
The SecureIdentity app has the features shown in the mobile phone screenshot opposite.
If you are convinced that you understand what they all mean and if you are happy to give SecureIdentity house room, fine.
If not, there are five other "identity providers" to choose from today – Barclays, Digidentity, Experian, the Post Office and Verizon – to which you should soon be able to add GBGroup, PayPal and the Royal Mail.
You had better read, learn and inwardly digest Safran Morpho's terms and conditions for SecureIdentity and their privacy and cookies policies. They estimate 10 to 15 minutes for registration. Good luck with that.
To register with Safran Morpho, you have to tick the box that says you've read all these documents and you may then be deemed to have freely given your informed consent.
What consent?
Answer, your consent to a lot of personal information about you bouncing around the world's telecommunications networks, in the UK and overseas, between Safran Morpho, unnamed credit referencing agencies, unnamed sub-contractors, government departments, law enforcement agencies, tax authorities, Zendesk, DoubleClick, YouTube and Google, because that's who GDS use for their analytics.
De-registration, by the way, takes at least seven years. That's the minimum length of time Safran Morpho will keep any information they have about you.
The SecureIdentity privacy policy includes:
1.2 The types of personal data that Morpho may collect and hold
Personal data that Morpho may collect include:
- Your full name; - Your date and place of birth - Your postal address; - Your email address; - Your telephone number; - Your user ID (application store account) - Your gender - The data necessary to identify the date, time and duration of a communication - Your static or dynamic IP address - Characteristics of your software platform (Operating System, Browser) - Your passport details - Your Driving License details - Your Marriage Certificate details - Your Birth Certificate details - Your Poll Card details - Your bank account number
1.3 How does Morpho collect your personal data
Morpho usually collects personal data directly from you. For that purpose, Morpho may require you to complete a consent form to acknowledge that you are fully aware of the collection and processing of your personal data.
Morpho may also check your personal data against publicly available information and information already present in our partner companies' databases in order to verify your identity and ensure that you are the person you' re claiming to be.
Personal data that Morpho may check, include:
- Your Credit Record History - Your Electoral Roll History - Your financial court orders records (CCJ, IVA, DRO, Bankruptcy) - Your record in the Land Registry … - Your Directors Register record
We might in certain circumstances verify if you are active on social networks.
Morpho may collect personal data about you because Morpho is required or authorised by law to collect it.
Safran Morpho clearly envisage an intimate relationship with you, including your life in the social media. Not to mention anything that the SecureIdentity app can glean from your sleepless mobile phone, the accounts on it and the network(s) it is attached to.
In the course of that intimate relationship, Safran Morpho can't help collecting a lot of personal information about you:
1.5.1 Disclosure of personal data by Morpho
Morpho may share personal data with:
- Government Digital Service (GDS): the DVLA, the HMPO [Her Majesty's Passport Office] and any other relevant HMG Department in connection with the provision of the Evidence Checking Services
- Its subcontractors (including without limitation third party fraud-prevention agencies and credit agencies) to verify your identity during the SecureIdentity registration process and to provide customer care.
Morpho will not sell, rent or otherwise disclose your personal data to third parties without your informed consent.
Morpho may also share your personal data if it is required to do so by virtue of any legal obligations (such as law enforcement, tax), or in order to enforce Morpho’s [sic] terms and conditions (a copy of which can be seen at www.secureidentity.co.uk/help).
1.5.2 Overseas disclosure by Morpho
Morpho is part of the Morpho Group of Companies ("Morpho Group") which is a global organisation; for the purposes explained in this policy, your information may be transferred to the head office of the Morpho Group, Morpho SAS based in France ...
1.5.3 Marketing communications
Your information may be used by SecureIdentity (Morpho UK) for marketing purposes in connection with the service provided ...
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs". That's what they started with and somehow you've ended up handing over reams of the personal information that defines you, beyond your control, to a lot of strangers.
And all you wanted to do was to obey the law by submitting your tax return. That was the user need. You didn't previously feel the need to help the "identity providers" with their marketing, did you?
You've been able to submit your tax return on-line for years via the Government Gateway. Why do you now also have to send your credit history to all these strangers?
Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.
----------
Updated 20.3.17 It's just over a year since the blog post above was written. Yesterday Safran Morpho tweeted this: "'Why is the @GOVUKverify programme happening?' Read the answer & other FAQs on our website", followed by a link to this antique page on their website, copy available here.
Troll along and you read: "Right now 13 government services are connected to GOV.UK Verify [RIP] (7 can be accessed as public beta services). By April next year about 30 government services will be using the system and others will join over 2016/17".
Fiscal 2016/17 ends in 11 days time, 31 March 2017, and there are just 12 services signed up to GOV.UK Verify (RIP), not 30, not even 13.
Safran Morpho are an "identity provider" retained by the Government Digital Service (GDS) to sign victims up to GOV.UK Verify (RIP). There's a choice of "identity providers". Would you choose the one that relies on marketing literature over a year out of date?
Victims "must choose from one of nine certified verification companies to obtain their own personal secure ID". That's what Safran Morpho said over a year ago. There aren't nine "identity providers". Only seven – PayPal never turned up and Verizon pulled out, twice. You want the supplier providing you with a "secure ID" to be strong on the detail ...
All the "identity providers", according to Safran Morpho, are "guided by nine Identity Assurance Principles". You won't be fooled into confusing "guided by" with "compliant with". All nine identity assurance principles are flouted by the "identity providers" and by GDS themselves.
All the "identity providers", according to Safran Morpho, "offer the verification service at no cost". Very old-fashioned marketing, nostalgic even, hands up everyone who believes that GOV.UK Verify (RIP) is free.
"To become a certified verification company a business must be able to meet or exceed high standards set by government and an independent certification body". So they keep saying but of course Safran Morpho have not been certified, their SecureIdentity service remains obstinately absent from the independent certification body tScheme's list of approved services, a full 16 months after applying for approval.
Four "identity providers" have had their services approved. What's wrong with the other three – the Post Office, the Royal Mail and Safran Morpho?
With marketing material like this – out of date, inaccurate, misleading, self-hoisting with petard – does GOV.UK Verify (RIP) need critics?
Updated 21.3.17
It's almost as if Safran Morpho are reading this blog. Yesterday they claimed that GOV.UK Verify (RIP) is connected to 13 UK government services. Today, in a tweet, they have corrected that to 12: "You can now access 12 govt online services @GOVUKverify @secureIDverify incl. @HMRCgovuk s.ripl.com/bfkk03".
That message is reinforced by a silent video which lasts for 10 seconds and on which, unless you're a hawk, the text is illegible.
Better that than the video on the SecureIdentity website – the same three chords repeated for 50 interminable seconds:
Is the product called "secureidentity" or "Secure Identity" or "SecureIdentity"? All three versions appear on the Safran Morpho website. And is the product brought to us by Safran Morpho? Or by Safran? Or by Morpho, "the world leader in government ID"? Which is it? There's a bit of work to do on the branding there ...
... and a bit more work to do on the number of UK government services accessible via GOV.UK Verify (RIP). 13? 12? No, not on the SecureIdentity website, neither of those figures, this time it's eight:
Updated 27.3.17
Safran Morpho's identity assurance product, SecureIdentity or secureidentity or Secure Identity or whatever it's called – how many UK government on-line services can it connect you to? 8? 12? 13? You don't know. Safran Morpho don't seem to know.
That's a bit of a worry, as we were saying on 21 March 2017. Safran Morpho are one of the Government Digital Service's "identity providers". You need to be able to trust them. Otherwise you can't trust GOV.UK Verify (RIP). And it's hard to trust them if they can't count. You don't get the feeling you can rely on them.
23 March 2017, Safran Morpho were tweeting again: "Digital access to govt services is changing: here's a helpful Beginner’s Guide to @GOVUKverify ow.ly/hALP308NvZN #identity #infosec". Click on that link and you learn: "At SecureIdentity we’re one of nine verification services you can choose from" and "The first time you use GOV.UK Verify [RIP] to access services, you’ll be given a choice of nine certified verification companies to obtain your own personal secure ID".
Wrong again. Why do Safran Morpho try to confuse beginners? There has never been a choice of nine "identity providers". Briefly, there were eight. Now there are just seven. And of those seven, just four are certified. Three of them, including Safran Morpho, are not certified.
"Competition delivers greater security", say Safran Morpho. Not if some of the competitors don't know what's going on.
We're "Putting you in control". That's what Safran Morpho suggest. They don't seem to be in control themselves.
And not just them. Aren't GDS supposed to do a bit of quality control? This is their identity assurance ecosystem or market that they're trying to create. And one of their agents is misleading the public. In a properly regulated market, that would be quickly detected and corrected. GOV.UK Verify (RIP) doesn't look properly regulated.
Updated 2.6.17
Remember Safran Morpho? The uncertified "identity provider" to GOV.UK Verify (RIP)? The one that can't count?
No announcement from the Government Digital Service, of course. Presumably GDS know about the transaction. Presumably they don't think you need to know:
Updated 7.10.17
We noted above that Morpho don't bother to update their GOV.UK Verify (RIP) information for the public which still tells people that there are nine "identity providers". There never were nine. Currently there are seven. GDS do nothing to correct Morpho. The public continue to be misled.
We noted also that Morpho has now been sold by Safran. Are the new owners as trustworthy as Safran? Who knows. Again, GDS have not bothered to advise the public.
Log on now, four months after completion of the sale to Advent International and Bpifrance, try to create a GOV.UK Verify (RIP) account via Morpho and you still see Safran branding all over the screens.
Odd.
Odder still given that Morpho is no longer called "Morpho". It's now morphed into"Idemia".
There's no mention of Idemia on any GOV.UK Verify (RIP) web pages. The change has passed GDS by. They fail once again to operate their market competently – as we said in March 2016, "GDS have never created or regulated a market in their lives. And it shows".
And there's no mention of GOV.UK Verify (RIP) on Idemia's web pages, nor of SecureIdentity. GOV.UK Verify (RIP) doesn't exist as far as Idemia are concerned. They're not interested. Understandably so. It's dead.
Morpho's GOV.UK Verify (RIP) service was called "SecureIdentity" among other things. Idemia's is called "Augmented Identity". Good name. GDS should have thought of that.
Behind the good name it's just the same old nonsense – biometrics. The same parcel has been passed now from Visionics and Viisage and Identix and Iridian to L-1 Identity Solutions to Safran to the present private equity investors.
Why do these organisations keep selling it? Because one day the parcel-holder is going to find that there's nothing inside the wrapping paper, just an augmented loss.
We in the UK can continue to trust Sagem SécuritéMorphoOT-Morpho Idemia with our personal information, of course. Otherwise GDS would surely have warned us.
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.
Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.
GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.
GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).
Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.
"... we use our ‘inside government’ experience of to advise and support governments and international institutions on practical strategies for enduring change" – that's what it says on Slide #3 of the presentation, followed by "we have ... worked on IT enabled transformation with over 30 governments, across five continents".
There are eight reasons why government IT projects fail, #2 is "lack of focus on understanding and segmenting user needs", according to Slide #5, and #4 is "lack of effective engagement with stakeholders".
Then Slide #6 comes up with a ninth reason: "IT projects fail because there is no such thing as an IT project … there are only IT-enabled business change projects".
Do Messrs Bracken et al really hope that this presentation will make governments believe that public.digital can help and cause them to get in touch, contact@public.digital?
No.
Because it's not their presentation.
The quotations above come from a July 2006 presentation given by gov³™, government for the third millennium™.
Since you ask, "Gov3 is THE global strategic consultancy for governments ... launched in September 2004 by the core team in the UK’s Office of the eEnvoy".
Gov3 Ltd, company no. 05126620, was wound up on 28 July 2009, a liquidator was appointed and its dissolution was finally gazetted a year and a day ago on 3 December 2014.
PS You can find all the relevant documents on the Companies House website. The old Companies House website. Not the new Companies House website, which has been transformed under the influence of GDS and no longer shows the documents. On the old website, you have to pay £1 for each document. The documents are free now. But there aren't any documents.
The bad old days
Onwards!
Updated 10.12.15
"We transformed digital delivery for the UK government". That's what it says on the public.digitalweb page. That's the shoutline.
public.digital offers consultancy in leadership, strategy, transformation and design.
One of the £4 company's four shareholders is Tom Loosemore.
Whether Mr Loosemore was wearing his leadership hat at the time, or strategy or transformation or design, whichever, he told the Australians six weeks ago that he and his colleagues didn't transform digital delivery for the UK government. Not a bit of it. What they actually did was to "put lipstick on pigs":
This is a more than cosmetic transformation of the company's shoutline:
What can his fellow shareholders make of Mr Loosemore's hand-brake turn?
How do the staff left behind at the Government Digital Service (GDS) feel about this revelation by their sometime leader?
What is the correct response for all the UK ministers and officials who have been lured in the past into effusive endorsements of GDS's putative transformational successes?
Will a lot of journalists have to publish/broadcast retractions of their earlier pronouncements?
It's a quandary for the digital services of other governments the world over who have based their business cases on the shaky platform of GDS's achievements.
And what are the prospective clients of public.digital supposed to think?
Thursday 10 December 2015 saw the news from Argentina begin to surface on Twitter. They're starting their own government digital service, modelled on the UK's GDS.
Just supposing the Argentinians approached public.digital for a bit of advice, what do you think Messrs Bracken, Loosemore, et al would say? Apart from woooop.
Synchronicitously enough, the next day saw an interview with Tom Loosemore published in Computing magazine.
The interview includes all his usual aperçus on Victorian London's sewage system. First he told the Americans. Then the Australians. Next the Argentinians?
No doubt. But this time there's more. Mr Loosemore has noticed that, whereas politicians come and go, public officials are permanent:
"If you're a minister you've only got one or two people that really support you - your special advisers. Civil servants are there for the duration. Most of them are brilliant by the way but bureaucracies exist to protect bureaucracies. It takes a war or a space race to change institutional shape and allow the introduction of new institutions with different roles" ...
In August GDS director Mike Bracken left the government to join the Co-operative Group, and his erstwhile colleagues Russell Davies, Ben Terett and Tom Loosemore soon followed. Loosemore cites slow progress and the bureaucracy described above as being behind this decision.
Would public.digital advise Argentina to form a co-operative? Maybe.
Would they advise Argentina to go to war? Unlikely. War isn't really their bag. "Internet jibba jabba". That's what they're into:
That leaves just one option – expect the announcement of the Argentinian space programme any day now.
Updated 18.12.15
In late 90s I tried to educate parliament about risks of database state. I thought some fellow campaigners mildly paranoid. I was so wrong.
Awfully good of him, of course, to try to "educate parliament". Perhaps the UK parliament really was too ignorant to understand the dangers of the "database state". That seems unlikely but it's irrelevant anyway as public.digital aren't marketing in the UK, only abroad. What they're looking for is ignorant overseas governments.
If you are an overseas government, the question is do you want to govern a database state or not? If you don't then, judging by the tweet above, Tom Loosemore is your man. Him and public.digital. They clearly wouldn't advise Estonia, for example.
But it's more complicated than that. Take a look at the picture below. What is it, if not the very picture of the "database state"?
That layer at the bottom, the Registers layer, is what Mr Loosemore himself calls the "single source of truth".
It's his picture. His picture of the ideal state, where benevolent decisions are made on the basis of knowing everything about people.
"Basis"?
"Platform". This is Government as a Platform (GaaP). This is public.digital's premium product. This is what the Victorians would have deployed if only they hadn't got bogged down with sewers. This is what any innovative administration would do if only it was bold enough, you have to be bold, it's a mistake not to be, that's what Mr Loosemore says. To everyone. The Americans. The Australians. Everyone, maybe even Argentina.
"Hang on a minute", you may say, "that's unfair, Mr Loosemore insists on a Trust and Consent layer in his picture. Trust and consent are to be enforced by parliament. To object that that wouldn't work is to say you don't believe in democracy".
That argument is worth consideration. It's still an argument in favour of the database state. of course. But it's a database state by consent.
Consider this. Who would give their consent? Not Mr Loosemore. That's for sure. He had to warn an ignorant parliament in the 1990s about the dangers of the database state. He must think that consent is for other people. Inferior people. That's not very democratic of him.
He's got a credibility problem. Look at his survivors in the Government Digital Service (GDS). Like Paul Downey, the author of Linking Registers. Barely is Mr Loosemore out of GDS's doors than Mr Downey produces this picture:
A Registers layer and a Services layer and nothing in between. No Trust and Consent called for and none offered. GDS aren't serious about trust and consent. All they can see is a state that knows better what you need than you do. Which is why there's no need for trust and consent.
For the rest of us, the database state picture is wrong for another reason. A state that thinks it needs all that knowledge about us is a state that has exceeded its remit. There are places where a democratic state doesn't go. Total knowledge is only sought and required by totalitarian states.
Mr Loosemore has a fond but unjustified belief that the database state would lead to "efficiency".
Call it what you like but no thank you.
Updated 6.2.18
"Right now, we are Mike Bracken, Russell Davies, Tom Loosemore and Ben Terrett". That was then. December 2015. A year ago today Russell Davies resigned as a director of Public Digital Ltd according to Companies House. Fair enough. People move on.
18 December 2017, Andrew David Greenway was appointed a director, Merry Christmas Mr Greenway.
Mr Greenway is one of the banshees who always seem to be upset by changes at the Government Digital Service (GDS) but can never explain why. "Meanwhile, GDS is following the course charted by other successful centralised reformers in government. Icarus-like soaring for a few years. The occasional flutter of feathers. Then a headlong dive into the timeless, inky depths of the bureaucratic abyss. The sun always rises, Whitehall always wins". That's what Mr Greenway said in August 2016.
The banshees are excoriating about the lack of leadership and direction at GDS and DCMS. Nothing is being delivered by way of digital government. It's all just talk, talk, talk and no action. That's what Messrs du Preez and Greenway both say.
But in that case, what is there to bewail in the demise of GDS? Disruption is a good thing according to the revolutionaries who set up GDS and disruption begins at home. If GDS has turned out to be a damp squib, let it sink. The faster the better. That's how a healthy ecosystem deals with its failed adaptations.
(An unhealthy ecosystem prolongs their existence for years at a time by extending ludicrously cheap credit with the result that the final collapse is more painful than it could have been. But that's another Carillion-type story.)
Messrs du Preez and Greenway must know that. Mr du Preez could say it. Mr Greenway, as a recently appointed director of Public Digital, probably has to be a little more circumspect.
We are seeking an experienced Privacy Officer to lead the data protection and privacy aspects of the GOV.UK Verify [RIP] programme, both within GDS and across our delivery partners ...
Interviews week commencing: 21/09/2015 ...
Advice Who knows but you might advise as follows.
QUOTE
Each move you make in your career affects your subsequent opportunities. You could take your experience to GDS. Would that be wise? Perhaps. The world looks like a Privacy Officer's oyster at the moment, in the public sector and beyond – there are other employers and other users who need you.
"The strategy is delivery" is one of GDS's old mottos. It doesn't bear inspection. They promised that GOV.UK Verify (RIP) would go live in the spring of 2013. It didn't. And two-and-a-half years later it still hasn't.
The currently promised live date is March 2016, six months away. Will they deliver on time? If they don't, it's not going to look good on your CV.
As long as you're very junior and on short notice in your present job, you could join GDS in October. That will give you less than six months to knock GOV.UK Verify (RIP) into shape data-protection-and-privacywise. Is that feasible? You need to decide.
The identity hub that glues GOV.UK Verify (RIP) together was written by GDS themselves. A team of US and UK academics assessed the hub and declared it full of holes. Despite their claim to build trust by being open, GDS have stayed remarkably tight-lipped about these allegations. You will have to be genuinely open.
You may assume that one of your first jobs is to assess the GOV.UK Verify (RIP) liability model. It isn't. They haven't got one. Unlike the banks, who compensate you if your account is hacked, GDS make no mention of compensation and the so-called "identity providers" (IDPs) limit their liability to derisory levels. Good luck with that one.
The IDPs are paid a pittance by GDS so you won't have much traction there. GDS are in bed with an outfit called OIX and it doesn't help that OIX have just published a white paper saying that the IDPs can't do their job. What GOV.UK Verify (RIP) really needs is the banks, not IDPs.
Actually, they've published two white papers to that effect. In the second one, Reducing fraud and improving online safety through IDP signal sharing, OIX make it clear that as things stand there are no standards for monitoring account activity in GOV.UK Verify (RIP) and no established procedures to follow when exceptional events are detected. The banks, by contrast, have had that buttoned down for years.
In their white paper, OIX acknowledge "the risk that a Shared Signals system might be incorrectly perceived as a surveillance tool that could undermine some users’ confidence in GOV.UK Verify [RIP]". Signal sharing between IDPs is the opposite to what the public have been promised with GOV.UK Verify (RIP). The IDPs are meant to be independent, not colluding. People's data is meant to stay where it's put, not be transmitted all over the place. And any use to which it's put is meant to be undertaken by consent, which in this case it hasn't been. You're going to be very busy over Christmas ...
... and thereafter, because GDS's relationship with the central government departments and agencies, the "Relying Parties" as they're known (RPs), the RPs that the public is trying to communicate with through GOV.UK Verify (RIP) is fragile. Fragile or non-existent. Non-existent with the National Health Service, for example, and with the Department for Education. Fragile with the Department for Work and Pensions, who are believed to have banned GDS from their premises, ... some little local difficulty with Universal Credit. Fragile with the Electoral Commission, to whom GDS gave an application system to register to vote which omits identity assurance. Fragile with the Department for Environment Food and Rural Affairs where the GDS system had to be abandoned in favour of paper and pen. And fragile with Her Majesty's Revenue and Customs, who have had to remind people that GOV.UK Verify (RIP) isn't their system, it's GDS's.
Diplomacy will be the name of the game when it comes to dealing with the RPs. Your diplomacy. It will have to be yours because GDS have spent years telling the world that the rest of Whitehall is useless, traditional policy-making has broken down and the guiding principles of public administration need a revolution. Why would these much-maligned parties now rely on GOV.UK Verify (RIP)?
And why would the public rely on it? The public want their data kept safely and only used for limited purposes. Meanwhile, GDS cheer on every step towards open data without ever trying to distinguish between public data and personal data. GDS's previous boss described the laws constraining data-sharing as "myths". You'll need to provide solace to the public. You've got your comforting answers ready, of course, haven't you?
They're a rum lot, GDS. Not like the rest of Whitehall. That's deliberate. The impression is that the staff all wander around all day in a missionary zeal, interpreting the word of their executive director, ex-Guardian man Mike Bracken CBE CDO CDO, senior responsible owner of GOV.UK Verify (RIP). You may get to be interviewed by him if GDS stick to the 21 September timetable.
But you won't see him for long. He's off on 30 September to pastures new. As are all the other senior staff/prophets. The organisation you join is not the organisation you will work for.
We are seeking an experienced Privacy Officer to lead the data protection and privacy aspects of the GOV.UK Verify [RIP] programme, both within GDS and across our delivery partners ...
Five organisations have come together to run a three-month feasibility study to explore how to empower citizens with their own data. The miData Studio initiative is a collaboration between Ctrl-Shift and Milton Keynes Council, the Cabinet Office, Open University and Connected Digital Economy Catapult.
The project aims to create an open, collaborative environment where citizens, the council and developers explore how empowering citizens with their own information can enable better services, better quality of life and efficiency in the delivery of public services.
The project will develop exemplar use cases that deliver benefit to the council and citizens and the local economy more generally.
The project will look for new ways for citizens to gain control of their information, exploring how they can give controlled access to trusted service providers for the services they want or need. It will also act as a pilot for the Cabinet Office’s identity assurance scheme in a local authority context.
This overarching project aim is to empower citizens with their own data in a way they can trust. The project will create a space for learning about working with citizens’ data, building a safe environment to try things out and study what works and what doesn’t work. Crucially the project aims to understand how to do this in such a way that individuals are in control of their data.
It was 3 November 2011 when Ed Davey first announced midata:
Today’s announcement marks the first time globally there has been such a Government-backed initiative to empower individuals with so much control over the use of their own data.
Little did we expect then that it would be the best part of three years before anyone started to "explore" how midata might work. But only now, if DbyDN are to be believed, is a "feasibility study" being launched.
In fact, not mentioned by DbyDN, Craig Belsham introduced us to the midata Innovation Lab (mIL) on 2 May 2013. Over the following few months mIL produced five deeply discouraging prototype apps.
Now we have the "miData Studio" instead. And what is the planned output from their feasibility study? Working services? No. Just some "exemplar use cases" – the miData Studio could take even longer to get to the future than mIL.
There will be five "collaborators" in the miData Studio according to DbyDN – "Ctrl-Shift and Milton Keynes Council, the Cabinet Office, Open University and Connected Digital Economy Catapult".
Or should that be six? "The project aims to create an open, collaborative environment where citizens, the council and developers explore how empowering citizens with their own information can enable ...". It looks as though "citizens" also will need to be collaborators.
Or should it be 11? "The project ... will also act as a pilot for the Cabinet Office’s [non-existent] identity assurance scheme in a local authority context". How can the studio deliver its exemplar use cases if the identity assurance scheme's five surviving "identity providers" aren't collaborating.
And however many collaborators there are, will the identity assurance scheme (RIP) prove any more successful in Milton Keynes than it did in Warwickshire?
It's all very well for DbyDN to say that the miData Studio will explore how citizens "can give controlled access [to their personal data] to trusted service providers" but how is anyone going to overcome Chris Chant's objection that trust is just not on the menu?
"Truth, not trust". That's Mr Chant's watchword. The pursuit of trust is a "doomed strategy".
Do any of the collaborators in the miData Studio have it in their gift to grant citizens control over their personal data? How? "Trust frameworks", as Ctrl-Shift tell us, are like unicorns. They don't exist. There's no way to enforce the rules. Control isn't on the menu any more than trust is. Or empowerment.
What are the prospective investors in the Cabinet Office's identity assurance scheme supposed to make of this project? They thought they were being invited to invest in a service that already exists.
It's only a 225-word article that DbyDN published but it raises a lot of questions.
1) Delivers massive cost savings 2) Increases data quality 3) Enables joined up services and streamlined customer journeys 4) Supports more personalised services 5) Enables citizens to get things done online 6) Reduces risk and ensures compliance 7) Builds trust 8) Supports operations such as identity assurance 9) Saves time, offers convenience and increases satisfaction
Really?
These may well be some of the presents local authorities and public sector organisations would ask Father Christmas for. But is Mydex Father Christmas? Are these presents in Mydex's gift? Who believes that? Why?
And who believes Mydex's claim at the bottom of the page? Remember Sony:
Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data.
Walter Mitty is a fictional character in James Thurber's short story "The Secret Life of Walter Mitty", first published in The New Yorker on March 18, 1939, and in book form in My World and Welcome to It in 1942. Thurber loosely based the character on his friend, Walter Mithoff. It was made into a film in 1947 ...
Mitty is a meek, mild man with a vivid fantasy life: in a few dozen paragraphs he imagines himself a wartime pilot, an emergency-room surgeon, and a devil-may-care killer. The character's name has come into more general use to refer to an ineffectual dreamer, appearing in several dictionaries. The American Heritage Dictionary defines a Walter Mitty as "an ordinary, often ineffectual person who indulges in fantastic daydreams of personal triumphs". The most famous of Thurber's inept male protagonists ...
European data law: UK.gov TRASHES 'unambiguous consent' plans
The UK government has raised objections to current EU proposals that would require businesses seeking to rely on "consent" as the lawful basis for processing personal data to ensure that that consent has been unambiguously given "for one or more specific purposes".
It said those proposals are "unjustified" and called on EU law makers to instead turn to the definition of consent under existing EU data protection rules instead for setting the legal standard businesses would need to achieve for consent under the draft new General Data Protection Regulation ...
The ElReg article is written by Out-Law.com, an outlet of the firm of lawyers Pinsent Masons, who follow this sort of thing and provide expert commentary.
In brief, the EU's 1995 Data Protection Directive is due to be replaced with a much-debated General Data Protection Regulation:
Should consent for your personal data to be processed be given unambiguously or is that unjustified as the UK government apparently argue? Is it adequate for that consent to be unambiguous or should it be explicit? Under what conditions can data be processed without consent? Is it lawful to create profiles of individuals from their personal data? How can you be said to freely give your informed consent if you actually have no alternative?
Assuming the 28 members can agree the answers to these questions, and about 3,000 more, how should they set about enforcing the regulation within the EU? And what about the rest of the world – what do the EU do if Russia, say, pays not a blind bit of notice?
As ElReg/Out-Law.com/Pinsent Masons say:
The European Parliament agreed on its version of the Regulation earlier this year and is waiting for the Council to reach its own consensus on the reforms before trialogue discussions on a final version of the text, which would also involve the European Commission, can be opened.
It's a trialogue (?) between the European Council of Ministers, the European Parliament and the European Commission.
That excludes other people.
DMossEsq, for example.
If DMossEsq offers you total control over your personal data, you can safely ignore the offer as having been made by some sad Walter Mittyish character subject to delusions of grandeur.
As it happens, DMossEsq is making no such offer. He recognises that it's not in his gift. But there are other people out there with a "vivid fantasy life". Remember – the power lies with the EU, and not with Walter Mitty.
