Showing posts with label Government Gateway. Show all posts

Thursday, 13 December 2018

RIP IDA – LSE Prof sells CGD a pup

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


May 2013, and Alan Gelb and Julia Clark of the Center for Global Development publish a report on biometrics. Not so much a report as an uncritical re-hash of the marketing material used by the biometrics industry. The industry that owes so much to astrology.

It is possible that you had forgotten.

November 2018, and the CGD publish an odd report on GOV.UK Verify (RIP) with a preface by the same Alan Gelb. At least, one assumes that it's the same Alan Gelb.

The report is written by Dr Edgar A Whitley, "an Associate Professor (Reader) in Information Systems in the Department of Management at the London School of Economics and Political Science". That doesn't seem to have helped:

Monday, 7 March 2016

RIP IDA – GBGroup/ID3global

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:


It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.

And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?

As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".

What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.

You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.

When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.

Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
tScheme approval profiles compared for Verizon and GBGroup/CitizenSafe:
  • Base Approval Profile
  • Approval Profile for Identity Registration Services
  • Approval Profile for Credential Validation Services
  • Approval Profile for an Identity Provider
  • Approval Profile for Credential Management Services
GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.

No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.

And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services

Avoco Secure (www.avocoidentity.com)

Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...

"Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services,” Jim Conning, Managing Director of Royal Mail Data Services stated, "Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco” ...

"Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup,” said Gerry O’Brien, CEO, Avoco Secure ...

John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.

GBGroup/CitizenSafe have to communicate with GDS via Twitter:


If GDS won't give GBGroup/CitizenSafe their telephone number, perhaps you shouldn't either.

Would you be better off using the Royal Mail as your "identity provider"? With added Avoco Secure? Send them a letter. Time will tell.

Or what about Verizon? They're highly regarded by tScheme. Does that make them more confidence-inspiring?

Verizon may be highly regarded by tScheme but Germany doesn't agree, please see German government terminates Verizon contract over NSA snooping fears.

And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.

GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".

That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 8.3.16

GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":

No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".

In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.

If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.

If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.

It's not that good at identifying individuals either:
  • The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
  • And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
But you know all that.


Updated 11.3.16
This is sleazy


Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/CitizenSafe? To them, and to Royal Mail, the company you have heard of? Well, there was news yesterday. Royal Mail has entered the lists.

There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).

The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if you use Chrome to View Page Source it says the author is Avoco Secure.

Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".

GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".

This is sleazy.


Saturday, 5 March 2016

RIP IDA – Safran Morpho/SecureIdentity

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

Safran Morpho is one of GDS's "identity providers":


Safran Morpho offer a product called "SecureIdentity".

GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).

Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.

Unlike the other "identity providers" who have GOV.UK Verify (RIP) products available, Safran Morpho require you to download an app onto your mobile phone.

Your mobile phone then becomes part of your identity. That may imply that your existence is interrupted, as far as Safran Morpho are concerned, when you change phones.

Long-time DMossEsq readers will know that downloading apps onto your mobile phone is indistinguishable from inviting in a virus.

The SecureIdentity app has the features shown in the mobile phone screenshot opposite.

If you are convinced that you understand what they all mean and if you are happy to give SecureIdentity house room, fine.

If not, there are five other "identity providers" to choose from today – Barclays, Digidentity, Experian, the Post Office and Verizon – to which you should soon be able to add GBGroup, PayPal and the Royal Mail.

You had better read, learn and inwardly digest Safran Morpho's terms and conditions for SecureIdentity and their privacy and cookies policies. They estimate 10 to 15 minutes for registration. Good luck with that.

To register with Safran Morpho, you have to tick the box that says you've read all these documents and you may then be deemed to have freely given your informed consent.

What consent?

Answer, your consent to a lot of personal information about you bouncing around the world's telecommunications networks, in the UK and overseas, between Safran Morpho, unnamed credit referencing agencies, unnamed sub-contractors, government departments, law enforcement agencies, tax authorities, Zendesk, DoubleClick, YouTube and Google, because that's who GDS use for their analytics.

De-registration, by the way, takes at least seven years. That's the minimum length of time Safran Morpho will keep any information they have about you.

The SecureIdentity privacy policy includes:
1.2 The types of personal data that Morpho may collect and hold

Personal data that Morpho may collect include:

- Your full name;
- Your date and place of birth
- Your postal address;
- Your email address;
- Your telephone number;
- Your user ID (application store account)
- Your gender
- The data necessary to identify the date, time and duration of a communication
- Your static or dynamic IP address
- Characteristics of your software platform (Operating System, Browser)
- Your passport details
- Your Driving License details
- Your Marriage Certificate details
- Your Birth Certificate details
- Your Poll Card details
- Your bank account number

1.3 How does Morpho collect your personal data

Morpho usually collects personal data directly from you. For that purpose, Morpho may require you to complete a consent form to acknowledge that you are fully aware of the collection and processing of your personal data.

Morpho may also check your personal data against publicly available information and information already present in our partner companies' databases in order to verify your identity and ensure that you are the person you're claiming to be.

Personal data that Morpho may check, include:

- Your Credit Record History
- Your Electoral Roll History
- Your financial court orders records (CCJ, IVA, DRO, Bankruptcy)
- Your record in the Land Registry …
- Your Directors Register record

We might in certain circumstances verify if you are active on social networks.

Morpho may collect personal data about you because Morpho is required or authorised by law to collect it.
Safran Morpho clearly envisage an intimate relationship with you, including your life in the social media. Not to mention anything that the SecureIdentity app can glean from your sleepless mobile phone, the accounts on it and the network(s) it is attached to.

In the course of that intimate relationship, Safran Morpho can't help collecting a lot of personal information about you:
1.5.1 Disclosure of personal data by Morpho

Morpho may share personal data with:

- Government Digital Service (GDS): the DVLA, the HMPO [Her Majesty's Passport Office] and any other relevant HMG Department in connection with the provision of the Evidence Checking Services

- Its subcontractors (including without limitation third party fraud-prevention agencies and credit agencies) to verify your identity during the SecureIdentity registration process and to provide customer care.

Morpho will not sell, rent or otherwise disclose your personal data to third parties without your informed consent.

Morpho may also share your personal data if it is required to do so by virtue of any legal obligations (such as law enforcement, tax), or in order to enforce Morpho’s [sic] terms and conditions (a copy of which can be seen at www.secureidentity.co.uk/help).

1.5.2 Overseas disclosure by Morpho

Morpho is part of the Morpho Group of Companies ("Morpho Group") which is a global organisation; for the purposes explained in this policy, your information may be transferred to the head office of the Morpho Group, Morpho SAS based in France ...

1.5.3 Marketing communications

Your information may be used by SecureIdentity (Morpho UK) for marketing purposes in connection with the service provided ...
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs". That's what they started with and somehow you've ended up handing over reams of the personal information that defines you, beyond your control, to a lot of strangers.

And all you wanted to do was to obey the law by submitting your tax return. That was the user need. You didn't previously feel the need to help the "identity providers" with their marketing, did you?

You've been able to submit your tax return on-line for years via the Government Gateway. Why do you now also have to send your credit history to all these strangers?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 20.3.17
It's just over a year since the blog post above was written. Yesterday Safran Morpho tweeted this: "'Why is the @GOVUKverify programme happening?' Read the answer & other FAQs on our website", followed by a link to this antique page on their website, copy available here.

Troll along and you read: "Right now 13 government services are connected to GOV.UK Verify [RIP] (7 can be accessed as public beta services). By April next year about 30 government services will be using the system and others will join over 2016/17".

Fiscal 2016/17 ends in 11 days' time, 31 March 2017, and there are just 12 services signed up to GOV.UK Verify (RIP), not 30, not even 13.

Safran Morpho are an "identity provider" retained by the Government Digital Service (GDS) to sign victims up to GOV.UK Verify (RIP). There's a choice of "identity providers". Would you choose the one that relies on marketing literature over a year out of date?

Victims "must choose from one of nine certified verification companies to obtain their own personal secure ID". That's what Safran Morpho said over a year ago. There aren't nine "identity providers". Only seven – PayPal never turned up and Verizon pulled out, twice. You want the supplier providing you with a "secure ID" to be strong on the detail ...

All the "identity providers", according to Safran Morpho, are "guided by nine Identity Assurance Principles". You won't be fooled into confusing "guided by" with "compliant with". All nine identity assurance principles are flouted by the "identity providers" and by GDS themselves.

All the "identity providers", according to Safran Morpho, "offer the verification service at no cost". Very old-fashioned marketing, nostalgic even, hands up everyone who believes that GOV.UK Verify (RIP) is free.

"To become a certified verification company a business must be able to meet or exceed high standards set by government and an independent certification body". So they keep saying but of course Safran Morpho have not been certified, their SecureIdentity service remains obstinately absent from the independent certification body tScheme's list of approved services, a full 16 months after applying for approval.

Four "identity providers" have had their services approved. What's wrong with the other three – the Post Office, the Royal Mail and Safran Morpho?

With marketing material like this – out of date, inaccurate, misleading, self-hoisting with petard – does GOV.UK Verify (RIP) need critics?


Updated 21.3.17

It's almost as if Safran Morpho are reading this blog. Yesterday they claimed that GOV.UK Verify (RIP) is connected to 13 UK government services. Today, in a tweet, they have corrected that to 12: "You can now access 12 govt online services @GOVUKverify @secureIDverify incl. @HMRCgovuk s.ripl.com/bfkk03".

That message is reinforced by a silent video which lasts for 10 seconds and on which, unless you're a hawk, the text is illegible.

Better that than the video on the SecureIdentity website – the same three chords repeated for 50 interminable seconds:



Is the product called "secureidentity" or "Secure Identity" or "SecureIdentity"? All three versions appear on the Safran Morpho website. And is the product brought to us by Safran Morpho? Or by Safran? Or by Morpho, "the world leader in government ID"? Which is it? There's a bit of work to do on the branding there ...

... and a bit more work to do on the number of UK government services accessible via GOV.UK Verify (RIP). 13? 12? No, not on the SecureIdentity website, neither of those figures, this time it's eight:



Updated 27.3.17

Safran Morpho's identity assurance product, SecureIdentity or secureidentity or Secure Identity or whatever it's called – how many UK government on-line services can it connect you to? 8? 12? 13? You don't know. Safran Morpho don't seem to know.

That's a bit of a worry, as we were saying on 21 March 2017. Safran Morpho are one of the Government Digital Service's "identity providers". You need to be able to trust them. Otherwise you can't trust GOV.UK Verify (RIP). And it's hard to trust them if they can't count. You don't get the feeling you can rely on them.

23 March 2017, Safran Morpho were tweeting again: "Digital access to govt services is changing: here's a helpful Beginner’s Guide to @GOVUKverify ow.ly/hALP308NvZN #identity #infosec". Click on that link and you learn: "At SecureIdentity we’re one of nine verification services you can choose from" and "The first time you use GOV.UK Verify [RIP] to access services, you’ll be given a choice of nine certified verification companies to obtain your own personal secure ID".

Wrong again. Why do Safran Morpho try to confuse beginners? There has never been a choice of nine "identity providers". Briefly, there were eight. Now there are just seven. And of those seven, just four are certified. Three of them, including Safran Morpho, are not certified.

"Competition delivers greater security", say Safran Morpho. Not if some of the competitors don't know what's going on.

We're "Putting you in control". That's what Safran Morpho suggest. They don't seem to be in control themselves.

And not just them. Aren't GDS supposed to do a bit of quality control? This is their identity assurance ecosystem or market that they're trying to create. And one of their agents is misleading the public. In a properly regulated market, that would be quickly detected and corrected. GOV.UK Verify (RIP) doesn't look properly regulated.


Updated 2.6.17

Remember Safran Morpho? The uncertified "identity provider" to GOV.UK Verify (RIP)? The one that can't count?

Well forget it.

There is no Safran Morpho.

Safran have flogged the business to some private equity persons and now it's the uncertified OT-Morpho who own all your personal information and who keep track of you via an app/virus on your mobile.


No announcement from the Government Digital Service, of course. Presumably GDS know about the transaction. Presumably they don't think you need to know:



Updated 7.10.17

We noted above that Morpho don't bother to update their GOV.UK Verify (RIP) information for the public which still tells people that there are nine "identity providers". There never were nine. Currently there are seven. GDS do nothing to correct Morpho. The public continue to be misled.

We noted also that Morpho has now been sold by Safran. Are the new owners as trustworthy as Safran? Who knows. Again, GDS have not bothered to advise the public.

Log on now, four months after completion of the sale to Advent International and Bpifrance, try to create a GOV.UK Verify (RIP) account via Morpho and you still see Safran branding all over the screens.


Odd.

Odder still given that Morpho is no longer called "Morpho". It's now morphed into "Idemia".

There's no mention of Idemia on any GOV.UK Verify (RIP) web pages. The change has passed GDS by. They fail once again to operate their market competently – as we said in March 2016, "GDS have never created or regulated a market in their lives. And it shows".

And there's no mention of GOV.UK Verify (RIP) on Idemia's web pages, nor of SecureIdentity. GOV.UK Verify (RIP) doesn't exist as far as Idemia are concerned. They're not interested. Understandably so. It's dead.

Morpho's GOV.UK Verify (RIP) service was called "SecureIdentity" among other things. Idemia's is called "Augmented Identity". Good name. GDS should have thought of that.

Behind the good name it's just the same old nonsense biometrics. The same parcel has been passed now from Visionics and Viisage and Identix and Iridian to L-1 Identity Solutions to Safran to the present private equity investors.

Why do these organisations keep selling it? Because one day the parcel-holder is going to find that there's nothing inside the wrapping paper, just an augmented loss.

Meanwhile Morpho is in a bit of trouble in Kenya, please see Safran Morpho asks IEBC to push election date to October 26  and French Biometrics Firm OT-Morpho [Idemia] to Sue Kenyans for Defamation Over IEBC System Hacking Claims.

We in the UK can continue to trust Sagem Sécurité Morpho OT-Morpho Idemia with our personal information, of course. Otherwise GDS would surely have warned us.


Friday, 14 June 2013

GDS PR blitz

10 June 2013, the BBC Radio 4 world news programme World At One (WATO) carries a 5-minute report (27'32"-32'55") by Jon Manel on GDS, the Government Digital Service.

11 June 2013, WATO carries another 8 minutes (24'58"-32'55") of Mr Manel's report on GDS.

12 June 2013, Mr Manel publishes Inside the UK Government Digital Service on the BBC website.

13 June 2013, the Guardian publish a 6'50" video by Jemima Kiss, Gov.uk: how geeks opened up government, featuring ex-Guardian man Mike Bracken (executive director, GDS), ex-BBC man Tom Loosemore (deputy director, GDS) and ex-Morgan Stanley man Francis Maude, their political boss (Cabinet Office minister).

What are GDS trying to tell us?

Listen, read, watch and what you learn is that GDS's staff are young, everyone dresses informally and each team has a fluffy mascot:
There is an inflatable guitar - a red one. You cannot fail to miss [notice?] the bunting. And then there are the mascots.

"For us, the Platform Team, it's an otter. His name is Jerry," one woman explains pointing to a brown and white soft toy with a rather sad expression on its face ...

As for the young civil servants in the GDS headquarters, some of them seem to have an almost evangelical spirit about them.
Some people will find the evangelical spirit which moves GDS charming. Others won't.

The idea is to model public administration on successful web companies, as ex-Guardian man Mike Bracken tells us in the Guardian video. But do Google and Facebook, for example, provide the right model?

The idea is to promote openness in government. GDS's single government domain project, GOV.UK, and their Identity Assurance Programme (IDAP) are major projects. But the Major Projects Authority verdicts on GOV.UK and IDAP have not been published.

An elite team of digital experts has sparked a radical shake-up in the way the government does its business. Some of the UK's best designers and developers are working on building a new single website for all government departments – gov.uk – but their influence has gone much further.
That's the rubric under the 13 June video on the Guardian website.

Pace Jemima Kiss, at least four professors are unconvinced that the team – or at least the Government Digital Strategy – is elite. And Dr Martyn Thomas, visiting professor at the universities of Oxford and Bristol, makes a fifth unconvinced professor – he told the House of Commons Science and Technology Committee that it's impossible to measure the quality of software systems developed with GDS's so-called "agile" methods.

The idea is to avoid the spectacularly poor value for money of some government IT contracts. An unimpeachable objective.

But how will GDS achieve it?

To be told, as we are in the Guardian video, that GDS are trying to improve the search algorithm on GOV.UK is no answer.

So-called "open systems" aren't the answer either, according to the four professors.

Will the "oligopoly" – as Jon Manel calls them – of government contractors fall in with GDS's plans for shorter contracts? Why should they? There's no need to while the big departments of state continue, as they do, to sign long contracts.

Is it the case that GDS's "influence has gone much further", as the Guardian claim? Francis Maude ends the Guardian video saying that there is enormous demand in Whitehall for GDS's services. Is there?

The Department for Work and Pensions (DWP) spend about £200 billion a year. When Jon Manel asks about DWP's Universal Credit (UC) initiative in the 11 June WATO report, the otherwise jocular ex-Guardian man Mike Bracken becomes guarded, "not that close to it", he says (31'29"), a response which Mr Manel glosses as "not our fault, guv".

GDS hijacked IDAP from DWP and then promised to have it "fully operational" for UC by March 2013. It wasn't and it still isn't. Leaving UC high and dry.

"Not that close to it"? Ex-Guardian man Mike Bracken is the senior responsible officer owner for government-wide identity assurance and there's no getting away from it.

The Department of Health spend about £120 billion a year. What are GDS doing about their computer systems? Or the systems at the Department for Education? And what are we to make of BBC money man Paul Lewis's warning on Twitter yesterday:



Apart from GDS, the only government body we hear from in this PR campaign is HMRC, in the 11 June WATO report. The clamorous demand is muted – Lin Homer, chief executive, describes GDS as "bumptious" but adds that there's nothing wrong with that.

She can afford to be kind. GDS haven't laid a glove on her £8 billion ASPIRE contract. Or on her website, www.hmrc.gov.uk, which GDS falsely claim to have incorporated into GOV.UK.

Meanwhile, GDS have some involvement with the plan to make us all enrol on-line on the new electoral register to be used for the 2015 general election. Why don't the BBC and the Guardian tell us anything about that major project?

What about GDS's involvement with the Department for Business Innovation and Skills midata project? And the related Shakespeare Review? What about their new-found responsibility for G-Cloud? What are GDS's plans for the Government Gateway? And what do GDS have to say about cybersecurity?

MPs are worried about digital-by-default – something else the BBC and the Guardian don't mention. Something like 16 million people in the UK will not be able to use the proposed web-based, digital-by-default public services which GDS are meant to deliver. They launched the assisted digital project on 28 July 2011 to try to solve the problem. And in today's weekly GDS diary, 14 June 2013, what does ex-Guardian man Mike Bracken tell us?
Also this week GOV.UK won two D&AD awards for our content design and the Assisted Digital team had their first market engagement event with suppliers.
Nearly two years after the starting pistol was fired, they had their first meeting with suppliers?

It's early days, you may say, GDS can't be expected to have achieved much yet. Maybe. But in that case the PR is premature. Francis Maude is up in front of the House of Commons Science and Technology Committee on Monday to give evidence on digital-by-default. Let's see what that adds to the campaign.




----------

Update 17.11.13:

15 November 2013: Government Digital Service: the best startup in Europe we can't invest in
So what is it that GDS knows that every chairman and chief executive of a FTSE100 should know?
And what is it that every chairman and chief executive of a FTSE100 knows that GDS should know?

Tuesday, 28 May 2013

GDS? Who?

Whitehall has a pitiful record when it comes to investing public money. Think of the National Programme for IT, the NHS black hole into which £6 billion of our money disappeared without trace. Or possibly £12 billion. No-one seems to be sure.

Mindful of which, we now have something called the Major Projects Authority (MPA), a Whitehall unit which keeps tabs on where the money's going and how likely we are to see any return. The MPA issues red-amber-green verdicts on our investments. Green is good news. Red means kiss goodbye to the money.

These verdicts have been kept secret until now but following lobbying, not least by Tony Collins, in the spirit of open government, the MPA have recently published their verdicts on 191 major government projects with a combined lifetime value of £353.7 billion.

The verdicts are categorised by department. Looking at the Cabinet Office projects:
  • We see for example that the Electoral Registration Transformation Programme gets an amber light.
    – An old friend on this blog, this is the programme which seeks to compile a national identity register, which is the opposite of the Coalition government's stated policy.
    – It seeks to ensure that the register is complete and accurate by illegally matching electoral records against National Insurance Number records, among others. N [please see update below]
    – The data-matching pilots were a complete failure – in one ward in Ceredigion, only 18% of electoral records could be matched (Table C1, p.31).
    – There will nevertheless be a value-for-money illegal national data-matching exercise carried out this summer and apparently a new electoral register in time for the next general election. N [please see update below]
    – Lifetime budget: £218 million. MPA verdict? Amber.
  • We see also that another old friend, G-Cloud, gets an amber/red signal.
    – Strange. Only the other day, G-Cloud won an award, the prestigious public cloud project of the year award.
    – Cloud computing, remember, is the quickest way of losing control of our data yet discovered.
    – It's not as though there's a lack of customers for G-Cloud – public bodies are pretty well being ordered to use it, through the Cloud First policy. It's unlikely that the project can fail for lack of take-up, so why the amber/red?
    – Any sign of a lack of spending on G-Cloud, and the programme director, Denise McDonagh, can simply buy something herself as she happens to be IT Director at the Home Office and disposes of a considerable budget. Only the other day (it may have been the same other day), she did just that and bumped up the sales figures by handing Skyscape the £1.5 million contract to host the heir to the Criminal Records Bureau.
    – That's Skyscape, the one-man band that barely existed a year ago but somehow beat the long-established competition in a completely fair selection process.
    – Lifetime budget, according to the MPA: £0.58 million. MPA verdict? Amber/red.
  • Which brings us to our oldest friend, the Government Digital Service (GDS).
    – They've got their award-winning GOV.UK project. 24 ministerial departments have been pointlessly and only partially transferred to GOV.UK and several hundred other government bodies are yet to be pointlessly and only partially transferred.
    – They're working on Individual Electoral Registration. Illegally. See above. N [please see update below]
    – They promised to have identity assurance fully operational by March 2013 for 21 million benefit claimants and failed. That leaves DWP's Universal Credit flailing and ditto the BIS midata nonsense.
    – We have eight "identity providers" in the UK with nothing to do as a result.
    – GDS's digital-by-default plan is holed below the waterline (fatally according to four professors) not least because millions of us Brits have never used the web.
    – On 28 July 2011, GDS promised to sort this out with their assisted digital sticking plaster. The best part of two years later, on 23 May 2013, they finally got round to starting to chat about the problem.
    – 56 members of parliament have signed an early day motion to debate digital-by-default.
    – GDS are also meant to replace the cumbersome-but-functional Government Gateway at some point, although what with, they've never said.
    – The mandarins keep expressing their support for GDS, Lord knows why.
    – But what about the MPA verdict, you ask? There isn't one. There just isn't one. None of these GDS projects is major? Or maybe GDS doesn't exist? Or the MPA ran out of colours? One way and another, if you're looking for openness, hard cheese.
----------

Updated 29 May 2013 12:35
N Data-matching was illegal. With the passing of the Electoral Registration and Administration Act on 31 January 2013, it is assumed to be no longer illegal. The suggestion that it is illegal is now presumably false and misleading. Please see SCOOP? IER, sackcloth, ashes and Rip Van Winkle.

Updated 28.5.14

The other day, the MPA, the Major Projects Authority, published their second report, for 2013-14.

Projects don't come much more major than GDS's mission to transform the UK government. GDS (the Government Digital Service) are the show, they tell us, the only solution to the delivery crisis and if it wasn't for them there'd be riots in the streets.

In the interests of openness, what is the MPA's verdict on GDS? How are GDS getting on? Red? Surely not. Amber? Green? That's more like it.

Sadly, no. There's not a mention of GDS. HS2, yes. GDS, no.

Friday, 18 January 2013

#2 of many lessons about GDS and the external digital thought-leaders

Would you trust an organisation that promises the impossible?

It's a week now since ex-Guardian man Mike Bracken, executive director of the Government Digital Service (GDS) and senior responsible officer owner for the government-wide Identity Assurance Programme (IDAP), issued his invitation to Sprint 13, The Future is Here.

What a party it promises to be. Come and meet "Government and Agency Board Members, Officials, Policy Makers, Ministers, Press and External Digital Thought-Leaders" in uptown SW1 at the Queen Elizabeth II Conference Centre on Monday 21 January 2013 from 08:45 to 13:00 (GMT) – "jealousy" hardly begins to describe the state of those of us who have been uninvited.

Still, at least the uninvited don't face the invidious choice of the select band of party-goers – which workshop to attend:

• AGILE working methods? Why do we need digital delivery? Electoral Registration Transformation?
Assuring identity in a digital environment? Going digital? ‘You be the judge’?
Aid information platform? Digital policy engagement? Open changes everything?
The use of social media? Open policymaking? ...

Very tempting to try Electoral Registration Transformation. So many questions:
  • Can the law be changed to allow the data-sharing which its advocates believe would facilitate a complete and accurate electoral roll?
  • Would data-sharing help?
  • How do you reconcile Whitehall's claim that they don't want to create a single national identity register with the plan to store the complete electoral roll with the credit referencing agencies?
  • Would that complete electoral roll provide the basis for a new way to conduct the national census?
  • ...
But in the end the choice surely must be Assuring identity in a digital environment:
  • If there's no on-line identity assurance, then GDS have been wasting their time.
  • If we can't transact with the government on the web, then digital-by-default collapses.
What are the chances of GDS delivering on-line identity assurance? Slim-to-nil.

We have the lesson of the National Identity Scheme to go by. After eight years of unstinting political support and taxpayers' money, it collapsed, with nothing to show for it, except the nervous breakdown from which the Identity & Passport Service still haven't recovered.

It would be a hard job in any circumstances to get digital-by-default off the ground. The news every day carries stories of security breaches on even the most exalted websites. And even whole countries – including ex-Guardian man Mike Bracken's favourite Estonia.

After years of security failures, GDS start with no trust. Which means they can't start.

No-one believes any more that there is any such thing as a secure website. The belief in secure websites is right up there with the belief in unicorns.

It would be hard enough, to recap, to make digital-by-default work in any circumstances, but GDS have made it even harder for themselves than it need be.

With the quasi-religious light of web zealots in their eye, GDS want to make access to public services just as easy as access to Facebook and Google and Twitter. That means abandoning the clunky old Government Gateway. The Gateway is relatively secure. Precisely because it's so clunky. Having separate user IDs and passwords for each person/company for each public service is precisely what makes it relatively secure. Get rid of the clunkiness and you lose the relative security.

GDS have appointed eight national so-called "identity providers" (IDPs). The name is either laughable or sinister. Neither quality promotes trust.

They were late naming seven of the IDPs, please see Identity assurance – one under the eight. And the name of the eighth – PayPal – only came to light about 48 hours ago, by such a devious route that their appointment looks suspicious, please see The identity of the UK's eighth identity provider has now been provided, reluctantly.

Why are GDS so embarrassed about PayPal? Or why are PayPal so embarrassed about GDS? Either way, it does nothing for trust.

Last March, 2012, GDS told us that IDAP would be "fully operational from spring 2013", please see Universal Credit and the December putsch. Now we learn that "systems will need to be fully operational from March 2013". The beginning of March? 41 days away. Or the end? 72 days. Either way, it's impossible. Would you trust an organisation that promises the impossible?

All that, and GDS want to put public services in the cloud, acknowledged as the single most efficacious way to lose control of your data. In this case of course, our data. Another own goal by GDS.

It promises to be a lively congregation on Monday and it's an infuriating shame to miss it.

----------

Updated 23.11.14

It was January 2013 when we wrote the following, please see above – all but two years ago:
GDS have appointed eight national so-called "identity providers" (IDPs). The name is either laughable or sinister. Neither quality promotes trust.
It's all change now. The Identity Assurance scheme (IDA) is now known as "GOV.UK Verify" and as GDS were telling us the other day in How does a certified company establish that it’s really you? ...
When you want to access a service using GOV.UK Verify for the first time, you’ll be asked to choose from a list of certified companies (also known as ‘identity providers’ – they can actually be any type of organisation that is certified).
... they're not called "identity providers" any more. Now they're called "certified companies". Stuck in their own terrarium, it's taken GDS two years and more to notice how ridiculous the idea of an "identity provider" is.

That's not all that's changed.

Three of the original "identity providers" have pulled out – Cassidian, Ingeus and PayPal want nothing to do with IDA/GOV.UK Verify.

And of the remaining five, only one is certified – Experian. The other four – Digidentity, Mydex, the Post Office and Verizon – have yet to be certified trustworthy by tScheme, an organisation no-one has heard of and no-one has any reason to trust.