Monday 17 February 2014

Skyscape – the Surprise as a Service company

It was such a surprise that everyone can remember where they were the day that Skyscape Cloud Services Ltd won the contract to host GOV.UK.

Skyscape was so young then that the company hadn't even submitted its first set of accounts to Companies House. One man alone owned all the shares in the company. There was plenty of competition from long-established cloud services companies with measurable track records. How did Skyscape beat them?

How did Skyscape go on to win contracts with the MOD? And HMRC? And the Home Office?

How did they qualify for pan-government accreditation?

Last month Skyscape surprised the world again with its open letter to the Government Digital Service and the Government Procurement Service. G-Cloud sales are rising "exponentially", they said, but that's not fast enough for Skyscape. G-Cloud is transforming government IT, they said, but again, not enough. Were they really saying that G-Cloud isn't working? And won't work, as currently designed?

There is a mystery exercising some of us about that open letter of Skyscape's. How did they get Bird & Bird to sign it?

Bird and Bird are solicitors. Red hot, no doubt, at drafting agreements, what are they doing signing a public complaint about operational matters drafted by a little splinter group of malcontents and addressed to what must be Bird and Bird's (prospective) clients?

While we were all pondering that, Skyscape slipped in yet another surprise. They submitted their 2013 statutory accounts to Companies House. 19 pages of surprises. They need to be rationed. You can have one now, just to be going on with.

Skyscape have used the Business review and future developments section of the Directors' report to do a hard sell. Among other things, the directors say:
With a current G-Cloud market share of circa 50%, Skyscape is the leading supplier of Infrastructure as a Service (IaaS) on the UK government's G-Cloud framework and delivers services directly to an increasing range of government departments including ...
50%?

A company that barely existed a year ago has been given 50% of G-Cloud business?

Is that the sign of a market operating efficiently?

What's the point of any other suppliers trying to sell through G-Cloud?

Those and many other questions would need to be answered if the 50% claim was accurate but, as it happens, it isn't.

Let's assume that a "current G-Cloud market share" is a share as at 23 December 2013 when Skyscape's accounts were signed. G-Cloud have published their sales figures to the end of November 2013 and Skyscape account for £1.3 million out of a total of £77.8 million. 1.7% of the G-Cloud market. Not 50%.

As for being the "leading supplier" of IaaS, according to the G-Cloud sales figures again, Skyscape do precisely no IaaS business, they make their money out of hosting, compute and storage. G-Cloud's IaaS business, such as it is, goes mainly to Intechnology plc. N Please see update below, 23 February 2014.

What will Skyscape come up with to entertain us next?

----------

Updated 23 February 2014

N Alan Mather has kindly corrected a DMossEsq mistake here.

Search through the November 2013 sales figures for G-Cloud, looking for occurrences of "IaaS", and you find 15 of them as follows:
Lot
Supplier
Product / Service Description
Total Charge
£(Ex VAT)
4
Actica Consulting Ltd
IaaS procurement
11,900.00
4
Actica Consulting Ltd
IaaS procurement
12,275.00
4
Actica Consulting Ltd
IaaS contract set-up support
11,175.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
9,300.00
1
INTECHNOLOGY PLC
IaaS
9,300.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
52,618.00
1
INTECHNOLOGY PLC
IaaS
49,560.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
INTECHNOLOGY PLC
IaaS
9,500.00
1
SPECIALIST COMPUTER
CENTRE
GCLOUD IAAS VPN
TERMINATION
4,120.00







226,748.00

No sign of Skyscape in the list, and thus the "Skyscape do precisely no IaaS business" comment above.

But that's not how you do it. The G-Cloud framework is divided into four Lots – 1, 2, 3 and 4 – and the whole of Lot 1 is classed as IaaS, see G-Cloud ‘Simple’ Procurement Instructions:
  • Lot 1 - Infrastructure as a Service (IaaS)
  • Lot 2 - Platform as a Service (PaaS)
  • Lot 3 - Software as a Service (SaaS)
  • Lot 4 - Specialist Cloud Services
On that basis, Skyscape had 38.86% (£1,299,765.53) of G-Cloud's IaaS business (£3,344,877.25) which, in some circles, could be described as "circa 50%", as long as you don't accidentally give the impression that you have 50% of the total market (£77.8 million) when, in fact, you only have 1.7%:
With a current G-Cloud market share of circa 50%, Skyscape is the leading supplier of Infrastructure as a Service (IaaS) on the UK government's G-Cloud framework and delivers services directly to an increasing range of government departments including ...

Updated 18.8.17

Just to keep DMossEsq's millions of readers bang up to date, it should be noted that Skyscape changed its name a year ago to UKCloud, please see Skyscape Cloud Services relaunches as UKCloud.

Why did they change their name? ElReg suggest that Skyscape rebrands to UKCloud following legal challenge by Sky. Computer Weekly magazine seem to agree, please see The Sky's the limit: Why UK Cloud has become the new name for Skyscape Cloud Services. Diginomica magazine ditto, David v Goliath – Skyscape rebrands as UKCloud after taking Sky to court.

ElReg et al may be partially right but "UKCloud" is undeniably a more appropriate name than "Skyscape". UKCloud's strategist Bill Mew argued in January this year that organisations including government departments are wrong to trust the big US cloud suppliers. In Only one cheer for the government’s public cloud endorsement he singled out Amazon Web Services (AWS) and Azure (Microsoft) in particular. It would be wrong to trust them with your data.

He says you'd be safer using UKCloud, who respect data sovereignty.

So now it's not just UKCloud v. Rupert Murdoch's Sky but also UKCloud v. Amazon and UKCloud v. Microsoft ...

... and UKCloud v. GDS, the Government Digital Service – Mr Mew is not impressed with GDS's failure to argue in favour of UK data sovereignty. DMossEsq agrees. GDS have consistently shown a complete lack of interest in the matter.

"... it was this largely inaccurate perception that public cloud is less secure than private cloud that was the main factor holding back cloud adoption. GDS’s recent very clear rebuttal of this central perception and its clear endorsement of public cloud is therefore very welcome", says Mr Mew. Cloud security is a problem and GDS saying it isn't won't comfort anyone.

Cloud security is a problem. And so is data sovereignty in the cloud. They always were and they still are. The case for cloud remains ... insubstantial.

Skyscape – the Surprise as a Service company

It was such a surprise that everyone can remember where they were the day that Skyscape Cloud Services Ltd won the contract to host GOV.UK.

Skyscape was so young then that the company hadn't even submitted its first set of accounts to Companies House. One man alone owned all the shares in the company. There was plenty of competition from long-established cloud services companies with measurable track records. How did Skyscape beat them?

How did Skyscape go on to win contracts with the MOD? And HMRC? And the Home Office?

How did they qualify for pan-government accreditation?

Sunday 16 February 2014

Some people must think that the British public is a cretin

Some people must think that the British public is a cretin


Cyber security








Digital by default

Health

Economics I

Economics II

ID cards

Innovation
__________

Updated 18.2.14:



care.data

Updated 12.5.14:


Youniverse

Updated 22.5.14:



Social Enterprise UK

Updated 25.6.14 #1:



G-Cloud by Tim Hanley

Updated 27.8.14




NSTIC (National Strategy for Trusted Identities in Cyberspace)
(This example is American rather than British
but same deal
as our IDA seems to share certain features with their NSTIC)

Updated 28.11.14




Updated 29.12.14


The UK should be more Estonian

Updated 13.1.15



It's not just the British, American and Estonian publics but the French one, too.

Updated 15.2.15

BBC Radio 4 World At One 23 January 2015 35'24"-41'39"


GOV.UK Verify – adrift in a world of its own:

The Great Pretender

Oh-oh, yes I'm the great pretender
Pretending that I'm doing well
My need is such I pretend too much
I'm lonely but no one can tell

Oh-oh, yes I'm the great pretender
Adrift in a world of my own
I've played the game but to my real shame
You've left me to grieve all alone

Too real is this feeling of make-believe
Too real when I feel what my heart can't conceal

Yes I'm the great pretender
Just laughin' and gay like a clown
I seem to be what I'm not, you see
I'm wearing my heart like a crown
Pretending that you're still around

Too real is this feeling of make-believe
Too real when I feel what my heart can't conceal

Yes I'm the great pretender
Just laughin' and gay like the clown
I seem to be what I'm not, you see
I'm wearing my heart like a crown
Pretending that you're still around

Songwriters
RAM, BUCK

Published by
Lyrics © Peermusic Publishing
1. While two little girls play Guess who? ...

2. ... and The Platters sing The Great Pretender,

3. Janet Hughes of the Government Digital Service and a spokesman for the Department for Work and Pensions fail to explain why GOV.UK Verify is several years late starting, and

4. David Alexander of Mydex reveals that, with GOV.UK Verify, as soon as security is breached, hackers will be able to impersonate him on all the 705 digital services for which he currently has separate logon ID and password combinations.



Updated 21.5.15 1



GaaP 1

Updated 21.5.15 2



GaaP 2


Updated 15.12.15



GOV.UK Verify (RIP)


Updated 23.12.15 1




Updated 23.12.15 2




Updated 3.1.16



Learning to be a better Civil Service



Updated 26.11.16





Updated 7.10.17





Thursday 13 February 2014

G-Cloud – Animal Farm

Tony Singleton is the Chief Operating Officer of the Government Digital Service (GDS) and, since GDS took over on 1 June 2013, he is also the G-Cloud Programme Director. This morning he published Taking G-Cloud forward on the G-Cloud blog:
G-Cloud has the potential to reach an estimated 30,000 buyers across the public sector. Yet research carried out by the 6 Degree Group suggests that nearly 90 percent of local authorities have not heard of G-Cloud.
30,000 prospective customers. There's supposed to be a "cloud first" policy. 27,000 customers haven't even heard of G-Cloud. That's a problem.

Take a look at the sales figures for G-Cloud:

December 2013 CSV data: G-Cloud-Total-Spend-13-12-13
(Will we see the same surge in March 2014 as we did in 2013
when people desperately try to use up their budget before the year-end?)

"There are over 13,000 services available via the CloudStore, provided by 1186 suppliers", Mr Singleton tells us, and G-Cloud sales to date stand at £77,788,989.55. That is deemed to be a disappointing figure and the rest of his missive is about how to improve performance.

His message has been trailed by a couple of publications, see Exclusive: Government removes 100 irrelevant services from G-Cloud and G-Cloud purge 100 services. It transpires that Mr Singleton is responding to an open letter orchestrated by Nicky Stewart, the commercial director of Skyscape.

We have already come across Ms Stewart and Skyscape. Before joining Skyscape she was the G-Cloud Head of ICT Strategy Delivery. She is not pleased with G-Cloud's performance since she left. And in her open letter to GDS and the Government Procurement Service she suggests some major changes.

The customer is always wrong
"We are passionate advocates of G-Cloud, and firmly believe in its principles of open competition within a diverse and transparent market", she says, and then complains two paragraphs later that:
The level of understanding around how to buy from the CloudStore remains variable. We see a wide range of practices and attitudes, and in frequent cases the G-Cloud buying guide does not appear to be followed. We all share a common interest in safeguarding the future of the framework, and thereby the emerging G-Cloud market. As opportunities through the framework become larger (and more valuable to suppliers), there is an increased risk of challenge from those suppliers who are losing revenues to G-Cloud. A successful challenge could potentially damage the integrity of the initiative, and all that it promises to deliver to the UK public sector. We recommend that a system be put in place to enable suppliers to report variances from the G-Cloud buying guide to the G-Cloud team and CCS to enable any common issues to be addressed ...
Her passionate advocacy of "open competition" stops short of welcoming competition to G-Cloud and she wants to stamp out any failure by the customers to adhere to the standard practice laid down in the G-Cloud buying guide.

Standardisation is also her solution to the messy business of customers impertinently asking for their own terms and conditions of business:
The G-Cloud framework is standardised and designed to remove complexity. In best case scenarios contracts can be completed within hours. Nonetheless, contractual standardisation generates challenges: for the buyer whose default is their own terms and conditions; and for suppliers whose own terms and conditions are at the bottom of a contractual hierarchy ... There is a clear need to engage with buyers to establish what the G-Cloud Framework terms need to cover, and incorporate into the standard terms to the extent possible. This – coupled with renewed emphasis on the G-Cloud buying guide on the extent that additional clauses can be used – will lead to improved adoption and safer contracting for all ...
Customers must be made to understand that their petty local requirements cannot be allowed to stand in the way of the greater good. They need to be re-educated: "better central guidance and education is needed as to what constitutes a material change to service".

Half the point of G-Cloud as recommended by Chris Chant was to have short contracts that don't lock customers into their suppliers. Ms Stewart turns that on its head: "The two year call-off term is often cited by buyers as a reason for not using G-Cloud, as it would force them into a frequent procurement cycle".

Short contracts are annoying for suppliers, too, and according to Ms Stewart: "given that a 'termination for no cause' clause now exists within the framework, we recommend that GPS increase the maximum contract term to three years. We believe this would encourage the immediate take up of cloud services, allowing buyers to get maximum benefit from the market, without locking them into any given supplier or technology".

She also thinks that customers are being too fussy about security: "Clear guidance is needed very soon: this will benefit the buyer, who may opt for an unnecessarily high (and costly) security wrap, and also the suppliers who have either invested or are investing heavily in PGA accreditation".

Not only does her market annoy her by insisting on individual terms and conditions and by walking away from contracts early and by wasting time trying to ensure that their systems are secure, they further annoy Ms Stewart by not always telling her when they have money to spend:
There is little, if any, transparency of forthcoming opportunity to the supplier, which can in turn lead to negative speculation about how long-lists and shortlists are compiled. We recommend that transparency principles are applied to all areas of G-Cloud transacting:
  • That an opportunity pipeline is published so that suppliers can see who is planning to buy and when (Contracts Finder would be the logical channel);
  • That suppliers are informed if they have been long-listed – and that reasons for failing to make the shortlist are communicated to the supplier. Suppliers can then improve their products and pricing which will in turn benefit the market as a whole.
"The CloudStore is, in our collective view, reforming public sector ICT procurement", she says. G-Cloud's short contracts with small- and medium-sized enterprises (SMEs) were meant to be the alternative to long lock-ins with an oligopoly of big Systems Integrators (SIs). But, as the self-appointed spokesman for the collective, Ms Stewart clearly doesn't approve.

With apologies to George Orwell: "The customers outside looked from SME to SI, and from SI to SME, and from SME to SI again; but already it was impossible to say which was which".

----------

Updated 14.2.14

The signatories to Ms Stewart's open letter are:
Simon Hansford, CTO, Skyscape Cloud Services Ltd
Richard Steel, General Manager UK, Azeus UK Ltd
Roger Bickerstaff, Partner, Bird and Bird
Tim Bennett, Managing Director, Datatank Ltd
Richard Clarke, Head of Public Sector EMEA, Huddle
Elizabeth Vega, CEO, Informed Solutions Ltd
Marek Baldy, Business Development Director, Konetic
Mark Cooper, IS&GS Civil UK Managing Director, Lockheed Martin UK Ltd
Karen Carlton, Head of Sales and Marketing, MDS Technologies Ltd
Mark Webber, Partner, Osborne Clarke
Sam Simpson, Commercial and Delivery Director, Roc Technologies
Peter Hornsby, COO, SFW Ltd
Martin Rice, CEO, The Agile Consultancy
Scot Paton, COO, Vysionics ITS Ltd
Andrew Curtois, Senior IT Category Manager, Westminster City Council

G-Cloud – Animal Farm

Tony Singleton is the Chief Operating Officer of the Government Digital Service (GDS) and, since GDS took over on 1 June 2013, he is also the G-Cloud Programme Director. This morning he published Taking G-Cloud forward on the G-Cloud blog:
G-Cloud has the potential to reach an estimated 30,000 buyers across the public sector. Yet research carried out by the 6 Degree Group suggests that nearly 90 percent of local authorities have not heard of G-Cloud.
30,000 prospective customers. There's supposed to be a "cloud first" policy. 27,000 customers haven't even heard of G-Cloud. That's a problem.

Tuesday 11 February 2014

RIP IDA – if you've got nothing to say, say it

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

17:09, yesterday afternoon, Monday 10 February 2014, an email arrives saying that the Government Digital Service (GDS) have published a new blog post, Striking a balance between security and usability.

Read it, and one question keeps asking itself – why? Why did they publish this interview with James Stewart, the director of technical architecture at GDS? What was publication supposed to achieve? What is the message they're trying to convey?

A number of messages do come across. But unless GDS is trying to undermine itself these messages can't possibly have been intended. Mr Stewart's topic is the balance between security and usability. That's the question. And his answer is – you have to balance them.

Yes James, thank you, we know that, that's the title of the blog post, the question is how? How do you balance security and usability? And since he doesn't answer that question, the inference is that he can't answer it – GDS don't know how to balance security and usability. That's the message that comes across.

That ignorance doesn't seem to worry them. That's another message that comes across. GDS aren't interested in security. Only in usability.

This isn't the first time. We saw this lack of interest in security in Public Servant of the Year ex-Guardian man Mike Bracken CBE's speech last October to the Code for America Summit 2013 and we saw signs of it again two weeks ago in the blog post by GDS's Janet Hughes and Leisa Reichelt, Security and convenience: Meeting user needs.

GDS may not be interested in security. But other people are. They understand its importance.

When GDS's David Rennie spoke at the US Identity Ecosystem Steering Group conference in January, he said that the reason there are none of the big retail banks signed up to IDA, the identity assurance programme, is that they've been too busy sorting out the aftermath of 2008's credit crunch (31'22"-32:32").

That's silly. Identity assurance is what retail banks do all day every day – they can't be "too busy" to do it.

Is the real reason that the banks won't sign up that they don't want to be associated with IDA? And they don't want to be associated with it because, without a proper understanding of security, IDA will crash on take-off, destroying the reputation and the share price of everyone connected with it?

Is that perhaps the reason why Cassidian and PayPal, who were signed up to IDA, have subsequently pulled out?

Security isn't important. What does that imply for HMRC, who are being asked to give up the long-established Government Gateway and to rely instead on IDA?

And what does it imply for the remaining "identity providers"?

It would be a shame to see the Post Office's good name besmirched. The fates of Digidentity, Mydex and Verizon don't concern us much in the UK, they don't have a reputation here to lose. But Experian should worry us all.

They don't need GDS. Experian already do identity assurance in the UK and overseas. They're good at it. They have a global brand, a global good name, and DMossEsq, for one, would like to see them keep it, not least because his pension fund is quite heavily invested in Experian. Their association with GDS and IDA is a threat to DMossEsq's retirement, and the retirement of many others – we're talking about a FTSE-100 company here.

The message from James Stewart's blog post is – Experian, get out, like Cassidian and PayPal, before the shareholders revolt. Why did GDS want to publish that?

----------

Updated 23.5.14
Ebay urges users to reset passwords after cyberattack

Auction site eBay has urged users to change their passwords after suffering what may have been the biggest-ever cyber-attack when hackers broke into a database holding its 233m customers’ personal data ...

The attack is even bigger than that which affected the US retailer Target in December, when around 40m customer credit cards were stolen by hackers, who broke into the company’s systems. The fallout from that security breach led to the resignation of Target’s chief executive in May ...
The latest in a long line of security breaches. And a harbinger of things to come unless GDS starts to take security seriously.

Updated 9.6.14

GDS published a blog post today, Sensible Security. At first it looks as if they're starting to take security seriously ...
... for routine government business and the delivery of public services, government should think about security just as a large and well-run company would do – consider the organisations who look after your savings, manufacture medicines or produce the smartphone in your pocket ... The answer is to think about security as part of the user needs ...
... but the effort proves once again to be too great and we are left with them thinking about security as ...
... something that is integral to (and should be balanced against) every other facet of the service. If we can achieve this balance, and users and risk owners alike can understand it, then we’ll have been successful.
They're no further forward than 10 February 2014 and Striking a balance between security and usability. Luckily the banks and other organisations GDS claim to want to emulate are way ahead.


Updated 20.1.15

No stopping GDS. Now they're responsible for the Public Services Network (PSN).

The what?

"Simply put, the Public Services Network (PSN) is the government’s high-performance network". That's James A Duncan's take on the matter in Making the PSN better. And he's the new new Chief Technology Officer for the PSN so he should know.

According to Mr Duncan:
For suppliers previously, a Pan-Government Accreditor (PGA) would accredit services against the requirements for the Impact Levels. This created an unwieldy bottleneck that has actively added cost to supplier services, and slowed down the rate at which new services are made available on the network. We are changing the over-the-top Service assurance to be more in-line with G-Cloud and the Cloud Service Security Principles.
The Cloud Security Principles remove the "unwieldy bottleneck" which cost money and took time by making the users responsible for assessing security themselves on the basis of unaudited assertions made by the suppliers. You can see why Mr Duncan fits in well with GDS. He has the same relaxed view of security.

What is not clear is how this makes the PSN "better".

Does Mr Duncan have any security advice for his users? For all those central government departments and local authorities and "schools, doctors’ surgeries, pharmacies, emergency services, hospitals and charities large and small"? You bet:
… we’re creating an option for connectivity that allows customers to connect using suitable encryption, via the internet.
"Suitable"? What does that mean? Like "balanced" (please see James Stewart in the post above), it means nothing.

There goes the PSN.

----------

Updated 23.11.16



Updated 23.1.17

Mystery: the departing James Stewart on DirectGov and BusinessLink.


RIP IDA – if you've got nothing to say, say it

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

17:09, yesterday afternoon, Monday 10 February 2014, an email arrives saying that the Government Digital Service (GDS) have published a new blog post, Striking a balance between security and usability.

Read it, and one question keeps asking itself – why? Why did they publish this interview with James Stewart, the director of technical architecture at GDS? What was publication supposed to achieve? What is the message they're trying to convey?

A number of messages do come across. But unless GDS is trying to undermine itself these messages can't possibly have been intended. Mr Stewart's topic is the balance between security and usability. That's the question. And his answer is – you have to balance them.

Yes James, thank you, we know that, that's the title of the blog post, the question is how? How do you balance security and usability? And since he doesn't answer that question, the inference is that he can't answer it – GDS don't know how to balance security and usability. That's the message that comes across.

Saturday 8 February 2014

RIP IDA – JFDI and the Black Pencil


... every transaction you ever undertake should depend on Mydex.
No Mydex, no transactions ...

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

If you're a creative, there's nothing like winning a D&AD award for your work. And as DMossEsq readers know, the Government Digital Service (GDS) won a prestigious Design and Art Direction Black Pencil last year in a specially-created category for UK-government-websites-called-GOV.UK.

Judging by this week's Looking back at Sprint 14, GDS are going for the double and trying to win another pencil.

Sprint 14 was the government computer nerds' celebration at which Francis Maude famously announced that "we’re the JFDI school of government". Rather than attempting to string a few sentences together to explain what's going on in the Cabinet Office computerwise, GDS have produced two videos with exciting upbeat music and a few flashcards making vague assertions about progress but nothing you could hold them to.

GDS aren't meant to be the government's ad agency. They're meant to be developing computer services which will, as they keep telling us, transform government – "400 days to transform government". In pursuit of which, they have a transformation page on GOV.UK. A transformation page which continues stubbornly to show that, of the 25 target services, only one has gone live:


(an old screenshot, the numbers are currently 3/5/16/1)
Faced with the oneness of their transformation to date, GDS suggest in their videos that it's thanks to them that individuals and companies can submit on-line returns to HMRC.
But some of us have been doing that for a decade already. And that's thanks to HMRC. Not GDS. HMRC have a good record. GDS didn't even exist when HMRC and DVLA and Companies House, among others, first made their services available on-line.

The question exercising this year's D&AD Awards Committee is no doubt the same question exercising us all – where is IDA?

None of these 25 on-line government services is worth a broken pencil without IDA, identity assurance. First promised for live public use by autumn 2012, IDA still doesn't exist.

Where is it?

We don't know.

All that we do know is that the UK's unwritten Constitution is going through one of its occasional adaptations. According to GDS, it will now have to accommodate an institution known as the "identity provider" or "IDP".

Every individual in the country, every company, charity, trust, ... will be provided with an on-line ID and will use that to communicate with the government when making tax returns or whatever. That's the idea of Martha-now-Lady Lane Fox's digital-by-default manifesto.

There are (probably) five IDPs. Four of them – Digidentity, Experian, the Post Office and Verizon – never say anything in public about IDA, so they don't help to answer our question. But one of them, Mydex, by contrast, is downright exhibitionist. And they too, like GDS, have recently released a video, New directions, commercial opportunities, and managing the risks, "watch the video of our CEO David Alexander speaking at the BCS and EEMA event".

Mr Alexander is a fast-talking jovial cove who gives himself 16 minutes and 46 seconds to explain why every transaction you ever undertake should depend on Mydex. No Mydex, no transactions.

That's the burden of his message towards the end of the video. You may or may not be convinced.

At the start, he is at some pains to tell you that Mydex is a CIC, which it is, a Community Interest Company, which can't sell itself to Google or any of the other latter-day Pied Pipers. That suggests, quite rightly, given that they're not giving their services away for free, that if Mydex were to succeed in their ambition to become the axis around which every single transaction in the UK economy revolves, it would be a very valuable company.

But first, it needs to inspire trust in every individual and every organisation in the country, as noted, most of whom have never heard of Mydex. How?

Mr Alexander suggests that we should trust Mydex because it is a "member" of tScheme. tScheme is a standards body which measures the trustworthiness of on-line services like Mydex. But why should we trust tScheme, of whom we have also never heard? Mr Alexander doesn't tell us.

We have come across tScheme before, when William Heath, the chairman of Mydex, told us that Mydex is "compliant" with tScheme. And as we noted then, tScheme's list of certified services stubbornly refuses to include Mydex. Or Digidentity or the Post Office or Verizon.

A member? Maybe. Compliant? Maybe. But certified? No. Mydex has not been certified by tScheme.

And what do we know about certification and IDA?

Answer, Steve Wreyford of GDS has told us that Delivering Identity Assurance: You must be certified: "We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government’s Good Practice Guides".

Which implies that, by GDS's own JFDI lights, there is a bit of a dent in the bodywork of GDS's fleet of IDPs. A problem with trust. An impediment to Mydex's ambitions. And Digidentity's and the Post Office's and Verizon's.

"What about Experian?", you ask. Good question. Let's leave that for another day.

For the moment, as far as D&AD are concerned, and the rest of us, the stubborn reality is that GDS's marketing is just hype. There is no IDA. No Black Pencil for GDS this year. RIP IDA.

----------

Updated 12:05

Some readers may remember that IDA was tested by Warwickshire County Council. The Council worked with three of GDS's IDPs – Mydex, PayPal and Verizon.

How did that test go?

With no exciting upbeat music and not a flashcard in sight, PayPal have subsequently pulled out of IDA. And the Open Identity Exchange report on the test "highlighted shortcomings in the user journey arising from the technical implementation of the IDA Scheme".

The report also said that "... considerably more thought needs to be applied in this area [stepping up from Level of Assurance 1 to Level of Assurance 2] if it is to become a viable proposition going forward".

And that: "... at the time of this project, the functionality required to deliver user data directly within the IDA Scheme [to create a new account] had yet to be developed ... The consequence is that the user is faced with a convoluted process when using the IDA Scheme for the first time".

And "... users often struggled as they sought to understand how this method of signing in to government services worked".

Before adding "users were not clear why private sector companies were being used to carry out identity assurance on behalf of government" and "Some aspects of the registration processes proved annoying to the users ...".

The D&AD Awards Committee may want to pencil some of these comments into their calculations.

Updated 15.8.14

It's six months since we noted that only one of the UK's "identity providers" is certified trustworthy by tScheme. Experian. The other four hadn't even bothered to apply at the time. The Post Office and Verizon, Digidentity and Mydex. They just hadn't got round to it.

Now they have – take a look at tScheme's list of registered applicants.

A bit late, you may say. It's one thing to apply. Quite another to obtain certification. That could take ages.

Ah, but you don't know the half of it.

It doesn't matter how long certification takes. It's a waste of time. Not worth the paper it's written on. Or the authentic digital certificate it's encrypted in. Because there's no such thing as a trust framework.

That's the opinion of Ctrl-Shift, Mydex's sister company, who say that there's no agreed definition of "trust framework", no known way to enforce the conditions of trust and no viable way to pay for enforcement anyway.

You may or may not agree with Ctrl-Shift but there is growing support for their view. The Estonian cybersecurity company Guardtime, for example, believe that the pursuit of trust in the digital world is a wild goose chase, a "doomed strategy", as they call it. You may or may not agree with Guardtime. But Chris Chant does.

Mr Chant was the primum mobile behind G-Cloud, the UK government cloud computing initiative. He has been promoting Guardtime on the G-Cloud Twitter account for the past two months or so. "Truth, not trust". That's his slogan.

And not once have G-Cloud disagreed with him or objected in any way.

If Ctrl-Shift and Chris Chant and the G-Cloud team and Guardtime are right, we ordinary members of the public would be ill-advised to rely on Mydex for every on-line transaction we undertake. And even if IDA existed we could have no trust in it, RIP.

RIP IDA – JFDI and the Black Pencil


... every transaction you ever undertake should depend on Mydex.
No Mydex, no transactions ...

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

If you're a creative, there's nothing like winning a D&AD award for your work. And as DMossEsq readers know, the Government Digital Service (GDS) won a prestigious Design and Art Direction Black Pencil last year in a specially-created category for UK-government-websites-called-GOV.UK.