Thursday 10 September 2015

RIP IDA – investment interest "has closed or been withdrawn"

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Let's say that you're a venture capital person. In that case you'll know that 95% of the ventures you invest in bomb. For £95 out of every £100 that you invest, there's nothing to show for it. You lose your money. It's gone.

Just to break even, the other £5 has got to return £100. Your investment has to appreciate by a factor of 20. After tax. After all investment costs. Such as hiring the Four Seasons Hotel in Hampshire for the day. That's not cheap.

But what's the point of breaking even? You can do that by not investing in the first place. The idea is to make a profit.

How much profit? You want to double your money? Then that £5 investment you made in the one surviving enterprise has to grow by a factor of 40, not 20.

That's not going to happen overnight. Suppose your investment grows at the rate of 10% p.a. How long will it take to be worth £200? Answer, something between 38 and 39 years. 38.70394 years to be precise, but there's no point being precise because you have clearly starved to death a long time before merely doubling your money.

38 is pushing it. Let's say you can afford to lock up your money for five years. How fast does the value of the investment have to grow? Answer, at the rate of 109.1279% p.a. Every annum. For five years. After tax. And after costs.

It's not easy finding investments that can do that. And even if you find one, your peers in the venture capital business will laugh at you for only doubling your money. But never mind their laughter, let's say that you're a pretty grounded sort of investor and that, for you, net doubling your money in five years is enough.

Time to take an example.

Let's suppose some entrepreneur brings you a prospect based on GOV.UK Verify (RIP), a business idea that depends for its success on identity assurance.

It's got Whitehall's name behind it. That's good. Lions, unicorns, crowns, Latin Old French mottos and the bottomless pockets of UK taxpayers and the ever-generous austere overseas creditors who have so far lent the UK £1,500 billion.

It's got volume. 60 million people. Shame GOV.UK Verify (RIP) can't do companies, partnerships and trusts yet, maybe that will come, but at least it's got 60 million potential users, the great unwashed.

And the great unwashed can be forced to use GOV.UK Verify (RIP). Its use can be made mandatory. Either that, or the great unwashed can be nudged into using it. You want a driving licence? Apply using GOV.UK Verify (RIP). You don't want to use GOV.UK Verify (RIP)? Fine. Don't. But then you don't get a driving licence. Up to you.

It's looking quite healthy. There are other identity assurance suppliers out there, notably the banks, there is competition, but Whitehall has some powerful monopoly advantages. The EU wants everyone to have electronic ID. The UK government would like to look modern. Like Google or Amazon or Facebook or Apple.

Of course, the product doesn't actually exist yet. Some of GOV.UK Verify (RIP) is currently in public beta but most of it is in private beta or even less far advanced. A lot of this prospect is just a glint in the eye at the moment. But that's what venture capital talent scouts are meant to be good at spotting, the glints that are going to survive to term and grow up to become healthy cash cows.

GOV.UK Verify (RIP) relies on "identity providers". Nine of them. We have been assured that "identity providers" have to be certified trustworthy:
  • Four of them are certified – Experian, Verizon, GBGroup and digidentity.
  • One of them has applied for certification – the Post Office.
  • The other four haven't even applied yet – Barclays, Morpho, Paypal and Royal Mail.
Not a good sign. Not for a service that's meant to be out of beta and live by April 2016.

And these "identity providers", they're paid a pittance by GDS, the Government Digital Service. It's a contractual thing.

That's not good either. Why do they bother? That'll slow things down. They're not going to go the extra mile needed to deliver 109.1279% p.a. growth. Get the lawyers onto it. Maybe they can work something out.

And the customer base is shrinking. It's not 60 million. GDS say they are on track to cover 90% of the population by April 2016. That's six million users lost. They say they can only cover 80% at the moment. Another six million who won't be generating turnover.

That's not good.

And who says GDS have got GOV.UK Verify (RIP) covering 80% of the population right now? Only GDS. No-one independent.

Not good.

What's the marketing plan for GOV.UK Verify (RIP)? It better be good. Something's got to promote public trust in these "identity providers", half of whom no-one's ever heard of. Something's got to make the public want GOV.UK Verify (RIP). Something's got to tell the public what it's for and how to use it.

There is no marketing plan. GDS's "objectives for live" do not mention any such plan. And so far all they've told the public is that GOV.UK Verify (RIP) is for submitting tax returns and applying for state benefits. They've sort of missed out the private sector, entrepreneurial bit. So far. In public. For the moment.

That's not good. That's really not good.

Who's in charge of this major new service that doesn't have a marketing plan? Answer, Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO. He's the executive director of GDS and he's the senior responsible owner of GOV.UK Verify (RIP).

That's good.

Until you remember that he's leaving at the end of September, in 19 days, and no new SRO has been announced.

That's not good.

What about cybersecurity? Have GDS ticked all the boxes? Venture capital persons have investment boards to report back to. The directors like to see ticks in all the boxes before they expend the considerable intellectual energy required to assess the investment in detail. And a lot of those boxes concern security.

GDS are a bit ambivalent about security. They do mention it. But they prefer to market on usability.

That won't worry the venture capital persons one bit. GDS can market on usability all they like. Just so long as they market on something and actually tell the public that the product exists and give the public some reason for using it, thereby causing money to change hands. But the question remains, is GOV.UK Verify (RIP) secure?

There's an academic report arguing that the GOV.UK Verify (RIP) identity hub is hackable. The investment board won't like that. GDS have recruited one of the academics. That's dastardly. And sensible. That'll keep him quiet.

The others may be prevailed upon to restrict their criticisms to the US equivalent, NSTIC. If the remaining academics shut up about GOV.UK Verify (RIP) the board might just wear it, with a big question mark. The prospect could still be in with a chance. But there's more.

There's that GDS job ad on LinkedIn.

"This is an opportunity to be at the heart of an evolving service that is leading the world ...". Who says GOV.UK Verify (RIP) leads the world? Only GDS. Is it a good thing to lead the world? Not necessarily.

"You will be working in a relatively unique technical environment ...". What is relative uniqueness? How is it distinguished from absolute uniqueness? And why?

"The Government Digital Service is leading the digital transformation of government ...". Says who?

GDS want to recruit a Security Operations Engineer. That's what the job ad's for. "... technical problem solving will be related to security, identity management, and scaling in a cloud based environment ... You will resolve threat and vulnerability management issues ... work with the technical teams to continuously improve the security of the platform ... lead technical projects to implement or enhance security ... work with external suppliers, such as penetration testers ... help develop robust security processes and security awareness amongst technical teams ...". You will be responsible for the "administration of internal PKI [public key infrastructure] and assisting Relying Parties [HMRC, DWP, ...] and Identity Providers with their certification onboarding ...".


This is all good news for the investment board. Except that this job ad was posted "15 days ago" according to LinkedIn and it says: "As the first dedicated Security Operations Engineer in this team, it is an opportunity for you to ...".

The first? There are no others? The GOV.UK Verify (RIP) project has been running for four years and this will be the first dedicated security engineer in the team?

And if you click on Apply on company website, what do you see? Lions, unicorns, crowns, Latin Old French mottos and:


"This job has closed or been withdrawn". As has, by now, surely, any interest in investing, by any venture capital person.

----------

Updated 11.9.15
Agile. You just have to be agile.

"This job has closed or been withdrawn" – that's what it says on civilservicejobs.service.gov.uk.

But if you look at gds.blog.gov.uk it doesn't say that. It looks as if the job offer still exists.

So which is it? Closed-or-withdrawn or still-available? We don't know and there's no point guessing.

The only things that must be clear to a venture capital person considering an investment are that GDS is (a) very late recruiting its own in-house security expertise, (b) unsure about its short-term future and (c) unable to co-ordinate two GOV.UK websites devoted to the same matter.

No cigar. Investment contra-indicated.

And for anyone applying for the other job advertised to work as a GDS Privacy Officer? We've already warned that the organisation you join is not the organisation you will work for. But now you need to factor in the question whether, having successfully submitted your application on time, yesterday or earlier, the job will still exist by the time interviews start on Monday week, 21 September 2015. Or the next day.

Updated 20.9.15
"You don’t have to go far
to see digital teams
doing the do"

One of the guiding principles of GDS's work is to meet user needs. As they never stop telling us.

They may tell us that but, in contravention of one of their other guiding principles, show-don't-tell, they can't show it. We have seen the case of transferable marriage allowances, for example.

The Daily Mail newspaper told us about it back in June 2015, Thousands miss out in marriage tax fiasco. So did the Times newspaper, in May, Perk that’s just too taxing. Twice, Applying for this marriage perk ain’t easy.

The problem is that people can't register with GOV.UK Verify (RIP). And if they can't register, they can't apply for this benefit. Not on-line, at least, they can't. They give up the attempt to claim £212 p.a.

Prospective claimants regard the cost of registering with GOV.UK Verify (RIP) as being greater than £212 p.a. There's a thought for entrepreneurs and the people funding them.

HMRC, who administer these tax claims, are naturally embarrassed that it is so difficult for legitimate claimants to succeed. "No one will miss out on the Marriage Allowance because of difficulties with online verification", they say. And in their defence they remind people that it's not they, HMRC, who devised GOV.UK Verify (RIP), "it’s not our IT system; it’s the Cabinet Office’s".

Why do the London School of Economics say that GOV.UK Verify (RIP) "highlights the benefits of directly addressing user needs"? No-one knows.

User needs are not being met. Or they weren't last May and June. As OIX, the Open Identity Exchange, GDS's business partner pointed out, the "identity providers" currently signed up to GOV.UK Verify (RIP) can't hack it. They need help to try to reach level of assurance 2.

Luckily, there is another guiding principle of GDS's work – to be agile. Iteration allows GDS services to be continually updated so that user needs are better met:


Is that true? It's one thing to tell us. But can GDS show that agile software engineering delivers constant improvement?

Not according to yesterday's Times, where a tax advisor suggests that it's best to bypass GOV.UK Verify (RIP) and apply for marriage allowance transfers by post, Try snail mail for the marriage tax break.

Only the other day, 11 September 2015, the Prime Minister was saying "across the spectrum, there are opportunities for us to make a difference not just to people’s pockets but to people’s lives. For example, I believe the creation of the Government Digital Service is one of the great unsung triumphs of the last Parliament".

That's unfair. DMossEsq has taken the trouble to write a song celebrating GDS's triumphs. There must be someone somewhere whose pockets and life have been improved, who could record Agile People and take it to No.1.

Meanwhile, GDS are reduced to devising ever more gnomic guiding principles, their latest being "you don’t have to go far to see digital teams doing the do". Let that be a comfort to the married couples forgoing £212 p.a.


Updated 2.11.15

Ever optimistic, some venture capitalists may still be considering making an investment in an innovative business which relies for its success on GOV.UK Verify (RIP) working. The triumph of hope over experience.

The rest of the venture capital caravan will have moved on. They have learnt about taking unreasonable risks with their money. They will be able to read GDS's latest blog post on the subject, Making GOV.UK Verify [RIP] available to more people, with equanimity.

It won't worry them when they read that GOV.UK Verify (RIP) can only be made "available to more people" by lowering the standards of verification. GOV.UK Verify (RIP) has never reached level of assurance 2 and now that goal will be even further away:
You don’t need as much evidence to prove your identity
Whereas previously you would often need 3 pieces of evidence to prove your identity, now you will often only need 2 pieces of evidence.
They won't feel that their money is going down the plughole when told that GOV.UK Verify (RIP) may rely on selfies and the hopelessly flaky biometrics technology of face recognition:
You can take a photo of yourself instead of answering questions based on credit history
... Now, GOV.UK Verify [RIP] also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.

If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies [i.e. two of the "identity providers"] - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared.
GDS make it clear in their post that, for them, successful verification depends on the payments industry:
Certified companies ... can now use methods developed for online payments to check an electronic payment card directly with the issuing authority.
The work is being done by the payments industry, not GDS. That's where the realistic venture capitalists will be investing. The optimistic ones won't, because they won't have any money left to invest. RIP.


Tuesday 8 September 2015

Assisted dying the digital way with a core consent delegation management repository

Guess what this is:

| Transaction Date | Transaction Type | Merchant/Description | Debit/Credit | Balance |
|---|---|---|---|---|
| 31-12-2014 | GDS | *********************************************** | -224.76 | 2,524.32 |
| 30-12-2014 | BIS | ******************************** | -1,614.68 | 2,749.08 |
| 01-12-2014 | GDS | *********************************************** | -185.57 | 4,363.75 |
| 01-12-2014 | GDS | ****************************** | -1,269.42 | 4,549.33 |
| 31-10-2014 | GDS | ********** | -1,066.21 | 5,818.75 |
| 30-10-2014 | BIS | ************************ | 826.43 | 6,884.96 |
| 30-09-2014 | GDS | *************************** | 2,440.86 | 6,058.53 |
| 30-09-2014 | GDS | ************************ | 2,953.17 | 3,617.67 |
| 08-09-2014 | BIS | *********************************************** | -206.86 | 664.50 |
| 04-09-2014 | BIS | *********************************************** | -311.02 | 871.36 |

Give up?

Here's a clue:
In 1621, King James I directed the Privy Council to establish a temporary committee to investigate the causes of a decline in trade and consequent financial difficulties. 394 years later, the temporary committee is still with us, currently known as the Department for Business Innovation and Skills (BIS).

In November 2011, nearly four years ago, BIS promised us midata, an initiative which was supposed to empower us consumers by giving us control over our own data.

"midata is about giving the public more control and access to their personal data. There are potentially endless possibilities", BIS told us and proceeded to list 10 of them starting with "midata could help you manage your returns and warranties".

It's not just returns and warranties. "midata also creates opportunities for new markets to develop where businesses help consumers use their data to make better consumption decisions and lifestyle choices". If only we consumers would agree to keep all our data up to date in a personal data store (PDS), then apps created by entrepreneurs in these burgeoning markets could process it and tell us what to do. Say goodbye to illogical decisions.

It's arrant nonsense of course. Not even Narcissus has the time or the inclination to "curate" himself, as they call it, by keeping his PDS up to date. There's no-one left on the planet stupid enough to hand over their personal data to an on-line stranger – think Ashley Madison. And this control BIS were talking about. Control over your personal data. Once you've handed the data over, you've got no control. You've lost it and it's not in BIS's gift to give it back to you.

A number of major suppliers including DMossEsq's bank had to humour BIS. No point upsetting a central government department. Play along. But there are limits. These suppliers have to make sure that their customers aren't harmed by midata. That's a practical matter of reputational survival. Any customer who suffers from midata is going to blame the bank, not James I.

And so they came up with the useless data shown in the opening table above*. DMossEsq clicked midata on his on-line banking service and, after reams of warnings not to show the data to anyone, the bank served up the last year's transactions on one of his little-used accounts.

You will note that DMossEsq received £2,953.17 from ************************ on 30 September last year and that he spent £185.57 with *********************************************** on 1 December. Whether he got a warranty isn't clear. Try making a logical decision based on that.

You can probably forget about the midata initiative now.

But the desire to get people to fill up a PDS with all their personal data and then pay a stranger to use it lives on.

In gradually more and more perverse ways.

The latest of which is exemplified by our old friends Mydex, who now advocate PDSs as an aid to considerate death, Personal empowerment means addressing the consent challenges we all face: "If transaction-based consent persists, what's needed is the ability to take a feed from each site's transactional processes that automatically drops every ticked consent box into the individual's core consent delegation management repository, part of their personal data store".

----------

* Dozens of transactions are not shown in the table, it's just an extract from DMossEsq's midata report. The transaction dates have been changed. So have the transaction types and the debit/credit amounts, with the balances updated accordingly. The merchant/description details have not been changed – that's exactly how they appear, as a variable number of asterisks.

Monday 7 September 2015

RIP IDA – what they didn't tell you about the future of GOV.UK Verify (RIP). Follow the entrepreneur


No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

GOV.UK Verify (RIP) 101
According to Introducing GOV.UK Verify (RIP), "GOV.UK Verify [RIP] is the new way to prove who you are online so you can use government services safely, like viewing your driving licence or assessing your tax".

It's a daunting prospect, "when you’re using digital services, you need to be sure that your privacy is being protected and your data is secure".

But don't worry, "GOV.UK Verify [RIP] is more secure than usual methods of proving who you are, because there’s no central storage of information". That is a contender for one of the world's great non sequiturs but, all the same, don't worry ...

... because "GOV.UK Verify [RIP] uses certified companies to check it’s you ... it takes less than a minute to verify your identity each time you need to use a GOV.UK service ... You choose the certified company (you can choose as many as you like, and you can change at any time). You don’t have an account with government ... no-one has more information than the minimum to perform their function".

Don't be confused, "GOV.UK Verify [RIP] isn’t a service in its own right. Rather, it provides a way into government services on GOV.UK".

Follow the entrepreneur
Last week saw the fifth Annual Investor Summit at the Four Seasons Hotel in Hampshire. 200 throbbing entrepreneurs were entertained for the day with a programme designed and sponsored by:
  • Ariadne Capital, "an investment and advisory firm which operates as an enabling platform for Corporates who seek to build new digital revenues, acquire digital start-ups and enhance their strategy, Start-ups who understand digital infrastructure and are building enabling technologies which will bring strategic advantage and revenues to Corporates, and Financiers who are seeking the winning industrialists of the day to back. We operate in the MediaTech, HealthTech, FinTech and Cleantech ecosystems".
  • EntrepreneurCountry Global, "Ariadne Capital is investing in the ‘Digital Enablers’ whose role is to bring new economics to larger, non-tech traditional businesses and industries ... EntrepreneurCountry, a subsidiary of Ariadne Capital, is operationalizing these economics for the larger, non-tech traditional businesses and industries (we call them affectionately Goliaths). By building in EntrepreneurCountry, Goliaths can build their ‘Digital P&L’ by formulating new hypotheses about how their business will work in the future, and how their industry should work. In our marketspace, we help Goliaths – whether they be banks, newspaper groups, retailers, transportation firms – build the future from the future, test pilot new ventures through EntrepreneurCountry’s ‘citizens’ who act as an early adopter group, and learn how the new economics of becoming a platform are superior to the current economics of their firm. Why are we doing this? [Good question] ... ",
  • Kemp Little, "Many law firms keep up with new technology. We lead it_ ... At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare".
  • ®ightsrer "was founded in May 2011 with the vision of enabling media businesses and brands to overcome the huge fragmentation in the online video market with a single technology platform for engaging audiences and transacting with optimal efficiency".
  • Xoriant, "we bring three core differentiators to every client engagement [Good] ...".
  • O2, "the Think Big Blueprint – our plan for people and planet – shows how we're going to get there. You can also download this as an e-brochure".
  • OIX "is helping drive the expansion of existing internet services and the rapid deployment of new online products. With its team of rivals, OIX has become a global center of excellence for the identity trust layer of online transactions serving as a test bed for business, legal and governance policies in the emerging open identity ecosystem".
You know what to expect from these events, don't you. The day opened with The future of Communications and networks followed by The future of India. You can watch for yourself as Arvind Gupta explains (1:09:55) that there are millions of people in India and millions of them have got mobile phones so, like him, you ought to be able to make some money there.



They covered The future of media and The future of conflict resolution. Not to mention The future of property and The future of banking & financial services.

Antony Barker, the Managing Director and Chief Pensions Officer of Santander forgot to mention the future in the title of his presentation, Harnessing energy to feed returns but then normal service was resumed with The future of backing creative artists and The future of story telling, followed by The future of democracy and citizenship and finally The future of retail.

So what?
So what was our Janet Hughes doing there?

Janet, remember, is the programme director for GOV.UK Verify (RIP). And GOV.UK Verify (RIP), remember, "provides a way into government services on GOV.UK". That's its job. Nowhere on GOV.UK does it mention how the idea of GOV.UK Verify (RIP) is to throw 60 million UK electronic identities (eIDs) like so much red meat to 200 keen-as-mustard entrepreneurs.

Nevertheless, there was Janet chatting about The future of identity to the assembled company (2:15:13).

She was a bit naughty. She didn't tell them any of the problems with GOV.UK Verify (RIP). Some of the younger entrepreneurs may have gone away thinking it works.

And she was lucky that no-one seemed to notice the logical howler when she said that she was basing her predictions on Wardley maps which, she said, don't tell you what's going to happen or when (2:21:40).

What her slides did tell the entrepreneurs is that she's got a few hundred thousand eIDs for them already and there are millions more where they came from, just you wait and see, Spring 2016, ... and the implication is that, if you can only harness the energy, you entrepreneurs will be able to feed all the returns you've ever dreamed of, for free – why else did Janet attend the event?

Nobody told you. But there it is. The future.

----------

Updated 9.9.15

Six months ago, back in March, the Government Digital Service (GDS) published an obituary, GOV.UK Verify (RIP): objectives for live. Like all good obituaries, we said, it's what's not included that is important. And there was a lot not included.

GDS have now updated the obituary, please see today's GOV.UK Verify [RIP]: an update on progress towards objectives for live, and would you believe it, everything is going swimmingly, progress is being made, satisfaction levels are going through the roof, the timetable will be adhered to.

That's one agenda. That's what GDS tell us, the public, and no doubt what GDS will tell their colleagues in the UK Civil Service tomorrow at #CivilServiceLive in Newcastle.

That's all about GOV.UK Verify (RIP) being used by the digitally literate public with a healthy credit history and a working broadband connection to access public services.

But that's not what GDS are telling the world's entrepreneurs, please see blog post above, which is "here comes GOV.UK Verify (RIP), fill your boots".

You see, it's what's not included that is important.


Updated 21.9.15

Today the GOV.UK Verify (RIP) page on the GOV.UK website was updated. It is designed to help central government departments confirm that you are you when you use their on-line services, while protecting your privacy and keeping your data secure. It uses "identity providers"/"certified companies" to do its job.

And it says that "GOV.UK Verify [RIP] is in public beta. While GOV.UK Verify (RIP) is in beta, it’s optional for users". In the mind of the Government Digital Service (GDS), GOV.UK Verify (RIP) may become mandatory if at some stage they deem the system at their whim to be no longer in public beta but live.

What would become mandatory is the use of GOV.UK Verify (RIP) to access public services. That's all you read about on the updated website. GOV.UK Verify (RIP) is all about viewing or sharing your driving licence information, for example, claiming a tax refund, and so on.

There is no mention of GOV.UK Verify (RIP) providing a platform for private sector services. There is no mention of the 200 entrepreneurs Janet Hughes was talking to on 4 September 2015 being able to use GOV.UK Verify (RIP) to help them make a profit.

Whether you think entrepreneurs making profits is a good thing or a bad thing is irrelevant. The point is that it's just not mentioned on GOV.UK, the public face on-line of UK central government. People aren't being prepared for the idea. People are being only partially informed. People are being misinformed.

Ms Hughes is the programme director for GOV.UK Verify (RIP). She has 1,915 followers on Twitter who will all know from her tweet this afternoon that the idea is to help build a market for identity services.

We know that. But no-one relying on the GOV.UK page knows it. They're not being told.

Why?

While you're scrabbling around looking for an answer to that question, you might also care to remember that the market for identity services has existed for decades, if not centuries. GDS aren't helping to build it from scratch.

Further, compared with the banks, in particular, GDS are ill-equipped to help with expanding the market for identity services.

Also, the services to which GDS promise to connect GOV.UK Verify (RIP)-users are in the main forever stuck on the horizon six months away.

GOV.UK Verify (RIP) is in trouble. GDS aren't telling us that but that's the message that comes across.


Updated 28.10.15

"On 26 October 2015 the Minister for the Cabinet Office Matt Hancock spoke at the Institute for Government on how digital transformation can improve government services." There is an excerpt of his talk available on the GOV.UK Verify (RIP) blog.

The Minister talked about "the development of GOV.UK Verify [RIP] and how he verified his identity on his mobile phone, in between meetings, using just the contents of his wallet".

We know what he means, we who are versed in the dogma of the Government Digital Service (GDS). But to an outsider, that second claim must look as though the Minister registered his identity using his phone and perhaps a £20 note.

Even an insider will be baffled by the claim that GOV.UK Verify (RIP) offers users "a level of ID security that wasn’t previously possible online". There's no telling what the Minister means by that ...

... but never mind that for the moment, because the blog post isn't about security, it's about the merits of GDS's user research: "When GDS trialled this service, they gave people a list, showing the logos of the [identity] providers they could choose. But this made people feel uncomfortable. It looked too commercial, in a space where you really want reassurance that you’re dealing with the government. So when the team replaced the logos with the names people responded diffenetly [sic] and more positively, and so of course that’s what now happens".

There it is, in black and white, the Minister and GDS know that users feel "uncomfortable" if GOV.UK Verify (RIP) looks like a commercial venture. Hardly surprising – Ministers and GDS have always promoted GOV.UK Verify (RIP) to the general public as though it's all about transacting with the government, GOV.UK Verify (RIP) is "the new way to prove who you are online, so you can use government services safely".

But that's misleading, as we followers of the dogma know. And as the Minister should know.

He must know that Janet Hughes, the GOV.UK Verify (RIP) programme director, is chatting up investment capitalists and entrepreneurs, extolling the benefits to them of GDS's identity assurance scheme. Take for example her appearance at the 4 September 2015 Annual Investor Summit, Follow the Entrepreneur.

Different messages for different audiences? Instead of each audience separately feeling confident about GOV.UK Verify (RIP), the result could be general mistrust. And as the Minister says, "of course that’s what now happens".

RIP IDA – what they didn't tell you about the future of GOV.UK Verify (RIP). Follow the entrepreneur


No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

GOV.UK Verify (RIP) 101
According to Introducing GOV.UK Verify (RIP), "GOV.UK Verify [RIP] is the new way to prove who you are online so you can use government services safely, like viewing your driving licence or assessing your tax".

It's a daunting prospect, "when you’re using digital services, you need to be sure that your privacy is being protected and your data is secure".

But don't worry, "GOV.UK Verify [RIP] is more secure than usual methods of proving who you are, because there’s no central storage of information". That is a contender for one of the world's great non sequiturs but, all the same, don't worry ...

... because "GOV.UK Verify [RIP] uses certified companies to check it’s you ... it takes less than a minute to verify your identity each time you need to use a GOV.UK service ... You choose the certified company (you can choose as many as you like, and you can change at any time). You don’t have an account with government ... no-one has more information than the minimum to perform their function".

Don't be confused, "GOV.UK Verify [RIP] isn’t a service in its own right. Rather, it provides a way into government services on GOV.UK".

Thursday 3 September 2015

RIP IDA – 1466442, or what the careers advisor said to GDS's prospective Privacy Officer


No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Scenario
You are a careers advisor. A young person approaches you clutching a situations vacant ad. What do you advise?

Sit Vac
The Government Digital Service seeks to appoint a Privacy Officer, closing date for applications one week today, 10 September 2015:
Privacy Officer

Government Digital Service

We are seeking an experienced Privacy Officer to lead the data protection and privacy aspects of the GOV.UK Verify [RIP] programme, both within GDS and across our delivery partners ...

Interviews week commencing: 21/09/2015 ...

Advice
Who knows but you might advise as follows.

QUOTE

Each move you make in your career affects your subsequent opportunities. You could take your experience to GDS. Would that be wise? Perhaps. The world looks like a Privacy Officer's oyster at the moment, in the public sector and beyond – there are other employers and other users who need you.

"The strategy is delivery" is one of GDS's old mottos. It doesn't bear inspection. They promised that GOV.UK Verify (RIP) would go live in the spring of 2013. It didn't. And two-and-a-half years later it still hasn't.

The currently promised live date is March 2016, six months away. Will they deliver on time? If they don't, it's not going to look good on your CV.

As long as you're very junior and on short notice in your present job, you could join GDS in October. That will give you less than six months to knock GOV.UK Verify (RIP) into shape data-protection-and-privacywise. Is that feasible? You need to decide.

You're going to have your work cut out:
  • GDS have always promoted usability ahead of security. They have also promised that the public can have confidence in the security of GOV.UK Verify (RIP). You're going to have to educate GDS. And the public.
  • The identity hub that glues GOV.UK Verify (RIP) together was written by GDS themselves. A team of US and UK academics assessed the hub and declared it full of holes. Despite their claim to build trust by being open, GDS have stayed remarkably tight-lipped about these allegations. You will have to be genuinely open.
  • You may assume that one of your first jobs is to assess the GOV.UK Verify (RIP) liability model. It isn't. They haven't got one. Unlike the banks, who compensate you if your account is hacked, GDS make no mention of compensation and the so-called "identity providers" (IDPs) limit their liability to derisory levels. Good luck with that one.
  • The IDPs are paid a pittance by GDS so you won't have much traction there. GDS are in bed with an outfit called OIX and it doesn't help that OIX have just published a white paper saying that the IDPs can't do their job. What GOV.UK Verify (RIP) really needs is the banks, not IDPs.
  • Actually, they've published two white papers to that effect. In the second one, Reducing fraud and improving online safety through IDP signal sharing, OIX make it clear that as things stand there are no standards for monitoring account activity in GOV.UK Verify (RIP) and no established procedures to follow when exceptional events are detected. The banks, by contrast, have had that buttoned down for years.
  • In their white paper, OIX acknowledge "the risk that a Shared Signals system might be incorrectly perceived as a surveillance tool that could undermine some users’ confidence in GOV.UK Verify [RIP]". Signal sharing between IDPs is the opposite to what the public have been promised with GOV.UK Verify (RIP). The IDPs are meant to be independent, not colluding. People's data is meant to stay where it's put, not be transmitted all over the place. And any use to which it's put is meant to be undertaken by consent, which in this case it hasn't been. You're going to be very busy over Christmas ...
  • ... and thereafter, because GDS's relationship with the central government departments and agencies, the "Relying Parties" as they're known (RPs), the RPs that the public is trying to communicate with through GOV.UK Verify (RIP), is fragile. Fragile or non-existent. Non-existent with the National Health Service, for example, and with the Department for Education. Fragile with the Department for Work and Pensions, who are believed to have banned GDS from their premises, ... some little local difficulty with Universal Credit. Fragile with the Electoral Commission, to whom GDS gave an application system to register to vote which omits identity assurance. Fragile with the Department for Environment Food and Rural Affairs where the GDS system had to be abandoned in favour of paper and pen. And fragile with Her Majesty's Revenue and Customs, who have had to remind people that GOV.UK Verify (RIP) isn't their system, it's GDS's.
  • Diplomacy will be the name of the game when it comes to dealing with the RPs. Your diplomacy. It will have to be yours because GDS have spent years telling the world that the rest of Whitehall is useless, traditional policy-making has broken down and the guiding principles of public administration need a revolution. Why would these much-maligned parties now rely on GOV.UK Verify (RIP)?
  • And why would the public rely on it? The public want their data kept safely and only used for limited purposes. Meanwhile, GDS cheer on every step towards open data without ever trying to distinguish between public data and personal data. GDS's previous boss described the laws constraining data-sharing as "myths". You'll need to provide solace to the public. You've got your comforting answers ready, of course, haven't you?
They're a rum lot, GDS. Not like the rest of Whitehall. That's deliberate. The impression is that the staff all wander around all day in a missionary zeal, interpreting the word of their executive director, ex-Guardian man Mike Bracken CBE CDO CDO, senior responsible owner of GOV.UK Verify (RIP). You may get to be interviewed by him if GDS stick to the 21 September timetable.

But you won't see him for long. He's off on 30 September to pastures new. As are all the other senior staff/prophets. The organisation you join is not the organisation you will work for.

UNQUOTE

Monday 31 August 2015

RIP IDA – as tactfully as possible, the intensive care team take the family aside and prepare them for the inevitable


No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.


OIX, the intensive care team, is well known to DMossEsq's millions of regular readers but for the rest of you:
Open Identity Exchange UK (OIXUK)

This is the UK arm of a global organisation working directly with governments and the private sector developing solutions and trust for online identity, specifically for the British citizen.

OIX UK works closely with the Cabinet Office on the Identity Assurance Programme.  This is the development of the GOV.UK Verify service.  The identity assurance process can also be applied to other, non government websites where proof of identity is wanted.

The OIX goal is to enable the expansion of online identity services and adoption of new online identity products.

We work as a broker between industries designing, testing and developing pilot projects to test real use cases.  All project results are published for the public in the form of white papers.

OIX UK is open to new members. Non members are welcome to attend our workshops, membership is preferred for participation in projects – contact us for further information.

OIX has just published not one but two white papers:
Jointly and severally conveyed, the message is the same – there's no hope, IDA is dead, GOV.UK Verify (RIP).

GOV.UK Verify (RIP) is designed to rely on so-called "identity providers" (IDPs). There are currently four IDPs – Experian, Digidentity, the Post Office and Verizon. Together, they are said to constitute a "market" in identity services.

According to OIX's first paper, The use of bank data for identity verification:
  • The current market for identity assurance identity services is not able to serve 100% of the population (p.4).
  • At this time of publication of this paper the GOV.UK Verify [RIP] service is a beta service. It has set a number of objectives to achieve before becoming a fully live service (p.5).
  • In this early market the supply chain of data sources to support the creation of digital identity has not yet evolved to support the GOV.UK Verify [RIP] initiative (p.5).
  • The Digital Data Deficit section below describes how many users assertions of identity cannot be digitally verified (p.5).
  • As a result, some people who don’t have credit accounts (such as a loan, mortgage or credit card) are not able to assert financial evidence (p.7).
  • ... providers are not able to refer to bank account data to establish that an identity has been active over time (p.7).
  • ... resulting in variable results for users and problems can occur when users attempt to validate money evidence (p.9).
  • ... there is insufficient evidence of activity history in currently available data sources (p.9).
  • The current market has need for more data sources to accurately verify identities across a wide demographic (p.12). 
OIX is being as diplomatic as you have to be on these occasions, dealing with the distraught family in the waiting room outside intensive care, but it is clear that as long as GOV.UK Verify (RIP) depends on the current IDPs, it's not going to get out of the beta phase and become live, it's dead.

The banks are thought by OIX to provide the solution to all the current GOV.UK Verify (RIP) problems. In that case, why bother to have the IDPs? They add nothing. They are irrelevant. Appendix B of OIX's paper is a list of the problems faced by the IDPs which can be solved by the banks. Everything that needs to be done can be done by the banks alone.

There is no reason for GOV.UK Verify (RIP) to retain the IDPs and OIX identifies two reasons not to mix them up with the banks:
  • ... digital identity services delivered by non-bank Identity Providers could erode the relationship between banks and their retail customers (p.11).
  • If a financial institution refuses to compensate a customer for the loss of funds arising from misuse of credentials because the customer granted access for an Identity Provider, then broader consumer confidence in the scheme will be undermined by adverse publicity (p.13).
We were originally told that GOV.UK Verify (RIP) would be live by Spring 2013. It wasn't and it still isn't. We are currently meant to believe that it will be live by March 2016. From what OIX tells us, that is clearly impossible.

GOV.UK Verify (RIP) will not survive the amputation of Experian, Digidentity, the Post Office and Verizon. What comes out at the other end will no longer be GOV.UK Verify (RIP). That's what OIX is telling us in its first paper.

We may look at the second paper in a later post, wherein you will discover that there is a keen desire to ignore the privacy guidelines for GOV.UK Verify (RIP), but that's quite enough for now.

----------

Updated 1.9.15

In Whitehallspeak, Experian, Digidentity, the Post Office and Verizon were part of GOV.UK Verify (RIP)'s first "framework".

Out of 80 initial expressions of interest, eight suppliers proceeded to sign a framework agreement with the Government Digital Service (GDS). Cassidian pulled out, as did Ingeus and PayPal, and despite promising repeatedly that they would, Mydex didn't become an IDP after all, which left GDS with just the four above.

A year ago, GDS launched a second framework, and six months later they'd netted five new IDPs – Barclays, GB Group, Morpho, PayPal again and Royal Mail. So now there are nine IDPs supplying GOV.UK Verify (RIP)?

No.

Just four.

The five new prospective IDPs still haven't been "on-boarded", as they say. In fact, they haven't been heard from for six months. Why? Where are they? What's going on?
