Thursday 18 January 2018

Making a difference

We volunteer because we want to make a difference - HMRC digital
The difference maker
We’re delivering reform – and starting to make a difference
Design that Makes a Difference exhibition
Teachers dedicated to making a difference

That's the first five hits returned by a Google search just now for "making a difference". We could go on. For some time. There are about 1,775 more hits where those five came from.

That's if you restrict your search to just UK government blogs, blog.gov.uk. Extend the search to the whole gov.uk domain, and Google gets 6.72 million hits. The civil service is clearly fascinated by making a difference.

Take the brake off, search across all domains, and Google offers you 320 million articles to read.

Making a difference is a big subject.

Too big to tackle in its entirety.

Let's restrict our scope to just the UK Government Digital Service (GDS). They have spotted the making-a-difference fashion and adopted it for their endless and compulsive recruitment drive:


The examples could be multiplied. There's this – We're looking for an inspiring Service Manager: "We want someone who is as committed to transformation as we are, and in return we will offer a friendly, supportive working environment full of people who want to make a difference". And there's the Ross Ferguson tweet alongside. You will have no problem finding further examples.

Is it really such a good idea for GDS to market themselves on the basis that they make a difference?

Catching flu makes a difference to millions of people and presumably GDS don't want to suggest that they're a debilitating virus but that possibility is not excluded from their glib marketing.

Does the flap of a butterfly’s wings in Brazil set off a tornado in Texas? Any event must have a cause. That's how we think. Rightly or wrongly. Every action of ours must have an effect. Trivially, it follows that it is impossible not to make a difference. What is the non-trivial point that GDS are trying to make?

Presumably GDS want you to understand that they know what they're doing, they know what difference it is that they are trying to bring about, they're not just a Brazilian butterfly unwittingly bringing destruction to Texas. But what is it that they know? How do they know it? And why don't they tell us?

When President Clinton demanded back in 1992 that mortgages be made available to everyone he caused the credit crunch of 2007/2008. What is there to protect GDS from the law of unintended consequences? Nothing.

The public sector ethos is an appealing idea. The suggestion is that public servants are uniquely altruistic and motivated only by increasing the public good. Piffle. Anyone working in the private sector, whether or not they are inspiring and talented and committed and passionate, could do more good and/or less harm than a GDSer. That's a hypothesis. What is GDS's counter-argument? How do GDS measure the public good? They don't say.

GDS hold themselves out as being bathed in the glow of making a difference. But making a difference is an empty claim without a lot of supporting definition and evidence and argument. Potential recruits are recommended to ask at interview what this difference is that GDS claim to have made in the past and promise to make in the future.

Thursday 14 December 2017

What does the BBC mean by "control"?

A charming email arrived from the BBC the other day. They want to make it easier for DMossEsq to sign in to his account. And they want him to be able to sign in orally – no more fuddy-duddy typing.

So the subject of the email is "Talk your way into the Beeb"? No. It's "Important changes to the BBC Privacy and Cookies Policy".

Bit boring. But let's take a look:
Hello,

We’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it.

You can view the updated Privacy and Cookies Policy by going to bbc.co.uk and searching for our Privacy and Cookies Policy or by clicking on the link below.

View updated Privacy & Cookies policy

...
The BBC Privacy and Cookies Policy turns out to be 5,000 words long and to comprise 20 clauses.

Clause 4 lists 11 uses to which the BBC may put DMossEsq's personal information. Most of these are unimpeachable.

For example, the BBC may use DMossEsq's personal information for analysis and research to assist with marketing and strategic service development. DMossEsq has no objection to this use of his personal information. But it is odd to describe this as a case of him having "control of what happens to [his personal information]".

It would make sense for the BBC to say "thank you, DMossEsq, for providing us with the data to help us with our strategy". It makes no sense to say that DMossEsq is "in control of that data".

On those rare occasions when the hermit DMossEsq leaves his mountaintop eyrie in Merton and goes abroad, the BBC warn him at clause 4 that he may be subjected to "online behavioural advertising". Which suggests that the BBC are forever monitoring his behaviour so that they are ready to offer him appropriate advertisements as soon as he is overseas. DMossEsq has no control over that monitoring. The BBC know that and it is silly of them to pretend that he has.

Clause 7 says that the BBC "may use information which we hold about you to show you relevant advertising on third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)". And clause 8 says "we may share [some data] with third party sites (e.g. Facebook, Google, Instagram, Snapchat and Twitter)".

DMossEsq can opt out of this sharing. Good. But hang on a minute. Facebook, Google, Instagram, Snapchat and Twitter don't display advertisements for free. They like to be paid. Presumably by the BBC. Are they being paid with money taken from DMossEsq's licence fee? Or with DMossEsq's personal information? Or both? And what else are Facebook, Google, Instagram, Snapchat and Twitter doing with his personal information?

Clause 13 assures DMossEsq that he can always find out what personal information of his is held by the BBC on the sole condition that he give them even more of it. Specifically his passport details, driving licence details, birth certificate, ..., and £10. It's hard to see any way round this. But again it seems peculiar to describe it as DMossEsq being in control.

Clause 15 tackles cookies. The BBC's own cookies. And third party cookies:
To support our journalism, we sometimes embed content from social media and other third party websites. These may include YouTube, Twitter, Facebook, SoundCloud, Vine, Instagram, Pinterest and Flickr. As a result, when you visit a page containing such content, you may be presented with cookies from these websites and these third party cookies may track your use of the BBC website. The BBC does not control the dissemination of these cookies and you should check the relevant third party's website for more information.
"The BBC does not control the dissemination of these cookies". Oh good. DMossEsq isn't in control and neither is the BBC.

DMossEsq could delete these cookies. If he remembered to. And had the time. But then the service wouldn't work, more than likely. Or it might work today but not in a year's time.

DMossEsq's "control" could rely on not having a BBC account at all. But then what does he do when the BBC say, as they inevitably will, that, in order to protect the children or stop tax evasion, DMossEsq can only avail himself of BBC services if he has an account?

Perhaps there's no alternative. But that's not the point. The point here is that DMossEsq is obviously not in control of his own personal information whereas the BBC say that he is.

"Aha", says the bright girl in the second row, "you can use the do-not-track (DNT) option in your web browser, that'll put you in control". Nice idea but no silver star – the BBC tell us at clause 16 that "this website does not currently respond to DNT requests".

Mind you, that could change. As we learn at clause 18. In fact the whole privacy and cookies policy could change at any time, "so you may wish to check it each time you submit personal information to the BBC". Very amusing. DMossEsq wants to search iPlayer for an hour or two of Lucy Worsley but before doing that he'll just quickly plough through 5,000 words looking for any changes since the previous version. Who is controlling whom?

Does anybody remember where we started? It seems hours ago but the BBC wanted to tell DMossEsq how to log in more conveniently.

----------

Updated later that same day, 11:37

As per the above, someone in the BBC sent all us accountholders an email saying "we’ve made some changes to the BBC’s Privacy and Cookies Policy. We’ve done this so that we can introduce new features, while protecting your data and putting you in control of what happens to it" whereas an examination of the BBC Privacy and Cookies Policy quickly establishes that we accountholders have no control over the personal information we give the BBC.

If that email had been written by BBC News DTrumpEsq would have been all over it. Control? Fake news.

"Control" is just the wrong word.

The BBC are not normally imprecise. What causes them to be imprecise in this case? Let's allow ourselves two guesses.

Firstly, the BBC want to sound nice. They're paying us the compliment of pretending to be controlled by us. Give it another day or two and, who knows, the BBC may go further and tell us that we have been "empowered" by handing over our personal information to them.

Second, almost everyone else pretends that their identity management scheme allows the user to be in control of their own personal information, so why shouldn't the BBC join in, follow the herd, take cover in the crowd and do the same?

Take Mydex, for example. It's been years since DMossEsq has bothered to look at Mydex. They never could answer the question how handing over your personal information to other people gave you control of it and they still can't but they still make that promise: "Complete control You decide what you store, see and share". Perhaps the BBC are copying Mydex.

Or take the Government Digital Service's GOV.UK Verify (RIP), for example. "Users are ... in control of when their information is passed to a government service" – no we're not. Nor are we in control of our own personal information when GOV.UK Verify (RIP)'s "identity providers" send our personal information all over the world to their subsidiaries and sub-contractors and agents. Perhaps the BBC are copying GDS.

GDS pretend that GOV.UK Verify (RIP) abides by the nine sets of privacy principles devised by the UK's Privacy and Consumer Advisory Group. In fact it flouts the lot of 'em. Including no.1, user control, "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them".

No-one can make good on that promise. Not Mydex. Not GDS. And not the BBC. So it's silly to make the promise in the first place. Control is not on the menu. Stop pretending that it is.

It's just as silly as GDS's other pretence that GOV.UK Verify (RIP) is, without qualification, "secure". It can't be and everyone knows that it can't. The pretence undermines confidence and trust ...

... like GDS's other other pretence, that "frictionless" means good. It doesn't. It means voluntary enslavement.

And then there's the other other other pretence that apps are good for you. They aren't. Not necessarily. A lot of the time, an app is just a virus by another name.

Our guesses as to the aetiology of the control promise may be wrong but the promise is anyway misleading and demeans the BBC. It's nearly Christmas. Can we look forward to a BBC retraction?

If the BBC want another example to follow, they could do worse than Barclays Bank, whose terms and conditions say:
If you, or someone with authority over your account, asks us to share your information with third parties, we're happy to do so, but it's important you know that we, as your bank, will have no control over how that information is used. You will need to agree the scope of use directly with the third party.
And the Barclays privacy policy, which says:
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
GDS and the BBC don't have much experience of managing personal information. Or of talking to their parishioners like grown-ups. They could learn a thing or two from Barclays, who do.


Wednesday 13 December 2017

Open banking, PSD2, GOV.UK Verify (RIP) and the end of civilisation as we know it

Open banking starts in the UK in four weeks' time on Saturday 13 January 2018. The competition is keen. Who will be the first little old lady to be cheated out of her life savings? And can she lose the lot by close of play on Monday 15 January 2018 or will we have to wait until Tuesday?

What, we hear you ask in your millions, is DMossEsq talking about?

By way of an answer, consider this email kindly sent by Barclays Bank at 21:34 on 25 September 2017. You will have received similar communications from Barclays and other banks and ignored them:
...

Why are we making changes?
From time to time, we need to update our agreement to reflect changes in banking legislation, new technological developments, and changes to the way we use information. One example is the introduction of a number of new laws which are known as 'Open Banking'. This will enable you to share your data and make payments through third parties ...

Open Banking – new services are coming soon
Open Banking will enable you to share your bank account data with other companies if you give permission. This means you will be able to see multiple bank accounts and transactions in one place (for example on your Barclays Mobile Banking) even if they're from different banks. You will also be able to allow other companies to give payment instructions from your account. If you don't want to use these new services, you won't notice any differences in the way you bank, as you will always have to provide permission for the new services.

The safest way is to create a secure connection ...

An alternative option, is to share your bank account login details directly ...
Open Banking is a UK initiative promoted by the Competition and Markets Authority (CMA). People are paying too much for payments, the retail banks constitute a cartel, the market must be opened to competition from different organisations, innovation will drive prices down and quality up. That's the theory ...

... but.

Is it really a good idea for our little old lady to "share [her] bank account data with other companies"? Or to "share [her] bank account login details"? If she can "see multiple bank accounts and transactions in one place", who else can? What are they luring the old girl into? What have the CMA got against her?

Leaving those questions for another day, consider now the scale of what's happening. "I can’t stress enough just how big a deal the UK’s transition to Open Banking is", says the estimable Dave Birch. "Open Banking is 'a new way of dealing with the twenty-first century's most sought-after resource, personal data' ... Identity is the new money. Banks are about to be transformed from places that store Sterling into places that store Digital Identities ... [Banks could] let this slip through their fingers and hand digital identity to Apple, Facebook, Google, Amazon and Microsoft ... the internet giants who already have the customer relationships".

RIP IDA – if you've got nothing to say, say it
TUESDAY, 11 FEBRUARY 2014

When GDS's David Rennie spoke at the US Identity Ecosystem Steering Group conference in January, he said that the reason there are none of the big retail banks signed up to IDA [the old name for GOV.UK Verify (RIP)], the identity assurance programme, is that they've been too busy sorting out the aftermath of 2008's credit crunch (32'10"-32:35").

That's silly. Identity assurance is what retail banks do all day every day – they can't be "too busy" to do it.
It's not just Mr Birch and DMossEsq who think open banking is a major event. As noted the other day, so does Don Thibeau of the Open Identity Exchange.

Unlike us, Mr Thibeau believes that open banking is a great opportunity for the Government Digital Service's dead cat, GOV.UK Verify (RIP). Apple, Facebook, Google, Amazon, Microsoft and the other internet giant GOV.UK Verify (RIP)? No. Is Mr Thibeau revealed as one of the greater deadpan comedians?

And it's not just open banking. According to Payments UK: "The requirement from the CMA coincides with the EU legislation, the revised Payment Services Directive (PSD2), which requires all payment account providers across the EU to provide third party access". The EU, too, want our little old lady to use PISPs (payment initiation service providers, since you ask) and AISPs (account information service providers).

Payments UK ("We represent the payments industry in the UK") say that open banking and, by extension, PSD2 "will give customers more control over their data and will support an emerging market of new, exciting third party products and services, such as tailored price comparison websites ... It will keep customers safe and secure, enhancing the opportunities for enhancing customer propositions".

Finextra, the fintech house mag, write in even purpler prose: "After PSD2 ... open banking apps and services from third parties will flood the European market and offer users never-before-seen levels of choice and variety in payment, loyalty, behaviour-based and user-friendly data-oriented services".

The PSD2/open banking prospectus sounds like midata re-heated. PSD2 gives credence to the flaky mass consumer biometrics industry. If Don Thibeau isn't joking perhaps the UK's banks really will try to rely on GOV.UK Verify (RIP). That's all three lemons in a row. Jackpot. The pied pipers will be calling the tune.


----------

Updated 5.1.18

Just one week to go now before the start of Open Banking, please see above.

Who's in charge?

The Competition and Markets Authority (CMA). Who have set up an implementation entity called "Open Banking". Which has a trustee in charge, an Ernst & Young partner called Imran Gulamhuseinwala. OBE. Who gave a talk at the Open Identity Exchange's 17 November 2017 conference on the Economics of Identity:



It's only a short talk, 16½ minutes, and yet Mr Gulamhuseinwala manages three times – at 3'45", 5'30" and 12'45" – to tell us that Open Banking will allow people to take control of their own personal information. This we shall achieve by giving our personal information to strangers. The BBC understand how this amounts to taking control. The rest of us don't. To us, it looks like losing control.

Open banking relies on identity assurance. Identity assurance and Open Banking are converging, Mr Gulamhuseinwala says. How does this relationship between Open Banking and identity assurance work? It looks like something to do with the economics of identity but twice – at 2'55" and then again at 14'55" – Mr Gulamhuseinwala, the man in charge, tells us at length that he doesn't know, he's not sure, he hasn't got all the answers and that's not his job.

He does know that Open Banking will allow us to review our bank accounts and switch to better ones. Ditto energy accounts, mobile phone deals and insurance policies. He just doesn't know how. He also knows somehow that unnamed Open Banking apps (viruses) will securely review all our personal information and improve our well-being.

This is the hoary old midata prospectus, beloved of the LibDems who ran the Department for Business Innovation and Skills during the UK's 2010-15 coalition government. They promised that nanny-state-on-a-chip apps (viruses) would nag us to stop wasting money on take-away meals or some such. Vince Cable, Ed Davey, Norman Lamb and Jo Swinson could never convince anyone of midata's virtues.

Obviously it's not his job but good luck to Mr Gulamhuseinwala when it comes to explaining how the putative little old lady above's being cheated out of her life savings is all for her own good.


Updated 7.1.18

10 p.m. today, the Daily Telegraph newspaper warns its readers 'Open banking' revolution could lead to scams and pricing rip-offs, experts warn. Better late than never.


Updated 11.1.18 #1

Less than 48 hours to go. Soon Open Banking will be up and running in the UK. Without GOV.UK Verify (RIP).

As we were saying, please see above, "unlike us, Mr Thibeau [of the Open Identity Exchange] believes that open banking is a great opportunity for the Government Digital Service's dead cat, GOV.UK Verify (RIP)". Open Banking relies on on-line identities. GOV.UK Verify (RIP) can't provide them ...

... not in bulk, not for companies which might want to use Open Banking, not securely and not while preserving privacy.

Open Banking should have been GOV.UK Verify (RIP)'s great opportunity. As it is, all Open Banking does is to point up the failure of GOV.UK Verify (RIP).

Bryan Glick, the estimable editor of Computer Weekly magazine, writing last week in Five things in tech to watch out for in 2018, says: "Getting digital identity right is the key to unlocking so many online opportunities, from public service delivery to open banking. The government has tried to crack this with Gov.uk Verify [RIP], but has gone down a dead-end ...".

GOV.UK Verify (RIP)?

Dead.

End.


Updated 11.1.18 #2

After all the excitement on Saturday morning when Open Banking starts in the UK, the public jubilation here and the jealousy in the rest of the world, you may find yourself at dinner and in need of saying something knowledgeable about it.

Eighteen months ago the Open Data Institute published The open future of banking. There's your cribsheet.

"... an Open Banking Standard will help banks and innovators to collaborate and rise to the challenge of providing a first-class service that still keeps the regulators happy" – cue discussion of the need to keep regulators happy.

If the conversation flags, try "this is not just about open data, but other aspects of open such as open source, open culture and open innovation".

And if that doesn't do it, go for the jugular: "it’s not just the customer that will benefit: banks will also benefit from efficiencies in time and money. They will also encourage greater interactions from orthogonal areas (e.g. insurance, pensions, accountants)".

As dessert approaches, garnish with Google or Facebook or Apple or Microsoft ... or Amazon, Will Amazon Lending Disrupt, Displace, or Prop Up Banks?.

This is your chance to mention that the banks use artificial intelligence, AI, to process each accountholder's transaction data to calculate customised terms and conditions for loans and other financial products. If the banks no longer have access to that data because one of Mr Gulamhuseinwala's payment initiation service providers or account information service providers has got it instead, then the banks could fail, a warning issued by Dave Birch, who knows a thing or two, Forget banks, in 2018 you'll pay through Amazon and Facebook:
... AI in 2018 will be a kind of event horizon for financial services. No one can see what is on the other side. But when Google feeds all the data from someone's bank accounts into their advertising engines it's fairly certain that bank profits - based on information asymmetries, product friction and brand loyalties - will vanish.

... 2018 will be the start of a fundamental realignment as banks become heavily regulated pipes for tech giants to use for their profit.
You may never be invited to dinner again.


Updated 12.1.8

UK retail banks are exceptionally big and powerful. They may face some competition as a result of Open Banking. That competition is unlikely to bring them down.

You may not like the retail banks but that doesn't mean that you do like their Open Banking competitors. In fact you may find those competitors even more unpleasant.

The UK retail banks' Open Banking competitors may offer reduced costs for a while but that wouldn't last for long. Insert Facebook/WhatsApp, say, into your banking arrangements with Lloyds Bank and you may soon find that the financial benefit has evaporated and you're left worse off because Lloyds now charge more for their other services and because a lot of your personal information is now stored out of your control God knows where on the planet with an unregulated supplier operating beyond the jurisdiction of any UK ombudsman.

But suppose for the sake of argument that these titans, the UK retail banks, are hollowed out by Open Banking.

What then?

Among other implications, consider what might happen to the credit rating agencies.

At the moment the credit rating agencies enjoy several extraordinary and generally unremarked entitlements. They are allowed to collect all sorts of information about us and then sell it to interested parties, including political parties, please see Time for someone to take the personal information economy seriously.

Experian, Callcredit, Equifax et al collect a lot of their data from the retail banks. If Open Banking deprives the retail banks of that data, the credit rating agencies will be left high and dry. A political party wanting to identify floating voters with their good news message during a general election would have to approach Microsoft/LinkedIn instead of Experian. Ditto an entrepreneur looking to launch a new product who needs to know first how much demand there is and where it is.

The risks to the UK's retail banks posed by Open Banking are threats just as much to our credit rating agencies. That is a major issue. You may not like the credit rating agencies any more than you like the retail banks. That doesn't alter the fact that it would represent a major change, not necessarily for the better.

Less portentous, just think what would happen to poor old GOV.UK Verify (RIP). What is a person? According to GOV.UK Verify (RIP) a person is just a credit history. All the "identity providers" to GOV.UK Verify (RIP) need the credit rating agencies to do their identity proofing and verification (IPV). Except Experian. Which is a credit rating agency. No IPV, no GOV.UK Verify (RIP).

Open Banking could cause GOV.UK Verify (RIP)'s completion rates to plumb even more miserable depths.


Updated 1.10.18

It was 13 December last year, 2017, when DMossEsq brought the attention of its millions of readers to Open Banking, please see above. The revolution was coming one month later – 13 January 2018 was going to see the UK's payments infrastructure liberated, heralding a new dawn of hope for humanity with the UK in the lead.

13 January 2018 was 261 days ago and nothing's happened. No Open Banking. Why not? No answer. Lots of hype. Nothing to show for it. The squib is damp.

We noted the nexus between Open Banking and midata, the turkey farmed at the Department for Business Enterprise Energy and Industrial Strategy (BEIS). The DMossEsq millions were first advised of midata back on 16 November 2011. 2,511 days ago. Benefit of midata to the consumer so far? Nil.

Does this nexus exist? 28 September 2018, and what do we read in a government press release? "The government’s recent green paper ‘Modernising Consumer Markets’ announced that the government will conduct a Smart Data Review ... [which] will build upon existing interventions such as Open Banking, midata, and the UK’s new data protection laws".

2,511 days into the midata project and already the busy bees have launched a review to see if anyone's interested. Smart.

What busy bees? On 29 March 2018, 186 days ago, the Prime Minister told us that "the data policy and governance functions of the Government Digital Service (GDS) will transfer from the Cabinet Office to the Department for Digital, Culture, Media and Sport (DCMS)".

So it's the busy bees at DCMS?

Yes, but not just DCMS. BEIS, too. The press release is issued jointly by BEIS and DCMS, with BEIS in the lead, we assume, given that "we encourage all organisations that would like to be involved in the Smart Data Review to register their interest at smartdatareview@beis.gov.uk".

midata needs national identity assurance. And midata is Open Banking. No national identity assurance, no Open Banking.

It was 13 September 2011 when Computer Weekly magazine published the government's promise to get national identity assurance working. Today, 2,575 days later, we still don't have GDS's national identity assurance. GDS's national identity assurance programme is GOV.UK Verify and GOV.UK Verify is dead, remember. RIP.

In Whitehall, this is what BEIS/DCMS/GDS call "modernising consumer markets". You may be able to think of another name for it.

Friday 1 December 2017

RIP IDA – the Whitehall user research lab

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

The Government Digital Service (GDS) have a user research lab, in which they "carry out research into all the things we deliver [?], from guidance and standards to common components, such as GOV.UK Pay and GOV.UK Verify [RIP]".

Despite the user research lab, "deliver" is just what GDS haven't done with GOV.UK Verify (RIP).

It's not just DMossEsq who say that GOV.UK Verify (RIP) is a failure.

Back in June, Computer Weekly magazine noted that GDS lacks strong and stable leadership. They quoted Rob Anderson, of whom more anon, who believes that GDS are "haemorrhaging senior management and losing more credibility with operational departments".

Computer Weekly remind us that GDS is supposed to make savings of £3.5 billion across government in return for its £450 million budget but "it seems unlikely GDS will ever meet that rather ambitious savings target".

Why so sceptical?

Partly because the common technology services project has been "mothballed" and partly because of low take-up for Government as a Platform (GaaP) but mostly because of the failure of GOV.UK Verify (RIP), a failure identified not just by Computer Weekly but also by the National Audit Office: "The NAO said there was little incentive for departments to adopt Verify".

Julian David, the CEO of TechUK, is quoted in further support of Computer Weekly's position and so is the Institute for Government.

This Rob Anderson man, he's a "principal analyst, central government, at GlobalData (formerly known as Kable)", according to Computer Weekly. He's got an article in Government Computing at the moment, GDS: Now we are Five. "Such a landmark anniversary often provokes a review of achievements in those formative years," he says, "but this was not obviously forthcoming, possibly because big ticket projects like Verify, the wider GaaP portfolio and examples of cogent joined-up public services are still few and far between".

Mr Anderson notes that GDS keep signing contracts with third party suppliers in the hopeless bid to enrol 25 million people in GOV.UK Verify (RIP) by 2020. Meanwhile, their success with GovWiFi is underwhelming, in Mr Anderson's eyes, and "GDS is but a sideshow, albeit a mildly entertaining one".

Government Computing also report on the European Commission's annual survey of eGovernment, UK slips to “European average” in terms of digitising its services, EU study shows. Oh dear. What now?

According to the report, the key challenge for the UK is to increase availability of key enablers such as electronic identification and authentication sources. The UK’s score for key enablers is 22% compared to a 52% EU average.

So, let's see, that's Computer Weekly, the NAO, TechUK, the Institute for Government, GlobalData/Government Computing, the European Commission and DMossEsq among others all expressing scepticism about GOV.UK Verify (RIP).

And on the other side?

Here's a comment from someone at the 17 November 2017 Economics of Identity conference hosted by OIX, the Open Identity Exchange: "Verify: the only standard for digi identity in the UK. Gov.uk has kicked started it - we have to pick up the mantle".

The other side's response looks like self-deception. GOV.UK Verify (RIP) isn't a standard and it doesn't have a mantle. Government Computing have collected together a number of these strange responses here, in OIX meeting weighs up the economics of identity.

Don Thibeau, the head of OIX, spoke at another conference, on 8 November 2017, where his chosen subject was Identity Systems at Scale. You can watch the video (particularly between 1'37" and 2'50") and be amazed at his assertion that Europe, Australia, Japan and the US are all spellbound, watching the progress of GOV.UK Verify (RIP) and hoping to learn some tips from the global masters of open banking.

His own organisation, OIX, has already demonstrated several times that GOV.UK Verify (RIP) has precisely nothing to offer the financial sector. Is he in denial? It is beyond the scope of this blog to explain his behaviour at that conference.

What we can do is to point at Whitehall itself as a user research lab. How do the participants in a failed project respond to the stream of facts as they come in, one after another, each one confirming failure more and more clearly? Answer, they ignore them. GOV.UK Verify (RIP) is the only game in town, they say to themselves, and they believe that the rest of the world is agog at its success.

GDS claim to lead the UK government digital, data and technology professions. Maybe they haven't noticed yet but, because GDS know nothing about the economics of identity, responsibility for the operation of the UK digital economy has been taken away from them and given to the Department for Digital, Culture, Media and Sport.

"Matt Upson and Mat Gregory are data scientists at GDS". That's what it says in Transforming the process of producing official statistics. Matt and Mat have been working on RAP, reproducible analytical pipelines. The two of them have been telling the Department for Digital, Culture, Media and Sport, the Department for Education and the Ministry of Justice all about RAP, teaching their grandmothers to suck eggs.

How successful have they been?

"We have celebrated the achievements so far with a laptop sticker". Official statistics? Done.

14 November 2017, and we learnt that More than 100 services are now running on government common platforms: "over 100 services across 26 departments and agencies are now using GaaP tools, guidance and components. From GOV.UK Verify [RIP] to GOV.UK Notify, GOV.UK Pay and GOV.UK Platform as a Service, Government as a Platform is becoming a reality, and that’s a great thing for taxpayers and citizens".

There's even a sticker to prove it:


GOV.UK Verify (RIP) is connected to just 14 on-line public services according to GDS's own performance dashboard. HMRC don't use it for anything important, neither do DWP and neither do the NHS. GOV.UK Notify is connected to 115 on-line public services, again excluding the big players, but isn't it a decade or two too late to claim a noteworthy success when a government department uses email and texts? The GOV.UK Pay performance dashboard doesn't list any services connected to it. And GOV.UK Platform as a Service doesn't have a performance dashboard.

Is that what you understood by "more than 100 services are now running on government common platforms"?

That's a tendentious way of reporting the facts. The UK Statistics Authority and the Office for National Statistics would be down on any minister like a ton of bricks, quite rightly, if they misused statistics like that.

It was never clear why GDS were given responsibility for the data profession. They have never done anything with that responsibility and there are signs now that that, too, will be taken away from them.

While its responsibilities shrink, though, GDS continues to recruit as though there were no tomorrow. There are currently 19 GDS jobs available for your delectation on the civil service jobs website. You, too, could join the 900 or is it only 700 people already in this giant user research lab.

----------

Updated 4.12.17

How many people are there in GDS? That was the question we finished on in the blog post above. The answer is given in the NAO's report, Digital transformation in government (p.19):


This year, 2017-18, there should be 834 of them, all beavering away.

But just what do they all do?

As far as GOV.UK Verify (RIP) is concerned, the answer must be "not a lot". The front end hasn't changed for months, there's very little activity on Twitter, none on the identity assurance blog and 65% of attempts to access public services using the wretched system fail.

In the absence of any answers DMossEsq has taken a look at the UK government's Contracts Finder service. And you won't believe it – we've been asking the wrong people. GDS don't seem to have anything to do with GOV.UK Verify (RIP) any more. Now, it's all our old friends the Methods group.

You remember the Methods group. We came across them first in GaaP – 1½ million useless public servants out the door and 35 billion quid off the deficit. What's not to like?. And when GDS's 25 exemplars failed, Mike Beaven, their transformation director, left and joined Methods, please see @gdsteam, success and ... candy floss.

Two companies in the Methods group have been promised £1,307,000 since April Fool's Day 2017 to make GOV.UK Verify (RIP) work, please see the table below and/or this easier-to-read spreadsheet. And since 9 October 2017 Methods Business and Digital Technology Limited have been the Lead Commercial Delivery Manager for GOV.UK Verify (RIP):


Fuller Contracts Finder findings are available in another spreadsheet here. You thought GDS did the work on GOV.UK Verify (RIP)? Think again. Those 834 GDS staff have got something better to do.

Such as ensuring diversity across the civil service? No. Methods Digital Limited were paid £208,000 to work on "race disparity data across the public sector".

Such as working on GaaP? No. Methods Professional Services Ltd were paid £143,000 to provide "a WebOps service to deliver the GaaP Programme".

Such as working on the common technology services project? No. Methods Digital Limited are being paid £2,000,000 (sic) to "define the strategy of CTS and support collating and analysing commercial ICT information across HMG".

You thought GDS worked out GaaP themselves? No. It was the Methods group. And McKinsey, who were paid £2,200,000 (sic) back in the spring of 2015 to "assist GDS to analyse the potential for digitally-enabled improvement of public services through the adoption of the 'Government as a Platform' approach".

The common technology services project (iPhones for all civil servants) is costing a fortune in external fees. Methods Digital Limited got their £2,000,000, as we have seen. Not bad, but Computing Distribution Group Limited picked up £5,000,000 to "provide application, cloud and infrastructure design, standards and good practice guides for the common technology service team". GDS are meant to be the go-to consultants for the whole civil service and, on a good day, local government as well and they have to ask Computing Distribution Group Limited for design, standards and good practice guides?

Entech Limited settled for a modest £325,000 for CTS work. Zeefix Consulting Limited are getting £2,000,000, like Ergon Limited, and DMSG Limited are members of the £5,000,000 club. PriceWaterhouseCoopers LLP just missed. £4,000,000. Unlucky.

M4 Managed Services International Limited are getting £5,000,000 for providing "application and infrastructure design services (?)". ThoughtWorks Limited picked up £791,000 for four months' work this year on "agile iterative support consultancy services to develop and continually improve" a few things, including GOV.UK Verify (RIP). That's on top of their £1,300,000 to "drive the adoption of Verify ... working in pair and mop programming in the listed areas".

And then there's IXYDO Limited, who have amassed five contracts worth a total of £553,000 to help migrate GOV.UK Verify (RIP) from VMWare across the Styx to Amazon Web Services. Part of our national infrastructure, IXYDO had one director who owned the one share in the company until recently, according to Companies House, and the latest accounts show that he has almost managed to repay the £28,000 or so that he borrowed from the company. Don't worry, this won't make it any harder for Methods Professional Services Ltd to get GOV.UK Verify (RIP) taken seriously by our European partners in eIDAS.

834?


Updated 30.1.18

As we were saying above, "maybe they haven't noticed yet but, because GDS know nothing about the economics of identity, responsibility for the operation of the UK digital economy has been taken away from them and given to the Department for Digital, Culture, Media and Sport [DCMS]".

Also, "it was never clear why GDS were given responsibility for the data profession. They have never done anything with that responsibility and there are signs now that that, too, will be taken away from them" ...

... signs like DCMS launches research project into data portability. DCMS have got £250,000 burning a hole in their pocket and the Government Computing website tell us that "according to a tender notice issued by the department earlier this month for a £250,000 contract, DCMS is looking for analysis and practical research on data portability".

Despite having 834 staff and £450 million to spend and despite being in charge of digital, data and technology GDS are clearly not the first port of call if you want a spot of analysis and practical research on data portability.

Bit of a poke in the eye for GDS.

Just to rub it in, Government Computing also report that DCMS launches search for new Data Ethics centre leader: "The government wants the centre to advise on the measures needed to enable and ensure safe, ethical and innovative uses of data-driven technologies".

GDS did some work on data ethics, please see "Data Science Ethical Framework" – contempt for the public. Fail. Over to DCMS.


Updated 24.4.18

The Government Digital Service (GDS) have 860 staff at the moment. They can't possibly need to use contractors for software engineering work, can they?

Their last contract – with the Methods Group – for software engineering work on GOV.UK Verify (RIP) ran out on 6 April 2018. Verify is dead. GDS can't need to spend any more money on it, can they?

Wrong. Yesterday, 23 April 2018, St George's Day, GDS published an invitation to tender for six months' work on Development Capability for GOV.UK Verify [RIP].


Updated 31.5.18

It is six months since we said, please see above:

You thought GDS worked out GaaP themselves? No. It was the Methods group. And McKinsey, who were paid £2,200,000 (sic) back in the spring of 2015 to "assist GDS to analyse the potential for digitally-enabled improvement of public services through the adoption of the 'Government as a Platform' approach".

The McKinsey Center for Government have now published Delivering for citizens – how to triple the success rate of government transformations.

What do they have to say about GDS?

Nothing.

GDS don't get a mention.

Thursday 31 August 2017

In praise of friction

With the acceleration due to gravity standing at 9.81 ms⁻², if there were no friction, you could never walk uphill. The only way would be down. Not good.

In Part 3 of his series of blog posts on the vision for the Digital Marketplace Warren Smith says that the Government Digital Service (GDS) are "enabling end-to-end buying that's as frictionless for users as possible". That can be bad for people who make a purchase in haste and then regret it. That's why we have cooling-off periods.

Again, "frictionless" doesn't always mean good.

GOV.UK is the public face of the UK administration on-line. GDS's vision for GOV.UK is like their vision for the Digital Marketplace: "Simpler, clearer, faster access to government services and information ... That means providing a single place for people to interact with government that's as frictionless as possible, and which continuously improves. And it means providing a platform that helps government understand and meet users' needs".

Open data is like a box of chocolates: "... He stressed the importance of open data as a means to 'unlock facts and evidence held in different silos, so that better local services can be realised.' This is about delivering real change for people in a frictionless way ...". Maybe silos aren't all bad.

In his blog post on what it is to be a "data-confident" government Paul Maltby regrets that "the type of frictionless internal data system we saw in Silicon Valley, even for non-sensitive data, seems a long way off". He may be wrong to regret it.

That may be a mistake.

There are limits.

Sometimes, users need friction to stay upright ...

... and never more so than when it comes to identity assurance.

Ewan Willars, a policymaker for several institutions, regrets that "the identification and verification of applications for new bank accounts is one of the key hurdles that can prevent a frictionless online account opening process" and recommends that GOV.UK Verify (RIP) might usefully promote frictionlessness. God forbid.

"It's so easy to open an Amazon account", some people say, "why is it so hard to open a bank account?". There's a trivial mistake in that question.

The only reason it's so easy to open an Amazon account is that you and your bank have already done all the hard work of verifying your identity.

And it's only because you and your bank have applied enough force to overcome the inherent friction in opening your account that the bank can authorise your Amazon purchase.

It has to be a bit frictiony (frictive?) to open a bank account. And to use it – all those niggly user names, passwords, one-time codes sent to your mobile, mother's maiden name, ... That's just the price of security. Take away the friction, and Amazon would be royally defrauded for a while and then it would go out of business.

You can open a Twitter account with almost no friction at all. What does that tell you? That it's almost worthless. Who wants the same to be said of a GOV.UK Verify (RIP) account? No-one sensible.

----------

Updated 26.11.17

TISA is the Tax Incentivised Savings Association. It has scores of members from AJ Bell Securities Ltd and Aberdeen Asset Management Ltd at one end of the alphabet to Zopa Ltd and Zurich Financial Services at the other.

TISA is a member of OIX, the Open Identity Exchange, the people who keep trying to rescue the Government Digital Service's GOV.UK Verify (RIP) identity assurance scheme.

TISA have published a white paper on OIX's website:

"In light of the relatively high levels of friction that UK consumers encounter when acquiring new financial products and the TISA mission to improve the financial wellbeing of UK consumers, it was decided to embark on the TISA Digital ID project with a view to allowing consumers to utilise a federated identity as part of the onboarding process to attain a new product and thereby improve the user journey in terms of the time taken and the amount of friction encountered."

These days, they say, it "takes longer to open a savings account than apply [for] and receive a pay day loan".

There you have it. The desire for frictionless "onboarding" risks putting you in the same category as a payday loan merchant.

Wonga, it should be noted, with its 1,000% p.a. interest loans, are not members of TISA.

Could GOV.UK Verify (RIP) help to reduce the friction involved in opening a bank account while simultaneously "[improving] the financial wellbeing of UK consumers"? Yes, say TISA.

There are acknowledged standards to consider. The new payment services directive, for example, "suggests that authentication in payment applications look to a Level 4 identity at enrolment" – level 4 is a high level of assurance (LoA) that the person on the other end of the line trying to verify their identity is who he or she says they are.

What is TISA's suggestion? Answer, "having analysed the components of the Identity Processing & Verification process in relation to an LoA2, this was decomposed to a lower level of assurance that was judged by the group to be in line with the [Joint Money Laundering Steering Group] guidelines ... This lower level of assurance was defined as ...".

An extraordinary judgement. Their members will not thank TISA for suggesting that they should use GOV.UK Verify (RIP) to reduce friction by lowering the level of assurance from an already unacceptable 2 to something even deeper into the frictionless world of payday loans.
