Saturday, 21 September 2019

RIP IDA – Johnson and Cummings are in for a shock

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


Boris Johnson Secretly Asked For A Massive Amount Of User Data To Be Tracked. Dominic Cummings Said It’s “TOP PRIORITY”.

That's what it says in 24-point bold capitals on the relatively public Buzzfeed website. So much for "secretly".

"In a move that has alarmed Whitehall officials, the prime minister has instructed departments to share data they collect about usage of the GOV.UK portal so that it can feed into preparations for leaving the European Union at the end of next month". These Whitehall officials must exist in a permanent state of alarm – GOV.UK usage data is already collected and shared on the Government Digital Service's rickety performance platform and has been for years:


Saturday, 12 January 2019

RIP IDA – 12 years after promising a way for employers to check the right of a prospective recruit to work in the UK, the Home Office introduces a partial service based on unproven technology

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


Online right to work checks – that's a press release, by the Home Office, 14 December 2018: "Employers will be able to rely on an online Right to Work Checking Service to demonstrate compliance with illegal working legislation".

Pretty good, you may say, well done the Home Office, very 21st century, faced with a prospective recruit how does an employer establish their right to work in the UK? Answer, on-line.

Modern. Quick. Efficient. Definitive.

Or is it?

Cast your mind back. Cast it back before yesterday. And even before 14 December 2018. Cast it back exactly 12 years, all the way back to 14 December 2006, when the Home Office published their first so-called Strategic Action Plan for the National Identity Scheme.

Turn to Annex 1 on p.25 and you'll see that the Home Office planned strategically for the Immigration and Nationality Directorate to have an "enhanced employee checking service available for employers" six months later, in June 2007.

In the event it took 12 years. Not six months. 12 years.

It's 11 years since DMossEsq wrote about this matter, Not working in the UK. "Why hasn't this strategic action been performed by IPS [the Identity and Passport Service as was, now Her Majesty's Passport Office]?", he asked in January 2008, and "Is there perhaps a problem with the biometrics?".

The Home Office have given us no reason in the interim to believe that the biometrics their employee checking service depends on are reliable ...

... but rely on them they do, as they told us in last month's press release: "The online Right to Work Checking Service can be used by non-EEA nationals who hold biometric residence permits or biometric residence cards ...".

Even after 12 years that little matter remains outstanding, we're not quite there yet, there's an on-line service but we can't be sure that it identifies prospective employees reliably.

And the service isn't universal.

It doesn't handle any non-EEA nationals who don't have these cards, it doesn't handle all EEA nationals and UK nationals without a passport can supposedly demonstrate their right to work by producing "short birth or adoption certificates, which they can get for free, instead of the long versions".

Surely GOV.UK Verify (RIP) could help to assure employers that the person in front of them is who the birth certificate or plastic card says they are and has the right to work in the UK?

Apparently not.

Maybe in another 12 years.

Good job (sic) there's no hurry.

RIP IDA – 12 years after promising an on-line way for employers to check the right of a prospective recruit to work in the UK, the Home Office introduces a partial service based on unproven technology

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


Online right to work checks – that's a press release, by the Home Office, 14 December 2018: "Employers will be able to rely on an online Right to Work Checking Service to demonstrate compliance with illegal working legislation".

Pretty good, you may say, well done the Home Office, very 21st century, faced with a prospective recruit how does an employer establish their right to work in the UK? Answer, on-line.

Modern. Quick. Efficient. Definitive.

Or is it?

Friday, 21 December 2018

Brexit – "Why I don’t, never have, and never will trust the people"

Matthew Parris, writing in the Spectator magazine, 15 December 2018:


This is his reason for supporting those politicians of all parties, civil servants and media persons who want to ignore the Brexit referendum result.

Mr Parris has done us a great service, as he always does, by being so clear and open. And amusing – he quotes Arthur Balfour: "I have the greatest respect for the Conservative party conference, but I would no more consult it on a matter of high policy than I would my valet".

Mr Parris has done us an even greater service by pin-pointing the mistake in this line of reasoning as it applies to Brexit.

"... at the idea that the people should dictate the policies of government on a daily basis, we shudder"?

Yes, quite right, but in this case Parliament explicitly handed the problem over to us plebs, it was up to us to solve it and our decision would be an instruction to be executed by Parliament.

We're not talking about daily plebiscites, which God forbid. We're talking about a one-off.

We're talking about Parliament making a promise (the decision is yours) and then reneging on their promise (the decision is ours). Do that, in this case, and we plebs will never trust Parliament.

----------

Updated later that same day

"Chary" of referendums as he was by 15 December 2018, on 20 October 2018 Mr Parris advocated ... a second referendum, please see We must march and demand to vote again.

Brexit is the enemy of his usual logical coherence.

This is not the only example. On 11 December 2018 Mr Parris told us I’m disgusted by baying mob of hypocrites attacking Theresa May:
  • Two days later on 13 December 2018: "My last encounter with [Theresa May] was not long after she became prime minister. Being regarded as a 'friendly' journalist, I was invited to Downing Street for coffee. It was appalling ... I kissed her as I left. She looked a little alarmed. But the truth is I had arrived as a supporter, and departed dismayed". (Dismayed? See what he did there?)
  • And on 14 December 2018, in Theresa May has become detached from reality: "At what point does tenacity become rigidity become mulishness become a frozen panic? ... Does she hear? Does she see? Does she know? Is there anyone at home?" Etc ...
It's a nimble reader who can keep up.

Brexit – "Why I don’t, never have, and never will trust the people"

Matthew Parris, writing in the Spectator magazine, 15 December 2018:


This is his reason for supporting those politicians of all parties, civil servants and media persons who want to ignore the Brexit referendum result.

Mr Parris has done us a great service, as he always does, by being so clear and open. And amusing – he quotes Arthur Balfour: "I have the greatest respect for the Conservative party conference, but I would no more consult it on a matter of high policy than I would my valet".

Tuesday, 18 December 2018

Brexit – cast your mind back 212 years to Napoleon and the continental system

According to today's Times newspaper:


2½ years late, as they say in the accompanying article, "Colin Clark, a Scottish Conservative MP, has said contingency planning should have started immediately after the vote in 2016", but better late than never.

Mr Clark is not alone in his views, several respectable people believe that is and always has been the obvious approach ...

... but the Chancellor of the Exchequer, Philip Hammond, is quoted elsewhere as saying that "what they were doing must be seen as a precaution, not a policy challenge. He warned that the idea of a managed no deal was a ‘unicorn’ ...".

Who's right?

The respectable people or the Chancellor?

Cast your mind back 212 years and you be the judge.

According to Andrew Roberts’s 2014 Napoleon the Great, starting around p.427, 212 years ago in 1806 Napoleon instituted the “continental system”, which included these articles among others:
1. The British Isles are in a state of blockade.
2. All trade and all correspondence with the British Isles is forbidden.
3. Every British subject, of whatever state or condition he may be … will be made a prisoner of war.
4. All warehouses, all merchandise, all property, of whatever nature it might be, belonging to a subject of England will be declared a valid prize …
7. No ship coming directly from England or the English colonies, or having been there since the publication of the present decree, will be received in any port.
Napoleon reckoned that would soon settle our hash ...
Since one-third of Britain’s direct exports and three-quarters of her re-exports went to continental Europe, Napoleon intended the decrees to put huge political pressure on the British government to restart the peace negotiations broken off in August …
... but, according to Mr Roberts:
Although Napoleon believed that the Berlin Decrees would be popular with French businessmen, who he hoped would pick up the trade that previously went to Britain, he was soon disabused by the reports from his own chambers of commerce. As early as December that of Bordeaux reported a dangerous downturn of business … By March 1807 he had to authorize special industrial loans from the reserve funds to offset the crises that were resulting …
Plus ça change, the regional prefect of the area that includes Calais is already demanding extra funds to ensure that UK business is not lost to dastardly Belgian and Dutch ports.

Further:
… the British government managed to ride out domestic criticism. By contrast, the Continental System damaged precisely those people who had done well from Napoleon’s regime and had hitherto been his strongest supporters: the middle classes, tradesmen, merchants and better-off peasantry … ‘Shopkeepers of all countries were complaining about the state of affairs,’ recalled the treasury minister Mollien, but Napoleon was in no mood to listen, let alone compromise.
Plus ça change, President Macron, convinced that he is actually Jupiter, and not merely Napoleon, won't compromise. Just like he didn't compromise the other day with the gilets jaunes.

Plus ça change, "domestic criticism", in the person of Anna Soubry and the BBC and the unicorn expert, Philip Hammond, has duly reappeared:
  • They want us to stay linked to a collapsing financial system, the Euro, which beggars Greece and Spain and Portugal in order to underwrite German exports and which caused years of hardship to Ireland after its asset price bubble burst.
  • They want us to stay in the friendly partnership which sees Italy at loggerheads with Brussels ...
  • ... not to mention the friendly partnership between Hungary and Brussels.
  • They want us to have our tax rates harmonised.
  • They want our armed forces to come under President Juncker's control.
  • They want to keep charging huge protectionist tariffs on poor countries trying to export sugar to us.
  • They want our legislature to be dictated to by the European Court of Justice ...
For some reason the "domestic critics" find this imperial prospect attractive. Your highest ambition may not be for the UK to become a colony. You may hope that the government once again "rides it out".

The huge volume of our exports to the EU is a problem for them as well as us:
One major problem with the Continental System was that it could not be imposed universally. In 1807, for example, because Hamburg and the Hanseatic towns such as Lübeck, Lüneburg, Rostock, Stralsund and Bremen couldn’t manufacture the 200,000 pairs of shoes, 50,000 greatcoats, 37,000 vests and so on that the Grande Armée required, their governors were forced to buy them from British manufacturers under special licences allowing them through the blockade. Many of Napoleon’s soldiers in the coming battles of the Polish campaign wore uniforms made in Halifax and Leeds ...
Fluctuations in the exchange rate? Financial innovation in the City? Expanding into new markets? They've all happened before. And pace the miserable remainers, they could all happen again:
When French customs officials did capture contraband a proportion of it was often returnable for a bribe, and in due course it became possible to take out insurance against seizures at Lloyd’s of London. Meanwhile, French imperial customs revenues collapsed from 51 million francs in 1806 to 11.5 million in 1809, when Napoleon allowed the export of grain to the British at high price when their harvest was weak – some 74 per cent of all British imported wheat came from France that year – in order to deplete British bullion reserves. The Continental System failed to work because merchants continued to accept British bills-of-exchange, so London continued to see net capital inflows. Much to Napoleon’s frustration, the British currency depreciated against European currencies by 15 per cent between 1808 and 1810, making British exports cheaper. The Continental System also forced British merchants to become more flexible and to diversify, investing in Asia, Africa, the Near East and Latin America much more than before, so exports that had been running at an average of £25.4 million per annum between 1800 and 1809 rose to £35 million between 1810 and 1819. By contrast, imports fell significantly, so Britain’s balance of trade was positive, which it hadn’t been since 1780.

Brexit – cast your mind back 212 years to Napoleon and the continental system

According to today's Times newspaper:


2½ years late, as they say in the accompanying article, "Colin Clark, a Scottish Conservative MP, has said contingency planning should have started immediately after the vote in 2016", but better late than never.

Mr Clark is not alone in his views, several respectable people believe that is and always has been the obvious approach ...

... but the Chancellor of the Exchequer, Philip Hammond, is quoted elsewhere as saying that "what they were doing must be seen as a precaution, not a policy challenge. He warned that the idea of a managed no deal was a ‘unicorn’ ...".

Who's right?

The respectable people or the Chancellor?

Thursday, 13 December 2018

RIP IDA – LSE Prof sells CGD a pup

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


May 2013, and Alan Gelb and Julia Clark of the Center for Global Development publish a report on biometrics. Not so much a report as an uncritical re-hash of the marketing material used by the biometrics industry. The industry that owes so much to astrology.

It is possible that you had forgotten.

November 2018, and the CGD publish an odd report on GOV.UK Verify (RIP) with a preface by the same Alan Gelb. At least, one assumes that it's the same Alan Gelb.

The report is written by Dr Edgar A Whitley, "an Associate Professor (Reader) in Information Systems in the Department of Management at the London School of Economics and Political Science". That doesn't seem to have helped:

RIP IDA – LSE Prof sells CGD a pup

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


May 2013, and Alan Gelb and Julia Clark of the Center for Global Development publish a report on biometrics. Not so much a report as an uncritical re-hash of the marketing material used by the biometrics industry. The industry that owes so much to astrology.

It is possible that you had forgotten.

November 2018, and the CGD publish an odd report on GOV.UK Verify (RIP) with a preface by the same Alan Gelb. At least, one assumes that it's the same Alan Gelb.

Wednesday, 17 October 2018

RIP IDA – international ID slapstick, that's the way to do it

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

A week ago we learnt that people with a German electronic ID are now able to use it to log on to HMRC:


This has been on the cards, so to speak, for over 10 years now, ever since the inception of the European Union's Project STORK. German students studying at UK universities should be able to access UK public services while they're over here using trusted German identity assurance. Ditto UK students in Germany. And not just Germany and the UK, any EU citizens in any EU country.

Over the years, Project STORK became eIDAS, EU Regulation 910/2014. The German Federal Office for Information Security jumped through all the eIDAS hoops to "notify" their Ausweis identity assurance scheme, it's passed all the tests and, as noted in the Martin Jordan tweet above, Her Majesty's Revenue and Customs now have to accept Ausweis identities.

That's the theory.

In practice, this is the response a German currently gets:


That's the way to do it.

"Something went wrong".

It certainly did.

But where?

Germany? HMRC?

Apparently not. The error message is branded GOV.UK Verify (RIP). Their logo. Their problem.

Speaking of which, GOV.UK Verify (RIP) has been put up for eIDAS membership. It's been "pre-notified" in the lingo:


Will it be as successful as the Germans' Ausweis? Will it be deemed to provide a low level of assurance that the owner of the GOV.UK Verify (RIP) identity is who they say they are? Or a substantial level of assurance or even a high one?

Our EU partners will not be impressed at the rejection of GOV.UK Verify (RIP) by HMRC, DWP (para.3.21), the NHS, Scotland, UK local government and others. Nor will they be mollified when they see US NIST's opinion that GOV.UK Verify (RIP) provides nothing better than self-certification.

It's all about trust, and what are our partners supposed to make of the fact that the Post Office are treated as an "identity provider" (IDP) even though they're not certified by tScheme? It looks underhand making people think they're dealing with the Post Office when really all the identity proofing work is carried out behind the scenes by Digidentity. It undermines trust.

Has GOV.UK Verify (RIP) been pre-notified by the Government Digital Service? That would seem strange:
  • Partly because it is the Department for Digital Culture Media and Sport that has responsibility for the digital economy and for identity policy, not GDS.
  • And partly because it has recently been announced that the UK government will cease funding GOV.UK Verify (RIP) in 18 months' time.
Who will underwrite GOV.UK Verify (RIP) identities after that?

No-one knows. Certainly not the 27 other members of the EU.

As things stand, the probability of GOV.UK Verify (RIP) getting through the eIDAS vetting procedure is not high, not substantial but, if it's lucky, maybe low. Low-to-non-existent.

That's the way to do it.

----------

Updated 23:52

Our European partners may recall that early last month the UK's Infrastructure and Projects Authority recommended that GOV.UK Verify (RIP) be terminated. That's the same GOV.UK Verify (RIP) that we're trying to get approved for use in eIDAS, please see above.

Not confidence-inspiring.

Reality bites. But instead of terminating the scheme, the Senior Responsible Owner is abandoning ship and GDS are letting go of the controls and handing it over to the private sector. Perhaps the private sector will prove better at terminating it.

Not confidence-inspiring.

GOV.UK Verify (RIP) boasted seven "identity providers" until recently – Barclays Bank, CitizenSafe/GB Group plc, Digidentity, Experian, the Post Office, the Royal Mail and SecureIdentity/Morpho.

During the handover to the private sector two of those "identity providers" are dropping out – CitizenSafe/GB Group plc and the Royal Mail.

In reality, the Royal Mail was never a true "identity provider", they just provided a call centre service and all the identity proofing and verification work done in its name was really conducted behind the scenes by CitizenSafe/GB Group plc, another example of GDS's duplicity like the Post Office/Digidentity charade, please see above.

Not confidence-inspiring.

What happens to all the personal information that the Royal Mail and CitizenSafe/GB Group plc amassed while they were still operational? Them and their subsidiaries and partners and contractors? Where's the information gone now? What control do we citizens have over our own personal information? What happens when GDS and DCMS are no longer involved?

Come to that, what's happened to all the personal information Verizon amassed while they were an "identity provider"?

Even for the continuing "identity providers" – Barclays Bank, Digidentity, Experian, the Post Office and SecureIdentity/Morpho – GOV.UK Verify (RIP) doesn't abide by a single one of the identity assurance principles that are meant to govern it.

Not confidence-inspiring.

GDS never answer questions posed by us, the public. Maybe they'll answer the eIDAS authorities.


Updated 18.10.18

Certification of the GOV.UK Verify (RIP) services supplied by "identity providers" is carried out by tScheme. The summary of their certification has now been updated.

The Post Office is most notable as the only "identity provider" to have no tScheme approval whatever.

None of the "identity providers" is certified by tScheme as having any expertise with digital certificates – something of a gap vis-à-vis eIDAS, which is all about trust services.