Friday 30 November 2012

midata – the false prospectus. Every time you look, you see another mendacious argument

There is a peril in conflating the concepts of open data and personal data

Sometimes you sit down to write a post and you get to work on it, only to find that someone else has done it first – and what's more, in 22 words flat.
How Midata will affect business and consumers

Kathleen Hall
Tuesday 20 November 2012 12:47

As the government pushes private companies to release customer data under its Midata initiative, Computer Weekly looks at what this means for the digital economy and who stands to benefit most from this new form of "consumer empowerment".

The government's Department for Business, Innovation and Skills has singled out energy companies, mobile phone firms, banks and payment companies as key organisations that should release customer data to allow consumers to make more informed decisions under its Midata initiative ...
Ms Hall goes on to describe how midata will force suppliers who already provide us with a record of our transactions to provide us with a record of our transactions.

She introduces the reader to Professor Nigel Shadbolt, co-director with Professor Sir Tim Berners-Lee of the Open Data Institute (ODI). He believes that there is money to be made by people writing apps to process personal data and help them to make better decisions.

She interviews Nick Pickles, the director of Big Brother Watch, who has reservations about midata.

And she interviews Owen Boswarva:
Owen Boswarva, open data activist, warned there is a danger of consumers being blasé about their information being passed on to third parties. He said the potential risks were in danger of being de-emphasised.

“On the face of it, this is presented as being an unalloyed good thing, and you can’t argue with having more access to data. But it will depend on the checks and balances in how this is implemented,” he said.

Boswarva said he would like to see additional processes built in to ensure data is handled properly.

“There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing,” he said.

(Boswarva links added by DMossEsq, not in Computer Weekly article)
And there it is. In 22 words. Admirable conciseness: "There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing". That's all that needs to be said.

Glutton for punishment?

Here's the DMossEsq 1,000-word version.

25 September 2012, and the Guardian publish Time for online users to devise a transparent internet we all could trust by Alastair Crawford, the founder of 192.com.

First we get:
... consumers have much to gain through sharing personal data and by understanding what data exists on them, either for making smarter purchases or exploring commercial opportunities – the government's Midata project, being debated in the enterprise and regulatory reform bill, enables consumers to demand the transaction data companies store on them. This will allow consumers to understand their spending patterns better and become smarter shoppers.
Followed by:
... a post-Wikileaks world requires accountability – if we are not accountable, someone will account for us. Perhaps this is the thinking behind the UK government's Open Data initiative, which makes public data available so we can better understand policy decisions and see the "raw data driving government forward".
And finally:
It's particularly important that the biggest player in this equation remains the individual. The individual must be empowered to take greater control over the use of data created by and about him. As more data is created on people, there must be an ever more sensitive balance between privacy and accountability
Never mind the fact that equations don't normally have players in them, you see what's happened there?

Against a background of transparency, trust, understanding, smart shopping, accountability, empowerment and control, the argument moves from personal data to public data and back to personal as though they should both be open, as though they're comparable.

They're not.

It is not just legitimate but essential that Whitehall expose as much data as possible showing how they spend 700 billion of our pounds every year so that we can look for ways to get better value for money. There is no such imperative for individuals to expose their personal data – which is what midata would do – and there is every reason to reveal as little of it as possible.

On that basis, Professor Shadbolt's involvement with the ODI seems nothing but benign. But why is he involved with midata? Why is the co-director of the ODI (public data) also the chairman of the quite different midata (personal data)?

The answer centres on Garlik Ltd, a company the professor collaborated with (or founded) and which has now been sold to Experian, the credit referencing agency, which is one of the UK's seven appointed "identity providers".

Garlik helps people to avoid identity theft/fraud. So Professor Shadbolt has some relevant expertise in fighting fraud. Good. But then why would he promote midata, an initiative which can only increase the incidence of identity theft/fraud as people record more and more of their personal data, including logon IDs and passwords, in their personal data stores, on the web?

Every time you look at midata you see these contradictions:
  • midata promises to make suppliers provide statements. But they already do.
  • midata promises to give consumers control over their data. But that control is not midata's to give ...
  • ... and anyway, midata looks more like giving up control than gaining it ...
  • ... because the way midata works is that you hand over all your data to a trusted third party you have no reason to trust ...
  • ... who stores it on the web, which you know is a dangerous place to store it.
  • The advocates of midata promise loudly that it will boost the UK economy but admit that it might not ...
  • ... while staying very quiet about the way the scheme would work in practice and particularly the dangerous need to create a personal data store on the web.
  • midata is supposed to help people make better decisions, but the only examples given are switching applications – switch mobile phone suppliers, switch gas and electricity suppliers, ... – and those applications already exist. We don't need new legislation.
  • midata involves introducing new regulations. The Department for Business Innovation and Skills say it will have a de-regulatory effect.
  • ...
It's a false prospectus. One mendacious argument after another. Of which the elision of public and personal data is just one more.

----------

Added 27.12.12:
Government revives plan for greater data-sharing between agencies
... Guy Herbert, of the No2ID campaign, said he was alarmed to see the revival of the Blair government's database state policies. "There has been a consistent – and it can only be deliberate – habit in Whitehall of conflating 'public information', which most people take to mean information about the state, with information on the public held by state agencies. This has now been hooked on to the new administration's modish transparency, and is used to suggest that 'open data' implies opening us all up to inspection at official whim. It doesn't."

Wednesday 28 November 2012

HMRC, Skyscape and a 2nd response from Phil Pavitt

G-Cloud, GDS, HMRC and Skyscape, the company with just one director, who owns all the shares – Whitehall SNAFU
Open letter to Lin Homer, Chief Executive, HMRC, asking about the wisdom of entrusting their data (our data) to the cloud with Skyscape Cloud Services Ltd.
Response from Phil Pavitt, Director General Change, Security and Information, HMRC, on behalf of Lin Homer.
Open letter to Phil Pavitt.
28 November 2012
Response dated 26 November 2012 from Phil Pavitt, please see below:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]


HMRC and Skyscape Cloud Services Ltd

Dear Mr Moss

Thank you for your letter of 24 October 2012 expressing your concerns in respect of Skyscape Cloud Services Ltd’s suitability to host HMRC data. I apologise for the delay in responding to you.

Further to my reply of 22 October, I wanted to provide you with some more information to alleviate your concerns. I must reiterate our assurance that, using Skyscape, HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.

When fully operational, Skyscape Cloud Services Ltd will securely host all HMRC data currently held on office File and Print Servers (FAPS). FAPS support the work of many HMRC offices and hold data for a wide range of business purposes e.g. administrative and customer related. FAPS do not hold the definitive tax records for the UK and these records remain distributed across a number of secure systems.

HMRC routinely risk assesses and tests the security of our solutions and services. Our secure connection to Skyscape will be delivered in line with HM Government standards to protect our data, with ongoing assurance checks throughout the life of this service.

As emphasised in my letter of 24 October, in order to deliver through G-Cloud, Skyscape were required to meet a set of mandatory criteria set out by Government Procurement Services (GPS) including financial standing and Experian risk assessments. Additionally, HMRC carried out its own standard taxation and financial compliance checks before awarding the contract and Skyscape passed the standards set by HMRC and Government.

All G Cloud contracts are let on a one year basis, with exit provisions agreed to transfer the data to a new supplier should this prove necessary.

Data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). All security aspects of the service will have to be proven in line with HM Government security standards. This will include the need to ensure the ‘cloud’ is hosted in a UK domiciled, secure data centre(s) and operated by staff with appropriate security clearance. We are also carrying out internal accreditations including Internal Risk Management and Accreditation Document Set (RMADS) and PSN risk assessments.

I trust that this answers your concerns and you are able to appreciate our decision to contract with Skyscape.

Yours sincerely

Regards

Phil Pavitt
HMRC Director General Change, Security and Information

Monday 26 November 2012

HMRC soon to be Pavittless

Computer Weekly, 22 November 2012:
Phil Pavitt has stepped down as HMRC’s CIO to join insurance giant Aviva as global director of IT transformation ...

Under his role at Aviva Pavitt will be tasked with simplifying the firm’s IT services, and modernising and digitising its business.
DMossEsq readers have met Mr Pavitt a couple of times.

Back in May he forgot that the UK already has a Government Gateway and doesn't need GDS – the Government Digital Service – to develop a new one, even if they could.

More recently, he was deputed by Lin Homer, Chief Executive of HMRC, to explain why HMRC have decided to store all our tax records with a one-man company, Skyscape Cloud Services Ltd:
  • Let's hope he has time to explain this transformational decision to the public before he leaves HMRC.
  • And let's see if Aviva, in the name of "modernisation", will store all their insurance records in the cloud and instantly lose control of them.

Identity assurance – one under the eight

On 13 November 2012 the Department for Work and Pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.

We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.

Publication slipped. And we still don't know who the eighth "identity provider" will be.

Two things we do know:
  • Whoever the eighth one is, there is clearly some reluctance somewhere, some friction. Maybe DWP aren't sure about the credentials of this eighth supplier. Maybe the eighth supplier isn't sure that it wants to be involved with IDAP, the government's tottering Identity Assurance Programme. Either way, they will start with their credibility impugned.
  • It's not really DWP doing the appointing. It's GDS, the Government Digital Service. GDS may be very good at designing websites. But what credentials, if any, do they have for identity assurance? The appointment is clearly giving them an embarrassing problem. More to the point, there are 21 million prospective claimants for Universal Credit in the UK. Identity assurance is meant to be operational by the Spring of 2013 for all 21 million of them. The chances of that happening are now nil. GDS's failure is extending the imprisonment in the poverty trap of millions of claimants who could be released by Universal Credit. Putting the wrong people in charge of identity assurance has miserable social consequences.

Thursday 22 November 2012

midata – nudging you into an interactive flashbased graph

There's so much wrong with midata, the Department for Business Innovation and Skills initiative to "empower" all us consumers, that you may forget the delightful loopiness of its proposed benefits:
If organisations try to share customer data with each other they invade individuals’ privacy and risk breaching the Data Protection Act. The result is duplication, waste and missed opportunities ...

Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass. Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals. Data is manipulated so that users can share statistics and compare the end results ...

Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next.
Silly old privacy laws. They just get in the way. They're synonymous with waste and duplication. They stand in the way of interactive flashbased graphs of our coffee consumption and lawn-mowing. With midata choice engines we'll be able to predict the future and control it.

Which mooncalf would fall for this unlikely sales pitch? Cui bono?

There are many answers but one obvious one is Whitehall's Behavioural Insights Team.

They're not having much luck. Most people ridicule the team's nudging job. Their behavioural insight is limited. Tasked with getting UK retailers to sign up to midata, they failed and have now resorted to legislation – the very tool they're meant to abjure.

How could their performance be improved? What would help the Behavioural Insights Team to do its job?

These questions must have haunted Sir-Gus-now-Lord O'Donnell, head of the team's advisory board. And then along came midata. midata and its attendant app-writers, churning out choice engines to help people make life-style decisions, vehicles which could be tuned, perhaps, by Whitehall – who are footing the bill, after all, let's face it – tuned to influence, or nudge people's decisions in a chosen direction, an officially preferred direction ...

----------

Just after writing the word "pitch", just before "Cui bono", an email appeared from Alan Mitchell, the man who thinks midata will allow us to tell the future more accurately than horoscopes:
Please forward this newsletter to colleagues if you think they will find the content useful. Anyone can sign up to receive the newsletter by joining our registered [sheltered?] community here. We only send the newsletter to people who request to receive it.
Would you like to join this registered community? Perhaps this sample will help to nudge you:
We have published a short, informative paper, ‘midata: where next?’ ... It summarises the new focus areas of the programme and showcases a prize winning example straight from the recent inaugural, ground-breaking midata Hackathon of what innovation and value can be achieved in a new midata-enabled world ...

In a series of blog posts we’ve ... discussed how, by opening up a new private sector market of Identity Providers which can act on an individual’s behalf, the Government is kick starting an ecosystem of enriched, trusted data sharing, stimulating innovation and cost saving opportunities ...

There is further investment in the quantified self space as Canadian company Retrofit announces $8 million in new funding ...
----------

Added 1.4.13: Nike+ FuelBand and Google Glass: what next for the 'quantified self'?

midata and identity assurance – BIS and DWP lure the British public into danger

Hat tip: Dave Birch

Questions have been raised about the advisability of creating population registers on the web.

The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.

The Department for Work and Pensions (DWP) have an initiative called "Universal Credit" which would require us to ditto, please see for example Identity assurance – convenient? It'll make your life so much easier.

The objections to subscribing to on-line population registers are manifold and include the dangers of cybercrime.

What dangers of cybercrime?

Take a look at this, from Reuters, 20 November 2012:
Man arrested in Athens over ID theft of most of Greek population

ATHENS | Tue Nov 20, 2012 12:14pm EST

(Reuters) - Greek police have arrested a man on suspicion of stealing the personal data of roughly two thirds of the country's population, police officials in Athens said on Tuesday.

The 35-year old computer programmer was also suspected of attempting to sell the 9 million files containing identification card data, addresses, tax ID numbers and license plate numbers. Some files contained duplicate entries, police said.

Greece's population is 11 million ...
BIS and DWP promise us, of course, that the midata and Universal Credit registers will be held in secure websites. No doubt. But then the Greek population register was supposed to be secure, too. Not much help, is it?

Surely this must be a one-off, you object? No. You're forgetting last year's Jerusalem Post, 24 October 2011:
'Contract worker stole all Israelis' personal information'

By JPOST.COM STAFF LAST UPDATED: 10/24/2011 13:16

Information was used to create searchable database; computer technician put the database on Internet for anyone worldwide to access.

A contract worker from the Labor and Welfare Ministry was charged with stealing the personal information of over nine million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted.

The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer ...
And so it goes on ...

BIS and DWP are luring the British public into danger. It is at the very least irresponsible of them to do that. Why are they doing it?

It's up to them to answer that question.

Meanwhile, you are strongly advised to resist their invitations.

Wednesday 21 November 2012

midata, consumption patterns and choice engines – the natural habitat of the stupid

People are forever ringing DMossEsq asking what is the key selling point of midata.

Here, once and for all, is the definitive answer.

Open the Impact Assessment for midata, turn to p.3 and read – it's all in there:
What are the policy objectives and the intended effects?
Giving consumers access to their transaction data will enable consumers to make better informed decisions and choose products which offer them the best value. This in turn will reward firms offering the best value because they will be able to win more customers, increasing competition and leading to lower prices, improved efficiency and greater innovation. It will allow consumers to analyse and then improve their consumption patterns, particularly by enabling third party ‘choice engines’ to process transactional data on behalf of consumers and advise them on their consumption habits and potential switching options. We expect the release of information to stimulate innovation in and expansion of third party choice engines.
"Choice engines". What a phrase. Who won the office sweepstake last week for that one?*

The idea behind midata is that you should store all your transaction data in a personal data store (PDS) hosted in the cloud, on the web, by a trusted third party like, say, Mydex. Some innovative juvenile writes an app which, given the evidence of your consumption patterns, recommends the best play to go to see in London. You give Mydex permission to share your data with WhatsOnApp® and a stream of unwanted phone calls ensues, trying to get you to see Chicago. Ditto health apps – eat more broccoli. And financial apps – earn more interest, save with Bear Stearns.

You've got to be a bit stupid anyway to open a midata account in the first place and store all your personal data in the worldwide wild West of the web with a third party you've never met and have no reason to trust. Even more stupid to go on to share your personal data with unknown third party apps.

But then, you are stupid, aren't you.

That's what BIS must assume. You're the sort of person who can't choose what clothes to buy for the Summer without having an app to help you, see A midata future: 10 ways it could shape your choices.

Advocates of midata are forever promising an "ecosystem" of apps developers. That's not the answer to the question. They're more likely to create a natural habitat of the stupid.

----------

* Probably DMossEsq, come to think of it, see Have you ever had breakfast with Sophia Loren? (2003), p.81:
The choices made,
the preferences expressed,
are a function of my personality,
if you like,
of my character.
That's using your language.
In my language,
personality or character
is a choice engine.
And choices are made to maximise rewards.

Identity assurance – convenient? It'll make your life so much easier

Have DWP and GDS taken leave of their senses
suggesting that we should trust unknown third parties
with our user IDs and passwords?
Yes.

The Department for Work and Pensions (DWP) identity assurance press release the other day naming seven of the UK's "identity providers" (IDPs) was commendably short. Every word counted:
13 November 2012 – Providers announced for online identity scheme

The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.

The Minister for Welfare Reform Lord Freud said:
"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.

The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?

At the moment, you have to know separate user IDs and passwords for logging onto Facebook, for example, Twitter, Amazon, eBay, PayPal, your bank, HMRC (self-assessment), HMRC (VAT returns), etc ... That is very inconvenient.

GDS, the Government Digital Service, the people behind identity assurance – remember, ex-Guardian man Mike Bracken is not only chief executive of GDS but also the senior responsible owner for the government's identity assurance programme – want to make your life more convenient.

So what they propose is that you give all those user IDs and passwords to your chosen IDP and let them log on for you. You still have to remember the user ID and password you use to log onto your IDP. But as long as you can do that, you're fine, your IDP will remember all other user IDs and passwords and log on for you.

That's obviously convenient. But is it wise?

Take a look at the seven IDPs. Which one would you trust with the user ID and password for your bank accounts? And why? You've never heard of them, have you? Apart from the Post Office. They may all be eminently trustworthy. But suppose some ne'er-do-well teenager with Asperger's hacks into them and just steals all the user IDs and passwords?

Remembering all those user IDs and passwords ourselves may be unavoidable. It may be the price we pay for security. It might be convenient to have someone do our remembering for us but, if we lose our security as a result, it wouldn't be wise.

Have DWP and GDS taken leave of their senses suggesting that we should trust unknown third parties with our user IDs and passwords?

----------

Updated 16.2.15

In the intervening two-and-a-bit years since the post above was written the notions of secure websites and secure communications have died a thousand times. Remember Sony. Take a look at yesterday's Telegraph, Hackers steal £650 million in world's biggest bank raid. Think back to QinetiQ.

Your only option is to minimise your inevitable losses. Make sure that if one set of defences is breached they aren't all breached. Maintain distinct logon ID-and-password combinations for each on-line service you use.

The Government Digital Service continue to try to breathe life into the corpse of their Identity Assurance programme (IDA). The service is now known as "GOV.UK Verify". GDS continue to ask us to believe against all the evidence that it is secure.

And they continue to advocate having as few logon ID-password combinations as possible on the grounds that that is convenient and the Devil take the risks. No bank would recommend that. But then the banks are liable to compensate you if your bank account is emptied by hackers. GDS aren't. If you're hacked as a result of using GOV.UK Verify, you pay.

The BBC have been drafted in to promote GOV.UK Verify. Here's an extract from BBC Radio 4's World At One news programme, 23 January 2015:



David Alexander, the CEO of Mydex, is interviewed. Mydex is one of the five "identity providers" left at GDS's identity assurance funeral. Use a Mydex personal data store (PDS), says Mr Alexander towards the end of the extract, and let that log on to all your other services for you. That will be much more convenient.

Take him, for example. Currently, he says, he has 705 logon ID-password combinations for on-line services he uses. That's awfully inconvenient. How much better to store them all in his PDS and let Mydex log on to these 705 services for him.

But hang on a minute. If one of those 705 services is hacked at the moment, he's left with 704 services that haven't been hacked. Follow his recommendation, use a Mydex PDS, and one security breach opens the door to all 705 services.

You don't need to be a genius at risk assessment to recognise the disproportionate danger of the PDS idea.

Mr Alexander is in 705 times more danger if he uses GDS's GOV.UK Verify than if he doesn't.

If someone offers you the convenience of a single logon ID-password combination, run a mile.

RIP IDA.

Cybersecurity – good news at last, from midata

Cybercrime
The magnificent power of the web is a double-edged sword. It makes it easy for us all to do our banking on-line. And it makes it easy for cybercriminals to defraud us. Huge brains are working on the side of law-abiding web users and they're holding the line. Thanks to them, fraud is held down, just, to acceptable levels. That could change. Huge brains are working on committing fraud and if they make any serious progress, eBanking and eCommerce in general could have to stop – there is no law of nature that says that eCommerce must be feasible. The web is a dangerous place to do business.

midata
Nevertheless, the Department for Business Innovation and Skills (BIS) want to "empower" consumers by getting us all to store all our transactions on-line, on the web, in the cloud, on the servers of unknown so-called "trusted" third parties or their sub-contractors. Is that a good idea? Given the incidence of cybercrime, aren't BIS behaving irresponsibly? With midata, they're inciting their parishioners to take serious and unnecessary risks. They're trying to take powers to force banks, phone companies, energy companies, retailers and others to put all our transaction data on the web.

"Oi, you two, Tesco, Sainsbury's, get over 'ere",
BIS are effectively saying,
pointing at the flames,
"and bring the petrol".

Impact assessment
Luckily, this proposed legislation requires an impact assessment, listing the putative benefits and the associated risks, please see Impact Assessment for midata – in case of any enquiries, ring Craig Belsham or David Miller.

You remember David Miller. He's the BIS economist who said at the 9 August 2012 open forum that it's very difficult to say if midata would boost the economy. It might. It might not.

Anyway, they're onto it. Under Key assumptions/sensitivities/risks on p.4 it says:
Consumer transaction data held by firms can be valuable commercial information. There is a risk that the existence of a power to compel firms to release this data to consumers may reduce their incentive to collect the information. To minimise this risk the power will only refer to ‘raw’ factual information. Any extension of the sectors beyond energy, mobile telecoms and personal banking/ credit cards will be subject to criteria aimed at promoting price transparency. Consumers will have more of their information in an easily accessible format this could pose a risk of an increase in identity theft or fraud.
"Consumers will have more of their information in an easily accessible format this could pose a risk of an increase in identity theft or fraud" – quite. So, is midata off the menu? Too risky?

Not a bit of it.

Solved
Turn to para.123 on p.48:
123. Consumers will increasingly have more of their information in an easily accessible format. With increasing amounts of this data held on home computers or with third party intermediaries, it may increase the likelihood of identity theft or fraud. This may lead to consumers increasing their own cyber security to mitigate this risk. The Government and members of the midata Interoperability Board are undertaking a programme of work to identify and address these issues, which will conclude before any secondary legislation is brought forward.
"The Government and members of the midata Interoperability Board are undertaking a programme of work to identify and address these issues" – sorted. It's hard to think of any sizeable organisation in the world from the Pentagon on down who won't be ringing Craig and David.

Monday 19 November 2012

PRESS RELEASE: midata – time for BIS to answer the questions


PRESS RELEASE

To:
Home Office
OIG (re US-VISIT)
IDABC (re OSCIE)
China (re Golden Shield)
Pakistan (re NADRA)
FBI (re NGI)
UIDAI (re Aadhaar)
Agencies

midata – time for BIS to answer the questions
19 November 2012

When midata was announced a year ago Rory Cellan-Jones, the BBC’s Technology Correspondent, asked “what's the catch for consumers and why is the government getting involved”? Good questions.

Lifestyle choices
... individual users were not yet being allowed to exploit all the information relating to them to make their lives easier. Armed with the information that social networks and other web giants hold about us, he said, computers will be able to "help me run my life, to guess what I need next, to guess what I should read in the morning, because it will know not only what's happening out there but also what I've read already, and also what my mood is, and who I'm meeting later on".
Thus Tim Berners-Lee, inventor of the web, interviewed by the Guardian in April.

Slightly dotty, of course – your computer will know what mood you’re in? But the Department for Business Innovation and Skills (BIS) are trying to promote their midata initiative and it suits their purpose to say, in a press release the other day, that midata will allow consumers to “make better lifestyle choices”.

Even if it was true, what business would it be of the government’s?

None. If there’s a demand for lifestyle software, let the private sector provide it.

Economic growth
BIS also claim that midata would be “good for growth in the economy”. Strange, because at the 9 August 2012 midata open forum David Miller, a BIS economist, was asked how much midata would make the economy grow by and answered, it’s very difficult to say what the macro-economic effects of midata would be.

Banks, phone companies and energy companies already provide us with detailed statements, on-line and on paper, they have done for decades, and the economy isn’t growing. So what’s new about midata?

Personal data stores (PDSs)
Answer – PDSs, please see para.2.19, p.24 of BIS's midata 2012 review and consultation. BIS want us all to have PDSs, databases storing all of our transaction data, which can be processed to make our lifestyle choices for us and which identify us uniquely.

We wouldn’t be expected to maintain the PDSs ourselves. That would be the job of so-called “trusted third parties”, who would store all our personal data on the web, where it would be continuously updated by permanent links with all our suppliers.

What personal data? The BIS press release refers us to a document of theirs, A midata future: 10 ways it could shape your choices. The answer seems to be any contracts you have entered into, any warranties you have taken out, your driving licence, your educational qualifications, your CRB report, your bank accounts, the clothes you buy, your gas and electricity usage and your neighbours’ usage, too, your health records, entertainment preferences and favourite restaurants.

It’s an extensive set of data about you. midata may not help the economy to grow but, in the PDSs which it relies on, it would provide you with an on-line ID card.

Trusted third parties
Who are the third parties you’re meant to trust with all this personal data? Only one is regularly mentioned and most people will never have heard of it – Mydex – so what reason is there to trust it?

At the 9 August 2012 midata open forum Kirstin Green, a deputy director at BIS, mentioned that the chairman of Mydex sits on the BIS midata strategy board. To understand BIS’ midata proposal it helps to understand Mydex is therefore written with considerable authority, as is Making midata work for you.

Identity assurance
Actually, you may have heard of Mydex. You may have read the Department for Work and Pensions (DWP) press release about the Identity Assurance Programme last week, Providers announced for online identity scheme. Mydex is one of the seven “identity providers” appointed for the UK last week by DWP. The idea is that in Whitehall’s new digital-by-default world, if you want to register for benefits, you need an identity provider to vouch for you, to say that you are you – a PDS is an ID card.

----------

They couldn’t answer them last year. Let’s see if BIS can answer Mr Cellan-Jones’s questions now.

About David Moss
David Moss has worked as an IT consultant since 1981. The past 9 years have been spent campaigning against the Home Office's plans to introduce government ID cards into the UK. It must now be admitted that the Home Office are much better at convincing people that these plans are a bad idea than anyone else, including David Moss.
Press contacts: David Moss, BCSL@blueyonder.co.uk

Saturday 17 November 2012

Cutting costs/making savings, and GDS's fantasy strategy

For some time now, the Government Digital Service (GDS) have made the meaning of their digital-by-default agenda clear – they want the UK to be like Estonia.

It is thanks to the fact that practically every service in Estonia is delivered over the web that, back in 2007, Russia was able to bring the country to its knees in a matter of days. If GDS succeed with their "modernisation" plans, there will be nothing to stop that happening here in the UK.

GDS are in awe of the financial success and popularity of Apple, Amazon, eBay/PayPal, Google and Facebook. With no experience of government behind them, the over-promoted software engineers at the head of GDS want to bring their heroes' tricks to the delivery of public services in the UK.

Sensible people will see Facebook et al as latter-day Pied Pipers of Hamelin – sensible people, including the tens of thousands of public servants who will be laid off and replaced by GDS's computers when government is, as they say, "transformed".

Many of these organisations are famous for avoiding tax on their UK profits and for using their near-monopolies to tyrannise their suppliers and to milk their customers. But GDS somehow maintain their naïve veneration and on 6 November 2012 they published their Government Digital Strategy.

This fantasy strategy is an elaboration of Martha Lane Fox's ideas, set out in her October 2010 letter to Francis Maude, Directgov 2010 and beyond: revolution not evolution. Ms Lane Fox is the Prime Minister's digital champion, she's a historian, and when she says "revolution" she means it.

Her revolutionary fervour is carried over into last week's GDS strategy, which Sir Bob Kerslake – head of the home civil service, permanent secretary at the Department for Communities and Local Government (DCLG) and previously the chief executive of first the London Borough of Hounslow and then Sheffield City Council – has greeted with a post on GDS's blog, Welcoming the Digital Strategy:
Our reform plan also made a clear commitment to improve the quality of the government’s digital services, and to do this by publishing a Government Digital Strategy setting out how we would support the transformation of digital services [how does publishing a wishlist improve the quality of public services?].

We fulfilled that commitment yesterday with the launch of the Government Digital Strategy, Digital Efficiency Report and Digital Landscape Report and I very much welcome their publication.
But why? Why does Sir Bob "welcome" this emmental cheese of a strategy? It's full of holes. Consider cutting costs/making savings for example.

Let's get our ducks in a row.

Martha Lane Fox says:
Shifting 30% of government service delivery contacts to digital channels would deliver gross annual savings of more than £1.3 billion, rising to £2.2 billion if 50% of contacts shifted to digital. I strongly suggest that the core Directgov team concentrates on service quality and that it should be the "citizens' champion with sharp teeth" for transactional service delivery ...

The savings from a reduction in duplication are significant, but will take time to realise. The Government recently announced a 75% rationalisation of Government websites. It is estimated this should reduce overall Government web expenditure from around £560 million to about £200 million a year. I think there is agreement that Government can go much further than this, perhaps over time reducing overall expenditure to less than £100 million a year (and some think much less than this though I think we should be careful to manage expectations at this stage) ...

I recommend that any savings from the reduction in duplication should remain in departments, once transition costs and ongoing funding for the new central team have been taken into account.
How are we doing with managing expectations?

In his Foreword to the Government Digital Strategy Francis Maude, Cabinet Office Minister, waves a couple of high-sounding numbers around without asserting anything. The statement is short and conditional:
By going digital by default, the government could save between £1.7 and £1.8 billion each year.
The main body of the document is even more non-committal:
On the basis of historical savings achieved by existing digital services we estimate that £1.7 to £1.8 billion of total annual savings could be made by shifting the transactional services offered by central government departments from offline to digital channels. Of this, £1.1 to £1.3 billion will be saved directly by the government, with the rest passed on to service users through lower prices. These figures do not include the potential costs of a transition to digital [potCosts], but also do not include the additional savings [addSav] that could be gained from fundamental service redesign or back-end technology changes ...

Our estimates suggest that an hour spent interacting with government costs the average citizen £14.70. If just half an hour were saved by digitising every transaction currently completed offline, the total savings to the economy could therefore be around £1.8 billion. Furthermore, many public services are run by agencies that recover their costs directly through user charges, so reducing costs provides the potential for savings to be passed on to users.
Not quite an equation, but we have an approximation here:

Savings p.a. ≈ £1.7 billion - potCosts + addSav

We don't have even an approximation of the values of potCosts and addSav.

But we do have the thumbs up. Digital-by-default has been given the go-ahead.

How much will it cost? We don't know.

How much will it save? We don't know.

If it saves anything, will the public be allowed to keep their own money? No, Martha Lane Fox recommends that Whitehall departments should keep it. For whose benefit is this project being conducted?

What are these savings we're talking about? Lay-offs. Lay-offs of public servants no longer needed. Replaced by computers. How many of them? When? Which ones?

What are the chances of digital-by-default working? And when – how long will it take?

How much advertising revenue could GOV.UK raise? Will GDS follow its heroes Google, Facebook et al into this – into advertising – as they have done into everything else?

Where there should be answers to these questions in the Government Digital Strategy there are just holes. Revolution is proposed with no justification. And yet Sir Bob, the head of the home civil service, welcomes this fantasy.