If public services are to become digital-by-default the Government Digital Service (GDS) need to deliver on identity assurance.
It's their responsibility:
- Ex-Guardian man Mike Bracken, the Chief Executive of GDS, is also the senior responsible
officerowner for Her Majesty's Government's Identity Assurance Programme (IDAP).
- GDS acknowledge an IDAP project on their blog.
- And they said on 1 March 2012 that they want to ensure that "... ultimately, HMG-wide Identity Assurance is supplied across central departments via a common procurement portal ... and governed by the Cabinet Office [i.e. by GDS]".
- Francis Maude, Cabinet Office Minister, talking about digital-by-default on 6 March 2012: "... for all this to work users of digital public services need to be able to assert their identities safely, securely and simply".
IDAP has a customer ...
The first guinea pig has been chosen. The Department for Work and Pensions (DWP) are responsible for Universal Credit (UC) and UC will be the first public service to use IDAP, c.f. Francis Maude again: "... soon Identity Assurance Services will be used to support the Department for Work and Pension’s Universal Credit scheme and the Personal Independence payment which, from 2013, will replace the complex and outdated benefit system".
No IDAP, no UC.
... and IDAP has seven suppliers ...
According to the 1 March 2012 notice placed in the Official Journal of the European Union (OJEU): "The initial DWP services will be required to provide identity assurance for approximately 21 000 000 claimants ... To support the rollout of universal credit and personal independence payments, identity assurance suppliers will be selected in summer 2012 and systems will need to be fully operational from spring 2013".
Two deadlines came and went. 30 September 2012 and 22 October 2012. In the end, it was 13 November 2012 when DWP announced the names of seven "identity assurance suppliers". That's what they were called in the March OJEU notice but, by November, they had become "identity providers" (IDPs).
There were meant to be eight of them but the identity of the reluctant eighth IDP remains a mystery.
Not that the other seven are exactly well-known in the UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon – apart from the Post Office, of course, but no-one thinks of that venerable institution as an IDP.
And they're a strange collection. Just look who isn't there. Where are the banks? Where are the (UK) telcos? What happened to the utility companies and the insurance people? Too sensible to accept the hospital pass?
For the first time in history, the UK has official identity providers. You think you already have an identity? Not if it hasn't been provided by an IDP, you don't, not if GDS have their way, not in their modernised, joined up, transformational UK.
As yet, we know nothing about what these IDPs will do – how will IDAP work?
... but the bit in between is missing – there is no IDAP serviceIt should be big news but the media haven't paid much attention and DWP haven't mentioned IDPs since their 13 November 2012 press release. We have no idea from them how IDAP is meant to work.
Mydex blogged about it but there's been no publicity from the other six named IDPs.
And GDS, the people in charge, have managed just one reference to the appointment of the IDPs, "... we now have a group of suppliers with whom we can work out the practical issues of becoming operational as Identity Providers across all of government".
GDS haven't worked out the "practical issues" yet? It's two years since the prospective suppliers went off to work out the details of what was then the Digital Delivery Identity Assurance Project, part of the G-Digital Programme. Haven't they worked anything out in the interim? What was in GDS's invitation to tender? How do you choose and appoint suppliers if you don't know what you want them to do?
The IDPs are only getting an 18-month contract. And they have to register 21 million claimants for no more than £25 million and issue them all with electronic IDs. How are they going to do that? When are they going to do that? And where?
Remember, OJEU notice: "systems will need to be fully operational from spring 2013". That wouldn't be feasible, not now, December 2012, not even if the details of IDAP had all been worked out but they haven't been ("we now have a group of suppliers with whom we can work out the practical issues"). Why hasn't it already been done? How much longer will it take?
Some lessons from recent history
IDAP requires us all to have an electronic ID which will allow us to identify ourselves on-line so that we can transact with the authorities.
The Home Office – or more specifically the Identity & Passport Service (IPS) – had eight years from 2002 to 2010 of unlimited budgets and unstinting political support to issue us all with ID cards, they had the whole of Whitehall behind them, every management consultant money can buy and most of the media, and yet they failed.
IPS couldn't settle on the objectives of the ID cards scheme, they couldn't make their case, they couldn't say what the point was, they didn't have enough registration centres, the chosen biometrics technology doesn't work, CESG refused to sanction DWP's database as the foundation for the National Identity Register, the public had concerns about data-sharing and the loss of personal privacy, and there were unanswered questions about the security of the system.
By paying airport workers to register and by leaning on Home Office staff to register, IPS finally managed to enrol about 30,000 (?) people on the National Identity Register, 0.07% (?) of the target population of 45 million, before giving up, kissing goodbye to at least £292 million of public funds – your money and mine – and having an institutional nervous breakdown from which they still haven't recovered.
Identity assurance requires trust on all sides and IPS destroyed it wholesale.
GDS haven't even started their eight-year march yet.
Two years ago, IDAP was nowhere. It still is.
No progress has been made.
Why did GDS make their promise to have IDAP operational by the Spring of 2013? Why haven't they announced yet that deployment will have to be delayed? Why are DWP still committed to testing UC from March 2013 and having it fully operational by October 2013?
What have GDS been doing all this time?
Three boondoggles and a talking shop
Thoughts on my recent trip to the West Coast with Francis Maude, Minister for the Cabinet Office: "Andrew Nash, Google’s Director of Identity, ran us through the current issues facing identity.He explained how Google aim to grow and be part of an ecosystem of identify providers, and encouraged the UK Government to play its part in a federated system. The UK ID Assurance team and Google agreed to work more closely to define our strategy – so look out for future announcements. Andrew also took the opportunity to walk the Minister through the Identity ecosystem".
It's not known what Francis Maude made of his walk through the identity ecosystem. One way and another, though, Google were excluded from the list of official IDPs.
Estonia’s technology economy and online service provision- back to the future?: "We came to see how a small country of 1.3 million has developed a culture and system of Governance and public service provision using the Internet and transparency as core principles ... Whilst we met dozens of people at breakneck speed, many of whom we hope to see in the UK soon, over the next week I will be explaining the wider points we have uncovered which reflect directly on our challenge to make public services in the UK digital by default, and how the Estonian experience links to our core principles".
Despite their links to the UK's core principles, there is no known Estonian among our IDPs.
29 May 2012, and GDS reported their trip to the White House, Steve Wreyford, Identity Assurance goes to Washington. Connected with which, 14 June 2012, Steve Wreyford, Cabinet Office joins the Open Identity Exchange – the OIX is a talking shop.
And that seems to be about it IDAPwise for GDS. A trip to California. A trip to Estonia. A trip to Washington. And signing up to a talking shop.
What else have GDS been up to?
Playing with computers
Using a team of up to 140, GDS have produced a new website, https://www.gov.uk (GOV.UK). That involved re-writing two existing websites, Directgov and Business Link. They are now in the process of re-writing most of the central government departmental websites and incorporating them into GOV.UK.
Why? It's a huge job and what's the point? Why go to the trouble?
Whatever the answers to those questions, GOV.UK is undeniably something GDS have done.
Unlike providing an identity assurance service.
Producing websites is obviously what GDS are at home with, it's what they enjoy and what they apply themselves to, it's what floats their boat:
Wow! New @mysociety Mapumental product bit.ly/VUX17g Great example ofkind of utility whichshould come from opening Govt data
Ooh, interesting for identity in govt services @gdsteam RT @timbray AccountChooser, a project of the OpenID Foundation: goo.gl/zY5h1
Why re-write all these websites? GDS say that it's all something to do with improving the user experience of government websites. But what's a "user experience"? GDS offer no definition. In the end, arguably, GDS decide for themselves, inscrutably, whether they have improved the user experience:
| Early days but there's no answer to this tweet yet:
@neillyneil @tomskitomski @gdsteam Can you tell us your definition of "user experience" at GDS?
And they say that it's all something to do with a new approach to government. Ex-Guardian man Mike Bracken: "GOV.UK is not Government on the Internet, but of the Internet".
To them, the web is so special that there is something religiose about their mission and when they wanted a blessing for their work on GOV.UK, did they turn to a satisfied user whose experience had been improved? No, they turned to Tim O'Reilly. How did he get past security? How did he even know where the GDS building is?
The Government Gateway – convenience and/or security
Do we need a way to communicate with the government on-line?
Yes, of course we do.
And what's more, we already have a way and we have had for 10 years and more – the UK Government Gateway. Why throw that away? Are we so rich? We can afford to re-write websites and throw away the expensive originals? We can afford to throw away the tried and tested Gateway?
But if GDS have decided to throw it away, how can it take two years not to specify and develop the Gateway's replacement?
The objection to the Gateway is that it's hard to use. Millions of us manage but, yes, it's not easy. GDS promise something easier to use, something more like Facebook. They haven't developed a replacement, or even specified it, but that's what they promise.
But suppose that's impossible? Suppose that if you want a secure system, it just has to be more difficult to use than Facebook? Suppose that if a system is as easy to use as Facebook, then it just can't be secure?
These questions are unanswered. On the one hand, there is no proof that secure systems have to be relatively hard to use. And on the other, GDS certainly haven't provided any proof that "convenient" systems can be adequately secure.
Universal Credit is important. Many people in the UK – maybe millions – are caught in the poverty trap set by our poorly-designed welfare system. UC could spring the trap and release them. They're not guinea pigs, we're talking about the lives of human beings here. While GDS are talking about computers.
Iain Duncan Smith is Secretary of State at DWP. How did he allow an important political initiative to be turned into an experiment for digital-by-default? If people were computers, digital-by-default might work but we're not, are we. Judging from outside:
- DWP's and GDS's deadlines cannot possibly be achieved – how can Francis Maude say that "soon Identity Assurance Services will be used to support the Department for Work and Pension’s Universal Credit scheme"?
- Iain Duncan Smith and his officials have increased the likelihood of UC failing.
- DWP made a terrible mistake when they ceded control to GDS ...
- ... they must take back control over identity assurance for UC ...
- ... otherwise there will be no escape from the poverty trap.
- GDS are simply not up to the job of providing identity assurance services ...
- ... it's not their bag, it's not what they're interested in ...
- ... let them play to their strengths, developing websites, and let them get out of the way of progress on UC.
Daily Telegraph, 17 September 2012, Cyber attacks threaten welfare reforms, ministers warn:
Universal Credit is due to replace scores of individual benefits from next year, simplifying claims and allowing claimants to keep more of their benefits when they take paid work. The regime will be internet-based, with ministers intending that most claimants apply and report a change in circumstances online.
Appearing before a Commons inquiry into the reform, Lord Freud, the welfare reform minister, was asked what was the biggest risk to the programme. “I’ll say what the challenges are, what we need to get right: to get the security system working properly,” he said.
Private security companies will be commissioned to develop a system of “identity assurance” to check that only real claimants can get benefits. “That’s one of the biggest challenges,” said Lord Freud.