Friday 18 January 2013

#2 of many lessons about GDS and the external digital thought-leaders

Would you trust an organisation that promises the impossible?

It's a week now since ex-Guardian man Mike Bracken, executive director of the Government Digital Service (GDS) and senior responsible officer owner for the government-wide Identity Assurance Programme (IDAP), issued his invitation to Sprint 13, The Future is Here.

What a party it promises to be. Come and meet "Government and Agency Board Members, Officials, Policy Makers, Ministers, Press and External Digital Thought-Leaders" in uptown SW1 at the Queen Elizabeth II Conference Centre on Monday 21 January 2013 from 08:45 to 13:00 (GMT) – "jealousy" hardly begins to describe the state of those of us who have been uninvited.

Still, at least the uninvited don't face the invidious choice of the select band of party-goers – which workshop to attend:

• AGILE working methods? Why do we need digital delivery? Electoral Registration Transformation?
Assuring identity in a digital environment? Going digital? ‘You be the judge’?
Aid information platform? Digital policy engagement? Open changes everything?
The use of social media? Open policymaking? ...

Very tempting to try Electoral Registration Transformation. So many questions:
  • Can the law be changed to allow the data-sharing which its advocates believe would facilitate a complete and accurate electoral roll?
  • Would data-sharing help?
  • How do you reconcile Whitehall's claim that they don't want to create a single national identity register with the plan to store the complete electoral roll with the credit referencing agencies?
  • Would that complete electoral roll provide the basis for a new way to conduct the national census?
  • ...
But in the end the choice surely must be Assuring identity in a digital environment:
  • If there's no on-line identity assurance, then GDS have been wasting their time.
  • If we can't transact with the government on the web, then digital-by-default collapses.
What are the chances of GDS delivering on-line identity assurance? Slim-to-nil.

We have the lesson of the National Identity Scheme to go by. After eight years of unstinting political support and taxpayers' money, it collapsed, with nothing to show for it, except the nervous breakdown from which the Identity & Passport Service still haven't recovered.

It would be a hard job in any circumstances to get digital-by-default off the ground. The news every day carries stories of security breaches on even the most exalted websites. And even whole countries – including ex-Guardian man Mike Bracken's favourite Estonia.

After years of security failures, GDS start with no trust. Which means they can't start.

No-one believes any more that there is any such thing as a secure website. The belief in secure websites is right up there with the belief in unicorns.

It would be hard enough, to recap, to make digital-by-default work in any circumstances, but GDS have made it even harder for themselves than it need be.

With the quasi-religious light of web zealots in their eye, GDS want to make access to public services just as easy as access to Facebook and Google and Twitter. That means abandoning the clunky old Government Gateway. The Gateway is relatively secure. Precisely because it's so clunky. Having separate user IDs and passwords for each person/company for each public service is precisely what makes it relatively secure. Get rid of the clunkiness and you lose the relative security.

GDS have appointed eight national so-called "identity providers" (IDPs). The name is either laughable or sinister. Neither quality promotes trust.

They were late naming seven of the IDPs, please see Identity assurance – one under the eight. And the name of the eighth – PayPal – only came to light about 48 hours ago, by such a devious route that their appointment looks suspicious, please see The identity of the UK's eighth identity provider has now been provided, reluctantly.

Why are GDS so embarrassed about PayPal? Or why are PayPal so embarrassed about GDS? Either way, it does nothing for trust.

Last March, 2012, GDS told us that IDAP would be "fully operational from spring 2013", please see Universal Credit and the December putsch. Now we learn that "systems will need to be fully operational from March 2013". The beginning of March? 41 days away. Or the end? 72 days. Either way, it's impossible. Would you trust an organisation that promises the impossible?

All that, and GDS want to put public services in the cloud, acknowledged as the single most efficacious way to lose control of your data. In this case of course, our data. Another own goal by GDS.

It promises to be a lively congregation on Monday and it's an infuriating shame to miss it.


Updated 23.11.14

It was January 2013 when we wrote the following, please see above – all but two years ago:
GDS have appointed eight national so-called "identity providers" (IDPs). The name is either laughable or sinister. Neither quality promotes trust.
It's all change now. The Identity Assurance scheme (IDA) is now known as "GOV.UK Verify" and as GDS were telling us the other day in How does a certified company establish that it’s really you? ...
When you want to access a service using GOV.UK Verify for the first time, you’ll be asked to choose from a list of certified companies (also known as ‘identity providers’ – they can actually be any type of organisation that is certified).
... they're not called "identified providers" any more. Now they're called "certified companies". Stuck in their own terrarium, it's taken GDS two years and more to notice how ridiculous the idea of an "identity provider" is.

That's not all that's changed.

Three of the original "identity providers" have pulled out – Cassidian, Ingeus and PayPal want nothing to do with IDA/GOV.UK Verify.

And of the remaining five, only one is certified – Experian. The other four – Digidentity, Mydex, the Post Office and Verizon – have yet to be certified trustworthy by tScheme, an organisation no-one has heard of and no-one has any reason to trust.

No comments:

Post a Comment