Science and Technology Committee
14 Tothill Street
House of Commons
London SW1H 9NB
14 Tothill Street
House of Commons
London SW1H 9NB
Dear Dr McGinness
Digital by default
I refer to the Committee’s oral evidence session held on 5 June 2013.
1. May I bring to the Committee’s attention in case they haven’t seen it the draft report written by Professors Brown, McDermid, Sommerville and Witty. In A Perspective on the Government Digital Strategy (GDS): Balancing agility and efficiency inUK Government IT delivery the four professors cast serious doubt on the prospects for digital-by-default being delivered. The Major Projects Authority (MPA) use a red-amber-green traffic light scoring method to represent their verdicts on major projects. The Committee will note that the professors’ verdict on digital-by-default looks like an amber/red or possibly a simple red. Selected quotations from the report are included at the end of this letter.
2. Digital-by-default is a major project. The MPA haven’t published their verdict on it. May I suggest that if they haven’t done so already the Committee seek out the MPA’s verdict in addition to that of the four professors.
3. By 18 April 2013 56 MPs had signed an early day motion to debate the fate, under digital-by-default, of people who can’t use the web. Testimony was given at the evidence session suggesting that there are about 16 million such people who risk being excluded by default. Digital-by-default is the responsibility of the Government Digital Service (GDS). On 28 July 2011 GDS launched their assisted digital project to try to resolve this problem: “It is about taking a more proactive approach to getting people online and thereby sharing the benefits available from being online”. 665 days later on 23 May 2013 GDS published Starting the conversation about providing assisted digital support. The Committee may be expected by at least 56 MPs to investigate just how long this proactive conversation is likely to take and what happens to 16 million excluded people in the meantime.
4. Dr Martyn Thomas gave it as his opinion that the phrase “anonymised research data” is an oxymoron: if data about a person is released and there is enough of that data to be useful, then the person can be identified; if the person can’t be identified, then the data won’t be any use. Mr William Heath gave it as his opinion that users of Mydex could release their data in such a way as to prove some entitlement of theirs without giving away their identity. They can’t both be right. Which of them, if either, is right? May I draw this question to the Committee’s attention.
5. Dr Thomas gave it as his opinion that the danger of using so-called “identity providers” is that users lose control of their data. Mr Heath gave it as his opinion that the purpose of Mydex (one of the UK’s appointed “identity providers”) is precisely to allow users to keep control of their data. Again, they can’t both be right. May I draw the Committee’s attention to the question which of them is right, if either.
6. Dr Thomas gave it as his opinion that the way to maintain standards in digital-by-default is to make the “identity providers” and others pay compensation when the system fails. Mr Heath gave it as his opinion that Mydex’s liability is mitigated as the users hold the keys to their Mydex personal data stores themselves. That argument is specious. Lockheed Martin and QinetiQ hold the keys to their data stores but that hasn’t stopped allegedly Chinese hackers from stealing their intellectual property including the designs for fighter jets and remote-controlled bomb disposal robots. Google, Facebook and Yahoo! accountholders hold their own keys but that hasn’t stopped the US National Security Agency (NSA) from obtaining their personal details, allegedly, if the Guardianare to be believed. The Committee took the point that liability causes the retail banks to maintain standards. May I draw the Committee’s attention to the question whether Dr Thomas or Mr Heath is right about the connection between compensation and standards, or neither of them.
7. When the Committee asked the witnesses why eight “identity providers” are being proposed for the UK instead of the government doing their job Mr Heath gave an answer referring to the rich panoply of data which people use to run their personal lives. The remit of digital-by-default is set out in Martha Lane Fox’s 14 October 2010 letter to Francis Maude, Cabinet Office Minister. Directgov 2010 and beyond: revolution not evolution concerns improvements to the way that public services are delivered. May I draw the Committee’s attention to the question whether advising people how they should run their lives is beyond the scope of digital-by-default. If it isn’t beyond the scope of digital-by-default then the Committee’s enquiry may have to include Dr Stephan Shakespeare’s national data strategyas well, including the work of Professor Nigel Shadbolt at the Open Data Institute (ODI). Professor Shadbolt is not only the chairman of the ODI but also the chairman of the midata programme (para.21) – the distinction between open public sector data (“big data”) and personal information is in danger of being of being lost.
8. Dr Thomas gave it as his opinion that the Committee could not be told in open session how effective the UK’s cybersecurity measures are. May I draw the Committee’s attention to the question how responsible it is in that case for the administration to lure people into recording every detail about their lives in personal data stores held on the web, in the cloud. That is the idea behind Mydex, and behind the Department for Business Innovation and Skills (BIS) initiative, midata.
9. Mydex and the Post Office are two of the UK’s eight appointed “identity providers” and were both represented at the evidence session. The other six include Verizon, which allegedly makes the “metadata” of millions of its customers’ mobile phone calls available to the NSA. The Committee may consider it important to take evidence from Verizon at a subsequent session.
10. Deploying digital-by-default, as noted, is the job of GDS. They intend to use the single government domain, GOV.UK, to register everyone who uses public services and to manage their cases. GOV.UK is to be hosted in the cloud by a £1,000 company, Skyscape Cloud Services Ltd, under the control of one man, Mr Jeremy Robin Sanders, via another company, Virtual Infrastructure Group Ltd. Skyscape is accredited by the government cloud programme (G-Cloud) to sell its products to central and local government through its on-line shop, CloudStore. Skyscape barely existed a year ago. It now has contracts with GDS, HMRC, the MODand the Home Office. Which means that long-established SMEs with a measurable track record don’t have those contracts. May I draw the Committee’s attention to the question how scientific it is for digital-by-default to be entrusted to an organisation with no track record.
11. The OECDhave warned against cloud computing: “cloud computing creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties ...”. So have ENISA, the EU’s Network and Information Security Agency: “[re cloud computing] its adoption should be limited to non-sensitive or non-critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy ...”. Cloud computing is a special case of outsourcing. Any organisation risks losing control of its business when it is outsourced. Are the staff of the contractor and its sub-contractors properly vetted before recruitment? Are proper procedures in place and are they enforced? With cloud computing, the dangers of loss of control are magnified. Data can quickly move to any country in the world, beyond the jurisdiction of English law. May I draw the Committee’s attention to the question how responsible it is of the administration to entrust digital-by-default or any other important national asset to the cloud, where it will be out of control by the authorities and liable to cyberattack and/or to unwarranted scrutiny by foreign strangers via the NSA, the Chinese and others.
12. GDS have taken on the responsibility for G-Cloud since 1 June 2013. Long before that, 1 March 2012, they claimed responsibility for the Identity Assurance Programme (IDAP). A notice was placed in the Official Journal of the European Union (OJEU) specifying that identity assurance services would be “fully operational” from “spring 2013” for the 21 million claimants who rely on the Department for Work and Pensions (DWP). On 16 January 2013 the IDAP contract was published, repeating the point, this time saying that the service would be “fully operational” by “March 2013”. It wasn’t fully operational then and it still isn’t. IDAP still doesn’t exist. The witnesses at the evidence session were unanimous about identity assurance being essential to digital-by-default. May I draw the Committee’s attention to the question whether there is something wrong with GDS’s software engineering processes which allows an important deadline for 21 million people to be missed without apology or explanation or even acknowledgement.
13. Dr Thomas gave it as his opinion that it is impossible to measure the quality of most computerised systems and that that will remain the case until systems developers use formalised languages. For background, each statement in a formalised language is a theorem which gives rise to a proof obligation, that obligation is disbursed if a valid argument can be logically constructed to prove the truth of the theorem, in which case development of the system can continue, otherwise it can’t. Martha Lane Fox called for “revolution”. (This emotive language may be forgivable in a salesman but innocent people get injured in revolutions and it is preferable to use the term “innovative”.) Far from being innovative, GDS are using the same so-called “agile” systems development methods as millions of others – methods which require what Dr Thomas called “heroic” amounts of testing and yet you still don’t know at the end whether the system works. May I draw the Committee’s attention to the question whether, instead of conforming to fashion, GDS should be genuinely innovative and start to use formalised languages.
14. The Committee didn’t elicit much information from the witnesses about the Government Gateway. For over ten years now the Government Gateway has allowed people and businesses to communicate with the government on-line, submitting VAT returns, and so on. It seems to work. It seems to be adequately secure. Users need a different ID for each Gateway service they subscribe to and they may have a different password for each service, too. That is inconvenient. “Identity providers”, according to a DWP press release, “will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance”. It is arguable that the adequate security of the Government Gateway is earned by its being inconvenient and that if you take away the inconvenience, then you lose the security, too. May I draw the Committee’s attention to the question whether, if GDS’s replacement for the Government Gateway is made more convenient in this way, it will at the same time lose its adequate security, it will block on-line communication between people, businesses and the government, and it will threaten the administration’s ability to raise revenue and to control state pension payments and welfare.
15. Also on the subject of the Government Gateway, it has been reportedthat “In the [IDAP] model, the government provides a number of ‘federation hubs’, which provide the data-matching, anonymisation and audit services to support interaction between a market of identity providers (IDPs) and the government departments that will consume identity information”. May I draw the Committee’s attention to the question whether, if the hubs support anonymous use, transactions really can be audited. Contrarywise, if the hubs can be audited, how can users remain anonymous?
16. The scope of digital-by-default extends to the compilation of the new electoral register which will be used for the 2015 general election. GOV.UKtells us that: “The Electoral Registration and Administration Act has received Royal Assent. The Act allows Individual Electoral Registration to be introduced in 2014 to help tackle electoral fraud and paves the way for online registration from 2014, which will make it more easier [sic] and more convenient for individuals to ensure they are registered to vote”. It is intended that that register should in turn form the basis in future for the national census. GDS have undertaken some of the cross-referencing (para.2.3) between the electoral register and other databases such as the National Insurance Number database designed to ensure that the register is complete and accurate. May I draw the Committee’s attention to the question what connection there is between the new electoral register and IDAP.
Most of these questions have been raised with the Cabinet Office, GDS, the G-Cloud team, BIS, Mydex and others over the past 18 months (e.g. GOV.UK/digital by default – 17 questions for Mr Maude) and remain for the most part unanswered. (HMRC is an honourable exception.) The House of Commons Science and Technology Committee will surely fare better in holding the administration to account.
Extracts from the four professors’ report on the Government Digital Strategy:
... it is not clear how realistic this ideal is ... brevity cannot be an excuse for lack of detail, explanation, and precision ... It is impossible with the detail provided to form any reasonable view of how this key activity will be performed ... there is an urgent need for standards to be developed and agreed ... he had no practical understanding of how to use this strategy to have positive impact on his team’s work; We suspect he is not alone in this view ... The GDS shows no evidence that it is aware or has taken account of the impact of such thinking ... The GDS must avoid falling into the trap of an overly-simplistic response ... Open source solutions are neither free to administer and support, nor are they the most cost-effective answer in all situations ... rapidly changing services will deter the takeup of digital services, not encourage it ... The GDS is remarkably (perhaps alarmingly) silent on the issue of how to coordinate SMEs in project delivery ... We see little discussion of a concrete and practical change management process to support the “digital by default” strategy in the current GDS. We view this as a potentially fatal omission ... the principles on which the current GDS is based centre on too narrow a view of how to attain those benefits, and lack focus on the major adjustment in culture, processes, and technologies that must underpin ... this view is much too simplistic and highly risky ... there is very little detail about how such goals will be achieved, or the broader cultural impact those changes represent ... a lack of consistency in interpretation of how to enact the GDS ... It is not clearly stated in the GDS who is managing the execution process across the 18 UK Government departments to coordinate and assess progress.
Para.7, "Dr Stephan Shakespeare" should be "Mr Stephan Shakespeare", see He's all heart, Shakespeare.