Monday, 30 September 2013

GDS – next month is Identity Assurance Month

Here we are at the end of September.

Next month is Identity Assurance Month.

How often have you said that before?

Cast your mind back to 1 February 2012, Computer Weekly magazine, What the beta of Gov.uk means for public services:
GDS [the Government Digital Service] has a remit to fundamentally change public services to a "digital by default" model and Gov.uk is the first phase of delivering that goal ...

The big cost savings associated with Gov.uk will come through more citizens transacting with government online ...

Another key aspect of transactions is the work on identity assurance (IDA), which is intended to create a marketplace of private sector providers which citizens can choose to identify themselves online.

[Ex-Guardian man Mike] Bracken is now the senior responsible owner for IDA. “It’s something that I put my hand up for because it’s so important. Unless we have better and wider used security protocols, it will be hard to identify users, allow transactions and link up services ...”
That's when you discovered who's in charge. "It’s something that I put my hand up for". Ex-Guardian man Mike Bracken. The executive director of the Government Digital Service (GDS). It's his job to equip you with a selection of electronic IDs "because it's so important" – no electronic IDs, no digital-by-default.

When is he supposed to deliver?

How often have you asked that before?

Cast your mind back to 13 September 2011, Computer Weekly magazine, Identity assurance - how it will affect public services and your personal data:
Identity assurance (IDA) will play a central role for the government in delivering digital public services - seen as an important way to cut the cost of the public sector. IDA is the process citizens will need to go through to verify who they are to access public services online. Part of the government's remit under the IDA project is to create a market of private sector identity assurance services to enable access ...

The government is also eager to put as much distance as possible between IDA and the failed identity card system under Labour, as some critics have accused it of resurrecting that unpopular programme under a different name ...

The first service to be delivered using identity assurance will be the Department for Work and Pensions' Universal Credits scheme; HM Revenue & Customs' One Click and Real-Time Information; NHS HealthSpace; and the Skills Funding Agency Customer Identification project ...

A prototype for IDA will be completed by the end of the year [2011]. The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012.
"The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012" – if you were expecting electronic IDs/identity assurance (IDA) to be available by, say, October 2012, then – just to answer the first question above – this must be the twelfth time you've said "next month is Identity Assurance Month".

Despite all the protestations of being "agile", GDS are a year late with IDA.

They'd better deliver this time.

It's one thing to derail Universal Credit, which relied on IDA being "fully operational" by spring 2013 (para.12). You can do that to DWP, the Department for Work and Pensions, the biggest spender in UK government. Who cares?

But you can't do it to HMRC. And that's who's relying on IDA being ready next month. HMRC is the government's tax farmer. They raise over £500 billion a year. Threaten that revenue, and your future starts to look sticky.

What are HMRC relying on?

IDA "is intended to create a marketplace of private sector providers which citizens can choose to identify themselves online" or "a market of private sector identity assurance services to enable access [on-line public services]".

You know the sort of thing.

Sainsbury's or Tesco. Lidl or Waitrose. Morrison or the Co-op. Asda or M&S. You can go to any supermarket chain and be pretty confident of getting decent quality food at a competitive price. The choice is yours. And your choice isn't limited to just the big stores – even today, there are thousands of little grocers where you can shop. There's a real market there.

That's what IDA is meant to offer, too.

But it doesn't.

GDS have appointed eight prospective suppliers of electronic IDs in their IDA pseudo-market, three have pulled out for some unknown reason and five of them are going to take part – the Post Office, Experian, Digidentity, Mydex and Verizon.

The Post Office isn't a "private sector provider". You know that. The government are currently trying to privatise it but for the moment it's a company with just one shareholder, Vince Cable. Nothing like Tesco.

And the Post Office is nothing like Digidentity which, in turn, is nothing like Mydex. Asda and the Co-op et al are all comparable. They can all do the same job, independently. Unlike GDS's so-called "identity providers" – they need each other, they can only operate IDA in partnership.

Digidentity is Dutch and Verizon is American. What do they know about UK identity?

Experian's got all the data already, it already does identity assurance, but what data does Mydex have?

Mydex promises that if you store all your personal data in one of their PDSs (personal data stores) then you'll be able to control who sees it and the uses to which it is put. No doubt Verizon make the same promise but when the US National Security Agency demanded to see Verizon's client data they had no option but to let them.

 How can Mydex promise you control? They can't. It's not theirs to give.

Next month is Identity Assurance Month?

----------

Updated 27.6.14

"IDA due to be rolled out for initial public services by autumn 2012" – that's what we were told in September 2011. IDA is already over 18 months late.

It's just like the old days, when big IT suppliers came in years late and hundreds of millions of pounds over budget. But it's all meant to be different with GDS. Agile.

It's beginning to matter. In the interests of individual electoral registration (IER), we now have what is generally acknowledged to be a second rate on-line application system – electoral registration officers have little or no assurance that the person applying to register to vote is who they say they are.

We know what DVLA think about GDS's failure: "this authentication process ... does not provide us with the level of confidence the user is who they say they are in order to ... allow them to link to a transactional service". What do the Electoral Commission think?

The Electoral Commission don't pull their punches. What are they going to say about second rate identity assurance when they start their IER publicity campaign next month?

GDS have five so-called "identity providers" lined up to provide us all with on-line personal data stores.

Only one of them is certified trustworthy by tScheme. And that's Experian. Who are waiting to hear what the judge in a US identity fraud case has to say about them selling personal data to fraudsters.

(Not that GDS are interested in security. It's all usability with them.)

The other four "identity providers" are not certified trustworthy and the German government has just cancelled their contract with one of them, Verizon, for handing over personal data to the US authorities.

Verizon can hardly be deemed good enough for the UK but not for Germany. So now we're down to only three "identity providers", who are meant to constitute an "ecosystem", or private sector market.

But it's a funny market – any IDA payments made to them will come exclusively from the government.

Any other major Whitehall project would be monitored and reported on by the Major Projects Authority. But IDA isn't. Why not?

No comments:

Post a comment