Tuesday 21 January 2014

RIP IDA – Obama fails to consult Maude

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.


Last week, the US Identity Ecosystem Steering Group (IDESG) held a three-day conference, 14-16 January 2014 at the Georgia Tech Research Institute. It's all very international and there was a one-hour slot on the Wednesday for An Overview of 2014 Plans for the UK Identity Assurance Program. The talk was given by David Rennie of the Government Digital Service (GDS). The sound recording below is for any Brits who might also be interested in our government's plans for us:

The subject matter is identity assurance (IDA), not everyone's cup of tea, and you don't have to listen to all 55'44". There is a summary appended below.

But you might consider sampling odd snatches. Between 21'10" and 21'35", for example, Mr Rennie states that GDS are working with OIX, the Open Identity Exchange, to draft the rules for the trust framework within which the UK's "identity providers" (IDPs) will have to work.

We hoi polloi need to know that we can trust the IDPs. Otherwise we would be imprudent to use them in our on-line dealings with government. And if we don't, then GDS's digital-by-default initiative is a dead duck (RIP).

Steve Wreyford, Mr Rennie's colleague at GDS, told us about this on 15 April 2013, please see his amusing blog post Delivering Identity Assurance: You must be certified where we are advised to trust IDPs only if they have been certified trustworthy by tScheme.

The millions of readers of the DMossEsq blog are already up to speed on this one but not necessarily so the IDESG conference. How are they supposed to know about tScheme?

So DMossEsq submitted an on-line question to the conference and you can hear the result in the 43 seconds between 29'48" and 30'31". Mr Rennie tells the conference that:
"All the identity providers will have to be certified by tScheme before we go to full live. They're all going through the certification process at the moment.
There are five UK IDPs. Digidentity, Experian, Mydex, the Post Office and Verizon. You can check on the tScheme website – Experian is the only IDP currently certified and Verizon is the only one that has applied for certification.

So is Mr Rennie right when he says that all the IDPs are "going through the certification process at the moment"? There is some doubt there. It looks as though three of them haven't even applied for certification yet.

It must all be getting a bit tense. GDS want to start Beta-testing IDA behind closed doors "in the next few weeks" (9'00") with a view to going live "at the end of the summer":
  • What happens if the certification process hasn't finished by that time?
  • Suppose that one or more of the IDPs fail their certification. What happens then?
  • What's the point of doing IDA tests with IDPs who might fail to get their tScheme certification?
  • Wouldn't it be better for them to be certified before the tests start?
  • Better still if they were certified before they were appointed as IDPs in the first place.
  • Eight IDPs had been appointed by 16 January 2013. What happened to the other three (Cassidian, Ingeus and PayPal)? Why did they pull out of IDA?
  • What have Digidentity, Mydex and the Post Office been doing all year? Why haven't they even applied to tScheme yet?
  • And are there really five IDPs left or only two?
That last is a question raised by Charlotte Jee's article Beta launch for identity assurance this year on the government computing news website – "an official from the IDA programme ... explained that the first two identity providers will start supporting the scheme from the end of November ...".

Her article was published on 22 October 2013, when November 2013 was still in the future and it made sense to have two IDPs supporting IDA. In the event, there was no IDA to support in November. Or December. What happened? Why were the tests postponed to January or February 2014? Have three more IDPs pulled out? Which three? Why?

We don't know. There has been no explanation. Attendees at Code for America's CfA Summit 2013 conference are going to be pretty surprised. Ex-Guardian man Mike Bracken CBE, the executive director of GDS, told them on 16 October 2013 that "the first [IDA] services run out with our tax system this month". He also told them that "we have about eight or nine companies already providing identity to us". Take your pick – 2, 5, 8, 9, ...

There is a danger here that the Americans are being misled by GDS. The British public, too – we could be being misled.

But that's not all. It seems possible that GDS are misleading themselves. They have two IDA tests coming up in the next few weeks and at 15'25" Mr Rennie calls that having IDA "up and running" and says that GDS have achieved "real live delivery". Only for very low values of "up", "running", "real", "live" and "delivery".

Is misleading themselves becoming endemic?

That seems unfortunately to be entirely possible. Unfortunately, because GDS are in the trust framework as well, not just the IDPs and the public.

The earlier IDA test with Warwickshire County Council which Mr Rennie referred to at 18'05" was reviewed by OIX and was severely criticised. Words like "significant barrier", for example, and "shortcomings" were used. "Considerably more thought needs to be applied", the OIX report said and carried on with "convoluted process", "reluctant", "struggled", "not clear" and "annoying".

And how does Mr Rennie describe the same IDA test? He says it showed that "identity assurance will support the move to digital by default, simplify and improve the customer experience and make service providers more efficient.  In short, a virtuous circle of reduced effort, reduced cost and improved customer satisfaction".

And then a kind correspondent sent a link to an extraordinary article in the Huffington Post. Like ex-Guardian man Mike Bracken CBE telling CfA last October to be more like GDS if they want to get on in this world, his political boss Francis Maude has some diplomatic advice for Obama himself:
Cabinet Office Minister Francis Maude Decries 'Old Style' Obamacare Insurance Website
The Huffington Post UK | By Paul Vale
Posted: 09/01/2014 02:43 GMT | Updated: 09/01/2014 03:47 GMT

Speaking on Wednesday, the Cabinet Office minister said that the American government should have learned from the British approach to providing online access to public services, and in particular the success of the UK government's digital programme, including the gov.uk site ...

The minister added that his department had not been consulted by the Obama administration but suggested that they "probably should" get in touch due to the global interest in the British government's IT roll-out ...

"This is something that is a problem for countries that do not have an ID card system and a national ID database," he said. "So it is an issue for countries like ourselves and the UK. The US is going down the same path as we are, but they are some distance behind."

Summary of the points made in David Rennie's talk to IDESG
and of the subsequent question and answer session:

David Rennie's talk
"In the next few weeks", two applications will be used to test IDA. Initially, the tests will be "private Betas" (9'00"), the Betas will go public some time in the summer of 2014 (10'25"), the services will go live at the end of the summer and in the next 12 months or so GDS expect IDA to have about 600,000 people on it.

Application #1 will be an on-line record of people's driving licence endorsements (11'40"), with the data available to DVLA, drivers and insurance companies. Application #2 will be a facility for people to amend their tax code (12'40"), with the data available to HMRC and taxpayers.

In the terminology of IDA, DVLA and HMRC are so-called "relying parties" (RPs). They rely on the so-called "identity providers" (IDPs) -- the Post Office, Digidentity, Experian, Mydex, and Verizon -- to assert that you are the driver or taxpayer that you say you are. There are different Levels of Assurance (LoAs), some services will require a high level (4) and others can get by with a lower one (1). The RPs, IDPs, drivers, insurance companies and taxpayers are all linked by GDS's so-called "ID hub" in the confines of a national "trust framework".

GDS hope that, a long way down the line, we will be able to access our health records via IDA (14'20").

GDS are assisted by OIX, the Open Identity Exchange, in developing IDA:
  • OIX publish white papers on IDA matters, including for example the IDA test conducted with Warwickshire County Council (18'05").
  • OIX is the forum where GDS are considering upgrading the ID hub (18'55") to become an "attribute exchange", e.g. the hub should be able to answer questions like "is person X entitled to a Blue Badge, yes/no?".
  • OIX are investigating the involvement of the mobile phone companies (20'30").
  • And OIX is the place where the rules of the trust framework are agreed (21'10").
Question and answer session
Rules of engagement for IDPs (23'10"): the ID hub is entirely GDS's work (24'05") and is built using SAML 2.0; negotiating contracts with the IDPs was difficult (26'20") but the outcome is that they have to agree their procedures with GDS in advance.

Identifiers, e.g. email addresses (28'00"): any identifiers can be used, it's up to the IDPs, as long as they can authenticate who you are and as long as they follow GDS's security standards.

Trust framework (29'50"): it is true that only one of the IDPs currently has tScheme certification (30'20") but all five will eventually have to achieve that standard and they have all begun the process to achieve it.

Existing credentials (30'35"): GDS tried to get the banks to act as IDPs, they were too busy but may yet agree to join the trust framework. Meanwhile, it's up to the IDPs and not GDS to find reliable credentials and to register people.

Business users (32'45"): citizens dealing with government already discussed, for businesses dealing with government GDS plan to provide APIs (33'30"), e.g. there should be an API that allows a new business that has gone through the process of setting up a bank account to be able to use that when registering with Companies House and HMRC, and maybe an API that allows you to start the process of applying for a new passport while booking your summer holiday.

Multiple IDs, pseudonymity, anonymity (35'40"): it's up to the IDPs to decide what satisfies them and it's up to the RPs, too; there are different LoAs, at LoA1 (self-certification) you can use any name you like.

Unobservability (41'10"): GDS is advised on key-signing by GCHQ; the ID hub is designed so that IDPs don't know which RP is asking for identity assurance and RPs don't know which IDP has responded; thanks to No2ID/BBW/PI/...; it's hard to explain to users how the ID hub handles privacy (45'00") but one day it may be possible for them to barter privacy for utility.

OIX (46'15"): the rôle of OIX includes liaising with other national schemes -- US, Canada, Australia, New Zealand; there is an international committee for trust frameworks (54'10").

Trust elevation (52'00"): requirements for LoA3 will be published by the end of the year; a document-checking service will be provided (passports and driving licences) for IDPs.

No comments:

Post a Comment