Saturday 8 February 2014

RIP IDA – JFDI and the Black Pencil

... every transaction you ever undertake should depend on Mydex.
No Mydex, no transactions ...

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.


If you're a creative, there's nothing like winning a D&AD award for your work. And as DMossEsq readers know, the Government Digital Service (GDS) won a prestigious Design and Art Direction Black Pencil last year in a specially-created category for UK-government-websites-called-GOV.UK.

Judging by this week's Looking back at Sprint 14, GDS are going for the double and trying to win another pencil.

Sprint 14 was the government computer nerds' celebration at which Francis Maude famously announced that "we’re the JFDI school of government". Rather than attempting to string a few sentences together to explain what's going on in the Cabinet Office computerwise, GDS have produced two videos with exciting upbeat music and a few flashcards making vague assertions about progress but nothing you could hold them to.

GDS aren't meant to be the government's ad agency. They're meant to be developing computer services which will, as they keep telling us, transform government – "400 days to transform government". In pursuit of which, they have a transformation page on GOV.UK. A transformation page which continues stubbornly to show that, of the 25 target services, only one has gone live:

(an old screenshot, the numbers are currently 3/5/16/1)
Faced with the oneness of their transformation to date, GDS suggest in their videos that it's thanks to them that individuals and companies can submit on-line returns to HMRC.
But some of us have been doing that for a decade already. And that's thanks to HMRC. Not GDS. HMRC have a good record. GDS didn't even exist when HMRC and DVLA and Companies House, among others, first made their services available on-line.

The question exercising this year's D&AD Awards Committee is no doubt the same question exercising us all – where is IDA?

None of these 25 on-line government services is worth a broken pencil without IDA, identity assurance. First promised for live public use by autumn 2012, IDA still doesn't exist.

Where is it?

We don't know.

All that we do know is that the UK's unwritten Constitution is going through one of its occasional adaptations. According to GDS, it will now have to accommodate an institution known as the "identity provider" or "IDP".

Every individual in the country, every company, charity, trust, ... will be provided with an on-line ID and will use that to communicate with the government when making tax returns or whatever. That's the idea of Martha-now-Lady Lane Fox's digital-by-default manifesto.

There are (probably) five IDPs. Four of them – Digidentity, Experian, the Post Office and Verizon – never say anything in public about IDA, so they don't help to answer our question. But one of them, Mydex, by contrast, is downright exhibitionist. And they too, like GDS, have recently released a video, New directions, commercial opportunities, and managing the risks, "watch the video of our CEO David Alexander speaking at the BCS and EEMA event".

Mr Alexander is a fast-talking jovial cove who gives himself 16 minutes and 46 seconds to explain why every transaction you ever undertake should depend on Mydex. No Mydex, no transactions.

That's the burden of his message towards the end of the video. You may or may not be convinced.

At the start, he is at some pains to tell you that Mydex is a CIC, which it is, a Community Interest Company, which can't sell itself to Google or any of the other latter-day Pied Pipers. That suggests, quite rightly, given that they're not giving their services away for free, that if Mydex were to succeed in their ambition to become the axis around which every single transaction in the UK economy revolves, it would be a very valuable company.

But first, it needs to inspire trust in every individual and every organisation in the country, as noted, most of whom have never heard of Mydex. How?

Mr Alexander suggests that we should trust Mydex because it is a "member" of tScheme. tScheme is a standards body which measures the trustworthiness of on-line services like Mydex. But why should we trust tScheme, of whom we have also never heard? Mr Alexander doesn't tell us.

We have come across tScheme before, when William Heath, the chairman of Mydex, told us that Mydex is "compliant" with tScheme. And as we noted then, tScheme's list of certified services stubbornly refuses to include Mydex. Or Digidentity or the Post Office or Verizon.

A member? Maybe. Compliant? Maybe. But certified? No. Mydex has not been certified by tScheme.

And what do we know about certification and IDA?

Answer, Steve Wreyford of GDS has told us that Delivering Identity Assurance: You must be certified: "We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government’s Good Practice Guides".

Which implies that, by GDS's own JFDI lights, there is a bit of a dent in the bodywork of GDS's fleet of IDPs. A problem with trust. An impediment to Mydex's ambitions. And Digidentity's and the Post Office's and Verizon's.

"What about Experian?", you ask. Good question. Let's leave that for another day.

For the moment, as far as D&AD are concerned, and the rest of us, the stubborn reality is that GDS's marketing is just hype. There is no IDA. No Black Pencil for GDS this year. RIP IDA.


Updated 12:05

Some readers may remember that IDA was tested by Warwickshire County Council. The Council worked with three of GDS's IDPs – Mydex, PayPal and Verizon.

How did that test go?

With no exciting upbeat music and not a flashcard in sight, PayPal have subsequently pulled out of IDA. And the Open Identity Exchange report on the test "highlighted shortcomings in the user journey arising from the technical implementation of the IDA Scheme".

The report also said that "... considerably more thought needs to be applied in this area [stepping up from Level of Assurance 1 to Level of Assurance 2] if it is to become a viable proposition going forward".

And that: "... at the time of this project, the functionality required to deliver user data directly within the IDA Scheme [to create a new account] had yet to be developed ... The consequence is that the user is faced with a convoluted process when using the IDA Scheme for the first time".

And "... users often struggled as they sought to understand how this method of signing in to government services worked".

Before adding "users were not clear why private sector companies were being used to carry out identity assurance on behalf of government" and "Some aspects of the registration processes proved annoying to the users ...".

The D&AD Awards Committee may want to pencil some of these comments into their calculations.

Updated 15.8.14

It's six months since we noted that only one of the UK's "identity providers" is certified trustworthy by tScheme. Experian. The other four hadn't even bothered to apply at the time. The Post Office and Verizon, Digidentity and Mydex. They just hadn't got round to it.

Now they have – take a look at tScheme's list of registered applicants.

A bit late, you may say. It's one thing to apply. Quite another to obtain certification. That could take ages.

Ah, but you don't know the half of it.

It doesn't matter how long certification takes. It's a waste of time. Not worth the paper it's written on. Or the authentic digital certificate it's encrypted in. Because there's no such thing as a trust framework.

That's the opinion of Ctrl-Shift, Mydex's sister company, who say that there's no agreed definition of "trust framework", no known way to enforce the conditions of trust and no viable way to pay for enforcement anyway.

You may or may not agree with Ctrl-Shift but there is growing support for their view. The Estonian cybersecurity company Guardtime, for example, believe that the pursuit of trust in the digital world is a wild goose chase, a "doomed strategy", as they call it. You may or may not agree with Guardtime. But Chris Chant does.

Mr Chant was the primum mobile behind G-Cloud, the UK government cloud computing initiative. He has been promoting Guardtime on the G-Cloud Twitter account for the past two months or so. "Truth, not trust". That's his slogan.

And not once have G-Cloud disagreed with him or objected in any way.

If Ctrl-Shift and Chris Chant and the G-Cloud team and Guardtime are right, we ordinary members of the public would be ill-advised to rely on Mydex for every on-line transaction we undertake. And even if IDA existed we could have no trust in it, RIP.

No comments:

Post a Comment