Monday 31 March 2014

Waterfall Wanderers 0 - 0 Agile Athletic

As we were saying:
The traditional approach to software development is often known as 'waterfall' development: that is, you plan, build, test, review and then deploy, in a relentless cascade. But some IT industry players regard this practice as the chief problem ...A rather different answer which has emerged in the last ten to fifteen years has been what are called 'Agile Systems', perhaps best described as a philosophical movement in action within the software industry.
The quotation comes, of course, from Richard Bacon MP and Christopher Hope's Conundrum: Why every government gets things wrong and what we can do about it, pp.240-1. Here we are, back again, asking why government IT systems too often go over budget and what we can do about it.

The fashionable answer is that the problem is the "waterfall" engineering of software systems and the solution is "agile" engineering. Waterfall bad, agile good. That's the idea. Let's explore it a little.

Waterfall is always associated with Winston W Royce (1929-95) and, to hear people talking about waterfall these days, you'd think he was a bit of an idiot. Actually, he was a rocket scientist who got into large-scale software engineering and ended up running IT for Lockheed.

The reason he bears the blame for the British government wasting a fortune on IT, by common consent, is something to do with a paper he published in 1970, Managing the Development of Large Software Systems. A paper in which, incidentally, the word "waterfall" doesn't appear.

On the other hand, this diagram does appear:


That looks like a waterfall. To some people. Is that the smoking gun?

No.

Royce calls that a "grandiose" approach to systems development and he doesn't recommend it because it omits the "iterative relationship between successive development phases" shown in his next diagram:

He prefers this iterative approach in theory but he believes that in practice it "is risky and invites failure" because of the problem illustrated below – the developers can get locked in a loop, iterating away forever, never deploying the system, never releasing it into the field, it never moves into operational use:

Is that what's happened to the agile-loving Government Digital Service (GDS) and their so-called "transformation programme" with its 25 "exemplars"?

The dial seems to have been stuck on "1" for the number of live services for a very long time.

The single live service is exemplar #6 – Student Finance, which was released no later than 31 October 2012, please see Refining transactions with help from the Minister.

That's 18 months ago. What's going on with the other 24 exemplars? Has the "operations" box become disconnected from the rest of the agile development process, as predicted by Royce?

Maybe.

Are GDS suffering from the lack of an identity assurance service? Would they have done better to stick with the Government Gateway?

Maybe.

Or is it something to do with this paragraph which appears under the 1/7/16/1 dashboard:
The Government Digital Strategy and departmental digital strategies commit us to the redesigning and rebuilding of 25 significant ‘exemplar’ services. We’re going to make them simpler, clearer and faster to use. All these are to meet the Digital By Default Service Standard by April 2014 and be completed by March 2015. 
All 25 exemplars have to meet the digital by default service standard in no more than 30 days time. What does that mean? Never mind.

Look at that "March 2015" at the end of the quotation. Surely no politicians think that releasing 24 digital services at the same time as launching their manifesto will help them to win the UK general election two months later in May 2015, do they?

Maybe.

We don't know why progress has stalled, but it has – agile doesn't seem to be doing any better than waterfall.

What would Royce have recommended 44 years ago? Do your program design first, he said, keep your documentation up to date, do a prototype, test thoroughly and involve the customer. In a nutshell, this – the bit to the left of the dotted line:


Whatever it is, it isn't a waterfall. Not as we know it.

----------

Updated 4.12.15

As far as the Government Digital Service (GDS) is concerned, agile is the only methodology for successful software engineering. They have always said that. Ex-Public Servant of the Year ex-Guardian man Mike Bracken CBE ex-CDO ex-CDO, ex-executive director of GDS and ex-senior responsible owner of the pan-government identity assurance programme now known as "GOV.UK Verify (RIP)", said it in connection with the UK's digital Basic Payment Scheme for farmers, for example:
I go weekly now. I go to the meeting of the Common Agricultural Policy Reform Group. It's the RPA. It's the Rural Payments Agency.

Why I'm so excited about that is because they've embraced agile completely. They're going with an agile build out of a whole new programme. That's going to affect everyone in this country, and how they deal with land management, all the farmers, all the people who deal with crops, all the data. It's going to create, I think, a data industry around some of that data.

It's going to help us deal with Europe in a different way, and quite rightly we're building it as a platform. It's going to be another example of government as a platform.
And yet the digital BPS failed and our farmers now have to apply for their money using pencil and paper.

The National Audit Office have published their report on this failure, Early review of the Common Agricultural Policy Delivery Programme. And they say:
GDS provided limited continuity and insufficient insight into how to adopt agile on this scale. It was not able to identify and provide the systems integration skills required ... (p.9)

... the Cabinet Office [i.e. GDS] should ... provide stronger written guidance and capability building for departments on agile management and governance for major projects and how it fits with traditional governance structures ... [and should] support departments in acquiring the management and technical skills required to apply agile at scale ...(p.12)

The Department [DEFRA, the Department for Environment Food & Rural Affairs] and the RPA [Rural Payments Agency] had no experience of the agile approach. The Department felt it did not receive sufficient support from GDS given the level of experience of Programme staff, leading to poor application of agile. Programme governance was not adapted to quick iterative development cycles. (p.22)

The Department told us it sought guidance in 2013 from GDS on best practice for agile governance, but guidance on this was not published until June 2014. (p.28)

The Department and the RPA described GDS support as patchy. There was little continuity in personnel and GDS staff were reported to have provided insufficient insight into the use of agile at this scale. (p.33)

Many of the commitments GDS made to the Department are vague. For example, it did not quantify the savings that the use of agile would achieve: “no formal estimates of cost savings will be offered but previous experience of operating in an agile manner would suggest a significant cost reduction can be expected from traditional approaches to large scale IT procurement”. It was agreed that the Memorandum of Understanding would be reviewed every six months at Programme Board level, but this did not happen. (p.33)

More comprehensive guidance on agile management would help departments align governance for major projects with traditional governance structures. (p.34)
It looks as though GDS's enthusiastic advocacy of agile methodology is based more on fashion than useful practical experience. They may be keen but, when confronted with the reality of a public service, it looks as though GDS can't deliver.


Updated 7.9.16

Universal Credit – From disaster to recovery? Good question.

That's the title of a report just published by the Institute for Government (IfG). Has Universal Credit (UC) flirted with disaster? Yes it has. Is it possible that UC will one day succeed? Yes it is.

UC is a Department for Work and Pensions (DWP) initiative. The report provides some insight into the IT problems of UC and the occasionally fraught relationship between DWP and the Government Digital Service (GDS):
The reason it took 'much longer than they originally thought it would', according to Lord Freud, was that the GDS team were initially 'very naïve' about just how complex it was to build Universal Credit. He says:
They were messianic about building the front end, doing it in an agile way, front facing, with their beautiful apps, and they were right about all of that. But they had no grasp of how complicated it was to tie the front end to the legacy back-office, these old and creaky legacy systems we have with which it had to work – the customer information system, the debt management system, the payment system and all the things you need to run 20 million people and their records, and with all that implied.
There's a lot more where that came from (p.53) for anyone interested.

The IfG report identifies a lot of problems faced by UC including unrealistic timetables, DWP overload, lack of in-house skills and poor governance. "Waterfall" software engineering methods were not the only problem. "Agile" also was a problem. Nothing in the report demonstrates that "agile" is the solution – some of that earlier fashionable "messianic" ardour was misplaced ...

... and is now waning, please see for example The Tyranny of Agile.

Waterfall Wanderers 0 - 0 Agile Athletic

As we were saying:
The traditional approach to software development is often known as 'waterfall' development: that is, you plan, build, test, review and then deploy, in a relentless cascade. But some IT industry players regard this practice as the chief problem ...A rather different answer which has emerged in the last ten to fifteen years has been what are called 'Agile Systems', perhaps best described as a philosophical movement in action within the software industry.
The quotation comes, of course, from Richard Bacon MP and Christopher Hope's Conundrum: Why every government gets things wrong and what we can do about it, pp.240-1. Here we are, back again, asking why government IT systems too often go over budget and what we can do about it.

The fashionable answer is that the problem is the "waterfall" engineering of software systems and the solution is "agile" engineering. Waterfall bad, agile good. That's the idea. Let's explore it a little.

Waterfall is always associated with Winston W Royce (1929-95) and, to hear people talking about waterfall these days, you'd think he was a bit of an idiot. Actually, he was a rocket scientist who got into large-scale software engineering and ended up running IT for Lockheed.

Sunday 30 March 2014

The Scottish on-line security experiment


On-line, you can have convenience. Or you can have security.
One or the other.
But not both.

Stolen Twitter passwords 'worth more than credit card details'.

That's what it said in the Telegraph a few days ago, 28 March 2014. Credit card details are only worth between $2 and $40 these days on the black market, whereas your Twitter password can be worth between $16 and $325. That's what Michael Callahan of Juniper Networks says. And he's a security expert.

You're probably getting bored with these stories. They appear every day in the media. And every month on the DMossEsq blog, see for example Cybersecurity, and GDS's fantasy strategy. And "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands". And Hyperinflation hits the unicorn market. And ...

It's boring. But it's still important.

The Telegraph article ends with this advice:
Callahan said it was vital for people to use different passwords for each site, so that if one account is compromised it will not allow the hackers access to their whole digital lives
He's not a security expert but even DMossEsq says that. Repeatedly. See for example Identity assurance – convenient? It'll make your life so much easier. And GDS – the user experience of misfeasance in public office. And Digital-by-default, an open letter to the House of Commons Science and Technology Committee (para.14). And ...

But the Government Digital Service (GDS) disagree. They're the people in charge of the identity assurance programme. And when the UK's first so-called "identity providers" were appointed, this is what we read, the opposite of Callahan:
Providers announced for online identity scheme

The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

... providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember ...
It's hard work/inconvenient having multiple logon details.

GDS want to make life more convenient for us all. Keep all your logon details in a personal data store (PDS), they say, and the PDS can log on for you to your Amazon account or your electricity account or your bank account and so on and so on, world without end. All you have to remember is the logon details for your PDS. Much more convenient.

And much less secure.

As Mr Callahan says.

And DMossEsq.

On-line, you can have convenience. Or you can have security. One or the other. But not both.

GDS just can't take security seriously. See for example RIP IDA – JFDI security. Security is over-rated, according to GDS, and should always be trumped by usability/convenience.

Who's right?

How can we decide?

We need to conduct an experiment.

As luck would have it, there's an experiment coming up. A big one. In Scotland. Please see Connecting the nation – Scotland's empowered future: "Scotland’s proud heritage of innovation beckons, and Mydex CIC is proud to be part of enabling that future".

(Can a proud heritage beckon?

Never mind.)

Scotland has a Digital Participation Charter and Mydex are going to help her on the road to Estonia. They have a trust framework. They aim to make every on-line transaction dependent on Mydex.  And they will "empower" everyone with a PDS. Armed with one of these dematerialised ID cards, no Scot will ever again have to remember more than one password. That may be convenient. But will it be secure?

The Scots will soon find out.

And so thereby will we.

The Scottish on-line security experiment


On-line, you can have convenience. Or you can have security.
One or the other.
But not both.

Stolen Twitter passwords 'worth more than credit card details'.

That's what it said in the Telegraph a few days ago, 28 March 2014. Credit card details are only worth between $2 and $40 these days on the black market, whereas your Twitter password can be worth between $16 and $325. That's what Michael Callahan of Juniper Networks says. And he's a security expert.

You're probably getting bored with these stories. They appear every day in the media. And every month on the DMossEsq blog, see for example Cybersecurity, and GDS's fantasy strategy. And "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands". And Hyperinflation hits the unicorn market. And ...

It's boring. But it's still important.

Friday 28 March 2014

Time for someone to take the personal information economy seriously

1938 Sears Spring/Summer Catalog
"The roots of mail order date back to the middle ages. In 1498, Aldus Manutius of Venice, a publisher, brought out a catalog of 15 texts which he had published, which were precursors of the paperback books of today" – so says Bonnie Unsworth in her A Brief History of Mail Order Catalogs.

Rather more recently, "the real beginning of mail order was the result of the experiences of a traveling salesman in the mid west, named Montgomery Ward. He published a catalog sheet that listed 163 items right after the Civil War. Within two years, the catalog grew to 8 pages, and then to 72 pages. By 1884, the catalog contained 240 pages with thousands of items, almost everyone of which was illustrated with a woodcut".

While they had Montgomery Ward and Sears Roebuck in the US, here in the UK we had Great Universal Stores, always known affectionately as "GUS".

Mail order was big business and the philanthropic Sir Isaac Wolfson amassed a fortune at GUS. The Wolfson Foundation has awarded charitable grants worth over £1 billion since 1955.

Not just big business, mail order was a credit business. There was no point Mr Ward repeatedly sending the products they had ordered to people who didn't subsequently pay for them. Ditto Sir Isaac. They needed to know before despatch that a given customer wasn't too likely not to pay.

The Manchester Guardian Society was established as a credit rating agency in 1826 in the UK. 1897 saw the formation of the Merchants' Credit Association in the US. The Ramo-Wooldridge Corporation and Thompson Products merged to form TRW in the 1960s. TRW's leading light, Simon Ramo, predicted the cashless society as early as 1961 – enter the credit card. GUS created Commercial Credit Nottingham in 1980, injected TRW into it in 1996 and the whole lot became Experian.

Once you've collected a lot of data about a lot of people – including the UK electoral roll data which Experian picked up en passant – you can do a lot more with it than just calculate a credit rating. That's an important job, oiling the wheels of commerce, but you can also for example sell your data to political parties, seeking to identify floating voters and persuade them to come down on their side of the party fence.

You can help new and established businesses target their marketing. You can do demographic analysis. You can, famously, offer to help the Department for Work and Pensions to find benefit cheats.

And perhaps you can provide the basis for identity assurance, should some government want to make public services, say, digital by default.

That raises questions about the privacy of personal data and the security with which it is maintained. We seem to have quite good laws in the UK protecting that privacy and adequately ensuring the related security – laws which Experian and its UK competitors have a good record of obeying.

They have fewer data broking laws in the US. It is the desire to make good that omission that lies behind the work of Senator Rockefeller's Commerce, Science, & Transportation Committee which we alluded to the other day.

The UK's privacy laws are permanently under threat from attackers like Google, Facebook, Francis Maude (passim), the Health and Social Care Information Centre (care.data), Professor Sir Nigel Shadbolt (ODI, midata), Stephan Shakespeare (PSI) and the Government Digital Service (identity assurance). Not to mention the NSA, GCHQ and every other halfway competent intelligence service in the world. Among others.

Perhaps the walls of civilisation will withstand the siege. Perhaps they won't. Who knows.

One thing we do know is that there's nothing new about mail order or its descendants such as Amazon. Their history can arguably be traced back to fifteenth century Venice.

And there's nothing new about the market in personal data. It already has laws associated with it, suppliers like Experian, trade associations like the DMA, and marketing "gurus" wielding techniques that have grown up over several decades, if not centuries.

You know that.

Everyone knows that.

Except, it seems, the new world born yesterday delegates at last week's seminar on the personal information economy, PIE2014. See, for example, Business scents ‘boom’ in personal information economy:
Business leaders are starting to respond to an emerging market in personal information affecting all individuals and organisations across public and private sectors.

In an interview recorded at last week’s Personal Information Economy 2014 event in London, Alan Mitchell, strategy director of Ctrl-Shift, told the Information Daily that "overall, business is not very well informed, and people are only just beginning to think about it, but it is growing rapidly."
"Starting to respond"? Google and Facebook already have annual turnovers measured in the tens of billions of dollars.

"Not very well informed"? What do these people think Google and Facebook are and always have been if not very well informed data brokers?
There are still many unknowns about the personal data market and how it will operate, including business models, issues of trust, and what new technologies are starting to enable around security, privacy, data extraction and analysis.
Unknown to whom? Everyone else seems to know that the market is already operating. There are over a million apps already available on Google Play, for example.
In a separate interview at the same event, Professor Sir Nigel Shadbolt, Chairman of the government’s Midata initiative set up to increase consumers’ access to their own data, said that the personal information economy was a "booming, burgeoning area", that was already subject to "a bit of a landgrab".
Google has detailed records of the preferences of everyone who uses the web. Facebook has more regular monthly users than the population of most countries. Amazon operates the biggest cloud services business in the world. The banks – necessarily – record our every financial transaction. The mobile phone network operators – necessarily – continuously record our location, accurate to the nearest few metres, wherever we are in the world. Not just our location, but who we call and who calls us. "The entire NHS hospital patient database for England was handed over to management consultants who uploaded it to Google servers based outside the UK". HSCIC want to do the same with our GP health records. "A bit of a landgrab"?

Ctrl-Shift, the organisers of PIE2014, have "Storified" the seminar, please see Seizing the opportunity: the next 18 months. In what way are they going to seize this decades-old opportunity over the next 18 months?


No doubt Sir Martin Sorrell's people will be happy to come up with another name for Mr Auwera.

Professor Sir Nigel himself is supposed to have said "Everybody is going to be a sensor" at PIE2014, and "Any friction is an impediment; additional steps destroy uptake". Once you're in this childish milieu it's probably hard to resist joining in, the frivolity is catching ...

.. but he's not naïve or commercially unaware and he must somehow make people realise that the personal information economy is not some new hippy commune in which people can witter on about "uncanny valleys" and "trust serums". It's a mature and rich market with political power, a market in which people are bartering their personal data for "free" web-based services.

The pretence is that these services "empower" us in some hippy sense of the word. Once all our data has been sucked up into the cloud, once we are all utterly dependent on these services, let's see just how long they continue to be offered free at the point of delivery and how long it takes for the new empowerment to turn into a more traditional subjection.

We have already got to the point where the Pied Pipers can ring up the President of the United States of America to tell him to get out of the way, please see Mark Zuckerberg tells Barack Obama he is 'frustrated' over US government surveillance. And the President accepts the call.

Professor Sir Nigel's colleague at Southampton University and at the Open Data Institute, Professor Sir Tim Berners-Lee, seems to be a certified member of the commune:
Armed with the information that social networks and other web giants hold about us, he said, computers will be able to "help me run my life, to guess what I need next, to guess what I should read in the morning, because it will know not only what's happening out there but also what I've read already, and also what my mood is, and who I'm meeting later on
There doesn't seem to be anyone else. Unless he really does want people to become no more than sensors, feeding data back to the Google brain, it's up to Professor Sir Nigel to forswear meretricious phrase-turning and to devise a serious response.

----------

Updated 29.4.18

There we were four years ago saying that a credit referencing agency can analyse and sell its "data to political parties, seeking to identify floating voters and persuade them to come down on their side of the party fence".

No-one turned a hair.

It was entirely uncontroversial ...

... until it was suggested that Donald Trump won the US presidential election thanks to Cambridge Analytica and that Leave won the Brexit referendum thanks to ditto.

Why the change?

It doesn't matter.

What matters is that now at last people are paying serious attention to their personal information. Cambridge Analytica and Facebook are in the dock for collecting our personal information and making money out of it. So are Google. Others will join them.

Can we add Experian to the list?


And Equifax? They lost the personal information of 145 million people.

And Callcredit:


All three companies – Experian, Equifax and Callcredit – either supply information to the Government Digital Service's GOV.UK Verify (RIP) "identity providers" or they actually are "identity providers".

Would you say "I don't mind Cambridge Analytica having my personal information"? You may well be perfectly happy with that ...

... but if not, why is it more acceptable for Experian to have your personal information, or Equifax or Callcredit?


Updated 13.8.18

Time was when we all knew that the key to winning general elections was social media. Both of the main UK political parties tried. Their supporters wished them well. "May the best man win", as we used to say. No more – Emma's Diary fined £140k for flogging data on over a million new mums to Labour Party:
Data-brokering biz Lifecycle Marketing (Mother & Baby) has been fined £140,000 by the Information Commissioner's Office (ICO) for illegally collating and flogging personal information of more than a million people.

The Buckinghamshire-based business, also known as Emma's Diary, issues advice on pregnancy and childcare. It sold the information to Experian Marketing Services, specifically for use by the Labour Party.
A loss of innocence?

No.

A return to adulthood.

Time for someone to take the personal information economy seriously

1938 Sears Spring/Summer Catalog
"The roots of mail order date back to the middle ages. In 1498, Aldus Manutius of Venice, a publisher, brought out a catalog of 15 texts which he had published, which were precursors of the paperback books of today" – so says Bonnie Unsworth in her A Brief History of Mail Order Catalogs.

Rather more recently, "the real beginning of mail order was the result of the experiences of a traveling salesman in the mid west, named Montgomery Ward. He published a catalog sheet that listed 163 items right after the Civil War. Within two years, the catalog grew to 8 pages, and then to 72 pages. By 1884, the catalog contained 240 pages with thousands of items, almost everyone of which was illustrated with a woodcut".

While they had Montgomery Ward and Sears Roebuck in the US, here in the UK we had Great Universal Stores, always known affectionately as "GUS".

Mail order was big business and the philanthropic Sir Isaac Wolfson amassed a fortune at GUS. The Wolfson Foundation has awarded charitable grants worth over £1 billion since 1955.

Not just big business, mail order was a credit business. There was no point Mr Ward repeatedly sending the products they had ordered to people who didn't subsequently pay for them. Ditto Sir Isaac. They needed to know before despatch that a given customer wasn't too likely not to pay.

The Manchester Guardian Society was established as a credit rating agency in 1826 in the UK. 1897 saw the formation of the Merchants' Credit Association in the US. The Ramo-Wooldridge Corporation and Thompson Products merged to form TRW in the 1960s. TRW's leading light, Simon Ramo, predicted the cashless society as early as 1961 – enter the credit card. GUS created Commercial Credit Nottingham in 1980, injected TRW into it in 1996 and the whole lot became Experian.

Wednesday 26 March 2014

The magic of modern public administration

Here's a new TLA for you (three-letter acronym) – "VRA".

"VRA" is voice risk analysis. VRA software listens in on phone calls and tells you whether someone is lying.

If you'll believe that, you'll believe anything.

As the Guardian tell us:
Voice risk analysis has been mired in controversy since scientists raised doubts over the technology soon after it reached the market. In 2007 two Swedish researchers, Anders Eriksson and Francisco Lacerda, published their own analysis of VRA in the International Journal of Speech, Language and Law. They found no scientific evidence to support claims for the device made by the manufacturer.

Lacerda, head of linguistics at Stockholm University, told the Guardian that VRA "does nothing. That is the short answer. There's no scientific basis for this method. From the output it generates this analysis is closer to astrology than science. There was very good work done by the DWP [the Department for Work and Pensions] in the UK showing it did not work ...".
So what?

Here in the UK you get a 25 percent discount on your Council Tax if you live on your own. Some people lie. DWP don't think VRA will identify them. Neither do Messrs Eriksson and Lacerda. Nor, it can safely be asserted, do DMossEsq's millions of readers.

But according to the Guardian article at least 24 local authorities in the UK do believe in magic. Redcar, for example, Middlesbrough, West Dorset and Wycombe among them. "South Oxfordshire ... says that [their VRA] system helped reduce the number of people claiming the single person discount by 3% ...".

Their system is supplied by one of the UK's big government contractors, Capita, who say that: "The technology was never used in isolation. It is only used in cases which are deemed 'high risk', when earlier stages of the review have indicated that more than one person may be living at the property".

The Local Government Association say that: "No one is going to be prosecuted for benefit fraud on the result of voice analysis tests alone".

If VRA doesn't identify suspected fraudsters in the first place and it doesn't provide sufficient evidence to prosecute them, then its contribution to South Oxfordshire's 3 percent reduction is, as Lacerda says, to use the technical term, "nothing". Or as False Economy, a trade union-funded campaign group, put it: "Capita is a firm with a long rap sheet of expensive failure. Neither they nor their technological snake oil should be trusted".

"Astrology"? "Snake oil"? Remind you of anything? The belief in the efficacy of biometrics is akin to the belief in astrologyPublic administration and the McCormick spectrum?

Mass consumer biometrics is a stage prop in the security theatre that the authorities produce and VRA performs, by analogy, in anti-fraud theatre. It may look modern. Technology may impress some people. The authorities may seem to be "doing something". But they're not. Apart from wasting our money.

----------

Updated 1.4.14
Truth or lie - trust your instinct, says research

We are better at identifying liars when we rely on initial responses rather than thinking about it, say psychologists.

Generally we are poor at spotting liars - managing only slightly better than flipping a coin.

But our success rate rises when we harness the unconscious mind, according to a report in Psychological Science ...

The magic of modern public administration

Here's a new TLA for you (three-letter acronym) – "VRA".

"VRA" is voice risk analysis. VRA software listens in on phone calls and tells you whether someone is lying.

If you'll believe that, you'll believe anything.

As the Guardian tell us:
Voice risk analysis has been mired in controversy since scientists raised doubts over the technology soon after it reached the market. In 2007 two Swedish researchers, Anders Eriksson and Francisco Lacerda, published their own analysis of VRA in the International Journal of Speech, Language and Law. They found no scientific evidence to support claims for the device made by the manufacturer.

Lacerda, head of linguistics at Stockholm University, told the Guardian that VRA "does nothing. That is the short answer. There's no scientific basis for this method. From the output it generates this analysis is closer to astrology than science. There was very good work done by the DWP [the Department for Work and Pensions] in the UK showing it did not work ...".
So what?

Monday 24 March 2014

RIP IDA – April is the cruellest month

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Anyone remember this?
Press release
Providers announced for online identity scheme

13 November 2012

Successful providers chosen to design and deliver a secure online identity registration service.

The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims ...

Notes to Editors:
...

2. In May 2012 DWP issued an invitation to tender to 44 suppliers.

3. The value of the 18-month framework contracts is £25m.

4. The Identity Assurance programme is a Government-wide initiative led by the Cabinet Office which will in time be available to all UK citizens who need to access online public services.

...

6. Universal Credit, which will go live nationally in October 2013, replaces the current complicated paper based benefits payment system we have now with a new online application that meets the needs of claimants and employers in today’s digital world.

7. One further provider is expected to sign up in the next few weeks - completing the eight chosen to design and deliver a secure online IDA service for Universal Credit.
Once upon a time there were seven "identity providers" – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon. Then there were eight – as per note 7, PayPal signed up later. Then there were five – Cassidian, Ingeus and PayPal pulled out. 39 of the original 44 (note 2) aspitants are gone.

Universal Credit did not go live in October 2013 (note 6). To date, no benefit claimants can choose an "identity provider" to verify their identity and there are no online benefit claims services. No sign of it so far, how long before the Cabinet Office provide identity assurance across all Government departments to all UK citizens (note 4)? They haven't said.

As Whitehall press releases go, Providers announced for online identity scheme must count as one of the most misleading ever. Is there an appropriate award? The Nostradamus Trophy?

There can't be much of that £25 million left 17 months later and there's only a month to go before the contracts come up for renewal (note 3).

With their exclusivity period at an end, will the surviving five "identity providers" face competition from Google? Or Facebook?

Not with only £25 million on the table, they won't. Will that become £250 million for the next 18 months? Or will the government stop paying the "identity providers" and leave us to pay for our dematerialised ID cards ourselves?

Will the surviving five renew their contracts? Or will they prudently cut their losses and depart the field with their reputations relatively intact?

In which case, what will the UK's political parties fill up their May 2015 manifestos with under the heading of "modernisation"?

RIP IDA – April is the cruellest month

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Anyone remember this?
Press release
Providers announced for online identity scheme

13 November 2012

Successful providers chosen to design and deliver a secure online identity registration service.

The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.

The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims ...

Notes to Editors:
...

2. In May 2012 DWP issued an invitation to tender to 44 suppliers.

3. The value of the 18-month framework contracts is £25m.

4. The Identity Assurance programme is a Government-wide initiative led by the Cabinet Office which will in time be available to all UK citizens who need to access online public services.

...

6. Universal Credit, which will go live nationally in October 2013, replaces the current complicated paper based benefits payment system we have now with a new online application that meets the needs of claimants and employers in today’s digital world.

7. One further provider is expected to sign up in the next few weeks - completing the eight chosen to design and deliver a secure online IDA service for Universal Credit.
Once upon a time there were seven "identity providers" – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon. Then there were eight – as per note 7, PayPal signed up later. Then there were five – Cassidian, Ingeus and PayPal pulled out. 39 of the original 44 (note 2) aspitants are gone.

Universal Credit did not go live in October 2013 (note 6). To date, no benefit claimants can choose an "identity provider" to verify their identity and there are no online benefit claims services. No sign of it so far, how long before the Cabinet Office provide identity assurance across all Government departments to all UK citizens (note 4)? They haven't said.

RIP IDA – 16 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Hat tip-and-a-half: Brian Krebs

Operating until recently sometimes out of New Zealand and sometimes out of Vietnam, Mr Hieu Minh Ngo is currently locked up in New Hampshire as a guest of the Justice Department and looks like spending the next 45 years in prison in the US.

An entrepreneurial young man – he's only 24 now, 69 when he gets out – Mr Ngo had two illicit web-based businesses, superget.info and findget.me, which have between them sold the personal details of more than half a million Americans. Their 1,300 customers make money fraudulently by using this information to take out loans in the victim's name, for example, or to make false tax refund requests.

Mr Ngo's companies bought this information from a legitimate company, Court Ventures, which, in turn, bought it from another legitimate company, US Info Search.

How did the information cross the line between the legitimacy of Court Ventures and the criminality of superget.info and findget.me? Rather suspiciously – Mr Ngo paid Court Ventures with monthly wire transfers from Singapore.

So far we've had new Zealand, Vietnam, Singapore and the US. We can throw in Guam, too – the US Secret Service contacted Mr Ngo and offered him some illegal business which required him to leave Vietnam, where they couldn't arrest him, and come to Guam, where they could and did.

It's all quite exotic for us Brits. Interesting in its way. But nothing to do with us, surely.

Wrong.

In March 2012, Court Ventures was bought by our very own Experian. Mr Ngo carried on paying his monthly bills by Singapore wire transfer for over nine months before the Secret Service approached Experian and told them what was happening.

This whole story comes from Brian Krebs, who operates krebsonsecurity.com and who has taken part in the investigation of Mr Ngo. He first wrote about it in October 2013, Experian Sold Consumer Data to ID Theft Service. He returned to it a fortnight ago, Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. And a very embarrassing story it is, too – Experian didn't identify the problem themselves either during the due diligence period before buying Court Ventures or for the first nine months that they owned the company. Their own procedures failed. They had to be told by the Secret Service.

The matter is still under investigation, Experian can't say all they would no doubt like to, in their defence, but they have given this statement to Mr Krebs:
Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian’s credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.
15 criminal charges have been brought in New Hampshire – Mr Krebs provides the charge sheet – and Mr Ngo has pleaded guilty and will be sentenced on 16 June 2014.

Meanwhile, the story has moved on from New Hampshire to Washington DC, where Senator Rockefeller's Committee on Commerce, Science, & Transportation is investigating all aspects of the "data broker" industry.

On 18 December 2013 the Committee took evidence from, among others, Mr. Tony Hadley, Experian's Senior Vice President of Government Affairs and Public Policy. Mr Hadley makes his opening statement starting at 1:30:35. Committee member Senator McCaskill confronts him with the Ngo case starting at 2:22:45.

See what you make of it.

Bear in mind that, over here in the UK, Experian is currently one of the five remaining "identity providers" appointed by the Government Digital Service to provide identity assurance (IDA) for GDS's plans for public services to become digital by default.

They're not just one of the UK's "identity providers". They're easily the leading UK "identity provider". Without them, IDA dies.

Over in the US, Experian hold data on 200 million Americans. Experian are acting as "identity providers" to Obamacare. When the New Hampshire judge sentences Mr Ngo to an estimated 45 years behind bars, there's going to be some consternation. There hasn't been much coverage of the case in the UK if any but, on 16 June 2014, the ripples are going to lap up on these shores.

And when they do, can Experian survive as an "identity provider" to IDA? Should they? Will they want to?

GDS themselves are lukewarm to the point of being uninterested in security. That leaves the "identity providers" to shoulder the burden alone. No major retail bank is prepared to put itself forward as an "identity provider". No UK mobile phone network operator ditto. The "identity providers" GDS would probably like to retain – Google and maybe Facebook – are unacceptable. It's Experian or no-one.

Experian is one of the best-performing shares in DMossEsq's pension scheme. It is with considerable pain, therefore, that the verdict handed down round here at DMossEsq Towers is, no-one. RIP IDA.

----------

Updated 15.6.14

It's the big day tomorrow, 16 June 2014 – Hieu Minh Ngo appears in court to be sentenced and the judge may have something to say about how Experian managed to provide him, unknowingly until the US Secret Service alerted them, with the wherewithal to commit fraud.

Updated 27.6.14

Computer Weekly say German government terminates Verizon contract over NSA snooping fears.

What fears? Verizon are quoted as saying: “Our view on the matter is simple: the US government cannot compel us to produce our customers’ data stored in data centers outside the US and, if it attempts to do so, we would challenge that attempt in court”. Clearly the German government disagrees and has terminated the contract anyway.

The US lawyers Mayer Brown disagree. And so do Facebook, who are quoted as saying that they put up a "forceful" defence against disclosing "nearly all data from the accounts of 381 people who use our service" but had to comply in the end.

Verizon is one of the five remaining "identity providers" accredited by the Government Digital Service (but not tScheme) for their hopeless identity assurance service (IDA).

But for how long?

Can Verizon be good enough for the UK but not good enough for Germany?

Updated 28.6.14

The judge was meant to deliver his decision in the matter of Mr Hieu Minh Ngo on 16 June 2014. Here we are 12 days later and the scrofulous DMossEsq still hasn't reported it. What's going on?









Updated 10.3.15

As we were saying, "on 18 December 2013 the Committee took evidence from, among others, Mr. Tony Hadley, Experian's Senior Vice President of Government Affairs and Public Policy". Has anything happened since then?

Yes, hat tip ElReg, the Data-broker Accountability and Transparency Act has been drafted.


RIP IDA – 16 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Hat tip-and-a-half: Brian Krebs

Operating until recently sometimes out of New Zealand and sometimes out of Vietnam, Mr Hieu Minh Ngo is currently locked up in New Hampshire as a guest of the Justice Department and looks like spending the next 45 years in prison in the US.

An entrepreneurial young man – he's only 24 now, 69 when he gets out – Mr Ngo had two illicit web-based businesses, superget.info and findget.me, which have between them sold the personal details of more than half a million Americans. Their 1,300 customers make money fraudulently by using this information to take out loans in the victim's name, for example, or to make false tax refund requests.

Mr Ngo's companies bought this information from a legitimate company, Court Ventures, which, in turn, bought it from another legitimate company, US Info Search.

How did the information cross the line between the legitimacy of Court Ventures and the criminality of superget.info and findget.me? Rather suspiciously – Mr Ngo paid Court Ventures with monthly wire transfers from Singapore.

So far we've had new Zealand, Vietnam, Singapore and the US. We can throw in Guam, too – the US Secret Service contacted Mr Ngo and offered him some illegal business which required him to leave Vietnam, where they couldn't arrest him, and come to Guam, where they could and did.

It's all quite exotic for us Brits. Interesting in its way. But nothing to do with us, surely.

Wrong.

Sunday 23 March 2014

Who says Public Servant of the Year ex-Guardian man Mike Bracken CBE doesn't have a sense of humour?

Who says Public Servant of the Year ex-Guardian man Mike Bracken CBE doesn't have a sense of humour?

Sunday 16 March 2014

RIP IDA – what we shan't be told on 10 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Individual electoral registration (IER) was passed into law last year and will start in England and Wales in a few months time on 10 June 2014. In the weeks leading up to that date the Electoral Commission will conduct a publicity campaign to tell people how it works and to remind us of the benefits we can expect.

What you will read
We may hear that managing our own electoral registration on-line will give us more control. And that it's more efficient. We may be told that democracy will thereby be extended. And that IER is modern and more fitting for a 21st century country than the household registration by post that it replaces.

We may be told that IER will reduce electoral fraud because, for the first time, electoral roll records can be checked against national insurance records. In fact, that's what we've already been told:
The Government’s plan for the introduction of IER includes the intention to compare existing electors’ names and addresses on the electoral registers with records held by the Department for Work and Pensions (DWP) in order to verify the identity of people currently on the registers. This process is known as 'confirmation'.
There might be a few ignorable moanbags complaining that national insurance records are in such a mess that they don't provide the Electoral Commission with much confidence. Some clever dicks may point out that the reliance on social security numbers to identify people in the US has historically been a nightmare. But this benighted awkward squad, incapable of seeing the marvels of modernisation, won't get much coverage.

The Individual Electoral Registration Bill was a Liberal Democrat Bill sponsored by their leader, Nick Clegg, the Deputy Prime Minister. The impact assessment revealed that the data-matching above was illegal. Primary legislation therefore had to be passed to allow it – a Liberal Democrat Bill had the illiberal effect of removing one of the protections built into the carefully crafted unwritten British Constitution.

Anyone complaining that the sharing of records, between the Department for Work and Pensions (DWP) and Electoral Registration Officers, is a dangerous constitutional revolution will be treated as a typical British eccentric. Charming in their way, but not to be taken seriously.

These old gits can point out all they like that democracy's finger has been pulled out of the dyke, releasing the floodwaters of massive data-sharing in which we shall all drown. They will be ignored. Francis Maude has won the day and convinced the administration that the protections afforded by the old laws were just so many myths.

All of those matters may be discussed. That will be the news.

What you won't read
What will not be news and what will not be discussed is the embarrassing point that the identity assurance programme still doesn't exist.

If IDA existed, we would have a reliable way of determining identity and its associated entitlements such as the entitlement to vote.

We wouldn't have to rely on half-baked checks against DWP, whose national insurance number database contains at least nine million records which no-one can account for. That was the figure back in 2007, after the database had been deduped/cleaned up. Before that, there were 20 million suspect records. How many are there now? Who knows.

IDA was "due to be rolled out for initial public services by autumn 2012" but it wasn't and it still hasn't been and it won't have been by 10 June 2014. It should be the linchpin of digital government but it isn't there to protect the new electoral roll at one of its weakest points – the take-on of voter details for the first time. And at the present rate, it never will be there.

At some point the administration will have to admit that IDA is dead. RIP.

When?

Not 10 June 2014. That's for sure.

You'll have to wait much longer than that.

How much longer?

144 hours. Six days. You'll have to wait until 16 June 2014 ...

RIP IDA – what we shan't be told on 10 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Individual electoral registration (IER) was passed into law last year and will start in England and Wales in a few months time on 10 June 2014. In the weeks leading up to that date the Electoral Commission will conduct a publicity campaign to tell people how it works and to remind us of the benefits we can expect.

Thursday 13 March 2014

EXCLUSIVE: GDS and the 2015 general election – SCOOP

"Central plank of the 2015 UK election campaign temporarily unavailable", we said, back in November 2013.

That was when CloudStore went down for a week. Twice. Just after Public Servant of the Year ex-Guardian man Mike Bracken CBE had been allowed to make a presentation to the full Cabinet of the UK government.

Clearly GDS – the Government Digital Service – was going to form part of the Conservative Party May 2015 general election campaign and manifesto, and maybe the Liberal Democrats', too.

But what of UKIP?

Don't know.

And what of Labour?

There's been a bit of activity on Twitter over the past few weeks involving Matthew Taylor and, indirectly, Jon Cruddas MP, Labour's policy architect. It looked as though Labour are trying to make their mind up about digital-by-default and that is confirmed in a blog post by Bryan Glick, the editor of Computer Weekly, following an interview with Chi Onwurah, one of the few Labour (or Conservative or Liberal Democrat or UKIP) MPs who might actually understand the technology.

Only four months after DMossEsq, Mr Glick says "GDS becomes political as Labour launches digital government review" and now GDS have noticed, too, and have started to set out their stall in a blog post today, Mapping the GDS journey.

We've got 14 months of this to look forward to. And we're off to a good start. With a scoop, which Mr Glick has not yet found room to publish in the comments on his blog post. [Mr Glick has now kindly published the comment, which had been trapped by a Computer Weekly spam filter.] So here it is. An exclusive:

By some mystery of modern telecommunications, the following email arrived in my inbox three months before it was sent.
----------
From: SpAd
Sent: 12 June 2014 20:15
To: ShadCabOffMin
Subject: Government Digital Service (GDS)
Dear Chi
As requested, I have taken a look at this GDS business. I understand that the issue is what to put in the manifesto that will make us look modern, alert to the possibilities of technology, caring and prudent moneywise.
There’s an obvious political problem. If we support GDS, we look as though we support the Conservatives/Lib Dems. I strongly recommend, therefore, that we criticise them.
There is ample reason to do so.
They’re promising savings. GDS reckon it would take 11 years [1] from the time digital-by-default starts – which it still hasn’t – to the point at which the country could enjoy savings by making a minimum of 40,000 [2] public servants redundant.
The public has had it up to here with promises of savings that are never delivered. They’ll take one look at that 11 years and decide that (a) it’s so far in the future no-one could possibly make an accurate prediction, (b) that’s 11 years during which no politician or official can be accused of failure, they can just do what they like in the interim, and (c) they’ll all have moved on to retirement/better jobs in the private sector by the time the mission is aborted at a cost estimated by the NAO to be £1 billion.
I may have got this wrong but 40,000 public sector redundancies doesn’t look to me like a Labour policy objective. It would probably knock another million off union subs to the Party. Not helpful with our overdraft at the Co-op.
We’d do best to point out that digital-by-default is just the Blair policy of transformational government [3] under a different name. Criticising it gives us a double whammy. Not only can we say that the coalition have got it wrong, they’ve been hoodwinked by silver-tongued IT salesmen, it also helps to keep a distance between us and TB.
Digital-by-default only works if there’s a reliable national identity management system. We really don’t want to go through all the aggro we had with ID cards again. Do we? Better to cast the coalition mob as Blairite ID card supporters and let Labour take a stand on civil liberties (if any of your colleagues can remember what they are) and the human right to privacy.
There’s a lot more but perhaps that’s enough. Will write up the rest if you insist. As a parting shot, do you realise that GDS’s model for digital by default is Estonia [4]? I wouldn’t fancy your chances of re-election if you try to convince the good people of Newcastle that they should be more Estonian.
Best
SpAd