Monday 29 June 2015

The Future of Digital Government: What's worked? What's not? What's next?

Here's an invitation that was issued by the think tank Policy Exchange earlier this month, on or before 8 June 2015:

The Future of Digital Government: What's worked? What's not? What's next?

29 June 2015 16:00

Synopsis

The UK has a reputation for being a world leader in Digital Government: using technology and data to deliver more and better with less. Key developments during the last parliament included the founding of the Government Digital Service (GDS); the creation of GOV.UK and the exemplar transactions (such as registering to vote and viewing a driving licence) and the Digital-by-Default standard.

With a new government in place, this major public event provides an important opportunity to explore the priorities for digital government for the next five years with a panel of experts:

Key questions for debate will include:
  • How should the GDS model evolve over the coming parliament?
  • What actually is Government as a Platform and what progress are we likely to see on it?
  • What’s the role of the private sector in helping deliver digital government?
  • Should digital public services follow the same trends as those in eCommerce?
  • How do we spread the benefits of digital government to local authorities and other parts of the public sector?

Featuring a keynote speech from Mike Bracken, this event will look back at progress over the last parliament and ask: what has worked well, what lessons can be learned, and – most importantly – what should happen next?

Speakers

Mike Bracken: Executive Director of Digital in the Cabinet Office, and head of the Government Digital Service
Matt Warman: MP for Boston and Skegness; former Technology Editor at the Telegraph
Chi Onwurah: MP for Newcastle Central and Shadow Cabinet Office Minister
Laura Citron: Managing Director, WPP Government & Public Sector Practice, author of "me.gov: the future of digital government"
Steven Cox: Executive Director Public Sector, Fujitsu UK&I
Eddie Copeland: (Chair) Head of Technology Policy, Policy Exchange

RSVP

If you would like to attend please RSVP events@policyexchange.org.uk

Venue

The Ideas Space, Policy Exchange, 10 Storey's Gate, Westminster, SW1P 3AY

Anyone who can get there at 4 p.m. this afternoon may have a few questions about what's worked and what hasn't and about what's next.

Rt Hon Matthew Hancock MP is Minister for the Cabinet Office and Paymaster General and as such the Government Digital Service (GDS) write speeches for him, like the keynote speech he delivered to the National Digital Conference 2015 on 25 June 2015:
This is our chance to build a new state, crafted around the needs of the user. Using the best and most innovative technology to cut costs and improve services.

Not the all-encompassing state of the 20th century, but a state you can hold in the palm of your hand.

And as if to show that the onward march never ceases, the symbol of transformation is no longer the iPhone in your hand, but here, miniaturised in the iWatch on your wrist.

These are exciting times. Technology marches on. And we who see the transformative power of technology, we who would pave the path people travel: we have work to do.
Question 1 – why are GDS putting the words of a simpleton into the minister's mouth?

Next day, 26 June 2015, Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of GDS and senior responsible owner of the pan-government identity assurance programme GOV.UK Verify (RIP), was at the Digital Leaders 100 awards ceremony making a speech:




Question 2 – is Mr Bracken trying to get fired? If he says no, does he mean yes? Either way, which change agent is he weaponising?

GDS disapprove of people making "deceptive or misleading" statements. Quite right, too. In that case, why have they got Mr Hancock saying:
In the last Parliament we focused on making some of the most important transactions between government and the citizen digital by default ... Twenty of them are now live and more are on the way.
The claim that "twenty of them are now live" is deceptive and misleading.

Question 3 – when will GDS apply their strictures on truth-telling to themselves?

These politicians earn their money. GDS have got Mr Hancock saying with a straight face:
On digital government we, and a handful of other countries, are the source code. There isn’t a playbook for this, so over the last 5 years we’ve had to innovate and experiment, seeing what works and what doesn’t.
What is the basis for that claim? Apparently it's iteration. GDS iterate:
Iteration is the opposite of the big bang model of policymaking.

We’ve all seen it. The big announcement, the big contract for ‘big IT’, the endless delays, the grand launch… the thing falling over when you press the ‘on’ button.

Iteration is all about small: small teams of developers taking small steps: getting a small prototype out quickly and cheaply, watching to see how people actually use it, then incrementally improving the design. Rinse and repeat. Rinse and repeat.
Mr Bracken himself took an especially active rôle in the development of the new rural payments system required to implement the European Union's common agricultural policy. Despite which, and agile iteration notwithstanding, the thing fell over when they pressed the 'on' button, farmers have had to go back to a manual system and we risk yet again being fined for failure by the EU.

GDS denounce one-size-fits-all services through Mr Hancock but that is precisely what they offer – digital by default. And they claim to put the users' needs first and yet, when the rural payments computerised system had to be scrapped, who did they blame? The users.

Agile software engineering is sometimes appropriate and sometimes not. It doesn't guarantee success. And it doesn't necessarily put the user first. We have known that since at least 1970.

Question 4 – when will GDS stop pretending that agile is a silver bullet?

GDS's achievement so far amounts to re-writing systems that other people have already written, renewing our road tax/vehicle excise duty on-line being the most striking example. They are obviously aware of that and they caused Mr Hancock to say that:
... it’s not just about making websites more user-friendly. As we adopt this approach more widely we will transition from a target culture, where ministers try and manage services from on high, to a data culture, where services adjust in response to user-feedback.
It sounds good. The advertising copy is slick:
... now, for the first time, we are in a position to build digital foundations: made of data not paper, holding up platforms not silos. Common registers, common payments platforms, and common licence systems, all based on common data standards.
Public administration will be transformed, they say, by introducing Government as a Platform (GaaP). And what does this transformation consist in? Centralisation, consolidation and standardisation on common ... everything.

Question 5 – is "digital foundations made of data" anything more than five words?

GDS make everything sound like a game of words. Say "agile" often enough and repeat "Government as a Platform", and transformation will follow. It doesn't work that way.

For years, GDS have promised to deliver a transformational national identity management platform, currently known as "GOV.UK Verify (RIP)" and they have promised that it will be secure and that it will preserve personal privacy. A week ago that promise was challenged by four academics. GDS's response? A flat denial, unsupported with evidence and followed by silence – just for once they seem to be fresh out of words. And data.

Question 6 – what are the chances of the agile GDS having GOV.UK Verify (RIP) up and running nationwide as promised by March 2016?

----------

Why isn't DMossEsq himself attending this afternoon's meeting to ask these questions? Answer: because, despite responding to the invitation on 8 June 2015 at 17:04, it's a great shame but two weeks later, on 22 June 2015 at 15:29, Policy Exchange emailed back:

Good afternoon,

I am sorry to inform you that your request for a place at Policy Exchange’s event “The Future of Digital Government” on 29th June 2015 has been unsuccessful.

We have been heavily oversubscribed for this event and have tried to allocate places as fairly as possible. I have placed your name on the waiting list and I will endeavour to inform you as soon as possible if a place becomes available.

A transcript of the event should become available via the Policy Exchange website shortly after the event.

Please accept my sincerest apologies on behalf of Policy Exchange and we do hope to see you at future events!

With very best wishes,
The Events Team

Events and Communications Team


Friday 26 June 2015

Spread the verb

Good services are verbs, bad services are nouns

[What's that supposed to mean? Services aren't verbs or nouns (grammatical objects). They're services. Try finding a National Verb Service dentist.]

verbs poster
To a user, a service is simple [Unless it's complicated]. It’s something that helps them to do something - like learn to drive, buy a house, or become a childminder. It’s an activity that needs to be done. A verb that comes naturally from a given situation that cuts across transactions, call centre menus and around advisors towards its goal. [Has any user in the research lab or anywhere else actually said that? Evidence, please.]
But this isn’t how government sees a service. [Phew.]
For government, services [nouns] are discrete transactions that need to be completed in a particular way. Because of this, they need to be easily identifiable so that the people who are operating them can become familiar with them and assist a user to complete the task. So we’ve given these transactions names, nouns, ["name" and "noun" are not synonymous, "red" is the name of a colour in that it denotes that colour but it's not a noun, it's an adjective, and "apply" denotes an action but it's a verb, not a noun, let's not confuse grammar with metaphysics ...] that help to keep track of them. Things like 'Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995 (RIDDOR)' or 'Statutory Off Road Vehicle Notification (SORN)'.
'SORNing' a vehicle in order to stop paying tax on it [That's important. We have no trouble in English switching between nouns and verbs and adjectives to achieve the same purpose. That tells us that the grammatical part of speech is independent of the action. Is a gerund a good service?]
The trouble with names like these are [is] that you need to be introduced to them before you can use them, meaning that part of ‘doing a thing’ means learning what government calls the thing you’re trying to do [that's not true, is it, you can paraphrase, you can ask in a foreign language, you can do a Google search, ... is this post itself an example of an applicant seeking a service they can't quite name?].
Imagine walking into [a] crowded room and trying to find a doctor, and only once you’ve learned her name can you ask her to help you. That’s how using a lot of government services works [no, it isn't, the analogy fails].
This confusion drives millions of users to call government call centres for help, or worse [GDS needs to overcome its horror of people], attempt to use a ‘service’ in the wrong way or in the wrong order leading to failure for the user, and vast amounts of unnecessary work for government.
In the past, we used advertising to ‘educate users’ in our nouns, [no, in our services]. Forcing the kind of brand familiarity that came naturally to well used objects like Sellotape, Hoovers or Biros [neither Sellotape nor Hoovers nor Biros is naturally occurring, the analogy fails].
The Directgov advertising scheme that taught the UK to ‘go directgov’ in order to tax a car. [That's marvellous. And what an eye-opener. Almost as if the UK had digital services before GDS existed. "directgov" (naturally occurring?) remains a noun, though – does that make it a bad service?]
But in reality most government services are used only once or infrequently at best [that may be true in reality but in the UK HMRC undertakes 1.24 billion transactions p.a.], so brand familiarity really isn’t very useful [that doesn't follow, you may only rarely use AK47s but it's still useful to know that they're dangerous].
That means people who’ve done it before need to fill in the gap and provide our service for us. For those with the means, that’s a lawyer, accountant, or professional ‘government translator’, for everyone else it’s probably a friend or a family member - whose advice may or may not be right [there's that GDS horror of people again and there's that assisted digital project that keeps on starting].
Quite simply, our services are designed for expert operation, which worked perfectly well when services were provided by trained expert humans, but means that these services don’t work unassisted on the internet [where do all these people go to get training to become expert at using pornography services verbs?].
These noun services [?] aren't helpful. We need to turn them into verb services [?].

Turning nouns into verbs

The first step to fixing this [the problem hasn't been defined yet, it's too early to offer a solution] is [to] find out what your users are actually trying to do when they’re using your service [good idea, who knew?].
Choosing the right verb is difficult [except when it's simple], and will mean that you need to do user research to find out what your users are trying to achieve and how your service fits in with that [good idea, see above].
After several rounds of user testing, the Home Office changed the name of ‘Immigration Health Surcharge’ to ‘check if you need to pay towards your health care in the UK’ ["health", "care" and "UK" are all nouns, not verbs, and what about the possessive adjective "your"? That's not a verb either.] - a service [verb] that allows visitors to the UK to pay for the cost of healthcare [light is dawning – the suggestion is that sometimes a how-to approach to documentation can be helpful, but this is hardly a new suggestion].

Not all verbs are equal [true, but then nobody said they are]

What Verb/s [verbs?] work for users will depend on what your user wants to achieve, but [and] also on how much they know about what government might be able to do for them [and myriad other factors].
[What the government needs the user to do is to apply for a Wildlife Licence, just as much a mixture of nouns and verbs and prepositions and articles as "convert a barn"]

Where your service [verb] starts
Often a user’s perception of what government might be able to do for them is so low that they will skip straight to the noun that they think applies to them [How often? If it's the right noun, that's not a problem].
Our job is to intercept that process. [GDS wants to ban skipping as well as nouns?]
Equally [?] there are things that a user will not presume [then the user will usually be correct] to exist as a single service [verb].
Our job is to understand how that overall task breaks down into smaller tasks a user identifies as something they need help with [hard job].
To add to this, there will be many different users, with many different tasks that will run through a service [verb] that serves many different needs [people are difficult, computers are a lot easier, ...] - like a licence - so a service [verb] might have many different starting points as a user becomes more experienced or their needs become more specific [... they just won't stand still].

Verbs will change the way your service [verb] works [isn't there a bit more to changing services than that?]

In a world of easily shared government as a platform [so not in the UK], services [verbs] will be cheaper and easier to make. When that happens there will be more services [verbs], more closely targeted at user needs.
Service [verb] failure, and the calls and casework associated with it, will remain one of the biggest costs in government [how big?] - and for users - unless we change the way that we work to reflect the needs and language of users.
This isn’t going to be easy. It will mean massive changes to the way that our services [verbs] work as the verb/s [verbs?] we choose to describe them gradually affect what it is they do, but without it we will continue to provide services [verbs] made for a world that no longer exists [dentists are no longer needed?].
We've uploaded the poster shown in the picture above as a PDF. Feel free to download it and spread the word.


Tuesday 23 June 2015

RIP IDA – who knows what they're talking about?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

22 June 2015, and Janet Hughes says:
GOV.UK Verify (RIP) offers people a convenient, secure way to prove their identity when accessing digital government services. It does not have any other connection with or ability to monitor people or their data.
Funny thing to say.

Why did she say that?

And why did she go on to say:
GOV.UK Verify (RIP) protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group [PCAG]. GOV.UK Verify (RIP) does not allow for mass surveillance.
The answer is, she had to.

Because four academics published a paper saying that GOV.UK Verify (RIP) is not secure and that it fails to implement the PCAG privacy principles and that it could provide a platform for mass surveillance.

Remember, if there's an impossible job to do, the Government Digital Service (GDS) call for Janet Hughes. This may be her most impossible job yet.

Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK, as ElReg demurely put it. Government Digital Service insists Verify safe despite claims of vulnerabilities, according to Computer Weekly. Or as Government Computing would have it, Government rejects ID assurance study’s security fears.

The academics are Messrs Luís T. A. N. Brandão and Nicolas Christin of Carnegie Mellon University, George Danezis of University College London and someone called Anonymous, apparently also known as 06ac01f8898481dd 2acdaacbe7cea1fd 5cdec8e65fe87db5 8605e865b1860f8e. It is unknown which university 06ac01f8898481dd works at, if any.

Their paper, Toward Mending Two Nation-Scale Brokered Identification Systems, is published in Proceedings on Privacy Enhancing Technologies 2015. Note that:
  • It's not just GOV.UK Verify (RIP) that they criticise but also the US equivalent, the Federal Cloud Credential Exchange (FCCX), recently rebranded as Connect.GOV.
  • They don't just criticise, they also make recommendations how to overcome the failings of both systems.
"We welcome the paper, and its contribution to the developing pool of knowledge and ideas about digital identity assurance", says Ms Hughes, "we are working with the author of the paper to clarify this aspect and provide assurance on the issues raised. We have invited one of the authors, Dr Danezis, to join our privacy and consumer advisory group (and we are pleased he has accepted the invitation), so that we can continue to consult a range of experts and privacy and consumer groups on our approach to these important issues".

Pure Mandarin. GDS must be furious and may feel threatened by this particular pool developing. RIP IDA and all that. They wouldn't have responded to the ElReg article so very quickly otherwise.

What the academics say, in a nutshell, is (p.8) ...
... or to put it more technically, everything GDS have told us about their identity hub is a pack of lies, GOV.UK Verify (RIP) isn't secure and it doesn't protect our privacy.

Ms Hughes disagrees. She asserts the opposite. That's her job.

Which of them knows what they're talking about? Who's right?

----------

Updated 29.6.15

The nuts and dolts of security

It's a week now since the four academics' paper came to light alleging that there are gaping holes in the security and the privacy of GDS's identity hub. Maybe they're right. Maybe they're not, we still don't know. GDS have denied the allegations but, without adducing any evidence in support of their denial, that doesn't amount to much.

George Danezis, one of the academics who criticises the design of the identity hub, says "in 2015, it is very strange that this is considered acceptable. If this system had been peer reviewed it would not have been passed even 15 years ago", and is recorded as suggesting that GDS are simply incompetent, not up to the job: "Perhaps GDS did not have the expertise, or appreciate the need for expertise to deal with this".

And then there's Kevin Curran.

The cricketer?

No. "Kevin Curran is a Reader in Computer Science and group leader for the Ambient Intelligence Research Group. Dr Curran has made significant contributions to advancing the knowledge of computer networking evidenced by over 800 published works. He is a regular contributor to BBC radio & TV news in the UK and is an IEEE Technical Expert for Security and a member of the EPSRC Peer Review College."

That Kevin Curran.

He was interviewed by SC Magazine UK, "the magazine for IT security professionals", who say "he described the plan to provide a UK-wide decryption hub as 'nuts. Not because it cannot be done technically but because it is quite simply nuts', he warned".

We get one more "nuts" in the Curran interview, then a "dumb" followed by an "un-implementable", before "Curran said that there are issues that most of the 'UK government numbskulls are unaware of ... it is pretty obvious that they have completely ignored the advice that any security expert would have given them' ...".

It is not known whether GDS welcome Dr Curran's comments as much as Paul George Danezis's.

The reputations of nine "identity providers" depend on the identity hub being secure, as promised by GDS, impossibly, and on its respecting everyone's personal privacy.

Experian, Digidentity, the Post Office, Verizon et al may now all be having second thoughts. They can probably live with a university lecturer calling them nuts. They can't withstand their shareholders following suit.

They lose control of their reputations once they depend on GDS's identity hub. Why take the risk?

There's nothing we doltish members of the proletariat can do to force GDS's hand. Their suppliers, though, the "identity providers", have leverage.

Expect an announcement soon, clarifying GDS's stance on the design of their identity hub.

And don't be at all surprised if the date changes in GDS's promise to have GOV.UK Verify (RIP) up and running nationwide by March 2016.


Updated 1.7.15

GDS continue to market GOV.UK Verify (RIP) as secure. Or safe.

That comes as a surprise to many of us, who weren't born yesterday, and who are faced with the daily diet of cybersecurity breaches served by the media. Take, for example, yesterday's Audit finds new flaw at US Office of Personnel Management: "TEN MILLION people now counted as victims of original GovSec SNAFU".

The gormless promise of security must come as even more of a surprise to those working in the cybersecurity industry with, let's say, 14 years' experience up at the sharp end, one of whom kindly sent DMossEsq a link to Secure Web Hosting for Client X, 4 May 2001 – and May 4th be with him.

Client X asked their security advisor to provide a 100% secure web server. CESG certified, the advisor made two proposals, as you will see in the link.

The first proposal involves ten steps which gradually reveal the enormity of the problem.

The second is shorter: "Don't implement a Web Server until you have a clue".

Nothing has changed in the intervening 14 years cybersecuritywise.

When will GDS stop making fools of themselves by making promises which everyone by now knows or should know that they can't keep?


Updated 7.7.15

"Tirez sur l'autre, il y en a des cloches attachées"

It's over a fortnight now since GDS told us that "GOV.UK Verify (RIP) offers people a convenient, secure way to prove their identity when accessing digital government services". Do GDS know what they're talking about?

Four academics disagree with GDS and argue that the GOV.UK Verify (RIP) identity hub is full of security holes. Do these academics know what they're talking about?

We don't know. We can't be sure. We have the benefit of the advice of the engaging security expert Peter Bance. In his opinion, if you want your server to be secure/safe, you shouldn't let anyone update the data on it and you shouldn't connect it to any networks and certainly not to the internet. But does Mr Bance know what he's talking about?

We all remember QinetiQ winning a contract to advise the Pentagon on how to counter cyberespionage. This upset HBGary, a small rival of QinetiQ's, who pointed out that QinetiQ had themselves been hacked. But then HBGary were hacked, too.

Actually some of you may not remember about QinetiQ and HBGary being hacked. Not to mention Bloomberg and the New York Times. And Lockheed Martin. But a bell may have rung when you read the Guardian newspaper yesterday, Hacking Team hacked: firm sold spying tools to repressive regimes, documents claim. Or maybe you read ElReg, Security world chuckles at Hacking Team’s 'virus torrent' squeals.

Either way, an Italian cybersecurity company, Hacking Team, was itself hacked and had 400 gigabytes of its records published including the alleged records of dodgy dealings with repressive regimes using Hacking Team's products, it is said, to repress people. And journalists.

Just like Gamma International, perhaps, the company that sold FinFisher, a surveillance software product. They were hacked last August.

And so it goes. On. And on and on and on until you're bored stiff reading DMossEsq.

Well that's the point. It's endless. It just goes on. It hits the good guys and it hits the bad guys. They all get hacked. There's no defence. Even if you're an expert. Connect a server to a network, and bang – you're hacked. Just ask the US Office of Personnel Management. Or ask their ten million parishioners, whose personal information has been hacked for months. Or years. No-one knows how long it's been going on.

Boring, yes. Unsurprising. Inevitable, even. But in that case who do GDS think they're kidding/confusing/misleading when they claim that GOV.UK Verify (RIP) is secure? Not you, obviously. "Tirez sur l'autre", you may be tempted to say, "il y en a des cloches attachées".


Updated 10.7.15

As reported in The Register:
  • 5 June 2015: Hackers steal files on 4 million US govt workers
  • 30 June 2015: TEN MILLION people now counted as victims of original GovSec SNAFU
  • 9 July 2015: US govt now says 21.5 million people exposed by OPM hack – here's what you need to know ("... and by the way, that's in addition to the four million people whose records OPM had earlier admitted to letting slip into hackers' hands")
...?
That series may not have finished yet.

From what you've seen of GOV.UK Verify (RIP), what reason is there to suppose that it will not one day embark on the same progression? What will you do then?


Updated 27.3.16

The Government Digital Service (GDS) told us the other day How we work with experts to make GOV.UK Verify [RIP] better: "We take the protection of GOV.UK Verify [RIP] and the security of our users and their data very seriously ... The privacy of our users comes first in everything we do ... Working with - and learning from - a wide variety of experts helps us make GOV.UK Verify [RIP] better for users".

GDS are responding here to the paper published by George Danezis and others describing security vulnerabilities in the identity hub for GOV.UK Verify (RIP). They are confident that they are doing the best they can.

The National Health Service disagree, Gov.uk Verify [RIP] not secure enough for NHS, says HSCIC: "The government’s Verify identity verification platform isn’t secure enough for the NHS, so Liverpool Clinical Commissioning Group and HSCIC are working to add extra levels of security".

Who knows what they're talking about?


Updated 27.1.17

Take a look at the tweets alongside. One Andy Pearce taps a slow serve over the net at the Government Digital Service (GDS): "... if an identity is hacked does that not open up more vulnerabilities"?

All they have to do is return the ball and see what Mr Pearce does with it. Instead of which, GDS lose the point in the most embarrassing way possible: "GOV.UK Verify [RIP] is built so that there’s no single point of weakness/failure".

What about the identity hub that GDS are so proud of building? Isn't that a single point of weakness/failure?

Yes it is, please see above.

What GDS said in answer to Mr Pearce is blatantly false. It relies on what the Trump administration refers to as an "alternative fact". North Korea, maybe, but we don't expect this behaviour in Whitehall.