Monday 28 September 2015

Lack of control, insecurity, irrelevance to attribute exchange and inconvenience – what else do you look for in a personal data store?

Last heard of in these parts, personal data stores (PDSs) were being advocated as an aid to considerate death. Your PDS is a digital version of you. It represents you on the web while you live. And even in the afterlife: see "Assisted dying the digital way with a core consent delegation management repository".

Maintain as much information about yourself as possible in a PDS, let apps (viruses) process it for you, and at last you will stop making stupid decisions. A life of rational utility beckons. That was the promise of three Liberal Democrat politicians – first Ed Davey, then Norman Lamb and finally Jo Swinson – all trying to get us mooncalves to buy in to their midata initiative.

We've been following this story for years. Older readers will remember the midata Innovation Lab, for example, and the peerless explanation offered by Mydex, a purveyor of PDSs.

midata is promulgated by the UK Department for Business Innovation and Skills (BIS).

It's not just undertakers and BIS who think PDSs are good for you. So does the National Health Service (NHS) – they think PDSs will help you to become a good NHS citizen.

It doesn't stop there. Undertakers, BIS, the NHS and ... the Government Digital Service (GDS). On 23 January 2015 it seemed that PDSs were going to be a vital component of GDS's identity assurance initiative, GOV.UK Verify (RIP). Then, at the last minute, 25 March 2015, it was all change and Mydex dropped out of the running to become an accredited "identity provider".

We have had our doubts about PDSs. Four of them.

1. The promise is made by politicians, officials in the civil service and suppliers that using a PDS will put people in control of their personal information. How? How will a PDS ensure that you can control who does what with your personal information? It doesn't. It can't.

1.1 This is confirmed by Mydex's sister company, Ctrl-Shift, who point out that there is no way of enforcing the "trust framework" on which control depends.

2. The promise is made that your PDS will be secure. In fact not just secure. Hypersecure. A claim which seems old-fashioned these days. The media feed us a daily diet of stories about breaches of cybersecurity and we've got the message.

2.1 There's no such thing as guaranteed security. So why would anyone rational believe the promise of security? And why would anyone upright promise it?

3. The promise is made that PDSs will support attribute exchange. What's that? Take an example. Suppose you're applying for a job as an investment manager. You need to be licensed to practise. That's an attribute of yours. The Financial Conduct Authority (FCA) issue your licence if you pass the exams and keep your nose clean. You store the licence in your PDS, and the idea is that a prospective employer can check your PDS to make sure that you're licensed. That's attribute exchange.

3.1 But it doesn't work. The licence in your PDS may be out of date. The FCA may have revoked it. The only way the prospective employer can be sure that you're still licensed is to check with the FCA. There's no point them checking your PDS. It's irrelevant.

4. The promise is made that PDSs will make life more convenient for people; see for example "Identity assurance – convenient? It'll make your life so much easier" and "We are making customers work too hard, let’s improve the experience for all". Working hard all day to keep your PDS up to date doesn't seem very convenient. It is a labour of self-love that normal people would find irksome, not convenient.

4.1 Any residual suspicion that having a PDS would be convenient is dispelled by "Opening up BBC channels and content". At the moment here in the UK, you sign a direct debit and your TV is licensed year after year without you having to think about it.

4.2 With a PDS, the suggestion is that every year you could install the licence on all the TVs, PCs, laptops, iPads and phones that belong to you and your partner and your children and anyone else who lives with you: "If TV Licensing issued a secure digital token to people who can demonstrate that they live in a house covered by a valid licence ... this could be stored in a personal data store and shared with the BBC and any other service that needs it ... This is best done when a TV Licence is purchased – a one time code could be delivered to the household as part of the setup process for a digital license, and this would permit the addition of devices and individuals, with validation mapped back to the core license ...".

4.3 ... the opposite of convenient.

These doubts may be shared by others. Which could explain why PDSs haven't taken off in the UK, much to the querulous indignation of William Heath, one of the participants in the Twitter conversation above: "Can't believe we in UK will have to wait a generation ...".

Now apparently PDSs are taking off in India: "Does 1m Indians in last few months count?". The PDS in India is known as a "DigiLocker" and is a product of the Indian government's Department of Electronics and Information Technology (Deity). Deity is now responsible for the Indian ID card scheme, Aadhaar. And for taking government control of all encryption in India. As well as PDSs. It's a powerful portfolio, in theory.

Call it what you like. A personal data "store" or "vault" or "locker", it's got the same problems – lack of control, insecurity, irrelevance to attribute exchange and inconvenience – and it won't take off in India any more than the UK.

----------

Updated 15:35

As we said above, "the promise is made by politicians, officials in the civil service and suppliers that using a PDS will put people in control of their personal information". We have cast some doubt on that promise.

But not enough doubt.

Because what do we read in our inbox at 14:05 today? "Civil servants are users too":

"It includes a personal data store for every civil servant - a digital space every individual can use to control what data they share, with whom, and how it’s updated. It could enable staff to share their work objectives (or not), their career history and specialist skills (or not), or their preferred forms of communication (or not)."

If we're right, civil servants will have no control over their personal information as a result of storing it in a PDS. The PDS will not be secure. It will be irrelevant to attribute exchange. And it will be inconvenient.

We did ask Tom Loosemore, the deputy executive director of GDS, about this matter in a roundabout sort of a way, but sadly he left before answering, so civil servants are now left wondering.

Updated 29.9.15

GDS's childlike elaborate daydream

Consider GDS's application to register to vote system. That system currently offers insufficient identity assurance. It also fails to tell you if your application has been successful. Government in that area remains untransformed.

Now suppose, just for the sake of argument, that PDSs supported attribute exchange in the way that Mydex claims.

With the appropriate attributes stored in it, Mydex might have you believe, you could use your PDS to prove that you are entitled to be entered on the electoral roll. And the Electoral Registration Officer (ERO) for your local authority could update your PDS with a polling card in the form of a digital certificate confirming that you have successfully been registered and that you are entitled to vote.

That might make good the shortcomings of the current system. It might transform government.

In that case, there's not much point you the person applying to register to vote. An app could do it for you. You the person aren't really needed. You can be adequately represented by your PDS.

You could say that that is convenient. Or you could say that the person has been cancelled out of the equation. The PDS is relevant and you aren't.

It is possible to elaborate this daydream:
  • The ERO may not be needed any more than you are.
  • And why take the trouble to vote? BIS claim that midata and its apps will help people to make rational decisions, please see Norman Lamb above. If an app can tell you how to vote it can just as easily tell the Returning Officer how you would/did vote. Cut out the middleman and you needn't be put to any trouble voting. Convenient.
  • And do we really need a Returning Officer?
  • Your PDS will survive you, please see opening paragraph above. It could carry on voting long after you're dead.
  • Etc ...

When GDS offer you convenience, arguably what they're saying is that you're irrelevant. As irrelevant as the 1½ million public servants we don't need.

Convenience = Irrelevance?

"10. Going out

midata service providers could use an individual's purchase data to look at which restaurants and bars that user likes. Taking this data, they could offer you a unique service, alerting you to new or recommended restaurants that suit your taste and location.

So where your favourite restaurant has deals or offers, you could be alerted in advance to take advantage and make a booking. Combined with other services, the programme could also indicate where you could save money or improve your health by eating elsewhere, drinking less or going out less."

From an old BIS press release no longer available, a victim of the advent of GOV.UK, "A midata future: 10 ways it could shape your choices".

A midata app that nags you for eating unhealthily, drinking too much and going out too often will have no compunction in shaping/making your choice how to vote for your own good.

Before we get carried away, don't worry.

Remember that one of our assumptions was that PDSs work. And they don't.

We know that they can't grant us control over how other people use our personal information. It's just not in their gift.

We know that they can't be made secure any more than Sony could defend itself against the North Koreans or the US Office of Personnel Management could keep millions of government employees' records and biometrics safe.

We know that PDSs are the wrong place to look for attribute exchange, please see the case of the licensed investment manager above.

And we know that, far from being convenient, PDSs can require us to do much more work, for example when renewing our TV licence, please see above, than the current untransformed procedures.

People are complex and government is difficult. It would be easier to govern PDSs. But no adult would be fooled into thinking that that would amount to Whitehall doing its job.


Updated 17.10.15

Civil servants are users too, we learned on 28 September 2015.

But for how long?

Take another look at the quoted extract:

"It includes a personal data store for every civil servant - a digital space every individual can use to control what data they share, with whom, and how it’s updated. It could enable staff to share their work objectives (or not), their career history and specialist skills (or not), or their preferred forms of communication (or not)."

The PDS can be used by staff to record their specialist skills.

Why's that?

You will remember Mr Mark Thompson and his belief that the UK could get rid of 1½ million useless public servants and cut the deficit by £35 billion as a result while at the same time improving public services. But which 1½ million?

The answer will be determined by matching staff skills against a giant Wardley map of the UK public sector. If you're a public servant and your skills are surplus to the Wardley requirements, then your services can be safely dispensed with:

"Wardley’s maps have the power to enable government to become situationally aware; to expose vast redundancy in capability right across the UK ...

"... public sector bodies have a special opportunity – indeed, perhaps a duty - to work together to expose, standardise, and consume all that hidden, redundant capability."

They're busy people, Stephen Foreshew-Cain and Mayank Prakash, and it is a venial oversight on their part that they omitted this point from "Civil servants are users too". But that's what "Government as a Platform" means and that's what the PDSs are for ...

... to help Mr Thompson, who wants to build a Capability Exchange, on which skills can be traded just as listed shares are priced and traded on the Stock Exchange. A few public servants will be left but not those "lower down the value chain". Wardley maps can be trusted to ...

"... expose duplication across public services, placing [public organisations] under pressure to standardise their demand for capabilities lower down the value chain, and consume these as commodities."

There is only one question left. Who's going to establish and operate the Capability Exchange?

Mr Thompson is unimpressed by the present leaders of the Civil Service:

"Although government has been good at training more junior technologists, it has perhaps been less effective at communicating to our leaders the radical implications of the web on our public service operating models."

What is needed to fill this skills gap is ...

"... 25 to 30 mobile specialists who live and breathe capability mapping and open architecture, with a laser focus on the business, who would criss-cross the country helping business leaders to bootstrap their organisations into the Capability Exchange."

No doubt Mr Thompson will hope to convince his contacts in the Treasury that much of this team of laser-focussed mobile breathers can be hired from his company, the Methods Group, possibly including his recent recruit through the revolving door, Mike Beaven, formerly the Transformation Director at GDS.

(Maybe there is one other question left. If power is no longer wielded by Whitehall, then who will it be wielded by? But don't worry about that.)


Updated 24.10.15

The criticism above of Mark Thompson's advocacy of Government as a Platform (GaaP) has elicited a number of attempted refutations.

Simon Wardley, for example, suggests that Mr Thompson's three-article series in Computer Weekly magazine doesn't say what it means.

Mr Thompson doesn't mention "what strategic points of control Gov needs to maintain" in any of those articles, nor in "UK voters are being sold a lie. There is no need to cut public services", nor in "What is government as a platform and how do we achieve it?". The reader is somehow meant to intuit his thoughts on the matter.

And as for Mr Thompson himself, he claims that he has been misrepresented. Repeatedly, across all five articles, he holds out the promise of "savings" of £35.5 billion p.a. He also says that this money could be re-allocated to the front line. But then it wouldn't be a saving. He can't have it both ways.

The £35.5 billion p.a. figure is based on what he himself calls a "back-of-envelope approach" ...

... which only counts staff, not the expensive "silo" software which is supposed to be replaced with cheap "GaaP" components. How much would that replacement save? In five articles on GaaP he doesn't tell us.

Francis-now-Lord Maude, Mr Thompson tells us, has made the point that there is no Constitutional inevitability about the civil service. Ministers don't have to operate through departments. Instead:

"Digital operating models broker people’s ability to consume standard building blocks of business – which include information management, accountancy, logistics, payments, workflow, and so on - via a burgeoning market of affordable, easy-to-deploy, and flexible digital services, in ways that require very little “official” intervention."

The civil service exercise power. If that is taken away from them, it will be exercised by someone else.

The question "what strategic points of control Gov needs to maintain", as Mr Wardley says, is unanswered by Mr Thompson. GaaP means stripping Whitehall of power and giving it to the likes of Google and Amazon and Facebook and Apple, "the web is a game changer that requires a new model for government itself".

It is imprudent to adopt this new model without first establishing how it could be controlled. It will have huge power vested in it and it needs to be dedicated to governing the UK in a way that Google and Amazon and Facebook and Apple are not.

Mr Thompson talks about his capability exchange being "self-organising". Like the rest of the "new model for government itself", the danger is that it would be out of ministerial control.

That is the unconstitutional target for GaaP as expounded by Mr Thompson. But how do we get there? What is his plan? How do we move from a set of government departments flying blind, according to Mr Thompson, and incapable of talking to each other to a set of self-organising digital services?

We don't know. He doesn't tell us.

The same question has occurred to HMRC, Her Majesty's Revenue and Customs. They have to be serious about these matters. They can't afford to proceed on the basis of "back-of-envelope" estimates and vague appeals to the efficiency of Uber and AirBnB.

They're spending £20 million with the US consultancy Bain & Company to try to plug the gaps in ... GaaP. Bain are unlikely to advise à la Maude and Thompson that HMRC are a redundant silo but they may make practical proposals how to get better value for money for us taxpayers.

The criticism of Mr Thompson's articles is not that they're Machiavellian. Far from it. That is a misrepresentation of the criticism. The problem is that they do not take sufficient account of the rôle of government and they provide no route map. Without that they are unconvincing. We don't know what it is Mr Thompson is trying to lure us into. His articles are missing the Machiavellian attention to detail.


Updated 2.11.15

Remember, we're talking about PDSs, personal data stores. PDSs specifically in connection with the Civil Service Learning initiative described by GDS and the capability exchange kite flown by Mark Thompson. And PDSs in general, including their proposed adoption by the NHS Citizen project.

Remember that the most ardent proponents of PDSs are Mydex and that, according to them, the more personal information you entrust to your PDS, the better it is for you. That's their pitch. Some people disagree, vehemently, please see blog post above.

Remember that Ctrl-Shift Ltd is Mydex's close cousin and that even Ctrl-Shift don't believe that the "trust framework" required for PDSs is feasible.

Remember that TalkTalk was hacked last week. As reported by the Guardian newspaper among others, please see "TalkTalk says hackers accessed fraction of data originally thought", the devastation caused by that hack may be on a smaller scale than initially feared.

Ctrl-Shift detect some importance in that Guardian article. Enough importance to tweet about less personal information having been exposed than was at first reported.

Too right.

It is important.

Suppose it had been your PDS that was hacked and not your TalkTalk account. Your PDS containing every last bit of personal information about you, making identity theft easier than any criminal could ever possibly have hoped.

Ctrl-Shift are to be thanked for making that point. Unlike Civil Service Learning, who have kept quiet. As quiet as NHS Citizen and ... Mydex.


Updated 28.10.17

You know that cybercrime is a growing problem. You know that cybercrime often relies on false identities. You may not know that the British Standards Institution (BSI) have published PAS 499, a draft code of practice for digital identification and authentication, but they have.

PAS is a publicly available specification and at clause 6.1 the document says: "[Any organisation performing identity validation] should have a process in place for checking, against an authoritative source where possible, that identity evidence is in the correct format and is correctly captured, not revoked, nor expired".

That's why a personal data store (a PDS) is irrelevant to attribute exchange. A prospective employer checking my PDS might well find my driving licence there. But suppose that my licence has now been revoked? The prospective employer would have to check with DVLA. So there's no point checking the PDS. It's irrelevant.

You read it here first. And now in PAS 499.
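
The investment manager's licence and the driving licence above, worked through as an added illustration (not code from this blog or from PAS 499). The `Issuer` class, the function names, the licence number and the key are assumptions made up for the example, and HMAC stands in for the issuer's digital signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key. HMAC stands in for the issuer's digital signature so
# that the example needs only the standard library.
ISSUER_KEY = b"constructed-demo-key"
REQUIRED = ("licence_id", "holder", "expires", "sig")


def sign(payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


class Issuer:
    """The authoritative source (hypothetical model of a licensing register)."""

    def __init__(self):
        self.records = {}  # licence_id -> {"expires": date, "revoked": bool}

    def issue(self, licence_id, holder, expires):
        payload = {"licence_id": licence_id, "holder": holder,
                   "expires": expires.isoformat()}
        self.records[licence_id] = {"expires": expires, "revoked": False}
        return dict(payload, sig=sign(payload))  # the copy the holder keeps

    def revoke(self, licence_id):
        self.records[licence_id]["revoked"] = True

    def status(self, licence_id, today):
        rec = self.records.get(licence_id)
        if rec is None:
            return "unknown"
        if rec["revoked"]:
            return "revoked"
        return "expired" if today > rec["expires"] else "valid"


def check_copy(evidence, today):
    """Everything a verifier can establish from the stored copy alone:
    correct format, unaltered since issue, expiry date on the copy not passed."""
    if not isinstance(evidence, dict) or any(
            not isinstance(evidence.get(k), str) for k in REQUIRED):
        return ["bad format"]
    try:
        expires = date.fromisoformat(evidence["expires"])
    except ValueError:
        return ["bad format"]
    problems = []
    payload = {k: evidence[k] for k in REQUIRED if k != "sig"}
    if not hmac.compare_digest(sign(payload).encode(), evidence["sig"].encode()):
        problems.append("not as issued")
    if today > expires:
        problems.append("expired")
    return problems


def check_with_issuer(evidence, issuer, today):
    """The same checks plus the issuer's current record for that licence."""
    problems = check_copy(evidence, today)
    if "bad format" in problems:
        return problems
    status = issuer.status(evidence["licence_id"], today)
    if status != "valid" and status not in problems:
        problems.append(status)
    return problems


def demo():
    issuer, today = Issuer(), date(2015, 9, 28)
    pds = {}  # the holder's personal data store: somewhere copies are kept
    pds["licence"] = issuer.issue("LIC-0001", "A. Holder", date(2016, 12, 31))
    before = (check_copy(pds["licence"], today),
              check_with_issuer(pds["licence"], issuer, today))
    issuer.revoke("LIC-0001")  # nothing in the PDS changes
    after = (check_copy(pds["licence"], today),
             check_with_issuer(pds["licence"], issuer, today))
    return before, after


if __name__ == "__main__":
    print(demo())
```

After revocation the copy in the PDS still passes every check that can be made on it, and only the issuer's answer differs. The copy-only check adds nothing that the issuer's record doesn't already supply.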

Thursday 17 September 2015

So where are we on astrology? 13 years late, UK government promises biometrics strategy by end 2015. Why?

In July 2002 Rt Hon David Blunkett MP, Home Secretary, issued a consultation document on introducing government-issued identity cards into the UK. One idea was to use biometrics to verify people's identity.

There was no proof at the time that mass consumer biometrics was reliable enough to do the job. 13 years later, there still isn't. The belief in the efficacy of mass consumer biometrics is akin to the belief in astrology.

In February 2015 the House of Commons Science and Technology Committee published a report, Current and future uses of biometric data and technologies. Biometrics was described as "the shoddiest science offered to the courts" and was said to be locked in a "cycle of failure".

The Committee declared itself to be worried about the privacy issues raised by biometrics and about the security of biometric databases. Which is odd. After all, if the technology doesn't work, there are no privacy issues. And the Committee doesn't (yet) seem to be worried about the storage facilities for horoscopes.

One way and another the Committee's report came up with 12 recommendations, to which the government's response has now been published.

"The Government biometric strategy is still in the early stages of development", they say (p.2). I.e. Whitehall was winging it for eight years with its promises for the benefits of ID cards between 2002 and 2010, when the Identity Cards Act 2006 was repealed. They now promise to publish their biometrics strategy "by the end of 2015" (p.3). What a mistake that will be, to publish a strategy for a shoddy science locked in a cycle of failure.

The strategy "should recognise that biometrics is fast-changing [trans: all over the place] and provides opportunities for better secure identity verification [how?], better public services [such as?], improved public protection [really?] and the ability to identify and stop criminals [all of them?]".

That was on p.4. Something must have changed since Chief Constable Chris Sims, representing the Association of Chief Police Officers, gave evidence to the Committee and said that he was "not aware of forces using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).

When we learn on p.5 that "the core facial recognition algorithm used by the Police National Database ... was shown to be one of the best in terms of accuracy" presumably that just tells us, given the testimony of Chief Constable Sims, that all the other algorithms are even more useless.

Also on p.5 the government tell us that, just like astrology, "performance levels of biometric systems cannot be characterised by a single figure. Publicising detailed results of performance is an area requiring careful consideration, as not only is the accuracy testing of large scale biometric systems very complex, so is interpreting the data. System performance is very dependent on the specifics of the application, making direct comparisons between systems difficult and in many cases meaningless".

P.6: "The Home Office systems currently holding biometric data employ a range of defence in depth measures appropriate to the value of the data" – nil?

Privacy impact assessments and the government's ethical framework for astrology are covered on p.7 and then on p.8 they say that: "the government appointed a Chief Data Officer in March 2015, supported by a Government Data Standard to ensure transparency in the use of data by Government". They did indeed.

They appointed Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of the Government Digital Service and senior responsible owner of the pan-government identity assurance programme now known as GOV.UK Verify (RIP), as chief data officer. He's leaving Whitehall in 13 days' time on 30 September 2015 and is not known to have done anything about biometrics in the interim.

The Committee included in its February report the judgement of the High Court several years ago that the Metropolitan Police Service is breaking the law by retaining, on its biometrics database, the images of people not even charged with an offence, let alone convicted of one (para.99). Now we learn that "the Home Office is currently undertaking a policy review of the statutory basis for the retention of facial images" (p.10). This will surely be a very quick review – it can't take long to establish a policy on the police breaking the law.

"We are considering the role of the Biometrics Commissioner" (p.11). The Committee's report revealed that although the Commissioner is responsible for DNA and fingerprints, he has no locus on facial images (para.102), like an unfortunate soothsayer handicapped by being forbidden to mention Leo.

The Prime Minister promised several years ago to limit net immigration to an annual figure in the tens of thousands. Last year it exceeded 300,000, much to the amusement of the opposition parties and the Guardian newspaper. It is widely agreed that UK immigration is out of control.

And yet the government's astrologer says: "The biometrics landscape has operated with a number of widely adopted international standards for many years, this has been vital in ensuring that governments are able to share data, where allowed and required, and has achieved significant benefits including; solving crimes, finding missing people and controlling immigration" (p.11).

You can have a strong grasp of reality. Or you can have confidence in mass consumer biometrics. One or the other, but not both.

----------

Updated 17.9.15 18:45

We don't often set homework on DMossEsq. Readers tend to cheat and get their children to do it for them.

But let's make an exception. 500 words, please, on the distinction between James McCormick and the suppliers of biometrics "solutions". Mr McCormick is in prison for selling novelty golf ball detectors and pretending that they could be used to detect explosives. No-one from the public bodies which bought them is in prison for pretending to believe him.

You may find it useful to refer to the essay on biometrics written by three world-class experts who conclude that biometrics is not a science. It is "out of statistical control", they say. One of these experts has advised the US government, one of them the UK government and one of them both governments. They know what they're talking about.

500 words. On the DMossEsq desk. 9 a.m. Monday morning 21 September 2015.


Updated 9.4.16

Based on a leak, Kat Hall published the revelation yesterday that "GDS has no real strategy for £450m budget pot, internal plan reveals".

She has acquired a copy of GDS's "Transforming the relationship between citizens and the state: the Government’s transformation strategy", and the Government Digital Service still doesn't have a clue how it's going to transform the relationship between people and the state. Instead, they're playing for time: "More detail about departments’ strategies for business transformation, enabled by digital, technology, data and security are due to be published in September 2016".

Playing for time, and repeating their nostrum about Government as a Platform (GaaP, the search for "promising clusters"): "an approach that involves developing a common core infrastructure of shared components, technology and standards on which it’s easy to build brilliant, user-centred government services".

This vacuous self-importance joins a long line of civil service reports. The excellent Jerry Fishenden, of whom more anon, has listed 80 similar documents published in the past 20 years. We're still waiting for a result and, without wishing to seem mean, it's not clear that the addition of a further £450 million is likely to induce progress.

Kat's article includes:

"But the only detail of what [GaaP] will entail were examples of 'common platforms' in the Home Office, which will develop a common biometrics platform for government and the Department for Work and Pensions, 'which will lead work on a tool to pay money out from government.'"

Despite all their painful experience, the Home Office still haven't shaken off the hold of biometrics. It must be written in the stars. Their future is their past. They are doomed to re-live the pain apparently eternally.


Updated 11.4.16

Get a coconut

The UK Home Office's big idea for the future is to "develop a common biometrics platform". That will transform government. Make it digital. Expand the UK economy. Be green.

Or will it?

Take a look at India and its Aadhaar scheme. That's a common biometrics platform-and-a-half. They've registered around a billion people. And in the state of Rajasthan, the only way for the poor to collect their food ration is through Aadhaar.

How's that going?

"Rajasthan presses on with Aadhaar after fingerprint readers fail: We’ll buy iris scanners":

“Yesterday, we had to send about a hundred people back when the internet did not work for six hours,” said Ali ...

Hanja Devi, an Antyodaya [maximum entitlement] beneficiary, failed to get 35 kilo foodgrain on her third trip in three days because of Aadhaar authentication failures ...

Of the nearly 860 beneficiaries who came to Aziz’s ration shop in December, he said, only half could get their fingerprint authenticated in one go ...

The biometric machine showed that the Aadhaar number of Santosh Devi, of Kesharpura village, belonged to someone else ...

The Rajasthan government made Aadhaar-based authentication mandatory at ration shops in December when the ration-seeding process [without which, digitally, you don't exist] was completed for less than half the ration beneficiaries ...

“From March 11 till 18, one week of the ration consumers’ fortnight, the servers were not working properly" ...

... all parts surrounded by the Aravalli hills had poor internet connectivity. “In Todgarh, which is also near the Aravalli hills, the ration dealer has to collect the beneficiaries 3 kilometres from the shop to catch signal" ...

... several families were trying to get their children’s biometrics registered ... because schools had ordered them to enrol for Aadhaar ...

Hansraj Yadav, who is additional director- Unique Identification Authority, said that to solve the problem of high rates of fingerprint authentication failure, the Rajasthan government is planning to install more biometric machines – this time, iris scanning machines ...

And here's Safran Morpho explaining how well Aadhaar is working, including Safran Morpho's biometrics systems:


No doubt the Home Office believe Safran Morpho's version and will pursue their big idea. The rest of us should prepare for Rajasthan's version.

That couldn't happen here, could it? Not in Blighty.

Believe what you like ...

... but we tried and failed to deploy the Basic Payment Scheme for farmers and our broadband couldn't cope ...

... and CloudStore, the old Digital MarketPlace has been known to be out of action for days and even weeks at a time ...


... and we're currently threatening to deploy GOV.UK Verify (RIP) even though it is thought that up to 30% of the low-paid can't have their identity verified ...

... and we're using Safran Morpho (SecureIdentity) as one of our eight "identity providers" for GOV.UK Verify (RIP) even though GDS themselves say that five of them – Barclays, CitizenSafe, Royal Mail, SecureIdentity and Verizon – are "unlikely to be able to verify you":


"Aadhaar" means platform in many of India's dozens of languages. The idea is that it provides a safe platform on which India can build public services. GOV.UK Verify (RIP), the UK's proposed identity assurance platform, looks just as rickety, in any language.

What's more, GOV.UK Verify (RIP) is due to go live this month. Some time in the next 19 days.

Apparently the Hindi for computer says no is "Aap ka Aadhaar sahi nahi hai". You'd better learn that before May.

And get a coconut. According to the Rajasthan article above, when one old woman couldn't have her identity verified, a bystander quipped: "Break a coconut first next time". It may help you when some idiot deploys electronic voting in the UK.


Updated 7.7.16

You will remember that the only prudent stance on mass consumer biometrics is scepticism. And that the House of Commons Science and Technology Committee were told, please see above, that no UK police force uses "facial image software" at the moment because "the technology is not yet at the maturity where it could be deployed".

You will therefore be amused to read today's Times newspaper:
CCTV riches for man who puts name to a face

... The Somerset-based SSL — Simulation Systems Ltd — a past recipient of the Queen’s Award for Enterprise, has been in the vanguard of developing CCTV equipment for major roads and devices, which it is claimed, can make out the faces of motorists in their vehicles two miles away even if there is mist, rain or snow. In clear weather viewing distances are claimed to be 15 miles ...
The men and women in blue can't get facial image software to work with photographs taken in a well-lit police station but Simulation Systems Ltd can recognise a face two miles away in the mist?

People want to believe in biometrics so much that they will accept any claim however ludicrous. They will even repeat these claims in serious newspapers.


Updated 12.8.16

It's mid-August and even the news has gone on holiday.

What to publish?

How about?
Boffins' blur-busting face recognition can ID you with one bad photo

Developers warn that scary people are out there doing this already

12 Aug 2016 at 03:58, Darren Pauli


Scientists have found a way to accurately identify completely obscured faces using recognition systems trained on only a handful of well-lit photos.

The work by Seong Joon Oh, Rodrigo Benenson, Mario Fritz, and Bernt Schiele of Max Planck Institute in Saarbrücken, Germany, finds faces can be recognised with up to 91.5 per cent accuracy when the system is fed with just 10 clear images of a target's face.

The Faceless Person Recogniser is up to 69.6 per cent accurate when working from just one image ...
Other numbers mentioned include 14.7, 4.65, ones, handful, 12, 83 and, more ambitiously, 40,000 and 2,000.

We've been here before ...

Updated 24.10.16

The Government Digital Service (GDS) don't have a published strategy at the moment. That doesn't stop them recruiting like mad and it didn't stop the Treasury promising them £450 million.

Still, it's embarrassing. So Kevin Cunnington, the new Director General, has taken to briefing journalists on the contents of GDS's strategy, which may be published before Christmas 2016.

All journalists report that Mr Cunnington sees a great future for GOV.UK Verify (RIP), GDS's identity assurance scheme that doesn't work. Rebecca Hill, writing for Public Technology.net, Kevin Cunnington reveals his ‘cunning plan’ for future of GDS, adds this gem:
In addition, Cunnington said he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further.
The House of Commons Science and Technology Committee were unable to discover any good work being done on biometrics, please see above. If Mr Cunnington is hoping that GOV.UK Verify (RIP) will be saved by biometrics, he's in for a great disappointment.


Updated 10.11.16

We are all still waiting for GDS's strategy to be announced but the other day at least we learned its mission – to "support, enable and assure".

What does "support" mean?

According to Kevin Cunnington, director general of GDS, among other things it means that GDS should "innovate with new ideas, and help departments to innovate. Things like biometric residence permits, which a team at the Home Office has been working on".

Quick reference to p.9 of your well-thumbed July 2006 copy of Identity Card Technologies: Scientific Advice, Risk and Evidence will remind you that:
The Home Office admitted that the timetabling of the programme was being reviewed by the IPS but said that it “remains committed to delivering the ID cards programme as soon as possible, starting with biometric residence permits for foreign nationals in 2008” ...
The programme whose timetable was being reviewed back then was the National Identity Scheme (subsequently the National Identity Service). The NIS was finally reviewed to death in December 2010 when the Identity Cards Act was repealed at which point IPS, the Identity & Passport Service, imploded. Which is why we Brits still don't have UK government-issued ID cards. But some foreigners do, and have done since November 2008 – biometric residence permits.

There was nothing innovative about biometric residence permits. Not in 2008. And not in 2006. By 2002, the Home Office was already issuing asylum seekers with biometric Application Registration Cards, please see p.114 of their consultation on entitlement cards (subsequently ID cards).

That's 14 years ago and nine years before GDS existed. GDS can hardly be said to be innovating new ideas in this case or even helping the Home Office to do so. Biometric residence permits are a rotten example for Mr Cunnington to give of GDS's mission to support.

Despite their failure, the Home Office still harbour a pathological craving for ID cards. A pathological craving which is quite clearly now being channelled through Kevin Cunnington ...

... which tells you what to expect on Christmas Day when you open your GDS strategy.


Updated 11.10.17

The psychopathology continues at the UK Home Office. Face scans at the border to keep track of EU migrants after Brexit, it said in the Daily Telegraph newspaper a few days ago.

Cold comfort but it's not just the Home Office – Dubai Airport is replacing security checks with face-scanning fish.

And we think people were superstitious and gullible in the Middle Ages.


Updated 27.10.17

PAS 499:2017 Digital identification and authentication – Code of practice.

That document is a PAS, a publicly available specification, published by BSI Standards Limited, a company something to do with the venerable British Standards Institution (BSI). The document is in draft and the authors seek comments on it.

PAS 499 is a serious attempt to specify some practices needed to reduce the incidence of cybercrime based on false identities. It could survive all the tests that have to be undergone on the way to becoming a British standard.

The idea is to improve the identification and authentication of the parties to on-line transactions. Financial transactions in particular. "... in payment services regulatory requirements on authentication are going from a very low baseline to an extremely strong customer authentication, where security requirements go far beyond that expected in any other sector" (clause 0.3).

One example among many of these more onerous compliance requirements is PSD2, the latest Payment Services Directive. At clause 3.1.4 of the PAS an authentication factor is defined as:
data or a physical item used to carry out an identity authentication

NOTE 1 Typically categorized into one of the following:
a) Knowledge – something you know (e.g. password)
b) Possession – something you have (e.g. physical token or device)
c) Inherence – something you are (e.g. biometric)

NOTE 2 These may be dynamic (changing on each occasion) or static (fixed and unchanging). Static factors, once compromised, might require replacement in order to ensure integrity of the authentication system.

NOTE 3 Further information on authentication factors is given in PSD2.

NOTE 4 Geolocation can be viewed as an additional category but, under the terms of PSD2, it is not considered an authentication factor on its own. However, it might assist with the authentication risk assessment.
Note 4 is of particular interest to DMossEsq who was working on the idea of location identity back in 2003 (please see §4.9) but is not germane to our purposes here.

What is germane is the concept of authentication factors:
  • At clause 5.3 the PAS recommends that it is good practice to use all three factors when authenticating a person – a knowledge factor and a possession factor and an inherence factor.
  • And at clause 5.6 it recommends that, for all but the lowest levels of assurance, each factor should be multi-modal. If an organisation is using biometrics, for example, as a what-you-are/inherent factor, then at least two biometrics should be used, two modes, e.g. both fingerprints and iris scans.
At which point you realise that this PAS, this serious piece of expert work, is bound to be let down and undermined by the reliance it places on biometrics. PAS 499 depends on the science of mass consumer biometrics working, and it doesn't.

It's not even a science according to three world experts – Messrs Wayman, Possolo and Mansfield – because it's out of statistical control.

You can almost work that out for yourself. The results of large-scale field trials of biometrics always used to reveal that they are hopelessly unreliable. That problem has been solved by not publishing results any more. And, indeed, by not conducting large-scale field trials any more.

There are other problems where PAS 499 strays into biometrics.

At clause 5.7 we read: "The higher the numbers of modes captured at enrolment, or re-enrolment, the greater the chance of establishing uniqueness":
And at clause 9.9 we read: "Where the biometric match is 100%, the organization should review the factor to determine whether a replay attack is being attempted". Certainly a 100% match is extraordinarily suspicious, where you're dealing with probabilities and variable quality scanning/probing equipment, but 100 is not the only number – if a person repeatedly comes up with the same score whatever it is, that is suspicious and points to a replay.
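
One way to turn that observation into a check, as an added example that is not part of PAS 499 or of the original post: the Python below flags a 100% match (the clause 9.9 case) and also any user whose attempts keep returning the identical score. The log format, the function name, the one-hour window and the three-repeat threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log, invented for illustration:
# (user, attempt time in seconds, match score in percent).
SAMPLE_ATTEMPTS = [
    ("alice", 0, 93.41),
    ("alice", 3600, 91.80),
    ("alice", 7200, 94.12),
    ("bob", 100, 100.0),      # perfect match: the clause 9.9 case
    ("carol", 50, 88.27),
    ("carol", 900, 88.27),    # identical score again
    ("carol", 1800, 88.27),   # and again
    ("dave", 10, 90.0),
    ("dave", 500, 85.5),
    ("dave", 90000, 90.0),    # same score as before, but a day later
]


def find_replay_suspects(attempts, window_seconds=3600, min_repeats=3, decimals=2):
    """Return findings for perfect matches and for repeated identical scores.

    Live captures vary with sensor noise, pose and lighting, so a genuine
    user should not keep producing exactly the same score. The thresholds
    here are assumptions: a matcher that reports coarse scores (whole
    percentages, say) will repeat by chance and needs a higher min_repeats.
    """
    findings = []
    times_by_user_score = defaultdict(list)

    for user, timestamp, score in attempts:
        if score >= 100.0:
            findings.append({"user": user, "reason": "perfect_match",
                             "score": score, "times": [timestamp]})
        times_by_user_score[(user, round(score, decimals))].append(timestamp)

    for (user, score), times in times_by_user_score.items():
        times.sort()
        # Sliding window: longest run of identical scores inside the window.
        start = 0
        longest_run = []
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > len(longest_run):
                longest_run = times[start:end + 1]
        if len(longest_run) >= min_repeats:
            findings.append({"user": user, "reason": "repeated_score",
                             "score": score, "times": longest_run})
    return findings


if __name__ == "__main__":
    for finding in find_replay_suspects(SAMPLE_ATTEMPTS):
        print(finding)
```

A score that never reaches 100% but never varies either is caught by the second rule, which a check for perfect matches alone would miss.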

But the core problem is that PAS 499 authentication rests on three factors/pillars, one of which is a mirage made of wishful thinking. That is no use to the payment services industry nor to any of us.


Updated 16.11.17

17 August 2017, and NatWest sent DMossEsq an email that he's only recently read:


"Log in with your fingerprint"? To a serious UK bank? A serious UK bank who must know as well as you do that the login will fail about 20% of the time and annoy their customers? And if it doesn't fail 20% of the time that means that impostors will find it easier to pretend to be you?

DMossEsq tucked that away in the life-is-too-short category until yesterday, when Money Box Live was on the radio while he was washing up, New technology and banking: "New technology is transforming the way we handle our finances. Are you someone who uses mobile apps to keep track of how you spend your money or does the thought of it fill you with dread?".

And blow me down if Nationwide aren't introducing not only fingerprinting but also face recognition, the biometric where it would be just as reliable and a darned sight cheaper to toss an unbiased coin.

What's going on?

That's what DMossEsq wanted to know but he was too late when he rang 03700 100 444 to get on air.

Cheap mass consumer biometrics haven't suddenly started working reliably after 60 years of uninterrupted failure. So why are the banks pretending to rely on them?

Answer, one of Mark King's more cynical suggestions ... PSD2, the second Payment Services Directive, Directive 2015/2366/EU, which comes into force on 13 January 2018.

Cynical. And incontestable – clause 30 of Article 4 defines "strong authentication" as "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data".

Hidden away in the middle there – "inherence (something the user is)" – is biometrics. If the banks want to be able to say they have authenticated you strongly before authorising a payment out of your account, they'd best have checked your biometrics. And the Member States of the EU will want the banks to be able to say that because, Article 97: "Member States shall ensure that a payment service provider applies strong customer authentication ...".

When they announce their fingerprint and face recognition initiatives and other biometric tat, the banks aren't saying that they're introducing biometrics because they now think biometrics work. They're saying they have to offer biometric authentication because otherwise, thanks to PSD2, they can't be banks.

They'll still really be relying on what you know (e.g. a password) and what you have (e.g. a debit card and a PINSentry). But in addition, at extra cost, to you, they will also dutifully pretend to be interested in your biometrics. Thanks to brilliant and cynical lobbying, Apple, among others like our good friends Idemia, have a licence to print money and are going to be laughing all the way to the payment service provider:



Updated 1.12.17

How old would you have to be to believe this latest article in the Times newspaper? Less than 9?
Facebook develops facial recognition cameras that feed shop staff their customers’ profile details

... A patent submitted by the company this month reveals that it is working on technology that will enable brands to target shoppers with specific products informed by their Facebook activity and facial expressions. The plans also give details of crowd-scanning technology that can identify emotions, which are relayed to managers and shop assistants. In theory it will be able to alert staff if a customer is unhappy or needs assistance ...

Updated 20.2.18

Chinese police using facial recognition glasses to identify suspects – that's what it said in the Daily Telegraph newspaper on 7 February 2018:
Chinese police are using dark sunglasses equipped with facial recognition technology to spot criminal suspects.

The glasses, which are being worn by police at a busy train station ahead of the Chinese New Year travel rush, are linked to a central database which contains details of criminal records.

Wearing the technology, police can almost instantly view an individual's personal details, including name, ethnicity, gender and address.
Incredible what they can do these days.

Only the day before, the House of Commons Science and Technology Committee took two hours of evidence on the subjects of forensics and biometrics:



Baroness Williams was there to answer questions on the UK's missing biometrics strategy, please see above.

There was much earnest discussion of the astrological need for proper governance and the privacy implications of horoscopes. The Baroness was hauled over the coals for the failure of the police to delete the custody photographs of people who have been detained and then either found not guilty or released without charge. "Innocent people" as we used to call them.

The Baroness was due to appear before the Committee on her own but, in the event, she was accompanied by a Mr Christophe Prince, the Home Office's "recently appointed" director of data and identity, of whom we are likely to speak more.

Both of them were at some pains to say that the use of biometrics based on face recognition is not "fully developed" (11:03), that biometrics procedures are "more advanced" (11:07) with DNA and fingerprints and that the face recognition technology is still "developing" (11:12) and only being "piloted" (11:13).

In other words, biometrics based on face recognition doesn't work. Astrology may work in China. But not here in the UK.

"Why are the Home Office wasting their time and our money?", you want to know. You are not alone.


Updated 26.3.18

Yoti selected as the official identity provider for the Government of Jersey: "Today marks a landmark day for Yoti. We have been selected as the identity provider for the Government of Jersey ... Securing our first government contract is a huge milestone in our journey and something all of the team are incredibly proud of". No doubt.

According to the FindBiometrics website, "third parties can authenticate Yoti users by prompting them with a QR code to take a video selfie, with facial recognition being used to confirm that end users match their Yoti credentials on file".

According to the police, of course, talking about biometrics based on face recognition, "the technology is not yet at the maturity where it could be deployed" (please see para.95 of the House of Commons Science and Technology Committee report referred to above).

Who's right?

We'll see.


Updated 19.4.18

• At some point in the past few weeks Visa announced Fingerprint authentication moves from phones to payment cards.

You are forgiven for believing as a result that fingerprint authentication has moved from phones to cards but, actually, if you read the press release, it turns out that a new technology is being tested, and it may or may not turn out to be reliable.

That headline should have read Fingerprint authentication may move from phones where it's dubious to payment cards or it may not, don't bet on it.


• On 12 April 2018 the BBC told us Chinese man caught by facial recognition at pop concert: "Chinese police have used facial recognition technology to locate and arrest a man who was among a crowd of 60,000 concert goers". You are forgiven for believing as a result that this man was identified by CCTV scanning a huge crowd but, actually, "Mr Ao was identified by cameras at the concert's ticket entrance".

According to the police, please see above, this technology doesn't work in the UK. Why would it work in China? "Identified by cameras"? More detail, please:
  • Had Mr Ao perhaps bought his ticket using a credit card in his name and posted to his address, and face recognition had nothing to do with his identification?
  • "Mr Ao had reportedly driven 90km (56 miles) from Zhangshu to Nanchang with his wife specially to catch the concert" – was he really identified by ANPR?

• "Australians will soon be able to sign up for a national digital identity solution known as the Govpass program, touted by the federal government as making it easier for people to prove who they are when using government services", we were told on 21 March 2018 in DTA seeks identity validation platform for Govpass program: "The Digital Transformation Agency (DTA) outlined the process for applying for a Govpass in October, with the system expected to match a user's photograph, as well as Medicare, driver's licence, and birth certificate details, with information already held by various government entities".

You are forgiven for believing that it was all going rather well up to that point but, next paragraph: "After DTA CDO Peter Alexander revealed during Senate Estimates last month that the Govpass solution is currently non-existent ..." – the DTA have got the procedures, it transpires, all they're missing is the face-matching biometrics system needed to make them work.


Updated 20.4.18

Kevin Cunnington, the director general of the Government Digital Service (GDS), doesn't say much in public.

But he does say a few things. Repeatedly.

21 October 2016, he was reported as saying that "he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further", please see above.

He is consistent on this matter. In an 8 February 2018 blog post, under the heading My priorities for the next 12 months and the sub-heading Being innovators for government, he wrote: "GDS is working with departments to support existing and upcoming programmes, including using biometrics and artificial intelligence on services".

He said the same three days ago in The Government Transformation Strategy: One year on.

GDS have never made any headway with the Department of Health, they have or had a rocky relationship with the Department for Work and Pensions and Her Majesty's Revenue and Customs show no need of any advice from them ...

... but perhaps there is a budding relationship between GDS and the Home Office built on a shared weakness for biometrics. If DMossEsq was reading someone's palm and saw that fate written in their future, he would keep quiet about it, too miserable for words. It's horrific but Mr Cunnington keeps saying it and he may mean it.


Updated 31.5.18

iProov wins US Department of Homeland Security contract. That's a 16 April 2018 blog post published by iProov, "a world leader in spoof-resistant, biometric facial verification technology".

Well done iProov, they've won a contract with DHS which "could help US CBP [Customs and Border Protection] quickly, accurately and reliably identify travellers as they process through US border crossings".

How quickly? How accurately? How reliably? At any chosen matching threshold, what is the false accept rate, using iProov's technology, and what is the associated false reject rate?

They don't say. There is no answer to these questions.
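
What an answer to those questions would look like, as an added example that is not from iProov, DHS or the original post: the Python below computes the false accept rate and the false reject rate at a given threshold from lists of genuine and impostor comparison scores. Every score is constructed for illustration and the function names are hypothetical; the last function assumes the trials are independent.

```python
# Constructed similarity scores in [0, 1], invented for illustration.
# GENUINE: the right person compared with their own enrolment.
# IMPOSTOR: someone else compared with that enrolment.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.85, 0.73, 0.90, 0.58, 0.87]
IMPOSTOR = [0.12, 0.35, 0.41, 0.66, 0.28, 0.52, 0.19, 0.74, 0.33, 0.47]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) rows: the table a supplier should publish."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR is <= max_far, and the FRR paid for it."""
    # Only observed scores can change the rates; infinity rejects everyone.
    candidates = sorted(set(genuine) | set(impostor)) + [float("inf")]
    for threshold in candidates:
        far, frr = error_rates(genuine, impostor, threshold)
        if far <= max_far:
            return threshold, far, frr


def far_upper_bound_zero_errors(impostor_trials, confidence=0.95):
    """Upper bound on the true FAR when no false accepts were observed.

    Assumes independent trials. Zero observed errors in a small trial says
    very little: the bound shrinks only as the number of trials grows.
    """
    return 1 - (1 - confidence) ** (1 / impostor_trials)


if __name__ == "__main__":
    for threshold, far, frr in sweep(GENUINE, IMPOSTOR, [0.5, 0.7, 0.8]):
        print(f"threshold={threshold:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print(threshold_for_far(GENUINE, IMPOSTOR, max_far=0.0))
    print(f"{far_upper_bound_zero_errors(len(IMPOSTOR)):.1%}")
```

Raising the threshold to keep impostors out pushes the false reject rate up, and ten clean impostor trials still leave room for a true false accept rate of roughly one in four.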

Instead, all we learn is that "iProov has been selected by the US Department of Homeland Security to enhance the way in which it processes people through US borders. Advances in machine learning and AI have enabled a revolution in facial biometrics in the last few years".

No blockchain?

No performance figures, we don't have a clue how reliable the product is except that the UK police believe that face recognition technology is "not yet at the maturity where it could be deployed" (please see above), but – sell the sausage, not the sizzle – at least we know that it has added machine learning. And AI.


Updated 29.6.18

Foolishly, on 6 February 2018, Baroness Williams and Christophe Prince promised the House of Commons Science and Technology Committee a biometrics strategy by June. There's no point having a strategy for the use of a technology that doesn't work.

More foolishly still, yesterday, they published a document claiming to be that strategy. A dreadful piece of work not worthy of the name "strategy", it is reminiscent of Matthew Hancock and Paul Maltby's ethical framework for data science, which isn't a framework and excludes any ethics.

Judging by ElReg's UK.gov's long-awaited, lightweight biometrics strategy fails to impress, this view is shared by the chairman of the science and technology committee and by the biometrics commissioner and by Liberty and by Big Brother Watch among others ...

... including, we may assume, the High Court, which will also be unimpressed with this Home Office document, which leaves the Metropolitan Police in contempt.

And no hope there after all for Kevin Cunnington, director general of the Government Digital Service, who may have been hoping to run the national biometrics/horoscopes platform but has lost control of it just as much as he has lost control of the national data strategy and the national identity assurance strategy.


Updated 3.8.18

The UK Parliamentary Office of Science & Technology (POST) have now published their note on mass consumer biometrics, Biometric Technologies.

Among other technologies, they look at Automated Facial Recognition (AFR), the attempt to use biometrics to identify people on CCTV, see for example Chinese man caught by facial recognition at pop concert.

We weren't very impressed when we considered AFR on 19 April 2018, please see above, and neither are POST: "Over a trial period from June 2017 to March 2018, 8.7% of matches were found to be correct" (p.3).

If 8.7% of matches are correct, then 91.3% aren't. That's not very good, is it.

Is the other mass consumer biometrics technology any better? Flat print fingerprinting? Voice identification? We don't know. POST don't tell us the failure rates for them. Only for AFR. That's a bit asymmetrical. Perhaps in a subsequent edition they might correct that lapse.

"The Commons Science and Technology Committee has said it is essential for biometric systems that impact on civil liberties to be tested, to ensure they are dependable ... Whilst noting the important role of biometric technologies in policing, the Biometrics Commissioner has pointed to a lack of research proving their cost-effectiveness". That's what POST tell us on p.4 ...

... but by then it's too late, the damage has been done, we've already been told on p.1 that "the global market for biometrics is estimated to grow to £21 billion by 2022" for all the world as though the technology works and we've already been treated to several examples of applications where mass consumer biometrics is used even if the technology doesn't work.

"... many banks now offer biometric verification on mobile banking apps, often using fingerprint or facial recognition" (p.1). Of course they do. It's not because the technology works. They have to. Otherwise they'll lose their banking licences. That's the open banking/PSD2 law. As we pointed out last October.

How many readers are going to plough on to the bits at the end of the POST note, raising boring questions about the efficacy of biometrics and governance and privacy and racial bias?

Very few, Idemia and all the other astrologers may safely assume.

Thank you, POST, they may say, for doing your bit to help us keep the licence to print £21 billion for ourselves, everyone so much wants our technology to work that they rarely ask if it does, and thanks to you that continues.



Updated 13.8.18

The state of West Virginia plans to introduce on-line voting in elections. They've retained a company called Voatz to develop a voting app. (An app is a virus, remember, by another name.) How does the state know that the vote has been cast by a legitimate constituent? Answer: "Voatz says its facial recognition software will ensure the photo and video show the same person. Once approved, voters can cast their ballot using the Voatz app".



Updated 10.10.18

The investigative journalism website Bellingcat have published the story of how they unmasked one of the Russian assassins sent to murder Colonel Skripal in Winchester.

Bellingcat made full use of all the surveillance facilities in use these days, all the on-line data stores offered by the web and all the enterprising criminality with which that data is sold to whoever can afford it. Talk about a double-edged sword ...

One passage in their story strikes a wrong note. Given two passport photographs taken 15 years apart, "Prof. Ugail confirmed unequivocally that the two photographs belong to the same person, accounting for the 15-year difference between the two".

Mr Ugail is "professor of visual computing at the University of Bradford and an expert in simulated age progression". Why is his confirmation unequivocal? Partly because the Cosine Similarity is 90.1%. And then there's the K-Nearest Neighbours. That's 87.7%. And the Deep Learning (Meekaaku algorithm) being 91.3% clinches it.


Or does it?

Don't forget that three years ago the Guardian newspaper used a biometrics expert to prove that these are both pictures of Anne Boleyn:

Alexander Mishkin
Alexander Petrov