Monday 28 September 2015

Lack of control, insecurity, irrelevance to attribute exchange and inconvenience – what else do you look for in a personal data store?

Last heard of in these parts, personal data stores (PDSs) were being advocated as an aid to considerate death. Your PDS is a digital version of you. It represents you on the web while you live. And even in the afterlife, Assisted dying the digital way with a core consent delegation management repository.

Maintain as much information about yourself as possible in a PDS, let apps (viruses) process it for you, and at last you will stop making stupid decisions. A life of rational utility beckons. That was the promise of three liberal democrat politicians – first Ed Davey, then Norman Lamb and finally Jo Swinson – all trying to get us mooncalves to buy in to their midata initiative.

We've been following this story for years. Older readers will remember the midata Innovation Lab, for example, and the peerless explanation offered by Mydex, a purveyor of PDSs.

midata is promulgated by the UK Department for Business Innovation and Skills (BIS).

It's not just undertakers and BIS who think PDSs are good for you. So does the National Health Service (NHS) – they think PDSs will help you to become a good NHS citizen.

It doesn't stop there. Undertakers, BIS, the NHS and ... the Government Digital Service (GDS). On 23 January 2015 it seemed that PDSs were going to be a vital component of GDS's identity assurance initiative, GOV.UK Verify (RIP). Then, at the last minute, 25 March 2015, it was all change and Mydex dropped out of the running to become an accredited "identity provider".

We have had our doubts about PDSs. Four of them.

1. The promise is made by politicians, officials in the civil service and suppliers that using a PDS will put people in control of their personal information. How? How will a PDS ensure that you can control who does what with your personal information? It doesn't. It can't.

1.1 This is confirmed by Mydex's sister company, Ctrl-Shift, who point out that there is no way of enforcing the "trust framework" on which control depends.

2. The promise is made that your PDS will be secure. In fact not just secure. Hypersecure. A claim which seems old-fashioned these days. The media feed us a daily diet of stories about breaches of cybersecurity and we've got the message.

2.1 There's no such thing as guaranteed security. So why would anyone rational believe the promise of security? And why would anyone upright promise it?

3. The promise is made that PDSs will support attribute exchange. What's that? Take an example. Suppose you're applying for a job as an investment manager. You need to be licensed to practice. That's an attribute of yours. The Financial Conduct Authority (FCA) issue your licence, if you pass the exams and you keep your nose clean, you store the licence in your PDS and the idea is that a prospective employer can check your PDS to make sure that you're licensed. That's attribute exchange.

3.1 But it doesn't work. The licence in your PDS may be out of date. The FCA may have revoked it. The only way the prospective employer can be sure that you're still licensed is to check with the FCA. There's no point them checking your PDS. It's irrelevant.

4. The promise is made that PDSs will make life more convenient for people, see for example Identity assurance – convenient? It'll make your life so much easier and We are making customers work too hard, let’s improve the experience for all. Working hard all day to keep your PDS up to date doesn't seem very convenient. It is a labour of self-love that normal people would find irksome, not convenient.

4.1 Any residual suspicion that having a PDS would be convenient is dispelled by Opening up BBC channels and content. At the moment here in the UK, you sign a direct debit and your TV is licensed year after year without you having to think about it.

4.2 With a PDS, the suggestion is that every year you could install the licence on all the TVs, PCs, laptops, iPads and phones that belong to you and your partner and your children and anyone else who lives with you: "If TV Licensing issued a secure digital token to people who can demonstrate that they live in a house covered by a valid licence ... this could be stored in a personal data store and shared with the BBC and any other service that needs it ... This is best done when a TV Licence is purchased – a one time code could be delivered to the household as part of the setup process for a digital license, and this would permit the addition of devices and individuals, with validation mapped back to the core license ...".

4.3 ... the opposite of convenient.

These doubts may be shared by others. Which could explain why PDSs haven't taken off in the UK, much to the querulous indignation of William Heath, one of the participants in the Twitter conversation above: "Can't believe we in UK will have to wait a generation ...".

Now apparently PDSs are taking off in India: "Does 1m Indians in last few months count?". The PDS in India is known as a "DigiLocker" and is a product of the Indian government's Department of Electronics and Information Technology (Deity). Deity is now responsible for the Indian ID card scheme, Aadhaar. And for taking government control of all encryption in India. As well as PDSs. It's a powerful portfolio, in theory.

Call it what you like. A personal data "store" or "vault" or "locker", it's got the same problems – lack of control, insecurity, irrelevance to attribute exchange and inconvenience – and it won't take off in India any more than the UK.


Updated 15:35

As we said above, "the promise is made by politicians, officials in the civil service and suppliers that using a PDS will put people in control of their personal information". We have cast some doubt on that promise.

But not enough doubt.

Because what do we read in our inbox at 14:05 today? Civil servants are users too:
It includes a personal data store for every civil servant - a digital space every individual can use to control what data they share, with whom, and how it’s updated. It could enable staff to share their work objectives (or not), their career history and specialist skills (or not), or their preferred forms of communication (or not).
If we're right, civil servants will have no control over their personal information as a result of storing it in a PDS. The PDS will not be secure. It will be irrelevant to attribute exchange. And it will be inconvenient.

We did ask Tom Loosemore, the deputy executive director of GDS, about this matter in a round about sort of a way but sadly he left before answering so civil servants are now left wondering.

Updated 29.9.15

GDS's childlike elaborate daydream

Consider GDS's application to register to vote system. That system currently offers insufficient identity assurance. It also fails to tell you if your application has been successful. Government in that area remains untransformed.

Now suppose, just for the sake of argument, that PDSs supported attribute exchange in the way that Mydex claims.

With the appropriate attributes stored in it, Mydex might have you believe, you could use your PDS to prove that you are entitled to be entered on the electoral roll. And the Electoral Registration Officer (ERO) for your local authority could update your PDS with a polling card in the form of a digital certificate confirming that you have successfully been registered and that you are entitled to vote.

That might make good the shortcomings of the current system. It might transform government.

In that case, there's not much point you the person applying to register to vote. An app could do it for you. You the person aren't really needed. You can be adequately represented by your PDS.

You could say that that is convenient. Or you could say that the person has been cancelled out of the equation. The PDS is relevant and you aren't.

It is possible to elaborate this daydream:
  • The ERO may not be needed any more than you are.
  • And why take the trouble to vote? BIS claim that midata and its apps will help people to make rational decisions, please see Norman Lamb above. If an app can tell you how to vote it can just as easily tell the Returning Officer how you would/did vote. Cut out the middleman and you needn't be put to any trouble voting. Convenient.
  • And do we really need a Returning Officer?
  • Your PDS will survive you, please see opening paragraph above. It could carry on voting long after you're dead.
  • Etc ...
When GDS offer you convenience, arguably what they're saying is that you're irrelevant. As irrelevant as the 1½ million public servants we don't need.

Convenience = Irrelevance?
10. Going out

midata service providers could use an individuals purchase data to look at which restaurants and bars that user like. Taking this data, they could offer you a unique service, alerting you to new or recommended restaurants that suit your taste and location.

So where your favourite restaurant has deals or offers, you could be alerted in advance to take advantage and make a booking. Combined with other services, the programme could also indicate where you could save money or improve your health by eating elsewhere, drinking less or going out less.
From an old BIS press release no longer available, a victim of the advent of GOV.UK,
A midata future: 10 ways it could shape your choices.
A midata app that nags you
for eating unhealthily, drinking too much and going out too often
will have no compunction in shaping/making your choice how to vote
for your own good.
Before we get carried away, don't worry.

Remember that one of our assumptions was that PDSs work. And they don't.

We know that they can't grant us control over how other people use our personal information. It's just not in their gift.

We know that they can't be made secure any more than Sony could defend itself against the North Koreans or the US Office of Personnel Management could keep millions of government employees' records and biometrics safe.

We know that PDSs are the wrong place to look for attribute exchange, please see the case of the licensed investment manager above.

And we know that, far from being convenient, PDSs can require us to do much more work, for example when renewing our TV licence, please see above, than the current untransformed procedures.

People are complex and government is difficult. It would be easier to govern PDSs. But no adult would be fooled into thinking that that would amount to Whitehall doing its job.

Updated 17.10.15

Civil servants are users too, we learned on 28 September 2015.

But for how long?

Take another look at the quoted extract:
It includes a personal data store for every civil servant - a digital space every individual can use to control what data they share, with whom, and how it’s updated. It could enable staff to share their work objectives (or not), their career history and specialist skills (or not), or their preferred forms of communication (or not).
The PDS can be used by staff to record their specialist skills.

Why's that?

You will remember Mr Mark Thompson and his belief that the UK could get rid of 1½ million useless public servants and cut the deficit by £35 billion as a result while at the same time improving public services. But which 1½ million?

The answer will be determined by matching staff skills against a giant Wardley map of the UK public sector. If you're a public servant and your skills are surplus to the Wardley requirements, then your services can be safely dispensed with:
Wardley’s maps have the power to enable government to become situationally aware; to expose vast redundancy in capability right across the UK ...

... public sector bodies have a special opportunity – indeed, perhaps a duty - to work together to expose, standardise, and consume all that hidden, redundant capability.
They're busy people, Stephen Foreshew-Cain and Mayank Prakash, and it is a venial oversight on their part that they omitted this point from Civil servants are users too. But that's what "Government as a Platform" means and that's what the PDSs are for ...

... to help Mr Thompson, who wants to build a Capability Exchange, on which skills can be traded just as listed shares are priced and traded on the Stock Exchange. A few public servants will be left but not those "lower down the value chain". Wardley maps can be trusted to ...
... expose duplication across public services, placing [public organisations] under pressure to standardise their demand for capabilities lower down the value chain, and consume these as commodities.
There is only one question left. Who's going to establish and operate the Capability Exchange?

Mr Thompson is unimpressed by the present leaders of the Civil Service:
Although government has been good at training more junior technologists, it has perhaps been less effective at communicating to our leaders the radical implications of the web on our public service operating models.
What is needed to fill this skills gap is ...
... 25 to 30 mobile specialists who live and breathe capability mapping and open architecture, with a laser focus on the business, who would criss-cross the country helping business leaders to bootstrap their organisations into the Capability Exchange.
No doubt Mr Thompson will hope to convince his contacts in the Treasury that much of this team of laser-focussed mobile breathers can be hired from his company, the Methods Group, possibly including his recent recruit through the revolving door, Mike Beaven, formerly the Transformation Director at GDS.

(Maybe there is one other question left. If power is no longer wielded by Whitehall, then who will it be wielded by? But don't worry about that.)

Updated 24.10.15

The criticism above of Mark Thompson's advocacy of Government as a Platform (GaaP) has elicited a number of attempted refutations.

Simon Wardley, for example, suggests that Mr Thompson's three-article series in Computer Weekly magazine doesn't say what it means.

Mr Thompson doesn't mention "what strategic points of control Gov needs to maintain" in any of those articles nor in UK voters are being sold a lie. There is no need to cut public services nor What is government as a platform and how do we achieve it?. The reader is somehow meant to intuit his thoughts on the matter.

And as for Mr Thompson himself, he claims that he has been misrepresented. Repeatedly, across all five articles, he holds out the promise of "savings" of £35.5 billion p.a.. He also says that this money could be re-allocated to the front line. But then it wouldn't be a saving. He can't have it both ways.

The £35.5 billion p.a. figure is based on what he himself calls a "back-of-envelope approach" ...

... which only counts staff, not the expensive "silo" software which is supposed to be replaced with cheap "GaaP" components. How much would that replacement save? In five articles on GaaP he doesn't tell us.

Francis-now-Lord Maude, Mr Thompson tells us, has made the point that there is no Constitutional inevitability about the civil service. Ministers don't have to operate through departments. Instead:
Digital operating models broker people’s ability to consume standard building blocks of business – which include information management, accountancy, logistics, payments, workflow, and so on - via a burgeoning market of affordable, easy-to-deploy, and flexible digital services, in ways that require very little “official” intervention.
The civil service exercise power. If that is taken away from them, it will be exercised by someone else.

The question "what strategic points of control Gov needs to maintain", as Mr Wardley says, is unanswered by Mr Thompson. GaaP means stripping Whitehall of power and giving it to the likes of Google and Amazon and Facebook and Apple, "the web is a game changer that requires a new model for government itself".

It is imprudent to adopt this new model without first establishing how it could be controlled. It will have huge power vested in it and it needs to be dedicated to governing the UK in a way that Google and Amazon and Facebook and Apple are not.

Mr Thompson talks about his capability exchange being "self-organising". Like the rest of the "new model for government itself", the danger is that it would be out of ministerial control.

That is the unconstitutional target for GaaP as expounded by Mr Thompson. But how do we get there? What is his plan? How do we move from a set of government departments flying blind, according to Mr Thompson, and incapable of talking to each other to a set of self-organising digital services?

We don't know. He doesn't tell us.

The same question has occurred to HMRC, Her Majesty's Revenue and Customs. They have to be serious about these matters. They can't afford to proceed on the basis of "back-of-envelope" estimates and vague appeals to the efficiency of Uber and AirBnB.

They're spending £20 million with the US consultancy Bain & Company to try to plug the gaps in ... GaaP. Bain are unlikely to advise à la Maude and Thompson that HMRC are a redundant silo but they may make practical proposals how to get better value for money for us taxpayers.

The criticism of Mr Thompson's articles is not that they're Machiavellian. Far from it. That is a misrepresentation of the criticism. The problem is that they do not take sufficient account of the rôle of government and they provide no route map. Without that they are unconvincing. We don't know what it is Mr Thompson is trying to lure us into. His articles are missing the Machiavellian attention to detail.

Updated 2.11.15

Remember, we're talking about PDSs, personal data stores. PDSs specifically in connection with the Civil Service Learning initiative described by GDS and the capability exchange kite flown by Mark Thompson. And PDSs in general, including their proposed adoption by the NHS Citizen project.

Remember that the most ardent proponents of PDSs are Mydex and that, according to them, the more personal information you entrust to your PDS, the better it is for you. That's their pitch. Some people disagree, vehemently, please see blog post above.

Remember that Ctrl-Shift Ltd is Mydex's close cousin and that even Ctrl-Shift don't believe that the "trust framework" required for PDSs is feasible.

Remember that TalkTalk was hacked last week. As reported by the Guardian newspaper among others, please see TalkTalk says hackers accessed fraction of data originally thought, the devastation caused by that hack may be on a smaller scale than initially feared.

Ctrl-Shift detect some importance in that Guardian article. Enough importance to tweet about less personal information having been exposed than was at first reported.

Too right.

It is important.

Suppose it had been your PDS that was hacked and not your TalkTalk account. Your PDS containing every last bit of personal information about you, making identity theft easier than any criminal could ever possibly have hoped.

Ctrl-Shift are to be thanked for making that point. Unlike Civil Service Learning, who have kept quiet. As quiet as NHS Citizen and ... Mydex.

Updated 28.10.17

You know that cybercrime is a growing problem. You know that cybercrime often relies on false identities. You may not know that the British Standards Institution (BSI) have published PAS 499, a draft code of practice for digital identification and authentication, but they have.

PAS is a publicly available specification and at clause 6.1 the document says: "[Any organisation performing identity validation] should have a process in place for checking, against an authoritative source where possible, that identity evidence is in the correct format and is correctly captured, not revoked, nor expired".

That's why a personal data store (a PDS) is irrelevant to attribute exchange. A prospective employer checking my PDS might well find my driving licence there. But suppose that my licence has now been revoked? The prospective employer would have to check with DVLA. So there's no point checking the PDS. It's irrelevant.

You read it here first. And now in PAS 499.

No comments:

Post a Comment