Thursday 10 September 2015

RIP IDA – investment interest "has closed or been withdrawn"

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Let's say that you're a venture capital person. In that case you'll know that 95% of the ventures you invest in bomb. For £95 out of every £100 that you invest, there's nothing to show for it. You lose your money. It's gone.

Just to break even, the other £5 has got to return £100. Your investment has to appreciate by a factor 20. After tax. After all investment costs. Such as hiring the Four Seasons Hotel in Hampshire for the day. That's not cheap.

But what's the point of breaking even? You can do that by not investing in the first place. The idea is to make a profit.

How much profit? You want to double your money? Then that £5 investment you made in the one surviving enterprise has to grow by a factor of 40, not 20.

That's not going to happen overnight. Suppose your investment grows at the rate of 10% p.a. How long will it take to be worth £200? Answer, something between 38 and 39 years. 38.70394 years to be precise, but there's no point being precise because you have clearly starved to death a long time before merely doubling your money.

38 is pushing it. Let's say you can afford to lock up your money for five years. How fast does the value of the investment have to grow? Answer, at the rate of 109.1279% p.a. Every annum. For five years. After tax. And after costs.

It's not easy finding investments that can do that. And even if you find one, your peers in the venture capital business will laugh at you for only doubling your money. But never mind their laughter, let's say that you're a pretty grounded sort of investor and that, for you, net doubling your money in five years is enough.

Time to take an example.

Let's suppose some entrepreneur brings you a prospect based on GOV.UK Verify (RIP), a business idea that depends for its success on identity assurance.

It's got Whitehall's name behind it. That's good. Lions, unicorns, crowns, Latin Old French mottos and the bottomless pockets of UK taxpayers and the ever-generous austere overseas creditors who have so far lent the UK £1,500 billion.

It's got volume. 60 million people. Shame GOV.UK Verify (RIP) can't do companies, partnerships and trusts yet, maybe that will come, but at least it's got 60 million potential users, the great unwashed.

And the great unwashed can be forced to use GOV.UK Verify (RIP). Its use can be made mandatory. Either that, or the great unwashed can be nudged into using it. You want a driving licence? Apply using GOV.UK Verify (RIP). You don't want to use GOV.UK Verify (RIP)? Fine. Don't. But then you don't get a driving licence. Up to you.

It's looking quite healthy. There are other identity assurance suppliers out there, notably the banks, there is competition, but Whitehall has some powerful monopoly advantages. The EU wants everyone to have electronic ID. The UK government would like to look modern. Like Google or Amazon or Facebook or Apple.

Of course, the product doesn't actually exist yet. Some of GOV.UK Verify (RIP) is currently in public beta but most of it is in private beta or even less far advanced. A lot of this prospect is just a glint in the eye at the moment. But that's what venture capital talent scouts are meant to be good at spotting, the glints that are going to survive to term and grow up to become healthy cash cows.

GOV.UK Verify (RIP) relies on "identity providers". Nine of them. We have been assured that "identity providers" have to be certified trustworthy:
  • Four of them are certifiedExperian, Verizon, GBGroup and digidentity.
  • One of them has applied for certification – the Post Office.
  • The other four haven't even applied yet – Barclays, Morpho, Paypal and Royal Mail.
Not a good sign. Not for a service that's meant to be out of beta and live by April 2016.

And these "identity providers", they're paid a pittance by GDS, the Government Digital Service. It's a contractual thing.

That's not good either. Why do they bother? That'll slow things down. They're not going to go the extra mile needed to deliver 109.1279% p.a. growth. Get the lawyers onto it. Maybe they can work something out.

And the customer base is shrinking. It's not 60 million. GDS say they are on track to cover 90% of the population by April 2016. That's six million users lost. They say they can only cover 80% at the moment. Another six million who won't be generating turnover.

That's not good.

And who says GDS have got GOV.UK Verify (RIP) covering 80% of the population right now? Only GDS. No-one independent.

Not good.

What's the marketing plan for GOV.UK Verify (RIP)? It better be good. Something's got to promote public trust in these "identity providers", half of whom no-one's ever heard of. Something's got to make the public want GOV.UK Verify (RIP). Something's got to tell the public what it's for and how to use it.

There is no marketing plan. GDS's "objectives for live" do not mention any such plan. And so far all they've told the public is that GOV.UK Verify (RIP) is for submitting tax returns and applying for state benefits. They've sort of missed out the private sector, entrepreneurial bit. So far. In public. For the moment.

That's not good. That's really not good.

Who's in charge of this major new service that doesn't have a marketing plan? Answer, Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO. He's the executive director of GDS and he's the senior responsible owner of GOV.UK Verify (RIP).

That's good.

Until you remember that he's leaving at the end of September, in 19 days, and no new SRO has been announced.

That's not good.

What about cybersecurity? Have GDS ticked all the boxes? Venture capital persons have investment boards to report back to. The directors like to see ticks in all the boxes before they expend the considerable intellectual energy required to assess the investment in detail. And a lot of those boxes concern security.

GDS are a bit ambivalent about security. They do mention it. But they prefer to market on usability.

That won't worry the venture capital persons one bit. GDS can market on usability all they like. Just so long as they market on something and actually tell the public that the product exists and give the public some reason for using it, thereby causing money to change hands. But the question remains, is GOV.UK Verify (RIP) secure?

There's an academic report arguing that the GOV.UK Verify (RIP) identity hub is hackable. The investment board won't like that. GDS have recruited one of the academics. That's dastardly. And sensible That'll keep him quiet.

The others may be prevailed upon to restrict their criticisms to the US equivalent, NSTIC. If the remaining academics shut up about GOV.UK Verify (RIP) the board might just wear it, with a big question mark. The prospect could still be in with a chance. But there's more.

There's that GDS job ad on LinkedIn.

"This is an opportunity to be at the heart of an evolving service that is leading the world ...". Who says GOV.UK Verify (RIP) leads the world? Only GDS. Is it a good thing to lead the world? Not necessarily.

"You will be working in a relatively unique technical environment ...". What is relative uniqueness? How is it distinguished from absolute uniqueness? And why?

"The Government Digital Service is leading the digital transformation of government ...". Says who?

GDS want to recruit a Security Operations Engineer. That's what the job ad's for. "... technical problem solving will be related to security, identity management, and scaling in a cloud based environment ... You will resolve threat and vulnerability management issues ... work with the technical teams to continuously improve the security of the platform ... lead technical projects to implement or enhance security ... work with external suppliers, such as penetration testers ... help develop robust security processes and security awareness amongst technical teams ...". You will be responsible for the "administration of internal PKI [public key infrastructure] and assisting Relying Parties [HMRC, DWP, ...] and Identity Providers with their certification onboarding ...".

This is all good news for the investment board. Except that this job ad was posted "15 days ago" according to LinkedIn and it says: "As the first dedicated Security Operations Engineer in this team, it is an opportunity for you to ...".

The first? There are no others? The GOV.UK Verify (RIP) project has been running for four years and this will be the first dedicated security engineer in the team?

And if you click on Apply on company website, what do you see? Lions, unicorns, crowns, Latin Old French mottos and:

"This job has closed or been withdrawn". As has, by now, surely, any interest in investing, by any venture capital person.


Updated 11.9.15
Agile. You just have to be agile.

"This job has closed or been withdrawn" – that's what it says on

But if you look at it doesn't say that. It looks as if the job offer still exists.

So which is it? Closed-or-withdrawn or still-available? We don't know and there's no point guessing.

The only things that must be clear to a venture capital person considering an investment are that GDS is (a) very late recruiting its own in-house security expertise, (b) unsure about its short-term future and (c) unable to co-ordinate two GOV.UK websites devoted to the same matter.

No cigar. Investment contra-indicated.

And for anyone applying for the other job advertised to work as a GDS Privacy Officer? We've already warned that the organisation you join is not the organisation you will work for. But now you need to factor in the question whether, having successfully submitted your application on time, yesterday or earlier, the job will still exist by the time interviews start on Monday week, 21 September 2015. Or the next day.

Updated 20.9.15
"You don’t have to go far
to see digital teams
doing the do"

One of the guiding principles of GDS's work is to meet user needs. As they never stop telling us.

They may tell us that but, in contravention of one of their other guiding principles, show-don't-tell, they can't show it. We have seen the case of transferable marriage allowances, for example.

The Daily Mail newspaper told us about it back in June 2015, Thousands miss out in marriage tax fiasco. So did the Times newspaper, in May, Perk that’s just too taxing. Twice, Applying for this marriage perk ain’t easy.

The problem is that people can't register with GOV.UK Verify (RIP). And if they can't register, they can't apply for this benefit. Not on-line, at least, they can't. They give up the attempt to claim £212 p.a.

Prospective claimants regard the cost of registering with GOV.UK Verify (RIP) as being greater than £212 p.a. There's a thought for entrepreneurs and the people funding them.

HMRC, who administer these tax claims, are naturally embarrassed that it is so difficult for legitimate claimants to succeed. "No one will miss out on the Marriage Allowance because of difficulties with online verification", they say. And in their defence they remind people that it's not they, HMRC, who devised GOV.UK Verify (RIP), "it’s not our IT system; it’s the Cabinet Office’s".

Why do the London School of Economics say that GOV.UK Verify (RIP) "highlights the benefits of directly addressing user needs"? No-one knows.

User needs are not being met. Or they weren't last May and June. As OIX, the Open Identity Exchange, GDS's business partner pointed out, the "identity providers" currently signed up to GOV.UK Verify (RIP) can't hack it. They need help to try to reach level of assurance 2.

Luckily, there is another guiding principle of GDS's work – to be agile. Iteration allows GDS services to be continually updated so that user needs are better met:

Is that true? It's one thing to tell us. But can GDS show that agile software engineering delivers constant improvement?

Not according to yesterday's Times, where a tax advisor suggests that it's best to bypass GOV.UK Verify (RIP) and apply for marriage allowance transfers by post, Try snail mail for the marriage tax break.

Only the other day, 11 September 2015, the Prime Minister was saying "across the spectrum, there are opportunities for us to make a difference not just to people’s pockets but to people’s lives. For example, I believe the creation of the Government Digital Service is one of the great unsung triumphs of the last Parliament".

That's unfair. DMossEsq has taken the trouble to write a song celebrating GDS's triumphs. There must be someone somewhere whose pockets and life have been improved, who could record Agile People and take it to No.1.

Meanwhile, GDS are reduced to devising ever more gnomic guiding principles, their latest being "you don’t have to go far to see digital teams doing the do". Let that be a comfort to the married couples forgoing £212 p.a.

Updated 2.11.15

Ever optimistic, some venture capitalists may still be considering making an investment in an innovative business which relies for its success on GOV.UK Verify (RIP) working. The triumph of hope over experience.

The rest of the venture capital caravan will have moved on. They have learnt about taking unreasonable risks with their money. They will be able to read GDS's latest blog post on the subject, Making GOV.UK Verify [RIP] available to more people, with equanimity.

It won't worry them when they read that GOV.UK Verify (RIP) can only be made "available to more people" by lowering the standards of verification. GOV.UK Verify (RIP) has never reached level of assurance 2 and now that goal will be even further away:
You don’t need as much evidence to prove your identity
Whereas previously you would often need 3 pieces of evidence to prove your identity, now  you will often only need 2 pieces of evidence.
They won't feel that their money is going down the plughole when told that GOV.UK Verify (RIP) may rely on selfies and the hopelessly flaky biometrics technology of face recognition:
You can take a photo of yourself instead of answering questions based on credit history
... Now, GOV.UK Verify [RIP] also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.

If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies [i.e. two of the "identity providers"] - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared.
GDS make it clear in their post that, for them, successful verification depends on the payments industry:
Certified companies ... can now use methods developed for online payments to check an electronic payment card directly with the issuing authority.
The work is being done by the payments industry, not GDS. That's where the realistic venture capitalists will be investing. The optimistic ones won't, because they won't have any money left to invest. RIP.

No comments:

Post a Comment