Monday 7 March 2016

RIP IDA – GBGroup/ID3global

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:

It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.

And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?

As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".

What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.

You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.

When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.

Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
tScheme approval profilesVerizonGBGroup/
Base Approval Profile
Approval Profile for Identity Registration Services
Approval Profile for Credential Validation Services
Approval Profile for an Identity Provider
Approval Profile for Credential Management Services
GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.

No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.

And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services

Avoco Secure (

Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...

"Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services,” Jim Conning, Managing Director of Royal Mail Data Services stated, "Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco” ...

"Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup,” said Gerry O’Brien, CEO, Avoco Secure ...

John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.

GBGroup/CitizenSafe have to communicate with GDS via Twitter:

If GDS won't give GBGroup/CitizenSafe their telephone number, perhaps you shouldn't either.

Would you be better off using the Royal Mail as your "identity provider"? With added Avoco Secure? Send them a letter. Time will tell.

Or what about Verizon? They're highly regarded by tScheme. Does that make them more confidence-inspiring?

Verizon may be highly regarded by tScheme but Germany doesn't agree, please see German government terminates Verizon contract over NSA snooping fears.

And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.

GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".

That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.


Updated 8.3.16

GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":

No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".

In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.

If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.

If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.

It's not that good at identifying individuals either:
  • The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
  • And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
But you know all that.

Updated 11.3.16
This is sleazy

Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/Citizensafe? To them, and to Royal Mail, the company you have heard of? Well there was news yesterday. Royal Mail has entered the lists.

There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).

The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if use Chrome to View Page Source it says the author is Avoco Secure.

Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".

GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".

This is sleazy.

No comments:

Post a Comment