Tuesday 15 March 2016

RIP IDA – reciting the creed

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

What are the Government Digital Service (GDS) up to? Making GOV.UK Verify [RIP] the default way to access digital services. That's what they're up to. So they say.

"GOV.UK Verify [RIP] is for everyone". So they say.

Not right now it isn't. Right now, at most 62% of people who try to register with GOV.UK Verify (RIP) succeed in doing so – at least 38% fail:

So it's not "for everyone". Even though GDS say it is.

"... we draw together GOV.UK Verify [RIP] performance data with our findings from user research and feedback from users, and work directly with each service planning to use GOV.UK Verify [RIP], to build a rich picture of how GOV.UK Verify [RIP] is working".

All that performance data and user research and feedback and direct work and planning and the rich picture they're building may sound good but it doesn't alter the fact that at least 38% of enrolment attempts currently fail.

"In January we blogged about work we did with the Office of National Statistics to estimate what proportion of the public will be able to use GOV.UK Verify [RIP]". They certainly did. And here's their estimate:

Here we are, just over two weeks away from April 2016, and the verification rate was expected to be over 90%. The observed rate is at most 62%.

"We've been working on the design of the GOV.UK Verify [RIP] user journey throughout the life of the service, iterating and improving it to make it as clear and straightforward as possible for users". This is the creed. Iteration is the same as improvement. The creed is repeated even when the facts undermine it.

Despite GDS's continual iteration, the account creation success rate is going down. Not improving. It was 77% at the end of January 2016. Six weeks later, it's down to 62%. But, in GDS at least, iteration is still equivalent to improvement.

"[If] it’s clear to you why your identity needs to be verified to protect you from someone pretending to be you, then you are much more likely to be willing to spend an initial 10 minutes verifying your identity than if that’s not the case". That's a big if.

GOV.UK Verify (RIP) requires you to divulge a colossal amount of personal information to a large number of organisations who may store it in any number of foreign countries. It's a reverse people-trafficking operation, moving you in a vulnerable vessel from relative safety into a war zone. Far from protecting you against it, it opens you to fraud.

Before you register with Morpho, say, one of GOV.UK Verify (RIP)'s "identity providers", they've never heard of you.

After you've registered, they know your "full name, date and place of birth, postal address, email address, telephone number, user ID, gender, date, time and duration of a communication, IP address, Operating System, Browser, passport details, Driving License details, Marriage Certificate details, Birth Certificate details, Poll Card details, bank account number" ...

... they will have checked your "Credit Record History, Electoral Roll History, financial court orders records (CCJ, IVA, DRO, Bankruptcy), Land Registry records and Companies House records" and they "might in certain circumstances verify if you are active on social networks" ...

... and they may share your personal information with "GDS, DVLA, HM Passport Office and any other relevant HMG Department, Morpho sub-contractors including third party fraud-prevention agencies and credit agencies, law enforcement and tax authorities, and the head office of the Morpho Group, Morpho SAS, based in France" ...

... all of which you're supposed to weigh up and comply with in 10 minutes flat.

That can't reduce the risk, in fact it must increase the risk of your personal information being misused.

"We’re learning all the time", say GDS, once again reciting the creed.

No comments:

Post a Comment