Saturday 5 March 2016

RIP IDA – Safran Morpho/SecureIdentity

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

Safran Morpho is one of GDS's "identity providers":

Safran Morpho offer a product called "SecureIdentity".

GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).

Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.

Unlike the other "identity providers" who have GOV.UK Verify (RIP) products available, Safran Morpho require you to download an app onto your mobile phone.

Your mobile phone then becomes part of your identity. That may imply that your existence is interrupted, as far as Safran Morpho are concerned, when you change phones.

Long-time DMossEsq readers will know that downloading apps onto your mobile phone is indistinguishable from inviting in a virus.

The SecureIdentity app has the features shown in the mobile phone screenshot opposite.

If you are convinced that you understand what they all mean and if you are happy to give SecureIdentity house room, fine.

If not, there are five other "identity providers" to choose from today – Barclays, Digidentity, Experian, the Post Office and Verizon – to which you should soon be able to add GBGroup, PayPal and the Royal Mail.

You had better read, learn and inwardly digest Safran Morpho's terms and conditions for SecureIdentity and their privacy and cookies policies. They estimate 10 to 15 minutes for registration. Good luck with that.

To register with Safran Morpho, you have to tick the box that says you've read all these documents and you may then be deemed to have freely given your informed consent.

What consent?

Answer, your consent to a lot of personal information about you bouncing around the world's telecommunications networks, in the UK and overseas, between Safran Morpho, unnamed credit referencing agencies, unnamed sub-contractors, government departments, law enforcement agencies, tax authorities, Zendesk, DoubleClick, YouTube and Google, because that's who GDS use for their analytics.

De-registration, by the way, takes at least seven years. That's the minimum length of time Safran Morpho will keep any information they have about you.

The SecureIdentity privacy policy includes:
1.2 The types of personal data that Morpho may collect and hold

Personal data that Morpho may collect include:

- Your full name;
- Your date and place of birth
- Your postal address;
- Your email address;
- Your telephone number;
- Your user ID (application store account)
- Your gender
- The data necessary to identify the date, time and duration of a communication
- Your static or dynamic IP address
- Characteristics of your software platform (Operating System, Browser)
- Your passport details
- Your Driving License details
- Your Marriage Certificate details
- Your Birth Certificate details
- Your Poll Card details
- Your bank account number

1.3 How does Morpho collect your personal data

Morpho usually collects personal data directly from you. For that purpose, Morpho may require you to complete a consent form to acknowledge that you are fully aware of the collection and processing of your personal data.

Morpho may also check your personal data against publicly available information and information already present in our partner companies' databases in order to verify your identity and ensure that you are the person you' re claiming to be.

Personal data that Morpho may check, include:

- Your Credit Record History
- Your Electoral Roll History
- Your financial court orders records (CCJ, IVA, DRO, Bankruptcy)
- Your record in the Land Registry …
- Your Directors Register record

We might in certain circumstances verify if you are active on social networks.

Morpho may collect personal data about you because Morpho is required or authorised by law to collect it.
Safran Morpho clearly envisage an intimate relationship with you, including your life in the social media. Not to mention anything that the SecureIdentity app can glean from your sleepless mobile phone, the accounts on it and the network(s) it is attached to.

In the course of that intimate relationship, Safran Morpho can't help collecting a lot of personal information about you:
1.5.1 Disclosure of personal data by Morpho

Morpho may share personal data with:

- Government Digital Service (GDS): the DVLA, the HMPO [Her Majesty's Passport Office] and any other relevant HMG Department in connection with the provision of the Evidence Checking Services

- Its subcontractors (including without limitation third party fraud-prevention agencies and credit agencies) to verify your identity during the SecureIdentity registration process and to provide customer care.

Morpho will not sell, rent or otherwise disclose your personal data to third parties without your informed consent.

Morpho may also share your personal data if it is required to do so by virtue of any legal obligations (such as law enforcement, tax), or in order to enforce Morpho’s [sic] terms and conditions (a copy of which can be seen at

1.5.2 Overseas disclosure by Morpho

Morpho is part of the Morpho Group of Companies ("Morpho Group") which is a global organisation; for the purposes explained in this policy, your information may be transferred to the head office of the Morpho Group, Morpho SAS based in France ...

1.5.3 Marketing communications

Your information may be used by SecureIdentity (Morpho UK) for marketing purposes in connection with the service provided ...
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs". That's what they started with and somehow you've ended up handing over reams of the personal information that defines you, beyond your control, to a lot of strangers.

And all you wanted to do was to obey the law by submitting your tax return. That was the user need. You didn't previously feel the need to help the "identity providers" with their marketing, did you?

You've been able to submit your tax return on-line for years via the Government Gateway. Why do you now also have to send your credit history to all these strangers?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.


Updated 20.3.17
It's just over a year since the blog post above was written. Yesterday Safran Morpho tweeted this: "'Why is the @GOVUKverify programme happening?' Read the answer & other FAQs on our website", followed by a link to this antique page on their website, copy available here.

Troll along and you read: "Right now 13 government services are connected to GOV.UK Verify [RIP] (7 can be accessed as public beta services). By April next year about 30 government services will be using the system and others will join over 2016/17".

Fiscal 2016/17 ends in 11 days time, 31 March 2017, and there are just 12 services signed up to GOV.UK Verify (RIP), not 30, not even 13.

Safran Morpho are an "identity provider" retained by the Government Digital Service (GDS) to sign victims up to GOV.UK Verify (RIP). There's a choice of "identity providers". Would you choose the one that relies on marketing literature over a year out of date?

Victims "must choose from one of nine certified verification companies to obtain their own personal secure ID". That's what Safran Morpho said over a year ago. There aren't nine "identity providers". Only seven – PayPal never turned up and Verizon pulled out, twice. You want the supplier providing you with a "secure ID" to be strong on the detail ...

All the "identity providers", according to Safran Morpho, are "guided by nine Identity Assurance Principles". You won't be fooled into confusing "guided by" with "compliant with". All nine identity assurance principles are flouted by the "identity providers" and by GDS themselves.

All the "identity providers", according to Safran Morpho, "offer the verification service at no cost". Very old-fashioned marketing, nostalgic even, hands up everyone who believes that GOV.UK Verify (RIP) is free.

"To become a certified verification company a business must be able to meet or exceed high standards set by government and an independent certification body". So they keep saying but of course Safran Morpho have not been certified, their SecureIdentity service remains obstinately absent from the independent certification body tScheme's list of approved services, a full 16 months after applying for approval.

Four "identity providers" have had their services approved. What's wrong with the other three – the Post Office, the Royal Mail and Safran Morpho?

With marketing material like this – out of date, inaccurate, misleading, self-hoisting with petard – does GOV.UK Verify (RIP) need critics?

Updated 21.3.17

It's almost as if Safran Morpho are reading this blog. Yesterday they claimed that GOV.UK Verify (RIP) is connected to 13 UK government services. Today, in a tweet, they have corrected that to 12: "You can now access 12 govt online services @GOVUKverify @secureIDverify incl. @HMRCgovuk".

That message is reinforced by a silent video which lasts for 10 seconds and on which, unless you're a hawk, the text is illegible.

Better that than the video on the SecureIdentity website – the same three chords repeated for 50 interminable seconds:

Is the product called "secureidentity" or "Secure Identity" or "SecureIdentity"? All three versions appear on the Safran Morpho website. And is the product brought to us by Safran Morpho? Or by Safran? Or by Morpho, "the world leader in government ID"? Which is it? There's a bit of work to do on the branding there ...

... and a bit more work to do on the number of UK government services accessible via GOV.UK Verify (RIP). 13? 12? No, not on the SecureIdentity website, neither of those figures, this time it's eight:

Updated 27.3.17

Safran Morpho's identity assurance product, SecureIdentity or secureidentity or Secure Identity or whatever it's called – how many UK government on-line services can it connect you to? 8? 12? 13? You don't know. Safran Morpho don't seem to know.

That's a bit of a worry, as we were saying on 21 March 2017. Safran Morpho are one of the Government Digital Service's "identity providers". You need to be able to trust them. Otherwise you can't trust GOV.UK Verify (RIP). And it's hard to trust them if they can't count. You don't get the feeling you can rely on them.

23 March 2017, Safran Morpho were tweeting again: "Digital access to govt services is changing: here's a helpful Beginner’s Guide to @GOVUKverify #identity #infosec". Click on that link and you learn: "At SecureIdentity we’re one of nine verification services you can choose from" and "The first time you use GOV.UK Verify [RIP] to access services, you’ll be given a choice of nine certified verification companies to obtain your own personal secure ID".

Wrong again. Why do Safran Morpho try to confuse beginners? There has never been a choice of nine "identity providers". Briefly, there were eight. Now there are just seven. And of those seven, just four are certified. Three of them, including Safran Morpho, are not certified.

"Competition delivers greater security", say Safran Morpho. Not if some of the competitors don't know what's going on.

We're "Putting you in control". That's what Safran Morpho suggest. They don't seem to be in control themselves.

And not just them. Aren't GDS supposed to do a bit of quality control? This is their identity assurance ecosystem or market that they're trying to create. And one of their agents is misleading the public. In a properly regulated market, that would be quickly detected and corrected. GOV.UK Verify (RIP) doesn't look properly regulated.

Updated 2.6.17

Remember Safran Morpho? The uncertified "identity provider" to GOV.UK Verify (RIP)? The one that can't count?

Well forget it.

There is no Safran Morpho.

Safran have flogged the business to some private equity persons and now it's the uncertified OT-Morpho who own all your personal information and who keep track of you via an app/virus on your mobile.

No announcement from the Government Digital Service, of course. Presumably GDS know about the transaction. Presumably they don't think you need to know:

Updated 7.10.17

We noted above that Morpho don't bother to update their GOV.UK Verify (RIP) information for the public which still tells people that there are nine "identity providers". There never were nine. Currently there are seven. GDS do nothing to correct Morpho. The public continue to be misled.

We noted also that Morpho has now been sold by Safran. Are the new owners as trustworthy as Safran? Who knows. Again, GDS have not bothered to advise the public.

Log on now, four months after completion of the sale to Advent International and Bpifrance, try to create a GOV.UK Verify (RIP) account via Morpho and you still see Safran branding all over the screens.


Odder still given that Morpho is no longer called "Morpho". It's now morphed into"Idemia".

There's no mention of Idemia on any GOV.UK Verify (RIP) web pages. The change has passed GDS by. They fail once again to operate their market competently – as we said in March 2016, "GDS have never created or regulated a market in their lives. And it shows".

And there's no mention of GOV.UK Verify (RIP) on Idemia's web pages, nor of SecureIdentity. GOV.UK Verify (RIP) doesn't exist as far as Idemia are concerned. They're not interested. Understandably so. It's dead.

Morpho's GOV.UK Verify (RIP) service was called "SecureIdentity" among other things. Idemia's is called "Augmented Identity". Good name. GDS should have thought of that.

Behind the good name it's just the same old nonsensebiometrics. The same parcel has been passed now from Visionics and Viisage and Identix and Iridian to L-1 Identity Solutions to Safran to the present private equity investors.

Why do these organisations keep selling it? Because one day the parcel-holder is going to find that there's nothing inside the wrapping paper, just an augmented loss.

Meanwhile Morpho is in a bit of trouble in Kenya, please see Safran Morpho asks IEBC to push election date to October 26  and French Biometrics Firm OT-Morpho [Idemia] to Sue Kenyans for Defamation Over IEBC System Hacking Claims.

We in the UK can continue to trust Sagem Sécurité Morpho OT-Morpho Idemia with our personal information, of course. Otherwise GDS would surely have warned us.

No comments:

Post a Comment