Thursday 17 March 2016

RIP IDA – to lose one "identity provider" may be regarded as a misfortune

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

Why did PayPal jump ship?
And when will Verizon climb back aboard?

The Government Digital Service (GDS) operate GOV.UK Verify (RIP) under a framework agreement. First there was Framework 1. Then there was Framework 2.

The eight Framework 1 "identity providers" were Cassidian, Digidentity, Experian, Ingeus, Mydex, Post Office, PayPal and Verizon.

Cassidian, Ingeus, Mydex and PayPal all pulled out. Why? We don't know. Which is odd. GDS say "we're building trust by being open – the sunlight of transparency is making things better". There's no transparency here, no sunlight and no openness. So, by GDS's logic, there's no trust.

Why did these four suppliers abandon ship? What did they know that the remaining four didn't? Why did the remaining four stay on board?

Framework 2 replaces Framework 1. The nine Framework 2 "identity providers" were Barclays, Digidentity, Experian, GBGroup, Morpho, Post Office, PayPal (back on board again), Royal Mail and Verizon.

GDS didn't like being stood up like that. It doesn't look good. It doesn't inspire confidence. It doesn't show respect. So when Framework 2 came along, the "identity providers" had to promise to bring an identity assurance service to market.

But PayPal have bolted again. GDS didn't tell us that. Neil Merrett did.

That's what PayPal think of GDS and of GOV.UK Verify (RIP). So much for PayPal's promise to deliver. And so much for GDS's ability to enforce that condition of the contract.

"To lose one parent may be regarded as a misfortune; to lose both looks like carelessness", as Oscar said. To lose five "identity providers", one of them twice, smacks of downright sloppiness.

Is it only five?

Or is it six? It's 10 days now since DMossEsq noticed that Verizon had disappeared from GDS's list of "identity providers".

GDS promised more news soon. That was nine days ago. Since then there's been no sunlight, no transparency, no openness and no news from either GDS or Verizon.

The Barclays GOV.UK Verify (RIP) service depends in some unspecified way on Verizon. "We may share your personal information with [lots of other organisations and] Verizon, our technical services partner, so they can perform certain parts of the Identity Service on our behalf", it says in the Barclays privacy policy. Can Barclays keep going if Verizon have disappeared?

GDS, 15 April 2013

We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government's Good Practice Guides.

The Cabinet Office has joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.
All GOV.UK Verify (RIP) "identity providers" are meant to be certified as trustworthy. The Post Office's application for certification lapsed a year ago. Barclays, Morpho and Royal Mail all have applications extant and none of them have been certified yet. PayPal never even applied for certification.

GDS didn't tell anyone about that. DMossEsq did. And, once again, Neil Merrett.

GOV.UK Verify (RIP) is currently down to just three certified "identity providers" and it's due to go live in a fortnight ...

... about time too. It's been in beta for over two years ...

... and once upon a time it was "due to be rolled out for initial public services by autumn 2012".

Back then the identity assurance programme had a senior responsible owner (SRO), Mike Bracken: “It’s something that I put my hand up for because it’s so important". He departed the civil service last September. No replacement SRO has been nominated.

  • The GOV.UK Verify (RIP) account creation success rate keeps going down whereas GDS promised that it would be going up.
  • And the remaining "identity providers" are having trouble achieving even the lowly level of assurance needed by a civil court that account-holders really are who they say they are, let alone the level required by a criminal court.
  • And some of the departments of state that are supposed to rely on GOV.UK Verify (RIP)'s assurances are distancing themselves from GDS's programme and developing their own.
  • And some members of the public may not understand why, under GOV.UK Verify (RIP), just to see their driving licence details on-line, it is necessary to hand over reams of personal information to "identity providers" who promptly share it, beyond your control, with other organisations here in the UK and abroad.
It's looking a bit shaky. Which is not what you want in what is supposed to be a platform for cross-government public services – and especially not the platform embarrassingly earmarked by the Cabinet Secretary himself for increasing public trust in the civil service.


Updated 12.4.16

Since the blog post above was published, Verizon have returned to the fold ...

... and GDS have published another blog post in their GOV.UK Verify: Technical delivery update series. Yesterday, 11 April 2016, saw the seventh episode so far. And once again, GDS's technical contribution to GOV.UK Verify (RIP) occupied centre stage: "To improve GOV.UK Verify [RIP] and make it better for end users, since our last update we’ve ... added new journeys to the hub to reflect the new features released by the certified companies ...".

Let's take a look at this new improved journey which GDS have made better for end users. There are nine steps involved. A bit long for modern attention spans but the dénouement is so dramatic that it's well worth investing the effort to concentrate.

The first four steps in your user journey may look like this:

First, you say this is your first attempt to register with GOV.UK Verify (RIP) ...

... then you take in the news that GOV.UK Verify (RIP) is secure (no qualifications) and stops someone pretending to be you (no qualifications) ...

... at the third step, you discover that there are eight "identity providers" and that they are all without exception certified and that the service is free ...

... and at the fourth step, you start your journey

At this point in your journey, the style of the screens changes. These are the screens GDS are modifying like mad to improve them for user needs:

Step 5 is a bit of hand-holding, GDS are going to help you choose the right "identity provider" for you ...

... at step 6 you confirm that you have your up to date passport and your driving licence with you, you're going to hand over all the details on those documents to the "identity provider" GDS help you to choose ...

... next you confirm that you can install apps (viruses) on your smart phone ...

... and nearly finally, at the eighth step, you confirm that you're over the age of 20 and you've lived in the UK for the past year.

Eight steps and we're nearly there. At the ninth step, when you press Continue, GDS are going to recommend which "identity provider(s)" you should use. Wait for it:

Nine steps into your registration, and what are GDS telling you?

They're telling you that even though you've lived in the UK for the past year and you're over 20 and you can install apps on your smart phone and you've got your up to date passport and driving licence with you ...

... even though all of the above ...

... no less than five of their "identity providers" are "unlikely to be able to verify you".

You weren't expecting that, were you. You thought the answers you gave to GDS's finely crafted dialogue made you one of the easiest candidates for registration.

If the five "identity providers" who are "unlikely to be able to verify you" can't verify you, who on earth can they verify? No-one.

Those five "identity providers" – Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon – must be, according to GDS, useless.

GDS started Framework 2 with nine "identity providers". First they lost PayPal. Now they've lost five more. They're left with just three.

And having seen the public humiliation meted out to Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon, using a laboriously reiterated GDS improvement process, "unlikely to be able to verify you", how long will the three survivors hang around?

The directors of Digidentity, Experian and the Post Office have their reputation to think about. And their future. They have shareholders to satisfy. And equity analysts to convince.

How long will they hang around?

As little time as their lawyers tell them they have to.

GOV.UK Verify? RIP.

Updated 14.4.16

Last seen, GDS were impugning the commercial prospects of Barclays, CitizenSafe (GB Group), Royal Mail, SecureIdentity (Safran Morpho) and Verizon. The GOV.UK Verify (RIP) services offered by these five "identity providers" were described by GDS as deficient. They were "unlikely to be able to verify you". Given that that's their job, these services were useless.

This changed some time yesterday. Barclays and CitizenSafe (GB Group) were re-admitted to the useful camp:

Three "identity providers" are still useless – Royal Mail, SecureIdentity (Safran Morpho) and Verizon. "They're unlikely to be able to verify you". Keep away from them. That's GDS's advice.

What has changed in the services offered by Barclays and CitizenSafe (GB Group)? How did they move from useless (according to GDS) to acceptable (according to GDS)? What are Royal Mail, SecureIdentity (Safran Morpho) and Verizon still missing (according to GDS)?

In an orderly market, the public would know the answers to these questions. As it is, we don't know. GDS haven't told us.

GDS are meant to be operating this identity assurance market. It's looking disorderly at the moment. Which isn't what you want in your transactions with government. Nor with anyone else. And certainly not what you want in the management of your identity.

GDS no doubt have the right to praise or damn any or all of their suppliers. In this case their "identity providers". And like the worst civil servants they can do so without giving anyone the reason why. It's their train set.

But they can't declare GOV.UK Verify (RIP) live all by themselves. Not if "live" means anything.

Going live, relying on GOV.UK Verify (RIP) as part of the UK's national infrastructure, inflicting the system on the public at large, is a decision for the Cabinet and the most senior officials in Whitehall.

And as that senior decision-making team looks on, with GDS publicly recommending that the declaration should be made in April 2016, with GDS saying that GOV.UK (RIP) is ready to go live any time in the next 16 days, what do the team see?
  • They see a system which was meant to be able to register at least 90% of the population but which can't. As at last week, the figure was 67%. 33% of the population would be excluded by default from on-line public services.
  • They see an unstable system in which the suppliers come into favour at GDS's whim and fall out of favour just as mysteriously.
  • They see a public which hasn't been prepared for the new system by any national information campaign.
  • They see the public being lured into a system which GDS say is "secure" but which everyone knows can't be.
  • They see the public being lured into a system which claims to protect the privacy of our personal information but which doesn't.
If you think GOV.UK Verify (RIP) should go live this month, you go on television and say so.

You face the press.

You sit there looking confident while Scotland laughs at you – they've got their own system, they don't need GOV.UK Verify (RIP) and they don't want it.

You grin hopefully as every responsible department of state leaves you twisting in the wind as they pursue their own alternatives to GOV.UK Verify (RIP).

You do it. Because you're not going to get any member of the Cabinet to do it. Nor any Whitehall mandarin.

Updated 15.4.16

The day before yesterday, GDS said there were three "identity providers" who could verify your identity when you try to register with GOV.UK Verify (RIP) – Digidentity, Experian and Post Office.

Yesterday, please see above, that number went up to five with the addition of Barclays and CitizenSafe (GB Group).


Barclays and CitizenSafe (GB Group) have been struck off again. Anyone who chose Barclays or CitizenSafe (GB Group) as their "identity provider" yesterday must be feeling pretty sick today:

You don't know where you stand with GOV.UK Verify (RIP). GDS have created a machine for making uncertainty.

Updated 20.4.16 1

Barclays, CitizenSafe/GB Group and Verizon are still out in the cold, "unlikely to be able to verify you" as GDS say. Yesterday morning, so were Royal Mail and Safran Morpho/SecureIdentity. Now those two have been admitted to the fold:

CitizenSafe/GB Group must be feeling a bit peeved. They use the same registration system as Royal Mail but they're out and Royal Mail are in. Why?

Verizon also must be feeling a bit peeved. They've got the highest marks awarded by tScheme to any "identity provider" and yet here's GDS doing their best to exclude them.

A bit rich when you consider that tScheme haven't yet approved the services offered by Royal Mail and Safran Morpho/SecureIdentity (or Barclays) and the Post Office's tScheme application lapsed over a year ago. Some certified companies are a lot less certified than others.

For the moment, your five-way choice of "identity provider" is between three uncertified companies, a Dutch company you've never heard of (Digidentity) and Experian, who have experienced the odd security problem and who reserve the right to store your personal information anywhere in the world.

Which "identity provider" to choose?

You don't have to make that invidious choice. Not according to HMRC you don't. You can use the Government Gateway instead. That's what HMRC say.

Unlike GOV.UK Verify (RIP), the Government Gateway's been working for 15 years. It went live in January 2001. GOV.UK Verify (RIP) might go live, according to GDS, some time in the next 10 days.

The most popular government website is Universal JobMatch. And how do you register there if you want to find a job? With the Government Gateway.

Suppose you help your mother to register with Safran Morpho/SecureIdentity today and tomorrow GDS cross them off the list again? What are you going to tell her then?

GDS have got a lot on their plate. They're trying to work out where they're at. And where they're going. And they've only got until September 2016 to work out a strategy. They've got enough to think about. They're trying to find themselves. Make life easier for them. They're searching for an identity. Go on, be kind, use the Government Gateway.

Updated 20.4.16 2


21:48, later that same day, and Royal Mail and Safran Morpho/SecureIdentity have been dropped again. Banished to the same wilderness as Barclays, CitizenSafe/GB Group and Verizon. We're back down to three "identity providers".

The "identity providers" don't know where they stand. One minute they "can verify you", next minute they're "unlikely to be able to verify you". They won't hang around for long if this is the way GDS treat them.

We the public don't know where we stand. Is it prudent or recommended to register with Royal Mail, for example, or isn't it? Faced with this uncertainty, entirely of GDS's own making, the only sensible option is not to register with any of the "identity providers".

The "relying parties" are meant to be able to rely on the affirmations of the "identity providers". If Barclays say that DMossEsq really is who he says he is, HMRC are meant to be able to rely on that. How can they when GDS themselves say they can't?

And the private sector. They're meant to be attracted to this new approach to identity assurance? GOV.UK Verify (RIP) could underwrite payments?




Updated 21.4.16

A heavy-hitting financial technology conference started in London yesterday, Consult Hyperion's Tomorrow's Transactions Forum 2016.

Barclays Bank were in attendance. They were flying the flag for GOV.UK Verify (RIP).

All the while, the Government Digital Service (GDS) were undermining them, as they still are, displaying a message to anyone who tried to register for GOV.UK Verify (RIP) to the effect that:
  • Digidentity, Experian and the Post Office are OK.
  • Barclays and the other four "identity providers" in the doghouse are no use.
If you had had to guess in advance which of GDS's eight "identity providers" would be best at registering new victims for GOV.UK Verify (RIP), Barclays would surely have been at or near the top.

Unlike GDS, they've got all the qualifications. They're used to registering people. They verify identity all day every day, that's their job, that's what retail banks do. They know about identification and verification and authentication and authorisation. They're undaunted by the huge numbers of people involved. They're used to on-line systems and security and the subtleties of design for comprehensibility and trust. After several centuries of experience, they know how to maximise the probability that those are the right counterparties at each end of a financial transaction.

And yet, according to GDS, Barclays are "unlikely to be able to verify you". What's gone wrong?

Suppose that's the wrong question. Suppose nothing's gone wrong. Your first impression was that Barclays would be among the best at doing the registration job – suppose you were right.

Barclays might not be getting enough punters through the door for GDS's untutored liking but they might be doing the job properly.

Barclays live and breathe the skills of KYC and AML (Know Your Customer and Anti-Money Laundering). When they've broken the rules of KYC and AML they've paid the fines and they've suffered the loss of reputation, see Private Eye. That's not a million miles away from another reason you know that Barclays know how to do registration properly.

GDS set a target of 90% coverage for on-line registration. Where did that figure come from? Thin air? What's it based on? Wishful thinking? Callow insouciance?

90% may be unattainable. It may be a political requirement but that doesn't mean it's realistic. It may simply be that GOV.UK Verify (RIP)'s exclusively on-line registration is not feasible. Perhaps that's what the disappointing account creation success rate is telling us.

What is the percentage of GOV.UK Verify (RIP)'s target population which can have its identity verified on-line with an adequate level of assurance? Null hypothesis: whatever percentage Barclays can achieve.

Updated 25.4.16

GDS seem to have got rid of the ants in their pants. The list of recommended "identity providers" has remained stable for a few days now.

No changes, Digidentity, Experian and the Post Office are the goodies. They "can verify you now".

And Barclays, CitizenSafe/GB Group, Royal Mail, Safran Morpho/SecureIdentity and Verizon are, according to GDS, a waste of space, they're the baddies, they're "unlikely to be able to verify you".

One of the touted benefits of GOV.UK Verify (RIP) is the wide choice of competent "identity providers". It is unfortunate that in the week when GDS are likely to declare the system to be "live", whatever that means, the wide choice has fallen from nine to eight to three.

That's GDS's opinion, of course – others might recommend that the number of "identity providers" it is wise to register with isn't three at all, it's zero.

Updated 26.4.16

Barclays and CitizenSafe/GB Group have now been added to GDS's list of recommended "identity providers".

The list of GDS-approved "identity providers" for GOV.UK Verify (RIP) @ about 15:00 on 26 April 2016

People expect the government-provided identity management system to which we are entrusting a colossal amount of personal information to look dependable and stable. With "identity providers" coming into favour and falling out of favour every few days and, sometimes, every few hours, GOV.UK Verify (RIP) looks anything but stable.

It looks a bit frantic. A bit desperate. A bit amateur.

GOV.UK Verify (RIP) looks like a public service that it would be irresponsible to declare to be ready for live use.

Updated 27.4.16

Keep up, you at the back there. Yesterday, Barclays and CitizenSafe/GB Group were on GDS's list of competent "identity providers" you could feel confident about. Today, they have re-joined the company of the clueless and you're advised not to bother trying to register with them. If you did register with them yesterday, that's not GDS's fault. Nothing is.

The list of GDS-approved "identity providers" for GOV.UK Verify (RIP) @ about 16;30 on 27 April 2016

Updated 1.5.16

Here we are, four days after the previous update, and the Government Digital Service (GDS) are still recommending the same three "identity providers" to people who wish, for whatever reason, to register with GOV.UK Verify (RIP).

This marks a welcome period of calm predictability and stability. Much needed after the frenetic farce-like action over the past few weeks when "identity providers" appeared on stage unexpectedly for a few hours and then inexplicably fell down stairs or out of windows and retreated to the wings.

To keep on changing the list of competent "identity providers" makes it look as though GDS aren't sure what's going on, they're event-driven, nervously reacting to new percepts over which they have no control.

That is no way to inspire trust in the population who are meant to sign up for GOV.UK Verify (RIP). It must be slightly giddy-making for the "identity providers", too. Not to mention the relying parties like HMRC and DWP who are meant to rely on the affirmations of the "identity providers".

If Barclays, for example, tell HMRC that, yes, this man who claims to be Abraham Lincoln really is Abraham Lincoln, can HMRC rely on it? When Barclays were acceptable to GDS one day and unacceptable the next? If GDS can't make their mind up about Barclays, how are HMRC supposed to?

Far better to make a decision and stick with it. Digidentity, Experian and the Post Office are acceptable to GDS as "identity providers". And Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity and Verizon aren't. That way we all know where we are.

Unfortunately for GOV.UK Verify (RIP), that's not the only area of farce.

For months now, GDS have said that GOV.UK Verify (RIP) would go live in April 2016. As late as 26 April 2016, Computer Weekly magazine reported: "With the official 'live' date for the programme set for 29 April 2016, Hughes is confident everything is on track".

That's Janet Hughes, programme director of GOV.UK Verify (RIP) and three days later her confidence had melted away and she found herself writing "we’re very nearly there". Nearly. But not quite. In fact, we're not there.

Here we go again. Now you see it. Now you don't. GOV.UK Verify (RIP) is live, yes it is, no it's not.

On the same day, 29 April 2016, Neil Merrett tweeted "GOV.UK Verify tomeet live service requirements 'shortly'" together with a link to one of his excellent articles, giving a selection of reasons for the latest hold-up.

It doesn't matter what reasons are proffered. We can't believe them any more.

If GDS change their mind daily about who is an acceptable "identity provider" and whether GOV.UK Verify (RIP) is live, they are just as likely to change their mind about the reasons.

Two days later, today, 1 May 2016, Mr Merrett tweeted again, "GDS to 'shortly' confirm a rescheduled date for when GOV.UK #Verify platform will switch to a live service" with a link to the same article.

It would clearly be a mistake to do what the first tweet suggested and claim that GOV.UK Verify (RIP) will "shortly" meet the requirements to be declared live. First it's ready to go live, then it isn't, then it is, all in a matter of days? Not confidence-inspiring.

Better perhaps to stick to the second tweet and make an announcement "shortly" that GOV.UK Verify (RIP) will be ready to be declared live in six months time or whatever – six months is GDS's traditional interval on GOV.UK Verify (RIP) progress reports going back to 29 October 2014.

It's not as though there's any hurry. No-one wants GOV.UK Verify (RIP). No-one needs it. We've got the Government Gateway and scores of other identity management schemes. Any haste now will just make GDS look as though they're not in control again, and don't know what they're doing.

Updated 23 June 2016

It was 12 April 2016 when we noted that the Government Digital Service (GDS) were telling new applicants for GOV.UK Verify (RIP) accounts that only three of their "identity providers" were likely to be able to do the job.

DMossEsq has been monitoring the situation ever since. For most of the past two months, Digidentity, Experian and the Post Office have been promoted by GDS, and GDS have been warning applicants not to use the other five "identity providers" – Barclays, GB Group/CitizenSafe, the Royal Mail, Safran Morpho/SecureIdentity and Verizon.

Sometimes Safran Morpho/SecureIdentity appears on the recommended list for a few hours. Then it drops off again. Ditto GB Group/CitizenSafe.

Yesterday, the recommended list grew to six "identity providers". Today we seem to be back down to four. For the moment.

What do the shareholders of Verizon, say, think about this peculiar business. Verizon have signed up with GDS to provide a public service that GDS tell the public Verizon are incapable of providing. If you were a shareholder in Verizon – or Barclays or Digidentity or Experian or GB Group/CitizenSafe or the Royal Mail or Safran Morpho/SecureIdentity – wouldn't you be asking the directors "what on earth are [you] up to wrecking the brand like this?"

Updated 9 July 2016

As at 00:30 this morning, we are back down to just three "identity providers" who can register us with GOV.UK Verify (RIP) – Digidentity, Experian and the Post Office.

As there are eight "identity providers" signed up to GOV.UK Verify (RIP), does that mean that the other five are no good?


GDS told us at 00:30 that only four of them are no good – Barclays, GB Group/CitizenSafe, the Royal Mail and Safran Morpho/SecureIdentity.

Verizon are no longer mentioned. They've gone missing again:

Two questions:
  • The Barclays service relies on Verizon. If Verizon are no longer operating, can Barclays survive?
  • Why haven't GDS told the public that GOV.UK Verify (RIP) has lost an "identity provider"?

No comments:

Post a Comment