Friday 25 March 2016

RIP IDA – Verizon

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The Government Digital Service (GDS) claimed until recently that they had nine "identity providers" through whom we proles could register an account with GOV.UK Verify (RIP).

Then PayPal bolted. One minute you see them. Next minute they're gone.

PayPal gave no explanation. Neither did GDS.

Whatever, GDS were then down from nine to eight "identity providers". Or should that be seven?

Some time on or before 7 March 2016, Verizon disappeared from GDS's list of GOV.UK Verify (RIP) "identity providers". They'd been there before. Then they weren't.


On 8 March 2016 GDS tweeted their first and last attempt at an answer: "Verizon are preparing their service under the new contract. More news on this soon. They remain available for existing users".

The "new contract" referred to is Framework 2. It's been well over a year since the terms of Framework 2 were known.

GDS presumably expect us proles to believe that Verizon are so incompetent that, unlike any other "identity provider", they have to take their service down for several weeks just to change their terms and conditions.

That looks so unlikely by way of an explanation that the unsatisfied mind starts to look for other explanations.

On 7 March 2016 ElReg reported Verizon fined just $1.4m for stalker supercookies.

Verizon were fined for using supercookies. What? "That means that over time, it is possible to ... build a strong profile on a particular individual, which advertisers then use to show you so-called relevant adverts".

Is that why Verizon had gone dark GOV.UK Verify (RIP)-wise? "Nah", said security expert Peter Bance, par for the course, already priced in, that's just how Verizon operate, bit of an eye-opener for us proles maybe but not for GDS, Her Majesty's public officials in the know.

GDS tell us that GOV.UK Verify (RIP) is needed to help us view our driving licence details. So Verizon are involved because they want nothing more than for us to view our driving licence details?

Not exactly. Verizon are quite open about it: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect".

But if Verizon haven't bolted like PayPal, and if it isn't the Framework 2 terms and conditions, and it isn't the shame of being caught using supercookies and the derisory fine of $1.4 million, then what is the reason for Verizon's temporary absence from the host of "identity providers"?

Note first that Verizon already have their GOV.UK Verify (RIP) service approved by tScheme, the experts in trustworthiness. What's more (hat tip: someone), they've applied for tScheme certification of a second identity proofing service. It doesn't look as if they intend to bolt.

Note also that Verizon's GOV.UK Verify (RIP) problems go back to before 7 March 2016. "Verizon have identified an issue within their environment", it said on 26 February 2016 (hat tip: someone), "there will be a short period of downtime to implement an emergency change". That's on GDS's GOV.UK Verify (RIP) status log.

The emergency was over 102 minutes later according to the log and Verizon were fully operational again. Except that four weeks later they're not.

Note finally security expert Brian Krebs's latest revelation, Crooks Steal, Sell Verizon Enterprise Customer Data: "Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise ... Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site".

That's more like it. That's more like an explanation for Verizon taking their GOV.UK Verify (RIP) registration site down for four weeks. Their security has been breached and 1½ million of their customers are now at more risk than usual as a result.

GDS are always blithely optimistic about security:

GOV.UK Verify (RIP) – "It's secure". No qualification. It's secure and that's all there is to it.

No. No-one believes that and it's a mystery why GDS keep saying it.

It's a false prospectus. Just ask Verizon. GDS's claim amounts to luring in the innocent. GOV.UK Verify (RIP) would never be admitted to the London Stock Exchange's Daily Official List if their broker came along with a whopper like that.

Mystery cleared up, Verizon have gone dark because they've been taken to the cleaners.

Don't let the same happen to you.

According to Verizon's GOV.UK Verify (RIP) privacy policy (hat tip: someone), "... it will also be necessary, in order to provision the service to you [prole] to share the personal information we [Verizon] collect, as described above, to companies that perform services on our behalf as follows ... The identity service product is owned by Zentry LLC. Zentry LLC is a US based company who will receive your information in order to issue the identity credential on your request ...".

Verizon will share your personal information with Zentry. And who are Zentry? According to Bloomberg:

And according to FindTheCompany, "Zentry Technology LLC is a small organization in the business services industry located in Salt Lake City, UT. It opened its doors in 2010 and now has an estimated $90,000 in yearly revenue and approximately 2 employees".

When Verizon reappear in GDS's GOV.UK Verify (RIP) firmament you can entrust all your personal information to them and to Zentry if you like so that you can view your driving licence details. It's up to you.


Updated 29.3.16

GDS's claim that Verizon have stopped registering new GOV.UK Verify (RIP) account-holders because they have to update their terms and conditions of business is cheeky. The other Framework 1 "identity providers" all managed to convert to Framework 2 on the fly.

Is the theory that Verizon are still off air because they've been hacked any better as an explanation?

Not necessarily.

Experian were taken to the cleaners, too, like Verizon, please see RIP IDA – 16 June 2014 and Brian Krebs's Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records. Experian are still happily registering new GOV.UK Verify (RIP) victims.

Updated 5.4.16

Here's a snapshot from Verizon's contract with GDS, the bit dealing with key performance indicators:

Before you ask ...

"Availability" means that the on-line Customer facing Services described in paragraph A (Overview) of Schedule 1 (Services) shall be operational and available 24 hours a day, 365 days a year, excluding Scheduled Downtime and shall be samples [sampled?] at intervals of no more than 5 minutes.

... a "measurement window" is seven days and those customer-facing services include:

Verizon haven't provided those services since 7 March 2016, at least four measurement windows ago. This is no mere KPI failure. This is a critical KPI failure, as defined.

And what happens when a provider like Verizon suffers critical KPI failures? Answer, the authority, in this case GDS, may terminate their contract:

The Provider shall at all relevant times meet or exceed the KPIs set out in Table 1 (KPIs) below in performing the Services. The Authority may terminate this Contract under Clause H2 (Termination for Default) in the event that the Provider commits three (3) Critical KPI Failures.

The authority may terminate the contract. They have that right but it's not a duty. Would GDS terminate Verizon's contract just for suffering at least four critical KPI failures? Apparently not.

There's all sorts of other interesting detail available in the Verizon contract. But before we get too excited, this is their Framework 1 contract, which must by now presumably have been replaced with a Framework 2 contract.

The Framework 2 contract is likely to have similar service availability conditions in it. In which case it is relevant to note that, yes, Verizon are still not registering new GOV.UK Verify (RIP) victims.

Updated 6.4.16

Some time today, Verizon reappeared:

"Did you know", they ask, without ever reaching a question mark, ...

... Verizon has customers in 150 countries and manages identity programs for 25 governments. Millions of people across the globe trust their security and personal data to Verizon every day, so you can be confident that we know how to protect you to the highest standards.

"You can be confident that we know how to protect you to the highest standards"? Not very confident. Don't forget Crooks Steal, Sell Verizon Enterprise Customer Data.

Verizon have been closed to new GOV.UK Verify (RIP) victims for the past month or so. Why?

It's because they've been "preparing their service under the new contract", GDS told us on 8 March 2016.

That's not what Verizon told Neil Merrett yesterday:

"We have been working to make sure that the platform gives the best results possible. We have been introducing two new mobile features to make our service more mobile friendly."

Neither proposition explains taking Verizon's registration service down for a month.

If you want to register with Verizon, you're on your own. Even though "there's no charge for this service" and Verizon has "met security standards set by government", DMossEsq couldn't find a single volunteer prepared to try it out:

GDS may want to lure you in but why take the risk?

Especially if next time Verizon go on holiday you might find your identity, and thus your existence, suspended for a month.

Updated 9.12.16

Verizon is one of the "identity providers" for GOV.UK Verify (RIP).

At least, they're meant to be.

Nine months ago, Verizon disappeared without convincing explanation. A month later, they re-appeared without convincing ditto.

That doesn't inspire confidence.

We, the public, need to feel that GOV.UK Verify (RIP) is stable.

So do the "relying parties", i.e. the likes of the Driver and Vehicle Licensing Agency (DVLA). They need to know that we are who we claim to be when we connect to the on-line public services they operate.

How are the relying parties supposed to feel confident in the assurances of the "identity providers" that we are who we say we are when "identity providers" themselves can just whimsically come and go?

Verizon – now you see them …

You might get away with it once. But not twice. And you know what? Verizon disappeared again, in July. What's more, they still haven't re-appeared five months later.

… now you don't.

Will Verizon be back again?

In time for Christmas?

Will the Government Digital Service ever deign to explain to us, their parishioners, what on earth is going on?

And can you see why sensible relying parties are sticking to the Government Gateway?
