Sunday 13 March 2016

RIP IDA – what is the point of GOV.UK Verify (RIP)?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

In a few weeks time, in April 2016, according to the Government Digital Service (GDS), GOV.UK Verify (RIP) will go live.

Time for someone at last to summarise the implications.

A spreadsheet has been prepared summarising the terms and conditions of business of the GOV.UK Verify (RIP) services offered by each of GDS's nine "identity providers". Not just the business terms but the privacy policy also:

GOV.UK Verify (RIP) summary spreadsheet
It's too wide to display properly on this blog. Readers are asked kindly to take a look here. [Added 12.5.16: updated version of spreadsheet now available. [Added 3.7.16: updated version of spreadsheet now available. [Added 4.1.17: updated version of spreadsheet now available. [Added 24.9.17: updated version of spreadsheet now available.]]]] The effort is worthwhile. It reveals that GOV.UK Verify (RIP) is a machine for collecting and storing your personal information and sharing it widely in the UK and abroad.

What is the point of GOV.UK Verify (RIP)? Answer, it's a personal information publishing service. That's what the summary spreadsheet shows.

-----  o  O  o  -----

GOV.UK Verify (RIP) would collect a spectacular amount of personal information about us. Nothing like that is needed when we use the Government Gateway, as we have been doing to access public services for 15 years since January 2001.

And the Government Gateway doesn't broadcast our personal information to all corners of the internet the way GOV.UK Verify (RIP) would.

Some of us may want to access public services on-line. It is quite unnecessary to share so much personal information with so many organisations in so many countries at the same time.

Barclays, for example, say that in the name of GOV.UK Verify (RIP) they will collect everyone's "name, address (with 3 years of history), email, mobile phone number, gender, details of your passport, driving licence and bank account, IP address, browser type and version, device type, operating system and version, locale, a unique visitor cookie, user ID, time, URL + We may receive information about you if you use any of the other websites we operate or the other services we provide. We also work closely with third parties to provide aspects of the Identity Service (including sub-contractors, analytics providers, search information providers and credit reference agencies) and we may receive information about you from them".

It's a lot but apparently it's not enough personal information. The "identity providers" aren't going to achieve GDS's goal of being able to register 90% of the population. Not with "just" this mass of personal information. GDS want them to store even more, but they've felt unable for the past year to tell the public what extra information of ours it is that they want.

Having collected it, Barclays will share everyone's personal information with "a credit reference agency (including Equifax), a fraud prevention agency, other member organisations of the fraud prevention agency, other Barclays companies, Barclays business partners, suppliers and sub-contractors, HM Passport Office, DVLA, Verizon, GOV.UK Verify, anyone who buys a Barclays business or Barclays assets" in addition to the public or private services which rely on Barclays' identity verification work.

There is no intention here to suggest that Barclays are unique. They're just being used as an example. The other GOV.UK Verify (RIP) "identity providers" are just the same. (Except that Verizon have for the moment shut up shop to new applicants – will the Barclays service which relies on Verizon survive? – and PayPal have once again bolted.)

-----  o  O  o  -----

Something has clearly gone wrong. All we wanted, some of us, was a way to obey the law for example by submitting our tax returns to HMRC on-line, something we can perfectly well do using the Government Gateway. GDS seem to have missed the point. We did not want to give our credit history to Verizon and we did not want our personal information to be sold when Barclays sell a subsidiary.

Something has clearly gone wrong. GDS repeatedly emphasise that they do not want to create the National Identity Register envisaged for the old ID cards scheme (2002-10, RIP). They have ended up creating nine of them.

GDSDelivering Identity Assurance: You must be certified
Something has clearly gone wrong. GDS repeatedly emphasise that all the "identity providers" are "certified companies". It's easy to check and when you do you find that Barclays isn't certified. Neither is the Post Office nor Morpho (SecureIdentity) nor Royal Mail nor PayPal.

Something has clearly gone wrong. Everyone knows that there is no such thing as unqualified security on the internet. Barclays, to their credit, are realistic and say as much in their privacy policy: "Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access".

And what do GDS say? Unpardonably:

Something has clearly gone wrong. GDS want the GOV.UK Verify (RIP) population register(s) to support a platform for public services offered by multiple central government departments.

HMRC are the pre-eminent suppliers of computerised public services and they have already distanced themselves from GOV.UK Verify (RIP). As have the NHS. And DWP seem to be developing and promoting their own identity assurance procedures for Universal Credit, not GOV.UK Verify (RIP).

If GOV.UK Verify (RIP) goes live next month, some individuals will be able to submit their tax returns to HMRC, but no companies. After four years of development, GOV.UK Verify (RIP) still doesn't work for companies. Or partnerships. Or trusts.

DVLA and HM Passport Office are suppliers to GOV.UK Verify (RIP) – please see the summary spreadsheet – so they don't need it. Rather, it's the other way round. GOV.UK Verify (RIP) needs DVLA and HM Passport Office.

There is no sign of GOV.UK Verify (RIP) being used with GDS's individual electoral registration batch application system. And no reason to believe that it would be capable of helping to compile the national census.

GDS claim that GOV.UK Verify (RIP) supports DEFRA's rural payments scheme. But it can't, because GDS's computerised rural payments scheme has had to be discontinued, it was unusable and farmers currently indent for their payments using pencil and paper.

There is no identity assurance platform for public services ...

... and GOV.UK Verify (RIP) is no use to the private sector either. The private sector has its own platforms already for authenticating account-holders and authorising payments. And it's developing its own new platforms. They don't depend on GOV.UK Verify (RIP). Again, it's the other way round.

Something has clearly gone wrong. In the past, so we are told, Whitehall would specify the requirements for a public service and four years later a computerised system would arrive, not meeting the public's requirements.

GDS repeatedly emphasise that they have overcome that problem by adopting agile software engineering methodologies. And yet what do we see?

Four years after work started, GOV.UK Verify (RIP) arrives, not meeting the public's requirements.

Something has clearly gone wrong. GDS repeatedly emphasise that they pride themselves on the care they take to act responsibly on behalf of the entire nation. They published a blog post the other day, Writing content for everyone, in which they preened themselves over the effort they expend on comprehensibility:
Accessible and inclusive content

At GDS, we always try to design for the least experienced user so no one is excluded from understanding and using a service. We also try to apply the same principle to users with low literacy. By writing for all literacy levels, it means more people can use the government services they depend on.
Some readers can be put off by apostrophes, GDS say – "punctuation can slow people down". Capital letters can deter understanding – "even readers with higher literacy levels can find that reading words all in capitals slows them down".

What are GDS doing luring these people into the treacherous waters of GOV.UK Verify (RIP)?

Something has clearly gone wrong. The Cabinet Secretary is relying on GOV.UK Verify (RIP) to improve public confidence in the civil service. How? If anything, it can only achieve the reverse.

Even after everyone knew it couldn't work it took years to put an end to the NHS's National Programme for IT (NPfIT) and it cost the nation tens of billions of pounds.

If Whitehall have learnt nothing, then the announcement will be made next month that GOV.UK Verify (RIP) has gone live and a lot of people can pretend that it's true, just as a lot of people pretended for years that NPfIT was in robust health.

But that's just the point. GOV.UK Verify (RIP) isn't in robust health. And a lot of people know it. Like NPfIT, like the ID cards scheme, it's dead. RIP.


Updated 8.4.16

Since the post above was written:
  • It has been reported that Verizon have been hacked. Verizon nevertheless claim that "you can be confident that we know how to protect you to the highest standards".
  • Verizon have subsequently returned to registering new victims of GOV.UK Verify (RIP).
  • The "identity providers" summary spreadsheet has been updated accordingly.
  • Digidentity have started to try to sell GOV.UK Verify (RIP) account-holders YubiKeys on the grounds that these devices make the use of GOV.UK Verify (RIP) more secure. They do not answer the question whether it is insecure to use GOV.UK Verify (RIP) without a YubiKey.
  • CitizenSafe have announced that GOV.UK Verify (RIP) replaces the Government Gateway. If the Government Gateway is discontinued, HMRC will no longer be able to collect tax. Do CitizenSafe understand that point? And what are they doing making this announcement? Surely the end of the Government Gateway should be announced by a minister.
  • The NHS have announced that GOV.UK Verify (RIP) is not secure enough for their users' needs.
  • GDS have released data showing that a material percentage of the UK population cannot have its identity verified by GOV.UK Verify (RIP).
The conditions set by GDS themselves which must be satisfied before GOV.UK Verify (RIP) can go live have not been met. GDS continue to announce that GOV.UK Verify (RIP) will nevertheless go live this month, April 2016. It's not their decision, though. It remains to be seen whether their superiors will take the reckless decision to declare GOV.UK Verify (RIP) live.

Updated 22.4.16

Since the previous update:
  • The Office for National Statistics have confirmed that GOV.UK Verify (RIP) will not be used to help compile the 2021 UK national census.
  • Her Majesty's Revenue and Customs have commended their digital personal tax accounts and recommended logging in through the Government Gateway. Logging in through GOV.UK Verify (RIP), they say, restricts you to a limited service.
  • The Government Digital Service (GDS) have taken to dividing their eight remaining "identity providers" into those which work and those which don't. Their recommendation changes frequently but in general new victims of GOV.UK Verify (RIP) ...
    • ... are advised to register with Digidentity, Experian or the Post Office ...
    • ... and they are advised against trying to register with Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity or Verizon.
  • The reported account creation success rate has been measured at 71%, still a long way from the 90% required for GOV.UK Verify (RIP) to be declared live.
  • GDS have increased the minimum age for new victims from 19 to 20, thereby cutting GOV.UK Verify (RIP) off from another 1.2% of the population and making it even harder to achieve 90% penetration.
There's a week left before the end of the month. Probably the press releases are already written and nothing can stop the announcement of GOV.UK Verify (RIP) going live some time next week.

Whichever unfortunate ministers and Whitehall officials have their names associated with that announcement are approaching the last weekend on which they can be taken seriously.

Updated 4.5.16

It was too much for them.

No-one wanted their name associated with the declaration that GOV.UK Verify (RIP) is now live.

And so, on 29 April 2016, GDS announced that GOV.UK Verify (RIP) is "nearly there", but not quite. A miss is as good as a mile. GOV.UK Verify (RIP) is not live. After four years of development and two years of testing and several promises that it would go live in April 2016, it didn't. As usual.

Sir Jeremy Heywood, the cabinet secretary, tried to put a brave face on it. Not even he, panjandrum that he is, can disguise the fact that there is nothing there for the relying parties like HMRC to rely on. Nor that GDS themselves continue to say that five of their eight "identity providers" are unlikely to be able to provide you with an identity.

GDS put out one of their amusing little films about GOV.UK Verify (RIP). Apparently the system is safe, simple, fast, secure and private.

It remains the case that about 29% of attempts to create a GOV.UK Verify (RIP) account end in failure. It has particular trouble handling the young, the old, the low-paid and the out of work. It remains the case that account-holders have no control over who sees their data, which can end up anywhere in the world. And that there is still no dashboard for the Government Gateway on GDS's performance platform.

It proved beyond GDS's powers to stop the PR campaign:

Updated 15.5.16

It's been a busy 11 days since the last update and nothing has happened.

GOV.UK Verify (RIP) has still not been declared live. It can't be. It still shows no sign of meeting GDS's "objectives for live". The account creation success rate is down to 68%. The target minimum is 90%. The authentication completion rate is down to 36%. And, unchanged for a month, GDS still tell new GOV.UK Verify (RIP) applicants that five of their "identity providers" are useless. Or, as GDS put it, they're "unlikely to be able to verify you".

No progress there, but there has been an inordinate amount of displacement activity. Verizon have changed their logo. And GDS tarted up their Introducing GOV.UK Verify [RIP] web page on 9 May 2016. You can almost see the space left for all the new services that were due to be connected to GOV.UK Verify (RIP) when it went live in April. But that was not to be.

There was a bit of tweeting on 13 May 2016 about how marvellous it is that one of the country's major retail banks, Barclays, supports GOV.UK Verify (RIP). No recognition that Barclays is one of the "identity providers" GDS says are useless but the Twitter thread did reveal that Lloyds Bank had been in negotiations to join GOV.UK Verify (RIP). No explanation of why those negotiations failed.

6 May 2016 saw the publication of GDS's What kind of fraud do our standards prevent?. Good question.

The answer is spoiled by GDS's failure to mention the ID hub. That's the single point of failure in GOV.UK Verify (RIP) where all communications come together and GDS failed to address how the hub defends against fraud or, to put it another way, how it doesn't promote fraud. Instead, GDS repeated that they have eight "identity providers" (should be three as five of them are useless) and how they're all certified (four of them aren't).

It's unfortunate that on the same day, 6 May 2016, it was reported that Equifax had been hacked. Equifax have been certified trustworthy by tScheme and are relied on by four of GDS's "identity providers" – Verizon, Barclays, CitizenSafe/GB Group and the Royal Mail.

Not a propitious day on which to talk about the standards set by GOV.UK Verify (RIP) for fraud prevention. It's just lucky that GDS don't actually set the standard, whatever they say, and that so few public services are connected to GOV.UK Verify (RIP).

Two days later, 8 May 2016, the US National Institute of Standards and Technology (NIST) issued a new draft of their Digital Authentication Guideline. There's a summary and then there are four detailed documents. NIST's new guideline casts doubt on the way GDS are using levels of assurance in GOV.UK Verify (RIP), it impugns the use of secrets in GDS's recommended identity-proofing procedures and it "deprecates" GOV.UK Verify (RIP)'s two-factor authentication.

It may have occurred to you, too, but what NIST are doing is to raise the question whether it is feasible at all to verify somebody's identity entirely on-line. It's only a hypothesis that it's feasible. The hypothesis could turn out, in practice, to be disproved. In fact it has been. That's why GOV.UK Verify (RIP) can't be declared live.

Where all else has failed, NIST seek salvation in biometrics:
Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier.

Biometrics SHALL be used with another authentication factor that SHALL be revokable.

The biometric system SHALL have a tested equal error rate of 1 in 1000 or better. The biometric system SHALL be operational with a false match rate of 1 in 1000 or better.
As we know, NIST might as well call on astrology. It looks as though online-only identity verification isn't feasible. Not for NIST and not for GDS. GOV.UK Verify? Forget it. RIP ...

... which takes us back to where we started in the blog post above – GOV.UK Verify (RIP) doesn't verify your identity, it's a machine for publishing your personal information far and wide, out of your control, in the UK and abroad.

The Privacy and Consumer Advisory Group say that that's not true. They're wrong.

The Government Gateway is the unsung hero of on-line access to UK public services. It's sat there for 15 years and more, working. It's been instrumental in collecting trillions of pounds of public revenue. The Government Gateway takes much less personal information from you and, to a much greater extent than GOV.UK Verify (RIP), it keeps your personal information under the control of UK government departments.

So what's this we read in on 13 May 2016? Dell appointed to decommission Government Gateway. It's all there on The Government Gateway will be shut by the end of March 2018. The system that works and provides a modicum of privacy is to be discontinued. The system that doesn't work and that blasts all privacy to kingdom come is to be pursued.

It's a new world we're living in. That's what Stephen Foreshew-Cain, GDS's executive director, told us in Where we’re at, and where we’re going on 8 April 2016. And that's what he told TechUK's Public Service 2030 conference on 10 May 2016. His speech was meant to tell delegates what to expect over the next 15 years or so. Read it, and you will be none the wiser about the new world except for Mr Foreshew-Cain's prediction of the end of parliamentary democracy: "The way that the law is made will have changed".

That's a fairly major contention.

So much so that he quite forgot to mention in his speech that GOV.UK Verify (RIP) will after all go live this month, May 2016. But he did remember to tell a journalist from, Verify to go live by end of month. That's how you keep the public informed in the new world.

We'll see. As long as it depends on GDS, it seems unlikely. As Mr Foreshew-Cain told us himself, GDS don't like actually going live. It's the journey that's important to them – "In 2030, and in the years that follow, we shall still be iterating. We shall still be doing the user research, doing the hard work to make things simple ... There’s no definition of done. We’re never done ...".

With the Government Gateway gone, and with GDS busy iterating and researching, let's just hope that HMRC have an alternative up their sleeve to raise the revenue to pay for public services. As things stand, it's "no Government Gateway, no revenue".

But be not disheartened. Even while all around seemed bleak, on 12 May 2016 GDS won a prize. GOV.UK Verify (RIP) was awarded Best Innovation in eGovernment/eCitizen at the European Identity and Cloud Conference 2016. Everyone – even Mr Foreshew-Cain – was, and remains, speechless.

A busy 11 days. As you see. Even if there has been no progress.

Updated 16.5.16

"Read him early. Read him often."

If only DMossEsq followed his own advice he would have remembered to include two more GOV.UK Verify (RIP) incidents in yesterday's review of the 11 days 4-15 May 2016.

Firstly there was Neil Merrett's 6 May 2016 article HSCIC seeks ID authentication market engagement. The National Health Service in England is going to the market to see what's available by way of identity assurance for "over 1 million users and 28,000 system endpoints across 21,000 organisations". If GOV.UK Verify (RIP) isn't obviously good enough for the NHS, is it good enough for you?

Second there was Neil Merrett's other 6 May 2016 article DWP "evaluating" GOV.UK Verify for Universal Credit. "Currently claimants prove their identity by showing ID to their work coach. We are evaluating the Verify system and will announce any plans in due course", said a Department for Work and Pensions spokesperson. Taking their time about it, aren't they. Not a resounding vote of confidence in GOV.UK Verify (RIP).

Read him early, that Neil Merrett, and read him often.

Him, and Mark Say.

Mr Say published an article in on 9 May 2016, Questions arise over local 'Government as a Platform': "... There are also questions around the ability of children and old people to obtain identification through GOV.UK Verify [RIP], the role the NHS could play as an identity provider, and how citizen accounts run by local authorities and the Scottish Government could fit into the picture". Local government is clearly no more convinced about the efficacy of GOV.UK Verify (RIP) than central government.

Of course Neil Merrett covered that story as well: "The briefing noted that children and elderly users may find difficulty in being able to authenticate themselves under the current GOV.UK Verify [RIP] arrangements ... Additional concern was also raised that should the NHS choose to deliver its own ID provider solution based around the NHS number, how could it sit alongside GOV.UK Verify [RIP] ... Similarly, local authority citizen account registers and Scotland's account services were also seen as having roles within an increasingly competitive identity provider marketplace ...".

But stay with Mark Say a moment. We have referred to his work a few times over the years. Notably on 19 February 2016: "About 15 central government services are expected to begin using the GOV.UK Verify [RIP] service for online identity assurance when it shifts from public beta to live in April".

Going live is not a big step for GOV.UK Verify (RIP), according to GDS. Those 15 central government services could have begun using GOV.UK Verify (RIP) in April whether or not the system was declared to be live.

They didn't.

That is an incident significant for its absence.

There is a marked reluctance to connect to GOV.UK Verify (RIP). And no evident enthusiasm.

Meanwhile, with 22½ months ahead of it on Death Row, the Government Gateway continues quietly to rake in the PAYE income tax, National Insurance, VAT and Corporation Tax that pays for ... GDS and GOV.UK Verify (RIP).

Updated 23.5.16

Unlike marriages, weddings are public affairs. That's the point of them. Proud or nervous or both, the principals expose themselves in daylight, to their friends and relatives, in front of the municipal authorities, whether civic or ecclesiastical. The solemn ceremony is an open statement made to the community. It looks to the community for authorisation and recognition, and it seeks in return the commitment and respect of the community.

Something similar was called for in declaring GOV.UK Verify (RIP) to be live.

GOV.UK Verify (RIP) "underpins the digital transformation of government", no less. And yet, instead of a proud and clear announcement, its launch in the community on 19 May 2016 was a fly-by-night, hole-in-the-corner affair. Its advent was smuggled surreptitiously into a speech about the ethical framework for data science full of juvenile exuberance and devoid of either ethics or science. Mutual respect? No. Mutual contempt from the very outset.

Why didn't GOV.UK Verify (RIP) go live in April 2016 when it was meant to?

"We haven’t yet finished the Service Standard assessment process" was the official explanation on 29 April 2016. After four years of development and two years of beta testing? Not convincing.

"... the confirmation of the eight certified companies that will authenticate individuals' identities was only completed in the course of the month" was an alternative explanation offered on 10 May 2016.

Someone imprudent decided to announce that GOV.UK Verify (RIP) would go live in April 2016, if we are to believe these explanations, even though the service assessment hadn't been completed and even though the "identity providers" hadn't been "confirmed", whatever that means.

The trouble is that it's becoming ever harder to believe GDS:
  • They talk about eight certified companies when they know perfectly well that only four of them are certified.
  • They tell applicants trying to register for a GOV.UK Verify (RIP) account that five of these companies are useless.
  • They have jettisoned their own GOV.UK Verify (RIP) "objectives for live".
  • Even having moved the posts, they still can't score a goal. GOV.UK Verify (RIP) is in no position to replace the Government Gateway but that's what we are told it will do by 31 March 2018. Starting on 1 April 2018, the UK Exchequer will have no revenue.
  • HMRC, DWP and the NHS are all reluctant, to put it mildly, to rely on GOV.UK Verify (RIP). They are thought to be working on their own identity verification schemes. As Scotland has done.
  • GDS claim that GOV.UK Verify (RIP) is secure, without qualification, when everyone knows that it can't be.
  • Their credibility is further impugned when they claim that GOV.UK Verify (RIP) abides by nine privacy principles when it patently doesn't.
  • And NIST consider that GOV.UK Verify (RIP) provides nothing more than self-certification – it can't do identity-proofing.
There will be triumphant speeches at the noisy reception, probably tomorrow, 24 May 2016. GOV.UK Verify (RIP) will sit at the top table, beaming, while ancient relatives and old friends talk about all the public services that will rely on it.

Check the list carefully. Is each service new to GOV.UK Verify (RIP) or has it been using GOV.UK Verify (RIP) for months already? In the case of newcomer services, why are they announcing their adherence to GOV.UK Verify (RIP) now? Why couldn't they announce it before? Are they reluctant adherents? Is that why GDS missed April? Did arms have to be twisted? Did unwelcome promises have to be made to get them on board?

We may never know why it died but the end of this marriage is in its beginning.

No comments:

Post a Comment