Tuesday 26 April 2016

RIP IDA – are GDS talking to themselves?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

Every week, the Government Digital Service (GDS) publish statistics about GOV.UK Verify (RIP) on their performance platform. A degree of academic rigour is called for. Without that, GDS are just talking to themselves.

As we speak, some of these statistics are complete to the week 11-17 April 2016 while others include the week 18-24 April 2016. We ignore the latter in the paragraphs below.

1. Total authentications
We ignore the 185,149 basic accounts. These are unverified and have no place in a verified identity assurance system.

User sign-ins went up from 547,416 to 571,191, i.e. there were 23,775 of them during the week.The number of verified accounts went up by 7,509 from 487,267 to 494,776.

Adding the two together – which is GDS's peculiar way – tells us that total authentications went up by 31,284.

2. Authentications per week
Nothing to add.

3. Authentication completion rate
43% for sign-ins and account creations added together. Given that there were 31,284 completed/successful authentications (see 1. above), if that's 43% of all attempted authentications, there must have been 72,753 authentication attempts in all, of which 41,469 failed.

4. Authentication success rate
90% – no idea what this means.

5. Account creation success rate, all services
71%. Given that 7,509 verified accounts were created (see 1. above), if that's 71%, then there must have been 10,576 account creation attempts altogether, of which 3,067 failed.

If GDS intend to enrol 50 million people, say, into GOV.UK Verify (RIP), at the rate of 7,509 per week the job will take 6,659 weeks or 128 years.

It could be worse than that. Those 7,509 verified accounts could be 939 people each creating one account with each of the eight "identity providers". On that basis, 50 million people would need 400 million accounts which could take 1,024 years to create.

Most people die before they're 128, let alone 1,024, which implies that GOV.UK Verify (RIP)'s registration job can never be completed.

The advocates of biometrics look for a failure-to-enrol rate (FTE) of less than 1%. Anything higher casts doubt on the credibility of proceeding with that biometric. GOV.UK Verify (RIP)'s FTE of 29% makes the feasibility of the system problematic.

Given that a total of 41,469 attempted authentications failed (see 3 above) and that 3,067 of them were attempted account creations, the other 38,402 must have been failed sign-ins.

Given that there were 72,753 authentication attempts (see 3. above) and that 10,576 of them were attempted account creations, there must have been 62,177 attempted sign-ins.

38,402 failures out of 62,177 attempts indicates a 62% false reject rate (FRR). 62% of the time, people are being told that they are not themselves.

That is similar to the FRR for face recognition any time more than six months after the enrolment photograph is inscribed on the register. Face recognition is useless as a biometric. GOV.UK Verify (RIP) looks similarly useless if its FRR really is 62%.

You can reduce the FRR, of course, by making it easier to achieve a match. But that has the effect of increasing the false accept rate (FAR), i.e. it becomes easier for a person to pretend that they're someone else, which is the opposite of GOV.UK Verify (RIP)'s objective.

6. Sign-in success rate
99% – no idea what this means.

7. User satisfaction – verification, security, certified company
No data available for the week 11-17 April 2016.

8. Certified company completion rate
55% – no idea what this means. Compare 43%, see 3. above?

-----  o  O  o  -----

4., 6. and 8. above may mean something to GDS but they're talking to themselves – these statistics can mean nothing to anyone else. At 7. above GDS have stopped talking even to themselves.

1., 2., 3. and 5. above broadcast GDS's message loud and clear to anyone listening – GOV.UK Verify (RIP) is a dead duck.

GDS nevertheless plan to announce some time this week that the duck is alive. In their world, perhaps it is. But not here on Terror Firmer, it isn't.


Updated: 11:00

At 29%, GOV.UK Verify (RIP)'s failure-to-enrol rate (FTE) is problematic, as noted at 5. above.

GDS are doing what they can to reduce it:
  • They have increased the recommended minimum age of people trying to register for an on-line account from 19 to 20. That may reduce the number of GOV.UK Verify (RIP) failures. But at the same time it would cut out 1.2% of the population and thereby reduce the universality of GDS's identity assurance scheme, making it less use to government and less attractive to the private sector, who are being courted by GDS.
  • They have also taken to steering people away from the "identity providers" who are less likely to be able to complete enrolment. Again, that may reduce the number of GOV.UK Verify (RIP) failures. But it would do so at the expense of reducing the number and variety of enrolment agents/"identity providers"/"certified companies" when GDS's sales pitch to the populace is precisely that there is a wide and high quality choice on offer.
The other action GDS could take is to change the enrolment process. At the moment, the identity of a given name, address and age with sex optional is verified by reference to passport details, driving licence details and credit history. The enrolment process could be changed to take into account further personal information.

What further personal information?

Candidates include your health records, education records, travel records, bank account transactions, insurance policies, mobile phone usage, email contact lists, social media accounts, ... GDS claimed 18 months ago that they were about to announce their choice of additional personal information to include in the GOV.UK Verify (RIP) enrolment process. They still haven't.

Most people are not often exercised by questions of privacy but GDS's demand for yet more personal information might tip the balance.

Despite GDS's claims to the contrary, we have little or no proven control over these personal details once they have been divulged.

The privacy and fraud risks seem exorbitant compared with the benefit of being able to use GOV.UK Verify (RIP) to view our driving licence details on-line.

It seems unnecessary to amplify those risks when we already have the Government Gateway as a long-established working alternative to GOV.UK Verify (RIP).

Unnecessary also when, according to GDS, no other country has adopted this approach, the UK is in the vanguard.

In the absence of any additional personal information being added to the GOV.UK Verify (RIP) enrolment process we are left with GDS's eight "identity providers".

Five of them are being branded useless – Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity and Verizon. That must sour relations between them and GDS and it might sour relations between them and the three favoured "identity providers" – Digidentity, Experian and the Post Office.

The position of Barclays is odd. You'd think they would be among the best enrolment agents. Whatever percentage of applicants they can shepherd through the registration process should be definitive. Far from consigning Barclays to the out-of-favour list, perhaps GDS should be checking the apparently outperforming Digidentity, Experian and the Post Office to make sure that they aren't relaxing the matching criteria and exacerbating the FAR problem (false accept rate).

With only three favoured "identity providers", GDS are exposed. The Post Office is not a "certified company", its application for approval lapsed well over a year ago. And Digidentity and the Post Office are linked. If one of them suffers a security problem, they would both be knocked out, leaving GOV.UK Verify (RIP) with just one "identity provider" – Experian.

This visible promotion of Experian into the UK Constitution as the "identity provider" of choice for the entire nation has not been even debated by Parliament, let alone agreed. In this matter, GDS are wildly out of their depth and ultra vires. They need to talk to a lot more people about it than just themselves.

Updated 3.5.16

A new metric has been added to the GOV.UK Verify (RIP) dashboard:

9. Certified company choice
It's 81%.

GDS continue to recommend against registering with Barclays, GB Group/CitizenSafe, the Royal Mail, Safran Morpho/SecureIdentity and Verizon.

User satisfaction, please see 7. above, remains a thing of the past. It is measured in three ways and none of the figures have been updated since 27 March 2016.

Updated 11.11.16

GDS don't always talk to themselves about the performance of GOV.UK Verify (RIP). Two days ago they sent Chris Skidmore MP off to talk to Korea about it. In his speech, he said:
GOV.UK Verify [RIP] allows the citizen to create a single online identity to access a growing number of government services. And since going live in May, GOV.UK Verify [RIP] has verified more than 900,000 users.
Take a quick peak peek at the GOV.UK Verify (RIP) dashboard on the GOV.UK performance platform. On 1 May 2016 there were 692,951 GOV.UK Verify (RIP) accounts. By 6 November 2016, that figure had grown to 911,096.

Mr Skidmore is a historian as well as a politician. He knows to check his sources. But on this occasion he didn't. Since going live in May, GOV.UK Verify (RIP) has verified 218,145 users and not "more than 900,000" of them.

Even its supporters warn about the "wildly unrealistic expectations" of GOV.UK Verify (RIP). Next time he delivers a speech prepared for him by GDS he is advised to check it first.

No comments:

Post a Comment