Wednesday 6 July 2016

Old local authority briefing reviewed on the Antiques Roadshow*

"New Socitm, ADASS and LGA briefing sets out challenges in implementing ID assurance methods that can limit information loss and identify fraud", says the Government Computing website in an article published yesterday, 5 July 2016, Social care providers called on to set out online identity strategies.

Socitm is the pre-eminent society for IT practitioners in the UK public sector and they issued a press release on 4 July 2016, Social care leaders urged to consider options for managing identity and authentication online for service users and providers.

That press release refers to a briefing they have prepared on identity and authentication which includes several questionable claims. Among others (p.7):
  • "The UK Government has adopted GOV.UK Verify [RIP] for central government service providers such as HM Revenue & Customs (HMRC) and, of particular interest for local public services, the Department for Work and Pensions (DWP)." – neither HMRC nor DWP is relying on GOV.UK Verify (RIP), and neither are the NHS nor the nation's payments industry.
  • "GOV.UK Verify [RIP] ... uses a range of identity providers ... to check that users are who they say they are. Currently, four companies are connected: Digidentity, Experian, Post Office and Verizon. It is planned that they will be joined by five more (Barclays, Paypal, Morpho, Royal Mail and GB Group) before GOV.UK Verify goes live in April 2016." – Paypal have pulled out, GOV.UK Verify (RIP) was declared live in May 2016, the Post Office, Morpho and the Royal Mail have yet to be certified trustworthy by tScheme.
  • "The infrastructure of GOV.UK Verify [RIP] is built to meet the privacy principles developed by PCAG and will ensure a greater degree of privacy than is likely through a locally developed solution." – GOV.UK Verify (RIP) doesn't abide by a single one of PCAG's identity assurance principles and accountholders find their personal information sprayed all over the world beyond their control.
  • "At the current time, GOV.UK Verify [RIP] is in public beta for the following seven services ... A further 30 government services are planned to be implemented by April 2016." – in the event, GDS claim that there are just nine government services using GOV.UK Verify (RIP) today, not 37.
  • "And it’s fast: it takes about 15 minutes the first time you verify your identity, and less than a minute each time after that." – the first time you verify your identity is what we would normally call "registration", it's not a race, it's hard and unwise to evaluate the terms and conditions of business of eight "identity providers" before registering in 15 minutes flat.
  • ...
The Socitm/ADASS/LGA briefing mentions the level of assurance that can be achieved on-line as to whether someone is who they say they are (p.4). The US National Institute of Standards and Technology say that GOV.UK Verify (RIP) only achieves Level 1, which is no good to a local authority trying to decide whether to pay for someone's social care.

The briefing also mentions attribute exchange (p.5) and calls yet again on the Warwickshire County Council attempt to automate applications for Blue Badges. Three years ago Ian Litton's prototype was just a prototype and three years later it's still just a prototype. There's a warning there for local authorities.

The briefing was published in December 2015, six months ago. It had faults then and it's got more now. Issuing a press release the day before yesterday suggesting that the briefing is up to date could cause confusion – local authorities, beware.


* In case you don't know, the Antiques Roadshow is a BBC TV programme in which members of the public bring along an ancient artefact to a swanky venue and experts decide whether it's unexpectedly valuable or just yet another old mass produced identity and authentication briefing.

No comments:

Post a Comment