Tuesday 20 September 2016

RIP IDA – agile identity, now you are you, now you're not

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
"Congratulations!", they said in the email, "You have completed the registration process":

There he was, DMossEsq, all kitted up with a brand new on-line identity, provided by GOV.UK Verify (RIP) via Digidentity, one of the Government Digital Service's "identity providers".

Digidentity had collected all the details of DMossEsq's passport and driving licence, among other things, and here they were confirming that he is him, the person he claims to be. "Your registration has been completed" – that's what the email says. And polite to a fault, Digidentity even said: "Thank you for registering".

And yet yesterday, when DMossEsq tried to log in for the sixteenth time since that email, he couldn't get through to his personal tax account. There has been no communication from Digidentity since the email above but Digidentity now want more passport details before they'll confirm that DMossEsq is DMossEsq:

Digidentity want an image of the passport uploaded, using an app of theirs which has to be downloaded onto DMossEsq's mobile phone first:

The GOV.UK Verify (RIP) team make it all sound so easy. Register once and they'll vouch for you, they know who you are because you've already proved it and they'll tell HMRC or whoever yes, this is DMossEsq. You have to hand over an inordinate amount of personal information about yourself but at least you'll then be able to use public services on-line.

Not true.

The bargain has been broken. You've handed over the personal information. You still can't use public services on-line.

It seems that an "identity provider" can without warning decide that you aren't you after all and demand further proof without which you can't communicate with any government departments using GOV.UK Verify (RIP).

That could be serious. Suppose you were away from home without your passport, on a sales trip to the Northern Powerhouse, for example, selling gluten-free cupcakes to digital entrepreneurs, and you needed to pay your tax bill. You sit down in your hotel room confident that you can make this payment because you've got your trusty Digidentity on-line identity already set up ...

... only to find that your on-line identity has been taken away from you. Result? You have to pay interest on your tax and a penalty in addition. And there's no compensation. Thank you, GOV.UK Verify (RIP).

Even if you do have your passport with you in the hotel, why should you have to download an app from Digidentity? That's tantamount to deliberately installing a virus.

You never know where you are with GOV.UK Verify (RIP). That could be one reason no-one's using it.

How does this come about? How have the Government Digital Service (GDS) acquired the attitude that they can change the rules behind your back?

The answer is "agile".

Their agile software engineering methodology assumes that they can iterate. They can make changes to live public services all the time. That's what Google do with Chrome, for example. And Google embody the internet era. GDS want to transform government so that it becomes digital by default. And what does "digital" mean? Answer: "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". So that's what GDS can do with GOV.UK Verify (RIP).

They were warned about this, in January 2013, when four professors told them that: "there are risks that rapidly changing services will deter the takeup of digital services, not encourage it". They didn't listen.


Updated 22.9.16

The matters above have been brought to Digidentity's attention and the Government Digital Service's.

GDS never respond, of course.

Digidentity have responded, please see tweets alongside.

In addition to those tweets, Digidentity also sent two identical emails saying "your identity document is accepted" (please see copy below).

Which document? They don't say.

Whatever their emails say, DMossEsq's GOV.UK Verify (RIP) account registered with Digidentity still doesn't work. He still can't use it to access his personal tax account.

Why doesn't the account work? It used to.

What's changed?

Are Digidentity allowed to withdraw the right to access public services from people to whom they have previously granted that right?

Should they notify people first?

Are they allowed to demand more and more intrusive access to people's personal information such as insisting on their app being installed on our mobile phones?

Can they change the rules as they're going along so that one day you are you and the next day you're not?

Are GDS comfortable with Digidentity creating people on-line and deleting them, wiping them out, so that they don't exist any more?

Do GDS even know it's happening or have they lost track?

These are general policy questions of interest to everyone. Digidentity's offer to discuss them in private won't do.

"We're building trust by being open" – that's GDS's claim. Time to prove it.

What identity document? No new document has been submitted.

Updated 12.6.17

DMossEsq has made no attempt to use his Digidentity GOV.UK Verify (RIP) account since 19 September 2016, please see above. Today, the following email was received:

"We're sorry but we couldn't verify your identity". Very odd. DMossEsq hasn't asked Digidentity to verify his identity. Perhaps someone else has. Who? Why?

Updated 14.6.17

It looked as though someone was trying to use one of DMossEsq's GOV.UK Verify (RIP) accounts, the one maintained by Digidentity, please see above.

An email to Digidentity elicited several prompt responses, please see below, for which they have been thanked.

In the event, it was not a third party but Digidentity themselves who were accessing the account, they were trying to do one of their periodic checks that the account is still kosher. It might improve the user experience in future to make that clear in the email automatically sent to the accountholder.
From: Support [mailto:helpdesk@digidentity.co.uk]
Sent: 13 June 2017 17:00
To: DMossEsq
Subject: [Digidentity] Re: Registration Query

##- Please type your reply above this line -##
Your request (8209) has been updated. To add additional comments, reply to this email.

Liz (Digidentity UK)
Jun 13, 18:00 CEST

Dear Mr Moss,

We have investigated your account further and it appears that our system went through some recent verification checks. These were automatically made on your account without you needing to log in. We require these checks from time to time in order to continue proving who you are.

As you did register quite a long time ago however, what I needed to do is reprocess your information so that we could still be sure that it was definitely you registering online. Now that I have done this, you are still fully verified.

I wish to apologise for any cause for concern. You should now be able to log into your Digidentity account in future and be redirected to the service you require.

Liz (Digidentity UK)
Jun 13, 17:24 CEST

Dear Mr Moss,

Thank you for your message.

What I have done is passed your account to the relevant team at the company in order to investigate further. I would like to thank you for your patience in the meantime. I will get back to you as soon as I have more information.

David Moss
Jun 13, 14:40 CEST


I received the email below, “Your registration couldn’t be completed”. It’s a mystery. I have not attempted to use the account for many many months now. Is there any way you can investigate to see who was trying to use it?

Yours faithfully
David Moss

From: noreply@digidentity.eu [mailto:noreply@digidentity.eu]
Sent: 12 June 2017 15:52
To: DMossEsq
Subject: Your registration couldn't be completed.

We’re sorry but we couldn’t verify your identity

Unfortunately we couldn’t verify your identity

Unfortunately your identity can’t be verified right now. Please go back to the GOV.UK Verify webpage or contact our helpdesk if you have any questions regarding your registration.

Kind regards,
Copyright © 2017, All rights reserved | https://www.digidentity.eu

This email is a service from Digidentity UK. Delivered by Zendesk
"CEST" turns up a lot in the correspondence with Digidentity. It stands for Central European Standard Summer Time, the timezone chosen by Zendesk, who provide user support services to the Government Digital Service and, so it appears, to Digidentity as well. As we were saying in March:
While claiming to put the user in control, GDS like us to spray our personal information all over the world when we register with GOV.UK Verify (RIP). Their heart really isn't in this privacy lark, is it. They use Eventbrite to organise events. They use Zendesk for user support. They use StatusPage for network monitoring. They use Survey Monkey for user feedback. All the personal information involved is stored and used beyond your control and now GDS want you to upload your CV to Jobvite.

Updated 20.5.18

In a re-run of what happened last year, 1 May 2018, DMossEsq got an email from Digidentity saying "Your registration couldn't be completed". Same day, DMossEsq brings this to Digidentity's attention and points out that he hasn't tried to register recently. Five more emails are exchanged over the next two days and then, 18.5.18, this email arrives from Digidentity:
From: Support <helpdesk@digidentity.co.uk>
Sent: 18 May 2018 10:09
To: DMossEsq
Subject: [Digidentity UK] Re: Account Query

##- Please type your reply above this line -##

Your request (999999) has been updated. To add additional comments, reply to this email.

Liz (Digidentity UK)
May 18, 11:08 CEST

Dear Mr Moss,

I wish to apologise for the delay in getting back to you regarding your query; I wanted to be clear on the matter before informing you.

Although I was not aware of this, it seems that you are well known to some of the Digidentity team. They informed me about some of your blogs where you have documented the GOV.UK Verify registration that we provide. One blog I want to draw to your attention is the following: https://www.dmossesq.com/2016/09/agile-identity.html. It seems that on this site, you posted your personal QR code.

The reason it took longer than expected for me to get back in touch with you is because I have been waiting on a response from another Digidentity user. In the end I did not get a reply from her, but from what we can gather, she may have searched for help online when uploading her own document via the app, possibly when she did not understand about how to scan a QR code. If you search for 'Digidentity QR code', your blog comes up in the image search.

What we can determine from this is that she scanned your own QR code instead, which was connected to your own account. As a result, her photo was uploaded to your account. Our system highlighted this mismatch in information, causing a registration rejection and sending the message you received. Although I did not understand this at the time, it is likely what caused the message to be sent last time you contacted us.

I suppose this is the consequence of posting a personal part of your registration online, which we strongly advise against users doing. Our system rightly detected when this occurred, but we are increasing security and have improved the scanning of the QR code process and it will only be possible to use the QR code as a one off (expires after use), meaning that this situation will no longer occur in future.

I hope that I have informed you sufficiently regarding the matter.

Kind regards,
Digidentity Customer Support
It seems that including the Digidentity QR code in the 20 September 2016 post above opened the door to people using it to try to register for a GOV.UK Verify (RIP) account.

The attempt(s) failed thanks to Digidentity's existing procedures. Digidentity have nevertheless, as a result of this incident, decided to enhance their procedures to make the use of their QR codes one-time only – a decent partial solution but note that DMossEsq didn't use the QR code so the first user would still be someone else not DMossEsq.

The QR code has now been obfuscated in the blog post above.

Search for 'Digidentity QR code' in Google images as Digidentity suggest and you will find the code Digidentity sent DMossEsq and several others.

In the interests of science, DMossEsq logged in to his Digidentity account to see the picture of the lady who tried to register using his QR code. Nothing doing, it's not there.

He then tried to log in to his personal tax account using his Digidentity GOV.UK Verify (RIP) account. Nothing doing, he's still not him:

The details provided on 23 February 2015 matched the information held by DVLA, HM Passport Office and Callcredit, please see above. Now they don't – now you are you, now you're not.

On the one hand, good work done by the Digidentity customer support team. And by Mr Marcel Wendt, the founder of Digidentity, whom DMossEsq bumped into at the Think.Digital Identity for government conference on 18 May 2018 and who knew all about the incident.

On the other hand, you don't get these problems with the Government Gateway. That's no doubt one reason why Her Majesty's Revenue and Customs don't recommend GOV.UK Verify (RIP). And why GOV.UK Verify (RIP) died.

No comments:

Post a Comment