Monday 5 September 2016

RIP IDA – "wildly unrealistic expectations"

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

Take a look at New GOV.UK Verify [RIP] chief sets out stall after departure of Janet Hughes. That's a Civil Service World (CSW) article, 23 August 2016, and there's something in there for everyone.

"If there's a tricky job facing the Government Digital Service (GDS), or indeed an impossible job, what do they do? Call for Janet Hughes". That's what we said. Several times. Now the heroic Janet has left GDS.

Can she be replaced?

A, B, C and D below say no, she can't be. E, F, G and H are waiting in the wings.

Are GDS advertising for a replacement? You take a look.

A Jess McEvoy is standing in as interim programme director of GOV.UK Verify (RIP). CSW say: "According to McEvoy, Verify has now been used to verify more than 800,000 individual identities, with more than three quarters of users reporting that they are either satisfied or very satisfied with the service". Is she right?

GDS have three ways of measuring user satisfaction on the GOV.UK Verify (RIP) performance dashboard. 84.11% of respondents say that they are satisfied or very satisfied from the point of view of security. That figure falls to 72.17% from the point of view of certified companies and 64.97% from the point of view of verification.

Never mind what these categories mean – security, certified companies and verification – in each case there have been about 11,100 respondents out of 821,000 or so GOV.UK Verify (RIP) accountholders. That's a 1.35% response rate.

About 821,000 accounts have been created. They have been used about 844,000 times, i.e. about once each:
  • How many accountholders are there? GDS provide no answer. If each accountholder has seven accounts, one with each of the remaining "identity providers", we could be talking about only 118,000 people, not 821,000.
  • Are these people using GOV.UK Verify (RIP) or just trying it out once and then going back to the Government Gateway? That is, is Ms McEvoy right to refer to them as "users"?
  • Why are the user satisfaction statistics four weeks out of date at the time of writing?
  • Less than three-quarters of respondents are satisfied or very satisfied in two of the user satisfaction categories, where does Ms McEvoy get more than three-quarters from?
  • Do the respondents constitute a representative cross-section of the population from which it is legitimate to extrapolate? Or would it be better to say that 64.97% of 1.35% = 0.88% of users, if that's what they are, are satisfied or very satisfied with GOV.UK Verify (RIP) from the point of view of verification?
  • Do the respondents understand the question? Do they each understand the same thing by the question? Or are they all answering different questions?
GDS are meant to be the experts in data analytics. If this is how they handle statistics, they are in danger of suffering the same fate as the pollsters who get referendum and general election results hopelessly wrong – no-one will believe them.

B Ms McEvoy is supported in the CSW article by Jessica Figueras, chief analyst for technology consultancy Kable: "Figueras said it 'should not come as any surprise' if HMRC was considering other options for identiy verification, because the original plan for Verify was for it 'to provide low to medium security ID assurance for citizens, and this hasn’t changed' ...". Is she right?

Presumably Ms Figueras is talking about low-to-medium assurance, not low-to-medium security. GDS claim to offer nothing but unqualified high security.

Take a look at the 9 October 2014 IPV Operations Manual published by GDS. That document covers identity-proofing and verification for GOV.UK Verify (RIP). Para.5 on p.5 specifies registration requirements at both identity assurance level 2 (civil courts) and level 3 (criminal courts). Para.58 also includes level 3 requirements. So does para.71. So much of paras.87-91 has been blanked out that it's impossible to know for sure but it looks as though GDS are talking about more than low-to-medium security. And so on, para.113, para.118, ...

Ms Figueras appears to be wrong. If GOV.UK Verify (RIP) is now required to provide only low-to-medium assurance as to people's identity, then, surprisingly, the specification has been quietly changed since October 2014.

Suppose for a moment, though, that she's right. CSW talk about GOV.UK Verify (RIP) "allowing drivers to tell the DVLA about their medical conditions and allowing mortgage deeds to be signed through the Land Registry". They talk about "offering the service to NHS trusts and local authorities, as well as private sector organisations". Are DVLA and the Land Registry and NHS trusts and local authorities and private sector organisations happy to accept low-to-medium assurance as to people's identity?

"The fact is", says Ms Figueras, "that Verify is an incredibly ambitious programme and the fundamental concepts behind it were untested". Incredible? Untested? Is that meant to increase the confidence of DVLA, the Land Registry and the rest?

"Figueras said the main problem faced by Verify had been the 'wildly unrealistic expectations for roll-out' ...". Wildly unrealistic? With support like this, GOV.UK Verify (RIP) doesn't need any detractors.

C She is also supported by Daniel Thornton of the Institute for Government, who "explained why HMRC might opt for its own verification system". He's quite right, of course. GOV.UK Verify (RIP) can at best only verify the identity of natural persons, not legal persons like companies and partnerships and trusts and, as Mr Thornton says, that's no use to HMRC, they need "something that will work with businesses as well as individuals".

Was that always meant to be the case?

No. GDS used to hold out the prospect of their scheme verifying the identity of legal persons, please see Good Practice Guide 46, published by GDS on 18 October 2013: "This guide deals with proving the authenticity (identity) of a legal organisation, such as a business, partnership, charity, government body or other public sector organisation".

GOV.UK Verify (RIP) is shrinking and it is pointless to pretend otherwise. As it shrinks it is of interest to fewer and fewer organisations.

D Talking of untested fundamental concepts, is it feasible to verify millions of people's identities on-line and only on-line to a level of assurance satisfactory to the likes of the NHS and local authorities? The US National Institute of Standards and Technology (NIST) raise that question. Their answer seems to be no. They consider the identity-proofing work done in GOV.UK Verify (RIP) to be pointless. They class it as no better than self-certification. in the US has been terminated. GOV.UK Verify. 821,000 self-certifications. RIP?


Updated St Patrick's Day 2017

Verify service manager sought to lead GDS expansion ambitions, we read on 15 March 2017, and yesterday GDS to expand Verify team as pressure to increase user numbers mounts.

Last September we said "Jess McEvoy is standing in as interim programme director of GOV.UK Verify (RIP)", please see above. Isn't it Ms McEvoy's job to "lead GDS expansion ambitions" and to "increase user numbers"? Presumably not.

GOV.UK Verify (RIP) hasn't had a named senior responsible owner since Mike Bracken left GDS in September 2015. And it hasn't had a permanent programme director since Janet Hughes left. It's an orphan programme, unwanted and abandoned.

In the circumstances, how is some poor unfortunate service manager supposed to add 24 million verified GOV.UK Verify (RIP) accountholders in three years flat?

Updated 12.5.17

This time last year the Government Digital Service (GDS) won an award at KuppingerCole's EIC2016 conference for their innovative work on GOV.UK Verify (RIP), the national identity assurance scheme on which innovative staff are now working hard to reduce the level of assurance that a GOV.UK Verify (RIP) accountholder is who he or she claims to be.

GDS aren't up for any KuppingerCole awards this year as far as we know, but Adam Cooper, lead technical architect of GOV.UK Verify (RIP), is attending EIC2017 as we speak. What is the Trust Model of the Future?, he will ask. Good question.

Next Monday Mr Cooper will attend One World Identity's K(NO)W Identity conference, where GDS are finalists in not one but two K(NO)W Nodes awards, which "recognize the most compelling startups, individuals and identity innovations of the year" – they are nominated in the Identity Government Leadership and Trailblazer categories.

"Winners will be selected by ... [a] panel of distinguished judges", including Don Thibeau, chairman and president of OIX, the Open Identity Exchange. GDS are members of OIX and, although it's an uphill struggle, OIX do what they can to help.

Mr Thibeau will know better than most just how much the supposedly trailblazing GOV.UK Verify (RIP) has run into the ground.

And as to leadership? That's one of GOV.UK Verify (RIP)'s many problems. "GOV.UK Verify (RIP) hasn't had a named senior responsible owner since Mike Bracken left GDS in September 2015. And it hasn't had a permanent programme director since Janet Hughes left. It's an orphan programme, unwanted and abandoned", as we were saying, only the other day.

The excellent Dave Birch is speaking as well.

He is a member of PCAG, among other things, the Privacy and Consumer Advisory Group, whose co-chair, Jerry Fishenden, resigned the other other day and recommended that: "The government's Verify identity platform is not meeting user needs - it's time to step back and review how best to make online identity for public services work".

Mr Fishenden doesn't mention innovation or trailblazing in his review of GOV.UK Verify (RIP) but he does say: "We urgently need to see credible leadership and a viable strategy". Not impressed with leadership chez GOV.UK Verify (RIP), Mr Fishenden is also unimpressed with ex-Goldman Sachs man Kevin Cunnington's strategy for GDS.

GDS are used to winning awards, as you and Mr Birch k(no)w. But maybe not this time. This may be the end of the trail.

Updated 15.5.17

Not a moment too soon, please see above, the Government Digital Service (GDS) are trying to strengthen the GOV.UK Verify (RIP) management team by recruiting a service owner.

For £70,000 p.a., the successful recruit will supposedly "run and continuously improve a world-class digital service based on user needs". Mr Fishenden, please see above, says: "The government's Verify identity platform is not meeting user needs - it's time to step back and review how best to make online identity for public services work".

Nevertheless, the successful recruit is supposed to agree that the GOV.UK Verify (RIP) strategy is feasible and that the moribund service is "set to grow from a user base of 1 million users to 25 million by 2020". Hard to swallow.

Candidates reading the job advertisement may believe that GOV.UK Verify (RIP) is meant to support access to central government on-line services only. Why is there no mention of GOV.UK Verify (RIP)'s plans for local government services and the private sector? Shouldn't the owner of the service be told?

As usual with GDS, the successful recruit and all other candidates are invited to lose control of their personal information by sending their CVs to Jobvite.

On the plus side, at least this latest job advertisement has dropped the usual claim that all of GOV.UK Verify (RIP)'s "identity providers" are certified trustworthy – four are, three aren't and five have disappeared. It also omits the usual claim that GOV.UK Verify (RIP) is, without qualification, secure.

No comments:

Post a Comment