Tuesday, 23 May 2017

RIP IDA – a ridiculous manifesto promise

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The Conservative Party's 2017 manifesto includes this at p.81:
... we must use common platforms across government and the wider public sector. That must start with the way we identify ourselves online, so that people have one single, common and safe way of verifying themselves to all parts of government. That is why we shall roll out Verify, so that people can identify themselves on all government online services by 2020, using their own secure data that is not held by government. We will also make this platform more widely available, so that people can safely verify their identify to access non-government services such as banking.
As DMossEsq readers know, it may be convenient for people to have "one single, common ... way of verifying themselves to all parts of government" but it isn't "safe".

DMossEsq readers also know that millions of people prefer to use the Government Gateway to access on-line government services, not GOV.UK Verify (RIP).

They know that there are currently only about 12 on-line government services that can be accessed using GOV.UK Verify (RIP) and that the chances that they will all be accessible using GOV.UK Verify (RIP) by 2020 are small.

And they know that their personal information is sprayed all over the world, out of their control, if they open an account with GOV.UK Verify (RIP).


Suppose that you have your accounts with Lloyds bank and that you access them on-line using your GOV.UK Verify (RIP) credentials which you created through the Royal Mail because that's a brand you recognise and trust.

Unbeknownst to you, that means that you have actually been registered by GB Group plc, whom you've never heard of.

GB Group share your personal information with a wide variety of other organisations, which the Royal Mail didn't tell you when you registered.

Suppose that one of them is hacked [Equifax, for example, added 9.9.17] and, for safety's sake, your GOV.UK Verify (RIP) account has to be suspended [if your account isn't suspended, despite the Equifax breach, why isn't it? Surely it should be]. Yours, and millions hundreds of other people's GOV.UK Verify (RIP) accounts.

There's nothing the Royal Mail can do about GB Group suspending you and nothing GDS can do about it either. There's nothing Lloyds can do about it and now you can't access your bank accounts on-line.

Nor can you access any of the on-line government services you need, because you foolishly use the same GOV.UK Verify (RIP) credentials for everything.

That's one risk of inserting GOV.UK Verify (RIP) into the access control processes for banking.

Can anyone remember what the benefit is?
GOV.UK Verify (RIP) is not an attractive prospect and not one single bank anywhere in the world currently allows people to use GOV.UK Verify (RIP) to log on to their on-line accounts.

Millions of us can already log on to on-line banking. We accountholders don't need GOV.UK Verify (RIP) for that ...

... and neither do the banks.

And why would the banks want to risk their relationship with us by dislocating the whole process of authorising access to our accounts just to insert the Government Digital Service into it?

And not just GDS but all of GDS's seven "identity providers" (IDPs), too. And all of the IDPs' uncounted subsidiaries and business partners and suppliers and sub-contractors in the UK and overseas.

It may sound sensible and modern for the Conservatives and any other political party to promise to deploy GOV.UK Verify (RIP) nationwide. It isn't.

----------

Updated 9.9.17

Up to 44m Britons at risk in Equifax cyberattack
Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
The Equifax Hack Didn't Have to Be This Bad
Breach at Equifax May Impact 143M Americans
Equifax Breach Response Turns Dumpster Fire
Equifax: Hackers Gained Access to Sensitive Data, Affecting 143 Million People
Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone
Equifax mega-leak: Security wonks smack firm over breach notification plan
Surprising nobody, lawyers line up to sue the crap out of Equifax
...

Equifax Hack Exposes Peril of Credit Bureau Model


Updated 9.11.17

It remains a psychiatric mystery how the Government Digital Service (GDS) continue to assure the public that the hopeless identity assurance scheme, GOV.UK Verify (RIP), costs nothing, that it is secure without qualification, that our privacy is maintained, that we have control over our personal information and that the system operates under an ethical framework.

That is presumably the conclusion that McKinsey came to in their investigation of GOV.UK Verify (RIP) in their report to John Manzoni, chief executive of the UK home civil service. The McKinsey report has not been published, though, so we can't be certain.

GOV.UK Verify (RIP) depends for its hesitant and occasional operation [1] on credit rating agencies/data brokers, including Equifax, who were so spectacularly hacked on 13 May 2017, please see above.

DMossEsq can make the point until he, she, it or they is or are blue in the face that GOV.UK Verify (RIP) accountholders have no control over what happens to their personal information once they have handed it over but it has no effect. Absolutely no control. And absolutely no effect.

The great Bruce Schneier has now published his Equifax evidence to the House Committee on Energy and Commerce.

"These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data", he says. Also, "there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is".

Perhaps the Schneier testimony will register with GDS and Mr Manzoni more effectively than DMossEsq's.

Whatever, the public show no enthusiasm for signing up with GOV.UK Verify (RIP) [2], nor do HMRC nor NHS England. We and they don't believe that GOV.UK Verify (RIP) is free, secure, etc ... Only GDS believe that.

Refs.
1. Average failure rate: 62%.
2. Average number of times a GOV.UK Verify (RIP) account is used: 1.5.


Updated 23.7.19

As far as we know Equifax used to supply their services to four of GOV.UK Verify (RIP)'s "identity providers". Verizon, Barclays, GB Group and Royal Mail.

Verizon pulled out of the moribund Verify scheme years ago, GB Group and Royal Mail more recently. So four is down to one, it's just Barclays now who rely on the remarkably untrustworthy Equifax.

How untrustworthy is "remarkably untrustworthy"? Equifax in $700m data breach payout. That's what it says in the Times newspaper, where Letitia James, New York attorney general, finds it relevant to mention Equifax's "ineptitude, negligence and lax security standards".

Barclays haven't mentioned that and neither have GDS, of course, sealed off from reality as they are in their Whitechapel nuclear silo, they never find any need to warn us GOV.UK Verify (RIP) users of the dangers we face.

No comments:

Post a comment