Wednesday, 17 October 2018

RIP IDA – international ID slapstick, that's the way to do it

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

A week ago we learnt that people with a German electronic ID are now able to use it to log on to HMRC:


This has been on the cards, so to speak, for over 10 years now, ever since the inception of the European Union's Project STORK. German students studying at UK universities should be able to access UK public services while they're over here using trusted German identity assurance. Ditto UK students in Germany. And not just Germany and the UK, any EU citizens in any EU country.

Over the years, Project STORK became eIDAS, EU Regulation 910/2014. The German Federal Office for Information Security jumped through all the eIDAS hoops to "notify" their Ausweis identity assurance scheme, it's passed all the tests and, as noted in the Martin Jordan tweet above, Her Majesty's Revenue and Customs now have to accept Ausweis identities.

That's the theory.

In practice, this is the response a German currently gets:


That's the way to do it.

"Something went wrong".

It certainly did.

But where?

Germany? HMRC?

Apparently not. The error message is branded GOV.UK Verify (RIP). Their logo. Their problem.

Speaking of which, GOV.UK Verify (RIP) has been put up for eIDAS membership. It's been "pre-notified" in the lingo:


Will it be as successful as the Germans' Ausweis? Will it be deemed to provide a low level of assurance that the owner of the GOV.UK Verify (RIP) identity is who they say they are? Or a substantial level of assurance or even a high one?

Our EU partners will not be impressed at the rejection of GOV.UK Verify (RIP) by HMRC, DWP (para.3.21), the NHS, Scotland, UK local government and others. Nor will they be mollified when they see US NIST's opinion that GOV.UK Verify (RIP) provides nothing better than self-certification.

It's all about trust, and what are our partners supposed to make of the fact that the Post Office are treated as an "identity provider" (IDP) even though they're not certified by tScheme? It looks underhand making people think they're dealing with the Post Office when really all the identity proofing work is carried out behind the scenes by Digidentity. It undermines trust.

Has GOV.UK Verify (RIP) been pre-notified by the Government Digital Service? That would seem strange:
  • Partly because it is the Department for Digital Culture Media and Sport that has responsibility for the digital economy and for identity policy, not GDS.
  • And partly because it has recently been announced that the UK government will cease funding GOV.UK Verify (RIP) in 18 months' time.
Who will underwrite GOV.UK Verify (RIP) identities after that?

No-one knows. Certainly not the 27 other members of the EU.

As things stand, the probability of GOV.UK Verify (RIP) getting through the eIDAS vetting procedure is not high, not substantial but, if it's lucky, maybe low. Low-to-non-existent.

That's the way to do it.

----------

Updated 23:52

Our European partners may recall that early last month the UK's Infrastructure and Projects Authority recommended that GOV.UK Verify (RIP) be terminated. That's the same GOV.UK Verify (RIP) that we're trying to get approved for use in eIDAS, please see above.

Not confidence-inspiring.

Reality bites. But instead of terminating the scheme, the Senior Responsible Owner is abandoning ship and GDS are letting go of the controls and handing it over to the private sector. Perhaps the private sector will prove better at terminating it.

Not confidence-inspiring.

GOV.UK Verify (RIP) boasted seven "identity providers" until recently – Barclays Bank, CitizenSafe/GB Group plc, Digidentity, Experian, the Post Office, the Royal Mail and SecureIdentity/Morpho.

During the handover to the private sector two of those "identity providers" are dropping out – CitizenSafe/GB Group plc and the Royal Mail.

In reality, the Royal Mail was never a true "identity provider", they just provided a call centre service and all the identity proofing and verification work done in its name was really conducted behind the scenes by CitizenSafe/GB Group plc, another example of GDS's duplicity like the Post Office/Digidentity charade, please see above.

Not confidence-inspiring.

What happens to all the personal information that the Royal Mail and CitizenSafe/GB Group plc amassed while they were still operational? Them and their subsidiaries and partners and contractors? Where's the information gone now? What control do we citizens have over our own personal information? What happens when GDS and DCMS are no longer involved?

Come to that, what's happened to all the personal information Verizon amassed while they were an "identity provider"?

Even for the continuing "identity providers" – Barclays Bank, Digidentity, Experian, the Post Office and SecureIdentity/Morpho – GOV.UK Verify (RIP) doesn't abide by a single one of the identity assurance principles that are meant to govern it.

Not confidence-inspiring.

GDS never answer questions posed by us, the public. Maybe they'll answer the eIDAS authorities.


Updated 18.10.18

Certification of the GOV.UK Verify (RIP) services supplied by "identity providers" is carried out by tScheme. The summary of their certification has now been updated.

The Post Office is most notable as the only "identity provider" to have no tScheme approval whatever.

None of the "identity providers" is certified by tScheme as having any expertise with digital certificates – something of a gap vis-à-vis eIDAS, which is all about trust services.

3 comments:

Anonymous said...

"Has GOV.UK Verify (RIP) been pre-notified by the Government Digital Service?"
It seems so ... by googling "eidas pre notified" this comes as first result: https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS

David Moss said...

Thank you for your comment, Anonymous @ 20 October 2018 at 16:56.

We all know that GOV.UK Verify (RIP) has been pre-notified.

The question is, who pre-notified it?

GDS? But GDS are no longer in charge of identity policy. DCMS are. By what right could GDS pre-notify?

And now GOV.UK Verify (RIP) is being handed over to the private sector. So should the private sector pre-notify?

Who should the EU's Cooperation Network deal with?

Anonymous said...

If you look at the comment section in the page I've linked and you do your research, it looks like it's coming form them ... although I've got serious doubts as well ;)
Good question ... if it's really them, to what title are they engaging with EU?

Post a Comment