Friday 30 November 2012

midata – the false prospectus. Every time you look, you see another mendacious argument

There is a peril in conflating the concepts of open data and personal data

Sometimes you sit down to write a post and you get to work on it, only to find that someone else has done it first – and what's more, in 22 words flat.
How Midata will affect business and consumers

Kathleen Hall
Tuesday 20 November 2012 12:47

As the government pushes private companies to release customer data under its Midata initiative, Computer Weekly looks at what this means for the digital economy and who stands to benefit most from this new form of "consumer empowerment".

The government's Department for Business, Innovation and Skills has singled out energy companies, mobile phone firms, banks and payment companies as key organisations that should release customer data to allow consumers to make more informed decisions under its Midata initiative ...
Ms Hall goes on to describe how midata will force suppliers who already provide us with a record of our transactions to provide us with a record of our transactions.

She introduces the reader to Professor Nigel Shadbolt, co-director with Professor Sir Tim Berners-Lee of the Open Data Institute (ODI). He believes that there is money to be made by people writing apps to process personal data and help them to make better decisions.

She interviews Nick Pickles, the director of Big Brother Watch, who has reservations about midata.

And she interviews Owen Boswarva:
Owen Boswarva, open data activist, warned there is a danger of consumers being blasé about their information being passed on to third parties. He said the potential risks were in danger of being de-emphasised.

“On the face of it, this is presented as being an unalloyed good thing, and you can’t argue with having more access to data. But it will depend on the checks and balances in how this is implemented,” he said.

Boswarva said he would like to see additional processes built in to ensure data is handled properly.

“There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing,” he said.

(Boswarva links added by DMossEsq,
not in Computer Weekly article)
And there it is. In 22 words. Admirable conciseness: "There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing". That's all that needs to be said.

Glutton for punishment?

Here's the DMossEsq 1,000-word version.

25 September 2012, and the Guardian publish Time for online users to devise a transparent internet we all could trust by Alastair Crawford, the founder of 192.com.

First we get:
... consumers have much to gain through sharing personal data and by understanding what data exists on them, either for making smarter purchases or exploring commercial opportunities – the government's Midata project, being debated in the enterprise and regulatory reform bill, enables consumers to demand the transaction data companies store on them. This will allow consumers to understand their spending patterns better and become smarter shoppers.
Followed by:
... a post-Wikileaks world requires accountability – if we are not accountable, someone will account for us. Perhaps this is the thinking behind the UK government's Open Data initiative, which makes public data available so we can better understand policy decisions and see the "raw data driving government forward".
And finally:.
It's particularly important that the biggest player in this equation remains the individual. The individual must be empowered to take greater control over the use of data created by and about him. As more data is created on people, there must be an ever more sensitive balance between privacy and accountability
Never mind the fact that equations don't normally have players in them, you see what's happened there?

Against a background of transparency, trust, understanding, smart shopping, accountability, empowerment and control, the argument moves from personal data to public data and back to personal as though they should both be open, as though they're comparable.

They're not.

It is not just legitimate but essential that Whitehall expose as much data as possible showing how they spend 700 billion of our pounds every year so that we can look for ways to get better value for money. There is no such imperative for individuals to expose their personal data – which is what midata would do – and there is every reason to reveal as little of it as possible.

On that basis, Professor Shadbolt's involvement with the ODI seems nothing but benign. But why is he involved with midata? Why is the co-director of the ODI (public data) also the chairman of the quite different midata (personal data)?

The answer centres on Garlik Ltd, a company the professor collaborated with (or founded) and which has now been sold to Experian, the credit referencing agency, which is one of the UK's seven appointed "identity providers".

Garlik helps people to avoid identity theft/fraud. So Professor Shadbolt has some relevant expertise in fighting fraud. Good. But then why would he promote midata, an initiative which can only increase the incidence of identity theft/fraud as people record more and more of their personal data, including logon IDs and passwords, in their personal data stores, on the web?

Every time you look at midata you see these contradictions:
  • midata promises to make suppliers provide statements. But they already do.
  • midata promises to give consumers control over their data. But that control is not midata's to give ...
  • ... and anyway, midata looks more like giving up control than gaining it ...
  • ... because the way midata works is that you hand over all your data to a trusted third party you have no reason to trust ...
  • ... who stores it on the web, which you know is a dangerous place to store it.
  • The advocates of midata promise loudly that it will boost the UK economy but admit that it might not ...
  • ... while staying very quiet about the way the scheme would work in practice and particularly the dangerous  need to create a personal data store on the web.
  • midata is supposed to help people make better decisions, but the only examples given are switching applications – switch mobile phone suppliers, switch gas and electricity suppliers, ... – and those applications already exist. We don't need new legislation.
  • midata involved introducing new regulations. The department for Business Innovation and Skills say it will have a de-regulatory effect.
  • ...
It's a false prospectus. One mendacious argument after another. Of which the elision of public and personal data is just one more.

----------

Added 27.12.12:
Government revives plan for greater data-sharing between agencies
... Guy Herbert, of the No2ID campaign, said he was alarmed to see the revival of the Blair government's database state policies. "There has been a consistent – and it can only be deliberate – habit in Whitehall of conflating 'public information', which most people take to mean information about the state, with information on the public held by state agencies. This has now been hooked on to the new administration's modish transparency, and is used to suggest that 'open data' implies opening us all up to inspection at official whim. It doesn't."

midata – the false prospectus. Every time you look, you see another mendacious argument

There is a peril in conflating the concepts of open data and personal data

Sometimes you sit down to write a post and you get to work on it, only to find that someone else has done it first – and what's more, in 22 words flat.
How Midata will affect business and consumers

Kathleen Hall
Tuesday 20 November 2012 12:47

As the government pushes private companies to release customer data under its Midata initiative, Computer Weekly looks at what this means for the digital economy and who stands to benefit most from this new form of "consumer empowerment".

The government's Department for Business, Innovation and Skills has singled out energy companies, mobile phone firms, banks and payment companies as key organisations that should release customer data to allow consumers to make more informed decisions under its Midata initiative ...
Ms Hall goes on to describe how midata will force suppliers who already provide us with a record of our transactions to provide us with a record of our transactions.

She introduces the reader to Professor Nigel Shadbolt, co-director with Professor Sir Tim Berners-Lee of the Open Data Institute (ODI). He believes that there is money to be made by people writing apps to process personal data and help them to make better decisions.

She interviews Nick Pickles, the director of Big Brother Watch, who has reservations about midata.

And she interviews Owen Boswarva:
Owen Boswarva, open data activist, warned there is a danger of consumers being blasé about their information being passed on to third parties. He said the potential risks were in danger of being de-emphasised.

“On the face of it, this is presented as being an unalloyed good thing, and you can’t argue with having more access to data. But it will depend on the checks and balances in how this is implemented,” he said.

Boswarva said he would like to see additional processes built in to ensure data is handled properly.

“There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing,” he said.

(Boswarva links added by DMossEsq,
not in Computer Weekly article)
And there it is. In 22 words. Admirable conciseness: "There is a peril in conflating the concepts of open data and personal data, which I feel the government may be doing". That's all that needs to be said.

Glutton for punishment?

Here's the DMossEsq 1,000-word version.

Wednesday 28 November 2012

HMRC, Skyscape and a 2nd response from Phil Pavitt

G-Cloud, GDS, HMRC and Skyscape, the company with just one director, who owns all the shares – Whitehall SNAFU
Open letter to Lin Homer, Chief Executive, HMRC, asking about the wisdom of entrusting their data (our data) to the cloud with Skyscape Cloud Services Ltd.
Response from Phil Pavitt, Director General Change, Security and Information, HMRC, on behalf of Lin Homer.
Open letter to Phil Pavitt.
28 November 2012
Response dated 26 November 2012 from Phil Pavitt, please see below:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]


HMRC and Skyscape Cloud Services Ltd

Dear Mr Moss

Thank you for your letter of 24 October 2012 expressing your concerns in respect of Skyscape Cloud Services Ltd suitability to host HMRC data. I apologise for the delay in responding to you.

Further to my reply of 22 October, I wanted to provide you with some more information to alleviate your concerns. I must reiterate our assurance that using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.

When fully operational, Skyscape Cloud Services Ltd will securely host all HMRC data currently held on office File and Print Servers (FAPS). FAPS support the work of many HMRC offices and hold data for a wide range business purposes e.g. administrative and customer related. FAPS do not hold the definitive tax records for the UK and these records remain distributed across a number of secure systems.

HMRC routinely risk assesses and tests the security of our solutions and services. Our secure connection to Skyscape will be delivered in line with HM Government standards to protect our data, with ongoing assurance checks throughout the life of this service.

As emphasised in my letter of 24 October, in order to deliver through G-Cloud, Skyscape were required to meet a set of mandatory criteria set out by Government Procurement Services (GPS) including financial standing and Experian risk assessments. Additionally, HMRC carried out its own standard taxation and financial compliance checks before awarding the contract and Skyscape passed the standards set by HMRC and Government.

All G Cloud contracts are let on a one year basis, with exit provisions agreed to transfer the data to a new supplier should this prove necessary.

Data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). All security aspects of the service will have to be proven in line with HM Government security standards. This will include the need to ensure the ‘cloud’ is hosted in a UK domiciled, secure data centre(s) and operated by staff with appropriate security clearance. We are also carrying out internal accreditations including Internal Risk Management and Accreditation Document Set (RMADS) and PSN risk assessments.

I trust that this answers your concerns and you are able to appreciate our decision to contract with Skyscape.

Yours sincerely

Regards

Phil Pavitt
HMRC Director General Change, Security and Information

HMRC, Skyscape and a 2nd response from Phil Pavitt

G-Cloud, GDS, HMRC and Skyscape, the company with just one director, who owns all the shares – Whitehall SNAFU
Open letter to Lin Homer, Chief Executive, HMRC, asking about the wisdom of entrusting their data (our data) to the cloud with Skyscape Cloud Services Ltd.
Response from Phil Pavitt, Director General Change, Security and Information, HMRC, on behalf of Lin Homer.
Open letter to Phil Pavitt.
28 November 2012
Response dated 26 November 2012 from Phil Pavitt, please see below:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]


HMRC and Skyscape Cloud Services Ltd

Dear Mr Moss

Thank you for your letter of 24 October 2012 expressing your concerns in respect of Skyscape Cloud Services Ltd suitability to host HMRC data. I apologise for the delay in responding to you.

Further to my reply of 22 October, I wanted to provide you with some more information to alleviate your concerns. I must reiterate our assurance that using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.

When fully operational, Skyscape Cloud Services Ltd will securely host all HMRC data currently held on office File and Print Servers (FAPS). FAPS support the work of many HMRC offices and hold data for a wide range business purposes e.g. administrative and customer related. FAPS do not hold the definitive tax records for the UK and these records remain distributed across a number of secure systems.

HMRC routinely risk assesses and tests the security of our solutions and services. Our secure connection to Skyscape will be delivered in line with HM Government standards to protect our data, with ongoing assurance checks throughout the life of this service.

As emphasised in my letter of 24 October, in order to deliver through G-Cloud, Skyscape were required to meet a set of mandatory criteria set out by Government Procurement Services (GPS) including financial standing and Experian risk assessments. Additionally, HMRC carried out its own standard taxation and financial compliance checks before awarding the contract and Skyscape passed the standards set by HMRC and Government.

All G Cloud contracts are let on a one year basis, with exit provisions agreed to transfer the data to a new supplier should this prove necessary.

Data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). All security aspects of the service will have to be proven in line with HM Government security standards. This will include the need to ensure the ‘cloud’ is hosted in a UK domiciled, secure data centre(s) and operated by staff with appropriate security clearance. We are also carrying out internal accreditations including Internal Risk Management and Accreditation Document Set (RMADS) and PSN risk assessments.

I trust that this answers your concerns and you are able to appreciate our decision to contract with Skyscape.

Yours sincerely

Regards

Phil Pavitt
HMRC Director General Change, Security and Information

Monday 26 November 2012

HMRC soon to be Pavittless

Computer Weekly, 22 November 2012:
Phil Pavitt has stepped down as HMRC’s CIO to join insurance giant Aviva as global director of IT transformation ...

Under his role at Aviva Pavitt will be tasked with simplifying the firm’s IT services, and modernising and digitising its business.
DMossEsq readers have met Mr Pavitt a couple of times.

Back in May he forgot that the UK already has a Government Gateway and doesn't need GDS – the Government Digital Service – to develop a new one, even if they could.

More recently, he was deputed by Lin Homer, Chief Executive of HMRC, to explain why HMRC have decided to store all our tax records with a one-man company, Skyscape Cloud Services Ltd:
  • Let's hope he has time to explain this transformational decision to the public before he leaves HMRC.
  • And let's see if Aviva, in the name of "modernisation", will store all their insurance records in the cloud and instantly lose control of them.

HMRC soon to be Pavittless

Computer Weekly, 22 November 2012:
Phil Pavitt has stepped down as HMRC’s CIO to join insurance giant Aviva as global director of IT transformation ...

Under his role at Aviva Pavitt will be tasked with simplifying the firm’s IT services, and modernising and digitising its business.
DMossEsq readers have met Mr Pavitt a couple of times.

Identity assurance – one under the eight

On 13 November 2012 the Department for Work and pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.

We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.

Publication slipped. And we still don't know who the eighth "identity provider" will be.

Two things we do know:
  • Whoever the eighth one is, there is clearly some reluctance somewhere, some friction. Maybe DWP aren't sure about the credentials of this eighth supplier. Maybe the eighth supplier isn't sure that it wants to be involved with IDAP, the government's tottering Identity Assurance Programme. Either way, they will start with their credibility impugned.
  • It's not really DWP doing the appointing. It's GDS, the Government Digital Service. GDS may be very good at designing websites. But what credentials, if any, do they have for identity assurance? The appointment is clearly giving them an embarrassing problem. More to the point, there are 21 million prospective claimants for Universal Credit in the UK. Identity assurance is meant to be operational by the Spring of 2013 for all 21 million of them. The chances of that happening are now nil. GDS's failure is extending the imprisonment in the poverty trap of millions of claimants who could be released by Universal Credit. Putting the wrong people in charge of identity assurance has miserable social consequences.

Identity assurance – one under the eight

On 13 November 2012 the Department for Work and pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.

We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.

Publication slipped. And we still don't know who the eighth "identity provider" will be.

Two things we do know:

Thursday 22 November 2012

midata – nudging you into an interactive flashbased graph

There's so much wrong with midata, the Department for Business Innovation and Skills initiative to "empower" all us consumers, that you may forget the delightful loopiness of its proposed benefits:
If organisations try to share customer data with each other they invade individuals’ privacy and risk breaching the Data Protection Act. The result is duplication, waste and missed opportunities ...

Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass. Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals. Data is manipulated so that users can share statistics and compare the end results ...

Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next.
Silly old privacy laws. They just get in the way. They're synonymous with waste and duplication. They stand in the way of interactive flashbased  graphs of our coffee consumption and lawn-mowing. With midata choice engines we'll be able to predict the future and control it.

Which mooncalf would fall for this unlikely sales pitch? Cui bono?

There are many answers but one obvious one is Whitehall's Behavioural Insights Team.

They're not having much luck. Most people ridicule the team's nudging job. Their behavioural insight is limited. Tasked with getting UK retailers to sign up to midata, they failed and have now resorted to legislation – the very tool they're meant to abjure.

How could their performance be improved? What would help the Behavioural Insights Team to do its job?

These questions must have haunted Sir-Gus-now-Lord O'Donnell, head of the team's advisory board. And then along came midata. midata and its attendant app-writers, churning out choice engines to help people make life-style decisions, vehicles which could be tuned, perhaps, by Whitehall – who are footing the bill, after all, let's face it – tuned to influence, or nudge people's decisions in a chosen direction, an officially preferred direction ...

----------

Just after writing the word "pitch", just before "Cui bono", an email appeared from Alan Mitchell, the man who thinks midata will allow us to tell the future more accurately than horoscopes:
Please forward this newsletter to colleagues if you think they will find the content useful. Anyone can sign up to receive the newsletter by joining our registered [sheltered?] community here. We only send the newsletter to people who request to receive it.
Would you like to join this registered community? Perhaps this sample will help to nudge you:
We have published a short, informative paper, ‘midata: where next?’ ... It summarises the new focus areas of the programme and showcases a prize winning example straight from the recent inaugural, ground-breaking midata Hackathon of what innovation and value can be achieved in a new midata-enabled world ...

In a series of blog posts we’ve ... discussed how, by opening up a new private sector market of Identity Providers which can act on an individual’s behalf, the Government is kick starting an ecosystem of enriched, trusted data sharing, stimulating innovation and cost saving opportunities ...

There is further investment in the quantified self space as Canadian company Retrofit announces $8 million in new funding ...
----------

Added 1.4.13: Nike+ FuelBand and Google Glass: what next for the 'quantified self'?

midata – nudging you into an interactive flashbased graph

There's so much wrong with midata, the Department for Business Innovation and Skills initiative to "empower" all us consumers, that you may forget the delightful loopiness of its proposed benefits:
If organisations try to share customer data with each other they invade individuals’ privacy and risk breaching the Data Protection Act. The result is duplication, waste and missed opportunities ...

Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass. Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals. Data is manipulated so that users can share statistics and compare the end results ...

Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next.
Silly old privacy laws. They just get in the way. They're synonymous with waste and duplication. They stand in the way of interactive flashbased  graphs of our coffee consumption and lawn-mowing. With midata choice engines we'll be able to predict the future and control it.

Which mooncalf would fall for this unlikely sales pitch? Cui bono?