On 13 November 2012 the Department for Work and pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.
We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.
Publication slipped. And we still don't know who the eighth "identity provider" will be.
Two things we do know:
Whoever the eighth one is, there is clearly some reluctance somewhere, some friction. Maybe DWP aren't sure about the credentials of this eighth supplier. Maybe the eighth supplier isn't sure that it wants to be involved with IDAP, the government's tottering Identity Assurance Programme. Either way, they will start with their credibility impugned.
It's not really DWP doing the appointing. It's GDS, the Government Digital Service. GDS may be very good at designing websites. But what credentials, if any, do they have for identity assurance? The appointment is clearly giving them an embarrassing problem. More to the point, there are 21 million prospective claimants for Universal Credit in the UK. Identity assurance is meant to be operational by the Spring of 2013 for all 21 million of them. The chances of that happening are now nil. GDS's failure is extending the imprisonment in the poverty trap of millions of claimants who could be released by Universal Credit. Putting the wrong people in charge of identity assurance has miserable social consequences.
On 13 November 2012 the Department for Work and pensions (DWP) announced the appointment of seven so-called "identity providers" for the new digital-by-default UK – the Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon.
We were previously led to believe that the announcement would be made on 22 October 2012. And before that we were supposed to have the news by 30 September 2012.
Publication slipped. And we still don't know who the eighth "identity provider" will be.
There's so much wrong with midata, the Department for Business Innovation and Skills initiative to "empower" all us consumers, that you may forget the delightful loopiness of its proposed benefits:
If organisations try to share customer data with each other they invade individuals’ privacy and risk breaching the Data Protection Act. The result is duplication, waste and missed opportunities ...
Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass. Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals. Data is manipulated so that users can share statistics and compare the end results ...
Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next.
Silly old privacy laws. They just get in the way. They're synonymous with waste and duplication. They stand in the way of interactive flashbased graphs of our coffee consumption and lawn-mowing. With midatachoice engines we'll be able to predict the future and control it.
Which mooncalf would fall for this unlikely sales pitch? Cui bono?
They're not having much luck. Most people ridicule the team's nudging job. Their behavioural insight is limited. Tasked with getting UK retailers to sign up to midata, they failed and have now resorted to legislation – the very tool they're meant to abjure.
How could their performance be improved? What would help the Behavioural Insights Team to do its job?
These questions must have haunted Sir-Gus-now-Lord O'Donnell, head of the team's advisory board. And then along came midata. midata and its attendant app-writers, churning out choice engines to help people make life-style decisions, vehicles which could be tuned, perhaps, by Whitehall – who are footing the bill, after all, let's face it – tuned to influence, or nudge people's decisions in a chosen direction, an officially preferred direction ...
----------
Just after writing the word "pitch", just before "Cui bono", an email appeared from Alan Mitchell, the man who thinks midata will allow us to tell the future more accurately than horoscopes:
Please forward this newsletter to colleagues if you think they will find the content useful. Anyone can sign up to receive the newsletter by joining our registered [sheltered?] community here. We only send the newsletter to people who request to receive it.
Would you like to join this registered community? Perhaps this sample will help to nudge you:
We have published a short, informative paper, ‘midata: where next?’ ... It summarises the new focus areas of the programme and showcases a prize winning example straight from the recent inaugural, ground-breaking midata Hackathon of what innovation and value can be achieved in a new midata-enabled world ...
In a series of blog posts we’ve ... discussed how, by opening up a new private sector market of Identity Providers which can act on an individual’s behalf, the Government is kick starting an ecosystem of enriched, trusted data sharing, stimulating innovation and cost saving opportunities ...
There is further investment in the quantified self space as Canadian company Retrofit announces $8 million in new funding ...
There's so much wrong with midata, the Department for Business Innovation and Skills initiative to "empower" all us consumers, that you may forget the delightful loopiness of its proposed benefits:
If organisations try to share customer data with each other they invade individuals’ privacy and risk breaching the Data Protection Act. The result is duplication, waste and missed opportunities ...
Tallyzoo, a service dedicated to self monitoring, allows users to measure anything from their caffeine intake to the number of times they cut their grass. Users collect data using a mobile device or website program which creates interactive flashbased graphs enabling them to spot trends and patterns in their consumption habits, work, health and fitness goals. Data is manipulated so that users can share statistics and compare the end results ...
Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next.
Silly old privacy laws. They just get in the way. They're synonymous with waste and duplication. They stand in the way of interactive flashbased graphs of our coffee consumption and lawn-mowing. With midatachoice engines we'll be able to predict the future and control it.
Which mooncalf would fall for this unlikely sales pitch? Cui bono?
Questions have been raised about the advisability of creating population registers on the web.
The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.
(Reuters) - Greek police have arrested a man on suspicion of stealing the personal data of roughly two thirds of the country's population, police officials in Athens said on Tuesday.
The 35-year old computer programmer was also suspected of attempting to sell the 9 million files containing identification card data, addresses, tax ID numbers and license plate numbers. Some files contained duplicate entries, police said.
Greece's population is 11 million ...
BIS and DWP promise us, of course, that the midata and Universal Credit registers will be held in secure websites. No doubt. But then the Greek population register was supposed to be secure, too. Not much help, is it?
Surely this must be a one-off, you object? No. You're forgetting last year's Jerusalem Post, 24 October 2011:
Information was used to create searchable database; computer technician put the database on Internet for anyone worldwide to access.
A contract worker from the Labor and Welfare Ministry was charged with stealing the personal information of over nine million Israelis from the Population Registry, the Justice Ministry announced Monday after a media ban was lifted.
The worker electronically copied identification numbers, full names, addresses, dates of birth, information on family connections and other information in order to sell it to a private buyer ...
Questions have been raised about the advisability of creating population registers on the web.
The Department for Business Innovation and Skills (BIS) have an initiative called "midata" which would require us to enrol in identity registers in the cloud, please see for example Cybersecurity – good news at last, from midata.
What are the policy objectives and the intended effects? Giving consumers access to their transaction data will enable consumers to make better informed decisions and choose products which offer them the best value. This in turn will reward firms offering the best value because they will be able to win more customers, increasing competition and leading to lower prices, improved efficiency and greater innovation. It will allow consumers to analyse and then improve their consumption patterns, particularly by enabling third party ‘choice engines’ to process transactional data on behalf of consumers and advise them on their consumption habits and potential switching options. We expect the release of information to stimulate innovation in and expansion of third party choice engines.
"Choice engines". What a phrase. Who won the office sweepstake last week for that one?*
The idea behind midata is that you should store all your transaction data in a personal data store (PDS) hosted in the cloud, on the web, by a trusted third party like, say, Mydex. Some innovative juvenile writes an app which, given the evidence of your consumption patterns, recommends the best play to go to see in London. You give Mydex permission to share your data with WhatsOnApp® and a stream of unwanted phone calls ensues, trying to get you to see Chicago. Ditto health apps – eat more broccoli. And financial apps – earn more interest, save with Bear Sterns.
You've got to be a bit stupid anyway to open a midata account in the first place and store all your personal data in the worldwide wild West of the web with a third party you've never met and have no reason to trust. Even more stupid to go on to share your personal data with unknown third party apps.
Advocates of midata are forever promising an "ecosystem" of apps developers. That's not the answer to the question. They're more likely to create a natural habitat of the stupid.
The choices made, the preferences expressed, are a function of my personality, if you like, of my character. That's using your language. In my language, personality or character is a choice engine. And choices are made to maximise rewards.
What are the policy objectives and the intended effects?
Giving consumers access to their transaction data will enable consumers to make better informed decisions and choose products which offer them the best value. This in turn will reward firms offering the best value because they will be able to win more customers, increasing competition and leading to lower prices, improved efficiency and greater innovation. It will allow consumers to analyse and then improve their consumption patterns, particularly by enabling third party ‘choice engines’ to process transactional data on behalf of consumers and advise them on their consumption habits and potential switching options. We expect the release of information to stimulate innovation in and expansion of third party choice engines.
"Choice engines". What a phrase. Who won the office sweepstake last week for that one?*
13 November 2012 – Providers announced for online identity scheme
The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.
The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.
The Minister for Welfare Reform Lord Freud said:
"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.
The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?
At the moment, you have to know separate user IDs and passwords for logging onto Facebook, for example, Twitter, Amazon, eBay, PayPal, your bank, HMRC (self-assessment), HMRC (VAT returns), etc ... That is very inconvenient.
GDS, the Government Digital Service, the people behind identity assurance – remember, ex-Guardian man Mike Bracken is not only chief executive of GDS but also the senior responsible officer owner for the government's identity assurance programme – want to make your life more convenient.
So what they propose is that you give all those user IDs and passwords to your chosen IDP and let them log on for you. You still have to remember the user ID and password you use to log onto your IDP. But as long as you can do that, you're fine, your IDP will remember all other user IDs and passwords and log on for you.
That's obviously convenient. But is it wise?
Take a look at the seven IDPs. Which one would you trust with the user ID and password for your bank accounts? And why? You've never heard of them, have you? Apart from the Post Office. They may all be eminently trustworthy. But suppose some ne'er-do-well teenager with Asperger's hacks into them and just steals all the user IDs and passwords?
Remembering all those user IDs and passwords ourselves may be unavoidable. It may be the price we pay for security. It might be convenient to have someone do our remembering for us but, if we lose our security as a result, it wouldn't be wise.
Have DWP and GDS taken leave of their senses suggesting that we should trust unknown third parties with our user IDs and passwords?
Your only option is to minimise your inevitable losses. Make sure that if one set of defences is breached they aren't all breached. Maintain distinct logon ID-and-password combinations for each on-line service you use.
The Government Digital Service continue to try to breathe life into the corpse of their Identity Assurance programme (IDA). The service is now known as "GOV.UK Verify". GDS continue to ask us to believe against all the evidence that it is secure.
And they continue to advocate having as few logon ID-password combinations as possible on the grounds that that is convenient and the Devil take the risks. No bank would recommend that. But then the banks are liable to compensate you if your bank account is emptied by hackers. GDS aren't. If you're hacked as a result of using GOV.UK Verify, you pay.
The BBC have been drafted in to promote GOV.UK Verify. Here's an extract from BBC Radio 4's World At One news programme, 23 January 2015:
David Alexander, the CEO of Mydex, is interviewed. Mydex is one of the five "identity providers" left at GDS's identity assurance funeral. Use a Mydex personal data store (PDS), says Mr Alexander towards the end of the extract, and let that log on to all your other services for you. That will be much more convenient.
Take him, for example. Currently, he says, he has 705 logon ID-password combinations for on-line services he uses. That's awfully inconvenient. How much better to store them all in his PDS and let Mydex log on to these 705 services for him.
But hang on a minute. If one of those 705 services is hacked at the moment, he's left with 704 services that haven't been hacked. Follow his recommendation, use a Mydex PDS, and one security breach opens the door to all 705 services.
You don't need to be a genius at risk assessment to recognise the disproportionate danger of the PDS idea.
Mr Alexander is in 705 times more danger if he uses GDS's GOV.UK Verify than if he doesn't.
If someone offers you the convenience of a single logon ID-password combination, run a mile.
13 November 2012 – Providers announced for online identity scheme
The Post Office, Cassidian, Digidentity, Experian, Ingeus, Mydex, and Verizon are the successful providers chosen to design and deliver a secure online identity registration service for the Department for Work and Pensions.
The identity registration service will enable benefit claimants to choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims.
The Minister for Welfare Reform Lord Freud said:
"We are working with cyber security experts to ensure we are clear about the threats to the online process and we are confident that the providers announced today will offer an effective, safe and free to use identity service for future online benefit claims."
As well as offering a safe and secure system, providers will be required to offer a simplified registration process, minimise the number of usernames and passwords a customer will need to remember and reduce the costs incurred across Government for the management of Identity Assurance.
The online Identity Assurance model will be incorporated into Universal Credit as it’s developed and rolled-out. Over time Identity Assurance will become available to all UK citizens who need to access online public services.
"... providers will be required to ... minimise the number of usernames and passwords a customer will need to remember ..." – what's that all about?
