Monday, 24 February 2014

care.data, midata & PSI/open data


Whitehall's Misfeasance in Public Office (MiPo) Express hurtles on.


Once again the UK's NHS (National Health Service) is in the news, this time as a result of its care.data initiative.

care.data is a threat to medical confidentiality. The campaign to protect medical confidentiality has been conducted by medConfidential, among others. The other day they were able to celebrate one battle won – the introduction of care.data has now been delayed for six months:


Congratulations to medConfidential. And also to the BMA (the British Medical Association) and to NHS England:
Tim Kelsey, national director for patients and information at NHS England, said:

“NHS England exists for patients and we are determined to listen to what they tell us. We have been told very clearly that patients need more time to learn about the benefits of sharing information and their right to object to their information being shared. That is why we are extending the public awareness campaign by an extra six months.”
The NHS already has access to patients' hospital records, which can be used to measure the performance of hospitals. That data is also an invaluable resource for medical research. The idea of care.data is for the first time to add patients' GP records to the hospital data to make an even greater resource for audit and for research.

An Englishman's relationship with his or her family GP (General Practitioner) is very personal and the thought of scores of strangers sifting through all our currently confidential records is bringing a lot of us out in spots. Few of us can make the case for the prosecution cogently. So let's hand that job over to Ben Goldacre, a doctor, the author of Bad Science, a journalist and public speaker, and an enthusiastic advocate of care.data.

Writing in the Guardian the other day, The NHS plan to share our medical data can save lives – but must be done right, he said that care.data ...
... is being put at risk, by the bungled implementation of the care.data project. It was supposed to link all NHS data about all patients together into one giant database, like the one we already have for hospital episodes; instead it has been put on hold for six months, in the face of plummeting public support. It should have been a breeze. But we have seen arrogant paternalism, crass boasts about commercial profits, a lack of clear governance, and a failure to communicate basic science properly.
"Bungled implementation"? "Plummeting public support"? "Arrogant paternalism"? "Crass boasts about commercial profits"? "A lack of clear governance"? "A failure to communicate basic science properly"? He doesn't seem to be very impressed with NHS England, does he?

Nor with Tim Kelsey:
Tim Kelsey is the man running the show: an ex-journalist, passionate and engaging, he has drunk more open-data Kool-Aid than anyone I've ever met. He has evangelised the commercial benefits of sharing NHS data – perhaps because he made millions from setting up a hospital-ranking website with Dr Foster Intelligence – but he is also admirably evangelical about the power of data and transparency to spot problems and drive up standards. Unfortunately, he gets carried away, stepping up and announcing boldly that no identifiable patient data will leave the Health and Social Care Information Centre. Others supporting the scheme have done the same.
The claim that patient records can be anonymised is false. DMossEsq readers know that – Professor Martyn Thomas told us last June. And Ben Goldacre agrees. He takes himself as an example and demonstrates in his Guardian article how he could be identified in a few simple steps even if his name, address and date of birth are not included in his medical records.

DMossEsq readers will also recognise this syndrome of evangelising "the commercial benefits of sharing NHS data" or any other Public Sector Information (PSI). We have come across someone else who's over-indulged in the Kool-Aid, in the form of Stephan Shakespeare.

"Forecasting future benefits is also hard to predict", he told us, and yet he felt confident that "it seems a straightforward decision to invest £143m to make Trading Fund data widely available is a relatively small price to pay to leverage wider economic benefits far exceeding this by orders of magnitude". Which is it? "Hard to predict"? Or "a straightforward decision"? It can't be both.

There's a lot of it about. Professor Sir Nigel Shadbolt's midata project is another example: "A data-enabled online market place will create new services that will take your data and do some really interesting things with it". What "really interesting things"? Once it was put to the test in the midata Innovation Lab, the answer turned out to be none – no really interesting things, not one.

So much for the bold claim made for midata by Ctrl-Shift, the consultancy advising the Department for Business Innovation and Skills (BIS): "Access to such data represents a ‘holy grail’ data to companies because it explains why people do what they do and predicts what they are going to do next". Not only would midata allow BIS to know the future but, conveniently enough, "Ctrl-Shift’s research finds that the market for these new streams of information could grow to be worth £20bn in the UK over the next ten years" (p.14).

Deceitful promises to be able to predict the future are familiar enough throughout history. The only innovation here is how small the Kool-Aid budget is at only £2 billion p.a.

As Ben Goldacre says:
Trust, of course, is key here, and that's currently in short supply. The NSA leaks showed us that governments were casually helping themselves to our private data. They also showed us that leaks are hard to control, because the National Security Agency of the wealthiest country in the world was unable to stop one young contractor stealing thousands of its most highly sensitive and embarrassing documents.
Trust has been punctured by the "crass boasts about commercial profits" and by the false claims as to anonymisation. As for the security of our centralised personal medical records, it's not just the behaviour of GCHQ and the NSA which raises doubts. Ben Goldacre is wrong there.

It's also the daily occurrence of breaches of security on the web. There is no such thing as a secure website. They don't exist. Any more than unicorns.

And where does NHS England's Health and Social Care Information Centre want to put our care.data? In the cloud – just take a look at the extract below from G-Cloud's sales figures as at November 2013. In the cloud where, as DMossEsq readers know, they are guaranteed to lose control of it:


Customer: Health and Social Care Information Centre

| Supplier | For Month | Product / Service Description | Total Charge £ (Ex VAT) |
|---|---|---|---|
| EMERGN LTD | Jul-13 | Agile Coaching | 9,900.00 |
| Info-Assure | Nov-13 | IT Security | 8,820.00 |
| INTECHNOLOGY PLC | Aug-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Aug-13 | IaaS | 9,300.00 |
| INTECHNOLOGY PLC | Sep-13 | IaaS | 9,300.00 |
| INTECHNOLOGY PLC | Sep-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Sep-13 | IaaS | 52,618.00 |
| INTECHNOLOGY PLC | Sep-13 | IaaS | 49,560.00 |
| INTECHNOLOGY PLC | Oct-13 | Compute | 9,300.00 |
| INTECHNOLOGY PLC | Oct-13 | Compute | 900.00 |
| INTECHNOLOGY PLC | Oct-13 | Compute | 9,300.00 |
| INTECHNOLOGY PLC | Oct-13 | Compute | 9,500.00 |
| INTECHNOLOGY PLC | Oct-13 | Compute | 10,440.00 |
| INTECHNOLOGY PLC | Nov-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Nov-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Nov-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Nov-13 | IaaS | 9,500.00 |
| INTECHNOLOGY PLC | Nov-13 | IaaS | 9,500.00 |
| Mastek UK Ltd | Oct-13 | Agile Development for Identity and Access Management | 73,458.64 |
| Mastek UK Ltd | Oct-13 | Agile Development for Identity and Access Management | 75,433.74 |
| Mastek UK Ltd | Oct-13 | Agile Development for Identity and Access Management | 42,236.82 |
| Mastek UK Ltd | Oct-13 | Agile Development for Identity and Access Management | 24,308.96 |
| Valtech Ltd | Aug-13 | Spine 2 Agile development service: initial 10 week term to complete the supplier evaluation | 100,000.00 |
| Total | | | 560,876.16 |

The case he makes against care.data is so convincing that, understandably, as a supporter, Dr Goldacre gets a bit hysterical towards the end of his article ...
... we need stiff penalties for infringing medical privacy, on a grand and sadistic scale. Fines are useless, like parking tickets, for individuals and companies: anyone leaking or misusing personal medical data needs a prison sentence, as does their CEO. Their company – and all subsidiaries – should be banned from accessing medical data for a decade. Rush some test cases through, and hang the bodies in the town square.
"Just what the doctor ordered", you may say, "hang the bodies in the town square".

But no. There's no need for hangings. No need for grand sadism, as he puts it. NHS England have already irrevocably forfeited the trust of patients and GPs and a six-month delay isn't going to put Humpty Dumpty back together again.

Dr Goldacre's faith in the transcendent virtue of care.data may be misplaced:
  • Knowledge of all their parishioners' personal data doesn't always help an agency to do good – it didn't stop the Child Support Agency spreading misery all around.
  • Auditing the hospitals didn't stop the atrocities of Stafford Hospital.
  • Nor did the best regulatory efforts of the Treasury, the FSA (RIP) and the Bank of England prevent the credit crunch of 2008.
  • There is no reason to believe that care.data would root out under-performing GPs any more reliably than the systems the NHS already has.
  • As to the benefits of research, the NHS already has masses of raw data to investigate, as Dr Goldacre tells us.
No more hysteria, please:
We have a golden opportunity in the UK, with 60 million people cared for in one glorious NHS ... the government ... have a good chance of saving a vital data project, and permitting medical research that saves lives on a biblical scale to continue.
And no more "arrogant paternalism" either. "Trust me, I'm a doctor"? Pace Dr Goldacre, we mere laymen are not too stupid to know what's good for us:
Opt-outs would destroy the data, and the growing calls for an opt-in system would be worse: opt-in killed people by holding back organ donation, and more than that, it would exacerbate social inequality around data, because the poorest patients, those most likely to be unwell, are also the least engaged with services, the least likely to opt in. They would become invisible.
The best of luck to medConfidential in the further battles to come over the next six months.

----------

Updated 26.2.14

Whitehall's Misfeasance in Public Office (MiPo) Express hurtles on.

On 23 February 2014 the Telegraph published Hospital records of all NHS patients sold to insurers:
... a report by a major UK insurance society discloses that it was able to obtain 13 years of hospital data – covering 47 million patients – in order to help companies “refine” their premiums ...

... “uniquely” they were able to combine these details with information from credit ratings agencies, such as Experian, which record the lifestyle habits of millions of consumers.

The calculations were used to advise companies how to refine their premiums, resulting in increased premiums for most customers below the age of 50 ...
There was a helpful follow-up the next day – Patient records should not have been sold, NHS admits. The records shouldn't have been sold. But they were. What is there to stop that happening again? Nothing – as Ben Goldacre had told us in his Guardian article, the HSCIC haven't worked out their procedures yet ...

... a subject which arose at yesterday's evidence session held by the House of Commons Health Select Committee. Three hours of unmissable TV during which officials refused to answer MPs' questions and MPs stated that they had already opted out of care.data because they don't trust HSCIC:



The Twittersphere distinguished itself during the course of the hearing. For example:



For those of you who don't have time to watch the proceedings or to plough through the tweets, some kind soul has summarised the matter in 3'50" flat, see Tim Kelsey discovers that care.data is in trouble:


What applies to the NHS's care.data applies equally to Professor Sir Nigel Shadbolt's Open Data Institute (ODI). And to Stephan Shakespeare's related National Data Strategy for Public Sector Information (PSI).

And to the Department for Business Innovation and Skills's midata initiative.

And to the Government Digital Service's identity assurance programme, IDA (RIP) – and, thereby, to the whole business of transacting with government via GOV.UK. And to G-Cloud – if people (and companies and partnerships and trusts and charities and ...) can be inveigled into putting all their data in the cloud, they will voluntarily have lost control of it. Instantly.

They're all on the same express. The MiPo Express.

Sunday, 23 February 2014

Weight Watchers: try the new low HB diet

What is weight?

You know the answer to that one. You went to school. It's a force.

And what do we know about forces?

They're something to do with acceleration. F=ma. Force = mass times acceleration. That's what Newton said.

When DMossEsq was at school, 300 years after Newton, we were taught that here on planet Earth the rate of acceleration due to gravity is 9.81 metres per second per second. It's fixed. So how come different people have different weights?

Answer, because they have different masses, obviously, so if you want to reduce your weight, you need to reduce your mass.

But what is mass?

Newton kept pretty quiet about that question. Or so we were told at school. But things have moved on now.

Now we know that particles have mass because Higgs Bosons give it to them. No Higgs Bosons, no mass. If you want to reduce your mass and, thereby, reduce your weight, you need to stop eating Higgs Bosons. You need to eat food that is low in Higgs Bosons. A healthy diet is a low-HB diet.

It is unbelievable that the marketing men haven't already unleashed a blizzard of advertisements for low-HB food. And it's downright irresponsible of the UK health fraternity not yet to have set up a single HB watchdog. Where is our HB Tsar? Are expectant mothers to be allowed to continue consuming Higgs Bosons to their heart's content with no thought for the baby? How many HB trawler research projects have been funded so far? None. Use an HB trawler before boarding a plane and the airlines could charge less for your ticket as less fuel would be required for your flight – new dry-cleaned and freshly pressed Higgs Bosons could be returned to you on arrival, adding 10 years to your life expectancy. The possibilities are endless and the authorities don't seem even to have started yet. It's pitiful.

They'll catch up, though, in the end. Just remember when you're filling in your requirements on a dating website and you see your first chance to specify HB preference, you read it here first.

© Weight Watchers 2014 – not a single reference to the Higgs Boson

Wednesday, 19 February 2014

The science of political strategy



Public service reform: credible treatment requires bold diagnosis:
... imagine a centre which saw its role as based not on power, control of money and regulation but influence, expertise and networks. What a happier, more attractive, more open and more effective place Whitehall would be.
Digital Efficiency Report
Cabinet Office
November 2012 (p.19):
If the proportion of savings estimated to relate to staff costs (from Fig. 6) is applied to the total estimated annual savings and then divided by an average cost per FTE [full-time equivalent, what we used to call a "person"], this amounts to a total FTE savings estimate of at least 40,000.
----------

 Public service reform: credible treatment requires bold diagnosis:
David Moss on Your comment is awaiting moderation. Tue, 18th Feb 2014 2:08 pm

… from a passing reference he makes to expanding the work of the Government Digital Service, it seems Cruddas knows an incoming Labour Government should try to preserve the best of what is going on in the Cabinet Office …

The Government Digital Service (GDS) have created GOV.UK which replaces the previous central government departmental websites. GOV.UK supports Whitehall’s publishing requirements, just as the previous websites did. Net progress – nil.

The progress GDS is aiming at is to make public services digital by default, as called for by Martha-now-Lady Lane Fox in her revolution not evolution paper. The revolution involves centralising policy-making and budget control and news dissemination in GDS. Centralisation on steroids.

For digital by default to work citizens have to be able to transact with government on-line. Two problems.

Firstly, something like 16 million people in the UK can’t or won’t transact on-line.

Second, for those of us who can and will, we all need to be identifiable on-line. We need the on-line, dematerialised, digital equivalent of an ID card.

For that, GDS have the Identity Assurance Programme, IDA. IDA is already late. It creates a new institution in the unwritten British Constitution – the “identity provider” (IDP). GDS have five IDPs.

Will the British public trust these IDPs with all their personal data? Will companies trust them? It’s unlikely. The media are full of stories all day every day about breaches of security on the web. If even US military contractors can’t protect themselves – and they can’t – why should the IDPs be able to? No reason.

Without IDA, it is impossible for GDS to move on from publishing to transacting. Which is why the dial on their “transformation dashboard” is stuck stubbornly at 1 – of 25 transformation projects on the table, only 1 has gone live.

GDS show no sign of being able to get IDA off the ground. They also seem to have a blind spot about security. They just can’t take it seriously.

If Mr Cruddas is relying on GDS for transformation, he may like to consider the points above.

He may also care to consider GDS’s promise, if digital-by-default ever does take off, to make 40,000+ public servants redundant, replaced by intelligent software agents and applications program interfaces. That would be the effect of the Lane Fox prerogative – massive centralisation and standardisation. Let us hope that IDA remains late for a long time to come.

Monday, 17 February 2014

Skyscape – the Surprise as a Service company

It was such a surprise that everyone can remember where they were the day that Skyscape Cloud Services Ltd won the contract to host GOV.UK.

Skyscape was so young then that the company hadn't even submitted its first set of accounts to Companies House. One man alone owned all the shares in the company. There was plenty of competition from long-established cloud services companies with measurable track records. How did Skyscape beat them?

How did Skyscape go on to win contracts with the MOD? And HMRC? And the Home Office?

How did they qualify for pan-government accreditation?

Last month Skyscape surprised the world again with its open letter to the Government Digital Service and the Government Procurement Service. G-Cloud sales are rising "exponentially", they said, but that's not fast enough for Skyscape. G-Cloud is transforming government IT, they said, but again, not enough. Were they really saying that G-Cloud isn't working? And won't work, as currently designed?

There is a mystery exercising some of us about that open letter of Skyscape's. How did they get Bird & Bird to sign it?

Bird and Bird are solicitors. Red hot, no doubt, at drafting agreements. So what are they doing signing a public complaint about operational matters, drafted by a little splinter group of malcontents and addressed to what must be Bird and Bird's (prospective) clients?

While we were all pondering that, Skyscape slipped in yet another surprise. They submitted their 2013 statutory accounts to Companies House. 19 pages of surprises. They need to be rationed. You can have one now, just to be going on with.

Skyscape have used the Business review and future developments section of the Directors' report to do a hard sell. Among other things, the directors say:
With a current G-Cloud market share of circa 50%, Skyscape is the leading supplier of Infrastructure as a Service (IaaS) on the UK government's G-Cloud framework and delivers services directly to an increasing range of government departments including ...
50%?

A company that barely existed a year ago has been given 50% of G-Cloud business?

Is that the sign of a market operating efficiently?

What's the point of any other suppliers trying to sell through G-Cloud?

Those and many other questions would need to be answered if the 50% claim was accurate but, as it happens, it isn't.

Let's assume that a "current G-Cloud market share" is a share as at 23 December 2013 when Skyscape's accounts were signed. G-Cloud have published their sales figures to the end of November 2013 and Skyscape account for £1.3 million out of a total of £77.8 million. 1.7% of the G-Cloud market. Not 50%.

As for being the "leading supplier" of IaaS, according to the G-Cloud sales figures again, Skyscape do precisely no IaaS business, they make their money out of hosting, compute and storage. G-Cloud's IaaS business, such as it is, goes mainly to Intechnology plc. N Please see update below, 23 February 2014.

What will Skyscape come up with to entertain us next?

----------

Updated 23 February 2014

N Alan Mather has kindly corrected a DMossEsq mistake here.

Search through the November 2013 sales figures for G-Cloud, looking for occurrences of "IaaS", and you find 15 of them as follows:

| Lot | Supplier | Product / Service Description | Total Charge £ (Ex VAT) |
|---|---|---|---|
| 4 | Actica Consulting Ltd | IaaS procurement | 11,900.00 |
| 4 | Actica Consulting Ltd | IaaS procurement | 12,275.00 |
| 4 | Actica Consulting Ltd | IaaS contract set-up support | 11,175.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,300.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,300.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 52,618.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 49,560.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | INTECHNOLOGY PLC | IaaS | 9,500.00 |
| 1 | SPECIALIST COMPUTER CENTRE | GCLOUD IAAS VPN TERMINATION | 4,120.00 |
| Total | | | 226,748.00 |

No sign of Skyscape in the list, and thus the "Skyscape do precisely no IaaS business" comment above.

But that's not how you do it. The G-Cloud framework is divided into four Lots – 1, 2, 3 and 4 – and the whole of Lot 1 is classed as IaaS, see G-Cloud ‘Simple’ Procurement Instructions:
  • Lot 1 - Infrastructure as a Service (IaaS)
  • Lot 2 - Platform as a Service (PaaS)
  • Lot 3 - Software as a Service (SaaS)
  • Lot 4 - Specialist Cloud Services
On that basis, Skyscape had 38.86% (£1,299,765.53) of G-Cloud's IaaS business (£3,344,877.25) which, in some circles, could be described as "circa 50%", as long as you don't accidentally give the impression that you have 50% of the total market (£77.8 million) when, in fact, you only have 1.7%:
With a current G-Cloud market share of circa 50%, Skyscape is the leading supplier of Infrastructure as a Service (IaaS) on the UK government's G-Cloud framework and delivers services directly to an increasing range of government departments including ...

Updated 18.8.17

Just to keep DMossEsq's millions of readers bang up to date, it should be noted that Skyscape changed its name a year ago to UKCloud, please see Skyscape Cloud Services relaunches as UKCloud.

Why did they change their name? ElReg suggest that Skyscape rebrands to UKCloud following legal challenge by Sky. Computer Weekly magazine seem to agree, please see The Sky's the limit: Why UK Cloud has become the new name for Skyscape Cloud Services. Diginomica magazine ditto, David v Goliath – Skyscape rebrands as UKCloud after taking Sky to court.

ElReg et al may be partially right but "UKCloud" is undeniably a more appropriate name than "Skyscape". UKCloud's strategist Bill Mew argued in January this year that organisations including government departments are wrong to trust the big US cloud suppliers. In Only one cheer for the government’s public cloud endorsement he singled out Amazon Web Services (AWS) and Azure (Microsoft) in particular. It would be wrong to trust them with your data.

He says you'd be safer using UKCloud, who respect data sovereignty.

So now it's not just UKCloud v. Rupert Murdoch's Sky but also UKCloud v. Amazon and UKCloud v. Microsoft ...

... and UKCloud v. GDS, the Government Digital Service – Mr Mew is not impressed with GDS's failure to argue in favour of UK data sovereignty. DMossEsq agrees. GDS have consistently shown a complete lack of interest in the matter.

"... it was this largely inaccurate perception that public cloud is less secure than private cloud that was the main factor holding back cloud adoption. GDS’s recent very clear rebuttal of this central perception and its clear endorsement of public cloud is therefore very welcome", says Mr Mew. Cloud security is a problem and GDS saying it isn't won't comfort anyone.

Cloud security is a problem. And so is data sovereignty in the cloud. They always were and they still are. The case for cloud remains ... insubstantial.

Sunday, 16 February 2014

Some people must think that the British public is a cretin


Cyber security








Digital by default

Health

Economics I

Economics II

ID cards

Innovation
__________

Updated 18.2.14:



care.data

Updated 12.5.14:


Youniverse

Updated 22.5.14:



Social Enterprise UK

Updated 25.6.14 #1:



G-Cloud by Tim Hanley

Updated 27.8.14




NSTIC (National Strategy for Trusted Identities in Cyberspace)
(This example is American rather than British but same deal as our IDA seems to share certain features with their NSTIC)

Updated 28.11.14




Updated 29.12.14


The UK should be more Estonian

Updated 13.1.15



It's not just the British, American and Estonian publics but the French one, too.

Updated 15.2.15

BBC Radio 4 World At One 23 January 2015 35'24"-41'39"


GOV.UK Verify – adrift in a world of its own:

The Great Pretender

Oh-oh, yes I'm the great pretender
Pretending that I'm doing well
My need is such I pretend too much
I'm lonely but no one can tell

Oh-oh, yes I'm the great pretender
Adrift in a world of my own
I've played the game but to my real shame
You've left me to grieve all alone

Too real is this feeling of make-believe
Too real when I feel what my heart can't conceal

Yes I'm the great pretender
Just laughin' and gay like a clown
I seem to be what I'm not, you see
I'm wearing my heart like a crown
Pretending that you're still around

Too real is this feeling of make-believe
Too real when I feel what my heart can't conceal

Yes I'm the great pretender
Just laughin' and gay like the clown
I seem to be what I'm not, you see
I'm wearing my heart like a crown
Pretending that you're still around

Songwriters
RAM, BUCK

Published by
Lyrics © Peermusic Publishing
1. While two little girls play Guess who? ...

2. ... and The Platters sing The Great Pretender,

3. Janet Hughes of the Government Digital Service and a spokesman for the Department for Work and Pensions fail to explain why GOV.UK Verify is several years late starting, and

4. David Alexander of Mydex reveals that, with GOV.UK Verify, as soon as security is breached, hackers will be able to impersonate him on all the 705 digital services for which he currently has separate logon ID and password combinations.



Updated 21.5.15 1



GaaP 1

Updated 21.5.15 2



GaaP 2


Updated 15.12.15



GOV.UK Verify (RIP)


Updated 23.12.15 1




Updated 23.12.15 2




Updated 3.1.16



Learning to be a better Civil Service



Updated 26.11.16





Updated 7.10.17





Thursday, 13 February 2014

G-Cloud – Animal Farm

Tony Singleton is the Chief Operating Officer of the Government Digital Service (GDS) and, since GDS took over on 1 June 2013, he is also the G-Cloud Programme Director. This morning he published Taking G-Cloud forward on the G-Cloud blog:
G-Cloud has the potential to reach an estimated 30,000 buyers across the public sector. Yet research carried out by the 6 Degree Group suggests that nearly 90 percent of local authorities have not heard of G-Cloud.

30,000 prospective customers. There's supposed to be a "cloud first" policy. 27,000 customers haven't even heard of G-Cloud. That's a problem.

Take a look at the sales figures for G-Cloud:

December 2013 CSV data: G-Cloud-Total-Spend-13-12-13
(Will we see the same surge in March 2014 as we did in 2013 when people desperately try to use up their budget before the year-end?)

"There are over 13,000 services available via the CloudStore, provided by 1186 suppliers", Mr Singleton tells us, and G-Cloud sales to date stand at £77,788,989.55. That is deemed to be a disappointing figure and the rest of his missive is about how to improve performance.

His message has been trailed by a couple of publications, see Exclusive: Government removes 100 irrelevant services from G-Cloud and G-Cloud purge 100 services. It transpires that Mr Singleton is responding to an open letter orchestrated by Nicky Stewart, the commercial director of Skyscape.

We have already come across Ms Stewart and Skyscape. Before joining Skyscape she was the G-Cloud Head of ICT Strategy Delivery. She is not pleased with G-Cloud's performance since she left. And in her open letter to GDS and the Government Procurement Service she suggests some major changes.

The customer is always wrong

"We are passionate advocates of G-Cloud, and firmly believe in its principles of open competition within a diverse and transparent market", she says, and then complains two paragraphs later that:

The level of understanding around how to buy from the CloudStore remains variable. We see a wide range of practices and attitudes, and in frequent cases the G-Cloud buying guide does not appear to be followed. We all share a common interest in safeguarding the future of the framework, and thereby the emerging G-Cloud market. As opportunities through the framework become larger (and more valuable to suppliers), there is an increased risk of challenge from those suppliers who are losing revenues to G-Cloud. A successful challenge could potentially damage the integrity of the initiative, and all that it promises to deliver to the UK public sector. We recommend that a system be put in place to enable suppliers to report variances from the G-Cloud buying guide to the G-Cloud team and CCS to enable any common issues to be addressed ...

Her passionate advocacy of "open competition" stops short of welcoming competition to G-Cloud and she wants to stamp out any failure by the customers to adhere to the standard practice laid down in the G-Cloud buying guide.

Standardisation is also her solution to the messy business of customers impertinently asking for their own terms and conditions of business:

The G-Cloud framework is standardised and designed to remove complexity. In best case scenarios contracts can be completed within hours. Nonetheless, contractual standardisation generates challenges: for the buyer whose default is their own terms and conditions; and for suppliers whose own terms and conditions are at the bottom of a contractual hierarchy ... There is a clear need to engage with buyers to establish what the G-Cloud Framework terms need to cover, and incorporate into the standard terms to the extent possible. This – coupled with renewed emphasis on the G-Cloud buying guide on the extent that additional clauses can be used – will lead to improved adoption and safer contracting for all ...

Customers must be made to understand that their petty local requirements cannot be allowed to stand in the way of the greater good. They need to be re-educated: "better central guidance and education is needed as to what constitutes a material change to service".

Half the point of G-Cloud as recommended by Chris Chant was to have short contracts that don't lock customers into their suppliers. Ms Stewart turns that on its head: "The two year call-off term is often cited by buyers as a reason for not using G-Cloud, as it would force them into a frequent procurement cycle".

Short contracts are annoying for suppliers, too, and according to Ms Stewart: "given that a 'termination for no cause' clause now exists within the framework, we recommend that GPS increase the maximum contract term to three years. We believe this would encourage the immediate take up of cloud services, allowing buyers to get maximum benefit from the market, without locking them into any given supplier or technology".

She also thinks that customers are being too fussy about security: "Clear guidance is needed very soon: this will benefit the buyer, who may opt for an unnecessarily high (and costly) security wrap, and also the suppliers who have either invested or are investing heavily in PGA accreditation".

Not only does her market annoy her by insisting on individual terms and conditions and by walking away from contracts early and by wasting time trying to ensure that their systems are secure, they further annoy Ms Stewart by not always telling her when they have money to spend:

There is little, if any, transparency of forthcoming opportunity to the supplier, which can in turn lead to negative speculation about how long-lists and shortlists are compiled. We recommend that transparency principles are applied to all areas of G-Cloud transacting:
  • That an opportunity pipeline is published so that suppliers can see who is planning to buy and when (Contracts Finder would be the logical channel);
  • That suppliers are informed if they have been long-listed – and that reasons for failing to make the shortlist are communicated to the supplier. Suppliers can then improve their products and pricing which will in turn benefit the market as a whole.

"The CloudStore is, in our collective view, reforming public sector ICT procurement", she says. G-Cloud's short contracts with small- and medium-sized enterprises (SMEs) were meant to be the alternative to long lock-ins with an oligopoly of big Systems Integrators (SIs). But, as the self-appointed spokesman for the collective, Ms Stewart clearly doesn't approve.

With apologies to George Orwell: "The customers outside looked from SME to SI, and from SI to SME, and from SME to SI again; but already it was impossible to say which was which".

----------

Updated 14.2.14

The signatories to Ms Stewart's open letter are:
Simon Hansford, CTO, Skyscape Cloud Services Ltd
Richard Steel, General Manager UK, Azeus UK Ltd
Roger Bickerstaff, Partner, Bird and Bird
Tim Bennett, Managing Director, Datatank Ltd
Richard Clarke, Head of Public Sector EMEA, Huddle
Elizabeth Vega, CEO, Informed Solutions Ltd
Marek Baldy, Business Development Director, Konetic
Mark Cooper, IS&GS Civil UK Managing Director, Lockheed Martin UK Ltd
Karen Carlton, Head of Sales and Marketing, MDS Technologies Ltd
Mark Webber, Partner, Osborne Clarke
Sam Simpson, Commercial and Delivery Director, Roc Technologies
Peter Hornsby, COO, SFW Ltd
Martin Rice, CEO, The Agile Consultancy
Scot Paton, COO, Vysionics ITS Ltd
Andrew Curtois, Senior IT Category Manager, Westminster City Council


Tuesday, 11 February 2014

RIP IDA – if you've got nothing to say, say it

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

17:09, yesterday afternoon, Monday 10 February 2014, an email arrives saying that the Government Digital Service (GDS) have published a new blog post, Striking a balance between security and usability.

Read it, and one question keeps asking itself – why? Why did they publish this interview with James Stewart, the director of technical architecture at GDS? What was publication supposed to achieve? What is the message they're trying to convey?

A number of messages do come across. But unless GDS is trying to undermine itself these messages can't possibly have been intended. Mr Stewart's topic is the balance between security and usability. That's the question. And his answer is – you have to balance them.

Yes James, thank you, we know that, that's the title of the blog post, the question is how? How do you balance security and usability? And since he doesn't answer that question, the inference is that he can't answer it – GDS don't know how to balance security and usability. That's the message that comes across.

That ignorance doesn't seem to worry them. That's another message that comes across. GDS aren't interested in security. Only in usability.

This isn't the first time. We saw this lack of interest in security in Public Servant of the Year ex-Guardian man Mike Bracken CBE's speech last October to the Code for America Summit 2013 and we saw signs of it again two weeks ago in the blog post by GDS's Janet Hughes and Leisa Reichelt, Security and convenience: Meeting user needs.

GDS may not be interested in security. But other people are. They understand its importance.

When GDS's David Rennie spoke at the US Identity Ecosystem Steering Group conference in January, he said that the reason there are none of the big retail banks signed up to IDA, the identity assurance programme, is that they've been too busy sorting out the aftermath of 2008's credit crunch (31'22"-32'32").

That's silly. Identity assurance is what retail banks do all day every day – they can't be "too busy" to do it.

Is the real reason that the banks won't sign up that they don't want to be associated with IDA? And they don't want to be associated with it because, without a proper understanding of security, IDA will crash on take-off, destroying the reputation and the share price of everyone connected with it?

Is that perhaps the reason why Cassidian and PayPal, who were signed up to IDA, have subsequently pulled out?

Security isn't important. What does that imply for HMRC, who are being asked to give up the long-established Government Gateway and to rely instead on IDA?

And what does it imply for the remaining "identity providers"?

It would be a shame to see the Post Office's good name besmirched. The fates of Digidentity, Mydex and Verizon don't concern us much in the UK, they don't have a reputation here to lose. But Experian should worry us all.

They don't need GDS. Experian already do identity assurance in the UK and overseas. They're good at it. They have a global brand, a global good name, and DMossEsq, for one, would like to see them keep it, not least because his pension fund is quite heavily invested in Experian. Their association with GDS and IDA is a threat to DMossEsq's retirement, and the retirement of many others – we're talking about a FTSE-100 company here.

The message from James Stewart's blog post is – Experian, get out, like Cassidian and PayPal, before the shareholders revolt. Why did GDS want to publish that?

----------

Updated 23.5.14

Ebay urges users to reset passwords after cyberattack

Auction site eBay has urged users to change their passwords after suffering what may have been the biggest-ever cyber-attack when hackers broke into a database holding its 233m customers’ personal data ...

The attack is even bigger than that which affected the US retailer Target in December, when around 40m customer credit cards were stolen by hackers, who broke into the company’s systems. The fallout from that security breach led to the resignation of Target’s chief executive in May ...

The latest in a long line of security breaches. And a harbinger of things to come unless GDS starts to take security seriously.

Updated 9.6.14

GDS published a blog post today, Sensible Security. At first it looks as if they're starting to take security seriously ...

... for routine government business and the delivery of public services, government should think about security just as a large and well-run company would do – consider the organisations who look after your savings, manufacture medicines or produce the smartphone in your pocket ... The answer is to think about security as part of the user needs ...

... but the effort proves once again to be too great and we are left with them thinking about security as ...

... something that is integral to (and should be balanced against) every other facet of the service. If we can achieve this balance, and users and risk owners alike can understand it, then we’ll have been successful.

They're no further forward than 10 February 2014 and Striking a balance between security and usability. Luckily the banks and other organisations GDS claim to want to emulate are way ahead.


Updated 20.1.15

No stopping GDS. Now they're responsible for the Public Services Network (PSN).

The what?

"Simply put, the Public Services Network (PSN) is the government’s high-performance network". That's James A Duncan's take on the matter in Making the PSN better. And he's the new new Chief Technology Officer for the PSN so he should know.

According to Mr Duncan:

For suppliers previously, a Pan-Government Accreditor (PGA) would accredit services against the requirements for the Impact Levels. This created an unwieldy bottleneck that has actively added cost to supplier services, and slowed down the rate at which new services are made available on the network. We are changing the over-the-top Service assurance to be more in-line with G-Cloud and the Cloud Service Security Principles.

The Cloud Security Principles remove the "unwieldy bottleneck" which cost money and took time by making the users responsible for assessing security themselves on the basis of unaudited assertions made by the suppliers. You can see why Mr Duncan fits in well with GDS. He has the same relaxed view of security.

What is not clear is how this makes the PSN "better".

Does Mr Duncan have any security advice for his users? For all those central government departments and local authorities and "schools, doctors’ surgeries, pharmacies, emergency services, hospitals and charities large and small"? You bet:

… we’re creating an option for connectivity that allows customers to connect using suitable encryption, via the internet.

"Suitable"? What does that mean? Like "balanced" (please see James Stewart in the post above), it means nothing.

There goes the PSN.

----------

Updated 23.11.16



Updated 23.1.17

Mystery: the departing James Stewart on DirectGov and BusinessLink.

