DMossEsq

Thursday 11 October 2012

HMRC and Skyscape

The following open letter has been sent by email* to Lin Homer in her capacity as Chief Executive, Permanent Secretary and Commissioner of HMRC:

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

Open letter [1]

Lin Homer CB

Chief Executive, Permanent Secretary and Commissioner

Her Majesty’s Revenue and Customs (HMRC) 11 October 2012
Dear Ms Homer
HMRC and Skyscape Cloud Services Ltd
On 26 September 2012 HMRC announced in a press release [2] that the Department had contracted with Skyscape Cloud Services Ltd to store its data in the cloud [3] with a view to increasing “efficiency” and “reliability” while providing “cheaper”, “more secure and greener” services to the public.
Enquiries at Companies House reveal that Skyscape was incorporated as company no. 07619797 on 3 May 2011 and hasn’t yet submitted any accounts. It is impossible for the public therefore to assess the company’s track record and its financial strength.
Skyscape may not have submitted any accounts but it has submitted an annual return as at 3 May 2012 according to which:
· It has no company secretary and just one director, Mr Jeremy Robin Sanders
· Skyscape has just £1,000 of paid-up share capital
· There is only one shareholder, the same Mr Sanders
· The company’s registered office is at Hartham Park, Hartham, Corsham, Wilts SN13 0RP
Questions must arise in the public’s mind whether Skyscape – being so new and so small – is a suitable company to host web access to all our HMRC records.
One share in Skyscape was held by Mr Jeffery (sic) Paul Thomas until 29 April 2012 when it was transferred to Mr Sanders. Skyscape mention on their website [4] a company called ARK Continuity Ltd. Enquiries at Companies House reveal that ARK Continuity has three directors, one of them being Mr Jeffrey (sic) Paul Thomas.
The other two directors are bankers appointed to protect the interests of Revcap Properties 25 Ltd, a property fund. ARK Continuity has filed accounts as at 30 April 2011 according to which its ultimate parent company is Real Estate Venture Capital Partners LLP.
According to its 16 December 2011 annual return:
· ARK Continuity has £16 of issued share capital, not all paid up
· Mr Thomas’s interest in the company is a nominal £3.20
· The company’s registered office is at Hartham Park, Hartham, Corsham, Wilts SN13 0RP
The business relationship between Skyscape and ARK Continuity is unclear. It is described as an “alliance” on the Skyscape website but what is an alliance in this case? It doesn’t look like a joint venture or a partnership. The question must arise in the public’s mind just what the business relationship is and what HMRC are relying on for the storage of our data entrusted to the Department’s care.
ARK Continuity’s principal activity is “the design, construction and operation of data centres”. They’re a property company and naturally enough they proudly describe their major product, the Spring Park data centre, on their website [5] including a map how to get there and the address – Hartham Park, Corsham, Wiltshire SN13 0RP.
Skyscape, ARK Continuity and Spring Park all have the same address. It is possible that the location of the data centre at which the public’s HMRC data is being stored has been advertised for everyone to see on ARK Continuity’s website – everyone including terrorists and hackers. That looks like a potential breach of security.
By this stage, Ms Homer, you will agree that every claim made in HMRC’s 26 September 2012 press release is questionable. The decision to contract with Skyscape and the conduct of the business relationship so far appear dangerous, imprudent, ill-advised, unprofessional, wrong-headed, unbusinesslike, undignified and irresponsible. Could I ask you please to comment on these matters of public interest.
Yours sincerely
David Moss
cc Chartered Institute of Taxation
Institute of Chartered Accountants in England and Wales

[1] HMRC and Skyscape, http://www.dmossesq.com/2012/10/hmrc-and-skyscape.html
[2] HMRC first for new IT contract, http://press.hmrc.gov.uk/Press-Releases/HMRC-first-for-new-IT-contract-680b1.aspx
[3] HMG's cloud computing strategy – there isn't one, http://www.dmossesq.com/2012/06/hmgs-cloud-computing-strategy-there.html
[4] Skyscape Cloud Alliance, http://www.skyscapecloud.com/about/the-skyscape-cloud-alliance
[5] Spring Park, http://www.arkcontinuity.co.uk/contact-spring-park.html

----------

* and by post, the hard copy letter should have arrived with the HMRC Correspondence Team at Somerset House by 16 October 2012. Acknowledgement dated 17 October 2012 received 22 October 2012 promising response "within the next 15 working days".

HMRC and Skyscape

more ►

Thursday 4 October 2012

GDS get off to a bad start, and it's only going to get worse

GDS have broken cover.

GDS is the Government Digital Service and they are responsible for a government project called "identity assurance" (IdA). They were due to announce the winners of the tender to provide identity assurance services in the UK by 30 September 2012. They missed the deadline but three articles appeared in the British press today:

Guardian: Twitter and Facebook to be used for benefit applications
Telegraph: Facebook log-ins 'to be used to access Government services'
Independent: National 'virtual ID card' scheme set for launch (Is there anything that could possibly go wrong?)

All the nonsense that DMossEsq has been blogging about has been confirmed in those articles as government policy. And not just the UK government. The US as well – cloud computing, midata, Skyscape, Universal Credit, Facebok, Google, PayPal, Twitter, GOV.UK, OIX, ...

It will take a long time to unravel. A start has been made by posting the following comment on the GDS blog:

Dear Mr Wreyford

Judging by the Guardian, Independent and Telegraph articles, we are in for a long haul. It will be some time before the Cabinet Office and the US administration abandon their plans for IdA, identity assurance.

Let's make a gentle start.

Question 1. As you say, it's more about trust than identity. The idea is to host GOV.UK on servers operated by Skyscape Cloud Services Ltd. Skyscape has yet to submit any accounts to Companies House. The company has just one director and he owns 100% of the paid-up share capital, which is only £1,000. Why do you trust Skyscape and why should anyone else?

The comment will only appear on their blog if and when GDS allow it to after moderation.

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

GDS get off to a bad start, and it's only going to get worse

Guardian: Twitter and Facebook to be used for benefit applications
Telegraph: Facebook log-ins 'to be used to access Government services'
Independent: National 'virtual ID card' scheme set for launch (Is there anything that could possibly go wrong?)

more ►

Wednesday 3 October 2012

Skyscape, Whitehall have no excuse, the contracts must be unwound

... irresponsible, unwise, imprudent, disgraceful ...

indefensible ...

misfeasance in public office ...

5 questions were posed to the G-Cloud team and the Government Digital Service (GDS). These questions concern Skyscape Cloud Services Ltd.

Skyscape is a new company with just £1,000 of paid up share capital and just one director, who also happens to be the only shareholder.

[Skyscape has subsequently changed its name to UKCloud: "London – August 1, 2016 – Skyscape Cloud Services Limited, the easy to adopt, easy to use and easy to leave assured cloud services company, has today renamed and relaunched as UKCloud Ltd (www.ukcloud.com), to reinforce the company’s exclusive focus on supporting the UK public sector in the digital transformation of services".]

You can't get much smaller than Skyscape and yet the company's wares are listed on the G-Cloud on-line shop, CloudStore. You can't get much smaller, and yet GDS have contracted with Skyscape to host GOV.UK, the new central government website. And HMRC have contracted with this one-man company to store the data currently held at local HMRC offices.

All the normal rules are broken by these baffling decisions. National assets are being entrusted to the care of what looks like a tiny, new company. Thus the five questions.

GDS have posted the questions in full on their blog but not answered them yet.

The G-Cloud team have posted an edited version of the questions on their blog and Eleanor Stewart has kindly answered three of them.

Her first answer contains an important lesson for central and local government. They cannot assume just because a company is listed on CloudStore that it is up to the job, it's up to them to satisfy themselves as to the company's strengths:

... as with everything on the G-Cloud framework the customer can determine whether they are happy with any associated risk at the point of selection

Her third answer provides another lesson. Cloud computing is commonly touted as offering all the flexibility that old-fashioned IT lacks. Ms Stewart makes it clear that there are limits to this flexibility:

Your description is a very reduced version of how some quite complex technology works ... technically correct but missing out any subtlety about the processes involved in each action. Cloud Services do indeed allow the movement of data between servers more easily than other technologies ... it can be diverted and moved anywhere within the grid (or cloud), safely and securely as long as the integrity of the data, it’s security and the processes involved are maintained.

Cloud computing is beginning to look a little less magic than is sometimes suggested by its advocates. No surprise there, we could all have guessed that but what we want to know in this case is what GDS are doing hosting GOV.UK on the servers of a tiny new company and what HMRC are up to relying on Skyscape for the safe storage of local offices' data and reliable acces to it.

Ms Stewart's second answer disappoints. We are none the wiser after reading it than before:

To purchase from G-Cloud GDS and HMRC have gone through a detailed selection process looking their requirements and the options available to them and have concluded that the Skyscape services will best met their needs and that of UK citizens.

The unbusinesslike decisions of the G-Cloud team to list Skyscape on CloudStore and of GDS and HMRC to contract with the company continue to look irresponsible, unwise, imprudent, disgraceful and indefensible. They look like misfeasance in public office.

Skyscape, Whitehall have no excuse, the contracts must be unwound

... irresponsible, unwise, imprudent, disgraceful ...

indefensible ...

misfeasance in public office ...

more ►

Monday 1 October 2012

What are GDS doing while DWP wait for an identity assurance service they can use for Universal Credit?

OIX provides a means of engaging with partners to structure alpha projects that experiment with solutions to real-world problems. These projects will morph and scale into production solutions ...

No?

Me neither.

The wordage above was assembled by Don Thibeau, the Chairman and At-large Director of OIX.

You may not remember, but you've read about OIX here on DMossEsq before. When the Government Digital Service (GDS) had their boondoggle to the White House, they rounded it off with a visit to the Open Identity Exchange.

You may have wondered at the time what OIX is. Well now you know, thanks to its At-large Director.

The GDS visit went off so well that the Cabinet Office joined OIX. An OIX Working Group was set up, devoted to the UK's identity assurance programme. And that was the occasion for Mr Thibeau's battle with natural language, Easier done than said: The challenge of third-party digital identity credentials:

How does HMG's Cabinet Office in the context of an working group encourage what they say they want, or prevent what they don’t we want, from occurring?

Good question. Mr Thibeau should take his ideas to the top. History could be made when he tells Francis Maude face to face that:

Instead of dealing with the technologically straightforward problem of the provenance of personal data and identifiers, the identity community has tried to re-architect the very way that parties transact. We've tied technical capabilities into intractable legal knots. When most business today involves bilateral arrangements, and it’s common for the RP to be the IdP, the OIX UK IDAP Working Group will take a very radical step to move to multilateral schemes and trust frameworks that embrace both legacy business models and new requirements.

That will put the carping of the legacy trolls at DWP into its proper context.

OK, GDS said it was in charge of identity assurance. And OK, GDS said that it aimed to announce which companies would be the UK's identity providers (IdPs) by the end of September. Yesterday. Which it didn't. And OK, so DWP are waiting for the Identity Assurance Programme (IDAP) to function so that they can get their technologically straightforward Universal Credit system up and running.

But you can't rush these things. Here in the real-world, it takes time for partners to engage, to experiment and to structure an alpha project before it can morph or scale into a tractable production solution operating within a multilateral trust framework, and DWP will just have to wait.

What are GDS doing while DWP wait for an identity assurance service they can use for Universal Credit?

OIX provides a means of engaging with partners to structure alpha projects that experiment with solutions to real-world problems. These projects will morph and scale into production solutions ...

No?

Me neither.

The wordage above was assembled by Don Thibeau, the Chairman and At-large Director of OIX.

more ►

Cloud computing and the Gadarene lemmings of Whitehall

It happens sometimes. You sit down to write a post and find you've already written it. In this case three months ago, HMG's cloud computing strategy – there isn't one.

In brief, Chris Chant identified 23 problems with Government IT and claimed that the solution is cloud computing and agile software engineering methods. He never stated how these remedies would solve the 23 problems and neither has anyone else.

Another way of putting which is to say that there is no Whitehall IT strategy for cloud computing. They can't give any examples of how cloud computing will help. They have no reason for creating CloudStores and contracting with a one-man band to host GOV.UK and HMRC's local office records in the cloud. They're just doing it. Because everyone else is. Allegedly.

Allegedly. The qualification has to be added because DMossEsq asked a very senior partner of a major global firm of lawyers if his firm uses the cloud and, in the politest way, he tried not to look as though he was dealing with a lunatic.

It's a breach of confidence to hand over client documents to a third party, a third party who may be anywhere in the world. The message was that his firm prefers to keep control of its data. It prefers to stay in business. The two are linked.

If Whitehall stick all our records in the cloud, they lose control of them. They lose control of their IT costs (our IT costs), the computers, the location of the computers and the staff who operate them, and they lose control of the data stored and processed on them.

Can anyone remember why Whitehall want cloud computing? Why they don't want to use their own data centres? What the return is meant to be? Why they're taking the risk?

Why are they wasting their time and our money? Why are they so intent on losing control? Is government too difficult for them? Have they given up?

Is there any sense in which Whitehall's behaviour is in the public interest? Any sense in which it's businesslike, professional, responsible, logical or dignified?

No. None.

Whitehall are behaving like a herd of adolescent fashion-driven Gadarene lemmings.

Someone wants to say that Whitehall are wasting our money with impunity and that the state of public administration in the UK is disgraceful. Or has he already said that?

Cloud computing and the Gadarene lemmings of Whitehall

It happens sometimes. You sit down to write a post and find you've already written it. In this case three months ago, HMG's cloud computing strategy – there isn't one.

more ►