Wednesday 7 November 2012

Government Digital Service (GDS), your comment is awaiting moderation 1

GDS have published their digital strategy. Francis Maude says that digital by default will save between £1.7 billion p.a. and £1.8 billion p.a. How much longer are people going to fall for that gambit?

Sir Bob Kerslake, head of the home civil service and permanent secretary at DCLG, has penned a tribute to GDS, the strategy and digital by default.

At about 1 o'clock this afternoon, DMossEsq submitted a comment on Sir Bob's post. Unpublished on GDS's blog, it's still awaiting moderation. With GDS you can wait forever:

dmossesq #

Please Note: Your comment is awaiting moderation.

Dear Sir Bob

Digital Strategy

Re your paras.2 and 3, publishing a strategy does not of itself improve government digital services.

Re your paras.4 and 5, it’s hardly a new idea that it’s best if the departments have someone on board who knows what they’re talking about or that you can’t run a business without accurate and up to date management information.

Re your para.6, GOV.UK simply replaces Directgov and Business Link and, so far at least, marks no change in the 24-hour on-line convenience that those two websites have provided to the public for years.

Re your para.7, the public have long experience of Whitehall promises being made that digitisation would save money and long experience of those promises being broken. Scepticism is the order of the day. Mr Maude promised that digital by default will bring savings of between £1.7 billion and £1.8 billion p.a. in his speech yesterday. How many public servants does that equate to? How far advanced are your negotiations with the public service unions to make these lay-offs? Will the savings be passed back to the public or does Whitehall plan to spend the money itself?

Re your para.8, the medium is not the message, form is not content and in the same spirit of scepticism above I trust that you are not as impressed by a small change in format as perhaps some people are, who have retained from childhood the facility to be impressed by meretricious ornamentation.

I would welcome your comments on the matters above.

I propose to consider your para.1 and the need for Whitehall to maintain its values in a separate letter.

Yours sincerely
David Moss

07/11/2012


Tuesday 6 November 2012

Identity assurance – shall we vote on it?

For years now
the Cabinet Office have claimed
that they don't want to create a single, central national identity register.

Falsely, as it turns out.

They want to store a single, central identity-assured electoral roll
with the credit referencing agencies.

Lord Maxton: ... The noble Lord, Lord Rennard, in particular, roused me to my feet as I have one simple point to make. The Bill is designed to stop fraud and ought to be designed to encourage people to vote, and there is one simple way to deal with that. Unfortunately this House and the other place both voted to get rid of that simple way of dealing with this matter, which was the introduction of an identity card – a general register of all people. It would have been a compulsory identity card for everyone. It would have ensured that everyone was on the central register and we would not be in this position. The noble Lord, Lord Rennard, led the campaign, as much as anybody did, against ID cards, which was a major error on his part. By the way, the technology on ID cards, or smart cards, has moved on extensively even since we abolished the proposal less than two years ago. Now we could have a smart card that would ensure that people were on a central register and the register itself would divide and set up online registers for the whole of the country. Each constituency would have a register, not completed by a registration officer or by individual registration but automatically: by pressing a series of buttons on a computer it would come up with the right answers ...
The Electoral Registration and Administration Bill began its committee stage last Monday, 29 October 2012. Lord Maxton's contribution ignores the fact that the ID cards scheme failed despite enjoying eight years, 2002-10, of unstinting political support from the European Commission, Whitehall, two Prime Ministers and five Home Secretaries, and despite eight years of hosing unlimited public money at management consultants, software houses and biometrics experts. It's just not that easy, my lord.

One of the lessons of 2002-10 has not been lost on John Reid:
Lord Reid of Cardowan: I am very grateful to the noble Lord [Lord Rennard] for giving way. I am not in principle against what he is suggesting but, as someone who bears the scars on my back of false accusations when in government of an intention to mine data, match data and cross-match data, can he tell us when the Liberal party came to the conclusion that it was perfectly legitimate to mine and cross-match the data from DVLA, from pensions, from national insurance, which the noble Lord mentioned, and from transport? Once you have created this precedent there will be very good reasons for using it, presumably with data from HMRC and others, right across the spectrum so it is not something that should be entered upon lightly.
According to the explanatory notes on the Bill, the objective is to "reduce electoral fraud by speeding up the implementation of individual voter registration". Draft legislation for Individual Electoral Registration (IER) was published on 30 June 2011. In addition to the legislation, there was an impact assessment and a statutory instrument on the pilot schemes needed for the data-matching that Lord Reid was talking about.

The first day's debate in the committee stage of the Bill is a magnificent cornucopia of Constitutional issues:
  • Their lordships debated cross-referencing the electoral roll with DWP's National Insurance number database (NINO), with the equivalent database at the Department for Social Development (Northern Ireland), with HMRC's tax credit and child benefit databases, with Royal Mail's redirection service and with several Department for Education and Department for Transport databases. This is unprecedented. Is that legal? No. According to the impact assessment (p.2), "Key assumptions/sensitivities/risks: Data matching – national rollout would require primary legislation.".
  • Did the pilot schemes suggest that it's worth introducing new primary legislation? Don't know. Haven't seen the results. Don't know how the tests were carried out. What were the protocols? What would constitute success? Was failure possible?
  • Given that IER is meant to be voluntary, why are their lordships mooting civil penalties for failing to register? (Where have we come across that before? ID cards. Supposed to be voluntary. But anyone applying for a passport would automatically be entered on the National Identity Register. So they're not voluntary. Yes they are, says Charles Clarke, Home Secretary at the time, March 2006, because you don't have to apply for a passport, do you?)
  • Why isn't the Department of Health involved?
  • Is it true that the Department for Transport has pulled out?
  • ...
There's too much there for a single post. Too many nuggets to mine. Let's pick on just one:
Lord Wallace of Saltaire: My Lords, before I address the amendments directly, I take up some of the broader issues raised by the noble Lord, Lord Reid, which were touched on by the noble Lord, Lord Maxton, in our first Committee session before dinner. They are extremely wide issues and I agree that they are important. It was for that precise reason that I went to be briefed by the head of the Government Digital Service last week.

As the noble Lord, Lord Reid, pointed out, as we move towards cloud computing, the questions of where data are stored, to what uses they are put and how far they are shared become a very delicate and important area. I also flag up that the question of what is a public database and what is a private one becomes a little more difficult than it is now. There is a whole set of issues there that we need to return to in other contexts because this has the potential to transform the way in which society, the economy and government work as a whole. I was assured that the protocols that now govern what is called identity verification – the very limited use of data sharing to ask, "Is this person real?" – are strong and, as used by the credit agencies and others, provide firewalls which prevent too much information being shared.

Some of us might differ on how far we would be happy for the DWP, HMRC and the National Health Service to share information on what people claim to be earning, claiming or whatever; those questions will also come into that debate. I strongly agree that this is an extremely important long-term issue. However, if I understand it correctly – and I am at the absolute outer limits of my knowledge of computers at this point – I am told that one does not need to amass new databases. That is the difference between what is now beginning to happen and the old ID debate ...
So we're all moving "towards cloud computing", are we? How carefully did ex-Guardian man Mike Bracken, "the head of the Government Digital Service", explain to Lord Wallace, a man "at the absolute outer limits of [his] knowledge of computers", that cloud computing means losing control of your data?

Is it right for Lord Wallace to be "assured that the protocols that now govern what is called identity verification ... are strong"? No-one else believes that. Why does ex-Guardian man Mike Bracken believe it?

Did ex-Guardian man Mike Bracken take Lord Wallace through GPG45? That's the good practice guide, no.45, issued by CESG, on Validating and Verifying the Identity of an Individual in Support of HMG Online Services. Do Facebook and Twitter meet the criteria set out there? Or didn't the matter crop up in conversation?
52. In time other forms of verification may become available which means that a person may not be required to produce their NINO and DOB when making a new application to register – the legislation has been drafted with this in mind. On 18 May 2011 the Government announced plans for the development of a consistent, customer-centric approach to digital identity assurance across all public services. The intention is to create a market of certified identity assurance services delivered by a range of private sector and mutualised suppliers so that people will be able to use the service of their choice to prove their identity when accessing any public service. The draft legislation will allow digital identity assurance to be used in future to verify an application to be added to the electoral register. Additionally it may be possible for verification to take place at local authority level using similar local arrangements. We will monitor these developments with a view to improving the verification process if it helps to simplify the system and encourages more people to register.
That's what it says in the draft legislation. Ex-Guardian man Mike Bracken was meant to announce who would be the UK's so-called "identity providers" by 30 September 2012. We're still waiting.

He'd better hurry up. He's promised to have an identity assurance service "operational" for 21 million Universal Credit claimants by Spring 2013.

Some of the proposed suppliers of identity assurance, the social networks like Facebook, the custodians of the strong protocols Lord Wallace is hoping for, have been irremediably debunked by Whitehall's own security experts who recommend lying to them if you don't want to suffer identity fraud.

And the others? The banks? And the mobile phone suppliers? Do they now see the wisdom of the Department of Health in not getting involved in the first place? Will they now follow the example of the Department for Transport and withdraw?
13. Maintaining a more accurate and complete register will deliver benefits beyond addressing the potential for fraud in elections. The full register is already made available under current legislation to a number of government organisations for official purposes, and the edited version of the full register is available to anyone for any purpose. In addition the full register is also supplied to credit reference agencies to assist financial institutions in the UK to verify a person’s identity when processing an application for credit or opening a bank account.
Damian Green MP feeding disk drives from the failed UK ID card scheme and the credibility of the Home Office into an industrial shredder
Photograph: SA Mathieson/Guardian
For years now, the Cabinet Office have claimed that they've learnt the lesson, they don't want to create a single, central national identity register. Now look. Look at para.13 of the draft legislation. They just want to keep a full copy of the identity-assured electoral roll stored with the credit referencing agencies. Who, if they've got any sense, and they have, will extract themselves from this eye of newt goulash faster than a speeding ballot.

The debate in the Lords was intelligent and informed, elegant and patient, and tirelessly open. An example to us all.


Sunday 4 November 2012

Cloud computing – how to lose control of your data #94

It's Sunday. Give us a break
Cloud computing is supposed to be cheaper than the alternatives. How many times have we heard that some new management fashion will save us money? How many times can we fall for it? How many times has it turned out to be true? Exactly.

Cloud computing is meant to be more efficient, more reliable, more trusted, more flexible, more scalable, more resilient, more modern, more transformative, ... In each case, the claim is either false or, at best, unproven.

No need to keep banging on about it, the point has been made.

Sign up for cloud computing, like what Her Majesty's Government has in the UK, and you lose control of your data. You want to go out of business? Go ahead. Up to you. Stick your data in the cloud.

We know that. It's all a bit relentless. It's Sunday. Give us a break.

The gift that keeps on giving
Actually, there's another reason to avoid cloud computing, one that hasn't been mentioned so far on DMossEsq, a new answer to the question why is it foolish to store your data in the cloud.

Kim Dotcom, mega
Still very young, Mr Schmitz or Dotcom or Kimble (c.f. The Fugitive) will be all of 39 years old on 21 January 2013
6'6" tall and weighing 290lb, the only reason Kim Dotcom (né Schmitz) didn't go to prison after being found guilty on 11 counts of fraud was that ... he was under age at the time of the offences and the judge put it all down to youthful foolishness.

Like most teenagers, he had hacked into NASA. And Citibank. He had also found out how to make international phone calls for free and, unlike most teenagers, had a nice little sideline selling access to these free telecommunications facilities.

He got off the 11 fraud charges with a suspended sentence. And the 10 data espionage charges. But when the insider trading charges started to look a bit serious, he decamped to Thailand. The Thais extradited him back to Germany and he finally served a stretch there. Five months on remand. Quite right, too.

Mr Dotcom loves playing computer games, particularly Modern Warfare 3.

That is not a recognised sign of intellectual achievement, you say.

As you wish. But some people are better at problem-solving than others. How good are you? There are over 15 million players of Modern Warfare 3 worldwide and Mr D was ranked #1, only falling to #2 after a sojourn in a New Zealand prison, about which, more anon.

He also loves cars. Driving in Morocco one day, he became impatient with the car in front and rammed it off the road. These things happen. How was he to know it was being driven by the chief of police?

Kim next set up shop in Hong Kong, picked up a few fines for false declarations to the stock exchange and for marketing a hedge fund that had many fine qualities, like artificial intelligence, but didn't happen to exist and the good ship Dotcom next struck land in New Zealand.

Megaupload
But before that, while in Hong Kong, he had set up a real company, Megaupload. A cloud services company, with 150 staff and revenues of $175 million p.a., Megaupload had 60 million users, or 180 million according to some reports, it was ranked #13 among all the websites in the world and accounted for 4% of web traffic. Worldwide.

If New Zealand had any qualms about Kim Dotcom's application for residence, the thought of uploading some of his money into New Zealand seems to have allayed them. He rented the most expensive house in the country, he laid on a $600,000 fireworks display in Auckland and he donated $50,000 to the mayor's re-election campaign.

Mr Dotcom was rich.

There was a problem when the mayor later had trouble remembering this donation. What would you do, you who have never played Modern Warfare 3? Kim recorded a song called Amnesia. See? Problem-solving. Some people are good at it.

Megaupload was so big that it rented no less than 1,100 servers from another cloud services company, Carpathia, to store all the data people kept handing over.

Got it. You're going to lecture us about contracts. Users may have a contract with one cloud services supplier (e.g. Megaupload) but, if that company hands the users' data over to another cloud services supplier (e.g. Carpathia) with whom the users have no contract, then they have lost control of their data. Ha!

Wrong. Everyone knows that already. That's not a new reason to beware the perils of cloud computing. Think again ...

Hollywood loves a swashbuckler
Not this one they don't.

According to Hollywood, Megaupload has cost them $500 million. It was a seat of piracy, Hollywood's intellectual property rights were being stolen by felons illegally uploading films and TV programs to Megaupload.

That's just my point, you say, you shouldn't be making light of the activities of a seedy criminal.

No-one is making light of anything, least of all Mr Dotcom, who may be a criminal but he is entertaining as well, both, the one doesn't exclude the other.

And not so fast with the "criminal". His Megaupload crimes are alleged. He hasn't been found guilty of them. There's a law. The Digital Millennium Copyright Act (DMCA), which protects the suppliers of a website from the illegal activities of the users of that website. Without that, Sergey Brin of Google would spend his whole time in prison because of all the porn on YouTube. So stick that in your pipe, Roundhead, smoke it and inhale.

DMCA and the evidence against Kim Dotcom were presumably considered by a grand jury and on 5 January 2012 he was indicted on charges of online piracy, racketeering, copyright infringement, and money laundering. That was in Virginia. In the US.
But Mr Dotcom was in New Zealand.

I know. You're going to hold forth on RICO, the Racketeer Influenced and Corrupt Organizations Act, the law they said would only ever be used against suspected gangsters, when opponents of its introduction suggested that its powers were so useful that prosecutors would be unable to resist the temptation to charge everyone with offences under RICO. No, no, said the legislators, that will never happen. But of course it has.

You mean like the surveillance laws here in the UK? The ones they said would only ever be used against suspected terrorists and now local councils use them for fly-tipping offences and dogs fouling the pavement and parents lying about living in the catchment area for desirable schools? No. Completely wrong. Everyone already knows about that. The question is what new reason is there to believe that it's foolish to store your data in the cloud? If all else fails, as teachers used to tell their students, try reading the question.

Due process
The indictments are in Virginia and Dotcom's in Auckland. What would Clarice Sparrow Starling do?

She would probably have a quiet word with her opposite numbers in New Zealand's Government Communications Security Bureau (GCSB). Point out how much appreciated it would be if they could help in this matter. She might maybe exert a bit of pressure. US tariffs on New Zealand lamb imports could be lifted. Or they could be increased. Extraordinary rendition? That kind of thing.

Kim Dotcom appears in court in Auckland in January. The US wants New Zealand to extradite him to face internet piracy allegations.
Photograph: AFP/Getty Images
Whatever the FBI said, GCSB went into action immediately. They put Dotcom under surveillance and two weeks later, on 19 January 2012, they got the assault rifles out, started up the helicopter and armed police invaded the Dotcom manor, impounded his possessions right, left and centre, arrested Kim, locked him in prison and froze his assets worldwide.

Which made it hard for him to pay his rent. Or his lawyers. When he was finally allowed access to a bit of his money, the lawyers argued successfully that it was against the law for GCSB to put New Zealand citizens under surveillance, including Kim Dotcom, and that the arrest warrant had been wrongly drafted – too non-specific.

The Prime Minister of New Zealand has subsequently apologised for these mistakes to Mr Dotcom personally and to New Zealanders in general and he has confirmed that GCSB officers mistakenly allowed FBI officers, who happened coincidentally to be present, to take copies of Mega Kim's impounded disk drives.

Prime Minister Key's re-election prospects are in doubt. So are President Obama's. Kim Dotcom blames him personally for his enforced stay in Mt Eden prison, Auckland.

At some point, Mrs Dotcom gave birth to their fourth and fifth children, girl twins, and Kim toyed with the idea of sending the placenta to the FBI to check for pirated DNA, another solution that would never have occurred to you, would it, but let's leave him there, he's clearly quite big enough to look after himself, and turn our attention instead to Kyle Goodwin.

OhioSportsNet
Back in January, the FBI took control of all Megaupload's domain names and their computers and they told Carpathia to keep the 1,100 servers Megaupload rented from them untouched.

The FBI also managed to freeze Megaupload's bank accounts.

Given that Megaupload is a Hong Kong company, how?

Bloomberg think it's something to do with one of Mr Dotcom's fellow defendants having a US address and being an "alter-ego" of the company. Any port in a storm.

Thing is, among the 60 million users of Megaupload, just a couple of them may not be copyright pirates or pornographers. Some of them, like Kyle Goodwin, may run their own legitimate business in Ohio, filming sports events for local high schools, and streaming the footage to sports coaches and the doting parents of the athletes. And Mr Goodwin would kind of like his footage back, please, he's got a business to run, Megaupload have no objection to the return of his data and neither have Carpathia but the courts have:
  • Who says it's his data, the US government asks? Or as their lawyers put it: “Mr. Goodwin has yet to demonstrate whether he has an interest in any property seized by the government ... the mere fact that he may claim, for example, an initial copyright to a version of the files he uploaded is not sufficient to establish that he has an ownership interest in the property that is the subject of this motion”.
  • Suppose we look at what is allegedly Mr Goodwin's data and find he's been infringing copyright? Then what? If he doesn't have "clean hands", we just might start doing a bit of indicting in Ohio.
  • But look, we can't possibly entertain Mr Goodwin's request. It would take ages.
  • And suppose everyone else started asking for their data back, too? Then where would we be?
  • And Carpathia are moaning, too, claiming that it's costing them $9,000 a day to keep these pestilential 1,100 servers out of use. Far as we're concerned Carpathia can just delete all the data on them, all 25 petabytes of it (that's 25 million gigabytes), a course of action various fussy defence lawyers have asked Carpathia please to not pursue.
http://www.megaupload.com today

Your data
And there, ladies and gentlemen, we have the answer.

Mr Goodwin is being represented by lawyers from the Electronic Frontier Foundation (EFF) and they say that "the [US] government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service ... both the contract between Megaupload and Mr. Goodwin ... and the contract between Megaupload and the server host, Carpathia ..., likely limit any property interest he may have in his data".

Sign a cloud computing contract and you lose the rights to your property.

The question was, what new reason is there to believe that storing your data in the cloud is a mistake?

And the answer is that you're going to have the devil of a job getting your solicitor to nip over to Quantico to prove that it's yours at all. And as for actually getting it back, forget it. The courts don't have time for all that nonsense. Easier just to delete it.

They wouldn't do that to HMRC and all our tax data stored on Skyscape Cloud Services Ltd's servers. Would they? There are 60 million of us for goodness sake. That could never happen. Could it? And then there's GDS and all our state benefits data stored on ditto ...

Don't you worry about that. Whitehall aren't worried. Don't you worry.

----------

Updated 5.11.12

Philip Johnston, Daily Telegraph, 'Whitehall has its head stuck in the cloud'


Updated 21.2.17

Andrew Orlowski, ElReg, 'NZ High Court rules US can extradite Kim Dotcom after all'


Saturday 3 November 2012

Identity assurance. Only the future is certain – doom 4 and last (William Heath, Mydex, midata, BIS, GDS and ID cards)


What's the beef?
A personal data store is the software equivalent of an ID card ...
After all the promises
going back to the 20 September 2010 identity assurance meeting ...
here we go again.

Remember this:
  • There was a revealing moment at the 31 October 2011 identity assurance (IdA) meeting. Una Bennett, Head, Learner Records Service, did a presentation on the Skills Funding Agency's Learner Passport pilot project.
  • Stay awake.
  • Ms Bennett keeps lists of all the exams people have sat. It's a sort of National Identity Register of exam results. (Public money well spent? You be the judge.) Anyone too disorganised to do their own filing can always contact her to find out if they got a grade 4 in Latin O-level or a grade 5. Something like that.
  • Which seemed to annoy William Heath.
  • Mr Heath was at the meeting, together with other exhibitors/winners of Technology Strategy Board funding, when he laid into Ms Bennett. Your exam results, he implied, like every other fact about you, should be kept in personal data stores (PDSs) administered by Mydex, Mr Heath's company. And they would be, too, if it wasn't for the disgraceful fact that the Skills Funding Agency gets £40 million a year of public funds (Mr Heath's figure) and Mydex doesn't.
Now read on ...

It's Thursday 3 November 2011, a year ago today and three days after the 31 October 2011 IdA meeting:
What's the catch for consumers and why is the government getting involved?"
This is the first the world has heard of midata. (Why wasn't midata announced at the 31 October 2011 meeting? If anyone knows, please tell the rest of us.)

midata is supposed to give consumers control over the way their personal data is used. BIS are unable to explain how midata will achieve that. It is not in their power to grant that control.

25 November 2011, and a consultancy called Ctrl-Shift publish a report, The new personal data landscape, repeating the unsupported claim that midata will give consumers control over their personal data and extolling the virtues of Mydex, a company specialising in PDSs (p.15):
Personal Data Stores
The last year has seen a flurry of activity around the concept of personal data stores or personal data ‘vaults’ that help individuals collect and keep their own data safe, manage, analyse and use this data, and control how it is shared with other parties. Launches include Mydex and ...

Personal Data Management: Mydex
Mydex helps individuals collect, manage and share data under their control ...
Ctrl-Shift fail to mention in their report that Alan Mitchell, the strategy director of Ctrl-Shift, is also a director of Mydex, which he co-founded with William Heath, the chairman of Mydex, who at that time is also a non-executive director of Ctrl-Shift. Please see The case for midata – the answer is a mooncalf.

It subsequently transpires that William Heath, chairman of Mydex, also owns 30 of the 106 shares in Ctrl-Shift and, further, that he sits on the strategy board for midata at BIS, please see Cribsheet below.

BIS is a client of Ctrl-Shift's, i.e. Ctrl-Shift are in the pay of BIS. And Mydex is in receipt of an unknown amount of the funds invested in the identity assurance industry – £14 million by the Technology Strategy Board and £10 million by the Cabinet Office – as announced at the 31 October 2011 IdA meeting.

There must be some doubt about the independence of Ctrl-Shift's consultancy advice. And Mydex begins to look like a creature of BIS and of the Cabinet Office, specifically the Government Digital Service (GDS). When Mydex speaks, it's not independent speech, it's just BIS and GDS speaking.

midata is supposed to be a voluntary scheme. That's back in November 2011. By July 2012 when BIS announce their midata consultation, it turns out that they're seeking statutory powers to force suppliers to comply with midata, please see the BBC's Midata project plan for compulsory customer data:
The new measures, likely to be included in the Enterprise and Regulatory Reform Bill currently going through Parliament, could become law next year.
At the open forum held on 9 August 2012, BIS are unable to say how midata will expand the economy and they cast doubt on whether it would.

5 September 2012, and the close connection between GDS's IdA, midata and Mydex is explained, please see To understand BIS' midata proposal it helps to understand Mydex and Making midata work for you. The connection with the US National Strategy for Trusted Identities in Cyberspace (NSTIC) is thrown in for good measure.

25 October 2012, and the nexus between midata, Mydex and GDS is mentioned for the first time on the GDS blog, see comments on Identity assurance for local government services and reference to personal data stores in the accompanying local government report.

3 November 2012, two hours ago as DMossEsq writes, William Heath releases a televised interview in which he makes the undefended claim that Mydex can save money for consumers and repeats the undefended claim that Mydex can cause the economy to grow.

It's a quite complicated picture. There is a map available. Cutting through the complexity, what's the beef?

A personal data store is the software equivalent of an ID card. Instead of being a piece of plastic in your wallet, it's a file on Mydex's computer. It's still an ID card.

After all the promises going back to the 20 September 2010 IdA meeting, the promises that the lessons had been learnt from the failure of IPS and their ID cards scheme, here we go again. Doom.

----------

Cribsheet
  • Ctrl-Shift is a consultancy which has BIS as a client.
  • BIS pays Ctrl-Shift and Ctrl-Shift issues independent reports saying what a good thing midata is.
  • midata is a BIS initiative so the money is well-spent.
  • Alan Mitchell is a director of Ctrl-Shift.
  • William Heath used to be a director of Ctrl-Shift but he resigned.
  • On the other hand, he retains 30 of Ctrl-Shift Ltd's 106 issued and paid-up ordinary shares, according to the 20 April 2012 annual return filed with Companies House. So he still has a chunky interest in the company.
  • Ctrl-Shift had a turnover in the year to 31 March 2011 of £122,129 and made a loss of £30,136 according to the unaudited accounts.
  • William Heath is the chairman of Mydex Data Services Community Interest Company, but not a director. Alan Mitchell is the strategy director. They have no shares in the company according to the 28 March 2011 annual return. All the 1,000 10p shares in Mydex are registered in the name of another director, Mr Iain Henderson.
  • Mydex is a PDS company. It wants to administer people's PDSs. It wants to manage your on-line identity for you.
  • Mydex made a loss in the year to 31 March 2011 of £2,117,212 but still has positive shareholders' funds thanks to a share options reserve. What that seems to mean is that when you do work for Mydex, you don't always get paid money, you may get share options instead.
  • Mydex may or may not have been the recipient of some of the £14 million the Technology Strategy Board invested in the nascent identity assurance business and/or the £10 million Francis Maude put in.
  • William Heath sits on the midata strategy board at BIS, as Kirstin Green, a deputy director at BIS, told us at the 9 August 2012 open forum held as part of the public consultation on midata. At para.2.19 on p.24 of the consultation document you will see that midata depends on personal data inventories/stores.
  • DMossEsq used to contribute to William Heath's Ideal Government blog.
  • Remember The Bridge Over the River Kwai.
  • If you find yourself wondering why you should hand over your PDS to Mydex, a company you've never heard of and have no reason to trust and which will store it on the web, in the cloud, where you will have no control over it, then you're just an obsessive personality who understands nothing about economic reality, you're a troll who perversely doubts that this is the route to economic growth and human perfection:
It’s no more helpful to obsess about identity than to obsess about privacy ... The area to focus on is data logistics ... the compelling reason to pursue better data logistics with user-driven services is saving money.
William Heath, 21 September 2010


midata also creates opportunities for new markets to develop where businesses help consumers use their data to make better consumption decisions and lifestyle choices.
BIS, Cabinet Office and the Behavioural Insights Team, July 2012


Thursday 1 November 2012

G-Cloud team soon to be Eleanor Stewartless

G-Cloud ii has been released. There are now over 3,000 conveniently automated ways for central and local government departments to lose control of their IT through CloudStore.

Eleanor has been closely involved in the project and, as a trained archaeologist, she will be particularly well-placed to go through the remains after it all comes tumbling down, identifying the signs of a once-thriving civilisation. "I look forward to watching it happen from my new role in the FCO", she says – G-Cloud's loss is the Foreign Office's gain.

She will be missed. She said G-Cloud ii would be released on 26 October 2012 and it was. She provided a forum for debate and she confronted criticism openly, e.g. "What the heck can we do to resolve some of the scary and largely unknown legal and policy issues that people are nervous about in a globalised world?". Good question. No answer. But at least she asked. The Foreign Office are lucky.

It's not unknown for Whitehall to be open about criticism. Lin Homer at HMRC is pretty good at it and has been for years. We may yet discover from her HMRC's side of the story about losing control of all our tax records in the cloud with Skyscape, the one-man company with no track record.

Compare that with the Government Digital Service (GDS).

They said they would announce the names of the UK's so-called "identity providers" by 30 September 2012 and they didn't. Then they said the announcement would be made on 22 October 2012 and it wasn't.

Ask them why they've decided to host GOV.UK on Skyscape and they can't answer.

Post a critical comment* on their blog, and they delete it.

Send them an open letter, and there's no response.

Issue a press release with 17 questions, and you get 0 answers.

Security experts at a Whitehall conference pour scorn on GDS's idea of relying on the social networks for identity assurance and ... silence.

GDS claim to want "participation" as they build the new city on a hill with their (tax) dodgy friends. They don't understand the word. Not the way Eleanor Stewart does.

PS At 10:24 a.m. yesterday a notification was emailed to everyone announcing a new post by Mike Beaven on the GDS blog, Refining transactions with help from the Minister. Click on the link and you get "404: Page Not Found". A Twitter enquiry from Kris Coverdale was met with "we just needed to correct something. We'll be putting it back up again later". That was yesterday. 15 minutes ago, via Tim Lloyd, we have "It wasn't displaying correctly. Trying to resolve now". Just how hard is it to participate?

----------

* A lost fragment from GDS's Less About Identity, More About Trust thread recently discovered by archaeologists. What do GDS know about identity? Or trust? And how many other fragments are missing?
Dear Ms Kidney

Thank you for your 12 October 2012 reply.

As you will see on the G-Cloud blog, I have read and responded to Eleanor’s reply, pointing out that it’s not the OJEU rules I’m interested in but the rules of common sense.

It’s not more information about Skyscape that I’m after but an answer to the question how on earth did GDS go through all the hard work of developing GOV.UK and then host it at a one-man £1,000 company?

GOV.UK is meant to be a major national asset and GDS’s decision to host it on Skyscape looks “dangerous, imprudent, ill-advised, unprofessional, wrong-headed, unbusinesslike, undignified and irresponsible” as I say in my open letter to ex-Guardian man Mike Bracken.

And what similarly awful decisions do we have to look forward to discovering on 22 October 2012? IdA Day?
