DMossEsq

Tuesday 8 October 2013

Identity assurance, GDS and HMRC – the tension mounts

Here in the UK, this month is Identity Assurance Month. This is the month that the Government Digital Service have to deliver.

It's the 8th of the month and there's no news. Will we soon be able to alter our tax codes on-line? The tension is mounting.

Are you starting to wilt?

Here's a little mental stimulation to divert you and keep you going.

*Public Administration Matriculation Board*
Identity Assurance 101
*October 2013*		*120 minutes*
Candidates should read the attached source document carefully before attempting the following questions.
1	Ten years ago, according to the source document, many UK councils/local authorities “welcomed the benefits that online services would bring but equally they mistrusted data security, and feared the ‘big brother’ State”. The mistrust and the fear still exist and the source document asks “how can councils and their partners allay citizens’ mistrust and fear of Big Brother that have been present for over a decade?”. Answer the question. 10 marks
2	(a) “The only way is digital ...” – is that true? 1 mark (b) “The vision of the European Union’s DG Connect is ‘to make every European digital’ ...” – so what? 1 mark
3	UK local authorities “have shifted from ‘doing more with less’ to the reality of ‘less with less’ and becoming ‘smarter’ ... it’s about smarter councils leading smarter places, and giving smarter citizens smarter spaces to shape smarter services with you”. (a) Explain the connection between Lord Brown of Madingley, “more” and “less”. 2 marks (b) Beginning with the Hayes Smartmodem, trace the history and success of the word “smart” and its cognates as a marketing device over the past 32 years. 5 marks (c) First we learn that “individuals will drive local councils’ digital transformation”, then it’s “smarter councils” who will be “leading smarter places”. Who is in the driving seat, the council/local authority or the individual/citizen? 2 marks
4	“The more adventurous councils aren’t following Whitehall’s charge towards digital by default – they’ve overtaken it!” (a) In what sense is Whitehall charging towards digital-by-default? 1 mark (b) The source document is published by Mydex, one of the nation’s eight “identity providers”. As such, Mydex is integral to the Government Digital Service’s Identity Assurance Programme which is in turn integral to digital-by-default. And to midata. Mydex are poking fun at GDS for being overtaken by “the more adventurous councils”. There was no need to do that. Why did they? 1 mark (c) Will “the [smarter and] more adventurous councils” come to regret their early lead? Will all the stupid timid councils have the last laugh? 1 mark
5	“Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will take the [Wombwell] project to the next level and unlock a myriad of services for this previously off-line, ‘cash in hand’ community”. Is there any such thing as a “super secure personal data store”? 5 marks
6	“This can ultimately manage demand out of the service” – what does this mean? 2 marks
7	“How can councils and their partners allay citizens’ mistrust and fear of Big Brother that have been present for over a decade? ... One of the most effective ways is to be more open, and to give control over personal data back to individuals using personal data stores”. How does storing your personal data on the web, in the cloud, with a third party you've never heard of, give you control over that data? 5 marks
8	(a) “A personal data store allows for automatic personalisation” – what does this mean? Note that the quotation is taken from the start of a paragraph by the end of which people are having to do their own personalisation, it’s stopped being automatic. 2 marks (b) “It really changes how the future can be” – what doesn’t? 2 marks
9	Five times in the source document people are “empowered” by personal data stores. Or are they? Is power actually being relocated in the apps people will depend on? These apps will process the personal data that has been “permissioned” for sharing. Given that even members of the Zuckerberg family who work for the company can’t understand Facebook’s own permissioning system, what chance do the rest of us stand of understanding Mydex’s system? These apps will not be free – how much will dependency cost personal data store owners? These apps are meant to do the jobs currently done by human beings – are public servants inviting redundancy? What is the difference between downloading an app and downloading a virus? 10 marks
10	“Imagine how powerful it would be if by 2020 the 16m people currently off-line or with low on-line skills had developed the digital confidence and trust in digital public services to permission the sharing of their personal data for councils”. That’s one possible scenario. There are many others. Briefly describe four more possible scenarios, taking the total to five. Allocate a probability to each one, giving your reasons. Under what circumstances would it be logical, businesslike and responsible for either central or local government to spend public money inveigling people and businesses into storing their data with companies they have no reason to trust, on the web, in the cloud, where it will be at the mercy of hackers, GCHQ and the NSA, among others? 20 marks

Identity assurance, GDS and HMRC – the tension mounts

more ►

Saturday 5 October 2013

Has anyone heard from the Home Secretary?

Communications Data Bill? Unnecessary. That was the question on the DMossEsq blog on 7 July 2013. And the answer. Judging by the Edward Snowden revelations, we don't need this Home Office Bill. The security services already have all the tools they need to try to keep us secure against terrorism, the Bill adds nothing.

Six days before, on 1 July 2013, the (London) Evening Standard published an article by John Kampfner which includes this: "Plans to introduce the Communications Data Bill or “snoopers’ charter” have been put on hold thanks to determined resistance by Nick Clegg and others ... Now we know they didn't really need the legislation – they've been doing it anyway, without bothering to recourse to the law".

It's not just Mr Kampfner and DMossEsq. Hugo Rifkind had an article in the Spectator the other day, 28 September 2013: "Six months ago we were tying ourselves in knots over the Snooper’s Charter – all about what invasive powers the state required into our digital data – and never was it admitted, even in passing, that our security services had the capacity to do all this stuff anyway, whether granted the new powers they desired or not".

So that's three of us. Including the son of Rt Hon Sir Malcolm Rifkind KCMG QC MP, the Chairman of the Intelligence and Security Committee.

And d'you know what?

Not a word from the Home Secretary.

----------

Updated 6 October 2013
Communications Data Bill, June 2012, Foreword by the Home Secretary, "serious and growing risk":

... communications data from new technologies is less available and often harder to access. Without action there is a serious and growing risk that crimes enabled by email and the internet will go undetected and unpunished, that the vulnerable will not be protected and that terrorists and criminals will not be caught and prosecuted.

Communications Data Bill, June 2012, Introduction, p.2, "neither feasible, necessary nor proportionate":

Nothing in these proposals will authorise the interception of the content of a communication. Nor will it require the collection of all internet data, which would be neither feasible, necessary nor proportionate.

A little deceitful?

Unpublished:

From: David Moss
Sent: 07 July 2013 01:15
To: 'dtletters@telegraph.co.uk'
Subject: Charles Moore, 5 July 2013, 'Edward Snowden is a traitor, just as surely as George Blake was'

http://www.telegraph.co.uk/technology/internet-security/10162351/Edward-Snowden-is-a-traitor-just-as-surely-as-George-Blake-was.html

Sir

Charles Moore argues that everyone already knows that the security services intercept our communications to protect us against terrorism. For the past year, the Telegraph has reported on the Home Office's attempts to promote the Data Communications Bill, desperately needed according to Theresa May to protect us against terrorism. They can't both be right. Which is it?

Yours

David Moss

Unpublished:

From: David Moss
Sent: 01 October 2013 16:41
To: 'letters@thetimes.co.uk'
Subject: Kaya Burgess, 1 october 2013, MI5 playing into hands of ‘twerps like Assange’

http://www.thetimes.co.uk/tto/news/politics/article3883536.ece

Sir

We have it on the authority of Dame Stella Rimington that the security services can intercept any of our internet-based communications.

Two points.

Firstly, the implication is that there is no such thing as a secure website. Secure websites are like unicorns.

Second, the Home Office have been promoting the Communications Data Bill on the grounds that, unless we provide the security services with the tools, they can't defend us against terrorism. The implication was that they don't have the tools needed. As it turns out, they do, and the Home Office were deceiving us.

Yours

David Moss

Updated 7 October 2013
The Guardian, Cabinet was told nothing about GCHQ spying programmes, says Chris Huhne:

... Huhne also questioned whether the Home Office had deliberately misled parliament about the need for the communications data bill when GCHQ, the government's eavesdropping headquarters, already had remarkable and extensive snooping capabilities ...

"Throughout my time in parliament, the Home Office was trying to persuade politicians to invest in 'upgrading' Britain's capability to recover data showing who is emailing and phoning whom. Yet this seems to be exactly what GCHQ was already doing. Was the Home Office trying to mislead?

Has anyone heard from the Home Secretary?

more ►

GDS, agile PAYE on-line

This is the month when the Government Digital Service (GDS) have to deliver.

HMRC Digital Strategy

December 2012

PAYE Online
A new online service for taxpayers who use PAYE to pay tax via their employer. The service will allow individuals to get guidance and information on their tax code and to inform HMRC when they make a change that affects the amount of tax they pay ... (p.17)

IDA
The Digital Solutions Programme, together with the Government Digital Service, is developing an Identity Assurance (IDA) capability that can be re-used across all departmental and governmental services. The ID hub is based around the Security Assertion Markup Language (SAML) standard and gives a route for government to utilise existing, trusted identity providers in the market. A pilot IDA service, using point in time verification (a necessary part of the PAYE online exemplar) to make things simple and easy for one-off transactions will be used in October 2013 with wider IDA capabilities becoming available from October 2014. The new IDA capability will replace the current Government Gateway authentication used by HMRC’s online services with customers being migrated from the Government Gateway in 2015 ... (p.17)

Addressing the user problem
Under PAYE Online, we are giving customers the ability to update information that helps us better calculate their tax code. We are starting with company cars and medical benefits in October 2013. (p.20)

We expected a prototype by the end of 2011, the first public services were due to be tested by February 2012 and live by the autumn of 2012. Nothing happened.

Then we expected it to be fully operational for 21 million people by 31 March 2013. Nothing happened.

Now, we must assume, at last, identity assurance (IDA) is going to see the light of day, this month, October 2013.

What will we see?

Go back to HMRC's December 2012 digital strategy.

HMRC want us PAYE taxpayers to be able to report to them on-line any changes to our circumstances which affect our tax codes.

Until this month, if you wanted to change your tax code, you had to ring HMRC or send them an email or a letter. Now, for benefits in kind, specifically company cars and medical insurance, you'll be able to fill in a form on-line. No more phone calls, emails or letters. That's the promise. "Digital by default", as they say.

Of course, HMRC need to know it's you and not someone else trying to vandalise your tax code by telling HMRC that you're receiving benefits in kind when really you're not. That's where the "trusted identity providers" mentioned by HMRC come in.

This service could be offered over the existing Government Gateway but, no, GDS and HMRC want to operate it on a new pan-government "ID hub".

Will IDA be a reality by 31 October 2013, a year after it was meant to be?

No.

It's still a "pilot service", it will have "wider" capabilities from October 2014 and it will be some time in 2015 before we're all weaned off the Government Gateway – arguably, three years after we were meant to be.

The "ID hub" is meant to offer anonymity. And an audit trail. How can it do both simultaneously? It can't. Will it be as secure as the Government Gateway? Given the daily diet of hacking stories in the press and the post-Snowden revelations about NSA and GCHQ surveillance, is there any such thing as a secure website? No. Given Whitehall's hunger to get their hands on our personal data, is there any chance of our privacy being maintained? No.

It looks, from the HMRC strategy document (and GDS's exemplar no.15), as though we should all have electronic IDs, from the "trusted identity providers in the market" of our choice, by the end of the month. What market? There isn't one. In what sense are these providers trusted? None.

Has anyone got one of these electronic IDs yet? There are only 26 days to go if the agile GDS are to meet their deadline. They're cutting it a bit fine.

"The first service to be delivered using identity assurance will be the Department for Work and Pensions' Universal Credits scheme", we were told back in September 2011. We believed that. It didn't happen.

Nothing to do with me, "not that close to it", ex-Guardian man Mike Bracken, chief executive of GDS, told the BBC. Strange, given that he's the senior responsible owner of IDA, and proud of it. Strange, given that he's the man who had DWP's invitation to tender withdrawn in December 2011 and replaced it with his own in March 2012.

Now it's HMRC's PAYE Online service which will be the first. We believe that. Now. But what will we believe come November?

Will we believe that digital-by-default will save money? How?

The planning for this phase of IDA goes back to September 2010. Three years later, HMRC will make sure that there's something for us to see this month. But it will be a pilot service, not a live one. We were warned. By the four professors. For all GDS's claims to be "agile", the Whitehall outcome seems to be the same, delays and resets, starting again at number 1, born again yesterday.

GDS, agile PAYE on-line

This is the month when the Government Digital Service (GDS) have to deliver.

HMRC Digital Strategy

December 2012

more ►

Monday 30 September 2013

GDS – next month is Identity Assurance Month

Here we are at the end of September.

Next month is Identity Assurance Month.

How often have you said that before?

Cast your mind back to 1 February 2012, Computer Weekly magazine, What the beta of Gov.uk means for public services:

GDS [the Government Digital Service] has a remit to fundamentally change public services to a "digital by default" model and Gov.uk is the first phase of delivering that goal ...

The big cost savings associated with Gov.uk will come through more citizens transacting with government online ...

Another key aspect of transactions is the work on identity assurance (IDA), which is intended to create a marketplace of private sector providers which citizens can choose to identify themselves online.

[Ex-Guardian man Mike] Bracken is now the senior responsible owner for IDA. “It’s something that I put my hand up for because it’s so important. Unless we have better and wider used security protocols, it will be hard to identify users, allow transactions and link up services ...”

That's when you discovered who's in charge. "It’s something that I put my hand up for". Ex-Guardian man Mike Bracken. The executive director of the Government Digital Service (GDS). It's his job to equip you with a selection of electronic IDs "because it's so important" – no electronic IDs, no digital-by-default.

When is he supposed to deliver?

How often have you asked that before?

Cast your mind back to 13 September 2011, Computer Weekly magazine, Identity assurance - how it will affect public services and your personal data:

Identity assurance (IDA) will play a central role for the government in delivering digital public services - seen as an important way to cut the cost of the public sector. IDA is the process citizens will need to go through to verify who they are to access public services online. Part of the government's remit under the IDA project is to create a market of private sector identity assurance services to enable access ...

The government is also eager to put as much distance as possible between IDA and the failed identity card system under Labour, as some critics have accused it of resurrecting that unpopular programme under a different name ...

The first service to be delivered using identity assurance will be the Department for Work and Pensions' Universal Credits scheme; HM Revenue & Customs' One Click and Real-Time Information; NHS HealthSpace; and the Skills Funding Agency Customer Identification project ...

A prototype for IDA will be completed by the end of the year [2011]. The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012.

"The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012" – if you were expecting electronic IDs/identity assurance (IDA) to be available by, say, October 2012, then – just to answer the first question above – this must be the twelfth time you've said "next month is Identity Assurance Month".

Despite all the protestations of being "agile", GDS are a year late with IDA.

They'd better deliver this time.

It's one thing to derail Universal Credit, which relied on IDA being "fully operational" by spring 2013 (para.12). You can do that to DWP, the Department for Work and Pensions, the biggest spender in UK government. Who cares?

But you can't do it to HMRC. And that's who's relying on IDA being ready next month. HMRC is the government's tax farmer. They raise over £500 billion a year. Threaten that revenue, and your future starts to look sticky.

What are HMRC relying on?

IDA "is intended to create a marketplace of private sector providers which citizens can choose to identify themselves online" or "a market of private sector identity assurance services to enable access [on-line public services]".

You know the sort of thing.

Sainsbury's or Tesco. Lidl or Waitrose. Morrison or the Co-op. Asda or M&S. You can go to any supermarket chain and be pretty confident of getting decent quality food at a competitive price. The choice is yours. And your choice isn't limited to just the big stores – even today, there are thousands of little grocers where you can shop. There's a real market there.

That's what IDA is meant to offer, too.

But it doesn't.

GDS have appointed eight prospective suppliers of electronic IDs in their IDA pseudo-market, three have pulled out for some unknown reason and five of them are going to take part – the Post Office, Experian, Digidentity, Mydex and Verizon.

The Post Office isn't a "private sector provider". You know that. The government are currently trying to privatise it but for the moment it's a company with just one shareholder, Vince Cable. Nothing like Tesco.

And the Post Office is nothing like Digidentity which, in turn, is nothing like Mydex. Asda and the Co-op et al are all comparable. They can all do the same job, independently. Unlike GDS's so-called "identity providers" – they need each other, they can only operate IDA in partnership.

Digidentity is Dutch and Verizon is American. What do they know about UK identity?

Experian's got all the data already, it already does identity assurance, but what data does Mydex have?

Mydex promises that if you store all your personal data in one of their PDSs (personal data stores) then you'll be able to control who sees it and the uses to which it is put. No doubt Verizon make the same promise but when the US National Security Agency demanded to see Verizon's client data they had no option but to let them.

How can Mydex promise you control? They can't. It's not theirs to give.

Next month is Identity Assurance Month?

----------

Updated 27.6.14

"IDA due to be rolled out for initial public services by autumn 2012" – that's what we were told in September 2011. IDA is already over 18 months late.

It's just like the old days, when big IT suppliers came in years late and hundreds of millions of pounds over budget. But it's all meant to be different with GDS. Agile.

It's beginning to matter. In the interests of individual electoral registration (IER), we now have what is generally acknowledged to be a second rate on-line application system – electoral registration officers have little or no assurance that the person applying to register to vote is who they say they are.

We know what DVLA think about GDS's failure: "this authentication process ... does not provide us with the level of confidence the user is who they say they are in order to ... allow them to link to a transactional service". What do the Electoral Commission think?

The Electoral Commission don't pull their punches. What are they going to say about second rate identity assurance when they start their IER publicity campaign next month?

GDS have five so-called "identity providers" lined up to provide us all with on-line personal data stores.

Only one of them is certified trustworthy by tScheme. And that's Experian. Who are waiting to hear what the judge in a US identity fraud case has to say about them selling personal data to fraudsters.

(Not that GDS are interested in security. It's all usability with them.)

The other four "identity providers" are not certified trustworthy and the German government has just cancelled their contract with one of them, Verizon, for handing over personal data to the US authorities.

Verizon can hardly be deemed good enough for the UK but not for Germany. So now we're down to only three "identity providers", who are meant to constitute an "ecosystem", or private sector market.

But it's a funny market – any IDA payments made to them will come exclusively from the government.

Any other major Whitehall project would be monitored and reported on by the Major Projects Authority. But IDA isn't. Why not?

GDS – next month is Identity Assurance Month

Here we are at the end of September.

Next month is Identity Assurance Month.

How often have you said that before?

more ►

The answer to Mr Miliband's prayer

Why freeze energy prices? Why not halve them?

Gas and electricity prices rising fast? More and more people having to choose between keeping warm and eating?

Freeze 'em! (The prices, that is, not the people.)

That's the solution recommended by Ed Miliband, the leader of her Majesty's loyal opposition here in the UK.

Everyone knows that this solution won't work. Not if that's all there is to it. You just need to look at what's happening in Venezuela today to see that.

But that isn't all there is to it. Mr Miliband's recommendation in full is to freeze energy prices for 20 months, during which he would do something, if he was in government, to solve the fuel poverty problem sustainably. He's not relying exclusively on a price freeze.

What is that something? What is his sustainable solution?

He hasn't told us.

Look again at the problem. There are at least three elements:

Energy consumers have no autonomy when it comes to prices. We are in no position to negotiate with the suppliers. If that's the price they set, that's the price we pay. Either that, or we freeze.
Prices are rising fast despite the existence of the Department for Energy and Climate Change, the Department for Business Innovation and Skills and OFGEM.
The economy is suffering at the moment from high energy prices. If prices are frozen, the economy will still suffer, Venezuela-style. Either way, the economy suffers.

What options are available to Mr Miliband? What values of something are available?

The energy sector is currently privatised. Competition doesn't seem to be keeping prices down. Not even with regulation. Mr Miliband could instigate an antitrust investigation by the Competition and Markets Authority or maybe by the EU. That's one option. Or the sector could be re-nationalised. That's another. And there are intermediate states in addition, the energy sector could be part-nationalised and part-privatised.

20 months might just be long enough to complete the investigation or to complete the partial or complete re-nationalisation.

Would any of these options work?

It would be a political decision. Ministers would be advised by officials but it would be their decision – the ministers'. They would face a number of awkward questions:

Why wait until 2015 to start tackling the problem?
Why have the price freeze at all? That is, why not go straight for the proposed solution, the something?
Why freeze prices? Why not halve them?
If the proposed solution involves re-nationalisation, what happens to the national debt? We are led to believe that the national debt will stand at £1.5 trillion by the time of the next election. Nationalisation of the energy sector can only increase it. At some point, people are going to stop lending to us at today's low rates. Higher interest payments, allied to quantitative easing, are going to send inflation through the roof and the exchange rate through the floor.
And what happens to the budget deficit? The present government is trying to reduce it by 1% p.a. at the moment. That microscopic reduction will be reversed if the state takes the energy sector onto its books.
Trickiest of all, politically, Mr Miliband happens to be the Energy Secretary who, in the last government, saddled us all with levies to pay for alternative energy and with carbon taxes. Why would anyone believe that he now knows how to reduce the bills that he increased?

The option that ministers choose would have to have economic support. Government economists would provide some supporting arguments and the think tanks would provide a few more.

That risks being unconvincing. After all, there were economic arguments in favour of nationalisation after the war and there were economic arguments in favour of privatisation during the 1980s – ask enough economists, and you'll always find one in the end who will provide the supporting arguments you need for whatever bee there is in your bonnet.

Sometimes that will be a very senior economist indeed, with a global reputation. Sir-Gus-now-Lord O'Donnell, for example:

In 2002, he co-edited a book with Ed Balls, congratulating Gordon Brown on eliminating boom and bust, Reforming Britain's Economic and Financial Policy: Towards Greater Economic Stability. A year later saw another book edited by the two of them and Joe Grice, again congratulating Gordon Brown, this time for Microeconomic Reform in Britain: Delivering Opportunities for All.

As we now know, Sir Gus was spectacularly wrong. Following the 2008 bust Sir Gus claimed to have abolished everyone has become their own economist. Instant economists are a dime a dozen.

And some of these instant economists talk a good enough game to catch the eye of government.

midata, for example, will empower consumers, or so we are told. midata, we are told, will cause the economy to grow and will succeed where the regulators have failed. So will open data/PSI (public sector information), which will boost the EU economy by €140 billion – according to economists – please see Economics made simple 13 July 2013.

midata and PSI between them address the three elements of the energy problem identified above. The perfect solution. Just what Mr Miliband is looking for. And yet we haven't heard much from the midata/ODI (Open Data Institute) pundits recently:

Have they lost their confidence?
Are they keeping their heads down, in the face of a real problem?
Their bluff is being called, do they have nothing to say?
Don't they believe their own publicity?
Or are they all too busy advising Mr Miliband? Perhaps they don't have time these days to publish any more of their entertaining economics essays.
How long before we are told that midata and PSI will make energy affordable?
And if they can't make energy affordable, then just what problems are midata and PSI capable of solving?

The answer to Mr Miliband's prayer

Why freeze energy prices? Why not halve them?

Energy consumers have no autonomy when it comes to prices. We are in no position to negotiate with the suppliers. If that's the price they set, that's the price we pay. Either that, or we freeze.
Prices are rising fast despite the existence of the Department for Energy and Climate Change, the Department for Business Innovation and Skills and OFGEM.
The economy is suffering at the moment from high energy prices. If prices are frozen, the economy will still suffer, Venezuela-style. Either way, the economy suffers.

Why wait until 2015 to start tackling the problem?
Why have the price freeze at all? That is, why not go straight for the proposed solution, the something?
Why freeze prices? Why not halve them?
If the proposed solution involves re-nationalisation, what happens to the national debt? We are led to believe that the national debt will stand at £1.5 trillion by the time of the next election. Nationalisation of the energy sector can only increase it. At some point, people are going to stop lending to us at today's low rates. Higher interest payments, allied to quantitative easing, are going to send inflation through the roof and the exchange rate through the floor.
And what happens to the budget deficit? The present government is trying to reduce it by 1% p.a. at the moment. That microscopic reduction will be reversed if the state takes the energy sector onto its books.
Trickiest of all, politically, Mr Miliband happens to be the Energy Secretary who, in the last government, saddled us all with levies to pay for alternative energy and with carbon taxes. Why would anyone believe that he now knows how to reduce the bills that he increased?

In 2002, he co-edited a book with Ed Balls, congratulating Gordon Brown on eliminating boom and bust, Reforming Britain's Economic and Financial Policy: Towards Greater Economic Stability. A year later saw another book edited by the two of them and Joe Grice, again congratulating Gordon Brown, this time for Microeconomic Reform in Britain: Delivering Opportunities for All.

As we now know, Sir Gus was spectacularly wrong. Following the 2008 bust Sir Gus claimed to have abolished everyone has become their own economist. Instant economists are a dime a dozen.

more ►