Sunday 23 March 2014

Who says Public Servant of the Year ex-Guardian man Mike Bracken CBE doesn't have a sense of humour?

Sunday 16 March 2014

RIP IDA – what we shan't be told on 10 June 2014

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Individual electoral registration (IER) was passed into law last year and will start in England and Wales in a few months' time on 10 June 2014. In the weeks leading up to that date the Electoral Commission will conduct a publicity campaign to tell people how it works and to remind us of the benefits we can expect.

What you will read
We may hear that managing our own electoral registration on-line will give us more control. And that it's more efficient. We may be told that democracy will thereby be extended. And that IER is modern and more fitting for a 21st century country than the household registration by post that it replaces.

We may be told that IER will reduce electoral fraud because, for the first time, electoral roll records can be checked against national insurance records. In fact, that's what we've already been told:
The Government’s plan for the introduction of IER includes the intention to compare existing electors’ names and addresses on the electoral registers with records held by the Department for Work and Pensions (DWP) in order to verify the identity of people currently on the registers. This process is known as 'confirmation'.
There might be a few ignorable moanbags complaining that national insurance records are in such a mess that they don't provide the Electoral Commission with much confidence. Some clever dicks may point out that the reliance on social security numbers to identify people in the US has historically been a nightmare. But this benighted awkward squad, incapable of seeing the marvels of modernisation, won't get much coverage.

The Individual Electoral Registration Bill was a Liberal Democrat Bill sponsored by their leader, Nick Clegg, the Deputy Prime Minister. The impact assessment revealed that the data-matching above was illegal. Primary legislation therefore had to be passed to allow it – a Liberal Democrat Bill had the illiberal effect of removing one of the protections built into the carefully crafted unwritten British Constitution.

Anyone complaining that the sharing of records, between the Department for Work and Pensions (DWP) and Electoral Registration Officers, is a dangerous constitutional revolution will be treated as a typical British eccentric. Charming in their way, but not to be taken seriously.

These old gits can point out all they like that democracy's finger has been pulled out of the dyke, releasing the floodwaters of massive data-sharing in which we shall all drown. They will be ignored. Francis Maude has won the day and convinced the administration that the protections afforded by the old laws were just so many myths.

All of those matters may be discussed. That will be the news.

What you won't read
What will not be news and what will not be discussed is the embarrassing point that the identity assurance programme still doesn't exist.

If IDA existed, we would have a reliable way of determining identity and its associated entitlements such as the entitlement to vote.

We wouldn't have to rely on half-baked checks against DWP, whose national insurance number database contains at least nine million records which no-one can account for. That was the figure back in 2007, after the database had been deduped/cleaned up. Before that, there were 20 million suspect records. How many are there now? Who knows.

IDA was "due to be rolled out for initial public services by autumn 2012" but it wasn't and it still hasn't been and it won't have been by 10 June 2014. It should be the linchpin of digital government but it isn't there to protect the new electoral roll at one of its weakest points – the take-on of voter details for the first time. And at the present rate, it never will be there.

At some point the administration will have to admit that IDA is dead. RIP.

When?

Not 10 June 2014. That's for sure.

You'll have to wait much longer than that.

How much longer?

144 hours. Six days. You'll have to wait until 16 June 2014 ...

Thursday 13 March 2014

EXCLUSIVE: GDS and the 2015 general election – SCOOP

"Central plank of the 2015 UK election campaign temporarily unavailable", we said, back in November 2013.

That was when CloudStore went down for a week. Twice. Just after Public Servant of the Year ex-Guardian man Mike Bracken CBE had been allowed to make a presentation to the full Cabinet of the UK government.

Clearly GDS – the Government Digital Service – was going to form part of the Conservative Party May 2015 general election campaign and manifesto, and maybe the Liberal Democrats', too.

But what of UKIP?

Don't know.

And what of Labour?

There's been a bit of activity on Twitter over the past few weeks involving Matthew Taylor and, indirectly, Jon Cruddas MP, Labour's policy architect. It looked as though Labour are trying to make their mind up about digital-by-default and that is confirmed in a blog post by Bryan Glick, the editor of Computer Weekly, following an interview with Chi Onwurah, one of the few Labour (or Conservative or Liberal Democrat or UKIP) MPs who might actually understand the technology.

Only four months after DMossEsq, Mr Glick says "GDS becomes political as Labour launches digital government review" and now GDS have noticed, too, and have started to set out their stall in a blog post today, Mapping the GDS journey.

We've got 14 months of this to look forward to. And we're off to a good start. With a scoop, which Mr Glick has not yet found room to publish in the comments on his blog post. [Mr Glick has now kindly published the comment, which had been trapped by a Computer Weekly spam filter.] So here it is. An exclusive:

By some mystery of modern telecommunications, the following email arrived in my inbox three months before it was sent.
----------
From: SpAd
Sent: 12 June 2014 20:15
To: ShadCabOffMin
Subject: Government Digital Service (GDS)
Dear Chi
As requested, I have taken a look at this GDS business. I understand that the issue is what to put in the manifesto that will make us look modern, alert to the possibilities of technology, caring and prudent moneywise.
There’s an obvious political problem. If we support GDS, we look as though we support the Conservatives/Lib Dems. I strongly recommend, therefore, that we criticise them.
There is ample reason to do so.
They’re promising savings. GDS reckon it would take 11 years [1] from the time digital-by-default starts – which it still hasn’t – to the point at which the country could enjoy savings by making a minimum of 40,000 [2] public servants redundant.
The public has had it up to here with promises of savings that are never delivered. They’ll take one look at that 11 years and decide that (a) it’s so far in the future no-one could possibly make an accurate prediction, (b) that’s 11 years during which no politician or official can be accused of failure, they can just do what they like in the interim, and (c) they’ll all have moved on to retirement/better jobs in the private sector by the time the mission is aborted at a cost estimated by the NAO to be £1 billion.
I may have got this wrong but 40,000 public sector redundancies doesn’t look to me like a Labour policy objective. It would probably knock another million off union subs to the Party. Not helpful with our overdraft at the Co-op.
We’d do best to point out that digital-by-default is just the Blair policy of transformational government [3] under a different name. Criticising it gives us a double whammy. Not only can we say that the coalition have got it wrong, they’ve been hoodwinked by silver-tongued IT salesmen, it also helps to keep a distance between us and TB.
Digital-by-default only works if there’s a reliable national identity management system. We really don’t want to go through all the aggro we had with ID cards again. Do we? Better to cast the coalition mob as Blairite ID card supporters and let Labour take a stand on civil liberties (if any of your colleagues can remember what they are) and the human right to privacy.
There’s a lot more but perhaps that’s enough. Will write up the rest if you insist. As a parting shot, do you realise that GDS’s model for digital by default is Estonia [4]? I wouldn’t fancy your chances of re-election if you try to convince the good people of Newcastle that they should be more Estonian.
Best
SpAd

Sunday 9 March 2014

Something for the weekend, Sir?

"We wanted to try something new", said GDS four Saturdays ago, 15 February 2014, "sharing the things we've liked over the past week in a blog post".

That was followed by links to stories about the National Archives, ways to write clearly, "an unlikely cause for squeaky brakes" and other matters.

You get the idea. GDS are proposing a frothy Saturday magazine features series. Nothing too serious. A touch of humour. The emphasis is on good news for a change. Which is fine. Utterly harmless. If you're a frothy Saturday magazine.

But they're not. They're the Government Digital Service. This Weekend Links series appears on the GDS blog. And GDS's job is, to quote them, "to be the unequivocal owner of high quality user experience between people and government by being the architect and the engine room of government digital service provision".

What are GDS doing, highlighting flood defences, as they did on 22 February 2014? That's not their job. It's DEFRA's job.

How do the MOD feel about GDS promoting a DEFRA initiative rather than one of theirs?

By 1 March 2014, they'd moved onto the Oscars. They didn't win one. And yesterday, 8 March 2014, they were "celebrating International Women's Day". What's that got to do with GDS?

The accompanying paraphernalia of lions, unicorns and crowns means that, on their blog in the GOV.UK domain, GDS speak with the authority of the government. The selection of which things to share with us, the choice of which things they have liked over the past week, becomes official. Political. Religious even – dieu et mon droit.

These are editorial decisions. Can you imagine GDS choosing to promote DWP's Removal of Spare Room Subsidy?

If not, there's a bias creeping in. And GDS have no business exercising their personal bias at taxpayers' expense. Let them start their own blogs in their own time if that's what they want to do.

"Simpler, clearer, faster". That's the motto of GOV.UK and when it comes to Weekend Links – to put it simply, clearly and fast – don't. It's a mistake.

Is that a bit puritanical? A bit killjoy? Suppose GDS have something useful to say in their weekend links, something that will add to the education and entertainment of the nation. Then it might be less of a mistake. But they don't.

Yesterday's Weekend Links included this: "GDS’s Head of Content Design, Sarah Richards, shares her thoughts on women in technology":



Ms Richards would like to see more women working in technology. Why? Because she would like to see more women working in technology.

And last week, Ms Richards shared her thoughts with us on clear technical writing.

She wants to ban ampersands (480,000 instances on www.gov.uk). Why? "The reason is that 'and' is easier to read and easier to skim. Some people with lower literacy levels also find ampersands harder to understand ...".

The life expectancy of the hyphen is now similarly short. She gives the example "This information relates to 2013-14" and asks: "What does that mean to you?" It would be better to write "tax year 2013 to 2014", she says.

That takes us back to GDS's war against the word "submit". We have already noted their attempt to help HMRC by re-writing every occurrence of "submit a VAT return" as "send a VAT return", the latter being shorter and less "formal" than the former. But GDS's style guide is not followed consistently. There are 16,900 occurrences of "submit" on GOV.UK which they don't object to.

Ms Richards finishes her thoughts with a question about questions. Specifically FAQs – frequently asked questions. GDS don't approve of FAQs. So they've come up with FAQs without the questions. Which obviously tickles them.

"Did it make any difference to your understanding of the page because there’s no actual questions?", she asks. Because? Despite the fact that? There's? There are? That's an unfortunate sample sentence to be penned by someone intent on telling people how to write English.

If GDS want to promote clear English, would they please stop their fashionable talk about "learnings" when they mean "lessons", e.g. "We’ve worked together to co-ordinate research and procurement requirements and to share learnings on commissioned studies".

Also, it's Lent, would GDS please give up "behaviours", e.g. "linking this narrative to the explicit development of our behaviours as leaders, managers, partners and as Public Health England itself".

As long as GDS continue to talk about "learnings" and "behaviours" they are in no position to advise anyone else about style.

They should also learn to embrace the numbered list. They published a paper on privacy some time back and asked for comments. It is easiest to comment on this crucial matter if the paper has numbered paragraphs. They were asked to number them and they agreed to look into the matter.

That was in June 2013. Nothing has happened in the nine months since. GDS seem to be more interested in preserving their chosen unnumbered style than in creating an on-line transactional system that preserves privacy.

GDS have really got only one job to do and that's to get identity assurance working. Without that, everything they do is pointless.

They have failed so far and they should now concentrate all their efforts on IDA.

There is no excuse for "the engine room of government digital service provision" to be publishing Weekend Links.

Tuesday 4 March 2014

RIP IDA – The Road to Estonia


Come off it, Sten.

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

Has it sunk in yet just how important Estonia is to all of us here in the UK?

According to Google there are 45 instances of the word "estonia" on the DMossEsq blog, stretching all the way from Anonymous demonstration of foolproof Cabinet Office plans back in April 2012 and Francis Maude seeks future in Estonia in May 2012, via the Government Digital Service (GDS) "fantasy strategy" series later that year, all the way through to November 2013 and GDS and international relations.

Then in January this year Public Servant of the Year ex-Guardian man Mike Bracken CBE, executive director of GDS and senior responsible owner of the pan-government identity assurance programme (IDA), emitted this tweet:


That's the penny that needs to drop: "Estonia is a model for all of us".

That's what Martha-now-Lady Lane Fox's digital-by-default revolution is about – the UK should become more like Estonia.

That's what the UK government signed up to when they allowed GDS to make a presentation to the Cabinet on 29 October 2013.

And that's their manifesto sorted out for the 2015 general election – a vote for us is a vote for Estonia coming to the Home Counties.

The article linked to in the tweet above is Lessons from the World's Most Tech-Savvy Government – An Estonian shares his country's strategy for navigating the digital world. The Estonian in question is Sten Tamkivi, an "entrepreneur in residence" at the venture capital company Andreessen Horowitz. And it's uncanny – in just under 1,500 words Sten mirrors just about every theme in DMossEsq.

Sten: The first building block of e-government is telling citizens apart. Estonia has a working identity management system (according to Sten). The UK doesn't and, judging by the progress to date on IDA – none – it's not going to.

Sten: For these identified citizens to transact with each other, Estonia passed the Digital Signatures Act in 2000. Beware. Digital signatures are irrevocable. That's the point of them. At the moment in the UK, as things stand, if you are the victim of identity theft, ... you're not. There's no such crime on the statute book. The bank is the victim of fraud. It's up to them to try to recover the money and, in the meantime, they have to reimburse you whatever is missing from your account. Change that by introducing digital signatures, and you must have agreed to the fraudulent transaction. It becomes your problem, not the bank's.

Sten: Every person over 15 is required to have an ID card, and there are now over 1.2 million active cards. That’s close to 100-percent penetration of the population ... As mobile adoption in Estonia rapidly approached the current 144 percent (the third-highest in Europe), digital signatures adapted too. Instead of carrying a smartcard reader with their computer, Estonians can now get a Mobile ID-enabled SIM card from their telecommunications operator ...

... in other words, Francis Maude can deny that IDA is anything to do with ID cards until he's blue in the face but he's wrong. It's just that, if IDA is ever to work in the UK, the credentials will be digital certificates stored on PCs/tablets/mobiles instead of the material ID cards required by the now repealed UK Identity Cards Act 2006.

Sten: Besides the now-daily usage of this technology for commercial contracts and bank transactions, the most high-profile use case has been elections ... During parliamentary elections in 2011, online voting accounted for 24 percent of all votes. (Citizens voted from 105 countries in total; I submitted my vote from California.) Cf. the clumsy pretence in the UK that Individual Electoral Registration is about individual electoral registration and the Electoral Commission's give-away indication that it wants to introduce photo-ID for voting. That appeal to nineteenth century technology will surely amuse the eFolks back in Tallinn.

Sten: Public and private players can access the same data-exchange system (dubbed X-Road), enabling truly integrated e-services. We have the Government Gateway in the UK, rather than a crossroad, but GDS want to replace it with an "ID hub", which still hasn't been seen or certified three-and-a-half years after the starting pistol was fired on 20 September 2010.

Sten: A prime example is the income-tax declarations Estonians 'fill' out. Quote marks are appropriate here, because when an average Estonian opens the submission form once a year, it usually looks more like a review wizard: 'next -> next -> next -> submit.' This is because data has been moving throughout the year. When employers report employment taxes every month, their data entries are linked to people’s tax records too. Charitable donations reported by non-profits are recorded as deductions for the giver in the same fashion. Tax deductions on mortgages are registered from data interchange with commercial banks. And so forth. Not only is the income-tax rate in the country a flat 21 percent, but Estonians get tax overpayments put back on their bank accounts (digitally transferred, of course) within two days of submitting their forms ...

... which takes us back to 21 July 2013 and The old concept of HMRC is worn out. The Estonian authorities have enough information on their parishioners – even down to their charitable donations – to make a fist of completing their tax returns for them and to take payments/make repayments automatically. They do. Here in the UK, HMRC don't.

Sten: This liquid movement of data between systems relies on a fundamental principle to protect people’s privacy: Without question, it is always the citizen who owns his or her data and retains the right to control access to that data. For example, in the case of fully digital health records and prescriptions, people can granularly assign access rights to the general practitioners and specialized doctors of their choosing ...

... as opposed to here in the UK where we all woke up on Monday 3 March 2014 to find out that HSCIC had paid PA Consulting to put all our hospital records up in Google's cloud, having woken up the week before to be told that HSCIC were going to delay the expropriation of our GP records by six months because they'd just noticed that neither the doctors nor the patients nor the House of Commons Health Select Committee trust them.

Sten: Moving everything online does generate security risks on not just a personal level, but also a systematic and national level. Estonia, for instance, was the target of The Cyberwar of 2007, when well-coordinated botnet attacks following some political street riots targeted government, media, and financial sites and effectively cut the country off from Internet connections with the rest of the world for several hours ...

... you probably wondered whether Sten was going to mention that embarrassing episode, Estonia hit by 'Moscow cyber war'.

No real soldiers needed to bring Estonia to its knees, just "botnets".
Once you've become digital by default, all Russia has to do is deploy a division of "botnets" and the country grinds to a halt. You don't have to wake up a single sailor in your Black Sea fleet and ask him to put on his balaclava, amble over to the Crimea and surround all the military bases. The "botnets" do all the work for you.

That looks like a knockdown reason not to become digital by default.

But Sten disagrees.

Sten: Since then, however, Estonia has become the home of NATO Cooperative Cyber Defence Centre of Excellence and Estonian President Toomas Hendrik Ilves has become one of the most vocal cybersecurity advocates on the world stage.

So what? How does that help?

You're going to love the answer.

Sten: There is also a flip-side to the fully digitized nature of the Republic of Estonia: having the bureaucratic machine of a country humming in the cloud increases the economic cost of a potential physical assault on the state. Rather than ceasing to operate in the event of an invasion, the government could boot up a backup replica of the digital state and host it in some other friendly European territory. Government officials would be quickly re-elected, important decisions made, documents issued, business and property records maintained, births and deaths registered, and even taxes filed by those citizens who still had access to the Internet.

Come off it, Sten. And Toomas.

Think about it.

If you spin up a new Estonian eGovernment somewhere else in the cloud, the "botnets" just attack that one, too. Progress? Nil.

And you try finding a supplier in a "friendly European territory" cloud prepared to host the digital Estonia for you in the first place. Once Vladimir gets his secretary to ring up and threaten them with cutting off the gas and oil supplies, you can forget about any euroTovariches getting involved.

Would Amazon host you? Do you think that's in their financial interests?

Suppose Google agree. Or Microsoft. Or cuddly old Apple. Or any of GDS's friends. It's easy to spin up a new instance of Estonia anywhere in the cloud, anywhere in the world, instantly. That's the kind of thing it says in the sales literature. But is it true? Or does it take three weeks? By which time, Estonia has starved and frozen to death.

Suppose Russia doesn't play ball and fight the next war the same way they fought the last one. No "botnets" this time, they might try something a bit subtler. Nobble one or two certification authorities and they could sell all of Estonia's assets to the V. Putin family trust for 100 Swiss Francs. Digitally signed, the transaction would be irrevocable and from that moment on the whole country would become a tenant owing monthly rent to their next door neighbour.

That is no model for the UK. Digital-by-default is a strategic error.

Nor can we be sure that Sten is right about everything working smoothly in today's Estonia. We have just one man's word for it. And that man is a self-confessed entrepreneur in residence at a venture capital company. Utterly charming no doubt, like Lady Lane Fox, with a vivid imagination but a salesman for all that, used to spinning plausible yarns.

Sten says of today's Estonians, with a straight face, in scenarios where they can’t legally block the state from seeing their information, as with Estonian e-policemen using real-time terminals, they at least get a record of who accessed their data and when.

ePolicemen? We've got the law made by an eGovernment in the cloud for eCitizens on a register being enforced by ePolicemen? What could possibly go wrong?

As the gap between the electronic records and the reality they are meant to reflect inevitably widens, the ordinary man or woman in the street must begin to feel like a mutant. That's one thing that could possibly go wrong.

Let's reserve judgement until we hear from other Estonians how well this eState functions before assuming that Sten's picture is accurate.

Luckily, we are a long way from Estonia's sad fate here in the UK.

We don't even have the "first building block of e-government" prescribed by Sten, a national identity management system.

Nor do our officials suffer from the obsession with security that afflicts Estonia – Public Servant of the Year ex-Guardian man Mike Bracken CBE expressly forswears it.

No strategic errors for us. No "humming in the cloud".

Where the security on our Parliament.UK website must look buffoonish to the average Estonian schoolboy, to us it just looks charmingly British and human.




Updated 18.3.14

The Times has a story at the moment, PM orders Gove to lay off Old Etonians. That's what it says. But what someone read was "PM orders Gove to lay off Old Estonians".

Updated 12.5.14
PRESS CONFERENCE 12th May 2014 11:00am – Hotel Metropol, Tallinn

International Team of Independent Election Observers to deliver report on Estonian Internet Voting System

...

Their analysis has identified serious flaws in the systems and processes used in Estonian internet voting.
See also the video put together by the University of Michigan, the Open Rights Group and others.

The implication is that you will never know whether the result of an Internet vote was determined by the voters or by someone with enough nous to defeat the security of the voting system. "Even" in Estonia.

This seems to be a speciality of the University of Michigan. Long-term readers will remember the effortless undermining of a Washington DC Internet voting system back in October 2010, please see Hacker infiltration ends D.C. online voting trial.


Updated 1.4.16

Estonia launches Country as a Service.