DMossEsq

Wednesday 17 June 2015

RIP IDA – "we've make a mistake"

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

Can GOV.UK Verify (RIP) Win an Emmy?
30 June 2014, only a year ago, saw the historic release of Identity Assurance Demonstration. Children have all lived in delicious fear of the sinister "identity providers" ever since:

GOV.UK Verify (RIP) Breaks Credit Ratings Record

The catchphrases caught on worldwide. "I had my identity initially verified by Experian", one fan would say knowingly to another. "Me, I'm a Digidentity girl", another would say, while others still would attend GOV.UK Verify (RIP) festivals dressed only in the colours of the Post Office.

Hysteria reached fever pitch when the fourth "identity provider" was due to be revealed to the world. Who would Mooncalf Productions cast in the rôle of Mydex?

And then, a PR disaster. William Heath's agent couldn't agree terms with Aviation House, the West Hollywood studio.

Or was it?

Was it a disaster?

Perhaps the marketing experts know what they're doing after all because, instead of Mydex, 24 March 2015 saw the long-awaited release of GOV.UK Terrify and introduced the spine-chillingest "identity provider" of them all, Verizon:

GOV.UK Verify (RIP) Gets Third Season
The fever reached hysteria pitch now. We were promised five more screen monsters to frighten the children with:

Barclays (the bank).
GB Group (no-one's sure but probably nearly as evil as a bank).
Royal Male (seriously).
PayPal (yes PayPal, seriously, the ones who flounced off the set once before).

That's four. And the fifth one – Morpho.

Inspired.

Borrowed from The Matrix, the "identity provider" who turns your eyes into a template and mashes them with your fingertips, the bi-modal biometrics alien from outer space, or at least from France.

GOV.UK Verify (RIP), the Videogame
With febrile hysteria now pitching, Mooncalf finally made an announcement yesterday:

GOV UK Verify

@GOVUKverify

GOV.UK Verify is the new way to prove your identity when accessing digital government services. Here's how it works identityassurance.blog.gov.uk/?p=855

How GOV.UK Verify works - a film

Here's a short film demonstrating how a certified company verifies your identity the first time you use GOV.UK Verify.If you're interested to know more about how GOV.UK Verify works you can

GOV UK Verify @GOVUKverify

4:42pm · 16 Jun 2015 · Twitter Web Client

At last. The third series. All that expectant tension could be released.

No, it couldn't.

The link in the Tweet only led back to GOV.UK Terrify, the March 2015 film.

Some sort of a joke?
The fans weren't amused:

.@GOVUKverify @JanetHughes Why the new blog post for what must be an old film, "we have contracts with 3 more including @MydexCIC"?
— Eerke @Kent CyberSec (@EerkeBoiten) June 16, 2015

Mooncalf weren't exactly repentant

@EerkeBoiten Hi there. We received feedback saying it was a useful explanation. We'll be updating the film over time.
— GOV UK Verify (@GOVUKverify) June 16, 2015

What feedback?

Then they seemed to see sense, although they had some trouble expressing it:

@EerkeBoiten @williamheath We've make a mistake with this blog post. We'll re-post the it once we've updated the film. Thanks for spotting.
— GOV UK Verify (@GOVUKverify) June 16, 2015

We've make a mistake
"We've make a mistake"? They sure have, because today they did indeed release the same film, but with eight seconds edited out at about 1'45" (hat tip @EerkeBoiten) – the eight seconds in which Ms Hughes (for it is she, if there's an impossible job, send for Janet Hughes, that one) tells us that ...

... oh, never mind, it doesn't matter any more, because now it's never going to be the same again ...

... and Mooncalf are going to go down in history as the impressarios who could have made it big, Britain's Got Talent, anything, sky's the limit ...

... and then they snatched disaster from the jaws of defeat. RIP IDA – who's going to ruin their career and appear in one of Mooncalf's productions now?

Eight seconds short of an Oscar

RIP IDA – "we've make a mistake"

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

more ►

Monday 15 June 2015

Eat your heart out, Tech City UK

Tech City UK, meet your nemesis – Angers, la Cité des objets connectés.

Connecté avec quoi?

Inauguration de la Cité de l'objet connecté:

De gauche à droite pour dévoiler la plaque inaugurale: Christophe Béchu, Christophe Clergeau, François Hollande et Thierry Sachot. (Photo: Thierry Bonnet/Ville d'Angers)

Connecté avec le string, paraît-il.

Eat your heart out, Tech City UK

Tech City UK, meet your nemesis – Angers, la Cité des objets connectés.

Connecté avec quoi?

Inauguration de la Cité de l'objet connecté:

De gauche à droite pour dévoiler la plaque inaugurale: Christophe Béchu, Christophe Clergeau, François Hollande et Thierry Sachot. (Photo: Thierry Bonnet/Ville d'Angers)

Connecté avec le string, paraît-il.

RIP IDA – “It’s not our IT system; it’s the Cabinet Office’s”

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

Her Majesty's Revenue and Customs (HMRC) offer their parishioners several digital public services, among others Tax credit renewals and Transferable tax allowance. People are having problems using these digital services because they can't get past GOV.UK Verify (RIP).

Public services are services which the public are entitled to. GOV.UK Verify (RIP) is denying the public their rights.

The problem is that people can't register for a GOV.UK Verify (RIP) on-line ID without a passport or a photo-ID driving licence. Even with those documents, they can't register if they don't have a substantial credit history. Even with a substantial credit history, they can't register if they're not moderately computer-literate. Even with moderate computer literacy, they can't register if they don't have access to the internet.

These problems are well-known now and always have been. The Government Digital Service (GDS) claim to be solving them through their assisted digital initiative.

They've been claiming that since 28 July 2011 and they still are claiming it, please see All aboard: 18 months of assisted digital, 4 June 2015. It remains the case that, as the Daily Mail newspaper put it, talking about the Transferable tax allowance service, Thousands miss out in marriage tax fiasco, "HMRC's problem centres on a £25million computer system called Verify".

This matter has come to the attention of Clare McDonald, the business editor of Computer Weekly magazine. She's been talking to HMRC and reports as follows:

“No one will miss out on the Marriage Allowance because of difficulties with online verification. People can apply at any stage in the tax year and get the full entitlement regardless of when they claim,” said an HMRC spokesperson.

“It’s not our IT system; it’s the Cabinet Office’s,” the spokesperson added.

The Cabinet Office is the home of GDS and, understandably enough, HMRC want to make it clear that the dereliction of duty lies with GDS, and not HMRC, “it’s not our IT system; it’s the Cabinet Office’s”.

Ms McDonald concludes that:

Although the Verify scheme is still in its trial stage, these issues highlight the difficulties the Cabinet Office’s “digital by default” plans can bring for particular demographics, including vulnerable members of the public, people without the necessary documentation and those who do not have access to the internet.

"Particular demographics" means people. Here in the UK, public services are for everyone, not just well-connected iPhone users with a long credit history. GDS need to acknowledge reality. RIP IDA.

----------

Updated 20.1.15

Ms McDonald returned to the subject of GOV.UK Verify (RIP) on 11 June 2015, please see Is HMRC making tax more taxing for non-digital taxpayers?. It's not HMRC's system. And even GDS are trying to keep their distance:

GDS identifies need for testing [nothing gets past them]

GDS has highlighted the need for significant provisions and funding for HMRC to include the assisted digital user base during beta testing, as part of its latest assessment of the progress on developing the personal tax account system ...

The GDS team’s assessment of the project found that, although several “assisted digital users” had been identified, there had not been sufficient testing to register their needs. GDS said the system needed “substantial work” to focus on the needs of this type of user.

If it's not HMRC's problem and it's not quite GDS's either, whose is it?

Expect to see Mark Dearnley hung out to dry at some point. Him, and also the non-performing assisted digital team, whose presence here on earth has had no detectable effect.

But when?

HMRC and GDS had better hurry up about it because even ex-tax inspectors are now publicising the problem, "BBC's Linda McAuley interviews ex Tax Inspector Adrian Huston about how some find online verification difficult":

Some of the demographics out there – "people", as we used to call them – may begin to wonder whether HMRC and GDS are being entirely truthful when they say that "no one will miss out on the Marriage Allowance because of difficulties with online verification". That's not how it looks.

RIP IDA – “It’s not our IT system; it’s the Cabinet Office’s”

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

more ►

Sunday 14 June 2015

RIP IDA – security through the looking-glass

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

It's been a torrid week for computer security. Worldwide:

Over there in the US "the Obama administration is scrambling to assess the impact of a massive data breach involving the agency that handles security clearances and US government employee records ...", the Guardian newspaper told us, "Government officials familiar with the situation told the Associated Press the hack occurred at the Office of Personnel Management (OPM) and the Interior Department, and could potentially affect four million people at every federal agency".
"Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it", Wired magazine tells us, "which means the EINSTEIN system failed" – EINSTEIN is the US government's anti-hacking/hack detection system. Or not.
Dossiers on US spies, military snatched in 'SECOND govt data leak', says ElReg and everyone else, "China said to have stolen detailed info on employees in sensitive federal positions".
Meantime in Germany, "two weeks on from the revelations of a serious cyber attack on the German Bundestag, insiders have told The Register that the tech department is 'clueless' about what is going on ... On Friday it emerged that data had almost certainly been stolen ... As yet techies inside the Bundestag don’t know who is behind the attack – or even when it started ... The Trojan malware which penetrated the entire Bundestag network, including MPs' computers, could have been sitting on computers for months or even years".

But then it always is. A torrid week. For computer security. Every week.

You don't need DMossEsq to tell you that. But we have anyway. Repeatedly. Hyperinflation hits the unicorn market we told you, back in October 2013, with links further back to a collection of hacking stories which started in October 2010.

By now, you may agree that computer security is like a unicorn. A lovely idea but there's no such thing. You may agree that marketing computer services on the basis of security is old-fashioned or other-worldly or downright suspicious – what fools do the marketing persons take us for if they imagine we'll fall for that when even US defence contractors can't ... hack it, cybersecuritywise?

You know that, the US Office of Personnel Management knows that, the German parliament knows that, everyone knows that – except the UK Government Digital Service, apparently, who blithely continue to promise that their identity management scheme, GOV.UK Verify (RIP), is secure: "GOV.UK Verify (RIP) will provide users with a simple, trustworthy and secure means of accessing public services".

Sometimes GDS replace their glib promise of security with a glib promise of safety: "GOV.UK Verify is the new way to prove who you are online so you can use government services safely, like viewing your driving licence or assessing your tax". Changing the word doesn't alter the risk. It's still manifest nonsense:

"I can't believe that!" said Alice.
"Can't you?" the Queen said in a pitying tone. "Try again: draw a long breath, and shut your eyes."
Alice laughed. "There's no use trying," she said: "one can't believe impossible things."
"I dare say you haven't had much practice," said the Queen. "When I was your age, I always did it for half-an-hour a day. Why, sometimes I've believed as many as six impossible things before breakfast."

Through the Looking-Glass, and What Alice Found There

Perhaps GDS are the real thing, delightful eccentrics living in a looking-glass world of their own where they believe without qualification that their parishioners can safely/securely use GOV.UK Verify (RIP).

And perhaps they are cynically manipulative would-be snake oil salesmen exploiting fashion.

It's one or the other and it doesn't matter which because either way the British public is being lured into dangerous territory and that's not what Whitehall is for.

https://identityassurance.blog.gov.uk/wp-content/uploads/sites/36/2014/12/Screen-Shot-2014-12-23-at-10.42.06-620x387.png

Most of us use on-line payments and we would hate to be deprived of that convenience. The banks work hard to try to make on-line payments as safe/secure as possible. When our accounts are nevertheless hacked, as long as we have followed procedures, we are compensated – it's the banks that get defrauded, not us.

Up to a certain point, those compensation payments keep the banks' noses clean, they are motivated to keep on trying hard to increase security. Beyond that point, it won't be worth it, the banks will withdraw on-line payments and it will be goodbye convenience.

GOV.UK Verify (RIP) doesn't follow that model. The "identity providers" limit compensation payments to derisory levels. They operate their parts of GOV.UK Verify (RIP) under contract to GDS, and GDS only. GDS acknowledge no duty of their own to compensate people. What is there to keep GDS's nose clean or their agents' noses?

What Alice found through the looking-glass makes for an enchanting children's story. You can check with the Office of Personnel Management or the German parliament but the world of GOV.UK Verify (RIP) would be altogether grubbier and more unpleasant.

It's one or the other and it doesn't matter which

because either way

the British public is being lured into dangerous territory

and that's not what Whitehall is for.

RIP IDA – security through the looking-glass

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

It's been a torrid week for computer security. Worldwide:

Over there in the US "the Obama administration is scrambling to assess the impact of a massive data breach involving the agency that handles security clearances and US government employee records ...", the Guardian newspaper told us, "Government officials familiar with the situation told the Associated Press the hack occurred at the Office of Personnel Management (OPM) and the Interior Department, and could potentially affect four million people at every federal agency".
"Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it", Wired magazine tells us, "which means the EINSTEIN system failed" – EINSTEIN is the US government's anti-hacking/hack detection system. Or not.
Dossiers on US spies, military snatched in 'SECOND govt data leak', says ElReg and everyone else, "China said to have stolen detailed info on employees in sensitive federal positions".
Meantime in Germany, "two weeks on from the revelations of a serious cyber attack on the German Bundestag, insiders have told The Register that the tech department is 'clueless' about what is going on ... On Friday it emerged that data had almost certainly been stolen ... As yet techies inside the Bundestag don’t know who is behind the attack – or even when it started ... The Trojan malware which penetrated the entire Bundestag network, including MPs' computers, could have been sitting on computers for months or even years".

But then it always is. A torrid week. For computer security. Every week.

more ►

Saturday 13 June 2015

RIP IDA – Whitehall and eternity

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

Here's a selection of Government Digital Service (GDS) posts and a film published in the week leading up to purdah:

24-03-2015	Janet Hughes	Introducing GOV.UK Verify
25-03-2015	Chris Mitchell	Ready for Live: Digital Self-Assessment
25-03-2015	Janet Hughes	Procurement 2: New identity suppliers to join GOV.UK Verify
25-03-2015	Janet Hughes	GOV.UK Verify and Mydex CIC
26-03-2015	Janet Hughes and Stephen Dunn	GOV.UK Verify: Objectives for live
26-03-2015	Mike Bracken	It’s people who make transformation happen
27-03-2015	David Rennie	Working with the private sector to verify identity
27-03-2015	Mike Bracken	Turning the tanker: digital transformation done right
27-03-2015	Mike Beavan	Looking back at the exemplars
28-03-2015	Mike Bracken	Not the HMRC of old
28-03-2015	Mike Bracken	Data as a public asset
29-03-2015	Mike Bracken	Government as a Platform: the next phase of digital transformation
29-03-2015	Liam Maxwell	Better for less
30-03-2015	Martha Lane Fox	The Richard Dimbleby Lecture (text) (text) (text)

Let's take a look at David Rennie's 27 March 2015 offering, Working with the private sector to verify identity. It won't take long.

Mr Rennie tells us that GDS have regular chats with the Open Identity Exchange (OIX). OIX is a talking shop where people interested in identity management meet. Including GDS. GDS have chatted in particular with the GSMA, the Payments Council and VocaLink. "We are now planning a project to investigate how a certified company could validate a user’s bank details", says Mr Rennie, and that's it.

See? It didn't take long.

In fact, why bother to write about it?

Answer, partly because we know that unmentioned by Mr Rennie GDS have also been talking to the pornographers and the insurance industry, both of whom have rejected GOV.UK Verify (RIP) as useless ...

... and partly because Mr Rennie has just published the same post again, please see Identity assurance and the private sector - a discovery project. No mention this time of the GSMA, the Payments Council or VocaLink, but OIX still figure prominently and so do the banks: "banks and pension providers are interested in how they might use digital identity assurance such as that provided by GOV.UK Verify (RIP)".

So what? So "we've agreed with OIX that it would be useful to have a structured and open conversation about this".

Why? What are they going to talk about? "This will help us develop a shared understanding of the needs for identity assurance ... Nothing is decided or presumed in this work at this stage - we’re approaching the issue with an open mind ... At the moment we’re doing early planning work for this project ...".

Early planning work? Identity assurance and the private sector – a discovery project? Is this some sort of elaborate joke? Nothing is decided ... at this stage? It should be – for goodness sake, Mr Rennie has been engaged in this talkathon for ten years:

David Rennie works for the Cabinet Office's Government Digital Service (GDS) where he is Industry Engagement Lead for the pan-Government Identity Assurance Programme (IDAP). Originally a payments consultant in the financial services sector, David joined the Home Office's Identity Card Programme in 2005 to define and develop the notion of 'identity services' under the National Identity Scheme. He went on to support James Crosby's Public Private Forum on Identity Management in 2007 / 2008 [Crosby, Smith, Kelly and Brown]. Since then he has been developing the principles defined in the Crosby Report into the UK public sector's approach to identity assurance initially from within Directgov and latterly through the Identity Assurance Programme.

If nothing's been decided after all this time it clearly never will be. RIP IDA.

RIP IDA – Whitehall and eternity

No need to say it, it goes without saying, it should be obvious to all but,

just in case it isn't obvious to all,

IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",

is the Cabinet Office Identity Assurance programme.

And it's dead.

Here's a selection of Government Digital Service (GDS) posts and a film published in the week leading up to purdah:

24-03-2015	Janet Hughes	Introducing GOV.UK Verify
25-03-2015	Chris Mitchell	Ready for Live: Digital Self-Assessment
25-03-2015	Janet Hughes	Procurement 2: New identity suppliers to join GOV.UK Verify
25-03-2015	Janet Hughes	GOV.UK Verify and Mydex CIC
26-03-2015	Janet Hughes and Stephen Dunn	GOV.UK Verify: Objectives for live
26-03-2015	Mike Bracken	It’s people who make transformation happen
27-03-2015	David Rennie	Working with the private sector to verify identity
27-03-2015	Mike Bracken	Turning the tanker: digital transformation done right
27-03-2015	Mike Beavan	Looking back at the exemplars
28-03-2015	Mike Bracken	Not the HMRC of old
28-03-2015	Mike Bracken	Data as a public asset
29-03-2015	Mike Bracken	Government as a Platform: the next phase of digital transformation
29-03-2015	Liam Maxwell	Better for less
30-03-2015	Martha Lane Fox	The Richard Dimbleby Lecture (text) (text) (text)

Let's take a look at David Rennie's 27 March 2015 offering, Working with the private sector to verify identity. It won't take long.

more ►