Thursday 17 September 2015

So where are we on astrology? 13 years late, UK government promises biometrics strategy by end 2015. Why?

In July 2002 Rt Hon David Blunkett MP, Home Secretary, issued a consultation document on introducing government-issued identity cards into the UK. One idea was to use biometrics to verify people's identity.

There was no proof at the time that mass consumer biometrics was reliable enough to do the job. 13 years later, there still isn't. The belief in the efficacy of mass consumer biometrics is akin to the belief in astrology.

In February 2015 the House of Commons Science and Technology Committee published a report, Current and future uses of biometric data and technologies. Biometrics was described as "the shoddiest science offered to the courts" and was said to be locked in a "cycle of failure".

The Committee declared itself to be worried about the privacy issues raised by biometrics and about the security of biometric databases. Which is odd. After all, if the technology doesn't work, there are no privacy issues. And the Committee doesn't (yet) seem to be worried about the storage facilities for horoscopes.

One way and another the Committee's report came up with 12 recommendations, to which the government's response has now been published.

"The Government biometric strategy is still in the early stages of development", they say (p.2). I.e. Whitehall was winging it for eight years with its promises for the benefits of ID cards between 2002 and 2010, when the Identity Cards Act 2006 was repealed. They now promise to publish their biometrics strategy "by the end of 2015" (p.3). What a mistake that will be, to publish a strategy for a shoddy science locked in a cycle of failure.

The strategy "should recognise that biometrics is fast-changing [trans: all over the place] and provides opportunities for better secure identity verification [how?], better public services [such as?], improved public protection [really?] and the ability to identify and stop criminals [all of them?]".

That was on p.4. Something must have changed since Chief Constable Chris Sims, representing the Association of Chief Police Officers, gave evidence to the Committee and said that he was "not aware of forces using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).

When we learn on p.5 that "the core facial recognition algorithm used by the Police National Database ... was shown to be one of the best in terms of accuracy" presumably that just tells us, given the testimony of Chief Constable Sims, that all the other algorithms are even more useless.

Also on p.5 the government tell us that, just like astrology, "performance levels of biometric systems cannot be characterised by a single figure. Publicising detailed results of performance is an area requiring careful consideration, as not only is the accuracy testing of large scale biometric systems very complex, so is interpreting the data. System performance is very dependent on the specifics of the application, making direct comparisons between systems difficult and in many cases meaningless".

P.6: "The Home Office systems currently holding biometric data employ a range of defence in depth measures appropriate to the value of the data" – nil?

Privacy impact assessments and the government's ethical framework for astrology are covered on p.7 and then on p.8 they say that: "the government appointed a Chief Data Officer in March 2015, supported by a Government Data Standard to ensure transparency in the use of data by Government". They did indeed.

They appointed Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of the Government Digital Service and senior responsible owner of the pan-government identity assurance programme now known as GOV.UK Verify (RIP), as chief data officer. He's leaving Whitehall in 13 days time on 30 September 2015 and is not known to have done anything about biometrics in the interim.

The Committee included in its February report the judgement of the High Court several years ago that the Metropolitan Police Service is breaking the law by retaining, on its biometrics database, the images of people not even charged with an offence, let alone convicted of one (para.99). Now we learn that "the Home Office is currently undertaking a policy review of the statutory basis for the retention of facial images" (p.10). This will surely be a very quick review – it can't take long to establish a policy on the police breaking the law.

"We are considering the role of the Biometrics Commissioner" (p.11). The Committee's report revealed that although the Commissioner is responsible for DNA and fingerprints, he has no locus on facial images (para.102), like an unfortunate soothsayer handicapped by being forbidden to mention Leo.

The Prime Minister promised several years ago to limit net immigration to an annual figure in the tens of thousands. Last year it exceeded 300,000, much to the amusement of the opposition parties and the Guardian newspaper. It is widely agreed that UK immigration is out of control.

And yet the government's astrologer says: "The biometrics landscape has operated with a number of widely adopted international standards for many years, this has been vital in ensuring that governments are able to share data, where allowed and required, and has achieved significant benefits including; solving crimes, finding missing people and controlling immigration" (p.11).

You can have a strong grasp of reality. Or you can have confidence in mass consumer biometrics. One or the other, but not both.

----------

Updated 17.9.15 18:45

We don't often set homework on DMossEsq. Readers tend to cheat and get their children to do it for them.

But let's make an exception. 500 words, please, on the distinction between James McCormick and the suppliers of biometrics "solutions". Mr McCormick is in prison for selling novelty golf ball detectors and pretending that they could be used to detect explosives. No-one from the public bodies which bought them is in prison for pretending to believe him.

You may find it useful to refer to the essay on biometrics written by three world-class experts who conclude that biometrics is not a science. It is "out of statistical control", they say. One of these experts has advised the US government, one of them the UK government and one of them both governments. They know what they're talking about.

500 words. On the DMossEsq desk. 9 a.m. Monday morning 21 September 2015.


Updated 9.4.16

Based on a leak, Kat Hall published the revelation yesterday that GDS has no real strategy for £450m budget pot, internal plan reveals.

She has acquired a copy of GDS's Transforming the relationship between citizens and the state: the Government’s transformation strategy and the Government Digital Service still doesn't have a clue how it's going to transform the relationship between people and the state. Instead, they're playing for time: "More detail about departments’ strategies for business transformation, enabled by digital, technology, data and security are due to be published in September 2016".

Playing for time, and repeating their nostrum about Government as a Platform (GaaP, the search for "promising clusters"): "an approach that involves developing a common core infrastructure of shared components, technology and standards on which it’s easy to build brilliant, user-centred government services".

This vacuous self-importance joins a long line of civil service reports. The excellent Jerry Fishenden, of whom more anon, has listed 80 similar documents published in the past 20 years. We're still waiting for a result and, without wishing to seem mean, it's not clear that the addition of a further £450 million is likely to induce progress.

Kat's article includes:
But the only detail of what [GaaP] will entail were examples of "common platforms" in the Home Office, which will develop a common biometrics platform for government and the Department for Work and Pensions, "which will lead work on a tool to pay money out from government."
Despite all their painful experience, the Home Office still haven't shaken off the hold of biometrics. It must be written in the stars. Their future is their past. They are doomed to re-live the pain apparently eternally.


Updated 11.4.16

Get a coconut

The UK Home Office's big idea for the future is to "develop a common biometrics platform". That will transform government. Make it digital. Expand the UK economy. Be green.

Or will it?

Take a look at India and its Aadhaar scheme. That's a common biometrics platform-and-a-half. They've registered around a billion people. And in the state of Rajasthan, the only way for the poor to collect their food ration is through Aadhaar.

How's that going?

Rajasthan presses on with Aadhaar after fingerprint readers fail: We’ll buy iris scanners:
“Yesterday, we had to send about a hundred people back when the internet did not work for six hours,” said Ali ...

Hanja Devi, an Antyodaya [maximum entitlement] beneficiary, failed to get 35 kilo foodgrain on her third trip in three days because of Aadhaar authentication failures ...

Of the nearly 860 beneficiaries who came to Aziz’s ration shop in December, he said, only half could get their fingerprint authenticated in one go ...

The biometric machine showed that the Aadhaar number of Santosh Devi, of Kesharpura village, belonged to someone else ...

The Rajasthan government made Aadhaar-based authentication mandatory at ration shops in December when the ration-seeding process [without which, digitally, you don't exist] was completed for less than half the ration beneficiaries ...

“From March 11 till 18, one week of the ration consumers’ fortnight, the servers were not working properly" ...

... all parts surrounded by the Aravalli hills had poor internet connectivity. “In Todgarh, which is also near the Aravalli hills, the ration dealer has to collect the beneficiaries 3 kilometres from the shop to catch signal" ...

... several families were trying to get their children’s biometrics registered ... because schools had ordered them to enrol for Aadhaar ...

Hansraj Yadav, who is additional director- Unique Identification Authority, said that to solve the problem of high rates of fingerprint authentication failure, the Rajasthan government is planning to install more biometric machines – this time, iris scanning machines ...
And here's Safran Morpho explaining how well Aadhaar is working, including Safran Morpho's biometrics systems:


No doubt the Home Office believe Safran Morpho's version and will pursue their big idea. The rest of us should prepare for Rajasthan's version.

That couldn't happen here, could it? Not in Blighty.

Believe what you like ...

... but we tried and failed to deploy the Basic Payment Scheme for farmers and our broadband couldn't cope ...

... and CloudStore, the old Digital MarketPlace has been known to be out of action for days and even weeks at a time ...


... and we're currently threatening to deploy GOV.UK Verify (RIP) even though it is thought that up to 30% of the low-paid can't have their identity verified ...

... and we're using Safran Morpho (SecureIdentity) as one of our eight "identity providers" for GOV.UK Verify (RIP) even though GDS themselves say that five of them – Barclays, CitizenSafe, Royal Mail, SecureIdentity and Verizon – are "unlikely to be able to verify you":


"Aadhaar" means platform in many of India's dozens of languages. The idea is that it provides a safe platform on which India can build public services. GOV.UK Verify (RIP), the UK's proposed identity assurance platform, looks just as rickety, in any language.

What's more, GOV.UK Verify (RIP) is due to go live this month. Some time in the next 19 days.

Apparently the Hindi for computer says no is "Aap ka Aadhaar sahi nahi hai". You'd better learn that before May.

And get a coconut. According to the Rajasthan article above, when one old woman couldn't have her identity verified, a bystander quipped: "Break a coconut first next time". It may help you when some idiot deploys electronic voting in the UK.


Updated 7.7.16

You will remember that the only prudent stance on mass consumer biometrics is scepticism. And that the House of Commons Science and Technology Committee were told, please see above, that no UK police force uses "facial image software" at the moment because "the technology is not yet at the maturity where it could be deployed".

You will therefore be amused to read today's Times newspaper:
CCTV riches for man who puts name to a face

... The Somerset-based SSL — Simulation Systems Ltd — a past recipient of the Queen’s Award for Enterprise, has been in the vanguard of developing CCTV equipment for major roads and devices, which it is claimed, can make out the faces of motorists in their vehicles two miles away even if there is mist, rain or snow. In clear weather viewing distances are claimed to be 15 miles ...
The men and women in blue can't get facial image software to work with photographs taken in a well-lit police station but Simulation Systems Ltd can recognise a face two miles away in the mist?

People want to believe in biometrics so much that they will accept any claim however ludicrous. They will even repeat these claims in serious newspapers.


Updated 12.8.16

It's mid-August and even the news has gone on holiday.

What to publish?

How about?
Boffins' blur-busting face recognition can ID you with one bad photo

Developers warn that scary people are out there doing this already

12 Aug 2016 at 03:58, Darren Pauli


Scientists have found a way to accurately identify completely obscured faces using recognition systems trained on only a handful of well-lit photos.

The work by Seong Joon Oh, Rodrigo Benenson, Mario Fritz, and Bernt Schiele of Max Planck Institute in Saarbrücken, Germany, finds faces can be recognised with up to 91.5 per cent accuracy when the system is fed with just 10 clear images of a target's face.

The Faceless Person Recogniser is up to 69.6 per cent accurate when working from just one image ...
Other numbers mentioned include 14.7, 4.65, ones, handful, 12, 83 and, more ambitiously, 40,000 and 2,000.

We've been here before ...

Updated 24.10.16

The Government Digital Service (GDS) don't have a published strategy at the moment. That doesn't stop them recruiting like mad and it didn't stop the Treasury promising them £450 million.

Still, it's embarrassing. So Kevin Cunnington, the new Director General, has taken to briefing journalists on the contents of GDS's strategy, which may be published before Christmas 2016.

All journalists report that Mr Cunnington sees a great future for GOV.UK Verify (RIP), GDS's identity assurance scheme that doesn't work. Rebecca Hill, writing for Public Technology.net, Kevin Cunnington reveals his ‘cunning plan’ for future of GDS, adds this gem:
In addition, Cunnington said he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further.
The House of Commons Science and Technology Committee were unable to discover any good work being done on biometrics, please see above. If Mr Cunnington is hoping that GOV.UK Verify (RIP) will be saved by biometrics, he's in for a great disappointment.


Updated 10.11.16

We are all still waiting for GDS's strategy to be announced but the other day at least we learned its mission – to "support, enable and assure".

What does "support" mean?

According to Kevin Cunnington, director general of GDS, among other things it means that GDS should "innovate with new ideas, and help departments to innovate. Things like biometric residence permits, which a team at the Home Office has been working on".

Quick reference to p.9 of your well-thumbed July 2006 copy of Identity Card Technologies: Scientific Advice, Risk and Evidence will remind you that:
The Home Office admitted that the timetabling of the programme was being reviewed by the IPS but said that it “remains committed to delivering the ID cards programme as soon as possible, starting with biometric residence permits for foreign nationals in 2008” ...
The programme whose timetable was being reviewed back then was the National Identity Scheme (subsequently the National Identity Service). The NIS was finally reviewed to death in December 2010 when the Identity Cards Act was repealed at which point IPS, the Identity & Passport Service, imploded. Which is why we Brits still don't have UK government-issued ID cards. But some foreigners do, and have done since November 2008 – biometric residence permits.

There was nothing innovative about biometric residence permits. Not in 2008. And not in 2006. By 2002, the Home Office was already issuing asylum seekers with biometric Application Registration Cards, please see p.114 of their consultation on entitlement cards (subsequently ID cards).

That's 14 years ago and nine years before GDS existed. GDS can hardly be said to be innovating new ideas in this case or even helping the Home Office to do so. Biometric residence permits are a rotten example for Mr Cunnington to give of GDS's mission to support.

Despite their failure, the Home Office still harbour a pathological craving for ID cards. A pathological craving which is quite clearly now being channelled through Kevin Cunnington ...

... which tells you what to expect on Christmas Day when you open your GDS strategy.


Updated 11.10.17

The psychopathology continues at the UK Home Office. Face scans at the border to keep track of EU migrants after Brexit, it said in the Daily Telegraph newspaper a few days ago.

Cold comfort but it's not just the Home Office – Dubai Airport is replacing security checks with face-scanning fish.

And we think people were superstitious and gullible in the Middle Ages.


Updated 27.10.17

PAS 499:2017 Digital identification and authentication – Code of practice.

That document is a PAS, a publicly available specification, published by BSI Standards Limited, a company something to do with the venerable British Standards Institution (BSI). The document is in draft and the authors seek comments on it.

PAS 499 is a serious attempt to specify some practices needed to reduce the incidence of cybercrime based on false identities. It could survive all the tests that have to be undergone on the way to becoming a British standard.

The idea is to improve the identification and authentication of the parties to on-line transactions. Financial transactions in particular. "... in payment services regulatory requirements on authentication are going from a very low baseline to an extremely strong customer authentication, where security requirements go far beyond that expected in any other sector" (clause 0.3).

One example among many of these more onerous compliance requirements is PSD2, the latest Payment Services Directive. At clause 3.1.4 of the PAS an authentication factor is defined as:
data or a physical item used to carry out an identity authentication

NOTE 1 Typically categorized into one of the following:
a) Knowledge – something you know (e.g. password)
b) Possession – something you have (e.g. physical token or device)
c) Inherence – something you are (e.g. biometric)

NOTE 2 These may be dynamic (changing on each occasion) or static (fixed and unchanging). Static factors, once compromised, might require replacement in order to ensure integrity of the authentication system.

NOTE 3 Further information on authentication factors is given in PSD2.

NOTE 4 Geolocation can be viewed as an additional category but, under the terms of PSD2, it is not considered an authentication factor on its own. However, it might assist with the authentication risk assessment.
Note 4 is of particular interest to DMossEsq who was working on the idea of location identity back in 2003 (please see §4.9) but is not germane to our purposes here.

What is germane is the concept of authentication factors:
  • At clause 5.3 the PAS recommends that it is good practice to use all three factors when authenticating a person – a knowledge factor and a possession factor and an inherence factor.
  • And at clause 5.6 it recommends that, for all but the lowest levels of assurance, each factor should be multi-modal. If an organisation is using biometrics, for example, as a what-you-are/inherent factor, then at least two biometrics should be used, two modes, e.g. both fingerprints and iris scans.
At which point you realise that this PAS, this serious piece of expert work, is bound to be let down and undermined by the reliance it places on biometrics. PAS 499 depends on the science of mass consumer biometrics working, and it doesn't.

It's not even a science according to three world experts – Messrs Wayman, Possolo and Mansfield – because it's out of statistical control.

You can almost work that out for yourself. The results of large-scale field trials of biometrics always used to reveal that they are hopelessly unreliable. That problem has been solved by not publishing results any more. And, indeed, by not conducting large-scale field trials any more.

There are other problems where PAS 499 strays into biometrics.

At clause 5.7 we read: "The higher the numbers of modes captured at enrolment, or re-enrolment, the greater the chance of establishing uniqueness":
And at clause 9.9 we read: "Where the biometric match is 100%, the organization should review the factor to determine whether a replay attack is being attempted". Certainly a 100% match is extraordinarily suspicious, where you're dealing with probabilities and variable quality scanning/probing equipment, but 100 is not the only number – if a person repeatedly comes up with the same score whatever it is, that is suspicious and points to a replay.

But the core problem is that PAS 499 authentication rests on three factors/pillars, one of which is a mirage made of wishful thinking. That is no use to the payment services industry nor to any of us.


Updated 16.11.17

17 August 2017, and NatWest sent DMossEsq an email that he's only recently read:


"Log in with your fingerprint"? To a serious UK bank? A serious UK bank who must know as well as you do that the login will fail about 20% of the time and annoy their customers? And if it doesn't fail 20% of the time that means that impostors will find it easier to pretend to be you?

DMossEsq tucked that away in the life-is-too-short category until yesterday, when Money Box Live was on the radio while he was washing up, New technology and banking: "New technology is transforming the way we handle our finances. Are you someone who uses mobile apps to keep track of how you spend your money or does the thought of it fill you with dread?".

And blow me down if Nationwide aren't introducing not only fingerprinting but also face recognition, the biometric where it would be just as reliable and a darned sight cheaper to toss an unbiased coin.

What's going on?

That's what DMossEsq wanted to know but he was too late when he rang 03700 100 444 to get on air.

Cheap mass consumer biometrics haven't suddenly started working reliably after 60 years of uninterrupted failure. So why are the banks pretending to rely on them?

Answer, one of Mark King's more cynical suggestions ... PSD2, the second Payment Services Directive, Directive 2015/2366/EU, which comes into force on 13 January 2018.

Cynical. And incontestable – clause 30 of Article 4 defines "strong authentication" as "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data".

Hidden away in the middle there – "inherence (something the user is)" – is biometrics. If the banks want to be able to say they have authenticated you strongly before authorising a payment out of your account, they'd best have checked your biometrics. And the Member States of the EU will want the banks to be able to say that because, Article 97: "Member States shall ensure that a payment service provider applies strong customer authentication ...".

When they announce their fingerprint and face recognition initiatives and other biometric tat, the banks aren't saying that they're introducing biometrics because they now think biometrics work. They're saying they have to offer biometric authentication because otherwise, thanks to PSD2, they can't be banks.

They'll still really be relying on what you know (e.g. a password) and what you have (e.g. a debit card and a PINSentry). But in addition, at extra cost, to you, they will also dutifully pretend to be interested in your biometrics. Thanks to brilliant and cynical lobbying Apple, among others like our good friends Idemia, have a licence to print money and are going to be laughing all the way to the payment service provider:



Updated 1.12.17

How old would you have to be to believe this latest article in the Times newspaper? Less than 9?
Facebook develops facial recognition cameras that feed shop staff their customers’ profile details

... A patent submitted by the company this month reveals that it is working on technology that will enable brands to target shoppers with specific products informed by their Facebook activity and facial expressions. The plans also give details of crowd-scanning technology that can identify emotions, which are relayed to managers and shop assistants. In theory it will be able to alert staff if a customer is unhappy or needs assistance ...

Updated 20.2.18

Chinese police using facial recognition glasses to identify suspects – that's what it said in the Daily Telegraph newspaper on 7 February 2018:
Chinese police are using dark sunglasses equipped with facial recognition technology to spot criminal suspects.

The glasses, which are being worn by police at a busy train station ahead of the Chinese New Year travel rush, are linked to a central database which contains details of criminal records.

Wearing the technology, police can almost instantly view an individual's personal details, including name, ethnicity, gender and address.
Incredible what they can do these days.

Only the day before, the House of Commons Science and Technology Committee took two hours of evidence on the subjects of forensics and biometrics:



Baroness Williams was there to answer questions on the UK's missing biometrics strategy, please see above.

There was much earnest discussion of the astrological need for proper governance and the privacy implications of horoscopes. The Baroness was hauled over the coals for the failure of the police to delete the custody photographs of people who have been detained and then either found not guilty or released without charge. "Innocent people" as we used to call them.

The Baroness was due to appear before the Committee on her own but, in the event, she was accompanied by a Mr Christophe Prince, the Home Office's "recently appointed" director of data and identity, of whom we are likely to speak more.

Both of them were at some pains to say that the use of biometrics based on face recognition is not "fully developed" (11:03), that biometrics procedures are "more advanced" (11:07) with DNA and fingerprints and that the face recognition technology is still "developing" (11:12) and only being "piloted" (11:13).

In other words, biometrics based on face recognition doesn't work. Astrology may work in China. But not here in the UK.

"Why are the Home Office wasting their time and our money?", you want to know. You are not alone.


Updated 26.3.18

Yoti selected as the official identity provider for the Government of Jersey: "Today marks a landmark day for Yoti. We have been selected as the identity provider for the Government of Jersey ... Securing our first government contract is a huge milestone in our journey and something all of the team are incredibly proud of". No doubt.

According to the FindBiometrics website, "third parties can authenticate Yoti users by prompting them with a QR code to take a video selfie, with facial recognition being used to confirm that end users match their Yoti credentials on file".

According to the police, of course, talking about biometrics based on face recognition, "the technology is not yet at the maturity where it could be deployed" (please see para.95 of the House of Commons Science and Technology Committee report referred to above).

Who's right?

We'll see.


Updated 19.4.18

• At some point in the past few weeks Visa announced Fingerprint authentication moves from phones to payment cards.

You are forgiven for believing as a result that fingerprint authentication has moved from phones to cards but, actually, if you read the press release, it turns out that a new technology is being tested, it may or may not turn out to be reliable.

That headline should have read Fingerprint authentication may move from phones where it's dubious to payment cards or it may not, don't bet on it.


• On 12 April 2018 the BBC told us Chinese man caught by facial recognition at pop concert: "Chinese police have used facial recognition technology to locate and arrest a man who was among a crowd of 60,000 concert goers". You are forgiven for believing as a result that this man was identified by CCTV scanning a huge crowd but, actually, "Mr Ao was identified by cameras at the concert's ticket entrance".

According to the police, please see above, this technology doesn't work in the UK. Why would it work in China? "Identified by cameras"? More detail, please:
  • Had Mr Ao perhaps bought his ticket using a credit card in his name and posted to his address, and face recognition had nothing to do with his identification?
  • "Mr Ao had reportedly driven 90km (56 miles) from Zhangshu to Nanchang with his wife specially to catch the concert" – was he really identified by ANPR?

• "Australians will soon be able to sign up for a national digital identity solution known as the Govpass program, touted by the federal government as making it easier for people to prove who they are when using government services", we were told on 21 March 2018 in ​DTA seeks identity validation platform for Govpass program: "The Digital Transformation Agency (DTA) outlined the process for applying for a Govpass in October, with the system expected to match a user's photograph, as well as Medicare, driver's licence, and birth certificate details, with information already held by various government entities".

You are forgiven for believing that it was all going rather well up to that point but, next paragraph: "After DTA CDO Peter Alexander revealed during Senate Estimates last month that the Govpass solution is currently non-existent ..." – the DTA have got the procedures, it transpires, all they're missing is the face-matching biometrics system needed to make them work.


Updated 20.4.18

Kevin Cunnington, the director general of the Government Digital Service(GDS), doesn't say much in public.

But he does say a few things. Repeatedly.

21 October 2016, he was reported as saying that "he wanted GDS to offer more advice to departments and encourage innovation across Whitehall. He noted that the Home Office was doing some good work on biometrics, but that this sort of attitude to digital innovation should be broadened out further", please see above.

He is consistent on this matter. In an 8 February 2018 blog post, under the heading My priorities for the next 12 months and the sub-heading Being innovators for government, he wrote: "GDS is working with departments to support existing and upcoming programmes, including using biometrics and artificial intelligence on services".

He said the same three days ago in The Government Transformation Strategy: One year on.

GDS have never made any headway with the Department of Health, they have or had a rocky relationship with the Department for Work and Pensions and Her Majesty's Revenue and Customs show no need of any advice from them ...

... but perhaps there is a budding relationship between GDS and the Home Office built on a shared weakness for biometrics. If DMossEsq was reading someone's palm and saw that fate written in their future, he would keep quiet about it, too miserable for words. It's horrific but Mr Cunnington keeps saying it and he may mean it.


Updated 31.5.18

iProov wins US Department of Homeland Security contract. That's a 16 April 2018 blog post published by iProov, "a world leader in spoof-resistant, biometric facial verification technology".

Well done iProov, they've won a contract with DHS which "could help US CBP [Customs and Border Protection] quickly, accurately and reliably identify travellers as they process through US border crossings".

How quickly? How accurately? How reliably? At any chosen matching threshold, what is the false accept rate, using iProov's technology, and what is the associated false reject rate?

They don't say. There is no answer to these questions.

Instead, all we learn is that "iProov has been selected by the US Department of Homeland Security to enhance the way in which it processes people through US borders. Advances in machine learning and AI have enabled a revolution in facial biometrics in the last few years".

No blockchain?

No performance figures, we don't have a clue how reliable the product is except that the UK police believe that face recognition technology is "not yet at the maturity where it could be deployed" (please see above), but – sell the sausage, not the sizzle – at least we know that it has added machine learning. And AI.


Updated 29.6.18

Foolishly, on 6 February 2018, Baroness Williams and Christophe Prince promised the House of Commons Science and Technology Committee a biometrics strategy by June. There's no point having a strategy for the use of a technology that doesn't work.

More foolishly still, yesterday, they published a document claiming to be that strategy. A dreadful piece of work not worthy of the name "strategy", it is reminiscent of Matthew Hancock and Paul Maltby's ethical framework for data science, which isn't a framework and excludes any ethics.

Judging by ElReg's UK.gov's long-awaited, lightweight biometrics strategy fails to impress, this view is shared by the chairman of the science and technology committee and by the biometrics commissioner and by Liberty and by Big Brother Watch among others ...

... including, we may assume, the High Court, which will also be unimpressed with this Home Office document, which leaves the Metropolitan Police in contempt.

And no hope there after all for Kevin Cunnington, director general of the Government Digital Service, who may have been hoping to run the national biometrics/horoscopes platform but has lost control of it just as much as he has lost control of the national data strategy and the national identity assurance strategy.


Updated 3.8.18

The UK Parliamentary Office of Science & Technology (POST) have now published their note on mass consumer biometrics, Biometric Technologies.

Among other technologies, they look at Automated Facial Recognition (AFR), the attempt to use biometrics to identify people on CCTV, see for example Chinese man caught by facial recognition at pop concert.

We weren't very impressed when we considered AFR on 19 April 2018, please see above, and neither are POST: "Over a trial period from June 2017 to March 2018, 8.7% of matches were found to be correct" (p.3).

If 8.7% of matches are correct, then 91.3% aren't. That's not very good, is it.

Is the other mass consumer biometrics technology any better? Flat print fingerprinting? Voice identification? We don't know. POST don't tell us the failure rates for them. Only for AFR. That's a bit asymmetrical. Perhaps in a subsequent edition they might correct that lapse.

"The Commons Science and Technology Committee has said it is essential for biometric systems that impact on civil liberties to be tested, to ensure they are dependable ... Whilst noting the important role of biometric technologies in policing, the Biometrics Commissioner has pointed to a lack of research proving their cost-effectiveness". That's what POST tell us on p.4 ...

... but by then it's too late, the damage has been done, we've already been told on p.1 that "the global market for biometrics is estimated to grow to £21 billion by 2022" for all the world as though the technology works and we've already been treated to several examples of applications where mass consumer biometrics is used even if the technology doesn't work.

"... many banks now offer biometric verification on mobile banking apps, often using fingerprint or facial recognition" (p.1). Of course they do. It's not because the technology works. They have to. Otherwise they'll lose their banking licences. That's the open banking/PSD2 law. As we pointed out last October.

How many readers are going to plough on to the bits at the end of the POST note, raising boring questions about the efficacy of biometrics and governance and privacy and racial bias?

Very few, Idemia and all the other astrologers may safely assume.

Thank you, POST, they may say, for doing your bit to help us keep the licence to print £21 billion for ourselves, everyone so much wants our technology to work that they rarely ask if it does, and thanks to you that continues.



Updated 13.8.18

The state of West Virginia plans to introduce on-line voting in elections. They've retained a company called Voatz to develop a voting app. (An app is a virus, remember, by another name.) How does the state know that the vote has been cast by a legitimate constituent? Answer: "Voatz says its facial recognition software will ensure the photo and video show the same person. Once approved, voters can cast their ballot using the Voatz app".



Updated 10.10.18

The investigative journalism website Bellingcat have published the story of how they unmasked one of the Russian assassins sent to murder Colonel Skripal in Winchester.

Bellingcat made full use of all the surveillance facilities in use these days, all the on-line data stores offered by the web and all the enterprising criminality with which that data is sold to whoever can afford it. Talk about a double-edged sword ...

One passage in their story strikes a wrong note. Given two passport photographs taken 15 years apart, "Prof. Ugail confirmed unequivocally that the two photographs belong to the same person, accounting for the 15-year difference between the two".

Mr Ugail is "professor of visual computing at the University of Bradford and an expert in simulated age progression". Why is his confirmation unequivocal? Partly because the Cosine Similarity is 90.1%. And then there's the K-Nearest Neighbours. That's 87.7%. And the Deep Learning (Meekaaku algorithm) being 91.3% clinches it.


Or does it?

Don't forget that three years ago the Guardian newspaper used a biometrics expert to prove that these are both pictures of Anne Boleyn:

Alexander Mishkin
Alexander Petrov

So where are we on astrology? 13 years late, UK government promises biometrics strategy by end 2015. Why?

In July 2002 Rt Hon David Blunkett MP, Home Secretary, issued a consultation document on introducing government-issued identity cards into the UK. One idea was to use biometrics to verify people's identity.

There was no proof at the time that mass consumer biometrics was reliable enough to do the job. 13 years later, there still isn't. The belief in the efficacy of mass consumer biometrics is akin to the belief in astrology.

In February 2015 the House of Commons Science and Technology Committee published a report, Current and future uses of biometric data and technologies. Biometrics was described as "the shoddiest science offered to the courts" and was said to be locked in a "cycle of failure".

The Committee declared itself to be worried about the privacy issues raised by biometrics and about the security of biometric databases. Which is odd. After all, if the technology doesn't work, there are no privacy issues. And the Committee doesn't (yet) seem to be worried about the storage facilities for horoscopes.

One way and another the Committee's report came up with 12 recommendations, to which the government's response has now been published.

Saturday 12 September 2015

Government as a Platform is the next current previous phase of digital transformation and you know what that means

GaaP and the future
Government as a Platform (GaaP). It's "the next phase of digital transformation". That's what Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of the Government Digital Service (GDS) and Senior Responsible Owner (SRO) of the pan-government identity assurance programme now known as "GOV.UK Verify (RIP)", told us on 29 March 2015.

Which is odd ...

GaaP and the present
... because he'd already told us two years earlier on 11 January 2013, talking about the transformed Basic Payment Scheme for the UK's farmers, that: "It's going to help us deal with Europe in a different way, and quite rightly we're building it as a platform. It's going to be another example of government as a platform. I'm on the Board, and I'm trying to help them every week ...". GaaP is the current phase of digital transformation, not the next one.

And even before that, on 17 October 2012, in Why GOV.UK matters: A platform for a digital Government, he was talking about the award-winning GOV.UK, the on-line public face of UK government, and telling us that : "It is the first major, full platform release from the Government Digital Service. This release heralds a new approach to digital delivery of public services in the UK". But how new?

GaaP and the recent past
Mr Bracken acknowledges his debt to Tim O'Reilly, the herald who has been promoting the phrase "Government as a Platform" for at least six years, see for example his 26 August 2009 blog post What Does Government 2.0 Mean To You?: "As many of you know, I’ve built a new conference, Gov 2.0 Summit, around the idea of the government as platform: how can government design programs to be generative, to use Zittrain’s phrase?". GaaP is getting older and older before our very eyes.

GaaP and central control
GOV.UK has allowed GDS to get a grip on all central government publishing, as recommended by the revolutionary Martha-now-Lady Lane Fox. Departments and agencies can be commissioned for content to appear on GOV.UK but they no longer have their own websites to publish on.

As it says in the 2010 Martha Lane Fox Constitution for the UK: "Ultimately, departments should stop publishing to their own websites, and instead produce only content commissioned by this central commissioning team [GDS] ... Ultimately it makes sense to the user for all Government digital services to reside under a single brand ... This person [the Chief Digital Officer] should have the controls and powers to gain absolute authority over the user experience across all government online services ... and the power to direct all government online spend ... The [Chief Digital Officer] should also have the controls and powers to direct set and enforce standards across government departments ...".

Given that GOV.UK is a platform, that is one thing that GaaP entails – central control.

But what else does it mean?

GaaP and the Basic Payment Scheme
We should be able to learn more answers from the newly transformed Basic Payment Scheme. But we can't because, despite Mr Bracken working on it, and despite his being the government's Chief Digital Officer (that's one of his CDOs), the digital system crashed on take-off and farmers now have to use the paper and pen platform instead.

GaaP and GOV.UK Verify (RIP)
We should also be able to learn from GOV.UK Verify (RIP), which is meant to be the identity assurance platform for central government in the UK

The government has to govern for everyone. GDS's objective is to be able to include 90% of the population in GOV.UK Verify (RIP) by April 2016. Currently, their sources in the credit referencing agencies can only include 80% of us: "We estimate that GOV.UK Verify can cover approximately 80% of the UK adult population now (up from about 65% at the start of our public beta)". Despite Mr Bracken being the government's Chief Data Officer (that's his other CDO), there is some doubt about that 80% estimate and all the other estimates. But whatever the correct figure, it's not 100%.

How much assurance as to people's identity does GOV.UK Verify (RIP) provide? It's struggling to reach Level of Assurance 2, the standard of proof required for the civil courts. GDS's business partner, OIX, the Open Identity Exchange, tells us that if GOV.UK Verify (RIP) could use our personal bank account information, that "would help [to] achieve the required standards against the 5 elements of identity assurance at level of assurance 2" (p.11).

Even for the digitally literate adults in the UK with a rich credit history and a functioning broadband connection who could currently use GOV.UK Verify (RIP), GDS can't achieve the standards required for the criminal courts, Level of Assurance 3, let alone level 4 and beyond.

GaaP and comprehensive service
GOV.UK Verify (RIP) can't include the whole population and it can't provide complete assurance as to identity. Which means that other methods will have to be used. To the extent that a platform should be capable of doing a given job alone, GOV.UK Verify (RIP) is not a platform. That may be the only lesson we can draw from this example.

GaaP and the previous millennium
Long before Mr O'Reilly's 2009 contribution, the UK had the so-called "Government Gateway", a platform which allows people and companies to transact with central and local government. One of the prime architects of the Gateway dates its inception back to 1998 or thereabouts, which makes GaaP pre-millennial.

Not all platforms are equal
There's a lot wrong with the Gateway but it's sat there working for 15 years or so now. If all the effort put into GOV.UK Verify (RIP), which doesn't work, had gone instead into the Gateway, there might be a lot less wrong with it.

Which teaches us, perhaps, another lesson. Not all platforms are equal.

Just because the Gateway manages to do the job of providing authorised public access to multiple government services, like a platform is meant to, doesn't make it admirable. For that, something else is needed. What? There is no reliable answer.

GaaP, wheels and building blocks
So what is a platform in the intended sense of GaaP?

Apart from the few lessons above all we know is that it's something to do with not re-inventing the wheel. "Reinventing the wheel every single time we build a service has led to far too much duplication and waste", says the Chief Data Officer. To what extent will duplication be reduced by GOV.UK Verify (RIP)? The Chief Data Officer doesn't tell us. How much waste will be eliminated? When? How? The Chief Data Officer doesn't tell us. Is there any down side to GOV.UK Verify (RIP)? The Chief Data Officer doesn't tell us.

We also know that GaaP is something to do with building blocks, please see Some people must think that the British public is a cretin.

That doesn't increase our understanding.

What we need is some management consultancy.

GaaP and the business schools
The management consultants have thrown their cap into the ring.

Simon Wardley says we need to map the value chain-evolution surface. That doesn't tell us what's going to happen or when, Janet Hughes, Identity Assurance Programme Director, told 200 entrepreneurs at the Four Seasons Hotel, Hampshire, but nevertheless she says inscrutably that she finds Wardley maps useful for GOV.UK Verify (RIP).

And Mark Thomson starts with Wardley maps, then plots ubiquity against certainty and finally advises us to look for "promising clusters" which will, under some circumstances, "literally constitute the government as a platform".

GaaP is beginning to literally look like one of the less promising clusters in the business school lexicon.

GaaP and GDS
In the search for meaning, you may approach GDS themselves. Paul Downey, Technical Architect, opens his blog post Registers: authoritative lists you can trust with a picture:

Services rest on platforms and platforms rest on registers. That, at last, seems to tell you something substantial about platforms. They are the means by which trustworthy data can efficiently be turned into useful services. No registers, no platforms.

The first sentence of Mr Downey's post reads: "We’ve mentioned registers a few times on this blog, most recently in relation to the work of the Land Registry building on the steel thread, the brilliant new Companies House public beta, and their importance for building platforms". That seems to convey the same definitive message – if you want platforms, you need registers. But apparently that's not the message because, in response to a question, Mr Downey also says: "there's no implication that a platform must use Registers".

Mr Downey leaves us trying to believe both that it is important for a platform to have a register and that platforms don't need registers. If you can manage that, you'll have no problem also believing that you know what Mr Bracken means when he says that GaaP is the next phase of digital transformation and no qualms agreeing that GOV.UK Verify (RIP) should have access to your bank account.

Government as a Platform is the next current previous phase of digital transformation and you know what that means

GaaP and the future
Government as a Platform (GaaP). It's "the next phase of digital transformation". That's what Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO, executive director of the Government Digital Service (GDS) and Senior Responsible Owner (SRO) of the pan-government identity assurance programme now known as "GOV.UK Verify (RIP)", told us on 29 March 2015.

Which is odd ...

Thursday 10 September 2015

RIP IDA – investment interest "has closed or been withdrawn"

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Let's say that you're a venture capital person. In that case you'll know that 95% of the ventures you invest in bomb. For £95 out of every £100 that you invest, there's nothing to show for it. You lose your money. It's gone.

Just to break even, the other £5 has got to return £100. Your investment has to appreciate by a factor 20. After tax. After all investment costs. Such as hiring the Four Seasons Hotel in Hampshire for the day. That's not cheap.

But what's the point of breaking even? You can do that by not investing in the first place. The idea is to make a profit.

How much profit? You want to double your money? Then that £5 investment you made in the one surviving enterprise has to grow by a factor of 40, not 20.

That's not going to happen overnight. Suppose your investment grows at the rate of 10% p.a. How long will it take to be worth £200? Answer, something between 38 and 39 years. 38.70394 years to be precise, but there's no point being precise because you have clearly starved to death a long time before merely doubling your money.

38 is pushing it. Let's say you can afford to lock up your money for five years. How fast does the value of the investment have to grow? Answer, at the rate of 109.1279% p.a. Every annum. For five years. After tax. And after costs.

It's not easy finding investments that can do that. And even if you find one, your peers in the venture capital business will laugh at you for only doubling your money. But never mind their laughter, let's say that you're a pretty grounded sort of investor and that, for you, net doubling your money in five years is enough.

Time to take an example.

Let's suppose some entrepreneur brings you a prospect based on GOV.UK Verify (RIP), a business idea that depends for its success on identity assurance.

It's got Whitehall's name behind it. That's good. Lions, unicorns, crowns, Latin Old French mottos and the bottomless pockets of UK taxpayers and the ever-generous austere overseas creditors who have so far lent the UK £1,500 billion.

It's got volume. 60 million people. Shame GOV.UK Verify (RIP) can't do companies, partnerships and trusts yet, maybe that will come, but at least it's got 60 million potential users, the great unwashed.

And the great unwashed can be forced to use GOV.UK Verify (RIP). Its use can be made mandatory. Either that, or the great unwashed can be nudged into using it. You want a driving licence? Apply using GOV.UK Verify (RIP). You don't want to use GOV.UK Verify (RIP)? Fine. Don't. But then you don't get a driving licence. Up to you.

It's looking quite healthy. There are other identity assurance suppliers out there, notably the banks, there is competition, but Whitehall has some powerful monopoly advantages. The EU wants everyone to have electronic ID. The UK government would like to look modern. Like Google or Amazon or Facebook or Apple.

Of course, the product doesn't actually exist yet. Some of GOV.UK Verify (RIP) is currently in public beta but most of it is in private beta or even less far advanced. A lot of this prospect is just a glint in the eye at the moment. But that's what venture capital talent scouts are meant to be good at spotting, the glints that are going to survive to term and grow up to become healthy cash cows.

GOV.UK Verify (RIP) relies on "identity providers". Nine of them. We have been assured that "identity providers" have to be certified trustworthy:
  • Four of them are certifiedExperian, Verizon, GBGroup and digidentity.
  • One of them has applied for certification – the Post Office.
  • The other four haven't even applied yet – Barclays, Morpho, Paypal and Royal Mail.
Not a good sign. Not for a service that's meant to be out of beta and live by April 2016.

And these "identity providers", they're paid a pittance by GDS, the Government Digital Service. It's a contractual thing.

That's not good either. Why do they bother? That'll slow things down. They're not going to go the extra mile needed to deliver 109.1279% p.a. growth. Get the lawyers onto it. Maybe they can work something out.

And the customer base is shrinking. It's not 60 million. GDS say they are on track to cover 90% of the population by April 2016. That's six million users lost. They say they can only cover 80% at the moment. Another six million who won't be generating turnover.

That's not good.

And who says GDS have got GOV.UK Verify (RIP) covering 80% of the population right now? Only GDS. No-one independent.

Not good.

What's the marketing plan for GOV.UK Verify (RIP)? It better be good. Something's got to promote public trust in these "identity providers", half of whom no-one's ever heard of. Something's got to make the public want GOV.UK Verify (RIP). Something's got to tell the public what it's for and how to use it.

There is no marketing plan. GDS's "objectives for live" do not mention any such plan. And so far all they've told the public is that GOV.UK Verify (RIP) is for submitting tax returns and applying for state benefits. They've sort of missed out the private sector, entrepreneurial bit. So far. In public. For the moment.

That's not good. That's really not good.

Who's in charge of this major new service that doesn't have a marketing plan? Answer, Public Servant of the Year ex-Guardian man Mike Bracken CBE CDO CDO. He's the executive director of GDS and he's the senior responsible owner of GOV.UK Verify (RIP).

That's good.

Until you remember that he's leaving at the end of September, in 19 days, and no new SRO has been announced.

That's not good.

What about cybersecurity? Have GDS ticked all the boxes? Venture capital persons have investment boards to report back to. The directors like to see ticks in all the boxes before they expend the considerable intellectual energy required to assess the investment in detail. And a lot of those boxes concern security.

GDS are a bit ambivalent about security. They do mention it. But they prefer to market on usability.

That won't worry the venture capital persons one bit. GDS can market on usability all they like. Just so long as they market on something and actually tell the public that the product exists and give the public some reason for using it, thereby causing money to change hands. But the question remains, is GOV.UK Verify (RIP) secure?

There's an academic report arguing that the GOV.UK Verify (RIP) identity hub is hackable. The investment board won't like that. GDS have recruited one of the academics. That's dastardly. And sensible That'll keep him quiet.

The others may be prevailed upon to restrict their criticisms to the US equivalent, NSTIC. If the remaining academics shut up about GOV.UK Verify (RIP) the board might just wear it, with a big question mark. The prospect could still be in with a chance. But there's more.

There's that GDS job ad on LinkedIn.

"This is an opportunity to be at the heart of an evolving service that is leading the world ...". Who says GOV.UK Verify (RIP) leads the world? Only GDS. Is it a good thing to lead the world? Not necessarily.

"You will be working in a relatively unique technical environment ...". What is relative uniqueness? How is it distinguished from absolute uniqueness? And why?

"The Government Digital Service is leading the digital transformation of government ...". Says who?

GDS want to recruit a Security Operations Engineer. That's what the job ad's for. "... technical problem solving will be related to security, identity management, and scaling in a cloud based environment ... You will resolve threat and vulnerability management issues ... work with the technical teams to continuously improve the security of the platform ... lead technical projects to implement or enhance security ... work with external suppliers, such as penetration testers ... help develop robust security processes and security awareness amongst technical teams ...". You will be responsible for the "administration of internal PKI [public key infrastructure] and assisting Relying Parties [HMRC, DWP, ...] and Identity Providers with their certification onboarding ...".


This is all good news for the investment board. Except that this job ad was posted "15 days ago" according to LinkedIn and it says: "As the first dedicated Security Operations Engineer in this team, it is an opportunity for you to ...".

The first? There are no others? The GOV.UK Verify (RIP) project has been running for four years and this will be the first dedicated security engineer in the team?

And if you click on Apply on company website, what do you see? Lions, unicorns, crowns, Latin Old French mottos and:


"This job has closed or been withdrawn". As has, by now, surely, any interest in investing, by any venture capital person.

----------

Updated 11.9.15
Agile. You just have to be agile.

"This job has closed or been withdrawn" – that's what it says on civilservicejobs.service.gov.uk.

But if you look at gds.blog.gov.uk it doesn't say that. It looks as if the job offer still exists.

So which is it? Closed-or-withdrawn or still-available? We don't know and there's no point guessing.

The only things that must be clear to a venture capital person considering an investment are that GDS is (a) very late recruiting its own in-house security expertise, (b) unsure about its short-term future and (c) unable to co-ordinate two GOV.UK websites devoted to the same matter.

No cigar. Investment contra-indicated.

And for anyone applying for the other job advertised to work as a GDS Privacy Officer? We've already warned that the organisation you join is not the organisation you will work for. But now you need to factor in the question whether, having successfully submitted your application on time, yesterday or earlier, the job will still exist by the time interviews start on Monday week, 21 September 2015. Or the next day.

Updated 20.9.15
"You don’t have to go far
to see digital teams
doing the do"

One of the guiding principles of GDS's work is to meet user needs. As they never stop telling us.

They may tell us that but, in contravention of one of their other guiding principles, show-don't-tell, they can't show it. We have seen the case of transferable marriage allowances, for example.

The Daily Mail newspaper told us about it back in June 2015, Thousands miss out in marriage tax fiasco. So did the Times newspaper, in May, Perk that’s just too taxing. Twice, Applying for this marriage perk ain’t easy.

The problem is that people can't register with GOV.UK Verify (RIP). And if they can't register, they can't apply for this benefit. Not on-line, at least, they can't. They give up the attempt to claim £212 p.a.

Prospective claimants regard the cost of registering with GOV.UK Verify (RIP) as being greater than £212 p.a. There's a thought for entrepreneurs and the people funding them.

HMRC, who administer these tax claims, are naturally embarrassed that it is so difficult for legitimate claimants to succeed. "No one will miss out on the Marriage Allowance because of difficulties with online verification", they say. And in their defence they remind people that it's not they, HMRC, who devised GOV.UK Verify (RIP), "it’s not our IT system; it’s the Cabinet Office’s".

Why do the London School of Economics say that GOV.UK Verify (RIP) "highlights the benefits of directly addressing user needs"? No-one knows.

User needs are not being met. Or they weren't last May and June. As OIX, the Open Identity Exchange, GDS's business partner pointed out, the "identity providers" currently signed up to GOV.UK Verify (RIP) can't hack it. They need help to try to reach level of assurance 2.

Luckily, there is another guiding principle of GDS's work – to be agile. Iteration allows GDS services to be continually updated so that user needs are better met:


Is that true? It's one thing to tell us. But can GDS show that agile software engineering delivers constant improvement?

Not according to yesterday's Times, where a tax advisor suggests that it's best to bypass GOV.UK Verify (RIP) and apply for marriage allowance transfers by post, Try snail mail for the marriage tax break.

Only the other day, 11 September 2015, the Prime Minister was saying "across the spectrum, there are opportunities for us to make a difference not just to people’s pockets but to people’s lives. For example, I believe the creation of the Government Digital Service is one of the great unsung triumphs of the last Parliament".

That's unfair. DMossEsq has taken the trouble to write a song celebrating GDS's triumphs. There must be someone somewhere whose pockets and life have been improved, who could record Agile People and take it to No.1.

Meanwhile, GDS are reduced to devising ever more gnomic guiding principles, their latest being "you don’t have to go far to see digital teams doing the do". Let that be a comfort to the married couples forgoing £212 p.a.


Updated 2.11.15

Ever optimistic, some venture capitalists may still be considering making an investment in an innovative business which relies for its success on GOV.UK Verify (RIP) working. The triumph of hope over experience.

The rest of the venture capital caravan will have moved on. They have learnt about taking unreasonable risks with their money. They will be able to read GDS's latest blog post on the subject, Making GOV.UK Verify [RIP] available to more people, with equanimity.

It won't worry them when they read that GOV.UK Verify (RIP) can only be made "available to more people" by lowering the standards of verification. GOV.UK Verify (RIP) has never reached level of assurance 2 and now that goal will be even further away:
You don’t need as much evidence to prove your identity
Whereas previously you would often need 3 pieces of evidence to prove your identity, now  you will often only need 2 pieces of evidence.
They won't feel that their money is going down the plughole when told that GOV.UK Verify (RIP) may rely on selfies and the hopelessly flaky biometrics technology of face recognition:
You can take a photo of yourself instead of answering questions based on credit history
... Now, GOV.UK Verify [RIP] also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.

If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies [i.e. two of the "identity providers"] - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared.
GDS make it clear in their post that, for them, successful verification depends on the payments industry:
Certified companies ... can now use methods developed for online payments to check an electronic payment card directly with the issuing authority.
The work is being done by the payments industry, not GDS. That's where the realistic venture capitalists will be investing. The optimistic ones won't, because they won't have any money left to invest. RIP.