No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
GOV.UK Verify (RIP), currently being tested, uses a combination of passport details, driving licence and credit rating information to try to enrol people onto the population registers maintained by the Government Digital Service's so-called "identity providers".
Even if a computer-literate person with access to broadband would like a GOV.UK Verify (RIP) account, there can be problems. Among others, that person may not have a passport or a driving licence or a credit history.
We’re working to identify more government data sources to add to the document checking service. We’re hoping to be able to say a bit more about our plans on this in the new year.
The use of any additional official data sources would be subject to formal agreements on how the data can be used, and government data sources will only be used on the basis of informed user choice and consent.
They were looking for "more government data sources". Such as? Two days later, DMossEsq suggested personal information recorded by the government about your education, travel or health. That was a guess.
It wasn't a wild guess. It was based on proposals made by the Department for Business Innovation and Skills for its midata project, a close cousin of GOV.UK Verify (RIP), in this video for mooncalves:
But it was a guess nevertheless.
What is the correct answer?
That should have been known shortly. Remember: "We’re hoping to be able to say a bit more about our plans on this in the new year [i.e. January 2015, a year ago]". Remember, too, that the Cabinet Office Minister at the time, Francis "JFDI" Maude, had promised:
Surprising and disappointing, in the event, GDS still haven't told us what additional government records will be pressed into service to populate their identity registers.
Their business partner OIX, the Open Identity Exchange, has floated an alternative solution. Rather than records held by the government, why don't the "identity providers" leaf through our bank accounts instead? Please see their August 2015 white paper, The use of bank data for identity verification.
The primary benefit for Identity Providers is the availability of an additional source of data to validate user-entered data ..., establish a link between the identity and the person ... and establish activity history ..., which would help them achieve ... identity assurance at level of assurance 2. [Please see p.11]
Level of assurance 2 is acceptable in a civil court but inadequate for a criminal court, where you need level 3. OIX are telling us that GOV.UK Verify (RIP) is having trouble reaching even level 2 and that adding our bank details might help.
GDS have neither confirmed nor denied wanting access to our bank accounts. The sunlight of transparency has been dimmed.
Would we finally discover the answer? Educational attainments? Foreign travel history? Medical records? Current account transactions? Mobile phone logs? Don't get your hopes up:
Experian said it would not be providing further details on the nature of these data sets at this time.
Are Experian embarrassed to tell us what new data sources they intend to use? That might explain their reluctance to tell us. In which case, why are they embarrassed? Do they think that it's wrong to use these data sources? Do they fear that the public might object? And that Experian's reputation might suffer?
Come to that, why have GDS kept quiet for over a year now about the "government data sources" they were "working to identify" way back in December 2014?
We don't know.
The only thing that is clear is that the claim that GOV.UK Verify (RIP) will put us all in control of our own data is empty. Remember the "informed user choice and consent" mentioned by GDS in the opening quotation above? Forget it.
The Department for Work and Pensions looks to be developing its own version of an online identity tool intended as a way to ensure a secure transaction with government services, according to several sources.
And it's not just the Department for Work and Pensions. Her Majesty's Revenue and Customs, too:
A number of sources have told The Register that both the DWP and HMRC are building their own separate online identity systems due to the issues related to getting Verify off the ground.
These service providers have a job to do. HMRC, for example, has to raise the tax revenue on which the state depends. They can't hang around waiting on the off-chance that GDS might get their GOV.UK Verify (RIP) act together.
DWP and HMRC between them must account for the vast majority of GOV.UK Verify (RIP)'s accountholders. The other huge service provider is the National Health Service. But they've already rejected GOV.UK Verify (RIP) on the basis that they're a better "identity provider" than Experian and the other three members of GDS's team, digidentity (Dutch), the Post Office (uncertified) and Verizon (American and banned from any government contracts in Germany).
There's always the private sector, of course. Perhaps they might like to use GOV.UK Verify (RIP)?
No.
Back to Neil Merrett and his June 2015 article, GOV.UK Verify potential in focus as private sector talks begin. GOV.UK Verify (RIP) is no use to the UK finance sector, who are building their own "digital passport". It's no use to merchants who need to conduct on-line age verification. It's even been rejected by the on-line adult entertainment/pornography sector.
The sunlight of transparency reveals an identity assurance scheme with no suppliers and no customers and a data source that dare not speak its name. RIP.
The Government Digital Service (GDS) have got their slide rule out and used a mathematical model to predict what percentage of its target population – us – can in theory be enrolled onto the registers maintained by its "identity providers".
This is the picture of their prediction, categorising us by age:
Will GDS's model prove more accurate than, say, Her Majesty's Treasury's models of the UK economy? The massed brains of the Treasury assured us in 2002 and 2003, you will remember, that we had now seen the end of boom and bust. It didn't work out that way.
"Our next piece of analysis will be conducting logistic regressions and correlation matrices to gain further insights across demographic groups", they say at GDS. Good. Just like the political pollsters who predicted a dead heat between the Labour and Conservative parties at the May 2015 general election. The Conservatives won 99 more seats than Labour.
While we're waiting to see the outcome, take a look at the graph above. It shows a large increase in "verification rates" over the next few weeks.
It needs to if GDS are to meet their April 2016 target of 90 percent coverage.
The "verification rate" for orange people is due to rise from about about 40 percent to about 80 percent. Is there anything more than wishful thinking to support that large increase?
Are GDS expecting their new "identity providers" to provide that increase? No new approvals have been granted by tScheme. So there can't be any new "identity providers". Their services all have to be approved before they're let loose on the unsuspecting public.
If the expected increase isn't predicated on new "identity providers", then have the existing ones gained access to new data sources? And if so, which data sources? What personal information of ours are we about to discover that we have given permission for Verizon et al to access? For all their claims to openness, GDS still haven't told us.
GDS have added a fifth "identity provider", Safran Morpho, to their identity assurance platform, GOV.UK Verify (RIP). The registers underlying GDS's platforms provide a "single source of truth" according to Tom Loosemore.
Turn to the GOV.UK Verify (RIP) dashboard on the GOV.UK Performance platform, and what do we see under Certified companies? Digidentity, Experian, the Post Office and Verizon. But no Safran Morpho.
Presumably this single source of truth has to be updated manually from another single source of truth. That would explain the absence of Safran Morpho and the absence further down the dashboard page of any statistics for the week ending 28 February 2016, yesterday.
The GOV.UK Verify (RIP) Account creation success rate, all services stood at 74% on 3 January 2016.
That is consonant with the figures on the graph produced by GDS's new mathematical model.
The model predicted that "verification rates" would climb over 80% soon after 16 January 2016, please see the thick pale blue line for "total verified", i.e. everyone over the age of 16.
In the event, according to the dashboard, the single source of truth, the "verification rate" had fallen to 72% by 21 February 2016. It's going the wrong way.
Even with Safran Morpho's unregistered assistance, what chance the "verification rate" will exceed 90% in June/July 2016 as predicted by the model?
Updated 8.3.16
Another week, and another fall in the Account creation success rate, all services, down from 72% to 67% when, according to GDS's mathematical model, it was meant to be heading up through 80% towards 90%:
Updated 15.3.16
Another week, and another fall in the Account creation success rate, all services, down from 67% to 62% when, according to GDS's mathematical model, it was meant to be heading up through 80% towards 90%:
By now, late March, pink people – age 75 and over – should have a success rate over 70% according to GDS's mathematical model and for everyone else the success rate should be over 80%.
66% is off the scale. Lower than the lowest projection.
In the charming terminology of the securities world, this week's increase from 62% to 66% is a "dead cat bounce".
Updated 6.4.16
Week ending 20 March 2016, the GOV.UK Verify (RIP) dead cat account creation success rate bounced up to 66%, as noted above. A week later it was falling again, to 63% (27 March 2016) and last week it fell further, to 62% (3 April 2016). Not a good sign for a moggy that's meant to be dancing around the 90% mark.
Update, 29 March 2016: We are now able to publish a CSV file (663 kb) containing the data used for the web tool for 7 of the 9 demographic variables provided by the ONS omnibus survey. This is combined with our model's estimate of the individual's probability of being verified by certified companies over time. This is the maximum number of variables we could make public, whilst preserving the anonymity of respondents.
Take a look at the CSV file linked to in that update.
What you'll see is that GDS's own model predicts that:
GOV.UK Verify (RIP) tends to exclude individuals with a low income, people outside the managerial and professional classes, the unemployed, the very young, the very old, urbanites, women and Northerners.
And for everyone else, even theoretically, it's still miles away from the 100% identity verification rate you might, if you're old-fashioned, associate with a public service public provision.
The logistic regressions and correlation matrices team in GDS have estimated the probability of GOV.UK Verify (RIP)'s "identity providers" being able to verify people's identity on four different dates as follows:
Date
Verification probability
13 October 2014
71.49%
3 December 2015
73.96%
1 March 2016
86.77%
1 July 2016
93.36%
There is no indication how those probabilities were calculated. Or what assumption is made to achieve that huge increase from the 70s to the 90s. Or whether the model is wrong or maybe it's the world that's wrong, with its limp 62% account creation success rate last week.
The data in GDS's model is analysed by geographical region of Great Britain and if you calculate the average verification probability across all four dates you get:
Region
Verification probability
North West
75.62%
Scotland
77.11%
North East
78.03%
London
78.36%
West Midlands
80.90%
South East
83.37%
Wales
83.69%
Yorkshire and Humberside
83.75%
Eastern England
84.23%
South West
84.45%
East Midlands
85.32%
Something in GDS's model suggests that GOV.UK Verify (RIP) should be more successful in the South West and the East Midlands than it is in the North West and Scotland.
The data is also analysed by age:
Age
Verification probability
16 to 24
63.58%
75 and over
69.71%
65 to 74
82.72%
25 to 44
83.89%
55 to 64
84.84%
45 to 54
88.53%
GDS's model predicts significantly greater success with 25 to 74 year-olds than with the under-25s and the over-74s.
The model has four categories of employment status:
Employment status
Verification probability
unemployed
73.46%
economically inactive
73.59%
unpaid family worker
85.90%
in employment
87.36%
GOV.UK Verify (RIP) doesn't look much good for the unemployed and the economically inactive.
Analysing by socio-economic status, we get:
Socio-economic status
Verification probability
not classified
68.85%
routine and manual
79.19%
intermediate
86.86%
managerial and professional
91.77%
GOV.UK Verify (RIP) works best for the managerial and professional classes – senior civil servants? – and steeply worse for everyone else.
It's supposed to work better in rural areas (86.46%) than urban areas (80.53%) according to GDS's model. It's supposed to work better for males (83.21%) than for females (79.96%). And the more income an individual has, the better GOV.UK Verify (RIP) can verify his or her identity:
Individual income
Verification probability
up to £10,399
70.09%
no source of income
71.12%
don't know
74.04%
refused
78.74%
£10,400 to £19,759
80.62%
£19,760 to £28,599
89.71%
£28,600 and over
94.17%
Updated 12.4.16
Last week the dead cat bounced up from 62% to 67%. An account creation success rate of 67% is lower than the worst verification probability predicted (Foreshewn?) by GDS for any UK income group.
GOV.UK Verify (RIP) is meant to be able to verify the identity of 70.09% of individuals with an annual income up to £10,339, please see immediately above. That would exclude 29.91% of these people from public services if the UK relied on GOV.UK Verify (RIP).
That's bad enough but it looks as if the exclusion rate may be more like 33%.
Anyway, nothing like the 10% exclusion rate GDS said was acceptable for GOV.UK Verify (RIP) going live this month, April 2016, 18 days left.
Updated 18 April 2016
Last week, 11-17 April 2016, the GOV.UK Verify (RIP) account creation success rate went up to 71%, just under the 72% peak reached in the last fortnight of February 2016.
This increase could be the result of GDS herding people away from the poorly-performing "identity providers" – Barclays, GB Group/CitizenSafe, Royal Mail, Safran Morpho/SecureIdentity and Verizon.
It could also be the result of increasing the minimum age of registration from 19 to 20, thereby excluding another 1.2% of the UK population from getting one of GDS's on-line identities to transact with public services.
The success rate of 71% is bought at the expense of five "identity providers" and all the under-20s.
It's an increase, but 71% is still miles away from the 90% GDS require before GOV.UK Verify (RIP) can go live. It's not going to be achieved this month. Meanwhile, the outside world isn't standing still.
Updated 25.4.16
In the week to 24 April 2016, the account creation success rate fell to 70% from 71% the previous week. There's nothing much to be said about that except that it remains well below the 90% threshold required to declare GOV.UK Verify (RIP) live but GDS may declare it to be live later this week anyway and hang the consequences.
Updated 3.5.16
In the week to 1 May 2016, the account creation success rate rose to 71% from 70% the previous week. There's nothing much to be said about that except that it remains well below the 90% threshold required to declare GOV.UK Verify (RIP) live. GDS claimed to be "nearly there" last week, but sensibly delayed the live announcement. Another day, another deadline missed.
Updated 9.5.16 1
Has the account creation success rate surged to 90%+ in the past week?
We don't know.
At midday 12 noon on Monday 9 May 2016, the Government Digital Service's performance platform dashboard for GOV.UK Verify (RIP) still hasn't been updated. We're left looking at the statistics up to 1 May 2016, eight days ago:
You might think that the Government Digital Service is digital. And that dashboards on the performance platform get updated automatically and at the speed of light.
Clearly not.
Are GDS waiting for the sign-writers to turn up? Do they have to doctor the figures before publication in some way that can't be encoded in an algorithm?
Updated 9.5.16 2
Whatever you do, don't look down
Gravity is a harsh mistress
Since about 2 p.m. we now know that in the week to 8 May 2016, the GOV.UK Verify (RIP) account creation success rate fell from 71% the previous week to 68% .
There's nothing much to be said about that except that it remains well below the 90% threshold required to declare GOV.UK Verify (RIP) live.
In the same week, the authentication completion rate fell from 40% to 36%.
GDS claim to be "nearly there" but what they mean is that they're a bit further away.
Updated 16.5.16
2:19 p.m. Monday afternoon here in the metropolis and the only question is how did GOV.UK Verify (RIP) do last week? As at 8 May 2016, a week ago, 64% of attempted authentications failed. I.e. the authentication completion rate was a princely 36%.
GOV.UK Verify (RIP) is meant to replace the Government Gateway by the end of March 2018. 22½ months time. The Government Gateway is the system HMRC depends on to raise the revenue to pay for public services in the UK. A 64% failure rate for authentications in GOV.UK Verify (RIP) could induce an uncomfortable clammy feeling here and there in Whitehall.
So has the rate improved this week?
We don't know. The GOV.UK Verify (RIP) dashboard on GDS's performance platform still hasn't been updated.
So much for digital by default.
Updated 3.6.16
It will come as news to nobody that today is Friday.
Friday 3 June 2016.
That's four days after Monday 30 May 2016, which is when we might all have expected to see the updated figures on the performance of GOV.UK Verify (RIP) for the week ending Sunday 29 May 2016.
Well hard luck us. The figures weren't available then and they still aren't now (10:00). We are left with the antique performance figures to 22 May 2016 – account creation success rate 68% (not 100%) and authentication completion rate 34% (not 100%).
We have noted that ever since GOV.UK Verify (RIP) was declared live on 24 May 2016 the Government Digital Service (GDS) immediately went into retrenchment mode. The will gone, their energy sapped, is this silence on the system's performance more of the same? Have GDS simply lost interest?
Updated 23.62016
For the week ending 29 May 2016, we finally discovered, the GOV.UK Verify (RIP) account creation success rate was 69%. A week later it rose to 72% (5 June 2016), then fell again to 71% a week after that (12 June 2016). And for the week ending 19 June 2016? We would normally expect to have the figure some time on Monday 20 June 2016. But no. Here we are on Thursday 23 June 2016 and we still don't know how GOV.UK Verify (RIP) account creation fared last week.
It's not just you losing interest. Clearly, GDS couldn't care either.
Updated 27.6.16 10:55 a.m.
What was the GOV.UK Verify (RIP) account creation success rate for the week ending 19 June 2016? That's what we were asking last week.
We now know that it fell from 71% to 69%. We also know that it fell again, to 68%, for the week ending yesterday.
We were assured that GOV.UK Verify (RIP) could not be declared live until the account creation success rate reached at least 90%. It has missed that low target by at least 20% and yet the system has nevertheless been declared live.
The GOV.UK Verify (RIP) authentication completion rate was 33% in the week ending 12 June 2016. I.e. 67% of attempted authentications failed. Not good. Has that performance improved? We don't know. The performance figures haven't been updated for a fortnight now.
Ditto the certified company completion rate and the certified company choice rate. Ditto, not surprisingly, all three measures of user satisfaction.
Coverage of the UK population by GOV.UK Verify (RIP) may or may not have improved. Either way, it's still below the 90% GDS said they needed for the system to go live and yet go live it did back in May.
What's more, in July, GDS stopped publishing statistics for the account creation success rate on the dashboard, claiming that they don't "tell us or the user much about how well GOV.UK Verify [RIP] is performing". Actually, these statistics speak volumes. Here's GDS's latest graphic:
There's no vertical axis and GDS, supposedly the custodians of data analysis in the UK, don't tell us in their blog post what the different colours mean, but GOV.UK Verify (RIP) clearly has problems authenticating people's identity outside the age range 25 to 44. That is a matter of great interest to the users, pace GDS.
And don't forget, according to the US National Institute of Standards and Technology, even when GOV.UK Verify (RIP) does claim to have proved someone's identity, it hasn't. It's merely recorded an act of self-certification.
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
GOV.UK Verify (RIP), currently being tested, uses a combination of passport details, driving licence and credit rating information to try to enrol people onto the population registers maintained by the Government Digital Service's so-called "identity providers".
Even if a computer-literate person with access to broadband would like a GOV.UK Verify (RIP) account, there can be problems. Among others, that person may not have a passport or a driving licence or a credit history.
We’re working to identify more government data sources to add to the document checking service. We’re hoping to be able to say a bit more about our plans on this in the new year.
The use of any additional official data sources would be subject to formal agreements on how the data can be used, and government data sources will only be used on the basis of informed user choice and consent.
They were looking for "more government data sources". Such as? Two days later, DMossEsq suggested personal information recorded by the government about your education, travel or health. That was a guess.
It was the eve of the eve of New Year's Eve 2015 when the Department for Culture Media and Sport (DCMS) challenged the public to challenge the department:
Challenge us Come 2020, undoubtedly the UK landscape will have changed to be firmly in the digital age. But how do you want to shape that? Government has ideas and ambitions but as Tech City UK back in 2010 shows, the ideas are out there. So challenge us - push us to do more. Let’s show the rest of the world how it’s done.
They gave us until 19 January 2016 to submit our responses.
They asked for it.
Someone had to tell them:
From: David Moss
Sent: 18 January 2016 12:49 To: 'digitalstrategy@culture.gov.uk' Subject: UK Digital Strategy - the next frontier in our digital revolution
1. This is a response to the DCMS request for comments on the Secretary of State's 29 December 2015 press release [1] which we can be sure was written by his officials and not by him. ☠ Wrong. Please see note below.
2. "In 2010, a revolution began", we are told. Why 2010? Computerisation started in the 1950s, the internet in the 1960s, micro-computers in the 1970s, graphical screens and relational databases in the 1980s, the web and mobile phones in the 1990s and social media in the 2000s. What revolution occurred in 2010? None. Where it isn't simply false, much of this press release is excitable. It sounds credulous, ingenuous and childish, unconvincing and confidence-sapping.
3. "... we want the UK to be synonymous with digital". Synonymous? Are you sure?
4. "Matt Hancock is ... driving a transformation", it says, "to create what he calls a 'smartphone state' ...". Why? What is a "smartphone state"? Who wants one?
Unlocking digital growth
5. To the extent that the UK's digital strategy affects the private sector, best practice is well-established – minimum regulation and a government that keeps out of the way. That seems to be the message being sent by BIS in their UK Government Response to EU public consultation on Digital Platforms [2]. It would be coherent/joined up for DCMS to send the same message and not to pretend that they can pick winners or that they are better than the market at allocating resources.
7. The four professors who drafted that report demolished the proposed strategy. Using agile software engineering methodologies, iterating and calling on open source software is not enough. National IT strategies need to be devised by people who know a lot more about IT, a lot more about public administration and a lot more about commerce and inducing cultural change.
8. The professors were right. The former deputy director of the Government Digital Service (GDS) describes years of his own hard work trying to implement that strategy as no more valuable than putting lipstick on pigs [4]. That is no platform for a UK digital strategy.
Transforming day to day life
9. The 2015-20 Spending Review doubled the GDS budget to £450 million to cover the next four years. It is not clear why.
10. Interviewed by PublicTechnology.net[5], their executive director said that GDS would be "going wholesale" in 2016, "iterating" and working on "Government as a Platform". At a 12 January 2016 conference on government IT/ICT in 2016, he tweeted[6]:"Awesome morning at Government ICT 2016 speaking about recasting the relationship between citizens and the state". The day before that, the Cabinet Secretary published a blog post, Civil Service priorities - what we’ve achieved, and what’s ahead [7], in which he said that one of those achievements is that: "at the Spending Review, an additional £1.8 billion investment in digital transformation, as well as £450 million specifically for GDS, was announced". The uses to which that £450 million is to be put remain unclear.
11. Unclear or not, the allocation has been made. In that sense the strategy has been decided upon and it's too late for DCMS or anyone else to be asking for comments. Unless DCMS can force the Cabinet Office/GDS and other departments to change their mind. Can it? Does DCMS have the weight to force a re-think?
12. That seems unlikely. £450 million over four years is more than 50 times as much as DCMS's budget for Tech City UK [8]. GDS's "going wholesale" has got nothing to do with DCMS and neither have the NHS's "amazing doctors and nurses", nor the "MOOCs" referred to in the press release, the driverless cars and the drones. What has the national IT strategy got to do with DCMS? And, given their interest in our quotidian existence, why aren't they asking us about the post-revolutionary survival of newspaper- and book-publishers?
Building the foundations
13. DCMS: "As more of our lives are conducted online, the need to keep ourselves safe from criminals and terrorists increases ... That’s why we’re spending £1.9 billion over the next five years through the National Cyber Security Programme". There goes another £1,900 million. Roughly what JP Morgan have spent on cybersecurity. Not that it did them much good, please see JPMorgan's 2014 Hack Tied to Largest Cyber Breach Ever [9]. That's according to Bloomberg. Who were also hacked [10]. Like Sony[11] and everyone else. Including cyber security experts and defence contractors, please see "When it comes to cyber security QinetiQ couldn’t grab their ass with both hands" [12].
14. GDS say[13]:"We want departments across government to adopt GOV.UK Verify increasingly as it progresses from beta to live because it’s secure, straightforward and meets the needs of their users". Such an unqualified promise of security is unrealistic, impractical and not deliverable. DCMS could usefully promote a cultural change in the understanding of the unavoidable risks of living in a "smartphone state". DCMS will have succeeded when the public read that promise of GDS's, assume that it's a joke and laugh.
15. A related cultural change, DCMS could usefully warn the public that downloading "apps" is synonymous with deliberately inserting viruses into our computers/tablets/phones. Also related, DCMS could work to make the public understand that they should be wary if there is no provision for compensation when cyber security is breached, whether in the case of government systems like GOV.UK Verify or "apps" from Tech City UK start-ups. The banks offer compensation. That keeps their noses clean, securitywise at least. By contrast, the compensation GDS and its "identity providers" offer when GOV.UK Verify is hacked is derisory.
Government as a Platform
16. DCMS's postbag in response to their press release will be full of "agile", "iterate", "pivot", "recast", "transform", "revolution" and "ecosystem" but the highest-frequency buzzword is likely to be "Government as a Platform"/"GaaP".
17. If all the departments of central government used the same payments platform, for example, that would be better than them all having their own. It would be cheaper, less risky and easier for us users. That's the GaaP pitch. It's just obviously right, isn't it.
18. No. How much cheaper? Suppose it's more expensive? When will the benefits start to accrue? Tomorrow or in ten years time? What problem would be solved? Just how difficult is it for users to use different payment systems? Is it more secure to put all your eggs in one payments platform or less? Why has Whitehall starved the pre-eminent platform we already have – the Government Gateway [14]? Starved it of resources, that is. For years. Can GDS be relied on to deliver new platforms? GOV.UK Verify, the identity assurance platform, is already years late, it is still not live, it can't assure anyone of the identity of a company or a partnership or a trust, only people and even then not all people, and it appears to be breaking all its own rules on privacy[15]. GOV.UK Notify may or may not soon be released for initial testing and GOV.UK Pay is still no more than a gleam in the ancien régime's eye.
19. There may be convincing arguments in favour of the massive centralisation, standardisation and personal information-sharing that are built into GaaP. The former deputy director of GDS paints a fantastic picture of public administration in the "smartphone state" based on a "single source of truth" [16, 20'50"-21'00"]. That's the weird biblical language of a bewildered prophet who may have spent a little too much time on his own in the desert.
20. DCMS could make the point that the virtues of GaaP are not obvious and that GaaP is the opposite of today's popular cultural moves towards more localism and more choice.
Conclusion
21. From the DCMS press release: "Every part of the UK economy and our lives has been digitised ... This digital fever exploded from the [Tech City UK] cluster in east London, and has spread to every part of the country, making the UK truly a ‘Tech Nation’ ...". This is simply fatuous. It may sound exciting in a juvenile way. But there's so much of this thoughtless vapourware about these days that what would truly be exciting is to read a realistic contribution that takes the UK's public administration and its economy seriously.
---------- ☠ Updated 23:00 Para.1 in the post above is wrong in that the press release was issued by the Minister of State, Ed Vaizey MP, and not by the Secretary of State, the Rt Hon John Whittingdale MP. It remains the case that the press release will have been written by officials and not by either politician.
Updated 16.1.17
It seems like a whole year since we wrote the blog post above but actually it's only 364 days.
The next frontier in our digital revolution needs a UK digital strategy according to the Department for Culture Media and Sport (DCMS). You'd think that was pretty obvious and pretty important but 364 days later we're still waiting – there's no strategy.
Having described the DCMS consultation on a UK digital strategy as "simply false ... excitable ... credulous, ingenuous ... childish, unconvincing and confidence-sapping ... simply fatuous ... exciting in a juvenile way ... thoughtless vapourware ...", DMossEsq can face the absence of this strategy with equanimity.
Not so the House of Commons Science and Technology Committee. They're getting a bit fed up. Their chairman isn't pleased and he's written to Matt Hancock MP at DCMS to ask what's going on:
"Our disappointment over such a long delay is compounded by the continued absence of the Government's long-promised 'Digital Strategy' ..." – ouch.
Mr Hancock must be getting used to this sort of wigging. His previous berth before DCMS was at the Government Digital Service (GDS) where – guess what – there's no strategy.
His replacement at GDS is Ben Gummer MP, an expert in the Black Death.
Given any organisation plagued with a lack of strategy, will it be known in future as a "gummer" or, more likely, a "hancock"?
Updated 22.1.17
20 January 2017: "The Government's digital strategy was due last summer, six months later than expected, and we are still waiting. I hope this means that it will coincide and be consistent with the wider Government Industrial Strategy, but I'm not going to hold my breath on that one.".
Is that Stephen Metcalfe MP speaking? The chairman of the House of Commons Science and Technology Committee? Once again expressing his dissatisfaction with the government?
No.
It's Iain Wright MP, the chairman of another select committee, the Business Energy and Industrial Strategy Committee.
29 December 2015, the Department for Culture Media and Sport (DCMS) said: "Early next year, we’ll set out a new Digital Strategy for the UK". It's now early 2017, a year later than early 2016, and still no strategy. Not at DCMS. And not at the Government Digital Service.
Back in 2015, DCMS said "challenge us - push us to do more. Let’s show the rest of the world how it’s done". The select committees are challenging DCMS and GDS and pushing them. The rest of the world remains mystified.
It was the eve of the eve of New Year's Eve 2015 when the Department for Culture Media and Sport (DCMS) challenged the public to challenge the department:
Challenge us
Come 2020, undoubtedly the UK landscape will have changed to be firmly in the digital age. But how do you want to shape that? Government has ideas and ambitions but as Tech City UK back in 2010 shows, the ideas are out there. So challenge us - push us to do more. Let’s show the rest of the world how it’s done.
They gave us until 19 January 2016 to submit our responses.
Anyone who pays UK income tax one year can be required to make tax payments on account in the following year in addition to any tax deducted at source via PAYE, the standard pay-as-you-earn system. If the payment on account would be less than £1,000 or if the "relevant" amount is less than 20% of the "assessed" amount, then you are exempted from making payments on account. Not many people know that.
Those who do know that sometimes want to apply to have their payments on account reduced for which HMRC, Her Majesty's Revenue and Customs, kindly provide a form SA303.
The choice is either to log on using your trusty GOV.UK Verify (RIP) account and fill in the SA303 on-line or ...
... what? You can choose the the Postal form option in which case two clicks later you're asked to complete the following form on screen:
No old-fashioned form to print out on paper and complete with black ink, you're filling in the SA303 on-line just as much as if you'd chosen the other option. Henry Ford-style, HMRC are giving you a choice of filling in the form on-line or filling in the form on-line.
Anyone who pays UK income tax one year can be required to make tax payments on account in the following year in addition to any tax deducted at source via PAYE, the standard pay-as-you-earn system. If the payment on account would be less than £1,000 or if the "relevant" amount is less than 20% of the "assessed" amount, then you are exempted from making payments on account. Not many people know that.
Those who do know that sometimes want to apply to have their payments on account reduced for which HMRC, Her Majesty's Revenue and Customs, kindly provide a form SA303.
The BBC's News at Ten is the UK's leading TV news programme. Last night's edition was interesting for what it did say about biometrics and what it didn't.
On 3 January 2016 all news media carried reports of the latest atrocity committed by the psychopaths of ISIS. Here is the Times newspaper, for example, on the subject:
The Isis terror group in Syria has released a new propaganda video purporting to show the ritualised killing of five “British spies” in revenge for British airstrikes on Syria.
The ten minute footage begins with five men of Middle Eastern appearance, each dressed in orange jumpsuits, talking to the camera one by one and “confessing” to spying on behalf of the UK security services.
The men appear to be wearing handcuffs, and occasionally seem to shake, but do not appear to be under any duress.
This video switches to the desert, where five men are seen on their knees in front of masked militants in winter camouflage uniform.
One of the militants, wearing a balaclava, speaks in Arabic and then switches to English with a London accent. The man addresses Mr Cameron, describing him as “insignificant” and a “slave of the White House” and “mule of the Jews”.
Who is the psychopath who "switches to English with a London accent" and who refers to our Prime Minister as a "mule of the Jews"?
He is thought to be one Siddhartha Dhar, a bouncy castle salesman from Walthamstow, East London.
Mr Dhar was arrested in the UK, released on police bail and asked to hand in his passport to his nearest police station which he didn't. Instead, he left the country with his wife and their children, went to Paris and mocked the UK authorities in a blog post, exulting in how easy it had been to escape.
We are supposed to have exit controls now in the UK. They clearly don't work, as the National Audit Office were telling us a month ago. We've spent £830 million on our eBorders system and "there are some early signs that the Department is beginning to grip this vital programme", the NAO tell us at para.23 on p.12 of their report.
Be that as it may, the question remains is Mr Dhar the psychopath in the ISIS video or isn't he? Mr Dhar sounds to some people like the psychopath. And on the News at Ten last night we were treated to this:
A voice biometrics expert was called in and said that on the basis of his voice biometrics expertise Mr Dhar sounds like the psychopath. We knew that. That's why the voice biometrics expert was called in. What he's confirmed is that the reason he was called in is that he was called in. The biometrics has added nothing whatever.
Biometrics has not identified the psychopath. The reverential treatment of biometrics is akin to the credulous acquiescence in astrology. Next time you're kneeling in the desert in an orange suit with a pistol stuck in the back of your head, remember that – biometrics is no defence, it doesn't provide security.
That's what last night's TV news did tell us.
It shouldn't come as a surprise.
Cast your mind back to the riots in the UK in the summer of 2011 and to Operation Withern:
... Photographs, video and CCTV images will be examined by 450 detectives involved in Operation Withern. Simon Foy, a Metropolitan Police Commander, said: “We will be remorseless in our pursuit of these individuals.”
450 detectives had to review all the photographs, video and CCTV images available and the public had to help to identify the rioters. We have national databases of passport photographs and driving licence photographs and how much help was the face recognition biometrics industry? About as much help as the voice recognition biometrics industry was yesterday. None.
Later on, the TV news moved to President Obama's latest effort to increase gun control in the US:
The biometrics industry will tell you that the solution to the problems of gun control is ... biometrics. For example:
Yes, he [Omer Kiyani, a gun victim] believes in making guns safer, but he’s not your typical safety advocate. He’s a gun owner himself, and he wants to control firearms in the most practical of ways. That’s why he founded Sentinl, a Detroit-based startup that’s designing a biometric gun lock called Identilock. Attaching to a gun’s trigger, it unlocks only when the owner applies a fingerprint.
Why didn't the BBC or the President mention that?
Because it wouldn't work.
The false negative rate with flat print fingerprinting is about 20 percent. About 20 percent of the time, a policeman trying to shoot a psychopath in Paris, say, would be refused permission by his Identilock-controlled gun. Would you go into action against odds like that? Neither would anyone else. So that's useless.
You can improve the odds by relaxing the matching threshold required. That would make it more likely that the police could be effective. But false negatives are in inverse proportion to false positives. 20 percent of the time, a person not the owner of the gun could then make it fire. Which negates the point of Identilock and its peer technologies like Apple Touch ID.
In its own way, the News at Ten's silence on this point was just as telling as its exciting visuals on voice biometrics, right up there with the beguiling artwork of astrology.
The BBC's News at Ten is the UK's leading TV news programme. Last night's edition was interesting for what it did say about biometrics and what it didn't.
They have appointed nine so-called "identity providers". How do you know you can trust the "identity providers"? Answer, GDS have a number of good practice guides (GPGs) including GPG45 for identity proofing and verification and they have "joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides".
Of GDS's nine "identity providers", only four have been granted approval by tScheme. Does it follow that you can't trust the other five "identity providers" (Barclays, Morpho, PayPal, the Post Office and Royal Mail)? No idea.
Why have PayPal and Royal Mail not even applied to tScheme for approval? No idea.
How long will it take for tScheme to assess the Barclays and Morpho services? No idea.
Did the Post Office fail its tScheme assessment? No idea.
tScheme approval is not homogeneous. Verizon, for example, is approved in five categories, or "profiles" as tScheme call them – base, identity registration, credential validation, identity provider and credential management. GBGroup is only approved in the first two categories, base and identity registration. Is GBGroup less trustworthy than Verizon? No idea.
Different "identity providers" are having to jump through different hoops. Is that any way to operate a market? No idea.
The "identity providers" register you and provide you with an identity by cross-checking your details with the Home Office, the Driver and Vehicle Licensing Agency (DVLA) and the credit referencing agencies. In many cases the level of assurance that you are who you say you are is too low according to OIX, the Open Identity Exchange, GDS's business partner in GOV.UK Verify (RIP).
They want to add other sources to cross-check against and thus to increase the level of assurance. They want the "identity providers" to be able to cross-check with your bank. They may want to add checks against your health records, your education records and your travel records. Would that bring the level of assurance up to an acceptable level? No idea.
The information about you held by the Home Office, DVLA and the others was not collected so that digidentity, Morpho and the others could verify your identity and these "identity providers" can't know, when you first seek to register on-line, that that is you giving permission for them to conduct their checks. Is this identity proofing and verification legal? No idea.
Some people have found GOV.UK Verify (RIP) so hard to use that they give up the on-line attempt to access the public service they need:
Farmers, for example, trying to apply for the Basic Payment Scheme.
Married couples trying to transfer their marriage allowance – HMRC have been reduced to pointing out that they are not responsible for GOV.UK Verify (RIP), it's GDS's service, not theirs.
The NHS have rejected GOV.UK Verify (RIP) and suggest that they themselves, the NHS, would be better at verifying people's identity.
Will other so-called "relying parties" be more prepared to rely on GOV.UK Verify (RIP) than DEFRA, HMRC and the NHS? No idea.
GDS's solution is to create so-called "basic identity accounts". These are accounts maintained by GOV.UK Verify (RIP) that haven't been verified. What is the point of unverified Verify accounts? No idea.
How many people know that the maximum GDS will pay the "identity providers" for four years of their work is £150 million? No idea.
60 million people have to be registered. That's £2.50 each. If we each register with all nine "identity providers", they will get 27.7 pence each. That has to cover initial registration, re-registration every now and again and perhaps 40 transactions if we transact with government 10 times a year:
Is that enough to do the job properly? No idea.
Is there anything left for profit? No idea.
GDS have been touting GOV.UK Verify (RIP) to the private sector. Will the private sector rely on it for their commercial plans? No idea.
Will UK companies, partnerships and trusts rely on GOV.UK Verify (RIP)? Currently there is no provision for companies etc .... to be provided with an on-line identity, only individuals, "natural persons" as we're called, as opposed to "legal persons" like companies. Will GOV.UK Verify (RIP) ever be able to provide an identity to a legal person? No idea.
We already have an identity assurance platform which has been used and trusted by natural and legal persons in the UK for over 15 years – the Government Gateway:
Why didn't GDS enhance the Gateway? No idea.
Why ignore that asset and destroy its value by trying instead to cook up GOV.UK Verify (RIP)? No idea.
Is there any audit trail in GOV.UK Verify (RIP)? No idea.
GDS's unique selling point for GOV.UK Verify (RIP) is that our privacy is respected by there being no central register of information about us – "there is no central storage of information". Any attempt to create such a register would undermine their claim:
Are OIX recommending precisely that, collecting all our GOV.UK Verify (RIP) transaction data together, when they propose that we should have signal-sharing? No idea.
The four registers maintained by the four current "identity providers" all come together in GDS's identity hub. Is that four physical registers or one single logical register? No idea.
Despite GDS's attempt to build trust by being open the answer to the questions above is, too often, "no idea".
Do you trust GOV.UK Verify (RIP) to provide you with an identity? Which "identity provider(s)" would you choose? Why? You'd better have an answer soon. It's your identity on the line. "No idea" isn't good enough – GOV.UK Verify (RIP) is due to go live in four months time, April 2016.
Morpho lance SecureIdentity : une nouvelle plate-forme d'identité numérique destinée aux citoyens britanniques (Safran Morpho SA)
The world knows that Morpho has launched SecureIdentity and that SecureIdentity is a new identity assurance platform destined for the Brits. But the Brits don't know ...
... unless they happen to have read today's press release from Safran Morpho:
Morpho launches SecureIdentity: a new digital identity platform for GOV.UK online services
Wokingham, UK - December 15, 2015 - Morpho (Safran), world leader in identity and security solutions, today announced the launch of SecureIdentity, a new digital identity service for British citizens and residents. Morpho is one of the new providers to support the expansion of online services offered through the UK government’s new GOV.UK Verify [RIP] program.
Even then we Brits won't have a clue how SecureIdentity works because even if we read all the promotional literature it doesn't tell us how it works.
That's a damp squib of a launch, isn't it.
Morpho have jumped the gun. Shouldn't the Government Digital Service (GDS) have been given the chance to tell us about SecureIdentity first?
And shouldn't Morpho have waited to see if tScheme assess their SecureIdentity service to be trustworthy before claiming to have launched it as part of GOV.UK Verify (RIP)?
It's going to be a bit embarrassing, a bit œuf on the visage, if tScheme say non. Take a look at the Privacy and Consumer Advisory Group's principle #7, "I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements". SecureIdentity isn't certified. Not yet. You can't have confidence in it:
Identity Assurance Principle
Summary of the control afforded to an individual
1. User Control
I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
2. Transparency
Identity assurance can only take place in ways I understand and when I am fully informed
3. Multiplicity
I can use and choose as many different identifiers or identity providers as I want to
4. Data Minimisation
My interactions only use the minimum data necessary to meet my needs
5. Data Quality
I choose when to update my records
6. Service User Access and Portability
I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
7. Certification
I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
8. Dispute Resolution
If I have a dispute, I can go to an independent Third Party for a resolution
9. Exceptional Circumstances
I know that any exception has to be approved by Parliament and is subject to independent scrutiny
GDS are committed to abiding by these principles. They want to "embed privacy into the service". They've got a lot of trouble doing so, it's difficult, but surely #7 is the easiest one for GDS to abide by.
It will be embarrassing enough if tScheme fail SecureIdentity. That is not inconceivable. It seems they may have failed the Post Office's IDA service, please see above.
You can take a photo of yourself instead of answering questions based on credit history ... Now, GOV.UK Verify [RIP] also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.
If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies [i.e. two of the "identity providers"] - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared.
What was it that Chief Constable Chris Sims, representing the Association of Chief Police Officers, told the House of Commons Science and Technology Committee on 10 December 2014? Oh yes, he said that he was "not aware of [UK police] forces using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).
Let's see now. What have we got?
GDS being upstaged by an uncertified "identity provider" launching a product which the police say is too immature to be deployed.
Not the greatest day in the annals of GOV.UK Verify (RIP)'s brief history, not by une longue craie.
Updated 9.1.16
This isn't just embarrassing any more.
It's terminal.
Four of GDS's "identity providers" offer identity assurance services which have been approved by tScheme – digidentity, Experian, GBGroup and Verizon.
Two of the rest haven't even applied to tScheme – PayPal and Royal Mail. Even if they apply tomorrow, the probability of their services being approved by tScheme in time for GDS's live date in April 2016 is low-to-nil.
Another two of the rest have applied to tScheme – Barclays and Morpho. It is just possible that their services be approved on time but tScheme, quite rightly, don't have a record of falling in with GDS's timetable so don't count on it.
That leaves the Post Office, whose application was made 22 months ago and which has now lapsed, putting the Post Office in the same unapproved boat as PayPal and Royal Mail.
That is a condition that GOV.UK Verify (RIP) must satisfy to inspire and retain the trust of its parishioners. GDS say so.
So does the Privacy and Consumer Advisory Group (PCAG) referred to above. Identity assurance principle #7, certification: "I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements".
PCAG are committed to ensuring that GOV.UK Verify (RIP) abides by the nine identity assurance principles. They said so in November 2014. They reaffirmed their commitment in September 2015.
PCAG's nine principles are supposed to be our bulwark against the likes of Google, who openly argue that its users have no "reasonable expectation" of confidentiality.
In November 2014, someone suggested that GOV.UK Verify (RIP) abided by not a single one of the principles. But that was just DMossEsq. It doesn't count for anything.
More worrying is when MarkK says the same thing. He knows what he's talking about. And he gets a response from GDS, including this:
Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system unless and until Post Office introduces anything that is different in its system for verifying identities, in which case that would need to be separately certified.
All the "identity providers" need to be certified, says GDS. The Post Office isn't certified. But it's still an "identity provider", says GDS.
Identity assurance principle #7 has been breached. It's as simple as that. Despite PCAG's and GDS's joint commitment, #7 has fallen and the others are going down with it. Like ninepins.
#8, for example: "If I have a dispute, I can go to an independent Third Party for a resolution":
Mr King says there is still "no sign of an independent Ombudsman".
GDS say "we think the current arrangements for dispute resolution are adequate ...".
GDS are wriggling. They're not delivering what they promised. They can't. Not by April 2016. This isn't just embarrassing any more. It's terminal. Public trust has gurgled down the hole between the promise and the reality. GOV.UK Verify, RIP.
Updated 10.1.16
Where is our thing at?
A copy of this post has been sent to the Privacy and Consumer Advisory Group (PCAG) to see what they have to say about the Government Digital Service's apparent failure to ensure that GOV.UK Verify (RIP) abides by the nine identity assurance principles.
PCAG have their own page on the award-winning GOV.UK where you are advised to email communications to idasupport@digital.cabinet-office.gov.uk.
Back came an email from GOV.UK Verify (Life) Support saying that DMossEsq's communication had been assigned ID no.15834 and that "if you would like to add any further information to this ticket, please reply to this message or include #15834 in the subject line of all future correspondence".
The link in that email leads to a screen asking you to enter your email address and your password so that you can Sign In To Verify [Life] Support. Not having a password, DMossEsq chose the New To Verify [Life] Support? option, clicked on Sign Up and submitted his registration details, only to be told that "A user has already signed up with the given email ... Please use the regular sign-in".
Mystifying.
But if you have a go at signing in with any random character as a password, you are told "Email address / password combination is incorrect, try again or get a new password" – "To reset your password for https://gdshelp.zendesk.com, enter your email address and we'll send you an email with instructions". DMossEsq submitted his email address but no "email with instructions" has been received.
Mystifying.
None of which boring story would normally be told if it wasn't for the fact that, as part of their alchemical digital-by-default transformation of leaden public administration into gold, GDS are gearing up to provide us all with a new platform, GOV.UK Notify:
Government receives millions of calls every year, from people anxious to find out where their thing is at. People have to spend time on hold, and running call centres costs a lot of money.
GOV.UK Notify is going to make it easy to keep people informed, by allowing service teams across government to send text messages, emails or letters to their users, before they get anxious enough to call.
Let's hope that this latest platform in GDS's firmament isn't using the GOV.UK Verify (Life) Support system as its mystifying model.
And let's hope (against hope) that GOV.UK Notify itself abides by PCAG's nine principles of identity assurance.
Updated 11.1.16
The need for PCAG to speak
Five of the Government Digital Service's "identity providers" are not certified and yet GDS assert that GOV.UK Verify (RIP) abides by the principle that they all must be. How can GDS say that? How can they expect anyone to believe them? What other GDS assertions are false?
And what is the Privacy and Consumer Advisory Group's opinion of this state of affairs? PCAG specified the identity assurance principles and GDS volunteered to abide by them – and yet they seem to be flouting all nine principles. Do PCAG find that acceptable?
In the circumstances, it would be useful to hear from PCAG. Useful to the general public. And useful to any private sector entrepreneurs who may be lured into developing applications which rely on GOV.UK Verify (RIP).
From: David Moss Sent: 11 January 2016 19:16 To: 'Verify Support' Subject: RE: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles Dear Vivienne
Thank you for your 11 January 2016 email.
My 9 January 2016 email is addressed to the Privacy and Consumer Advisory Group (PCAG). I am seeking a response from them, not from the Government Digital Service (GDS). The address given on GOV.UK for PCAG is idasupport@digital.cabinet-office.gov.uk, that is where I sent my email and I trust that PCAG have received it.
As you say, Janet Hughes of GDS asserts that GOV.UK Verify abides by the nine PCAG identity assurance principles. My question is, do PCAG agree?
Yours sincerely
David Moss
From: Verify Support Sent: 11 January 2016 17:19 To: David Moss Subject: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles
##- Please type your reply above this line -##
Your request (15834) has been updated. To add additional comments, reply to this email.
Vivienne(Verify Support)
Jan 11, 17:19
Dear Mr Moss
Thank you for your comment, which has been noted. As Janet Hughes said in response to the blog comment you highlighted, GOV.UK Verify has been built to reflect the identity assurance principles, and we have ongoing discussions with our Privacy and Consumer Advisory Group to help us apply them in the detail of everything we do. We are continually developing our approach as part of the development of GOV.UK Verify from beta to live, and beyond.
We appreciate you taking the time to provide feedback about the development of GOV.UK Verify.
GOV.UK Verify Support
David Moss
Jan 9, 14:03
Dear Sirs
It seems to a number of people that the Government Digital Service's GOV.UK Verify identity assurance system does not abide by the principles you have established. This, despite PCAG's commitment to ensure that it would, and despite GDS's commitment to do so.
I bring this matter to your attention in the interests of the British public who are meant to be able to trust GOV.UK Verify. The basis for that trust is in doubt.
This email is a service from Verify Support. Delivered by ZendeskGQ8-VX9N]
Updated 13.1.16
"Messy and interesting"
Good news, the Government Digital Service (GDS) will pass on an email addressed to the Privacy and Consumer Advisory Group (PCAG):
From: Verify Support [support@gdshelp.zendesk.com] Sent: 12 January 2016 08:42 To: David Moss Subject: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles
##- Please type your reply above this line -##
Your request (15834) has been updated. To add additional comments, reply to this email.
Vivienne(Verify Support)
Jan 12, 08:42
Dear Mr Moss
We will pass your email on to PCAG.
Many thanks
Vivienne GOV.UK Verify Support
This email is a service from Verify Support. Delivered by Zendesk
GOV.UK Verify [RIP] is being developed by the Cabinet Office as a platform to allow users to select one of several pre-chosen companies to perform a check on their identity in order to securely access its online services - rather than relying on a single government database.
At present, there are four companies - Post Office, Experian, Digidentity and Verizon - accredited to support the identity assurance platform. Nine ID providers in total are expected to be accredited to support the service when it goes live from April.
GOV.UK Verify (RIP) isn't just for accessing GDS's on-line services, GDS are offering its use to the private sector as well.
It is questionable whether GOV.UK Verify (RIP) is secure.
"Secure" is not equivalent to "not relying on a single government database". GDS rely here on a non sequitur.
The GOV.UK Verify (RIP) identity hub has been declared insecure by four academics, one of whom is a member of PCAG (Dr George Danezis).
GDS's Government as a Platform strategy relies precisely on assembling a set of "canonical registers", i.e. databases, which will constitute a "single source of truth".
The Post Office isn't accredited. Not by tScheme, at least. Their application for approval has lapsed.
Having applied for approval fairly late, the chances of Barclays and Morpho being accredited by tScheme by April 2016 are slim to non-existent.
The chances of PayPal and the Royal Mail being accredited by tScheme are non-existent – they haven't even applied for approval.
Verizon have been banned from government contracts in Germany. Good enough for the UK, not good enough for Germany. Doesn't inspire confidence, does it.
Mr Merrett writes what he writes to give GDS the opportunity to correct the record. If they don't take one opportunity, he gives them another one.
He does it again in the same article:
... with GOV.UK Verify [RIP] set to become a live service this year, he [Don Thibeau] argued the planned launch was likely to bring the complex issues of data use to the forefront of public consciousness, notably around standards for the re-use of information and how permission can be obtained.
"When, for example, can HM Revenue & Customs (HMRC) have access to data I gave permission to another department to use to access services and in what situations can this be re-used? These are the key questions that need to be answered," he said.
You thought that GOV.UK Verify (RIP) abides by all nine of PCAG's identity assurance principles, didn't you, including #1, "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them".
Not a bit of it.
Re-use? Permission? "These are the key questions", according to Mr Thibeau, "that [still] need to be answered".
Mr Thibeau is chairman and president of OIX and chairman of OIX UK, the Open Identity Exchange, GDS's business partner on GOV.UK Verify (RIP). And he says these questions are still unanswered. So how can GDS say that GOV.UK Verify (RIP) abides by the PCAG principles?
They can't.
That, surely, is a matter for PCAG to consider and to comment on in public.
Mr Merrett doesn't stop there. He goes on to discuss "safe harbor". The US is not a safe harbour for our data. The European Court of Justice says so. And yet Experian, for example, reserve the right in their terms and conditions when you sign up with them as an "identity provider" to store your data outside the European Economic Area not excluding in the US, please see Where we store your personal data?.
Are Experian ignoring the law? Are GDS conniving in that by continuing to use Experian as an "identity provider"? What do PCAG make of that?
And what do PCAG make of GOV.UK Verify (Life) Support using Zendesk to bring them and their parishioners "closer together". Clause 3.6 of Zendesk's Terms of Service relies on the US being a "safe harbor" which the ECJ says it isn't. Could PCAG be said to be conniving in GDS's flouting of the law?
But we will stop there and not get lured into areas which even Mr Merrett avoids, such as the question of compensation, if any, when something goes wrong with GOV.UK Verify (RIP) and you suffer as a result. That's quite enough for the moment.
Updated 6 May 2016 1
You may remember that on 9 January 2016 DMossEsq asked for an email to be passed on to PCAG, the Privacy and Consumer Advisory Group, please see above.
You may. DMossEsq had forgotten.
And then on 11 March 2016 a response came in from PCAG. Somewhat late in the day, here it is:
Dear David Moss,
We are writing on behalf of the Privacy and Consumer Advisory Group (PCAG) in response to your emailed question to the Group. You ask whether PCAG agrees that GOV.UK Verify [RIP] abides with the nine PCAG identity assurance principles.
As you will be aware, the nine principles “assume that an Identity Assurance Service is mature and well established”, which is clearly not yet the case. The principles also explicitly acknowledge that “in the early stages of its development there may well be a phasing-in period in relation to each Principle, or that in some cases a Principle might need a degree of initial flexibility” (para 2.4 of the Identity Assurance Principles V3.1 available at [address]).
It might also be helpful to clarify a number of points in the (updated) post you referred to in your emails.
You assert that the Post Office isn’t accredited by tScheme and that their application for approval has lapsed. The Verify team point out that the Post Office is utilising an existing tScheme certified service that has been re-badged. Since the underlying service is unchanged, it was not necessary to certify the “front end” company [so the assertion is correct, the Post Office is not certified].
You note that “Having applied for approval fairly late, the chances of Barclays and Morpho being accredited by tScheme by April 2016 are slim to non-existent.” The Verify team has recently provided greater detail about the certification process [address] and [address][both of PCAG's links now broken, standard practice with GDS's GOV.UK]. These posts point out the reality that the full certification process can only be completed “after a period of live operation” [and thus the reality that Barclays and Morpho had no chance of being accredited by April 2016].
In answer to your question – do PCAG agree with Janet Hughes’s assertion that GOV.UK Verify abides by the nine PCAG identity assurance principles – the answer is currently “Yes”.
We will, of course, continue our close scrutiny of the work of Verify as it moves from Beta to Live. We are continually reviewing the scope and applicability of the nine identity assurance principles as experience of using the Verify service grows.
Yours sincerely,
Dr Jerry Fishenden and Dr Edgar Whitley Co-Chairs, on behalf of the Privacy and Consumer Advisory Group (PCAG)
It's mystifying but PCAG are adamant – according to them, GOV.UK Verify (RIP) abides by all nine identity assurance principles:
Identity Assurance Principle
Summary of the control afforded to an individual
1. User Control
I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
2. Transparency
Identity assurance can only take place in ways I understand and when I am fully informed
3. Multiplicity
I can use and choose as many different identifiers or identity providers as I want to
4. Data Minimisation
My interactions only use the minimum data necessary to meet my needs
5. Data Quality
I choose when to update my records
6. Service User Access and Portability
I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
7. Certification
I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
8. Dispute Resolution
If I have a dispute, I can go to an independent Third Party for a resolution
9. Exceptional Circumstances
I know that any exception has to be approved by Parliament and is subject to independent scrutiny
Take a look at #6, for example, "I can move / remove my data whenever I want". DMossEsq handed over a lot of personal information to Safran Morpho/SecureIdentity to open a GOV.UK Verify (RIP) account. He then closed the account. Safran Morpho/SecureIdentity say that they need to keep his data for seven years. "I can remove my data whenever I want"? No.
Take a look at #8, for example, "If I have a dispute, I can go to an independent Third Party for a resolution". Name the "independent Third Party". Go on. Name him or her or it. You can't. There isn't one.
Etc ...
Whatever PCAG say, the Government Digital Service simply cannot claim that GOV.UK Verify (RIP) abides by PCAG's nine identity assurance principles.
Updated 6 May 2016 2
If you sign up to GOV.UK Verify (RIP) using Barclays as your "identity provider", you expect Barclays to be your "identity provider". That's fairly straightforward.
Now take a look (hat tip: someone) at the Government Digital Service (GDS) status log for GOV.UK Verify (RIP):
"Verizon will be carrying out this work, however the downtime relates to the Barclays service and not to Verizon"? Are you using Barclays? Or, without knowing it, Verizon? Or both? You don't really know where you are, do you. Or where your personal information is.
The Company is based in the United States. Our Website is hosted in the United States and our services are provided from the United States. We make no claims that the Website or any of its content is accessible, appropriate or legal outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.
It is possible that certain information will be stored on servers in multiple other countries on the "cloud" or other similar distributed hosting platforms. If you are a user accessing our Website or services from the European Union, Asia or any other region with laws governing personal data collection, use, and disclosure that differ from United States laws, you are expressly and knowingly consenting to the transfer of your personal information to the United States and other jurisdictions as indicated above, and to our use of your personal information in accordance with our Privacy Policy.
And their Privacy Policy says, among other things: "StatusPage complies with the US-EU Safe Harbor Framework ...".
And the European Court of Justice says that Safe Harbor is no such thing, please see above.
What are the Government Digital Service thinking of?
Updated 7.5.16 1
Why are GDS publishing manifestly false assertions?
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".
Only four of them are certified – CitizenSafe/GB Group, Digidentity, Experian and Verizon. You can check that for yourself on the tScheme website.
The other four – Barclays, Post Office, Royal Mail and Safran Morpho/SecureIdentity – are not certified. You can check that for yourself. The Barclays, Royal Mail and Safran Morpho/SecureIdentity services are still awaiting approval by tScheme. And the application to register the Post Office's service isn't even awaiting approval, it lapsed over a year ago.
It follows that GDS are misleading the readers of yesterday's blog post.
GDS assert that it can be truly predicated of GOV.UK Verify (RIP) that all of its "identity providers" have been certified. And they haven't been. The assertion is false.
DMossEsq readers will have known to check that assertion ever since 14 December 2015 when this blog post was published, please see opening table above.
Why are GDS publishing manifestly false assertions?
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".
Step 1 – Take a look at the handy cut-out-and-keep DMossEsqchoose-your-identity-provider app. You will note there that four of GDS's GOV.UK Verify (RIP) "identity providers" share your personal information with Equifax, the credit referencing agency – Verizon, Barclays, CitizenSafe/GB Group and the Royal Mail.
Step 2 – Take a look at the opening table above. Equifax were certified trustworthy by tScheme as long ago as 10 December 2014.
Step 3 – Take a look at one of the current on-line security breach stories, Crooks Grab W-2s from Credit Bureau Equifax. W-2 is a US Internal Revenue Service form which can be used by anyone including crooks to claim tax rebates:
Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
Where do these three steps take you?
tScheme approval is not a guarantee against hacking.
tScheme never said it was. But that's what GDS's headline might be taken by the unwary to imply – "what kind of fraud do our standards prevent?".
The unwary may be further misled by GDS's security screen displayed during the GOV.UK Verify (RIP) registration dialogue:
"It's secure". Just like that. No qualification. GOV.UK Verify (RIP) is secure.
But it's not, is it. Look what's just happened to Equifax. And what's happened to Experian, their fellow credit referencing agency, in the past.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified". > It's easier for GDS's eight "identity providers" to verify some people's identity than others.
Very young people tend not to have a long credit history. That makes it hard to verify their identity, given that GOV.UK Verify (RIP)'s answer to the question "what is a person?" is "something with a long and current credit history".
Very old people often let their passport lapse and have to give up their driving licence which, again, can make it hard to verify their identity the GOV.UK Verify (RIP) way.
You can do an experiment at home. Go through all the preliminaries of signing up for a new GOV.UK Verify (RIP) account to look at your self-assessment tax return.
Don't worry, you can pull out before you have to enter a single item of personal information.
Click on You can also sign in with a GOV.UK Verify account, say it's your first time, Next, Next, Start now, Continue, say you've got a UK driving licence and a UK passport and no foreign ID, you've got a mobile phone on which you can install apps, you're over 20 and you've lived in the UK for the past 12 months.
That's GDS's way of trying to measure how hard it's going to be for an "identity provider" to verify your identity.
With those answers, you must be just about the easiest identity in town to verify. And yet what do you see when you press your last Continue? It varies but at 13:47 today, 7 May 2016, you would have seen something like this:
Despite being the easiest verification case possible, GDS say that five of their "identity providers" are "unlikely to be able to verify you".
GDS are saying that Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity and Verizon are useless.
GDS are promoting the Post Office, who are uncertified, ahead of Verizon, for example, who are certified and have been since 11 February 2015.
They're promoting Digidentity, whose contract with you is governed by Dutch law, which you may or may not be expert in, and who want you to buy a YubiKey to improve the presumbly reduced-without-a-YubiKey security of their service ahead of CitizenSafe/GB Group, for example, who specialise in checking criminal records.
Why?
GOV.UK Verify (RIP) is supposed to be a "market" created by GDS or, sometimes, an "ecosystem". Why are GDS sticking their untutored oar in and distorting the market?
Never mind that, GDS are a law unto themselves, but what is the public supposed to make of it? Are there eight "identity providers" or just "three"? Do GDS know what they're doing? They're emitting mixed messages. Confused signals. Which threatens the survival of their own already-dubious little ecosystem.
What is the public supposed to make of it and what are the "relying parties" supposed to make of GDS's bull-in-a-china-shop market regulation?
The Office for National Statistics have already said that GOV.UK Verify (RIP) will not be used for the UK's 2021 national census.
And Her Majesty's Revenue and Customs have announced that if you want the full benefits of an on-line tax account you need to log in through the Government Gateway, logging in through GOV.UK Verify (RIP) will expose only a reduced service.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".
"What kind of fraud do our standards prevent?" – that's one question.
There is another – what kind of fraud does GOV.UK Verify (RIP) invite?
Give your personal information including "title, first name, middle name or initial, surname, any other names you are known by, date of birth, gender, current address, previous addresses in the last three years (and the duration at each address), home telephone number, mobile telephone number and email address. We will also ask you to provide details of official identity documents, such as your passport or driving licence" (to quote just the Royal Mail) ...
To any or all of CitizenSafe/GB Group, Digidentity, Experian, Verizon, Barclays, Post Office, Royal Mail, Safran Morpho/SecureIdentity, Callcredit, Her Majesty's Passport Office, the Driver & Vehicle Licensing Agency, any other relevant HMG Department, ID Checker, WorldPay, the third party that hosts our (the Post Office's) website, other companies within the Experian group, the suppliers that we (Digidentity) work with to deliver the service to you, a company within the Verizon Group or other affiliated entity, Equifax, Zentry LLC, Techmahindra Ltd, Expert Solutions Support Centre, GDS, Morpho sub-contractors including third party fraud-prevention agencies and credit agencies, law enforcement and tax authorities, the head office of the Morpho Group Morpho SAS based in France, a fraud prevention agency, other member organisations of the fraud prevention agency, other Barclays companies, Barclays business partners, suppliers and sub-contractors, GOV.UK Verify (RIP), anyone who buys a Barclays business or Barclays assets, the Police and/or other relevant authorities, any company in the GB Group group, business partners, suppliers and sub-contractors, analytics and search engine providers, other companies and organisations for the purposes of fraud protection and credit risk reduction ...
Who may store it irrevocably out of your control in any or every country in the world.
What kind of fraud does GOV.UK Verify (RIP) invite?
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".
----- o O o -----
GDS don't mention the GOV.UK Verify (RIP) identity hub in their what-kind-of-fraud blog post. That is a serious omission in a review of the system's security.
----- o O o -----
"We have helped set the standards for identity proofing and verification and online authentication for UK government digital services". So say GDS. And what are those standards?
GOV.UK Verify (RIP) has trouble proving the identity of the very young and the very old and the low-paid and the unemployed. 30% or more of these people would be excluded from public services if access depended on GOV.UK Verify (RIP).
Approximately 30% of attempts to register for a GOV.UK Verify (RIP) account end in failure.
The "identity providers" have trouble reaching level of assurance 2 (LOA2) that any given applicant is who they say they are. That's according to OIX, the Open Identity Exchange, GDS's business partner in GOV.UK Verify (RIP). LOA2 is better than LOA1 (self-certification). It's supposedly a high enough standard of proof for a civil court. But not for a criminal court (LOA3) or beyond.
For those few UK government digital services which use GOV.UK Verify (RIP), it's not providing a very successful standard of identity proofing and verification – GDS are looking for 90% penetration of the population and for a 90% account creation success rate. The 70% or so allegedly being achieved in each case is a long way short of GDS's own target for an acceptable system.
Most UK government digital services don't use GOV.UK Verify (RIP). Pace GDS, GOV.UK Verify (RIP) is not the standard for identity proofing and verification and on-line authentication.
----- o O o -----
Chase down GDS's link to identity proofing and verification and you get to CESG's GPG 45 document (Good Practice Guide 45). There's a lot in there about identity proofing and verification but CESG say nothing about using Verizon, for example, to do the proofing and verification. The use of "identity providers" is something GDS have added.
----- o O o -----
It would be terribly useful if most people could have their identity proven on-line to a high level of assurance by "identity providers". But it may not be feasible. That possibility must be entertained ...
NIST are worried about identity proofing. That relies in part on secrets. At least that's the idea. But of course it doesn't hold water. If the knowledge an applicant is tested on were really a secret then the "identity provider" wouldn't know whether the answer was right.
NIST are worried about levels of assurance. GDS's assumption that an LOA2 is an LOA2 and that's all there is to it is wrong. Some "identity providers" are worse than others – CitizenSafe/GB Group's LOA2, for example, may only be worth a Verizon LOA1.5.
NIST are worried about one-time passwords, those magic numbers GDS send to your mobile and that you key in to your computer to prove that you are you. NIST now "deprecate" them.
And NIST are beginning to lean more and more on biometrics to make on-line identity proofing work:
Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier.
Biometrics SHALL be used with another authentication factor that SHALL be revokable.
The biometric system SHALL have a tested equal error rate of 1 in 1000 or better. The biometric system SHALL be operational with a false match rate of 1 in 1000 or better.
"Equal error rate"? False match rate and false non-match rate are inversely proportional. As one goes up, the other goes down and vice versa. The point at which the two graphs cross is the equal error rate and good luck to NIST finding a mass consumer biometric with an equal error rate that good. Null hypothesis: there aren't any. (You can forget about the fingerprint reader on your iPhone for a start.)
"False match rate"? A false match is what you have when an impostor manages to pass himself off as someone else. NIST want that rate to be measured at 0.1% or lower in operation. But it can't be. You can't measure the operational false match rate because impostors don't nip back to border control to update the statistics and tell the staff that they've just let an impostor through.
Once high performance mass consumer biometrics are needed, you know that the end is nigh for any identity assurance system. Its proponents may as well appeal to astrology.
You see? It may not be feasible for most people to have their identity proven on-line to a high level of assurance by "identity providers". GDS can't be blamed for the failure of GOV.UK Verify (RIP). Not if it's just not feasible – in that case, no-one could have made it work.
Updated 15.11.16
GDS started with nine "identity providers" for GOV.UK Verify (RIP)'s second framework. PayPal never offered a service and Verizon have temporarily pulled out for several months now. There are just seven left.
All "identity providers" are certified. So say GDS, to inspire confidence in us Brits. They're wrong.
Barclays is certified by tScheme. So are Digidentity and Experian. And so are GB Group plc/CitizenSafe (in a small way). That's four. What about the other three?
The Post Office's application for tScheme approval lapsed ages ago. We know that. Two to go.
The Royal Mail applied for approval on 21 December 2015. Approval still hasn't been granted. And this coming Saturday will be the first anniversary of Safran Morpho/SecureIdentity's 19 November 2015 application, still pending, still no approval.
