Sunday 13 March 2016

RIP IDA – what is the point of GOV.UK Verify (RIP)?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

In a few weeks' time, in April 2016, according to the Government Digital Service (GDS), GOV.UK Verify (RIP) will go live.

Time for someone at last to summarise the implications.

A spreadsheet has been prepared summarising the terms and conditions of business of the GOV.UK Verify (RIP) services offered by each of GDS's nine "identity providers". Not just the business terms but the privacy policy also:


GOV.UK Verify (RIP) summary spreadsheet
It's too wide to display properly on this blog. Readers are asked kindly to take a look here. [Added 12.5.16: updated version of spreadsheet now available. [Added 3.7.16: updated version of spreadsheet now available. [Added 4.1.17: updated version of spreadsheet now available. [Added 24.9.17: updated version of spreadsheet now available.]]]] The effort is worthwhile. It reveals that GOV.UK Verify (RIP) is a machine for collecting and storing your personal information and sharing it widely in the UK and abroad.

What is the point of GOV.UK Verify (RIP)? Answer, it's a personal information publishing service. That's what the summary spreadsheet shows.

-----  o  O  o  -----

Monday 7 March 2016

RIP IDA – GBGroup/ID3global

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:


It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.

And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?

As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".

What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.

You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.

When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.

Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
tScheme approval profiles (columns: Verizon | GBGroup/CitizenSafe):
  • Base Approval Profile
  • Approval Profile for Identity Registration Services
  • Approval Profile for Credential Validation Services
  • Approval Profile for an Identity Provider
  • Approval Profile for Credential Management Services
GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.

No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.

And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services

Avoco Secure (www.avocoidentity.com)

Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...

"Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services," Jim Conning, Managing Director of Royal Mail Data Services stated, "Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco" ...

"Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup," said Gerry O’Brien, CEO, Avoco Secure ...

John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.

GBGroup/CitizenSafe have to communicate with GDS via Twitter:


If GDS won't give GBGroup/CitizenSafe their telephone number, perhaps you shouldn't either.

Would you be better off using the Royal Mail as your "identity provider"? With added Avoco Secure? Send them a letter. Time will tell.

Or what about Verizon? They're highly regarded by tScheme. Does that make them more confidence-inspiring?

Verizon may be highly regarded by tScheme but Germany doesn't agree, please see German government terminates Verizon contract over NSA snooping fears.

And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.

GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".

That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 8.3.16

GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":

No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".

In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.

If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.

If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.

It's not that good at identifying individuals either:
  • The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
  • And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
But you know all that.


Updated 11.3.16
This is sleazy


Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/CitizenSafe? To them, and to Royal Mail, the company you have heard of? Well there was news yesterday. Royal Mail has entered the lists.

There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).

The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if you use Chrome to View Page Source it says the author is Avoco Secure.

Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".

GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".

This is sleazy.


Saturday 5 March 2016

RIP IDA – Safran Morpho/SecureIdentity

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

Safran Morpho is one of GDS's "identity providers":


Safran Morpho offer a product called "SecureIdentity".

GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).

Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.

Unlike the other "identity providers" who have GOV.UK Verify (RIP) products available, Safran Morpho require you to download an app onto your mobile phone.

Your mobile phone then becomes part of your identity. That may imply that your existence is interrupted, as far as Safran Morpho are concerned, when you change phones.

Long-time DMossEsq readers will know that downloading apps onto your mobile phone is indistinguishable from inviting in a virus.

The SecureIdentity app has the features shown in the mobile phone screenshot opposite.

If you are convinced that you understand what they all mean and if you are happy to give SecureIdentity house room, fine.

If not, there are five other "identity providers" to choose from today – Barclays, Digidentity, Experian, the Post Office and Verizon – to which you should soon be able to add GBGroup, PayPal and the Royal Mail.

You had better read, learn and inwardly digest Safran Morpho's terms and conditions for SecureIdentity and their privacy and cookies policies. They estimate 10 to 15 minutes for registration. Good luck with that.

To register with Safran Morpho, you have to tick the box that says you've read all these documents and you may then be deemed to have freely given your informed consent.

What consent?

Answer, your consent to a lot of personal information about you bouncing around the world's telecommunications networks, in the UK and overseas, between Safran Morpho, unnamed credit referencing agencies, unnamed sub-contractors, government departments, law enforcement agencies, tax authorities, Zendesk, DoubleClick, YouTube and Google, because that's who GDS use for their analytics.

De-registration, by the way, takes at least seven years. That's the minimum length of time Safran Morpho will keep any information they have about you.

The SecureIdentity privacy policy includes:
1.2 The types of personal data that Morpho may collect and hold

Personal data that Morpho may collect include:

- Your full name;
- Your date and place of birth
- Your postal address;
- Your email address;
- Your telephone number;
- Your user ID (application store account)
- Your gender
- The data necessary to identify the date, time and duration of a communication
- Your static or dynamic IP address
- Characteristics of your software platform (Operating System, Browser)
- Your passport details
- Your Driving License details
- Your Marriage Certificate details
- Your Birth Certificate details
- Your Poll Card details
- Your bank account number

1.3 How does Morpho collect your personal data

Morpho usually collects personal data directly from you. For that purpose, Morpho may require you to complete a consent form to acknowledge that you are fully aware of the collection and processing of your personal data.

Morpho may also check your personal data against publicly available information and information already present in our partner companies' databases in order to verify your identity and ensure that you are the person you're claiming to be.

Personal data that Morpho may check, include:

- Your Credit Record History
- Your Electoral Roll History
- Your financial court orders records (CCJ, IVA, DRO, Bankruptcy)
- Your record in the Land Registry …
- Your Directors Register record

We might in certain circumstances verify if you are active on social networks.

Morpho may collect personal data about you because Morpho is required or authorised by law to collect it.
Safran Morpho clearly envisage an intimate relationship with you, including your life in the social media. Not to mention anything that the SecureIdentity app can glean from your sleepless mobile phone, the accounts on it and the network(s) it is attached to.

In the course of that intimate relationship, Safran Morpho can't help collecting a lot of personal information about you:
1.5.1 Disclosure of personal data by Morpho

Morpho may share personal data with:

- Government Digital Service (GDS): the DVLA, the HMPO [Her Majesty's Passport Office] and any other relevant HMG Department in connection with the provision of the Evidence Checking Services

- Its subcontractors (including without limitation third party fraud-prevention agencies and credit agencies) to verify your identity during the SecureIdentity registration process and to provide customer care.

Morpho will not sell, rent or otherwise disclose your personal data to third parties without your informed consent.

Morpho may also share your personal data if it is required to do so by virtue of any legal obligations (such as law enforcement, tax), or in order to enforce Morpho’s [sic] terms and conditions (a copy of which can be seen at www.secureidentity.co.uk/help).

1.5.2 Overseas disclosure by Morpho

Morpho is part of the Morpho Group of Companies ("Morpho Group") which is a global organisation; for the purposes explained in this policy, your information may be transferred to the head office of the Morpho Group, Morpho SAS based in France ...

1.5.3 Marketing communications

Your information may be used by SecureIdentity (Morpho UK) for marketing purposes in connection with the service provided ...
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs". That's what they started with and somehow you've ended up handing over reams of the personal information that defines you, beyond your control, to a lot of strangers.

And all you wanted to do was to obey the law by submitting your tax return. That was the user need. You didn't previously feel the need to help the "identity providers" with their marketing, did you?

You've been able to submit your tax return on-line for years via the Government Gateway. Why do you now also have to send your credit history to all these strangers?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 20.3.17
It's just over a year since the blog post above was written. Yesterday Safran Morpho tweeted this: "'Why is the @GOVUKverify programme happening?' Read the answer & other FAQs on our website", followed by a link to this antique page on their website, copy available here.

Troll along and you read: "Right now 13 government services are connected to GOV.UK Verify [RIP] (7 can be accessed as public beta services). By April next year about 30 government services will be using the system and others will join over 2016/17".

Fiscal 2016/17 ends in 11 days' time, 31 March 2017, and there are just 12 services signed up to GOV.UK Verify (RIP), not 30, not even 13.

Safran Morpho are an "identity provider" retained by the Government Digital Service (GDS) to sign victims up to GOV.UK Verify (RIP). There's a choice of "identity providers". Would you choose the one that relies on marketing literature over a year out of date?

Victims "must choose from one of nine certified verification companies to obtain their own personal secure ID". That's what Safran Morpho said over a year ago. There aren't nine "identity providers". Only seven – PayPal never turned up and Verizon pulled out, twice. You want the supplier providing you with a "secure ID" to be strong on the detail ...

All the "identity providers", according to Safran Morpho, are "guided by nine Identity Assurance Principles". You won't be fooled into confusing "guided by" with "compliant with". All nine identity assurance principles are flouted by the "identity providers" and by GDS themselves.

All the "identity providers", according to Safran Morpho, "offer the verification service at no cost". Very old-fashioned marketing, nostalgic even, hands up everyone who believes that GOV.UK Verify (RIP) is free.

"To become a certified verification company a business must be able to meet or exceed high standards set by government and an independent certification body". So they keep saying but of course Safran Morpho have not been certified, their SecureIdentity service remains obstinately absent from the independent certification body tScheme's list of approved services, a full 16 months after applying for approval.

Four "identity providers" have had their services approved. What's wrong with the other three – the Post Office, the Royal Mail and Safran Morpho?

With marketing material like this – out of date, inaccurate, misleading, self-hoisting with petard – does GOV.UK Verify (RIP) need critics?


Updated 21.3.17

It's almost as if Safran Morpho are reading this blog. Yesterday they claimed that GOV.UK Verify (RIP) is connected to 13 UK government services. Today, in a tweet, they have corrected that to 12: "You can now access 12 govt online services @GOVUKverify @secureIDverify incl. @HMRCgovuk s.ripl.com/bfkk03".

That message is reinforced by a silent video which lasts for 10 seconds and on which, unless you're a hawk, the text is illegible.

Better that than the video on the SecureIdentity website – the same three chords repeated for 50 interminable seconds:



Is the product called "secureidentity" or "Secure Identity" or "SecureIdentity"? All three versions appear on the Safran Morpho website. And is the product brought to us by Safran Morpho? Or by Safran? Or by Morpho, "the world leader in government ID"? Which is it? There's a bit of work to do on the branding there ...

... and a bit more work to do on the number of UK government services accessible via GOV.UK Verify (RIP). 13? 12? No, not on the SecureIdentity website, neither of those figures, this time it's eight:



Updated 27.3.17

Safran Morpho's identity assurance product, SecureIdentity or secureidentity or Secure Identity or whatever it's called – how many UK government on-line services can it connect you to? 8? 12? 13? You don't know. Safran Morpho don't seem to know.

That's a bit of a worry, as we were saying on 21 March 2017. Safran Morpho are one of the Government Digital Service's "identity providers". You need to be able to trust them. Otherwise you can't trust GOV.UK Verify (RIP). And it's hard to trust them if they can't count. You don't get the feeling you can rely on them.

23 March 2017, Safran Morpho were tweeting again: "Digital access to govt services is changing: here's a helpful Beginner’s Guide to @GOVUKverify ow.ly/hALP308NvZN #identity #infosec". Click on that link and you learn: "At SecureIdentity we’re one of nine verification services you can choose from" and "The first time you use GOV.UK Verify [RIP] to access services, you’ll be given a choice of nine certified verification companies to obtain your own personal secure ID".

Wrong again. Why do Safran Morpho try to confuse beginners? There has never been a choice of nine "identity providers". Briefly, there were eight. Now there are just seven. And of those seven, just four are certified. Three of them, including Safran Morpho, are not certified.

"Competition delivers greater security", say Safran Morpho. Not if some of the competitors don't know what's going on.

We're "Putting you in control". That's what Safran Morpho suggest. They don't seem to be in control themselves.

And not just them. Aren't GDS supposed to do a bit of quality control? This is their identity assurance ecosystem or market that they're trying to create. And one of their agents is misleading the public. In a properly regulated market, that would be quickly detected and corrected. GOV.UK Verify (RIP) doesn't look properly regulated.


Updated 2.6.17

Remember Safran Morpho? The uncertified "identity provider" to GOV.UK Verify (RIP)? The one that can't count?

Well forget it.

There is no Safran Morpho.

Safran have flogged the business to some private equity persons and now it's the uncertified OT-Morpho who own all your personal information and who keep track of you via an app/virus on your mobile.


No announcement from the Government Digital Service, of course. Presumably GDS know about the transaction. Presumably they don't think you need to know:



Updated 7.10.17

We noted above that Morpho don't bother to update their GOV.UK Verify (RIP) information for the public which still tells people that there are nine "identity providers". There never were nine. Currently there are seven. GDS do nothing to correct Morpho. The public continue to be misled.

We noted also that Morpho has now been sold by Safran. Are the new owners as trustworthy as Safran? Who knows. Again, GDS have not bothered to advise the public.

Log on now, four months after completion of the sale to Advent International and Bpifrance, try to create a GOV.UK Verify (RIP) account via Morpho and you still see Safran branding all over the screens.


Odd.

Odder still given that Morpho is no longer called "Morpho". It's now morphed into "Idemia".

There's no mention of Idemia on any GOV.UK Verify (RIP) web pages. The change has passed GDS by. They fail once again to operate their market competently – as we said in March 2016, "GDS have never created or regulated a market in their lives. And it shows".

And there's no mention of GOV.UK Verify (RIP) on Idemia's web pages, nor of SecureIdentity. GOV.UK Verify (RIP) doesn't exist as far as Idemia are concerned. They're not interested. Understandably so. It's dead.

Morpho's GOV.UK Verify (RIP) service was called "SecureIdentity" among other things. Idemia's is called "Augmented Identity". Good name. GDS should have thought of that.

Behind the good name it's just the same old nonsense biometrics. The same parcel has been passed now from Visionics and Viisage and Identix and Iridian to L-1 Identity Solutions to Safran to the present private equity investors.

Why do these organisations keep selling it? Because one day the parcel-holder is going to find that there's nothing inside the wrapping paper, just an augmented loss.

Meanwhile Morpho is in a bit of trouble in Kenya, please see Safran Morpho asks IEBC to push election date to October 26 and French Biometrics Firm OT-Morpho [Idemia] to Sue Kenyans for Defamation Over IEBC System Hacking Claims.

We in the UK can continue to trust Sagem Sécurité Morpho OT-Morpho Idemia with our personal information, of course. Otherwise GDS would surely have warned us.



Thursday 3 March 2016

RIP IDA – users and their expressed, tacit and created needs for the truth

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Last heard of, Stephen Dunn wrote a blog post with Janet Hughes, please see RIP IDA – what they omitted from the obituary. That was about GOV.UK Verify (RIP) and so is his latest contribution, Meeting user needs:
The GDS Design Principles state that services should start with user needs. To pass the Digital by Default Service Assessment for a live service, the service manager must demonstrate that the team building [the] service understands user needs and has undertaken research to develop a deep knowledge of who the service users are and what that means for the design of the service.
Younger readers may have gained the impression inadvertently given by GDS that researching user needs is a new invention of GDS's. No. Eliciting user needs has been recognised as part of requirements engineering from the year dot. Please see for example Professor Ian Sommerville's Software Engineering, first published in 1982.

A lot of research into requirements engineering has already been conducted. Please see for example either the British Computer Society's syllabus for their exam in the subject or the US Software Engineering Institute's practice area framework for requirements engineering.

GDS are late to the party with their discovery, (according to Mr Dunn it's a GDS discovery), that users have a "tacit need" for their personal information to be held securely and for the GOV.UK Verify (RIP) registration process not to be "stressful or confusing":
Through the research we have conducted, we have been able to distil 4 tacit user needs for GOV.UK Verify [RIP] beyond the user’s expressed need, and we have been using these to prioritise our work to develop and improve the service.
Who knew?

Everyone.

GDS's repeated claim to give unique prominence to user needs is untenable. The rest of Whitehall and local government have a track record stretching back decades before GDS existed of taking user needs into account.

According to the UK parliament's Public Accounts Committee (PAC) GDS ignore user needs anyway when those needs obstruct GDS's superior creed of digital-by-default, please see The Common Agricultural Policy Delivery Programme (p.5):
GDS’s focus on developing a digital front-end to allow farmers to apply online, which was not a European Commission requirement, was inappropriate for farmers ...
Mr Dunn repeats the creed when he says that "there is assisted digital support in place within each service for those who need support to use a digital service".

That is questionable, please see GDS & assisted digital – the project that keeps on starting. It is not clear what support GDS are offering members of the public.

The PAC point out that GDS couldn't even provide the support necessary to the Rural Payments Agency (also p.5):
GDS introduced a level of innovation and risk to the Programme, without assessing whether the Department was capable of managing the changes, and did not provide sufficient support during implementation.
He repeats the creed when he says that "we are making sure that GOV.UK Verify [RIP] is interoperable with other national and international standards and systems".

We have yet to see if GOV.UK Verify (RIP) is interoperable with Scotland's separate national identity assurance scheme, myaccount, and whether it is up to the standards required by the European Union's Regulation 910/2014, eIDAS. We need to see this interoperability in ... operation for ourselves, we can't take it on trust.

"We’re building GOV.UK Verify [RIP] for the whole UK adult population. Our demographic coverage target is to be able to serve 90% of the UK adult population by April 2016". That's just a few weeks away and the claimed Account creation success rate by 28 February 2016 was still only 72% according to GOV.UK Verify (RIP)'s dashboard on the GOV.UK Performance platform.

Repeating the creed like that doesn't achieve the 90% coverage target.

Experian is one of GDS's GOV.UK Verify (RIP) "identity providers". They say that they have identified some databases full of our personal information which, if only they could have access to them in addition to all our credit history, would allow them to improve coverage.

What databases are these? Experian won't say. Neither will GDS, despite having promised to, 15 months ago on 1 December 2014. So much for that other contention in the creed to the effect that GDS are uniquely "open".

Turning to the matter of privacy, Mr Dunn says:
Tacit need 2: I need to be safe and secure

Some of the things we do in the service to help meet this need are:
  • ...
  • designing and building GOV.UK Verify to protect users’ privacy, in line with principles developed by independent privacy and consumer experts ...
The Privacy and Consumer Advisory Group have devised nine principles of identity assurance for GOV.UK Verify (RIP) and GDS do not obviously abide by a single one of them. They just keep dutifully saying that they do.

Mr Dunn repeats the creed when he says that GDS are "requiring GOV.UK Verify [RIP] certified companies [previously known as "identity providers"] to be certified as meeting published standards for identity assurance and information security, and making them liable to their users if they fail to meet the required standards".

How can he say this when he must know that the Post Office, for example, one of GDS's "identity providers", is not certified?

We're talking about tScheme certification here. That's what was promised by GDS back in April 2013. And again in January 2014.

Janet Hughes, the GOV.UK Verify (RIP) programme director, now says "Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system". That's not what was promised.

The Post Office allowed its application for a certificate of trustworthiness to lapse a year ago, on 24 February 2015. Users who think they are registering with the Post Office are actually registered behind the scenes with a different "identity provider", Digidentity.

It's not just the Post Office. Barclays aren't certified and neither are Safran Morpho. And PayPal, another "identity provider", haven't even applied for certification.

Mr Dunn's assertion that "identity providers" are all certified is simply false.

This is wrong. Safran Morpho do not limit their liability to £100.

But not only are all "identity providers" certified according to Mr Dunn, they are also "liable to their users if they fail to meet the required standards". Not very liable.

Take a look at Safran Morpho's terms and conditions, for example. Their GOV.UK Verify (RIP) offering to users is called "secureidentity" and:
  • According to clause 11.3 they're not liable for any "loss or damage suffered by You which was not a reasonably foreseeable or obvious consequence of Us breaching these Terms and Conditions".
  • Then there are four more clauses about things they're not liable for, before at clause 11.8 they say that "Our aggregate liability to You arising out of or in connection with the Identity Service shall not exceed £100".
  • And then clause 11.9 tells users that "Our liability to You shall not include the following business losses that You may incur: lost business data, lost profits, lost earnings, business interruption, and loss of opportunity or reduction in the value of an asset ...".
That elaboration of the creed is not spoken out loud by Mr Dunn.

The creed explicitly includes "putting in place protection and monitoring to protect the service from attack" and "meeting high standards for security". But it excludes any answer to the review of GOV.UK Verify (RIP) conducted by four academics who identified a number of security holes – holes which are not filled by simply repeating the creed.

You'd think that that would be all, wouldn't you.

Well you'd be wrong.

Mr Dunn says that "there are 10 services currently available to the public through GOV.UK Verify [RIP] ...". The GOV.UK performance dashboard for GOV.UK Verify (RIP) only lists nine under Government services, not ten.

One of the government services GOV.UK Verify (RIP) is meant to be connected to is Apply for Universal Credit. Use the Apply in Croydon, Hounslow, Southwark or Sutton button with an appropriate post code and you'll see this:


No sign of GOV.UK Verify (RIP).

Ditto if you use the If you live elsewhere/Start now button, no sign of GOV.UK Verify (RIP), what you'll see is:


There is a stray webpage called Sign in with GOV.UK Verify [RIP] - Universal Credit. Try signing in to Universal Credit from there using GOV.UK Verify (RIP), and you're met with:


There must now be a question whether GOV.UK Verify (RIP) is connected to the Apply for Universal Credit government service at all. The creed seems to be blatantly false.

Famously, GDS's assertion that GOV.UK Verify (RIP) is connected to the Claim rural payments government service is definitely false. There is no such digital service. As the PAC say (p.5):
In March 2015, as a result of the failure of the online application system, the Department had reverted to a ‘paper-assisted digital’ system, requiring a significant amount of manual input and creating a large number of errors.
With GOV.UK Verify (RIP), when GDS promise connections to ten public services, what you get is nine public services, or eight or seven or ...

... and that's just too ambiguous. The creed must be clear. There are too many doubts. Doubts about the number of public services and the security of GOV.UK Verify (RIP) and the question whether its users will be compensated for any losses and the promise that all "identity providers" are certified trustworthy and the control its users have over their personal information and the extent to which GDS are being open with us and the problem of people being excluded and interoperability with other national identity assurance systems and the primacy of user needs and ...

That's not a creed. That's a confused mess. A confused mess that's going live in a few weeks' time, in April 2016 if Mr Dunn is to be believed.

RIP IDA – users and their expressed, tacit and created needs for the truth

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Last heard of, Stephen Dunn wrote a blog post with Janet Hughes, please see RIP IDA – what they omitted from the obituary. That was about GOV.UK Verify (RIP) and so is his latest contribution, Meeting user needs:
The GDS Design Principles state that services should start with user needs. To pass the Digital by Default Service Assessment for a live service, the service manager must demonstrate that the team building [the] service understands user needs and has undertaken research to develop a deep knowledge of who the service users are and what that means for the design of the service.

Friday 12 February 2016

Trust in the Civil Service 3

Sir Jeremy Heywood, Cabinet Secretary and Head of the Civil Service, wishes to increase the level of trust placed by the public in the civil service. As we have seen, here and here.

His chosen method to achieve this objective centres on перестро́йка and гла́сность, i.e. perestroika and glasnost, or innovative transformation and openness, to be delivered by the Government Digital Service (GDS).

We have identified certain problems with the strategy. Among others:
  • GDS have promised the public that we can use GOV.UK Verify (RIP), the replacement for the Home Office's failed ID cards scheme, to establish our identity on-line and that we can use that identity to access public services. GDS's business partner, OIX, the Open Identity Exchange, tell us that GOV.UK Verify (RIP) is having trouble achieving the requisite level of assurance that people are who they say they are. Which means that relying parties like the Department for Work and Pensions would be irresponsible to rely on GOV.UK Verify (RIP) when they pay benefits, for example, or pensions. GDS's false promise is more likely to destroy trust in the civil service than to inspire it.
  • In September 2012, the Information Commissioner's Office published advice on data protection which included this: "We also recommend you ... use different passwords for separate systems and devices" (p.8). That was obviously good advice then and it still is, three-and-a-bit years later. You'll find the same advice given worldwide. Here's the US organisation StaySafeOnline.org, for example: "Have a different password for each online account". GDS want you to have a single GOV.UK Verify (RIP) password for all your accounts. They're more interested in convenience than in security. Which diminishes the trust anyone can place in them.
  • "All your accounts"? Surely that should be "all your public service accounts"? No. The GOV.UK Verify (RIP) literature generally says that the system is designed to make it easier for members of the public to access public services, e.g. "GOV.UK Verify [RIP] is the new way to prove who you are online, so you can use government services like viewing your driving licence or filing your tax". Less publicised, GDS are trying to interest the private sector in GOV.UK Verify (RIP). Not a shining example of гла́сность.
Sir Jeremy's trust problems aren't limited to GDS.

Her Majesty's Revenue and Customs (HMRC) want to maintain tax accounts for us all, on-line. The idea is that we should be able to check these accounts, having logged on with our GOV.UK Verify (RIP) identities, and then quickly confirm them, thereby cutting out the old-fashioned need to submit tax returns. As the Chancellor said in his November 2015 spending review:
1.8 A modern and reformed state

Building on the progress made over the last Parliament in public services, the government will introduce far-reaching reforms to create a more productive state, fit for the modern world. The Spending Review and Autumn Statement is taking action to:
  • ...
  • make the government simple to deal with by investing £1.8 billion in digital transformation, replacing tax returns with digital tax accounts, and building one simple payment mechanism for all central government services
  • ...
They do it in Estonia, where it takes a person only 19 seconds to complete their tax return because the Estonian Revenue already know everything about their financial affairs anyway:


Should you invest four minutes of your time in watching this BBC film? Yes.

So surely we can do the same in the UK, if only we trust our tax authority as implicitly as the Estonians trust theirs.

The Chancellor has been advised that this is simply a matter of "building on the progress made over the last Parliament in public services".

Let's look at a relevant example – HMRC's introduction in the 2010-15 parliament of RTI, the real-time information system for PAYE/NI, i.e. pay-as-you-earn/national insurance. And let's look at the case of a company well known to DMossEsq which made a mistake one month.

This company, call it "X Limited", calculated the tax due for PAYE/NI Month 2, 6 May 2015 to 5 June 2015, submitted its RTI return on-line and paid the money due to HMRC on-line. All very modern. X Limited paid the money into the correct HMRC bank account. Good. Unfortunately, X Limited specified the wrong reference number.

HMRC had the money. But HMRC is a big place. And as a result of X Limited using the wrong reference number, the PAYE/NI people thought they didn't have the money. So they marked it down as a debt and started accruing interest on it. And five months later, X Limited received a letter telling them they owed HMRC lots of money.

X Limited telephoned HMRC, who agreed to re-allocate the money to the correct reference number.

End of problem?

No.

Two months later, another letter arrived saying X Limited still owed HMRC money. There followed another telephone call, on which HMRC said:
  1. Yes, it can take two months to re-allocate money. Don't worry.
  2. And don't worry about the threatening letters you're about to receive, we can't stop them going out.
  3. And please don't look at your on-line RTI Current Position tax dashboard, the figures are all wrong, we're not letting any new companies see that account, we work from a snapshot.
  4. X Limited don't seem to have claimed their 2015-16 Employment Allowance to date. You should use HMRC's Basic PAYE Tools, which deducts the allowance automatically.
  5. Goodbye.
It turns out that X Limited do use HMRC's Basic PAYE Tools and that the company is flagged as eligible for Employment Allowance and that the entitlement is not automatically deducted from the PAYE/NI payable. So 4. is wrong.

5. is right.

1. is a big dent in the trust shield and needs to be sorted out by HMRC if Sir Jeremy is not to be embarrassed. It shouldn't take two months not to re-allocate money between two reference numbers in the same account. Nor should it take five months to notify the company of a debt. Not in the administration of a "productive state" that's been through years of перестро́йка to make it "fit for the modern world".

2. is another big dent, and it's also a lesson for the team working on GDS's new "platform", GOV.UK Notify. We don't want that turning into an out of control robot in whose processes no human can intervene, gaily accruing interest on non-existent debts while sending out threatening letters, emails, texts, tweets, ...

What about 3., you ask?

Here is X Limited's Current Position account for its n employees, maintained by HMRC, accessed on-line by X Limited, logged on through the Government Gateway because, of course, GOV.UK Verify (RIP) is incapable of identifying companies, which is an embarrassment Sir Jeremy is just going to have to live with:


There's an Amount due in period column. You'd think that that would match up with X Limited's RTI returns. Three of the non-zero figures shown match up and six don't. Ditto for the Amount paid in period column, three match, six don't and the £1,844.78 figure is particularly noteworthy as nothing was paid in that month, which is where we came in some time back.

Clearly, when HMRC's RTI people say "amount due", they don't mean amount due. And when they say "amount paid", they don't mean amount paid. Quite what they do mean is unclear ...

... but it wouldn't take you even 19 seconds to spot that the account is wrong. You wouldn't confirm the figures. And you wouldn't experience that Estonian rush of trust in HMRC that the Chancellor promises.

GDS have been promised £450 million over the next four years, no-one knows why, but it's unlikely they can help HMRC.

"The government will introduce far-reaching reforms to create a more productive state, fit for the modern world". The problems for Sir Jeremy are mounting up. What can he tell the Chancellor? HMRC. Companies House. GDS. They're all threatening the public's trust in the civil service.

----------

Updated 18.2.16

Somewhere under its calm, elegant, swan-like exterior DMossEsq's webbed feet are paddling away. HMRC's, too.

The temptation to compare HMRC to GDS is strong. Too strong to resist.

Unlike GDS, HMRC actually respond to critical comment. We've seen that before. Now, once again, there have been helpful HMRC responses, this time in connection with X Limited's RTI problems, which may turn out to be quite substantially self-inflicted. Dénouement next week, possibly.

Meanwhile, GDS remain openly silent on the matter of their GOV.UK Verify (RIP) problems. They, and their business partner OIX, please see above.

Deaf to criticism, they now claim that GOV.UK Verify (RIP) could help the banks, rather than the other way round. Try this from Don Thibeau, the head of OIX, Digital Identity Across Borders:
Currently, around 50% of bank accounts opened in the UK are by people who ... lack sufficient footprint in the UK to open an account.
Come again?

GDS and OIX have somehow got the British Bankers' Association on board, please see Guest post: GOV.UK Verify [RIP], OIX and the future of banking. Let's see how long that lasts.


Updated 29.2.16
Good luck, Chancellor

We have a Budget coming up, on Wednesday 16 March 2016. The Chancellor may be expected to repeat his objective to "make the government simple to deal with by investing £1.8 billion in digital transformation, replacing tax returns with digital tax accounts, and building one simple payment mechanism for all central government services".

When it comes to "digital transformation in government", we were told two years ago by ex-Public Servant of the Year ex-Guardian man Mike Bracken CBE ex-CDO ex-CDO, ex-executive director of the Government Digital Service and ex-senior responsible owner of the pan-government identity assurance programme now known as "GOV.UK Verify (RIP)", "Estonia is a model for all of us".

Is it? Is Estonia a model for all of us? Are we really, all of us here in the UK, on the road to Estonia? Francis-now-Lord Maude went to Estonia, looking for the future. It is not clear that he found it, nor that the Chancellor will either. The latter might be well-advised to soft pedal on the virtues of "digital tax accounts" in his Budget speech.

The charming BBC film above may attract the Chancellor. The Estonian revenue service may be able to fill in people's tax returns for them and Estonians may be able to confirm their calculations in 19 seconds flat. You may have your doubts about that. But even after "the progress made over the last Parliament in public services" we are nowhere near achieving the 19 second tax return here in Blighty.

Nothing can alter the fact that at the moment HMRC's Current Position account, for example, please see above, does not reflect the current position. The Amount due shown is not always the amount due and the Amount paid shown is not always the amount paid. HMRC know that. The Chancellor should know it, too.

What can be altered is your apprehension of the problem, which began one month when X Limited paid its PAYE/NI bill into the right HMRC account with the wrong reference number.

Firstly, there is HMRC's response, which has been swift and effective. The large debt that HMRC thought was owed by X Limited has been extinguished. In fact, HMRC have informed X Limited that by Month 10 they had paid £2,010.40 more than HMRC thought was due.

Sorting it out required people to talk to each other. There is no provision for that in GDS's Estonian model for public services. GDS regard service providers and their parishioners talking to each other as failure. That doesn't work – the gap between the digital Current Position and the actual current position just gets bigger. HMRC understand that. GDS and the Chancellor should, too.

Second, there is the taxpayer. It's not all HMRC's fault. X Limited, in this case, made several spectacular mistakes. Among others:
  • Their Month 2 RTI payment was made 35 days after their Month 3 payment because it was only then that they realised that they hadn't paid the Month 2 salaries which they had notified HMRC about with their RTI return 63 days before.
  • Their Month 3 RTI payment is the one that had the wrong reference, it went into X Limited's Corporation Tax account instead of its RTI account. HMRC's Corporation Tax people knew that there was no Corporation Tax due so they immediately sent a cheque back to X Limited which X Limited immediately put in a file because they knew that HMRC didn't owe them any money. They then forgot about the cheque. It was never cashed. HMRC didn't realise that, which is why they thought that there was a debt and which is why the payment at first couldn't be re-allocated, please see above, ... and so the soap opera goes on.
The GDS stance is that we need more centralised and standardised computer systems. They want a centralised and standardised payment platform, GOV.UK Pay, and a centralised and standardised notification platform, GOV.UK Notify:
  • How is GDS's GOV.UK Pay going to stop X Limited paying money to HMRC with the wrong reference?
  • Ms Y at HMRC sorted out the whole goulash X Limited had created in no time.
  • How is GDS's GOV.UK Notify going to sort out this sort of problem on its own, with no human intervention?
HMRC have a century of experience dealing with the likes of X Limited. GDS don't. HMRC have seen it all before. GDS haven't.

"Good services are verbs", say GDS. And "punctuation can slow people down". Quite which problems these aphorisms of GDS's are the solution to is a matter of ludic debate but they're unlikely to get the Current Position account reconciled.

HMRC are interested in collecting revenue to fund public services.

And GDS?

GOV.UK Verify (RIP), GDS's identity assurance platform on which digital tax accounts (and much else) depend, is due to go live in a month's time, in April 2016. So what are GDS doing? They're re-writing it. They've found a new software engineering methodology, mob programming: "All the brilliant people working on the same thing, at the same time, in the same space, and on the same computer". That's what they're interested in. Good luck, Chancellor.
