Sunday, 13 March 2016

RIP IDA – what is the point of GOV.UK Verify (RIP)?

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

In a few weeks' time, in April 2016, according to the Government Digital Service (GDS), GOV.UK Verify (RIP) will go live.

Time for someone at last to summarise the implications.

A spreadsheet has been prepared summarising the terms and conditions of business of the GOV.UK Verify (RIP) services offered by each of GDS's nine "identity providers". Not just the business terms but the privacy policy also:


GOV.UK Verify (RIP) summary spreadsheet
It's too wide to display properly on this blog. Readers are asked kindly to take a look here. [Added 12.5.16: updated version of spreadsheet now available. [Added 3.7.16: updated version of spreadsheet now available. [Added 4.1.17: updated version of spreadsheet now available. [Added 24.9.17: updated version of spreadsheet now available.]]]] The effort is worthwhile. It reveals that GOV.UK Verify (RIP) is a machine for collecting and storing your personal information and sharing it widely in the UK and abroad.

What is the point of GOV.UK Verify (RIP)? Answer, it's a personal information publishing service. That's what the summary spreadsheet shows.

-----  o  O  o  -----

GOV.UK Verify (RIP) would collect a spectacular amount of personal information about us. Nothing like that is needed when we use the Government Gateway, as we have been doing to access public services for 15 years since January 2001.

And the Government Gateway doesn't broadcast our personal information to all corners of the internet the way GOV.UK Verify (RIP) would.

Some of us may want to access public services on-line. It is quite unnecessary to share so much personal information with so many organisations in so many countries at the same time.

Barclays, for example, say that in the name of GOV.UK Verify (RIP) they will collect everyone's "name, address (with 3 years of history), email, mobile phone number, gender, details of your passport, driving licence and bank account, IP address, browser type and version, device type, operating system and version, locale, a unique visitor cookie, user ID, time, URL + We may receive information about you if you use any of the other websites we operate or the other services we provide. We also work closely with third parties to provide aspects of the Identity Service (including sub-contractors, analytics providers, search information providers and credit reference agencies) and we may receive information about you from them".

It's a lot but apparently it's not enough personal information. The "identity providers" aren't going to achieve GDS's goal of being able to register 90% of the population. Not with "just" this mass of personal information. GDS want them to store even more, but they've felt unable for the past year to tell the public what extra information of ours it is that they want.

Having collected it, Barclays will share everyone's personal information with "a credit reference agency (including Equifax), a fraud prevention agency, other member organisations of the fraud prevention agency, other Barclays companies, Barclays business partners, suppliers and sub-contractors, HM Passport Office, DVLA, Verizon, GOV.UK Verify, anyone who buys a Barclays business or Barclays assets" in addition to the public or private services which rely on Barclays' identity verification work.

There is no intention here to suggest that Barclays are unique. They're just being used as an example. The other GOV.UK Verify (RIP) "identity providers" are just the same. (Except that Verizon have for the moment shut up shop to new applicants – will the Barclays service which relies on Verizon survive? – and PayPal have once again bolted.)

-----  o  O  o  -----

Something has clearly gone wrong. All we wanted, some of us, was a way to obey the law for example by submitting our tax returns to HMRC on-line, something we can perfectly well do using the Government Gateway. GDS seem to have missed the point. We did not want to give our credit history to Verizon and we did not want our personal information to be sold when Barclays sell a subsidiary.

Something has clearly gone wrong. GDS repeatedly emphasise that they do not want to create the National Identity Register envisaged for the old ID cards scheme (2002-10, RIP). They have ended up creating nine of them.

GDS, Delivering Identity Assurance: You must be certified
Something has clearly gone wrong. GDS repeatedly emphasise that all the "identity providers" are "certified companies". It's easy to check and when you do you find that Barclays isn't certified. Neither is the Post Office nor Morpho (SecureIdentity) nor Royal Mail nor PayPal.


Something has clearly gone wrong. Everyone knows that there is no such thing as unqualified security on the internet. Barclays, to their credit, are realistic and say as much in their privacy policy: "Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access".

And what do GDS say? Unpardonably:


Something has clearly gone wrong. GDS want the GOV.UK Verify (RIP) population register(s) to support a platform for public services offered by multiple central government departments.

HMRC are the pre-eminent suppliers of computerised public services and they have already distanced themselves from GOV.UK Verify (RIP). As have the NHS. And DWP seem to be developing and promoting their own identity assurance procedures for Universal Credit, not GOV.UK Verify (RIP).

If GOV.UK Verify (RIP) goes live next month, some individuals will be able to submit their tax returns to HMRC, but no companies. After four years of development, GOV.UK Verify (RIP) still doesn't work for companies. Or partnerships. Or trusts.

DVLA and HM Passport Office are suppliers to GOV.UK Verify (RIP) – please see the summary spreadsheet – so they don't need it. Rather, it's the other way round. GOV.UK Verify (RIP) needs DVLA and HM Passport Office.

There is no sign of GOV.UK Verify (RIP) being used with GDS's individual electoral registration batch application system. And no reason to believe that it would be capable of helping to compile the national census.

GDS claim that GOV.UK Verify (RIP) supports DEFRA's rural payments scheme. But it can't, because GDS's computerised rural payments scheme has had to be discontinued, it was unusable and farmers currently indent for their payments using pencil and paper.

There is no identity assurance platform for public services ...

... and GOV.UK Verify (RIP) is no use to the private sector either. The private sector has its own platforms already for authenticating account-holders and authorising payments. And it's developing its own new platforms. They don't depend on GOV.UK Verify (RIP). Again, it's the other way round.

Something has clearly gone wrong. In the past, so we are told, Whitehall would specify the requirements for a public service and four years later a computerised system would arrive, not meeting the public's requirements.

GDS repeatedly emphasise that they have overcome that problem by adopting agile software engineering methodologies. And yet what do we see?

Four years after work started, GOV.UK Verify (RIP) arrives, not meeting the public's requirements.

Something has clearly gone wrong. GDS repeatedly emphasise that they pride themselves on the care they take to act responsibly on behalf of the entire nation. They published a blog post the other day, Writing content for everyone, in which they preened themselves over the effort they expend on comprehensibility:
Accessible and inclusive content

At GDS, we always try to design for the least experienced user so no one is excluded from understanding and using a service. We also try to apply the same principle to users with low literacy. By writing for all literacy levels, it means more people can use the government services they depend on.
Some readers can be put off by apostrophes, GDS say – "punctuation can slow people down". Capital letters can deter understanding – "even readers with higher literacy levels can find that reading words all in capitals slows them down".

What are GDS doing luring these people into the treacherous waters of GOV.UK Verify (RIP)?

Something has clearly gone wrong. The Cabinet Secretary is relying on GOV.UK Verify (RIP) to improve public confidence in the civil service. How? If anything, it can only achieve the reverse.

Even after everyone knew it couldn't work it took years to put an end to the NHS's National Programme for IT (NPfIT) and it cost the nation tens of billions of pounds.

If Whitehall have learnt nothing, then the announcement will be made next month that GOV.UK Verify (RIP) has gone live and a lot of people can pretend that it's true, just as a lot of people pretended for years that NPfIT was in robust health.

But that's just the point. GOV.UK Verify (RIP) isn't in robust health. And a lot of people know it. Like NPfIT, like the ID cards scheme, it's dead. RIP.

----------

Updated 8.4.16

Since the post above was written:
  • It has been reported that Verizon have been hacked. Verizon nevertheless claim that "you can be confident that we know how to protect you to the highest standards".
  • Verizon have subsequently returned to registering new victims of GOV.UK Verify (RIP).
  • The "identity providers" summary spreadsheet has been updated accordingly.
  • Digidentity have started to try to sell GOV.UK Verify (RIP) account-holders YubiKeys on the grounds that these devices make the use of GOV.UK Verify (RIP) more secure. They do not answer the question whether it is insecure to use GOV.UK Verify (RIP) without a YubiKey.
  • CitizenSafe have announced that GOV.UK Verify (RIP) replaces the Government Gateway. If the Government Gateway is discontinued, HMRC will no longer be able to collect tax. Do CitizenSafe understand that point? And what are they doing making this announcement? Surely the end of the Government Gateway should be announced by a minister.
  • The NHS have announced that GOV.UK Verify (RIP) is not secure enough for their users' needs.
  • GDS have released data showing that a material percentage of the UK population cannot have its identity verified by GOV.UK Verify (RIP).
The conditions set by GDS themselves which must be satisfied before GOV.UK Verify (RIP) can go live have not been met. GDS continue to announce that GOV.UK Verify (RIP) will nevertheless go live this month, April 2016. It's not their decision, though. It remains to be seen whether their superiors will take the reckless decision to declare GOV.UK Verify (RIP) live.


Updated 22.4.16

Since the previous update:
  • The Office for National Statistics have confirmed that GOV.UK Verify (RIP) will not be used to help compile the 2021 UK national census.
  • Her Majesty's Revenue and Customs have commended their digital personal tax accounts and recommended logging in through the Government Gateway. Logging in through GOV.UK Verify (RIP), they say, restricts you to a limited service.
  • The Government Digital Service (GDS) have taken to dividing their eight remaining "identity providers" into those which work and those which don't. Their recommendation changes frequently but in general new victims of GOV.UK Verify (RIP) ...
    • ... are advised to register with Digidentity, Experian or the Post Office ...
    • ... and they are advised against trying to register with Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity or Verizon.
  • The reported account creation success rate has been measured at 71%, still a long way from the 90% required for GOV.UK Verify (RIP) to be declared live.
  • GDS have increased the minimum age for new victims from 19 to 20, thereby cutting GOV.UK Verify (RIP) off from another 1.2% of the population and making it even harder to achieve 90% penetration.
There's a week left before the end of the month. Probably the press releases are already written and nothing can stop the announcement of GOV.UK Verify (RIP) going live some time next week.

Whichever unfortunate ministers and Whitehall officials have their names associated with that announcement are approaching the last weekend on which they can be taken seriously.


Updated 4.5.16

It was too much for them.

No-one wanted their name associated with the declaration that GOV.UK Verify (RIP) is now live.

And so, on 29 April 2016, GDS announced that GOV.UK Verify (RIP) is "nearly there", but not quite. A miss is as good as a mile. GOV.UK Verify (RIP) is not live. After four years of development and two years of testing and several promises that it would go live in April 2016, it didn't. As usual.

Sir Jeremy Heywood, the cabinet secretary, tried to put a brave face on it. Not even he, panjandrum that he is, can disguise the fact that there is nothing there for the relying parties like HMRC to rely on. Nor that GDS themselves continue to say that five of their eight "identity providers" are unlikely to be able to provide you with an identity.

GDS put out one of their amusing little films about GOV.UK Verify (RIP). Apparently the system is safe, simple, fast, secure and private.

It remains the case that about 29% of attempts to create a GOV.UK Verify (RIP) account end in failure. It has particular trouble handling the young, the old, the low-paid and the out of work. It remains the case that account-holders have no control over who sees their data, which can end up anywhere in the world. And that there is still no dashboard for the Government Gateway on GDS's performance platform.

It proved beyond GDS's powers to stop the PR campaign:

Updated 15.5.16

It's been a busy 11 days since the last update and nothing has happened.

GOV.UK Verify (RIP) has still not been declared live. It can't be. It still shows no sign of meeting GDS's "objectives for live". The account creation success rate is down to 68%. The target minimum is 90%. The authentication completion rate is down to 36%. And, unchanged for a month, GDS still tell new GOV.UK Verify (RIP) applicants that five of their "identity providers" are useless. Or, as GDS put it, they're "unlikely to be able to verify you".

No progress there, but there has been an inordinate amount of displacement activity. Verizon have changed their logo. And GDS tarted up their Introducing GOV.UK Verify [RIP] web page on 9 May 2016. You can almost see the space left for all the new services that were due to be connected to GOV.UK Verify (RIP) when it went live in April. But that was not to be.

There was a bit of tweeting on 13 May 2016 about how marvellous it is that one of the country's major retail banks, Barclays, supports GOV.UK Verify (RIP). No recognition that Barclays is one of the "identity providers" GDS says are useless but the Twitter thread did reveal that Lloyds Bank had been in negotiations to join GOV.UK Verify (RIP). No explanation of why those negotiations failed.

6 May 2016 saw the publication of GDS's What kind of fraud do our standards prevent?. Good question.

The answer is spoiled by GDS's failure to mention the ID hub. That's the single point of failure in GOV.UK Verify (RIP) where all communications come together and GDS failed to address how the hub defends against fraud or, to put it another way, how it doesn't promote fraud. Instead, GDS repeated that they have eight "identity providers" (should be three as five of them are useless) and how they're all certified (four of them aren't).

It's unfortunate that on the same day, 6 May 2016, it was reported that Equifax had been hacked. Equifax have been certified trustworthy by tScheme and are relied on by four of GDS's "identity providers" – Verizon, Barclays, CitizenSafe/GB Group and the Royal Mail.

Not a propitious day on which to talk about the standards set by GOV.UK Verify (RIP) for fraud prevention. It's just lucky that GDS don't actually set the standard, whatever they say, and that so few public services are connected to GOV.UK Verify (RIP).

Two days later, 8 May 2016, the US National Institute of Standards and Technology (NIST) issued a new draft of their Digital Authentication Guideline. There's a summary and then there are four detailed documents. NIST's new guideline casts doubt on the way GDS are using levels of assurance in GOV.UK Verify (RIP), it impugns the use of secrets in GDS's recommended identity-proofing procedures and it "deprecates" GOV.UK Verify (RIP)'s two-factor authentication.

It may have occurred to you, too, but what NIST are doing is to raise the question whether it is feasible at all to verify somebody's identity entirely on-line. It's only a hypothesis that it's feasible. The hypothesis could turn out, in practice, to be disproved. In fact it has been. That's why GOV.UK Verify (RIP) can't be declared live.

Where all else has failed, NIST seek salvation in biometrics:
Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier.

Biometrics SHALL be used with another authentication factor that SHALL be revokable.

The biometric system SHALL have a tested equal error rate of 1 in 1000 or better. The biometric system SHALL be operational with a false match rate of 1 in 1000 or better.
As we know, NIST might as well call on astrology. It looks as though online-only identity verification isn't feasible. Not for NIST and not for GDS. GOV.UK Verify? Forget it. RIP ...

... which takes us back to where we started in the blog post above – GOV.UK Verify (RIP) doesn't verify your identity, it's a machine for publishing your personal information far and wide, out of your control, in the UK and abroad.

The Privacy and Consumer Advisory Group say that that's not true. They're wrong.

The Government Gateway is the unsung hero of on-line access to UK public services. It's sat there for 15 years and more, working. It's been instrumental in collecting trillions of pounds of public revenue. The Government Gateway takes much less personal information from you and, to a much greater extent than GOV.UK Verify (RIP), it keeps your personal information under the control of UK government departments.

So what's this we read in PublicTechnology.net on 13 May 2016? Dell appointed to decommission Government Gateway. It's all there on Europa.eu. The Government Gateway will be shut by the end of March 2018. The system that works and provides a modicum of privacy is to be discontinued. The system that doesn't work and that blasts all privacy to kingdom come is to be pursued.

It's a new world we're living in. That's what Stephen Foreshew-Cain, GDS's executive director, told us in Where we’re at, and where we’re going on 8 April 2016. And that's what he told TechUK's Public Service 2030 conference on 10 May 2016. His speech was meant to tell delegates what to expect over the next 15 years or so. Read it, and you will be none the wiser about the new world except for Mr Foreshew-Cain's prediction of the end of parliamentary democracy: "The way that the law is made will have changed".

That's a fairly major contention.

So much so that he quite forgot to mention in his speech that GOV.UK Verify (RIP) will after all go live this month, May 2016. But he did remember to tell a journalist from UKAuthority.com, Verify to go live by end of month. That's how you keep the public informed in the new world.

We'll see. As long as it depends on GDS, it seems unlikely. As Mr Foreshew-Cain told us himself, GDS don't like actually going live. It's the journey that's important to them – "In 2030, and in the years that follow, we shall still be iterating. We shall still be doing the user research, doing the hard work to make things simple ... There’s no definition of done. We’re never done ...".

With the Government Gateway gone, and with GDS busy iterating and researching, let's just hope that HMRC have an alternative up their sleeve to raise the revenue to pay for public services. As things stand, it's "no Government Gateway, no revenue".

But be not disheartened. Even while all around seemed bleak, on 12 May 2016 GDS won a prize. GOV.UK Verify (RIP) was awarded Best Innovation in eGovernment/eCitizen at the European Identity and Cloud Conference 2016. Everyone – even Mr Foreshew-Cain – was, and remains, speechless.

A busy 11 days. As you see. Even if there has been no progress.


Updated 16.5.16

"Read him early. Read him often."

If only DMossEsq followed his own advice he would have remembered to include two more GOV.UK Verify (RIP) incidents in yesterday's review of the 11 days 4-15 May 2016.

Firstly there was Neil Merrett's 6 May 2016 article HSCIC seeks ID authentication market engagement. The National Health Service in England is going to the market to see what's available by way of identity assurance for "over 1 million users and 28,000 system endpoints across 21,000 organisations". If GOV.UK Verify (RIP) isn't obviously good enough for the NHS, is it good enough for you?

Second there was Neil Merrett's other 6 May 2016 article DWP "evaluating" GOV.UK Verify for Universal Credit. "Currently claimants prove their identity by showing ID to their work coach. We are evaluating the Verify system and will announce any plans in due course", said a Department for Work and Pensions spokesperson. Taking their time about it, aren't they. Not a resounding vote of confidence in GOV.UK Verify (RIP).

Read him early, that Neil Merrett, and read him often.

Him, and Mark Say.

Mr Say published an article in UKAuthority.com on 9 May 2016, Questions arise over local 'Government as a Platform': "... There are also questions around the ability of children and old people to obtain identification through GOV.UK Verify [RIP], the role the NHS could play as an identity provider, and how citizen accounts run by local authorities and the Scottish Government could fit into the picture". Local government is clearly no more convinced about the efficacy of GOV.UK Verify (RIP) than central government.

Of course Neil Merrett covered that story as well: "The briefing noted that children and elderly users may find difficulty in being able to authenticate themselves under the current GOV.UK Verify [RIP] arrangements ... Additional concern was also raised that should the NHS choose to deliver its own ID provider solution based around the NHS number, how could it sit alongside GOV.UK Verify [RIP] ... Similarly, local authority citizen account registers and Scotland's mygov.scot account services were also seen as having roles within an increasingly competitive identity provider marketplace ...".

But stay with Mark Say a moment. We have referred to his work a few times over the years. Notably on 19 February 2016: "About 15 central government services are expected to begin using the GOV.UK Verify [RIP] service for online identity assurance when it shifts from public beta to live in April".

Going live is not a big step for GOV.UK Verify (RIP), according to GDS. Those 15 central government services could have begun using GOV.UK Verify (RIP) in April whether or not the system was declared to be live.

They didn't.

That is an incident significant for its absence.

There is a marked reluctance to connect to GOV.UK Verify (RIP). And no evident enthusiasm.

Meanwhile, with 22½ months ahead of it on Death Row, the Government Gateway continues quietly to rake in the PAYE income tax, National Insurance, VAT and Corporation Tax that pays for ... GDS and GOV.UK Verify (RIP).




Updated 23.5.16

Unlike marriages, weddings are public affairs. That's the point of them. Proud or nervous or both, the principals expose themselves in daylight, to their friends and relatives, in front of the municipal authorities, whether civic or ecclesiastical. The solemn ceremony is an open statement made to the community. It looks to the community for authorisation and recognition, and it seeks in return the commitment and respect of the community.

Something similar was called for in declaring GOV.UK Verify (RIP) to be live.

GOV.UK Verify (RIP) "underpins the digital transformation of government", no less. And yet, instead of a proud and clear announcement, its launch in the community on 19 May 2016 was a fly-by-night, hole-in-the-corner affair. Its advent was smuggled surreptitiously into a speech about the ethical framework for data science full of juvenile exuberance and devoid of either ethics or science. Mutual respect? No. Mutual contempt from the very outset.

Why didn't GOV.UK Verify (RIP) go live in April 2016 when it was meant to?

"We haven’t yet finished the Service Standard assessment process" was the official explanation on 29 April 2016. After four years of development and two years of beta testing? Not convincing.

"... the confirmation of the eight certified companies that will authenticate individuals' identities was only completed in the course of the month" was an alternative explanation offered on 10 May 2016.

Someone imprudent decided to announce that GOV.UK Verify (RIP) would go live in April 2016, if we are to believe these explanations, even though the service assessment hadn't been completed and even though the "identity providers" hadn't been "confirmed", whatever that means.

The trouble is that it's becoming ever harder to believe GDS:
  • They talk about eight certified companies when they know perfectly well that only four of them are certified.
  • They tell applicants trying to register for a GOV.UK Verify (RIP) account that five of these companies are useless.
  • They have jettisoned their own GOV.UK Verify (RIP) "objectives for live".
  • Even having moved the posts, they still can't score a goal. GOV.UK Verify (RIP) is in no position to replace the Government Gateway but that's what we are told it will do by 31 March 2018. Starting on 1 April 2018, the UK Exchequer will have no revenue.
  • HMRC, DWP and the NHS are all reluctant, to put it mildly, to rely on GOV.UK Verify (RIP). They are thought to be working on their own identity verification schemes. As Scotland has done.
  • GDS claim that GOV.UK Verify (RIP) is secure, without qualification, when everyone knows that it can't be.
  • Their credibility is further impugned when they claim that GOV.UK Verify (RIP) abides by nine privacy principles when it patently doesn't.
  • And NIST consider that GOV.UK Verify (RIP) provides nothing more than self-certification – it can't do identity-proofing.
There will be triumphant speeches at the noisy reception, probably tomorrow, 24 May 2016. GOV.UK Verify (RIP) will sit at the top table, beaming, while ancient relatives and old friends talk about all the public services that will rely on it.

Check the list carefully. Is each service new to GOV.UK Verify (RIP) or has it been using GOV.UK Verify (RIP) for months already? In the case of newcomer services, why are they announcing their adherence to GOV.UK Verify (RIP) now? Why couldn't they announce it before? Are they reluctant adherents? Is that why GDS missed April? Did arms have to be twisted? Did unwelcome promises have to be made to get them on board?

We may never know why it died but the end of this marriage is in its beginning.

Monday, 7 March 2016

RIP IDA – GBGroup/ID3global

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:


It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.

And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?

As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".

What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.

You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.

When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.

Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
tScheme approval profiles compared for Verizon and GBGroup/CitizenSafe:
  • Base Approval Profile
  • Approval Profile for Identity Registration Services
  • Approval Profile for Credential Validation Services
  • Approval Profile for an Identity Provider
  • Approval Profile for Credential Management Services
GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.

No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.

And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services

Avoco Secure (www.avocoidentity.com)

Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...

"Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services,” Jim Conning, Managing Director of Royal Mail Data Services stated, "Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco” ...

"Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup,” said Gerry O’Brien, CEO, Avoco Secure ...

John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.

GBGroup/CitizenSafe have to communicate with GDS via Twitter:


If GDS won't give GBGroup/CitizenSafe their telephone number, perhaps you shouldn't either.

Would you be better off using the Royal Mail as your "identity provider"? With added Avoco Secure? Send them a letter. Time will tell.

Or what about Verizon? They're highly regarded by tScheme. Does that make them more confidence-inspiring?

Verizon may be highly regarded by tScheme but Germany doesn't agree, please see German government terminates Verizon contract over NSA snooping fears.

And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.

GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".

That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 8.3.16

GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":

No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".

In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.

If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.

If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.

It's not that good at identifying individuals either:
  • The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
  • And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
But you know all that.


Updated 11.3.16
This is sleazy


Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/CitizenSafe? To them, and to Royal Mail, the company you have heard of? Well there was news yesterday. Royal Mail has entered the lists.

There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).

The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if you use Chrome to View Page Source it says the author is Avoco Secure.

Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".

GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".

This is sleazy.



Saturday, 5 March 2016

RIP IDA – Safran Morpho/SecureIdentity

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

Safran Morpho is one of GDS's "identity providers":


Safran Morpho offer a product called "SecureIdentity".

GDS promised in the past that all "identity providers" would be certified by tScheme, an independent body, expert in measuring trustworthiness. That's meant to give the public confidence in GOV.UK Verify (RIP).

Safran Morpho applied for certification for SecureIdentity on 19 November 2015. These things take time. SecureIdentity may or may not be certified in the end but it doesn't appear on tScheme's roll of trust yet.

Unlike the other "identity providers" who have GOV.UK Verify (RIP) products available, Safran Morpho require you to download an app onto your mobile phone.

Your mobile phone then becomes part of your identity. That may imply that your existence is interrupted, as far as Safran Morpho are concerned, when you change phones.

Long-time DMossEsq readers will know that downloading apps onto your mobile phone is indistinguishable from inviting in a virus.

The SecureIdentity app has the features shown in the mobile phone screenshot opposite.

If you are convinced that you understand what they all mean and if you are happy to give SecureIdentity house room, fine.

If not, there are five other "identity providers" to choose from today – Barclays, Digidentity, Experian, the Post Office and Verizon – to which you should soon be able to add GBGroup, PayPal and the Royal Mail.

You had better read, learn and inwardly digest Safran Morpho's terms and conditions for SecureIdentity and their privacy and cookies policies. They estimate 10 to 15 minutes for registration. Good luck with that.

To register with Safran Morpho, you have to tick the box that says you've read all these documents and you may then be deemed to have freely given your informed consent.

What consent?

Answer, your consent to a lot of personal information about you bouncing around the world's telecommunications networks, in the UK and overseas, between Safran Morpho, unnamed credit referencing agencies, unnamed sub-contractors, government departments, law enforcement agencies, tax authorities, Zendesk, DoubleClick, YouTube and Google, because that's who GDS use for their analytics.

De-registration, by the way, takes at least seven years. That's the minimum length of time Safran Morpho will keep any information they have about you.

The SecureIdentity privacy policy includes:
1.2 The types of personal data that Morpho may collect and hold

Personal data that Morpho may collect include:

- Your full name;
- Your date and place of birth
- Your postal address;
- Your email address;
- Your telephone number;
- Your user ID (application store account)
- Your gender
- The data necessary to identify the date, time and duration of a communication
- Your static or dynamic IP address
- Characteristics of your software platform (Operating System, Browser)
- Your passport details
- Your Driving License details
- Your Marriage Certificate details
- Your Birth Certificate details
- Your Poll Card details
- Your bank account number

1.3 How does Morpho collect your personal data

Morpho usually collects personal data directly from you. For that purpose, Morpho may require you to complete a consent form to acknowledge that you are fully aware of the collection and processing of your personal data.

Morpho may also check your personal data against publicly available information and information already present in our partner companies' databases in order to verify your identity and ensure that you are the person you're claiming to be.

Personal data that Morpho may check, include:

- Your Credit Record History
- Your Electoral Roll History
- Your financial court orders records (CCJ, IVA, DRO, Bankruptcy)
- Your record in the Land Registry …
- Your Directors Register record

We might in certain circumstances verify if you are active on social networks.

Morpho may collect personal data about you because Morpho is required or authorised by law to collect it.
Safran Morpho clearly envisage an intimate relationship with you, including your life in the social media. Not to mention anything that the SecureIdentity app can glean from your sleepless mobile phone, the accounts on it and the network(s) it is attached to.

In the course of that intimate relationship, Safran Morpho can't help collecting a lot of personal information about you:
1.5.1 Disclosure of personal data by Morpho

Morpho may share personal data with:

- Government Digital Service (GDS): the DVLA, the HMPO [Her Majesty's Passport Office] and any other relevant HMG Department in connection with the provision of the Evidence Checking Services

- Its subcontractors (including without limitation third party fraud-prevention agencies and credit agencies) to verify your identity during the SecureIdentity registration process and to provide customer care.

Morpho will not sell, rent or otherwise disclose your personal data to third parties without your informed consent.

Morpho may also share your personal data if it is required to do so by virtue of any legal obligations (such as law enforcement, tax), or in order to enforce Morpho’s [sic] terms and conditions (a copy of which can be seen at www.secureidentity.co.uk/help).

1.5.2 Overseas disclosure by Morpho

Morpho is part of the Morpho Group of Companies ("Morpho Group") which is a global organisation; for the purposes explained in this policy, your information may be transferred to the head office of the Morpho Group, Morpho SAS based in France ...

1.5.3 Marketing communications

Your information may be used by SecureIdentity (Morpho UK) for marketing purposes in connection with the service provided ...
GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs". That's what they started with and somehow you've ended up handing over reams of the personal information that defines you, beyond your control, to a lot of strangers.

And all you wanted to do was to obey the law by submitting your tax return. That was the user need. You didn't previously feel the need to help the "identity providers" with their marketing, did you?

You've been able to submit your tax return on-line for years via the Government Gateway. Why do you now also have to send your credit history to all these strangers?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 20.3.17
It's just over a year since the blog post above was written. Yesterday Safran Morpho tweeted this: "'Why is the @GOVUKverify programme happening?' Read the answer & other FAQs on our website", followed by a link to this antique page on their website, copy available here.

Troll along and you read: "Right now 13 government services are connected to GOV.UK Verify [RIP] (7 can be accessed as public beta services). By April next year about 30 government services will be using the system and others will join over 2016/17".

Fiscal 2016/17 ends in 11 days time, 31 March 2017, and there are just 12 services signed up to GOV.UK Verify (RIP), not 30, not even 13.

Safran Morpho are an "identity provider" retained by the Government Digital Service (GDS) to sign victims up to GOV.UK Verify (RIP). There's a choice of "identity providers". Would you choose the one that relies on marketing literature over a year out of date?

Victims "must choose from one of nine certified verification companies to obtain their own personal secure ID". That's what Safran Morpho said over a year ago. There aren't nine "identity providers". Only seven – PayPal never turned up and Verizon pulled out, twice. You want the supplier providing you with a "secure ID" to be strong on the detail ...

All the "identity providers", according to Safran Morpho, are "guided by nine Identity Assurance Principles". You won't be fooled into confusing "guided by" with "compliant with". All nine identity assurance principles are flouted by the "identity providers" and by GDS themselves.

All the "identity providers", according to Safran Morpho, "offer the verification service at no cost". Very old-fashioned marketing, nostalgic even, hands up everyone who believes that GOV.UK Verify (RIP) is free.

"To become a certified verification company a business must be able to meet or exceed high standards set by government and an independent certification body". So they keep saying but of course Safran Morpho have not been certified, their SecureIdentity service remains obstinately absent from the independent certification body tScheme's list of approved services, a full 16 months after applying for approval.

Four "identity providers" have had their services approved. What's wrong with the other three – the Post Office, the Royal Mail and Safran Morpho?

With marketing material like this – out of date, inaccurate, misleading, self-hoisting with petard – does GOV.UK Verify (RIP) need critics?


Updated 21.3.17

It's almost as if Safran Morpho are reading this blog. Yesterday they claimed that GOV.UK Verify (RIP) is connected to 13 UK government services. Today, in a tweet, they have corrected that to 12: "You can now access 12 govt online services @GOVUKverify @secureIDverify incl. @HMRCgovuk s.ripl.com/bfkk03".

That message is reinforced by a silent video which lasts for 10 seconds and on which, unless you're a hawk, the text is illegible.

Better that than the video on the SecureIdentity website – the same three chords repeated for 50 interminable seconds:



Is the product called "secureidentity" or "Secure Identity" or "SecureIdentity"? All three versions appear on the Safran Morpho website. And is the product brought to us by Safran Morpho? Or by Safran? Or by Morpho, "the world leader in government ID"? Which is it? There's a bit of work to do on the branding there ...

... and a bit more work to do on the number of UK government services accessible via GOV.UK Verify (RIP). 13? 12? No, not on the SecureIdentity website, neither of those figures, this time it's eight:



Updated 27.3.17

Safran Morpho's identity assurance product, SecureIdentity or secureidentity or Secure Identity or whatever it's called – how many UK government on-line services can it connect you to? 8? 12? 13? You don't know. Safran Morpho don't seem to know.

That's a bit of a worry, as we were saying on 21 March 2017. Safran Morpho are one of the Government Digital Service's "identity providers". You need to be able to trust them. Otherwise you can't trust GOV.UK Verify (RIP). And it's hard to trust them if they can't count. You don't get the feeling you can rely on them.

23 March 2017, Safran Morpho were tweeting again: "Digital access to govt services is changing: here's a helpful Beginner’s Guide to @GOVUKverify ow.ly/hALP308NvZN #identity #infosec". Click on that link and you learn: "At SecureIdentity we’re one of nine verification services you can choose from" and "The first time you use GOV.UK Verify [RIP] to access services, you’ll be given a choice of nine certified verification companies to obtain your own personal secure ID".

Wrong again. Why do Safran Morpho try to confuse beginners? There has never been a choice of nine "identity providers". Briefly, there were eight. Now there are just seven. And of those seven, just four are certified. Three of them, including Safran Morpho, are not certified.

"Competition delivers greater security", say Safran Morpho. Not if some of the competitors don't know what's going on.

We're "Putting you in control". That's what Safran Morpho suggest. They don't seem to be in control themselves.

And not just them. Aren't GDS supposed to do a bit of quality control? This is their identity assurance ecosystem or market that they're trying to create. And one of their agents is misleading the public. In a properly regulated market, that would be quickly detected and corrected. GOV.UK Verify (RIP) doesn't look properly regulated.


Updated 2.6.17

Remember Safran Morpho? The uncertified "identity provider" to GOV.UK Verify (RIP)? The one that can't count?

Well forget it.

There is no Safran Morpho.

Safran have flogged the business to some private equity persons and now it's the uncertified OT-Morpho who own all your personal information and who keep track of you via an app/virus on your mobile.


No announcement from the Government Digital Service, of course. Presumably GDS know about the transaction. Presumably they don't think you need to know:



Updated 7.10.17

We noted above that Morpho don't bother to update their GOV.UK Verify (RIP) information for the public which still tells people that there are nine "identity providers". There never were nine. Currently there are seven. GDS do nothing to correct Morpho. The public continue to be misled.

We noted also that Morpho has now been sold by Safran. Are the new owners as trustworthy as Safran? Who knows. Again, GDS have not bothered to advise the public.

Log on now, four months after completion of the sale to Advent International and Bpifrance, try to create a GOV.UK Verify (RIP) account via Morpho and you still see Safran branding all over the screens.


Odd.

Odder still given that Morpho is no longer called "Morpho". It's now morphed into "Idemia".

There's no mention of Idemia on any GOV.UK Verify (RIP) web pages. The change has passed GDS by. They fail once again to operate their market competently – as we said in March 2016, "GDS have never created or regulated a market in their lives. And it shows".

And there's no mention of GOV.UK Verify (RIP) on Idemia's web pages, nor of SecureIdentity. GOV.UK Verify (RIP) doesn't exist as far as Idemia are concerned. They're not interested. Understandably so. It's dead.

Morpho's GOV.UK Verify (RIP) service was called "SecureIdentity" among other things. Idemia's is called "Augmented Identity". Good name. GDS should have thought of that.

Behind the good name it's just the same old nonsense biometrics. The same parcel has been passed now from Visionics and Viisage and Identix and Iridian to L-1 Identity Solutions to Safran to the present private equity investors.

Why do these organisations keep selling it? Because one day the parcel-holder is going to find that there's nothing inside the wrapping paper, just an augmented loss.

Meanwhile Morpho is in a bit of trouble in Kenya, please see Safran Morpho asks IEBC to push election date to October 26 and French Biometrics Firm OT-Morpho [Idemia] to Sue Kenyans for Defamation Over IEBC System Hacking Claims.

We in the UK can continue to trust Sagem Sécurité Morpho OT-Morpho Idemia with our personal information, of course. Otherwise GDS would surely have warned us.



Thursday, 3 March 2016

RIP IDA – users and their expressed, tacit and created needs for the truth

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Last heard of, Stephen Dunn wrote a blog post with Janet Hughes, please see RIP IDA – what they omitted from the obituary. That was about GOV.UK Verify (RIP) and so is his latest contribution, Meeting user needs:
The GDS Design Principles state that services should start with user needs. To pass the Digital by Default Service Assessment for a live service, the service manager must demonstrate that the team building [the] service understands user needs and has undertaken research to develop a deep knowledge of who the service users are and what that means for the design of the service.
Younger readers may have gained the impression inadvertently given by GDS that researching user needs is a new invention of GDS's. No. Eliciting user needs has been recognised as part of requirements engineering from the year dot. Please see for example Professor Ian Sommerville's Software Engineering, first published in 1982.

A lot of research into requirements engineering has already been conducted. Please see for example either the British Computer Society's syllabus for their exam in the subject or the US Software Engineering Institute's practice area framework for requirements engineering.

GDS are late to the party with their discovery, (according to Mr Dunn it's a GDS discovery), that users have a "tacit need" for their personal information to be held securely and for the GOV.UK Verify (RIP) registration process not to be "stressful or confusing":
Through the research we have conducted, we have been able to distil 4 tacit user needs for GOV.UK Verify [RIP] beyond the user’s expressed need, and we have been using these to prioritise our work to develop and improve the service.
Who knew?

Everyone.

GDS's repeated claim to give unique prominence to user needs is untenable. The rest of Whitehall and local government have a track record stretching back decades before GDS existed of taking user needs into account.

According to the UK parliament's Public Accounts Committee (PAC) GDS ignore user needs anyway when those needs obstruct GDS's superior creed of digital-by-default, please see The Common Agricultural Policy Delivery Programme (p.5):
GDS’s focus on developing a digital front-end to allow farmers to apply online, which was not a European Commission requirement, was inappropriate for farmers ...
Mr Dunn repeats the creed when he says that "there is assisted digital support in place within each service for those who need support to use a digital service".

That is questionable, please see GDS & assisted digital – the project that keeps on starting. It is not clear what support GDS are offering members of the public.

The PAC point out that GDS couldn't even provide the support necessary to the Rural Payments Agency (also p.5):
GDS introduced a level of innovation and risk to the Programme, without assessing whether the Department was capable of managing the changes, and did not provide sufficient support during implementation.
He repeats the creed when he says that "we are making sure that GOV.UK Verify [RIP] is interoperable with other national and international standards and systems".

We have yet to see if GOV.UK Verify (RIP) is interoperable with Scotland's separate national identity assurance scheme, myaccount, and whether it is up to the standards required by the European Union's Regulation 910/2014, eIDAS. We need to see this interoperability in ... operation for ourselves, we can't take it on trust.

"We’re building GOV.UK Verify [RIP] for the whole UK adult population. Our demographic coverage target is to be able to serve 90% of the UK adult population by April 2016". That's just a few weeks away and the claimed Account creation success rate by 28 February 2016 was still only 72% according to GOV.UK Verify (RIP)'s dashboard on the GOV.UK Performance platform.

Repeating the creed like that doesn't achieve the 90% coverage target.

Experian is one of GDS's GOV.UK Verify (RIP) "identity providers". They say that they have identified some databases full of our personal information which, if only they could have access to them in addition to all our credit history, would allow them to improve coverage.

What databases are these? Experian won't say. Neither will GDS, despite having promised to, 15 months ago on 1 December 2014. So much for that other contention in the creed to the effect that GDS are uniquely "open".

Turning to the matter of privacy, Mr Dunn says:
Tacit need 2: I need to be safe and secure

Some of the things we do in the service to help meet this need are:
  • ...
  • designing and building GOV.UK Verify to protect users’ privacy, in line with principles developed by independent privacy and consumer experts ...
The Privacy and Consumer Advisory Group have devised nine principles of identity assurance for GOV.UK Verify (RIP) and GDS do not obviously abide by a single one of them. They just keep dutifully saying that they do.

Mr Dunn repeats the creed when he says that GDS are "requiring GOV.UK Verify [RIP] certified companies [previously known as "identity providers"] to be certified as meeting published standards for identity assurance and information security, and making them liable to their users if they fail to meet the required standards".

How can he say this when he must know that the Post Office, for example, one of GDS's "identity providers", is not certified?

We're talking about tScheme certification here. That's what was promised by GDS back in April 2013. And again in January 2014.

Janet Hughes, the GOV.UK Verify (RIP) programme director, now says "Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system". That's not what was promised.

The Post Office allowed its application for a certificate of trustworthiness to lapse a year ago, on 24 February 2015. Users who think they are registering with the Post Office are actually registered behind the scenes with a different "identity provider", Digidentity.

It's not just the Post Office. Barclays aren't certified and neither are Safran Morpho. And PayPal, another "identity provider", haven't even applied for certification.

Mr Dunn's assertion that "identity providers" are all certified is simply false.

This is wrong. Safran Morpho do not limit their liability to £100.

But not only are all "identity providers" certified according to Mr Dunn, they are also "liable to their users if they fail to meet the required standards". Not very liable.

Take a look at Safran Morpho's terms and conditions, for example. Their GOV.UK Verify (RIP) offering to users is called "secureidentity" and:
  • According to clause 11.3 they're not liable for any "loss or damage suffered by You which was not a reasonably foreseeable or obvious consequence of Us breaching these Terms and Conditions".
  • Then there are four more clauses about things they're not liable for, before at clause 11.8 they say that "Our aggregate liability to You arising out of or in connection with the Identity Service shall not exceed £100".
  • And then clause 11.9 tells users that "Our liability to You shall not include the following business losses that You may incur: lost business data, lost profits, lost earnings, business interruption, and loss of opportunity or reduction in the value of an asset ...".
That elaboration of the creed is not spoken out loud by Mr Dunn.

The creed explicitly includes "putting in place protection and monitoring to protect the service from attack" and "meeting high standards for security". But it excludes any answer to the review of GOV.UK Verify (RIP) conducted by four academics who identified a number of security holes – holes which are not filled by simply repeating the creed.

You'd think that that would be all, wouldn't you.

Well you'd be wrong.

Mr Dunn says that "there are 10 services currently available to the public through GOV.UK Verify [RIP] ...". The GOV.UK performance dashboard for GOV.UK Verify (RIP) only lists nine under Government services, not ten.

One of the government services GOV.UK Verify (RIP) is meant to be connected to is Apply for Universal Credit. Use the Apply in Croydon, Hounslow, Southwark or Sutton button with an appropriate post code and you'll see this:


No sign of GOV.UK Verify (RIP).

Ditto if you use the If you live elsewhere/Start now button, no sign of GOV.UK Verify (RIP), what you'll see is:


There is a stray webpage called Sign in with GOV.UK Verify [RIP] - Universal Credit. Try signing in to Universal Credit from there using GOV.UK Verify (RIP), and you're met with:


There must now be a question whether GOV.UK Verify (RIP) is connected to the Apply for Universal Credit government service at all. The creed seems to be blatantly false.

Famously, GDS's assertion that GOV.UK Verify (RIP) is connected to the Claim rural payments government service is definitely false. There is no such digital service. As the PAC say (p.5):
In March 2015, as a result of the failure of the online application system, the Department had reverted to a ‘paper-assisted digital’ system, requiring a significant amount of manual input and creating a large number of errors.
With GOV.UK Verify (RIP), when GDS promise connections to ten public services, what you get is nine public services, or eight or seven or ...

... and that's just too ambiguous. The creed must be clear. There are too many doubts. Doubts about the number of public services and the security of GOV.UK Verify (RIP) and the question whether its users will be compensated for any losses and the promise that all "identity providers" are certified trustworthy and the control its users have over their personal information and the extent to which GDS are being open with us and the problem of people being excluded and interoperability with other national identity assurance systems and the primacy of user needs and ...

That's not a creed. That's a confused mess. A confused mess that's going live in a few weeks' time, in April 2016 if Mr Dunn is to be believed.

RIP IDA – users and their expressed, tacit and created needs for the truth

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

Last heard of, Stephen Dunn wrote a blog post with Janet Hughes, please see RIP IDA – what they omitted from the obituary. That was about GOV.UK Verify (RIP) and so is his latest contribution, Meeting user needs:
The GDS Design Principles state that services should start with user needs. To pass the Digital by Default Service Assessment for a live service, the service manager must demonstrate that the team building [the] service understands user needs and has undertaken research to develop a deep knowledge of who the service users are and what that means for the design of the service.