Monday, 30 January 2017

RIP IDA – OIX to the rescue 1

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".

23 December 2016, OIX published The value of digital identity to the financial service sector, which explores "the reuse of a GOV.UK Verify [RIP] digital identity in a financial service application process".

Does that report help GDS?

Executive Summary (pp.2-4)
In the Executive summary of their report, OIX tell us that GOV.UK Verify (RIP) "currently has 1 million users, with an ambition to scale to 25 million users by 2020" (p.2).

They're wrong.

Note 1 below demonstrates that there were fewer than 800,000 so-called "verified" accounts in late December 2016, not 1,000,000, and argues that these could represent fewer than 112,000 people.

Note 2 reveals that GDS's ambition is unrealistic in that, at the present rate, it could take until October 2074 to enrol 25 million people. Or March 2425.

And Note 3 questions the quality of GOV.UK Verify (RIP) accounts – are they any use to the financial service sector? To be told as we are seven times during the report that GOV.UK Verify (RIP) is endorsed by the government doesn't answer that question.

OIX say the financial service sector needs "an understandable, convenient, safe and trusted solution to manage and protect our identities online". They may or may not be right about that. The sector may need several such schemes, not just one.

But is GDS's GOV.UK Verify (RIP) a candidate? Given their inability to get the numbers right, confidence in OIX's ability to answer that question is undermined before the reader has even turned to p.3 of their 27-page report.

Participants (p.27)
OIX list eight participants in the production of their report

The list includes Verizon. Note 4 below suggests that Verizon is an odd choice by OIX to use to inspire confidence in GOV.UK Verify (RIP) – Verizon have been dropped from the register of approved "identity providers".

The Post Office are included. Their entry says: "The Post Office is proud to be one [of] the first certified providers of the GOV.UK Verify [RIP] scheme" (p.27).

That sounds straightforward.

Note 5 below demonstrates that it is anything but.

The Post Office isn't certified and it doesn't do any identity assurance work. Without telling the users, that work is actually done for it by another "identity provider", probably Digidentity. And what's more, Digidentity's service is governed by Dutch law, not English.

According to GDS, the other two uncertified GOV.UK Verify (RIP) "identity providers" – the Royal Mail and SecureIdentity – also quietly rely on third parties.

A straightforward proposition might be attractive to the financial service sector. A cloudy proposition, where the Post Office is really Digidentity and the Royal Mail is really GB Group, might not be.

Barclays are included in OIX's list of participants: "We're proud to be the only bank to be selected by UK government as a certified company to provide a safe, secure identity verification service" (p.27).

Unlike the Post Office Barclays are certified but, cloudy again, like the Post Office they don't provide their "safe, secure identity verification service" themselves. The Barclays privacy policy states that: "We may share your personal information with ... Verizon, our technical services partner, so they can perform certain parts of the Identity Service on our behalf".

The participant they don't include in the list is OIX themselves. You might expect OIX to be acting as a professional consultancy which maintains its objectivity by being independent. You might be wrong.

The OIX report is written by Bryn Robinson-Morgan. And according to his LinkedIn entry Mr Robinson-Morgan:
  • worked for the Royal Mail for 7½ years
  • then he worked for the Post Office for 8½ years including over two years on their identity assurance service
  • then he put in 17 months on the Barclays identity assurance service
  • followed by six months producing the OIX report with Innovate Identity, who are one of the five participants we haven't mentioned so far: "Our team have vertical industry expertise in financial services, payments, technology, telecoms, government, online retail, online gambling as well as breadth of geographical knowledge across multiple global jurisdictions ..." (p.27).
If the financial service sector wants an independent assessment of GOV.UK Verify (RIP) it's going to have to look elsewhere.

Financial Sector Analysis (pp.17-20)
OIX conduct a SWOT analysis – strengths and weaknesses, opportunities and threats – to assess the advisability of the financial service sector adopting GOV.UK Verify (RIP).

Under Weaknesses (pp.18-19) OIX note GOV.UK Verify (RIP)'s lack of scale, the failure of GDS to educate people with a digital identity public information campaign, the threats to people's privacy and the absence of any attribute exchange. As OIX say: "A central, commercial, driving force for the adoption of a standards driven digital identity scheme currently does not exist".

Under Threats (p.19) OIX worry that it is not certain that GOV.UK Verify (RIP) will succeed and that the scheme faces competition from Google, Apple, Facebook and Amazon.

The Strengths listed by OIX (p.18) are actually weaknesses:
  • OIX assume that GOV.UK Verify (RIP) provides "a strong identity that has been verified to the highest standards in comparison to existing methods generally deployed" but that's exactly what it doesn't do. (OIX ought to know that.)
  • "With consent and control of the personal data being with the customer", OIX say, "a sense of ownership is established". GOV.UK Verify (RIP) sprays its accountholders' personal information all over the world, out of anyone's control. Like the poor quality low level of assurance identities it peddles, lack of control/loss of ownership is another weakness of GOV.UK Verify (RIP)'s and not a strength.
Which leaves us with the Opportunities (p.19):
  • "Opportunities exist for financial service providers to reduce their costs by reusing an established digital identity". Really? By how much? No answer. When? No answer. OIX provide a SWOT analysis with no figures. And no logic. Just assertion and hope.
  • "Customers who currently abandon the application process can be capitalised upon by removing barriers of privacy ...". How many customers want to be capitalised upon by losing their privacy? No answer.
  • "The development of a unified, trusted brand, can be a catalyst to a reduction in fraudulent applications and opportunistic identity theft". Perhaps it can be. How big would the reduction be? No answer. Equally, a single unified service could make it easier to commit fraud and so increase its incidence rather than reduce it. This particular opportunity could just as well be included under Threats.
During the SWOT analysis on pp.18-19 OIX forget the p.17 "challenge" GOV.UK Verify (RIP) faces in "enabling those with a 'thin' credit file, such as younger people, new to country or those with limited recent financial transactions". Lack of penetration, one more weakness to add to the list.

OIX's hypothesis (p.17) is that: "Financial service institutions would accept an assured digital identity from a third party provider as part of their product application process if an established trust framework met their regulatory and service requirements". They may be right. But they haven't proved that GOV.UK Verify (RIP) is "an established trust framework". It isn't. It's not established. And it's not trusted.

Conclusions (p.25)
"A widely-adopted, fit-for-purpose, trusted, standards-based digital identity scheme could have significant value for the financial services industry ... it could simplify the initial digital engagement with a provider and subsequent transactions ... it could deliver a consistent approach to user identification and management and reduce the cost of onboarding and transactional business processes. It could facilitate the delivery of new services ...  it could provide the basis for delivering new user centric industry models ..." (p.25).

Yes. It could. It could do all sorts of things. The financial service sector probably know that and don't need a 27-page report from OIX to tell them.

They might be interested to know whether GOV.UK Verify (RIP) will be notified under eIDAS (Article 9). OIX don't say.

GOV.UK Verify (RIP) has until 25 May 2018 to comply with GDPR. Are GDS going to make it? The financial service sector might be interested to know but OIX don't say.

They might be interested to know how secure GOV.UK Verify (RIP) is but OIX are silent on the matter. (Not entirely silent, please see Note 6 below.)

They might be interested to know what they're supposed to do with GOV.UK Verify (RIP) which can't verify the identity of companies. Payments can't be authorised by companies via GOV.UK Verify (RIP) because GOV.UK Verify (RIP) doesn't know what a company is, the concept doesn't exist. OIX don't mention that Weakness/Risk. (Or is it a Strength/Opportunity?)

HMRC and Companies House use the Government Gateway for transactions with natural persons, companies, partnerships and trusts. It works and has done for 16 years+. Why are OIX reporting on GOV.UK Verify (RIP) and not the Government Gateway?

It can't be for the financial service sector. Who is this report for?



Note 1
GDS tell us that there were 966,767 accounts on 25 December 2016 of which 185,149 were "... ‘basic accounts’ created as part of a trial between May and July 2015. Basic accounts were not verified by certified companies, but allowed access to government services that required a lower level of certainty about identity". These self-certified "basic accounts" don't count, they are unverified Verify accounts, they should be deducted from the total.

That leaves GOV.UK Verify (RIP) with just 781,618 verified accounts in late December 2016. The OIX claim of 1,000,000 overstates the case by 28%. That's a poor start for the report ...

... and it gets worse. DMossEsq, for example, has created seven GOV.UK Verify (RIP) accounts for himself. He remains nevertheless just one person. GDS say there are 781,618 GOV.UK Verify (RIP) accounts. If everyone has done the same as DMossEsq and created seven accounts for themselves, then there are just 111,660 people involved and not OIX's 1,000,000, which overstates the case by 796%.

GDS's GOV.UK Verify (RIP) statistics go back over two years to October 2014. It could be that as few as 111,660 people have a GOV.UK Verify (RIP) account. By contrast, HMRC signed up 6.7 million users of their new personal tax account service in under 12 months.

Note 2
The ambition of GOV.UK Verify (RIP) is to "scale to 25 million users by 2020".

Since going live on 24 May 2016, GDS have been adding accounts at the rate of 1,172 per day. If 25 million users need 25 million accounts, that could take 21,331 days, which brings us to 18 October 2074, 54 years after GDS's ambitious target date of 2020.

Many of us will be dead by then and many new people will need to be registered. More so if everyone needs seven accounts, in which case we're looking at 18 March 2425, four centuries away.

Note 3
Doubts about the credibility of the OIX report set in before you have even turned to p.3. It's not just the number of GOV.UK Verify (RIP) accounts. It's the quality.

GDS admit that the 185,149 "basic accounts" are associated with a "lower level of certainty about identity". The other 781,618 aren't over-burdened with certainty either:
  • "... the original plan for Verify was for it 'to provide low to medium security ID assurance for citizens, and this hasn’t changed' ...", according to Civil Service World magazine (see also "wildly unrealistic expectations").
  • The US National Institute of Standards and Technology go further. GOV.UK Verify (RIP) doesn't even make it to a medium level of assurance according to them – the 781,618 so-called "verified" accounts are no better than self-certification (see also Table 2-1).
Note 4
"GOV.UK Verify is a federated identity scheme that uses an approved panel of certified private sector companies to confirm the identity of individuals". That's what OIX tell us on p.6.

Verizon is one of the 12 certified companies also known as "identity providers" who signed up to GOV.UK Verify (RIP) – Barclays, Cassidian, Experian, GB Group plc/GBG/CitizenSafe, Digidentity, Ingeus, Mydex, Paypal, the Post Office, the Royal Mail, Safran Morpho SecureIdentity and Verizon.

First Verizon were there on the register of "identity providers". Then, in March 2016, they disappeared. They reappeared in April 2016 and re-disappeared in July 2016, this time perhaps for good – "Verizon ... is no longer a certified company", GDS finally got round to telling the world in January 2017, with no explanation.

A. Consider these comments of OIX's:
  • "... a new approach for digital identities has emerged. One where the user is in control of their identity" (p.5).
  • "Customers are ... demanding greater levels of privacy, control and granular consent" (p.17).
  • "With consent and control of the personal data being with the customer, a sense of ownership is established" (p.18).
  • "Government endorsement being able to reduce customer friction and putting the users in control of their personal data were also seen as strengths" (p.20).
B. Then consider Verizon's claim: "Ultimately, we don’t see ourselves as a data provider; we see ourselves as an ad platform that helps brands and consumers connect". That, and the fine they received for using "supercookies", Verizon fined just $1.4m for stalker supercookies.

B. suggests that Verizon are pulling in the opposite direction from A. when it comes to the ownership and control of personal information.

Perhaps that's why GDS dropped Verizon from the register of "identity providers".

Or perhaps it's something to do with this – German government terminates Verizon contract over NSA snooping fears.

Perhaps GDS didn't drop Verizon, maybe they walked out because there's no money to be made from GOV.UK Verify (RIP).

Maybe Verizon will after all be back in the GOV.UK Verify (RIP) fold one day. They have not one but two identity assurance services approved trustworthy by tSchemeUIS and IPS/IBS.

Confusing, isn't it. No-one knows where they stand. It would help if GDS followed its own advice: "Make things open: it makes things better".

Note 5
Delivering Identity Assurance: You must be certified. That's what GDS promised everyone back in April 2013. "Certification ... is how government, and users, will know that the suppliers can be trusted". What they had in mind was certification by tScheme in the UK or by the Kantara Initiative in the US,

Is the Post Office certified by tScheme?


The Post Office applied for approval of its identity assurance service in February 2014. A year later, its application lapsed:

The claim made by OIX or whoever that the Post Office is certified is false.

GDS claim that all their "identity providers" are certified:

How do GDS square that claim with the fact that neither the Post Office nor SecureIdentity nor the Royal Mail is certified?

A year ago, GDS told us that: "Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system unless and until ...".

Lovers of cockamamie logic will enjoy a related claim made by GDS last month: "It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately".

The joke is likely to have worn off by the time it gets to members of the financial service sector. They are unlikely to be able to undertake payments apparently authorised by DMossEsq, whose identity is apparently verified by the Post Office or the Royal Mail or SecureIdentity but isn't really.

GDS refuse to say who the other "identity provider" is whose system the Post Office uses. We think it may be Digidentity's.

Digidentity's identity assurance service is "governed by Dutch law". This also may cause difficulties for the financial service sector.

We have no clue whose identity assurance system SecureIdentity are using.

The Royal Mail are thought to be using GB Group plc's identity assurance scheme, please see the Government Computing website: "From this week, users wishing to access specific online government services will be able to select the [Royal Mail] to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Please see also the Royal Mail's privacy policy: "In order to verify your identity, we will share your information with our partners, GB Group, who will check it against information held on databases maintained by ...".

It's more complicated than that. When you register with either the Royal Mail or GBG, you find yourself on the website of a third company, Avoco Secure. A user who thinks he or she is opening a GOV.UK Verify (RIP) account through the Royal Mail is actually using Avoco Secure and the account will actually be managed by GBG.

GOV.UK Verify (RIP) should be straightforward. It isn't. The public are being lured in with recognisable brands like the Royal Mail when, behind the scenes, whether they know it or not, they're really dealing with GBG and Avoco Secure. Your dealings with the Post Office turn out to be with Digidentity and to be governed by Dutch law. A more straightforward offering would surely be more attractive to the financial service sector.

Note 6
OIX conducted customer research for their report (pp.10-16) with the terms of reference set out at pp.7-9. The report takes 10 pages to explain that 15 individuals were given a "mid-fidelity clickable prototype" system (p.11) with which to try to open a bank account using a GOV.UK Verify (RIP) identity.

"That this was offered at no charge was highlighted as a positive" (p.13) – is there anyone left who still believes that government and/or bank services are free?

Are the reactions of 15 people to a prototype of any use to the financial service sector?

Apparently these people felt reassured as to the trustworthiness of GOV.UK Verify (RIP) because the government are involved (p.13).

They were using the Post Office to create their GOV.UK Verify (RIP) identity (p.14). This caused "a degree of confusion" (p.14). Were they told that the Post Office had failed to have their identity assurance service approved by tScheme (please see Note 5 above)? Would they still have felt reassured by the government's involvement?

"For most participants, a strong brand recognition was important in their choice of identity provider" (p.14). Were they told that they weren't really dealing with the Post Office, that's just a front, a deception, behind the scenes the identity registration work is actually being performed by another organisation, probably Digidentity, whose brand they probably wouldn't recognise at all (please see Note 5 above)?

Participants were asked "if they felt the process was secure" (p.9). So what if they did feel that it was secure? That has no bearing on the question whether it is secure.

And what did the participants feel after their sessions with the "mid-fidelity clickable prototype"? "Delight", apparently, "in the application journey being frictionless" (p.16).

The financial service sector regulators may not be so easily delighted, much friction to be expected, if the payments industry places any reliance whatever on these research findings of OIX's.


Updated 1.3.17

Project points to using council data in Verify. That's what Mark Say said on 24 February 2017: "A discovery ... project, run by Tower Hamlets and Etive Technologies with the support of the Government Digital Service (GDS) and the Open Identity Exchange (OIX), has provided evidence that an aggregator such as the Digital Log Book could provide supporting evidence to verify the identities of some people who lack the right ‘digital footprint’ in the private sector".

That takes a bit of unscrambling.

"Digital log book" is another name for what we have in the past called a "personal data store (PDS)". Etive Technologies (ET), referred to in Mr Say's article, is a small version of Mydex, the famous promoters of PDSs here in the UK.

ET and Mydex are both small companies. ET claim that there are 11,000+ of their digital log books in existence.

Even if they were bigger, it wouldn't help. We have already demonstrated that a PDS/digital log book is irrelevant when it comes to attribute exchange.

OIX have blogged a bit about their Tower Hamlets project. 12 victims were subjected to user research with a prototype system, not a real one, rather like OIX's methodology above. Watch the video:


Some of the victims say quite clearly that they don't want to share their personal information with all and sundry. Others say that if that's the only way to claim their benefits then they will use digital log books. OIX's conclusion is that everyone (12 people) thinks PDSs are a tremendous idea and what the world needs is another OIX beta/trial.

How secure is ET's service? In what way do ET assist GPG45-style identity proofing? A lot of people have trouble registering with GOV.UK Verify (RIP). Would ET help to improve penetration? By how much? We don't know. We don't know the answer to any of those questions. OIX don't tell us.

All those involved in the registration of GOV.UK Verify (RIP) accounts are meant to be "certified". ET aren't certified. Given that even the Post Office and the Royal Mail and Safran/Morpho SecureIdentity have proved incapable of achieving certification, what chance do ET have?

Mydex never achieved certification either and finally dropped out of the running to become GOV.UK Verify (RIP) "identity providers".

When will OIX learn?

It doesn't matter.

But local authorities do need to realise that they can expect little if any benefit from GOV.UK Verify (RIP), with or without Etive Technologies.

Project points to using council data in Verify?
No it doesn't.

Updated 8.4.17

About 30 percent of attempts to register with GOV.UK Verify (RIP) end in failure. That's what the Government Digital Service (GDS) said. When they used to publish registration/enrolment statistics.

They wanted to get that failure rate down below 10 percent before declaring GOV.UK Verify (RIP) to be "live". In the event, the system is now supposedly live and we haven't the least idea how many people fail to get a GOV.UK Verify (RIP) account because GDS stopped publishing the statistics.

There's clearly still a problem, though, and once again here comes the Open Identity Exchange (OIX) to the rescue.

OIX oversaw an experiment involving GDS, Safran and Timpson. 16 people who had failed to register on-line with GOV.UK Verify (RIP) were invited to try again, off-line, face-to-face, in a Timpson shop, please see Face-to-face identity proofing to help people obtain an assured digital identity.

OIX mislead their readers when they say: "Obtaining a GOV.UK Verify [RIP] digital identity with a certified company - otherwise known as an identity provider - is an online experience" (p.3). Famously, Safran is not a certified company. Neither is Timpson.

Timpson have created a brand name, ArkHive, and OIX say: "Users were happy with the concept of creating an ArkHive account as a way of sharing access to documents with their identity provider" (p.3). An ArkHive account sounds like a personal data store (PDS) and "users" may care to think again before declaring themselves "happy with the concept".

How does visiting a Timpson shop overcome the problem of registering on-line with GOV.UK Verify (RIP)? The answer isn't clear. You have to do a bit of detective work.

OIX tell us that the 16 GOV.UK Verify (RIP) victims turned up at Timpsons with their passport and driving licence, both of which were scanned, then they had their photograph taken, then they went away and some days later they were told whether they had succeeded in registering. How does that work? OIX don't tell us.

We learn a bit about the reactions of the victims:
  • "Participants didn’t like having their photo taken. The process of capturing an ID photo in store was an area of great discomfort for participants, this being due to a natural dislike of their photo being taken, particularly by women" (p.19), for example.
  • And "Participants did not feel comfortable entering a password in the shop. Participants were most uncomfortable with entering a password when setting up their ArkHive account. Entering a password in store was considered the weakest link in the service, since it was a public computer" (p.26). Very sensible of the participants.
  • Then their good sense deserted them: "the process was changed to enable the participants to enter a password in their own time. Two-step authentication using an email address or mobile number allowed the participant to receive a text whilst in store with a temporary code that then prompted them to change their password when they first logged into their ArkHive account. It was clear that participants felt this was secure" (p.26). Why does this feel any more secure than entering your password in the shop?
  • “It’s an online document storage folder as secure as Dropbox, Google Drive or iCloud” – James, 38 (p.20). How does James know that?
  • "The participants’ trust in the service is transferred from its association with GOV.UK. Participants trusted the SecureIdentity brand [Safran] because it was recommended by GOV.UK. That trust then continued to the ArkHive brand as it had been recommended and certified by SecureIdentity [Safran]. Participants trusted the overall service" (p.18). There's not a lot supporting this trust house of cards and a fair amount undermining it (p.10):
The only one with access? Complete control?

But OIX do not tell us how this Timpson/Safran process amounts to face-to-face identity-proofing. Not in so many words, at least. But there's a graphic on p.10, a representation of the "user journey", which includes this at step #3:

Facial recognition technology.

So that's why Safran – the self-proclaimed world leader in biometric identity solutions – are involved in this OIX exercise.

Mass consumer biometrics are utterly unreliable. Facial recognition is the world leader in mass consumer biometrics utter unreliability. The Association of Chief Police Officers (now NPCC) told the House of Commons Science and Technology Committee that they were "not aware of [police] forces [in England and Wales] using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para.95).

GDS are being fooled, so are OIX and Timpson, and so are the public if they believe that mass consumer facial recognition biometrics technology will prove anyone's identity.

Why would the financial service sector (please see above) rely on an identity "proved" by facial recognition biometrics? They wouldn't.

Why would Her Majesty's Revenue and Customs pay a tax refund to an identity "proved" by facial recognition biometrics? They wouldn't.

Will mass consumer biometrics help GDS to increase the roll to 25 million GOV.UK Verify (RIP) accountholders in the next three years? No. 25 million times no.

OIX to the rescue? No.

GOV.UK Verify (RIP) will have to look elsewhere for the solution to its on-line registration/enrolment problem.

Updated 11.4.17

If a crook convinces your bank that he or she is you and gets some money out of your account, you slip into the well-oiled machine of the banks' fraud procedures, they compensate you and, if necessary, your new debit card turns up a few days later. That's an integral part of a live service.

The Government Digital Service (GDS) claim that GOV.UK Verify (RIP) is a live service. But they don't have well worked out procedures to follow in the event that your account is hijacked.

We know that because OIX have helped to test a suggested procedure, please see Identity repair in the GOV.UK Verify [RIP] federation:
  • "This report summarises the results of an Open Identity Exchange (OIX) discovery project conducted on the subject of Identity Repair ... The project tested out an online identity repair function ... It also considered how identity repair services should be branded and initiated ... Further work will be conducted following this initial project ..." (p.4).
  • "It is anticipated that this collaborative project will lead onto an alpha project that will design and refine the identity repair function" (p.21).
GDS hope to interest the UK financial service sector in GOV.UK Verify (RIP). Not a chance. Not with GOV.UK Verify (RIP) in this state of fatal vulnerability, with no "repair function".

---  o  O  o  ---

As a matter of interest, you may ask how is the proposed OIX repair function supposed to work? Biometrics (p.17):

Hopeless. GOV.UK Verify, RIP.

RIP IDA – OIX to the rescue 1

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".

23 December 2016, OIX published The value of digital identity to the financial service sector, which explores "the reuse of a GOV.UK Verify [RIP] digital identity in a financial service application process".

Does that report help GDS?

Friday, 30 December 2016

@gdsteam & HMG's digital transformation strategy

Sir Jeremy Heywood is the Cabinet Secretary and the Head of the UK's Home Civil Service ... He published his review of calendar 2015 in a series of 54 tweets between 23 December 2015 and 3 January 2016 ...
That's what we wrote on 24 January 2016.

No such review of 2016 is being tweeted at the moment by Sir Jeremy.

Perhaps nothing much has happened this year.

@gdsteam & HMG's digital transformation strategy

Sir Jeremy Heywood is the Cabinet Secretary and the Head of the UK's Home Civil Service ... He published his review of calendar 2015 in a series of 54 tweets between 23 December 2015 and 3 January 2016 ...
That's what we wrote on 24 January 2016.

No such review of 2016 is being tweeted at the moment by Sir Jeremy.

Perhaps nothing much has happened this year.

We noted on 8 February 2016 that Sir Jeremy has linked his fate to the fate of the Government Digital Service (GDS): "Sir Jeremy can't keep away from the importance of the digital transformation of government by GDS".

GDS were given a budget of £450 million in the Spending review and autumn statement 2015. That was 13 months ago on 27 November 2015. GDS have never explained what they're going to do with the money. In that sense perhaps nothing much has indeed happened this year.

The department that Sir Jeremy depends on to transform government digitally has operated for more than a year with no published strategy. And the published strategy before that had no academic support.

GDS keep promising to publish their new £450 million strategy. As late as 14 December 2016 ex-Goldman Sachs man Kevin Cunnington, GDS's director general, was telling Civil Service World magazine that the strategy would be published before Christmas: "A new strategy is due out before Christmas which will set out our priorities for digital and a really ambitious transformation agenda for government".

Two days later, 16 December 2016, Computer Weekly magazine were telling us Government delays release of digital transformation strategy until new year. That's not how a smoothly-run publicity machine operates.

The director general says the document will be published before Christmas. Two days later, egg on face, he turns out to be wrong. It's unsettling to see such an about turn.

A GDS strategy document does exist. Derek du Preez, our favourite banshee, told us so on 12 December 2016 in Leaked Government Transformation Strategy leaves lots to the imagination. Why not publish it?

There has to be a good reason to endure the embarrassment of saying you're going to publish a document that's already been divulged to journalists and then not doing so. What is that good reason?

Not just one. There are several good reasons you might suggest.

Before considering those good reasons, note that the delay in publication of the GDS strategy could be a good sign. It could indicate that responsible mandarins are finally looking at GDS's actual skills and not the supposed skills puffed in GDS's PR – reality could be getting a look-in:
  1. Transforming government requires original thought. It requires innovative imagination. There has been no sign of that at GDS in the five years of their existence. GDS always say that it's no good just changing the front end of government services, public administration needs to be thoroughly re-engineered. Then they change the front end and leave it at that. That is the opinion of GDS's first deputy director, Tom Loosemore, now at the Co-op:

  2. Edgy? Revolutionary? Restlessly and tirelessly in search of solutions? No. Slaves to fashion, bound by convention, GDS has already retreated into the comfort of process. They keep doing the same thing. Even when it doesn't work.

  3. Transforming government requires considered experience of public administration and GDS don't have it. As Stephen Foreshew-Cain said when he was briefly executive director of GDS, it's the other departments and their suppliers who "understand their users and services better than we ever will ... They know the policy, the intent of that policy, and the legislation that sits behind it ... They know their users better than anyone. They are by far the best people to meet those user needs".

  4. Transforming government requires some ability to work professionally with the departments of state, their agencies and local government. GDS got off to a bad start with the Electoral Commission, who blamed them for causing delays to the 2012 confirmation pilot for individual electoral registration. Relations broke down with DEFRA's Rural Payments Agency, please see Government Digital Service “hindered delivery” of rural payments programme, Public Accounts Committee says. GDS have been witheringly dismissive of local government for years. That has changed now that GDS find themselves in need of local government. Mike Bracken, GDS's first executive director, told the Americans three years ago that his job was not to collaborate with Whitehall but to route round it. As late as 5 July 2016, he was still saying of Whitehall that it is set up for nothing more than "an intellectual pissing match". Stephen Foreshew-Cain, Mr Bracken's successor at GDS, said that he recognised the need for collaboration but promptly accused other government departments of "decades of inaction and inertia". There are bridges to mend.

  5. Transforming government is held by GDS to involve getting rid of the established "oligopoly" of suppliers (Capgemini, HP, BT, IBM, Fujitsu, Atos, CSC, Capita, ...) and replacing them with small and medium-sized enterprises (20.11.14) on short contracts (not that the SMEs always agree). GDS lack the data processing skills to design, build and maintain large complex computerised systems. Or even small simple ones. After five years, there is barely a dent in the armour of Capgemini, HP and the rest.

  6. Transforming government is held by GDS to involve getting rid of the established "silos" of data maintained by the separate departments of state and replacing them with "canonical registers" shared all across Whitehall to support government as a platform. In their Walter Mitty imagination, GDS would have "domain control for the domain", i.e they would have control over a new single source of truth super-silo-of-all-the-silos, please see Smash the silos. The departments of state might in the circumstances be imprudent to abrogate their constitutional duty in this way.

  7. "Digital transformation" is held by GDS to mean putting public services on the internet: "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". The caravan has moved on since the internet's hippy innocence of 1995. In addition to the beneficial culture, practices, processes and technologies of the internet era, people now consider also fraud enabled by the internet, and espionage and surveillance and paedophilia and terrorism and pornography and the monetisation of personal information. But GDS are still in 1995, they promise unqualified security that they can't deliver and they promise privacy/confidentiality that ditto.

  8. The digital transformation of government requires universal identity assurance services to support transactions between people and public services. There was no progress in 2016, nothing happened, GDS's GOV.UK Verify (RIP) is still not up to it. No identity assurance, no digital government transformation.
There are more but that's enough good reasons to delay the publication of GDS's strategy for many a Christmas yet. It behoves us all to support Sir Jeremy and Whitehall's other mandarins if they have finally spotted that it is a delusion to suppose that GDS is the obvious centre for government transformation.


Updated 2.1.17

Data at GDS (the Government Digital Service) is "a blog about the tools and techniques used by GDS for data analysis" and back in November GDS told us about how they use artificial intelligence to automate the assessment of user feedback, please see Understanding more from user feedback.

GDS use topic modelling: "In machine learning and natural language processing, a topic model is a type of statistical model for discovering the abstract 'topics' that occur in a collection of documents". A human being reading a piece of user feedback knows what it's about, it's obvious what the topic is. A computer program has to "abstract" it. How?

Answer according to GDS, by using techniques like "Latent Dirichlet Allocation (LDA), Latent Semantic Indexing (LSI) ... and Non-negative Matrix Factorization (NMF)". Using Kullback-Leibler divergence with LDA allows GDS to "find the statistically optimum number of topics" so that, if the words "find" and "contact" for example occur in a piece of user feedback, then "we can see that users are trying to complete the task of finding a way to contact a service".

"This approach can also be used", GDS conclude, "to tackle a range of text analysis challenges ... such as quickly understanding policy consultation responses".

That's quite a leap. One minute GDS are telling us how hard it is to work out algorithmically what a piece of text is about. Next minute we're supposed to believe that natural language processing could assess the merits of a tax expert's response to a consultation conducted by Her Majesty's Treasury.

How close are GDS getting to artificial intelligence that can grasp the semantics of documents written in natural language?

Just before Christmas GDS published Using machine learning to classify user comments on GOV.UK. They're looking at three features of user comments: "the ratio of upper case characters to total characters, the total number of characters entered in the text box, and the ratio of exclamation marks to the total number of characters".

So, not close. You may have been hoping for something sophisticated. Something transformative. In the event, in the name of data science, they're counting exclamation marks.

Updated 7.2.17

Privacy groups urge dropping entire Digital Economy Bill data clause – thus Neil Merrett yesterday, "read him early, read him often", as we always say.

His latest article isn't just about the ghastly Digital Economy Bill. It also covers GDS's dance-of-the-seven-veils national digital transformation IT strategy:
The Cabinet Office has said that the publication of the new GDS strategy was expected to be unveiled by Cabinet Office minister Ben Gummer this week.
All the top performers have left the GDS stage now. Ditto the senior members of the chorus.

There's almost no-one left at GDS to support Mr Gummer as he comes out from behind the curtain and, blinded by the footlights, makes his way to the front of the stage to entertain a packed house wearing nothing more than version 107f, or whatever, of the aforementioned national digital transformation IT strategy. There's ex-Goldman Sachs man Kevin Cunnington, Director General of GDS. And after that, no-one. They've all left.

Support could be provided by drafting in some of the GDS talent of yesteryear.

Maybe it would help to have some razzmatazz from the US or Australia.

GDS could call on the bottomless pool of talent at the Department for Culture Media and Sport, the Department for Work and Pensions and the Department for Business Energy and Industrial Strategy.

John Manzoni or Sir Jeremy Heywood could assist at the unveiling of the long-awaited strategy.

It's going to be lonely. Good luck, Mr Gummer.

Updated 20.2.17

Neil Merrett promised us the publication at last of the long-awaited government transformation strategy please see above and, lo, it finally came to pass a year late on 9 February 2017.

Next day, Computer Weekly magazine served up Government digital strategy ticks the boxes - but real transformation needs more radical ambition. That cool reaction was followed on St Valentine's Day by GDS, HMRC and Verify: so much for cross-government digital collaboration and on 15 February 2017 we got HMRC ID vs Verify [RIP] – what’s the difference, and why it matters.

"Building on the work we have already done", GDS say on pp.11-12, "our priorities for government up to 2020 are ... making better use of GOV.UK Verify [RIP] by working towards 25 million users by
2020 ...".

A fortnight before the publication of GDS's strategy, HMRC had already announced that they were proposing not to use GOV.UK Verify (RIP). Both DWP and the NHS have in the past expressed reservations about using GOV.UK Verify (RIP). Scotland has its own identity assurance scheme, the private sector has several and has no need of the under-performing GOV.UK Verify (RIP) and neither does local government.

The question arises therefore how on earth GDS could possibly achieve 25 million GOV.UK Verify (RIP) users in three years time.

They can't ...

... unless they cheat ...

... in connection with which, cast your mind back all the way to 1 February 2017 and the GDS blog post Growing Verify: services that need less proof of identity. The proposal there is to go back to "basic accounts", GOV.UK Verify (RIP) unverified accounts, self-certification, level of assurance 1 accounts.

Perhaps GDS could get 25 million people to self-certify. The basic accounts created would be of no use whatsoever to relying parties like DWP, the NHS, et al. But GDS would have achieved their strategic target – 25 million sort-of-users.

Updated St Patrick's Day 2017

Neither of them is employed by GDS any more but according to Tom Loosemore and Stephen Foreshew-Cain "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations". GDS haven't advanced any other definition of the word "digital" and we may assume that they are still happy with it.

We have pointed out certain problems with that definition based on the culture of the internet era. The culture includes large dollops of pornography and fraud and it involves the mass destruction of any notion of privacy. GDS surely don't approve of that but they haven't yet distanced themselves from those aspects of the internet era by providing a new definition of "digital".

They probably should do. Today we learn that Gov.UK pulls plug on its YouTube ads amid extremism concerns. Inadvertently, Her Majesty's Government have been paying for advertisements to appear on extremist websites, thereby funding extremism. This discovery is all thanks to an investigation mounted by The Times newspaper, please see for example Taxpayers are funding extremism.

It's time for GDS to provide a serviceable definition of "digital".

Updated 27.3.17

We noted a month ago that the chances of the Government Digital Service (GDS) increasing the number of people registered for GOV.UK Verify (RIP) accounts to 25 million by the year 2020 are nil. If they're lucky.

2074 maybe. Or even 2425. But not 2020.

GDS could cheat. They could count unverified accounts as though they were verified. But that would be cheating. It wouldn't convince anyone. Certainly not the ladies and gentlemen of the UK financial sector who, GDS hope, are looking for a way to use GOV.UK Verify (RIP).

That hope may be in vain but it's all GDS have left. As noted in an interview they gave to Government Computing. Talking about the inability of GOV.UK Verify (RIP) to match the Government Gateway, ex-Goldman Sachs man Kevin Cunnington, director general of GDS, says: "It would be nice if they become a citizen brand called Verify".

"It would be nice". Hope. Wishful thinking. Sad but that's all there is ...

... or not quite all. There's also a plan. A plan for how to achieve 25 million accountholders. What kind of a plan? A concrete one. A very concrete one – Cunnington: “Very concrete” plans mapped for 25m user Verify expansion. There's a "plan" and a "target" and an "ambition" and an "aim". The plan/target/ambition/aim "exists", we are told, and it's "very specific" but it's "not publicly available". So much for the GDS watchword make things open, it makes them better.

Mr Cunnington is openly planning/aiming to include basic, unverified GOV.UK Verify (RIP) accounts "because not all services require you to so formally identify yourself". The 25 million accounts will include millions of self-certifications. You don't need an identity assurance scheme to do that and you don't need to pay "identity providers" to do it for you. It's smoke and mirrors.

"The tax domain was one area Cunnington suggested where this lower level of ID assurance may be relevant to increase the number of Verify users". Really? Does Mr Cunnington really think that Her Majesty's Revenue and Customs will be happy to pay tax refunds to someone whose identity hasn't been verified? We looked at this last November. It's self-deception.

Wishful thinking. Unverified verifications. Smoke. Mirrors. Self-deception. This isn't a strategy. Goldman Sachs wouldn't put up with it. Neither should Whitehall. Nor should we.

Updated 4.4.17

Last week the National Audit Office (NAO) published a new report, Digital transformation in government. They say: "This report examines the role of Government Digital Service [GDS] in supporting transformation and the use of technology across government":
  1. It is not yet clear what role GDS will play in relation to the [Transformation Peer Group] ... (13)
  2. GDS has also struggled to demonstrate the value of its own flagship initiatives such as Verify, or to set out clear priorities between departmental and cross-government objectives (20)
  3. ... there continues to be a risk that GDS is trying to cover too broad a remit with unclear accountabilities (21)
  4. To achieve value for money and support transformation across government, GDS needs to be clear about its role (21)
  5. ... we recommend that ... GDS, departments and other parts of the centre of government should clarify responsibilities for transformation ... (22a)
  6. ... we recommend that ... Roles, responsibilities and plans for delivering the new transformation strategy are more clearly defined (22a)
  7. GDS should undertake a further phase of planning with clear costs, timescales and monitoring arrangements (22a)
  8. ... we recommend that ... GDS improves the clarity, relevance and consistency of guidance and technical standards (22c)
  9. It should make clear the relative status of guidance documents ... (22c)
  10. It should track performance against clear technical and programme measures ... (22d)
  11. It is not yet clear how GDS will measure the [Government Transformation Strategy]’s progress ... (1.13)
  12. ... we examine Government Digital Service’s (GDS’s) role in setting strategy and consider its recent experience of ... developing a clear strategy for government (2.1)
  13. GDS’s experience over the last five years highlights challenges relating to the clarity, completeness and interpretation of the [2012 Government Digital Strategy] (2.3)
  14. It is not yet clear how GDS will prioritise its activities over the next few years, or how it will develop a plan to support its new approach (2.5)
  15. GDS’s role in supporting transformation is not set out clearly in the new Government Transformation Strategy (2.7)
  16. We found that responsibilities between GDS, the [Infrastructure and Projects Authority] and departments are not clearly defined (2.7)
  17. It is not clear who is responsible for driving business transformation in government ... (2.7)
  18. It is also unclear how they will do this (2.7)
  19. In an internal review in 2015, GDS found that there was a lack of clarity about the purpose of the Performance Platform (2.10)
  20. The minutes for four months from September 2016 noted that the Digital Group (which covers Verify and other common services) had to ask [GDS's Advisory Board] to clarify current priorities ... (2.17)
  21. In the new Government Transformation Strategy, GDS has restated the importance of using data to support transformation in government ... It is not yet clear how GDS plans to take forward its work in this area (3.15)
  22. Overview of GDS’s activities to support data transformation ... No overall data strategy to provide clarity of overall purpose (Figure 9)
  23. Lack of clear framework for [Technology Code of Practice] (4.9)
  24. GDS has had to clarify its guidance in response to confusion about requirements for adopting different contracting models (4.12)
  25. It is not clear how new platforms are meeting the greatest need ... (4.16)
  26. Lack of clarity of purpose and a poor understanding of wider government requirements can lead to unanticipated problems ... (4.18)
  27. It is not clear how or when GDS will determine whether continuing with Verify will achieve projected benefits (4.26)
  28. ... the business case is highly reliant on assumptions about savings in departments, and it is not clear whether these are reasonable (4.27)
  29. GDS’s estimate of savings is heavily dependent on avoided costs in departments ... it is not clear that these are good benchmarks (4.31)
  30. It is not yet clear whether Verify will be able to overcome the limitations that have prevented its widespread adoption across government ... (4.33)
  31. GDS has also struggled to demonstrate the value of its own flagship initiatives such as Verify, or to set out clear priorities between departmental and cross-government objectives (Figure 15)
  32. ... there continues to be a risk that GDS is trying to cover too broad a remit with unclear accountabilities (Figure 15)
  33. ... GDS needs to be clear about its role ... (Figure 15)
After a while, you get the point. The NAO were looking for clarity. And didn't find it.

Hardly surprising. GDS have little or no experience of public administration.

If the NAO wanted to learn about digital transformation in government, they'd do better to study HMRC, Her Majesty's Revenue and Customs.

The NAO report will give both local government and the private sector occasion to re-consider the prudence of their involvement, if any, with GDS's identity assurance platform, GOV.UK Verify (RIP). And central government, too: "... this means that departments face weak incentives to adopt Verify" (4.30).

The NAO add nothing to anyone's confidence in GDS's payments and notifications platforms, GOV.UK Pay and GOV.UK Notify. Confidence in GDS's performance platform is further undermined.

Relations between the team, the Office for National Statistics (ONS) and GDS will be strained by the NAO report. What do GDS have to teach and the ONS about data analysis (3.13-15)?

The NAO are silent on GDS's contributions to the discipline of machine learning ...

... but voluble on the failures of GDS's exemplars programme (3.5).

Sir Jeremy Heywood, Cabinet Secretary and head of the civil service, has previously reposed his trust in GDS to improve the public's trust in Whitehall. The NAO report suggests that he may be disappointed.

Updated 14.2.18

Take a look:
From: Team []
Sent: 11 April 2011 12:32
To: 'DMossEsq'
Subject: Re: [Questions] Home Office spend over £25,000

Hi David,

Thanks for getting in touch with and for flagging up that these links are incorrect. It appears that the incorrect URL for the file has been added to the registry, hence the link does not work. I have asked the department to resubmit the correct links. In the interim, you can view the expenditure data on the following page of the Home Office web site:

I hope that this is helpful.

Best regards,

The team
On Thu, Apr 7, 2011 at 5:05 PM, <DMossEsq> wrote:
David Moss sent a message using the contact form at

The returns for November and December 2010 are missing.
Can we the public please see the figures.
Worthy? Yes. Dull? Yes. But look at the date. April 2011. Getting on for seven years ago. And when did get started? Answer, " launched publicly with a beta version in January 2010", eight years ago.

Now roll forward eight years to last Thursday, 8 February 2018, and Kevin Cunnington's blog post, The Government Transformation Strategy - one year on: "We’re helping government make better use of data - to use data as an enabler of public services. We’re also helping government publish data through and registers".

Mr Cunnington is the director general of the Government Digital Service (GDS), his blog post is all about the tremendous achievements of GDS during the year since he finally published his strategy and here he is trying to take the credit for doing the job it's been doing very well since before GDS existed.

GDS try to provide the components for government departments to assemble into systems and Mr Cunnington tells us that: "There are now more than 175 services across government that use one of the common components we operate. For example the Driver and Vehicle Standards Agency [DVSA] uses GOV.UK Notify to remind people when they need to have an MOT test for their vehicle. This service now has more than 500,000 users" and "Bath and North East Somerset Council uses Notify to let residents know about bin collection days".

DVSA send DMossEsq emails to remind him to get MOTs for his two cars. (Is DMossEsq one user in Mr Cunnington's calculus, or two?) Is GDS trying to take the credit for inventing email? Lotus Notes has been providing workflow management since 1989. Should IBM, who now own Lotus Notes, thank GDS?

153 services use GOV.UK Notify out of Mr Cunnington's impressive-sounding 175. So the other components GDS provide rack up just 22 services between them.

"Public sector current receipts are expected to be about £769 billion in 2018-2019". That's what it says in HM Treasury's Red Book (p.5) while Mr Cunnington tells us that "more than £39.3 million in payments has passed through GOV.UK Pay". That's 0.0051105332% of expected receipts. Mr Cunnington doesn't tell us who we should thank for the other 99.9948894668%.

"And we’re tackling the challenge of identity assurance through GOV.UK Verify [RIP]. GOV.UK Verify [RIP] is being used in a range of services [16 of them] across government. For example, HMRC is using it to help people check their income tax online and HM Land Registry will use it to support the launch of a new digital mortgages service". That's Mr Cunnington again.

The story of GOV.UK Verify (RIP) is the story of failure, there is no need to go over it again here, please see DMossEsq passim.

Except for that last bit, "HM Land Registry will use [GOV.UK Verify (RIP)] to support the launch of a new digital mortgages service".

HM Land Registry have created their own electronic signature system. That's what might support their digital mortgage service, not GOV.UK Verify (RIP). GDS and their "identity providers" refuse to accept any liability for their identity assurance failures and, as a result, Parliament is being warned that the taxpayer will have to pick up the cost of any contingent liabilities which arise.

One last example of GDS's success in the first busy year of its strategy: "... we’re building service journeys into GOV.UK – piloting this approach with the ‘Learn to drive a car: step by step’ page. These service journeys take all the content and transactions on GOV.UK and put them into a coherent service journey that users and government understand":

GDS were given four years to 31 March 2020 to spend £450 million

As to the future, "EU Exit is the biggest challenge government faces at the moment and GDS is supporting all departments to meet this challenge".

How much do GDS know about Brexit?

Let's hope it's a bit more than they know about data modelling. And data ethics. And artificial intelligence. And machine learning. And the internet of things. And distributed ledgers/blockchain. And biometrics. And public administration. And ...

Updated 3.12.18

In the UK welfare system we have a benefit called "carer's allowance":
How it works
You could get £64.60 a week if you care for someone at least 35 hours a week and they get certain benefits.

You do not have to be related to, or live with, the person you care for.

You do not get paid extra if you care for more than one person.
Carer’s Allowance can affect the other benefits that you and the person you care for get. You have to pay tax on it if your income is over the Personal Allowance.
Carer's allowance is administered by the Department for Work and Pensions (DWP).

Five- Four-and-a-bit years ago back in July 2014 Mike Bracken, the first executive director of the UK's Government Digital Service (GDS), published a blog post – What we mean when we say "service transformation". Under the tutelage of GDS, DWP Digital had introduced an on-line claim form to supplement the existing paper one:
It’s dramatically faster to use and works beautifully on phones and tablets as well as standard computers.
The paper form issues from "an outdated mainframe computer that churns these things out the same way it was designed to churn them out years ago". Not so with the on-line service:
... when we talk about "transformation", we don't just mean messing about with the hardware and software that makes things happen. We mean thinking about the whole service, getting a multidisciplinary team together, and transforming the experience for users, for the people who are seeking help when they put in a claim. We mean delivering a better experience for them, doing something that makes a genuine difference to their lives.
Thanks to GDS, DWP now has "new ways of working" using "agile techniques". DWP are "making decisions with data", they "release code on a two-week cycle, rapidly iterating on what came before" and "the team is now making use of cloud-based infrastructure and services".

This is "delivery in action, ... The DWP’s Digital Leader Kevin Cunnington [now director general of GDS] has some great people working on this and other projects (and has been busy recruiting more)". DWP will "end up with a truly transformed service, something designed to meet the needs of the people who use it. Something that delivers".

Carer's allowance was exemplar #12 in GDS's failed 25-service transformation plan.

That was July 2014.

Now roll forward to 1 December 2018.

Nothing in the encomium above could prepare you for that day's edition of BBC Radio 4's Money Box which reports that the House of Commons Work and Pensions Select Committee has accused DWP of "shocking ineptitude" and "gross incompetence".

DWP have been over-paying carer's allowance. They are dealing with about 70,000 cases at the moment, out of 850,000 claimants. There has always been some over-payment but never so many cases at once. And DWP are taking so long to identify cases of over-payment that the claimants don't owe just a few weeks-worth of £64.60 but several years-worth. These carers are now being sued by DWP, some of them, for tens of thousands of pounds.

That shouldn't happen. It's inept of DWP and incompetent.

So much for transforming the experience for usersmaking decisions with data and delivery in action. Releasing code on a two-week cycle doesn't seem to have helped and neither do agile techniques, rapidly iterating and making use of cloud-based infrastructure and services.

So much for when we talk about transformation, we don't just mean messing about with the hardware and software that makes things happen. We mean thinking about the whole service ...

With GDS, it's just talk. They say they've transformed the whole system, end to end. In fact, it's just the front end. It's putting lipstick on pigs, please see above.

They say they're making decisions with data but an all-time high of 70,000 investigations into over-payment says they're not.

They say they know how to move government into the internet era and the select committee say they're inept and incompetent.

Money Box reveals that DWP are sent up to date information about the carers' income and about the PAYE/NI that they're paying. That's Pay As You Earn (i.e. income tax) and National Insurance. That is presumably a reference to Her Majesty's Revenue and Customs's RTI system (Real Time Information).

RTI is designed to collect this information every time someone is paid instead of just once a year. The idea is precisely to make the appropriate changes to welfare payments quickly. That clearly isn't happening.

GDS's repeated assertion that data-sharing would ensure better public services is not the simple tautology they claim. It is a dubious hypothesis. Certainly in the case of DWP/HMRC data-sharing it is. 70.000 times over.

Friday, 16 December 2016

RIP IDA – 119 years? Not many people know that.

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

GDS, the Government Digital Service, were meant to have an identity assurance service "fully operational" by March 2013.

That didn't happen but they have been testing GOV.UK Verify (RIP) since February 2014 ...

... and the system was declared to be live on 24 May 2016.

Between 23 May 2016 and 11 December 2016 237,850 GOV.UK Verify (RIP) accounts were created. That's an average of 1,172 per day.

The Office for National Statistics estimate that there were 50,908,702 people in the UK aged 18 or over in mid-2014.

At the rate of 1,177 1,172 per day, it would take 43,450 days to create 50,908,702 GOV.UK Verify (RIP) accounts. That's more than 119 years.


Updated 10:43

GDS have a number of "identity providers" under contract to provide GOV.UK Verify (RIP) with identity assurance services. Relying parties like HMRC, for example, need to know that the person on the other end of the line applying for a tax rebate really is who they say they are before any money can be legitimately handed out.

These contracts are entered into under the terms of a framework agreement.

There was an early framework agreement covering the test phase of GOV.UK Verify (RIP). Then, on 25 March 2015, GDS announced that they had Framework 2 up and running. There were to be nine "identity providers". PayPal never showed up and Verizon have disappeared so, in the event, there are just seven. Those seven "identity providers" have trouble registering more than about 70% of applicants. Even where an application succeeds, it is unclear how reliable the identity is.

The contract notice for Framework 2 is available on OJEU, the Official Journal of the EU: "The Government's aim is that all the central government services that need identity assurance for individuals will be using GOV.UK Verify [RIP] by March 2016". That didn't happen.

The contracts under Framework 2 last for a maximum of four years. If the registration of adults in the UK is going to take 119 years – please see above – then we must expect it to end under Framework 30.

Updated 12:43

Framework 1 was valued at a ridiculously low £25 million + VAT.

Framework 2 was valued at £150 million: "Estimated value excluding VAT: 150 000 000 GBP". In a UK population of 50,908,702 adults, that's about £2.95 of assurance per person.

Suppose the next 28 framework agreements are valued at the same £150 million. That takes the total for all 30 frameworks to £4,375 million.

We know from the Framework 2 contract notice that: "This procurement competition is managed on behalf of the Contracting Authority by the Crown Commercial Service (CCS)".

We know from a report by the National Audit Office (NAO) that: "... This reduction in CCS’s income will be offset by an increase to an existing levy that suppliers pay when they provide services under CCS frameworks ... The levy is currently around 0.5% and will become around 0.9% of the costs of services provided under CCS frameworks" (para.3.5, p.47). So over the course of the 30 framework agreements, CCS would expect to rake off between £21.875 million commission at ½% and £39.375 million at 0.9%, call it £40 million in round numbers.

That may seem like a relatively small amount of money but, given that the NAO find that CCS add no value whatever, it's a waste: "it is not possible to show that CCS has achieved more than departments would otherwise have achieved by buying common goods and services themselves".

RIP IDA – 119 years? Not many people know that.

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

GDS, the Government Digital Service, were meant to have an identity assurance service "fully operational" by March 2013.

That didn't happen but they have been testing GOV.UK Verify (RIP) since February 2014 ...

... and the system was declared to be live on 24 May 2016.

Between 23 May 2016 and 11 December 2016 237,850 GOV.UK Verify (RIP) accounts were created. That's an average of 1,172 per day.

The Office for National Statistics estimate that there were 50,908,702 people in the UK aged 18 or over in mid-2014.

At the rate of 1,177 1,172 per day, it would take 43,450 days to create 50,908,702 GOV.UK Verify (RIP) accounts. That's more than 119 years.


Updated 10:43