Wednesday 12 July 2017

RIP IDA – OIX to the rescue 2

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".

16 June 2017, OIX published Achieving frictionless customer onboarding, which "looks at the commercial business case for financial service providers to accept digital identities that meet Government standards".

Does that report help GDS?

The author of the report, Tony Lamb, is head of strategy at Royal Mail Data. "In the next four years", he says, "UK Government is forecasting to create c20million (or c40% of the UK adult population) verified digital identities for UK citizens" (p.4). He takes his figures from GDS's Identity Assurance Programme Market Briefing Event in 2014.

He and OIX, his publishers, should know better than that. "Building on the work we have already done our priorities for government up to 2020 are ... making better use of GOV.UK Verify [RIP] by working towards 25 million users by 2020 ...". That's what GDS say in their February 2017 Government transformation strategy (pp.11-12). Three years. Not four years. 25 million. Not 20 million.

It is not helpful to GDS to have their strategy ignored by Royal Mail Data and OIX.

The financial services sector is being asked to rely on GOV.UK Verify (RIP). Royal Mail Data's obfuscation here will not help to nurture any confidence the financial services sector may have in GOV.UK Verify (RIP).

----------

A set of propositions to do with identity assurance was sent to four organisations who were asked to rate their importance. The Royal Mail Data report is compiled from those responses (p.7). The proposition "The number of existing available digital identities is significant for the population" (p.11), for example, scored only 45 out of 100.

Just as well for GDS.

Royal Mail Data had suggested that "having five million verified identities by June 2017 would be somewhat important before the financial service sector would widely adopt the reuse of GOV.UK Verify [RIP]" (p.11) and of course GOV.UK Verify (RIP) had nothing like that number of accounts by the end of last month. As we know, at the present rate, it will take until 2074 for GOV.UK Verify (RIP) to have 25 million users. Or possibly 2425.

"Accelerating the growth of verified identities will make a more compelling case for financial sector reuse" (p.11), say Royal Mail Data. That's one way of putting it.

Another way is to say that the current number of GOV.UK Verify (RIP) accounts is too low for the financial services sector to bother with it. Or as Royal Mail Data also say, "The investment into adoption of GOV.UK Verify [RIP] by the financial service sector would require a critical mass of pre-existing identities" (p.11) – no critical mass, no investment.

----------

The proposition "A reusable digital identity is accessible for all of the eligible UK population" (p.10) scored 80 out of 100, as did "In particular, a reusable digital identity covers socially, financially and digitally excluded demographics" (p.11).

Perhaps volumes could be increased by making it easier to register with GOV.UK Verify (RIP)? "... an LoA1 standard has been defined, with intention being to provide a lower entry bar" (p.11).

"LoA1" is level of assurance 1, self-certification, an unverified identity. Pointless. You don't need GOV.UK Verify (RIP) to not verify identities. You don't need identity providers either. You don't need to pay them to not provide identities. And there's nothing – nothing compelling, at least – that relying parties like government departments and banks can do with an LoA1 identity. LoA1 is useless. OIX know that.

The LoA1 suggestion is manifestly unacceptable – "All customers are verified to the same robust level of assurance" (p.11) scored 75 out of 100. No-one wants to lower the bar. The requirement is to raise it.

"The current proposition is built around assuring identities to LoA2" (p.11). LoA2 isn't that high a level of assurance. And it isn't clear that GOV.UK Verify (RIP) is achieving even LoA2.

"Government and the Identity Providers are working together to understand how the current solutions can be optimised to increase successful applications without increasing security risk" (p.11). They've been working together on this matter for at least two years and they're not getting anywhere. Because they can't. You can't lower the bar and at the same time maintain the level of security risk.

----------

Frictionless: One of the screens you'll see if you try to register for a GOV.UK Verify (RIP) account

You'd think we might have finished with p.11 by now. We haven't.

"If GOV.UK Verify [RIP] provided penetration of key segments of the population, who are currently difficult and costly to verify in a digital-only channel, this would be valued by the financial sector. Examples of excluded demographics are those aged under 20, individuals who are new to country and those with a ‘thin’ credit file" (p.11).

Even according to GDS's hopelessly optimistic mathematical models these are exactly the people GOV.UK Verify (RIP) can't reach. There is nothing there for the financial sector to value.

----------

It's not just that GOV.UK Verify (RIP) lacks the critical mass required by the financial services sector and that it fails to reach the unbanked.

There's also this: "The verification process for GOV.UK Verify [RIP] requires around six steps, once the applicant has selected their identity provider" (p.8).

Got that? GOV.UK Verify (RIP) takes six steps.

"A typical bank application process for a current account involves 20-80 steps" (p.8).

The banks require between 20 and 80 steps. Ergo, the six-step GOV.UK Verify (RIP) is not in their league.

----------

"A reusable digital identity supports an end-to-end entirely digital journey" (p.8). That proposition scores 80 out of 100. Why can't GOV.UK Verify (RIP) support an end-to-end entirely digital journey in the financial services sector? Because, after six years in development, it's still in "an early stage of maturity" (p.8). It's still a child and the financial services sector needs an adult.

----------

"The reusable digital identity has a high level of customer awareness" (p.8). That proposition scored 75 out of 100.

GOV.UK Verify (RIP) doesn't have a high level of customer awareness. Royal Mail Data's respondents see that as a risk, with vulnerable people falling prey to fraudsters, "this could ... result in a large number of vulnerable people having their identities compromised and funds stolen" (p.8).

----------

"Successful verification rates are greater than 60%" (p.9), 75 out of 100. Week ending 18 June 2017, two days after Royal Mail Data published their report, the Completion rate for GOV.UK Verify (RIP) was 35% across all services. The child is out of its league.

----------

Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it met the regulatory requirements. It doesn't (pp.9-10). "This is likely to prohibit uptake" (p.10).

----------

Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it "delivers operational efficiencies and cost reductions" (p.13). Does it? No-one knows. GDS certainly haven't proved that it does. All that is known is that "New commercial terms will need to be agreed with the existing Identity Providers" (p.13) and with any commercial hub provider(s). I.e. the existing terms are inadequate.

----------

Obviously enough, GOV.UK Verify (RIP) could only be used by the financial services sector if it reduces risk. A new risk model will be required because the GOV.UK Verify (RIP) model is inadequate (p.14).

----------

Progress has been unacceptable over the past six years and "The window of opportunity needs to be seized in the next six months to provide a clearer view of the scale of the opportunity" (p.15). GDS have until the end of the year to show that GOV.UK Verify (RIP) could one day grow up enough to be a candidate for identity assurance in the financial services sector.

----------

The financial services sector numbers companies and trusts among its accountholders. GOV.UK Verify (RIP) can only handle natural persons, not legal ones. You can read the whole of Royal Mail Data's report without being reminded of this lacuna.

----------

"As GOV.UK Verify [RIP] aligns to the broader European standards, it provides a means for the financial sector to provide services in a globally interoperable way" (p.3). "A federated digital identity scheme, GOV.UK Verify [RIP], has been created in the UK in line with the eIDAS regulation." (p.4).

In what way does GOV.UK Verify (RIP) align with the broader European standards? Royal Mail Data forget to answer that question. We may find that it doesn't align with the European standards the financial services sector requires. In particular eIDAS and GDPR. Another lacuna.

----------

The respondents approached by Royal Mail Data were HSBC, Barclays, TSB and "a leading credit card provider" (p.1). Who is the leading credit card provider? Why don't they want their name to be used?

----------

The "project participants" are Royal Mail and Avoco Secure (p.1). Royal Mail are not certified trustworthy by tScheme. In their case, the proposition that "The existing GOV.UK Verify [RIP] service verifies the applicant’s details online, using certified third party Identity Providers" (p.5) is not true.

By GDS's own lights, Royal Mail are therefore unqualified to act as GOV.UK Verify (RIP) identity providers. Royal Mail are only listed as identity providers because they're a recognised brand. Behind the scenes, the identity provider work is actually carried out by GB Group plc, whom more or less no-one has ever heard of. Both Royal Mail and GB Group rely on software provided by Avoco Secure, whom, ditto, more or less no-one has ever heard of.

All of which looks like a cynical deception of the public by GDS, who profess nevertheless to embrace openness, and by Royal Mail.

----------

"Does that report help GDS?", we were asking above. Clearly not. But by drawing attention to the deficiencies of GOV.UK Verify (RIP) it does help the public. Thank you OIX.

----------

Updated 15.7.17 1

GOV.UK Verify [RIP] to be extended to cover other countries next year: "From September 2018, the service will be able to confirm the identities of people from countries other than the UK". So said PublicTechnology.net on 13 July 2017.

September 2018 is over a year away. A safe distance from which to make predictions. Normal practice for the Government Digital Service (GDS).

This announcement about GOV.UK Verify (RIP) being able in a year's time to confirm the identities of people from countries other than the UK may look safe. And positive. But it confirms something that has never been made clear before – GOV.UK Verify (RIP) can't at the moment confirm the identities of people from countries other than the UK. Did you know that? Have GDS ever said that before?

And take a look at GDS's own statistics on the performance of GOV.UK Verify (RIP). The completion rate is defined as "the proportion of visits started on GOV.UK Verify [RIP] that result in successfully accessing a service, following the creation or re-use of a verified account with a certified company". Week ending 9 July 2017, the completion rate stood at 37% across all services. I.e. the failure rate was a whacking 63%.

That's presumably the failure rate for confirming the identities of people from the UK. GDS would surely do better to improve completion for people from the UK first before jumping the gun and taking on all comers.


Updated 15.7.17 2

Famously, HMRC, DWP and the NHS have failed to give their backing to GDS's GOV.UK Verify (RIP) identity assurance service. More than half of the UK local authorities which started trials of GOV.UK Verify (RIP) have now pulled out. And OIX have at least twice demonstrated that GOV.UK Verify (RIP) is useless to the UK financial services sector.

Now the Law Commission have weighed in. Legal gurus give thumbs down to Verify, said the UKAuthority website on 13 July 2017: "The independent body advising the Government on law reform has rejected the GOV.UK.Verify [RIP] digital signature as suitable for authenticating people’s wills".

"Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists" (para.6.67) – if the Law Commission believe that GOV.UK Verify (RIP) leaves it unclear whether you are you, what does that tell the financial services sector? Or local government? Or the NHS or DWP or HMRC?



Wednesday 5 July 2017

The zombie stirs, the UK Home Office is on manoeuvres again …

… ID cards are back on the agenda …

… and The Sunday Times couldn't find room to publish the following letter:
From: David Moss
Sent: 25 June 2017 23:42
To: 'letters@thetimes.co.uk'
Subject: ID cards and border control

‘Bad border controls are worse than none at all’
Dominic Lawson
June 25 2017

Sir

The regularly excellent Dominic Lawson suggests that the Labour government’s proposed biometric ID card scheme would have worked and that the subsequent 2010 coalition government was wrong to terminate it [1].

Uncharacteristically wrong, he ignores the fact that the biometric technology on which that scheme relied was and remains hopelessly unreliable at the scale required [2,3]. That is why the Home Office gave up on their National Identity Scheme (RIP) long before May 2010. It was not going to help with border control [4] nor with any of the other objectives it was vaguely hoped that it might achieve.

The baton was passed from the Home Office to the Cabinet Office and their GOV.UK Verify scheme (RIP) which, after more than five years of development, currently has a failure rate of 65% according to the Government Digital Service’s own performance statistics [5,6].

Mr Lawson and the rest of us will have to find some other suppliers of identity assurance than Whitehall. The mobile phone network operators [7], for example, and the banks are the preferable ports of call. The awful alternatives are the Pied Pipers – Google, Facebook, Amazon, Apple, Microsoft, … [8].

Yours
David Moss



Exclusive to The Sunday Times.

Refs.

1. https://www.thetimes.co.uk/edition/comment/bad-uk-border-controls-are-worse-than-none-at-all-rmdcvrnpk
2. http://www.dmossesq.com/2015/09/so-where-are-we-on-astrology-13-years.html
3. https://www.theregister.co.uk/2009/08/14/biometric_id_delusion/
4. http://www.dematerialisedid.com/BCSL/eOdyssey.html
5. https://www.gov.uk/performance/govuk-verify
6. http://www.dmossesq.com/2016/09/rip-ida-govuk-verify-is-no-more-it-has.html
7. http://www.dematerialisedid.com/Mobiles.html
8. http://www.dmossesq.com/2012/04/amazon-google-facebook-et-al-latter-day.html

Nonsense on stilts, five days after Dominic Lawson's article, The Times carried Why I’ve come round to the idea of ID cards by Philip Collins: "Fears about illegal immigration which drove many to vote for Brexit would be answered by a national identity scheme".

----------

Updated 3.9.17

Emma Duncan of The Economist newspaper, writing in The Times newspaper the other day, Beware the growing power of Google, warns readers about the power of the "Pied Pipers" as DMossEsq calls them, please see above, Google and its ilk.

Her case is not assisted by adding in irrelevant swipes at President Trump and the Republicans.

Nor is it assisted by moaning about Brexit.

Least of all is it assisted by this gratuitous claim of hers about the Pied Pipers: "That they know so much about what we do and where we go is troubling enough in itself; combined with the growing power of face-recognition technology, it is downright scary".

Mass consumer biometrics based on face recognition doesn't work. That's been the case for years. It continues to be the case.

Take, for example, the case of the Notting Hill Carnival last weekend, when the police used face recognition to try to spot 500 people on a watchlist. Liberty, the civil liberties organisation, had an observer who was allowed to watch the biometrics operation for a while:

"I watched the facial recognition screen in action for less than 10 minutes. In that short time, I witnessed the algorithm produce two 'matches' – both immediately obvious, to the human eye, as false positives. In fact both alerts had matched innocent women with wanted men.

"I asked how many false positives had been produced on Sunday – around 35, they told me. At least five of these they had pursued with interventions, stopping innocent members of the public who had, they discovered, been falsely identified."

That's the level of reliability of face recognition with a tiny 500-person watchlist. Scale it up to 70 million people in the UK, and what do you get? You get an appalling waste of taxpayers' money by laughably credulous officials at the Home Office but you don't get anything for Ms Duncan or Liberty to be scared of.

They would do better to mock the official attempt to rely on mass consumer biometrics than to whip up fear. Expressing fear of this flaky technology rather helps the salesmen to close a deal with the latest dupe ...

... and it helps the latest dupe with its latest manoeuvres.

Meanwhile, having confused the issue with Trump, Brexit and biometrics, Ms Duncan lets the Pied Pipers get off scot-free.


Updated 13.9.17

It was a big day yesterday. Apple unveiled its new flagship product, the iPhone X, packed with new facilities like face recognition.

The presentation was hosted by an Apple Vice President, Craig Federighi. According to the Times newspaper:

"Apple’s new facial recognition system is so secure that the chance of a stranger unlocking your iPhone X is one in a million.

"Unfortunately for Apple, when Craig Federighi demonstrated the handset yesterday it proved too secure, apparently not recognising him."

DMossEsq told you so.


Updated 15.9.17

Writing in the Telegraph newspaper yesterday the normally excellent Allister Heath says "we are now only a few years away from the day when facial recognition technology will be sufficiently advanced that, whenever we walk down a street, networks of CCTV cameras, public as well as private, will immediately recognise us".

Why does he say that?

There is no evidence to support his contention.

None whatever.


Tuesday 23 May 2017

RIP IDA – a ridiculous manifesto promise

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.

The Conservative Party's 2017 manifesto includes this at p.81:

"... we must use common platforms across government and the wider public sector. That must start with the way we identify ourselves online, so that people have one single, common and safe way of verifying themselves to all parts of government. That is why we shall roll out Verify, so that people can identify themselves on all government online services by 2020, using their own secure data that is not held by government. We will also make this platform more widely available, so that people can safely verify their identify to access non-government services such as banking."

As DMossEsq readers know, it may be convenient for people to have "one single, common ... way of verifying themselves to all parts of government" but it isn't "safe".

DMossEsq readers also know that millions of people prefer to use the Government Gateway to access on-line government services, not GOV.UK Verify (RIP).

They know that there are currently only about 12 on-line government services that can be accessed using GOV.UK Verify (RIP) and that the chances that they will all be accessible using GOV.UK Verify (RIP) by 2020 are small.

And they know that their personal information is sprayed all over the world, out of their control, if they open an account with GOV.UK Verify (RIP).


Suppose that you have your accounts with Lloyds bank and that you access them on-line using your GOV.UK Verify (RIP) credentials which you created through the Royal Mail because that's a brand you recognise and trust.

Unbeknownst to you, that means that you have actually been registered by GB Group plc, whom you've never heard of.

GB Group share your personal information with a wide variety of other organisations, which the Royal Mail didn't tell you when you registered.

Suppose that one of them is hacked [Equifax, for example, added 9.9.17] and, for safety's sake, your GOV.UK Verify (RIP) account has to be suspended [if your account isn't suspended, despite the Equifax breach, why isn't it? Surely it should be]. Yours, and millions hundreds of other people's GOV.UK Verify (RIP) accounts.

There's nothing the Royal Mail can do about GB Group suspending you and nothing GDS can do about it either. There's nothing Lloyds can do about it and now you can't access your bank accounts on-line.

Nor can you access any of the on-line government services you need, because you foolishly use the same GOV.UK Verify (RIP) credentials for everything.

That's one risk of inserting GOV.UK Verify (RIP) into the access control processes for banking.

Can anyone remember what the benefit is?

GOV.UK Verify (RIP) is not an attractive prospect and not one single bank anywhere in the world currently allows people to use GOV.UK Verify (RIP) to log on to their on-line accounts.

Millions of us can already log on to on-line banking. We accountholders don't need GOV.UK Verify (RIP) for that ...

... and neither do the banks.

And why would the banks want to risk their relationship with us by dislocating the whole process of authorising access to our accounts just to insert the Government Digital Service into it?

And not just GDS but all of GDS's seven "identity providers" (IDPs), too. And all of the IDPs' uncounted subsidiaries and business partners and suppliers and sub-contractors in the UK and overseas.

It may sound sensible and modern for the Conservatives and any other political party to promise to deploy GOV.UK Verify (RIP) nationwide. It isn't.

----------

Updated 9.9.17

Up to 44m Britons at risk in Equifax cyberattack
Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
The Equifax Hack Didn't Have to Be This Bad
Breach at Equifax May Impact 143M Americans
Equifax Breach Response Turns Dumpster Fire
Equifax: Hackers Gained Access to Sensitive Data, Affecting 143 Million People
Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone
Equifax mega-leak: Security wonks smack firm over breach notification plan
Surprising nobody, lawyers line up to sue the crap out of Equifax
...

Equifax Hack Exposes Peril of Credit Bureau Model


Updated 9.11.17

It remains a psychiatric mystery how the Government Digital Service (GDS) continue to assure the public that the hopeless identity assurance scheme, GOV.UK Verify (RIP), costs nothing, that it is secure without qualification, that our privacy is maintained, that we have control over our personal information and that the system operates under an ethical framework.

That is presumably the conclusion that McKinsey came to in their investigation of GOV.UK Verify (RIP) in their report to John Manzoni, chief executive of the UK home civil service. The McKinsey report has not been published, though, so we can't be certain.

GOV.UK Verify (RIP) depends for its hesitant and occasional operation [1] on credit rating agencies/data brokers, including Equifax, who were so spectacularly hacked on 13 May 2017, please see above.

DMossEsq can make the point until he, she, it or they is or are blue in the face that GOV.UK Verify (RIP) accountholders have no control over what happens to their personal information once they have handed it over but it has no effect. Absolutely no control. And absolutely no effect.

The great Bruce Schneier has now published his Equifax evidence to the House Committee on Energy and Commerce.

"These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data", he says. Also, "there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is".

Perhaps the Schneier testimony will register with GDS and Mr Manzoni more effectively than DMossEsq's.

Whatever, the public show no enthusiasm for signing up with GOV.UK Verify (RIP) [2], nor do HMRC nor NHS England. We and they don't believe that GOV.UK Verify (RIP) is free, secure, etc ... Only GDS believe that.

Refs.
1. Average failure rate: 62%.
2. Average number of times a GOV.UK Verify (RIP) account is used: 1.5.


Saturday 6 May 2017

Half-baked, amateurish, technically-illiterate, misled, misinformed, …

Last Wednesday, 3 May 2017, Jerry Fishenden published a blog post, The canary that ceased to be, where he announced his resignation as co-chair of the Privacy and Consumer Advisory Group (PCAG):

"The group has reviewed and commented upon a wide range of government initiatives, including predicting the disaster that become NHS care.data, the fraud risks of ill-considered “data-sharing” (under various guises), the troubled and late-running GOV.UK Verify identity assurance programme, the Office of National Statistics use of data, the “digital transformation” of the electoral roll, Home Office fraud issues, the Investigatory Powers Bill (now Act), and other proposals and ideas from across government."

PCAG is meant to be a safety device like a miner's canary, it's meant to detect officials attempting to "smuggle their often half-baked proposals past Ministers". That's what it's meant to do and that's what it does but ministers have stopped paying attention. Particularly Matt Hancock and Ben Gummer who haven't bothered even to acknowledge letters sent to them by PCAG.

The "disappointingly amateurish and technically-illiterate" Digital Economy Act was the last straw. Mr Fishenden had to resign. PCAG's advice was "repeatedly ignored by officials who should know better" and those officials "repeatedly misled and misinformed" PCAG.

No doubt honest and able people like Mr Fishenden resign all the time, infuriated by official mendacity and incompetence, but it's rare to see them speak out like this ...

... and rarer still to see them loose off another shot a day or two later, please see Gov.uk Verify and identity assurance - it's time for a rethink, in which Mr Fishenden confirms and amplifies DMossEsq's contention that GOV.UK Verify is dead, RIP.

Who knows but there may be yet more to come.

----------

Updated 7.5.17

Jerry Fishenden: The canary that ceased to be

Comment:
Government Computing:
Independent privacy body co-chair resigns over Whitehall engagement
UKAuthority:
Cabinet Office privacy adviser resigns
Campaign4Change:
Some officials “smuggle their often half-baked proposals past ministers” says Cabinet Office adviser who quits
Diginomica:
How the canary fell off its perch down the privacy policy mine – and nobody cared
Civil Service World:
Government privacy advisor quits after officials ‘repeatedly ignored’ guidance

Jerry Fishenden: Gov.uk Verify and identity assurance - it's time for a rethink

Comment:
Computer Weekly:
Ex-government privacy advisor calls for 'fundamental review' of Gov.uk Verify identity scheme
Government Computing:
Privacy and identity expert Fishenden calls for Verify rethink
Alan Mather
The identity/data divide

"Who knows but there may be yet more to come", we said above and on 23.5.17, lo, happily there was.


Updated 8.5.17

When Jerry Fishenden gave evidence last October, one member of the Digital Economy Bill Committee said: "Dr Fishenden, your exasperation with what is in the Bill is shared by other witnesses".

In fact, his exasperation was more with what was not in the Bill. Control over our personal information is due to be taken out of our hands and given to officials. This is in the interests of data-sharing. But "data-sharing" was not defined in the Bill. The management of our personal information will depend on codes of practice to be followed by officials. But these codes of practice were not included in the Bill.

The Digital Economy Bill has now been enacted and given royal assent. It is a dreadful piece of legislation and it seems to have been the final straw for Mr Fishenden.

"In Francis Maude’s day, the problems with Part 5 (PDF) of the Digital Economy Bill and its associated codes of practice would have been highlighted and fixed with the help of the [Privacy and Consumer Advisory Group], rather than causing Ministerial embarrassment and confusion when they were published in a disappointingly amateurish and technically-illiterate state", says Mr Fishenden in his canary article.

The same claim is repeated by Diginomica*: "Not for the first time, diginomica laments the loss of Lord Maude". And by Campaign4Change: "Fishenden’s departure is further confirmation that since Maude’s departure, the Cabinet Office – apart from the Government Digital Service – has settled back into the decades-old Whitehall culture of tinkering with the system while opposing radical change".

This is not what it looks like from the outside. Francis Maude is on record as saying: "I want to bust the myths around the complexities of data sharing ... we aim to find effective ways of using and sharing data for the good of everyone".

He wanted the government to "deliver more effective, joined-up and personalised public services, through effective data-linking", which he said was not the same as "data-sharing" but he never explained the difference ...

... reminiscent of the Dark Department's (the Home Office's) Paul Maltby, who tried to make the ethical problems of data-sharing go away by changing the name to "data access".

From the outside, to the public, it looks as though Mr-now-Lord Maude was part of the personal information problem, and not the solution.

In his Verify article, Mr Fishenden points out that the Government Digital Service's GOV.UK Verify (RIP) identity assurance scheme stands many of GDS's principles on their head. True, but don't forget, it was designed and developed while Lord Maude was GDS's political boss.

Mr Fishenden's suggestion that the problems of the Digital Economy Act and GOV.UK Verify (RIP) would have been solved if only Lord Maude was still Minister for the Cabinet Office is a baffling distraction from the main point, which is the "half-baked proposals" of "disappointingly amateurish and technically-illiterate" officials who "repeatedly misled and misinformed" the Privacy and Consumer Advisory Group.

Notes
* "The loss of Lord Maude"? It should be made clear that Diginomica are not suggesting that Lord Maude is dead, simply that he is no longer Cabinet Office Minister.


Updated 12.10.17

"Who knows", we said, back in May, please see above, "but there may be yet more to come".

And how.

Jerry Fishenden has published another long essay in Computer Weekly magazine, Will the review of Gov.uk Verify [RIP] fix the UK's digital identity problems?.

"What review?", you ask. The McKinsey review. Manzoni calls in McKinsey to conduct review of online identities for public services. That was David Bicknell's scoop, writing on the Government Computing website nine days ago: "The review ... is believed to have been instituted by Civil Service chief executive and Cabinet Office permanent secretary John Manzoni".

900 staff in the Government Digital Service (GDS), all supposed to advise the rest of the civil service how to be innovative and effective in public administration, and the CEO has to call in external consultants to advise on the central pillar of digital-by-default, GOV.UK Verify (RIP)? It's not a good look, is it.

As do we all, Mr Fishenden wants to help McKinsey with their review. Thus his excellent Computer Weekly article.

It's a long article. What it says is that GDS have been wasting our time and theirs with GOV.UK Verify for six years. RIP.


Updated 13.11.17

Another month, another excellent Jerry Fishenden article in Computer Weekly magazine, Will the review of Gov.uk Verify [RIP] fix the UK's digital identity problems?.

Good question.

They're all good questions.

Many of us have been asking the same questions for years.

It's quite boring repeating yourself. Why the need to repeat ourselves for years at a time?

Because the Government Digital Service never answer.

Do they know the answers? Or are they lost, in over their heads, overcome, submerged, helpless, drowning, rudderless, confused, in need of help, "not up to it" (© Clement Attlee), baffled, over-promoted, out of ideas, stymied, inhibited, directionless, broken down, demotivated, demoralised, guilty, truculent, nervous, defensive, ...?

If people have good answers, they tend to tell you.

The first cut is the deepest. The longer this head-in-the-sand psychopathology is allowed to fester, the more traumatic the eventual confession will be.

Half-baked, amateurish, technically-illiterate, misled, misinformed, …

Last Wednesday, 3 May 2017, Jerry Fishenden published a blog post, The canary that ceased to be, where he announced his resignation as co-chair of the Privacy and Consumer Advisory Group (PCAG):
The group has reviewed and commented upon a wide range of government initiatives, including predicting the disaster that became NHS care.data, the fraud risks of ill-considered “data-sharing” (under various guises), the troubled and late-running GOV.UK Verify identity assurance programme, the Office of National Statistics use of data, the “digital transformation” of the electoral roll, Home Office fraud issues, the Investigatory Powers Bill (now Act), and other proposals and ideas from across government.
PCAG is meant to be a safety device like a miner's canary: it's meant to detect officials attempting to "smuggle their often half-baked proposals past Ministers". That's what it's meant to do and that's what it does but ministers have stopped paying attention. Particularly Matt Hancock and Ben Gummer who haven't bothered even to acknowledge letters sent to them by PCAG.

Tuesday 14 March 2017

GDS's commitment to user control of personal information

Public administration in the UK has problems which could be solved if public services became digital by default. That is the raison d'être of the Government Digital Service (GDS).

Digital by default? What does "digital" mean? According to Tom Loosemore, ex-Deputy Director of GDS, "digital means applying the culture, practices, processes and technologies of the internet era to respond to people’s raised expectations".

The reactionaries in Whitehall have hobbled GDS. That's what Jerry Fishenden and Cassian Young say: "It is convenient for institutionally conservative managers to watch the energy behind transformation dissipate harmlessly in the sandbox where the agile insurgents are left to play with their websites", please see Escaping waterfall government and the myth of ‘digital transformation’.

Messrs Fishenden and Young accept Mr Loosemore's questionable prescription. They think GDS have failed to deliver. But they still think it's the right objective – the model for public administration should be changed radically just as "Netflix, Flickr and Airbnb" have changed the dynamics of their markets.

Are they right?

Sir Tim Berners-Lee, inventor of the web, has serious reservations, please see Tim Berners-Lee says privacy needs fixing – and calls for 'algorithmic transparency'. The culture of the internet era has blemishes: "over the past 12 months, I’ve become increasingly worried about three new trends, which I believe we must tackle in order for the web to fulfill its true potential as a tool which serves all of humanity":
The first is control of personal data. Berners-Lee thinks we don't have it any more and that's a bad thing because “As our data is then held in proprietary silos, out of sight to us, we lose out on the benefits we could realise if we had direct control over this data, and chose when and with whom to share it.”

“What’s more,” he says, “we often do not have any way of feeding back to companies what data we’d rather not share – especially with third parties – the T&Cs are all or nothing.”

He also worries that government surveillance is “increasingly watching our every move online, and passing extreme laws that trample on our rights to privacy”. Repressive regimes use that surveillance to harass opponents, but even benevolent governments have “a chilling effect on free speech and stops the web from being used as a space to explore important topics, like sensitive health issues, sexuality or religion ...”
Embrace the culture of the internet era – as Messrs Loosemore, Fishenden and Young want you to – and as things stand, Sir Tim warns you, you lose control of your personal information. That's how Facebook came to report $27.6 billion of revenue for 2016. That's how Google (Alphabet) came to report revenue of $27.1 billion, not for the whole of 2016, just for the fourth quarter.

Sir Tim is working on a project called Solid to try to "decouple data from web applications (and by extension social networks) so that users can decide where their data resides and how it can be accessed". It might work. We'll see in five years.

In the meantime, any promises to put you in control of your own personal information are false. The Privacy and Consumer Advisory Group (PCAG) is co-chaired by Jerry Fishenden. PCAG insist that any identity assurance scheme should put the user in control. GDS promise that their GOV.UK Verify (RIP) identity assurance scheme complies with PCAG's principles. That promise is false. The inventor of the web says so and he should know.

While claiming to put the user in control, GDS like us to spray our personal information all over the world when we register with GOV.UK Verify (RIP). Their heart really isn't in this privacy lark, is it. They use Eventbrite to organise events. They use Zendesk for user support. They use StatusPage for network monitoring. They use Survey Monkey for user feedback. All the personal information involved is stored and used beyond your control and now GDS want you to upload your CV to Jobvite.

Who?

Take a step back.

GDS have got a lot of situations vacant. For example, they were tweeting yesterday, saying: "We have a fantastic opportunity for a Lead Product Manager to work across the @GOVUKverify product teams https://jobs.jobvite.com/gds/job/oksV4fwv":

https://jobs.jobvite.com/gds/job/oksV4fwv/apply

GDS warn prospective recruits: "If you do not wish for your data to be transferred outside the UK, please click the back button below and check the job description for an email address to send your application to". Click that back button and there is no sign of an email address for prospective recruits to use. Welcome to the culture of the internet era GDS-style.

The Jobvite privacy policy is worth a read. Any problems and you can just write to them at:
Jobvite, Inc.
Attn: Privacy Policy
1300 S El Camino Real, Ste 400
San Mateo, CA 94402
----------

Updated 6.4.17

30 March 2017, and Government Computing tell us Summer launch planned for GOV.UK Verify [RIP] private sector testing: "Three companies are set to provide identity hub services to support the Cabinet Office’s ambitions to link its GOV.UK Verify [RIP] platform with the private sector in a test environment designed to inform a potential live service at a later date".

No idea what that means, but the three companies are Mvine, SiteKit and Safran. An identity hub has a lot of data pass through it and needs to store that data to provide an audit trail. Are they fit companies to provide identity hub services? No idea.

It will take a lot of effort to conduct this GOV.UK Verify (RIP) test. The three companies will have an interest in its success. On cue, three days later, 3 April 2017, Government Computing publish You want my digital identity, I want something in return: "Approaching digital identity as a ‘this for that’ arrangement is the only way the private sector and Government can live in cyber harmony, argues Frank Joshi".

Frank Joshi is "director of Mvine Ltd, an established UK SME specialising in distributed digital identity technologies". "Cyber harmony" is not defined in his article.

The conclusion of Mr Joshi's argument is:
... And that is why for GOV.UK Verify [RIP] to be trusted everyday by us the people, it has to expand to be an everyday part of our lives not just something we use when interfacing with Government for public services.
GOV.UK Verify (RIP) will only become a part of our everyday lives if we trust it. Mr Joshi has got it the wrong way round.

His argument rests on the fact that people hand over a lot of personal information to various private sector suppliers on-line, and we ought to be equally happy to hand it over to public sector suppliers: "So if it’s alright giving information about yourself to commercial firms, why not to those who provide public services?".

The Government Digital Service (GDS) have spent five years and more telling us that GOV.UK Verify (RIP) ensures that our personal information is not collected by the public sector. Instead, it is verified for the public sector by private sector "identity providers". That is the opposite of what Mr Joshi advocates.

"You see", says Mr Joshi, "as people we are willing to consent to certain organisations knowing certain things about us. And that’s perfectly reasonable and normal ... We divulge information about ourselves usually in a something-for-something exchange. Think of it as a 'this for that' or quid pro quo". You should expect to pay the right price for goods and services. Agreed. But what is the right price? Mr Joshi doesn't tell us.

Sir Tim Berners-Lee thinks we're over-paying, please see above. We're handing over too much personal information. Instead of tackling that issue, Mr Joshi goes on to say:
Without turning theoretical on you, it’s helpful to understand why [there is a quid pro quo] with a quick recap of the context. Citizens are free to do whatever we want. In the social contract, as citizens we cede a portion of our freedoms to Government in exchange for them keeping us safe. And we cede a further portion of our freedoms to the rule of law in exchange for protecting us and giving us justice.
Don't know about you, but that looks pretty theoretical to DMossEsq. First "citizens are free". Then, next sentence, "we cede a portion of our freedoms". And next sentence "we cede a further portion of our freedoms". So we're not free according to Mr Joshi and presumably he was just kidding when he said we are.

"A digital footprint is pretty much inescapable. But it should be down to you to give your consent to anyone, supplier or authority, who wants to know attributes about you". That's what Mr Joshi says but if there's no alternative to GOV.UK Verify (RIP), then we will be forced to use it. That's not consent. If Mr Joshi and GDS were to level with us, they would say "it should be down to you to give your consent but it isn't. Sign up or, quid pro quo, go without public services".

The bulk of Mr Joshi's article lists cases where we already manage to use on-line services. So why do we need GOV.UK Verify (RIP)? He doesn't tell us.

Summer launch planned for GOV.UK Verify (RIP) private sector testing? Should be interesting ...


Updated 10.4.17

"Wondering what makes @GOVUKverify different? Watch this 1 min explanatory @gdsteam video: https://www.youtube.com/watch?v=Vtu7eKc6QpY&feature=youtu.be" – that's Safran Morpho's repeated advice on Twitter:



DMossEsq readers, of course, will have watched the video last November when it first appeared on our CretinNet (26.11.16) service.

Our personal information is said to be safer because GOV.UK Verify (RIP) doesn't store it all on a central database.

But GOV.UK Verify (RIP)'s document checking service uses central databases of passport information and driving licence information. And GOV.UK Verify (RIP)'s identity hub must maintain a central database, if only to provide an audit trail.

The video goes on to tell us that we choose a certified company to verify our identity. There are seven "identity providers" to choose from – Barclays, Digidentity, Experian, GB Group, Post Office, Royal Mail and Safran Morpho. Three of them aren't certified – Post Office, Royal Mail and Safran Morpho.

No-one has all the information, according to the video. And of course that's right – depending on what is meant by "all the information", that could be impossible. So to tell us that "no-one has all the information" doesn't add to our knowledge.

What would add to our knowledge would be if the Government Digital Service (GDS) made a video explaining how it's safe for our personal information to be spread around the document checking service, the identity hub and seven "identity providers" plus assorted credit referencing agencies, ISPs, third party fraud prevention agencies, tax authorities, law enforcement agencies, ID Checker, WorldPay, Morpho sub-contractors, Morpho head office, unspecified Barclays companies, business partners, suppliers, sub-contractors and Verizon and thus Zentry LLC, Techmahindra Ltd and Expert Solutions Support Centre, and unspecified analytics and search engine providers.

That list is compiled from the terms and conditions of business and the privacy policies of GOV.UK Verify (RIP)'s "identity providers". It doesn't include the uncertified Mvine and SiteKit, please see above. Nor does it include the uncertified Timpson.

Our personal information is sprayed around all these organisations, it has to be stored for a minimum of seven years, we can't just delete it whenever we want, and it can be stored anywhere in the world. And yet somehow GDS want us to believe that our GOV.UK Verify (RIP) personal information is under our control.

The parting shot on the video is a claim that GOV.UK Verify (RIP) keeps our personal information and our identity secure. What does "secure" mean here? Shared with all and sundry anywhere in the world out of our control?

Wondering what makes @GOVUKverify different? Now you know.


Updated 27.6.17

Nothing changes.

GDS continue to invite job applicants to send their CVs to Jobvite, please see the two tweets alongside, emitted this morning.

And they continue to define "digital" as the embrace of the "culture, practices, processes and technologies of the internet era" even when we learn, as we did this morning, Google hit with record antitrust fine of €2.4bn by Europe: "The regulator found that Google had abused its market dominance as a search engine ...".

Later today we learned that Petya cyber attack: Ransomware spreads across Europe with firms in Ukraine, Britain and Spain shut down: "In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack ... In the UK, the advertising firm WPP said its systems had also been struck down, while in the Netherlands a major shipping firm confirmed its computer terminals were malfunctioning".

That definition of "digital" – it needs to be improved. Its faults are evident but GDS never change. They never learn.

That's a lesson for local government. A lesson they've already learned. More than half of the local authorities who started trials of GOV.UK Verify (RIP) have pulled out.

What kind of recruits will be attracted to these two vacant situations at GDS? Who wants to work for an organisation that can't learn?


Updated 6.7.17

It is three months since Mvine hove into view, please see above.

Mvine are supposed to demonstrate that people can use GOV.UK Verify (RIP) to access private sector services even if they can't use the wretched system to access public services:
Mvine is set up and ready now to offer these services to the private sector using and leveraging its secure distributed digital identity exchange whilst conforming to the standards rules and principles of the Verify digital identity framework.

Once the initial trials and test are over, Mvine aims to go live with these services from June 2017 onwards.
That's what it said on the Mvine website when DMossEsq took a copy on 22 June 2017: "Mvine aims to go live with these services from June 2017 onwards".

Take a look now, and the reference to June 2017 has disappeared.

Not another GOV.UK Verify (RIP) deadline missed, surely?
