Saturday, 2 June 2018
Thursday, 24 May 2018
Understanding the ethos and ethics of identity in public services
Last Friday 18 May 2018 was the Think.Digital Identity for government conference. The following speech was prepared but not delivered:
It's been 17 years since we've seen any progress
in identity
in on-line public services in the UK.
The U-bend is blocked.
And it’s our job as the plumbers here at this conference today
to see if we can unblock it.
Some people would have us believe
that we have a major problem in the UK
identifying ourselves adequately
to access on-line public services.
Those gloomy people are not obviously right.
We're already identifying ourselves to on-line UK central government services
over 400 million times a year
using the Government Gateway.
The Gateway has been in operation since 2001,
it maintains over 50 million active accounts
and it allows us to access 123 public services
400 million times a year.
We don't have any trouble applying for planning permission on-line
with our local authority
and we don’t have any trouble paying their parking fines on-line.
In the private sector,
we Brits participate in a vast and growing on-line economy.
We’ve been able for years to press a few buttons and,
without leaving the house,
pay to have a new dishwasher delivered and installed
and the old one taken away.
Think twice before agreeing that on-line identity in the UK is nothing but problems.
----------
We’re in the internet era now
and that’s the justification given for all sorts of nonsense.
Some people say that the internet era ethos
dictates that we should use the same on-line identity assurance system
in both the public sector and the private sector.
Why?
What’s wrong with having multiple systems?
Nature is our model
and it happens in nature all the time,
where the badly adapted loser species get killed off
while plurality promotes survival.
HMRC have been happy enough with the Government Gateway for 17 years now.
But if the NHS can't use the Gateway and need a different system for their purposes,
fine – let them develop their own.
DWP, too.
And Scotland.
And above all,
because that's where most government takes place,
local government – let local government adopt its own identity assurance systems.
To insist that there should be one and only one identity assurance system
is an ideological neurosis blocking the U-bend.
----------
Some people assert that establishing our credentials to use any on-line service
should be frictionless.
It should be as easy,
they say,
to sign up for on-line government services
as it is to open an account with Amazon.
Piffle.
The only reason it's so easy to open an account with Amazon
is that we've already got a bank account.
And the only reason we've already got a bank account
is that we and our bank overcame the friction
and put in the effort to open it.
Getting a bank account is important.
We would expect the process to involve friction.
It would be suspicious if it didn't.
----------
Some people offer us control over our personal information
when it’s stored in their snazzy innovative identity assurance system.
The suppliers of personal data stores make that offer.
They can't deliver.
It's not in their gift.
The purveyors of open banking offer us that control.
Open banking was supposed to start in the UK on 13 January 2018.
Four months later there's still no sign of it.
The BBC ask us to create an account to use their services
and they, too, promise us control over our personal information.
So does the UK government's identity assurance programme,
popularly known as “GOV.UK Verify (RIP)”.
In the event,
once we've handed it over to these strangers,
it turns out that we have no control whatever over our personal information.
Our personal information can be stored anywhere in the world,
and we haven’t got a clue who’s got access to it
or what they’re doing with it.
These strangers could trash our privacy
and misuse our personal information.
We can't rely on their corporate conscience to stop them from doing so.
This isn’t a question of ethics.
That’s wrong.
We need laws to step in and take control where we can’t because it’s beyond us.
----------
The word "control",
like the word "friction-free",
should be a trigger warning.
Ditto "secure".
That’s another trigger warning.
It is unethical to promise security without qualification
as some identity assurance systems do.
That promise can no more be delivered on
than the promise to give us control over our own personal information.
Better to be like the lumbering old retail banks
who promise in their privacy statements to do what they can,
securitywise,
but warn us that the internet is not a safe space,
there will be breaches.
And that's another thing.
The retail banks are legally obliged to take on liability.
If our bank account is emptied by a fraudster and it's not our fault,
then the banks compensate us.
"Liability" is a word we don't often hear from the internet era promoters.
That's a shame.
Liability is what keeps the retail banks' noses clean.
Always remember,
when presented with a proposed identity assurance system,
to get an answer to the question who’s liable.
----------
Some people place their faith in mass consumer biometrics
to bind us to our digital identities.
Demand proof before joining the faith yourself.
Large-scale field trials used to reveal this flaky technology
to be laughably unreliable.
That gave the biometrics salesmen a problem,
a problem they have solved by not conducting any more large-scale field trials.
Don't fall for it.
"Biometrics"?
Trigger warning.
----------
With no progress in 17 years we've got a growing list
of new and not-so-new
requirements for identity assurance.
Age verification.
Registering to vote.
Voting at elections.
Proof of UK residence rights.
Access to health records.
And more.
We know we can crack these problems.
Despite what the gloom merchants tell us,
we have a good record –
400 million transactions a year is not to be sneezed at.
----------
In unblocking the U-bend,
expect the retail banks to be involved.
It's not going too far to say that their business is identity assurance.
They're good at it.
Expect the mobile phone industry to be involved.
Your ticket to the Royal Academy Summer Exhibition
doesn't have to be a material piece of card
posted to your house.
It could just as easily be a dematerialised digital certificate
transmitted by the Academy
to your phone
using public key infrastructure to authenticate every step of the transaction.
----------
To sum up:
if we want an unbunged-up U-bend in the internet era.
----------
Updated 6.12.18
Think.Digital's 18 May 2018 conference on Identity for Government was followed by Think.Digital's 29 November 2018 conference on Identity for Government.
Any progress in between?
Yes.
In May, despite being dead, GOV.UK Verify (RIP) somehow held the ring. By November the conference was saying Turns out there is very much 'life beyond verify' ...
Where have you heard that before?
In May, despite being silly, the received wisdom was that there should be one national digital ID scheme and only one. But there are other numbers and by November the conference was saying Why HMG needs a 'pantry' full of good ID solutions.
Ring a bell? Please see "to insist that there should be one and only one identity assurance system is an ideological neurosis blocking the U-bend" above and "don't get trussed up in fatuous claims that there must be one and only one identity assurance system – the more the merrier".
It's been 17 years since we've seen any progress
in identity
in on-line public services in the UK.
The U-bend is blocked.
And it’s our job as the plumbers here at this conference today
to see if we can unblock it.
Some people would have us believe
that we have a major problem in the UK
identifying ourselves adequately
to access on-line public services.
Those gloomy people are not obviously right.
We're already identifying ourselves to on-line UK central government services
over 400 million times a year
using the Government Gateway.
The Gateway has been in operation since 2001,
it maintains over 50 million active accounts
and it allows us to access 123 public services
400 million times a year.
We don't have any trouble applying for planning permission on-line
with our local authority
and we don’t have any trouble paying their parking fines on-line.
In the private sector,
we Brits participate in a vast and growing on-line economy.
We’ve been able for years to press a few buttons and,
without leaving the house,
pay to have a new dishwasher delivered and installed
and the old one taken away.
Think twice before agreeing that on-line identity in the UK is nothing but problems.
----------
We’re in the internet era now
and that’s the justification given for all sorts of nonsense.
Some people say that the internet era ethos
dictates that we should use the same on-line identity assurance system
in both the public sector and the private sector.
Why?
What’s wrong with having multiple systems?
Nature is our model
and it happens in nature all the time,
where the badly adapted loser species get killed off
while plurality promotes survival.
HMRC have been happy enough with the Government Gateway for 17 years now.
But if the NHS can't use the Gateway and need a different system for their purposes,
fine – let them develop their own.
DWP, too.
And Scotland.
And above all,
because that's where most government takes place,
local government – let local government adopt its own identity assurance systems.
To insist that there should be one and only one identity assurance system
is an ideological neurosis blocking the U-bend.
----------
Some people assert that establishing our credentials to use any on-line service
should be frictionless.
It should be as easy,
they say,
to sign up for on-line government services
as it is to open an account with Amazon.
Piffle.
The only reason it's so easy to open an account with Amazon
is that we've already got a bank account.
And the only reason we've already got a bank account
is that we and our bank overcame the friction
and put in the effort to open it.
Getting a bank account is important.
We would expect the process to involve friction.
It would be suspicious if it didn't.
----------
Some people offer us control over our personal information
when it’s stored in their snazzy innovative identity assurance system.
The suppliers of personal data stores make that offer.
They can't deliver.
It's not in their gift.
The purveyors of open banking offer us that control.
Open banking was supposed to start in the UK on 13 January 2018.
Four months later there's still no sign of it.
The BBC ask us to create an account to use their services
and they, too, promise us control over our personal information.
So does the UK government's identity assurance programme,
popularly known as “GOV.UK Verify (RIP)”.
In the event,
once we've handed it over to these strangers,
it turns out that we have no control whatever over our personal information.
Our personal information can be stored anywhere in the world,
and we haven’t got a clue who’s got access to it
or what they’re doing with it.
These strangers could trash our privacy
and misuse our personal information.
We can't rely on their corporate conscience to stop them from doing so.
This isn’t a question of ethics.
That’s wrong.
We need laws to step in and take control where we can’t because it’s beyond us.
----------
The word "control",
like the word "friction-free",
should be a trigger warning.
Ditto "secure".
That’s another trigger warning.
It is unethical to promise security without qualification
as some identity assurance systems do.
That promise can no more be delivered on
than the promise to give us control over our own personal information.
Better to be like the lumbering old retail banks
who promise in their privacy statements to do what they can,
securitywise,
but warn us that the internet is not a safe space,
there will be breaches.
And that's another thing.
The retail banks are legally obliged to take on liability.
If our bank account is emptied by a fraudster and it's not our fault,
then the banks compensate us.
"Liability" is a word we don't often hear from the internet era promoters.
That's a shame.
Liability is what keeps the retail banks' noses clean.
Always remember,
when presented with a proposed identity assurance system,
to get an answer to the question who’s liable.
----------
Some people place their faith in mass consumer biometrics
to bind us to our digital identities.
Demand proof before joining the faith yourself.
Large-scale field trials used to reveal this flaky technology
to be laughably unreliable.
That gave the biometrics salesmen a problem,
a problem they have solved by not conducting any more large-scale field trials.
Don't fall for it.
"Biometrics"?
Trigger warning.
----------
With no progress in 17 years we've got a growing list
of new and not-so-new
requirements for identity assurance.
Age verification.
Registering to vote.
Voting at elections.
Proof of UK residence rights.
Access to health records.
And more.
We know we can crack these problems.
Despite what the gloom merchants tell us,
we have a good record –
400 million transactions a year is not to be sneezed at.
----------
In unblocking the U-bend,
expect the retail banks to be involved.
It's not going too far to say that their business is identity assurance.
They're good at it.
Expect the mobile phone industry to be involved.
Your ticket to the Royal Academy Summer Exhibition
doesn't have to be a material piece of card
posted to your house.
It could just as easily be a dematerialised digital certificate
transmitted by the Academy
to your phone
using public key infrastructure to authenticate every step of the transaction.
----------
To sum up:
- Make the most of the mobile phone industry ...
- ... and the banks.
- Remember that mass consumer biometrics is pitifully unreliable.
- Check where the liability lies in any proposed identity assurance system.
- Beware of offers of security without qualification ...
- ... and offers of control over our personal information.
- Embrace friction ...
- ... and don't get trussed up in fatuous claims that there must be one and only one identity assurance system – the more the merrier.
if we want an unbunged-up U-bend in the internet era.
----------
Updated 6.12.18
Think.Digital's 18 May 2018 conference on Identity for Government was followed by Think.Digital's 29 November 2018 conference on Identity for Government.
Any progress in between?
Yes.
In May, despite being dead, GOV.UK Verify (RIP) somehow held the ring. By November the conference was saying Turns out there is very much 'life beyond verify' ...
Where have you heard that before?
In May, despite being silly, the received wisdom was that there should be one national digital ID scheme and only one. But there are other numbers and by November the conference was saying Why HMG needs a 'pantry' full of good ID solutions.
Ring a bell? Please see "to insist that there should be one and only one identity assurance system is an ideological neurosis blocking the U-bend" above and "don't get trussed up in fatuous claims that there must be one and only one identity assurance system – the more the merrier".
Understanding the ethos and ethics of identity in public services
Last Friday 18 May 2018 was the Think.Digital Identity for government conference. The following speech was prepared but not delivered:
It's been 17 years since we've seen any progress
in identity
in on-line public services in the UK.
The U-bend is blocked.
And it’s our job as the plumbers here at this conference today
to see if we can unblock it.
It's been 17 years since we've seen any progress
in identity
in on-line public services in the UK.
The U-bend is blocked.
And it’s our job as the plumbers here at this conference today
to see if we can unblock it.
Tuesday, 15 May 2018
RIP IDA – "Reality bites"
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
At their annual jamboree, Sprint 18, on Thursday 10 May 2018 the Government Digital Service (GDS) finally signed the GOV.UK Verify (RIP) death certificate.
"Reality bites", said Nic Harrison, GDS's director of service design and assurance, "we are, frankly, just not going to get hundreds of new services being digitised in the next year to bring on Verify".
By 6 May 2018 there were just 17 on-line public services using GOV.UK Verify (RIP) whereas over 100 had once long ago been expected.
And just 2,237,857 GOV.UK Verify (RIP) accounts have been created since 13 October 2014. At that rate it will take until 28 July 2054 to create 25 million accounts, whereas GDS's target is 2020. Not feasible. 34 years late.
100? No, 17.
2020? No, 2054.
Meanwhile, the Government Gateway is already used to access 123 on-line public services, it already has over 50 million active accounts and it is already used over 400 million times a year.
GOV.UK Verify (RIP) has only been used 3.9 million times since 13 October 2014. The Government Gateway takes just 3½ days on average to achieve the same usage as GOV.UK Verify (RIP) in 1,300 days. Roughly, one Government Gateway day is a GOV.UK Verify (RIP) year.
There's a lot of reality to bite. And it has now well and truly bitten. GDS's job was to provide access to on-line public services. The problem had already been solved by the Government Gateway. Why spend six years trying to solve it again with GOV.UK Verify (RIP)?
There never was a good answer to that question.
And now GDS agree. GOV.UK Verify? RIP.
There is a rearguard action.
GDS now want GOV.UK Verify (RIP) to be taken up by the private sector.
But private sector interest so far is nil. There are no private sector on-line services using GOV.UK Verify (RIP). None.
We all of us use private sector services on-line. It's another problem that's already been solved. We don't need GOV.UK Verify (RIP). GDS's non-performing little cartel of "identity providers" offers us nothing.
And the reality is that that's what the rearguard action will come to. Nothing.
----------
Updated 3&4.6.18
At Sprint 18, 10 May 2018, while Kevin Cunnington delivered sweet nothings from the stage, in the wings Nic Harrison briefed journalists on the mortal effect of reality on GOV.UK Verify (RIP), please see above. Mr Cunnington is the director general of GDS, the Government Digital Service, and it is odd that he delegated this briefing rôle.
GDS wants to take 'hands off control' on digital identity, says Gov.uk Verify boss. That was Computer Weekly magazine. In the words of the UKAuthority.com website, GDS looks to private sector to boost Verify take-up. Or, as Government Computing put it, Brexit brake on Verify spurs GDS to woo private sector on digital identity.
What would "GDS taking its hands off control" mean? How could the private sector "boost" take-up? In what way would the private sector be "wooed"? And how can a brake be a spur?
Not long to wait for the answers, the Think.Digital conference on Understanding the ethos and ethics of identity in public services was coming up on 18 May 2018 and this time we were going to hear from the boss himself: "Speakers already confirmed include the GDS Director General Kevin Cunnington, who will be talking about the next phase of Gov Verify" ...
... except that it's all turning into a French farce, you never know who's going to come out of which door. In the event Mr Cunnington scratched so that once again, when the door opened, with DMossEsq in the audience, it was Nic "reality bites" Harrison who came out on stage.
GOV.UK Verify (RIP) will eliminate fraud, he said, and it will reduce operating costs. Also, GDS is transforming government from end to end step by step and privacy is the cornerstone of everything GDS does. And the Government Gateway will be closed by March 2019 implying, although Mr Harrison didn't make this obvious point, that HMG (Her Majesty's Government) won't be able to collect any tax thereafter. Reality has a bit more biting to do yet.
On the other hand, Mr Harrison did acknowledge for the first time that GOV.UK Verify (RIP) is not unique. Other identity assurance schemes around the world have taken six years to achieve 50% adoption so really we ought to look at GOV.UK Verify (RIP) as a very young system and your patience is called for. This is a first for GDS. Reality has at least nibbled. The pretence of exceptionalism has been dropped.
The completion rate (now "verification success rate") for GOV.UK Verify (RIP) is complicated. It is hard to explain. It stands at 40% or so, i.e. the failure rate is something like 60% but that's not really what it means, Mr Harrison said. You can have too much reality – this may be the prelude to removing the completion rate from GOV.UK Verify (RIP)'s dashboard on the GDS performance platform.
There was some perfunctory vapour about including level-of-assurance-1 self-certified, unverified identities in the statistics for GOV.UK Verify (RIP) – you can see why GDS lost the responsibility for government "data" – and everyone should use one and only one electronic identity and government standards and federated systems and the GOV.UK Verify (RIP) brand and stepping stones to an ecosystem and it all depends on the private sector ...
... but there was no explanation how this will work. The questions raised by Sprint 18 remain unanswered and GOV.UK Verify (RIP) remains dead.
Mr Harrison finished by saying that he looked forward to hearing what the next speaker, Don Thibeau, had to say. Then he sat down. Mr Thibeau got up to speak. Mr Harrison promptly left the building. It's the way he tells 'em.
Updated 4.6.18
Don Thibeau is the head of OIX, the Open Identity Exchange, GDS's business partner on GOV.UK Verify (RIP) and, according to him, speaking at the Think.Digital conference on Identity for government, OIX should lead the public-private partnership (PPP) between GDS and the private sector.
That's a bit confusing when you consider that no organisation has done more than OIX to explain the problems with GOV.UK Verify (RIP) and its inability to attract a single user in the private sector, please see here, here and here for example. And of course Mr Thibeau offered no explanation how this PPP would work.
In a whirlwind tour of the identity assurance world Mr Thibeau told us that:
- The US have cancelled their GOV.UK Verify (RIP) lookalike system, connect.gov (a fact which DMossEsq readers have been apprised of for nearly two years now).
- The nasty authoritarian Chinese are using identity assurance systems to keep the population under constant surveillance. They maintain social credit accounts for everyone and woe betide you if your balance/score goes into the red (Think tank wants GDS to take on creation of single Digital Government Account).
- The nasty authoritarian Russians want access to the personal records of all passengers overflying the mother country (that hasn't been news for at least nine years now, everyone wants that data, please see question 7).
- There is a queue of African states outside the doors of the World Bank all trying to raise loans to deploy identity assurance schemes to promote economic growth (any sign of that working?).
- Open banking and PSD2 could be big (if they ever get started, we've been expecting them in the UK since 13 January 2018 and there's no sign yet).
- Blockchain.
Make of it what you will, Mr Thibeau agreed to take questions at the end of his talk on one condition: "keep the microphone away from David Moss".
Updated 6.6.18
Two presentations at the Think.Digital conference on identity in public services were given by practitioners actually trying to get identity assurance schemes to work:
- Adam Lewis is the Programme director, Citizen Identity & Personal Health Records at NHS Digital. The NHS (National Health Service) for some purposes ("Comparison" purposes) needs level of assurance 3 digital identities and GOV.UK Verify (RIP) only offers level of assurance 2. So for those purposes GOV.UK Verify (RIP) is no use to the NHS.
- Stuart Young is the managing director of Etive Technologies, a company which has worked on identity assurance with Birmingham City Council, the Greater London Authority, the London Borough of Tower Hamlets, Hackney Council and GDS themselves, the Government Digital Service. Mr Young said that in his experience of identity assurance for local authorities:
- GOV.UK Verify (RIP) has "failed most people".
- Local authorities are better at identity proofing and
validationverification (IPV) than banks.
GDS can ignore reality and advocate a public-private partnership all they like but the fact remains, according to Messrs Lewis and Young and others, that GOV.UK Verify (RIP) is useless to the NHS and to local authorities.
Level of assurance? Low
OIX have told us in the past that, with millions of people, GOV.UK Verify (RIP) has trouble reaching even level of assurance 2 (p.11). The problem is GOV.UK Verify (RIP)'s reliance on credit records. Millions of people don't have a comprehensive and up to date credit record and as a result the credit rating agencies can't help with IPV. These people exist. But they can't be added to GOV.UK Verify (RIP)'s population registers. From that point of view, they may as well not exist.
The US National Institute of Standards and Technology (NIST), by the way, consider that GOV.UK Verify (RIP) doesn't really offer level of assurance 2 – NIST reckon it only amounts to level of assurance 1, self-certification. Self-certification has its uses but there's no need to pay "identity providers" to populate GOV.UK Verify (RIP) with unverified identities ...
... and the Law Commission, of course, please see above, consider that GOV.UK Verify (RIP) fails to prove that the person on the end of the line is who they claim to be. After a while you have to ask yourself whether entirely on-line registration is feasible, reality may suggest that GDS are simply attempting the impossible.
Penetration? Limited
GDS used to publish statistics on GOV.UK Verify (RIP)'s account creation success rate. The rate hovered around the 70% mark, i.e. about 30% of the population could not be reached by GOV.UK Verify (RIP). GDS stipulated that GOV.UK Verify (RIP) would not go live until the account creation success rate had reached 90%. It never did, they stopped publishing the statistics and GOV.UK Verify (RIP) went live anyway.
In public administration you can't just ignore millions of people. GOV.UK Verify (RIP) just won't do. Not if it's meant to be the only identity assurance system which is what Nic Harrison wants, please see above, and so do other ideologues.
The public sector needs "universal" coverage, the NHS has to be able to offer services to anyone, DWP (the Department for Work and Pensions) has to be able to pay Universal Credit to anyone and Tower Hamlets has to be able to contribute to the social care costs of anyone. The ideologues need to listen to the practitioners.
The private sector can pick and choose. They don't need "universal" coverage, they can be content with a sub-set of the population. But they do need more than level of assurance 2 for their digital identities. In the finance sector they need more like 4 and even higher.
Partner? Sleeping
When reality really bites, when they confront the real world, GDS will finally have to acknowledge that, to repeat, GOV.UK Verify (RIP) just won't do. GOV.UK Verify (RIP) has nothing to bring to any supposed partnership with the private sector.
Legal persons? None
Both the public sector and the private sector need companies and trusts and partnerships to have electronic identities in addition to natural persons (you and me). GOV.UK Verify (RIP) can't provide them. It can only register natural persons, not legal persons. If they relied on GOV.UK Verify (RIP) HMRC (Her Majesty's Revenue and Customs) couldn't collect corporation tax, PAYE, NI or VAT from companies because GOV.UK Verify (RIP) doesn't know what a company is. No good.
Combustion? Spontaneous
GOV.UK Verify (RIP) has been dying since it went into its public beta phase in October 2014. It's not the young system Nic Harrison pretends, please see above. One problem that has come to light over the years is that your GOV.UK Verify (RIP) identity can spontaneously disappear, you can unpredictably cease to exist – now you are you, now you're not. No good to the NHS. No good to local authorities. No good to the private sector. No good.
Updated 12.11.18
We have recorded above some of the points made at Think.Digital's 18 May 2018 conference on identity in public services.
Now Think.Digital are holding a second conference, this time on 'Understanding the Policy, Practice and Delivery of Public Sector Identity', 29 November 2018.
No DMossEsq speaking this time. No Kevin Cunnington, of course. And no Nic Harrison – reality has bitten and he's left the Government Digital Service (GDS).
Anthony Wilson will be there. He is a colleague at NHS Digital of Adam Lewis, who spoke at the 18 May event when he explained how GOV.UK Verify RIP can't meet the National Health Service's level of assurance requirements. Mr Wilson will no doubt expand on 29 November on NHS Digital's plans to develop its own identity assurance scheme.
And of course Lawrence Hopper will be there on 29 November.
Who?
Lawrence. You know Lawrence. The Head of Policy and Strategy for GOV.UK Verify RIP at GDS.
What does he know about national identity assurance?
Almost entirely anonymous, Google is silent on the question but that doesn't matter because, famously, GDS are handing GOV.UK Verify RIP over to the private sector, please see for example Dowden details Verify’s private sector future and signals end of direct Whitehall funding for identity programme.
Also, GDS haven't been in charge of national identity policy since June 2018, please see for example GDS loses digital identity policy to DCMS. Luckily Andrew Elliot will be there to resolve this mystery. He's the deputy director for digital identity at DCMS, the Department for Digital Culture Media and Sport.
David Alexander will be there, he's Chief Executive of Mydex, the company still flying the flag for personal data stores. Why did Mydex never sign up as "identity providers" to GOV.UK Verify RIP? Perhaps Mr Alexander will tell the audience on 29 November.
How do you protect your personal information? According to Mydex, by collecting it all together in a personal data store in the cloud. That puts you in control, by some new definition of the word "control", the opposite of what is normally understood by it. Never mind the daily diet of cyber breaches which we feed on. And never mind that personal data stores can't support attribute exchange.
The BBC have the same problem. When you hand over all your personal information to a stranger in the cloud the BBC, too, call that "being in control". Attendees could take that up with Colin Brown, lead identity and access management architect at the BBC, another organisation that sees no need to use GOV.UK Verify RIP.
HMRC are having to modernise the Government Gateway to continue to support on-line transactions, as it has for 18 years now, as GOV.UK Verify RIP can't verify the identity of companies. The new version of the Gateway is thought to be going live in March 2019. Will it? Attendees could ask Alison Walsh, the business readiness lead for external government departments, Government Gateway program at Her Majesty's Revenue and Customs. Let's hope the answer is yes, otherwise reality really will bite, we won't be able to pay any tax and there won't be any public services left in the UK, not even GDS.
RIP IDA – "Reality bites"
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
At their annual jamboree, Sprint 18, on Thursday 10 May 2018 the Government Digital Service (GDS) finally signed the GOV.UK Verify (RIP) death certificate.
"Reality bites", said Nic Harrison, GDS's director of service design and assurance, "we are, frankly, just not going to get hundreds of new services being digitised in the next year to bring on Verify".
Wednesday, 9 May 2018
RIP IDA – OIX to the rescue 3
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".
19 April 2018, OIX published Digital Identity in the UK: The cost of doing nothing, a report by Innovate Identity, a consultancy which predictably enough attempts to convince the reader that the benefits of a national digital identity scheme are so great that it doesn't matter what it costs to develop.
Does that report help GDS?
Put it this way:
- On p.1 they say: "The UK is amongst an ever-smaller group of developed nations without a national digital identity infrastructure. The UK has few identity standards, and the market remains fragmented" – not altogether helpful six years or so after GDS started work on GOV.UK Verify (RIP).
- P.3 opens with: "The relatively under-developed digital identity ecosystem in the UK has been the topic of a long and increasingly frustrated discussion".
- P.7 is headed "Inertia in the UK".
- P.8 lists a small sub-set of GDS's missed targets and blames GDS for the low levels of public adoption of GOV.UK Verify (RIP), its limited utility and its failure to be adopted anywhere in the private sector.
- By p.10 you're still less than half way through the report and you read: "The provision of only four attributes by GOV.UK Verify [RIP] ... can alone only satisfy a small part of the data needs that many uses would require".
- ... asserts that GOV.UK Verify (RIP) could help with age verification (p.22). GDS say explicitly that age verification is not one of their objectives for GOV.UK Verify (RIP).
- ... gives the impression throughout that open banking is up and running (pp.1, 5, 6, 10, 22). It isn't. Open banking was due to start in the UK on 13 January 2018. There has been no sign of it yet.
- ... makes it sound as though Aadhaar, the Indian identity assurance scheme, is an unqualified success (p.19). It isn't, please see for example UIDAI On the Defensive Again Amid Aadhaar Fraud Claims. Also Enormous number of complaints of corruption and enrolment process violations against Aadhaar enrolment and update centres under CSC e-Gov, says UIDAI while asking its sibling to close Aadhaar services business (1 crore = 10,000,000).
RIP IDA – OIX to the rescue 3
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
14 June 2012, we discovered that the Government Digital Service (GDS) had joined the Open Identity Exchange (OIX) in order to help with their moribund identity assurance programme now known as "GOV.UK Verify (RIP)".
19 April 2018, OIX published Digital Identity in the UK: The cost of doing nothing, a report by Innovate Identity, a consultancy which predictably enough attempts to convince the reader that the benefits of a national digital identity scheme are so great that it doesn't matter what it costs to develop.
Does that report help GDS?
Monday, 7 May 2018
RIP IDA – Windrush & ID cards
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
4 May 2018 Windrush scandal: no passport for thousands who moved to Britain. That article and hundreds more like it describe the outrageous Windrush generation problem we have in the UK. Home Office officials are threatening some of these British citizens from overseas with deportation. Some of them have lost their jobs. Some their rented homes. Others have been denied the free state healthcare which they are entitled to.
Many commentators have had the same reaction. If only we had ID cards, these disgraceful injustices could have been avoided. Please see for example:
- 21 April 2018 The Windrush scandal makes the case for ID cards
- 24 April 2018 No ID cards, please, I'm British... But I wouldn't mind a unique personal number
- 26 April 2018 ID cards are best way to tackle immigration
- 30 April 2018 Reconsider ID cards, say ex-home secretaries
- 1 May 2018 Home Truths
- 1 May 2018 Why our suspicion of ID cards is out of date
Noticeably, although lots of people's minds turned automatically to ID cards, absolutely no-one's first thought was "this is a job for GOV.UK Verify (RIP), what we all need is a GOV.UK Verify (RIP) account". Whatever the problem, GOV.UK Verify (RIP) is the solution that occurs to no-one.
RIP IDA – Windrush & ID cards
No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.
IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
"If Verify is the answer, what was the question?"
The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)
4 May 2018 Windrush scandal: no passport for thousands who moved to Britain. That article and hundreds more like it describe the outrageous Windrush generation problem we have in the UK. Home Office officials are threatening some of these British citizens from overseas with deportation. Some of them have lost their jobs. Some their rented homes. Others have been denied the free state healthcare which they are entitled to.