Thursday 13 December 2018

RIP IDA – LSE Prof sells CGD a pup

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)


May 2013, and Alan Gelb and Julia Clark of the Center for Global Development publish a report on biometrics. Not so much a report as an uncritical re-hash of the marketing material used by the biometrics industry. The industry that owes so much to astrology.

It is possible that you had forgotten.

November 2018, and the CGD publish an odd report on GOV.UK Verify (RIP) with a preface by the same Alan Gelb. At least, one assumes that it's the same Alan Gelb.

The report is written by Dr Edgar A Whitley, "an Associate Professor (Reader) in Information Systems in the Department of Management at the London School of Economics and Political Science". That doesn't seem to have helped:

Wednesday 17 October 2018

RIP IDA – international ID slapstick, that's the way to do it

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

A week ago we learnt that people with a German electronic ID are now able to use it to log on to HMRC:


This has been on the cards, so to speak, for over 10 years now, ever since the inception of the European Union's Project STORK. German students studying at UK universities should be able to access UK public services while they're over here using trusted German identity assurance. Ditto UK students in Germany. And not just Germany and the UK, any EU citizens in any EU country.

Over the years, Project STORK became eIDAS, EU Regulation 910/2014. The German Federal Office for Information Security jumped through all the eIDAS hoops to "notify" their Ausweis identity assurance scheme, it's passed all the tests and, as noted in the Martin Jordan tweet above, Her Majesty's Revenue and Customs now have to accept Ausweis identities.

That's the theory.

In practice, this is the response a German currently gets:


That's the way to do it.

"Something went wrong".

It certainly did.

But where?

Germany? HMRC?

Apparently not. The error message is branded GOV.UK Verify (RIP). Their logo. Their problem.

Speaking of which, GOV.UK Verify (RIP) has been put up for eIDAS membership. It's been "pre-notified" in the lingo:


Will it be as successful as the Germans' Ausweis? Will it be deemed to provide a low level of assurance that the owner of the GOV.UK Verify (RIP) identity is who they say they are? Or a substantial level of assurance or even a high one?

Our EU partners will not be impressed at the rejection of GOV.UK Verify (RIP) by HMRC, DWP (para.3.21), the NHS, Scotland, UK local government and others. Nor will they be mollified when they see US NIST's opinion that GOV.UK Verify (RIP) provides nothing better than self-certification.

It's all about trust, and what are our partners supposed to make of the fact that the Post Office are treated as an "identity provider" (IDP) even though they're not certified by tScheme? It looks underhand making people think they're dealing with the Post Office when really all the identity proofing work is carried out behind the scenes by Digidentity. It undermines trust.

Has GOV.UK Verify (RIP) been pre-notified by the Government Digital Service? That would seem strange:
  • Partly because it is the Department for Digital Culture Media and Sport that has responsibility for the digital economy and for identity policy, not GDS.
  • And partly because it has recently been announced that the UK government will cease funding GOV.UK Verify (RIP) in 18 months' time.
Who will underwrite GOV.UK Verify (RIP) identities after that?

No-one knows. Certainly not the 27 other members of the EU.

As things stand, the probability of GOV.UK Verify (RIP) getting through the eIDAS vetting procedure is not high, not substantial but, if it's lucky, maybe low. Low-to-non-existent.

That's the way to do it.

----------

Updated 23:52

Our European partners may recall that early last month the UK's Infrastructure and Projects Authority recommended that GOV.UK Verify (RIP) be terminated. That's the same GOV.UK Verify (RIP) that we're trying to get approved for use in eIDAS, please see above.

Not confidence-inspiring.

Reality bites. But instead of terminating the scheme, the Senior Responsible Owner is abandoning ship and GDS are letting go of the controls and handing it over to the private sector. Perhaps the private sector will prove better at terminating it.

Not confidence-inspiring.

GOV.UK Verify (RIP) boasted seven "identity providers" until recently – Barclays Bank, CitizenSafe/GB Group plc, Digidentity, Experian, the Post Office, the Royal Mail and SecureIdentity/Morpho.

During the handover to the private sector two of those "identity providers" are dropping out – CitizenSafe/GB Group plc and the Royal Mail.

In reality, the Royal Mail was never a true "identity provider", they just provided a call centre service and all the identity proofing and verification work done in its name was really conducted behind the scenes by CitizenSafe/GB Group plc, another example of GDS's duplicity like the Post Office/Digidentity charade, please see above.

Not confidence-inspiring.

What happens to all the personal information that the Royal Mail and CitizenSafe/GB Group plc amassed while they were still operational? Them and their subsidiaries and partners and contractors? Where's the information gone now? What control do we citizens have over our own personal information? What happens when GDS and DCMS are no longer involved?

Come to that, what's happened to all the personal information Verizon amassed while they were an "identity provider"?

Even for the continuing "identity providers" – Barclays Bank, Digidentity, Experian, the Post Office and SecureIdentity/Morpho – GOV.UK Verify (RIP) doesn't abide by a single one of the identity assurance principles that are meant to govern it.

Not confidence-inspiring.

GDS never answer questions posed by us, the public. Maybe they'll answer the eIDAS authorities.


Updated 18.10.18

Certification of the GOV.UK Verify (RIP) services supplied by "identity providers" is carried out by tScheme. The summary of their certification has now been updated.

The Post Office is most notable as the only "identity provider" to have no tScheme approval whatever.

None of the "identity providers" is certified by tScheme as having any expertise with digital certificates – something of a gap vis-à-vis eIDAS, which is all about trust services.

Thursday 20 September 2018

The Digital Ape: how to live (in peace) with smart machines by Nigel Shadbolt and Roger Hampson

The Digital Ape: how to live (in peace) with smart machines
by Nigel Shadbolt and Roger Hampson

Professor Sir Nigel Shadbolt is well known to DMossEsq's millions of readers as the prophet of the magic of open data. He's the chairman and co-founder of the Open Data Institute and Roger Hampson is one of the ODI's four non-executive directors.

The title "The Digital Ape" is inspired by Desmond Morris's The Naked Ape and extends his evolutionary approach to artificial intelligence. Man has always used tools to overcome his original shortcomings. First there was the hand axe. Now there's artificial intelligence. Messrs Shadbolt and Hampson's argument is that the hand axe didn't destroy the human race, so artificial intelligence won't either.

What can we digital apes look forward to in the brave new artificial intelligence world where we are at peace with our smart machines?

This is a question Professor Sir Nigel has tackled before in conversation with the much lamented journalist, Steve Hewlett:
  Just imagine a new world where you look out of the window and see the blue flashing lights, and then someone flies through the door and says "we're here to prevent you from having a heart attack".

[Image: Flint hand axe found in Winchester]

Nothing as exciting as that in The Digital Ape, where Messrs Shadbolt and Hampson content themselves instead with a relatively dull vision of the fridge automatically ordering butter for you when stocks run low. Also, "the floor will phone social services if Granny has a fall [but will social services answer?]". (This is at Loc 3052 of the Kindle edition of the book which doesn't have page numbers, just Locs/locations.)

Professor Sir Nigel is or at least was in charge of the government's midata programme which he amusingly claimed, five years ago, would allow us to "get to the future more quickly". No sign of that. The apps haven't been developed ...

... and the obvious problems remain unsolved. In a digital ape world where we're permanently under surveillance and all data is open including personal information, Steve Hewlett wanted to know, what happens to privacy? We look to our eminent authors for guidance. In vain:

  On the face of it, open data is an idea too simple and right to fail. Assuming that the correct safeguards around private and personal information are in place ... (Loc 3802)

What are the "correct safeguards"? No answer.

  Public datasets should definitely be open to all comers, subject to privacy and security concerns ... (Loc 3919)

How "definitely"? What is a "public dataset"? Which datasets would be "subject to privacy and security concerns"? What access if any would there be to these concerning datasets? No answers.

  The digital ape needs urgently to debate and define the reasonable boundaries for the collection and analysis of information by government agencies in the age of terror. Restraints and accountability are essential ... (Loc 4023)

Surely this book is the place for that debate. This is the debate that the leaders of the Open Data Institute should be ideally placed to contribute to. What "restraints and accountability"? No answer.

  ... we badly need conventions that curb the continued weaponisation of the digital realm ... (Loc 4032)

What "conventions"? No answer.

  There is no contradiction between the desire to live in a society that is open and secure, and the desire to protect privacy. Open and private apply to different content, handled in appropriately different ways ... (Loc 4069)

What "appropriately different ways"? No answer.

  The personal data model is one way to produce a viable alternative [to the Orwellian implications of building one huge public database]. There are obviously problems ... We are certain these are solvable problems ... (Loc 4081)

Why are the authors "certain"? Their certainty doesn't make the reader certain. What are the solutions? No answer.

  If we want people to pay the tax they owe, we need some system of collecting it [we already have one, courtesy HMRC, quite an extensive one], and some way of knowing collectively that we have done so. Imagination will be needed to turn all these into data stores held by individuals ... (Loc 4139)

"Some system"? What system? "Some way"? What way? "Imagination" is no answer.

  There need to be clear rules for the transparency of algorithmic decision-making, the principles and procedures on which choices about the lives of individuals and groups are being made ... (Loc 4512)

What "clear rules"? What "principles and procedures"? No answers.

  We need a new framework to govern the innovations, which might enable individuals, en masse, to temper the continued concentration of ownership and power ... (Loc 4582)

What "new framework"? No answer.

All these questions. We all knew them. That's why we bought the book. To benefit from the experts' ideas. But no. No answers.

So much for "on the face of it, open data is an idea too simple and right to fail ... (Loc 3802)". Nothing "simple" about it. Nothing obviously "right" about it.

How to live (in peace) with smart machines? No idea. Not a clue.

Saturday 1 September 2018

The Sham ID, called 'Aadhaar': Hoax of the Century

The Sham ID, called 'Aadhaar': Hoax of the Century
by Mathew Thomas

"Achche din is finally here", says the condemned man on the front cover of Mathew Thomas's book.

"Achhe din aane waale hain" was the campaign slogan of Narendra Modi's BJP party in India's 2014 election, "happy days are coming".

For years Mr Modi had opposed Aadhaar. Bad news. That's while he was in opposition. Then he became Prime Minister and now he's a fan. Happy days are here again.

"Stop! He has no Aadhaar card", says the lawyer on the front cover of Mathew Thomas's book.

The funny thing is, no-one does. There is no such thing as an Aadhaar card. Aadhaar cards are part of the extraordinary Indian delusion that is the subject of Mr Thomas's book.

UIDAI, the Unique Identification Authority of India, the people in charge of Aadhaar, have pulled off "the hoax of the century". Not only are there no Aadhaar cards, there is no unique identification either.

Aadhaar doesn't work. One big broken promise, it was meant to help the poor to claim state benefits and it doesn't. It can't.

The politicians know that. The civil servants know that. The media know that. So do the lawyers and so does everyone else. Not least because Mathew Thomas has spent 10 years or so patiently telling them.

And yet ...

... UIDAI goes from strength to strength.

Aadhaar was meant to be a voluntary scheme. First it morphed into being mandatory for state benefits and now it's trying to insert itself into more and more walks of life. You want a passport? Give us your Aadhaar number. You want a mobile phone? Give us your Aadhaar number. You want a bank account? Give us your Aadhaar number. Etc ...

What's going on?

It's baffling.

The politicians and the civil servants et al aren't stupid. And yet they connive in funding Aadhaar.

Alice in Wonderland? The emperor's new clothes? Tulipmania? Pick your metaphor. Whichever you choose, India is undeniably in the grip of some sort of an extraordinary delusion, a nightmare from which it will finally wake up.

For years, India's Supreme Court has been hearing the tireless Mathew Thomas's cases asserting that Aadhaar is unconstitutional. The court is due to promulgate its latest decision soon. Independent of political parties and of business interests, the judges have the opportunity to rouse India from its slumbers, to say achhe din aane waale hain and to put an authoritative stop to this Aadhaar nonsense.
