honestlyreal

Five questions for Identity Assurance

Identified

We’re getting closer to the launch of the government’s “identity assurance” (IDA) service – providing a way of confirming that people are who they say they are online, when they interact with government services.

There’s much on the IDA team’s blog about progress to date, and much to like. Such as the upfront decision to separate the confirmation of identity bit from what government’s there to do, and to open up a choice of identity providers (IDPs) who’ll be able to offer different ways of creating and using an online identity.

But there’s still too much that isn’t clear about the scheme. And given its importance – it will be essential if there’s going to be a major improvement in transactional services – here’s some of the detail I’d like to see:

1. how does it actually work? (and I don’t mean at the theoretical level described in the “Good practice guides”, but using real examples of real services, processes and data) It’s all well and good saying that I will be able to choose an identity provider, and be able to set up a trusted relationship with them online…but what’s actually going on to make this happen, and to support me once it has? How will they know I am who I say I am? Will they have access to something that only I would know, and if so, what? If they’re an organisation I’ve never (knowingly) had any dealings with before, what will they know about me? If they’re a new entrant to the identity provision market (as some in the running are) – where are they getting their sources to do checks? And, as ever, what’s being passed around to whom, how’s it held, secured, indexed…and all the rest of the usual, essential hygiene issues around personal data?

I have a feeling that as these details emerge we could be in for some interesting food for thought about what information is being shared by whom. But best we start to see some real examples so we can get our heads round it, and to make sure we’re comfortable with who knows what about us. Given we’re dealing with that most treasured currency of all – personal data – I think we need much more transparency about what’s being proposed. And we’ll only have realistic scrutiny if there are realistic proposals to chew on.

2. will government department x actually hand off the responsibility for identity confirmation to identity provider y? This has to happen for the service to work as intended, yet it has big implications for the accountability of delivery. Will heads of service still take responsibility if things go wrong in the checking process, or if they find they’re transacting with fraudulent or misidentified accounts? Who does the service user contact to fix things that go wrong, now that more than one organisation is involved?

Make no mistake, I’d absolutely love to see it happen – so I’d be reassured if a government department made a clear statement of this intention and, furthermore, that it no longer intends (or needs) to operate its own version of identity checking in favour of that provided by an IDP. It’s relatively easy to do new, parallel things in government. But confirmation that there’s actually been a change is usually only provided by stopping doing an old, superfluous thing.

3. following on from that, how will the service be paid for? The IDPs aren’t in it out of the goodness of their hearts – how are they incentivised, how can we have assurance that they’re being paid a fair rate, and what’s the outcome for them financially if they get things wrong, or provide a poor quality service in some other way?

4. who’s watching what I do? We live in sensitive times – aware that beady eyes are watching all that we do online. Who will be watching our transactional exchanges – as we’re identified, and then as we go on to use services? One of the big selling points of using a layer of IDPs independent of government was that there’d be no creation of a vast, centralised database of identity and activity. What’s the assurance that such data capture isn’t happening anyway – creating just such a central viewpoint, albeit one in which lots of separate things connected to us are being indexed together?

5. and lastly – where’s the big picture here? Where’s all this going? Will an identity be reusable across more and more services? What will happen when services require different levels of assurance? (For example, an identity created using some basic checks to access a relatively insecure look-up service might need to be ‘strengthened’ to access something that’s more complex in terms of money or confidentiality. How?) How clear will it be to the user what level of trust they’ve achieved using a particular identity?

And if more and more services can be accessed using the same online identity, doesn’t that create the “all eggs in one basket” problem, as well as creating a virtual single “person” that government’s dealing with – reviving lots of the problems that IDA is designed to avoid? Are we expecting people to try and reuse the same identity as much as possible, or to create a few at different levels of trust, or to start from scratch every time they touch a new service? If there’s the ability to reuse an existing trust relationship (for example with a bank or a mobile phone company) what effect might that have on fair competition for new customers? And how will government in general address the lack of provision of an IDA option as IDA’s use becomes more widespread? Customer expectation is going to rise (as it should for any useful, improved service) and at some point it’s going to become unacceptable for an area of government even to try using a non-IDA verification method. Or has that already happened?

They’re tricky questions and, as ever, neither complete nor perfectly phrased. Please do comment with anything else you’d like to know more about. But I’d really like the IDA team in GDS to share much more of their thinking in these areas – and where there are still details to be ironed out, to be open about them. This will lead to more robust solutions, less uncertainty about the myth and reality of what’s planned, and a lot of external help in planning for and addressing the issues that will inevitably surface when millions of transactions are being supported by IDA.

UPDATE 23 Jan: The Identity Assurance team have published a blog post that gets into more detail on some of these issues, and points to a number of posts to come, on issues ranging from user research to the outcomes of a private beta that will apply identity assurance to two specific “exemplar” services – HMRC’s PAYE and DVLA’s “view driving record” services.

34 Responses

  1. Terence Eden says:

    Perhaps I’m being thick… but I don’t understand what this is actually *for*.

    I’ve not seen a user story or anything like that which explains why I’d want to OAuth service X with Government Department Y.

    I have so few direct dealings with the state that it seems like a solution looking for a problem. Or have I overlooked something fundamental?

  2. The Good Practice Guides on Identity Assurance from CESG and Cabinet Office might help with some of the nuts-and-bolts questions:

    https://www.gov.uk/government/publications/identity-assurance-enabling-trusted-transactions

  3. Paul says:

    They help a little (as mentioned in the fourth para above) ;)

  4. Toby Stevens says:

    I’ve long been concerned that the most pressing question here is point 3 – how will it be paid for? Monetisation will drive IDP behaviours, and the commercial model appears to be very much in flux. In the early days we saw DWP offering to pay per transaction, only for that procurement to be pulled and replaced with the ‘per user per annum’ model for the five current IDPs, but that’s not sustainable either.

    My guess is we’re going to see a shift to an attributes market, where IDPs are not paid by anyone for proof of ID, but are paid for provision of a trusted (i.e. underwritten by a financial warranty) attribute – e.g. “I’ve got Toby on the line, and will confirm that he lives at this address with his wife and two children.”

    The reason this matters so much is because it will determine how users behave, what the role of the ombudsman/authority is in regulating IDA, what companies choose to participate, how else they might exploit data etc. There’s a pressing need for a more public dialogue about the economics of IDA.

  5. James Kemp says:

    One of the things driving the payment arrangements for IDPs is the desire from Cabinet Office to ensure that both citizens and Departments use IDA for authenticating online transactions. If either of those is asked to pay on a per transaction basis there is always the possibility that they would look for a more cost effective way to do it (or not bother with the transaction online). So it appears that central funding of IDPs is the optimal way to make it happen. I would expect that the payment regime would evolve with the service and for there to be commercial renegotiations. Companies only do things that make them money, or which they are legally obliged to do.

    As far as I understand it, the user story on this is that people don’t want a multiplicity of logins for government services, nor do they want to keep telling different parts of government the same thing. However I’ve yet to see any user research backing that up with evidence. Certainly the driver for IDA was a combination of things, including replacing the Government Gateway with something that works (which I know Paul has blogged about several times).

  6. Terence Eden says:

    I’ve tried reading those documents (fun!) not once did I see anything like…

    “As a parent, I want to be able to see how much my weekly child allowance will be. Rather than create an account on childallowance.gov.uk, I want to click the icon that represents my online banking provider and use that to log in.”

    Is that what we’re talking about?

    It just seems so… bizarre. I get that it’s a pain to register several times for various services. And I get that (some) people don’t want a monolithic login. But how is this any better?

    Either I use my credit-card login with everything, or I have to remember that my HSBC account is for Tax, Thames Water is for child support, Home Insurance for Vehicle Excise Duty….

    And what happens when I switch bank? Do I have to set the whole thing up all over again?

    I’m not trying to be obtuse… but what is the clearly defined user need in all this?

  7. Paul says:

    No, you’re not being obtuse. This is why I’m so keen to see it written down from the perspective of an actual user, starting with their need, and stepping through the whole process – front end experience and back end engineering. I think that would be a straightforward way of tackling questions like the ones you’ve raised.

  8. Hi Paul, Nice post, and really helpful in defining the questions we need to answer about what we’re doing. We know that there’s quite a bit of detail still to share, including some of the issues you raise, as we get closer to our first betas. Keep an eye on our blog, you’ll find quite a lot of this ground will be covered in the next few weeks. We’ll be happy to come back and post links in the comments here.

    For example, we’re planning to publish our response to the Privacy and Consumer Advisory Group’s draft Identity Assurance Principles. That will explain how we’re planning to make sure, amongst other things, that the service is transparent, users are in control of their data, users’ privacy is protected and there is no centralised database of identity or activity information about individuals.

    Thanks again for this post, we very much appreciate your input.

  9. Paul says:

    That will certainly be of some use, Steve.

    Will it contain a “user’s view” description of how the service will work to meet a user need – either drawing on proposals for a real service, or using a worked, illustrative example if no commitments can be made at this stage about a real service? I have never seen a description of this nature, and I do try to read as much as I can of what’s published.

    If such a description can’t readily be published – either in the response to the Principles, or as a standalone piece – after all the work that’s gone on, that would give some cause for concern.

  10. Hi Paul. Yes, you’re right, we haven’t yet published a detailed description of the service in the way you’ve suggested. The Good Practice Guides are primarily aimed at departments and service providers to help them assess their risks and needs, rather than explaining how it will work from a user perspective.

    We agree that describing the service from the point of view of users would be a useful approach to showing how the service will work. We’ll either incorporate this into our response to the principles, or produce a separate blogpost.

    Thanks again.

  11. Paul says:

    That’s very good to hear

  12. James Kemp says:

    I plan to write user stories to support development of the IDA interface for a digital transaction that I am responsible for. Currently my department isn’t comfortable using social media or blogs but I’ll be working with GDS colleagues and I am sure we can collaborate effectively to get a proper worked example for a specific service.

    I’ll drop Steve Wreyford an email from my work account when I’m back in the office tomorrow.

  13. […] Five questions for Identity Assurance – honestlyreal […]

  14. David Moss says:

    Some information available here
    http://forum.no2id.net/viewtopic.php?f=2&t=39405
    culled from David Rennie’s talk
    “An overview of 2014 plans for the UK IDAP”
    given to the IDESG conference this week.

  15. Gordon Rae says:

    If I can try and answer your question from the point of view from someone involved in the identity landscape, but outside government:

    1. I think you get into a muddle almost immediately with the question of how an Identity Assurance Provider establishes a relationship with a citizen. The provider is the agent of the citizen, not the agent of the government. They have to know things about me, so that they can vouch for me, but it’s also an essential part of their duties that my provider of choice does not tell the government everything they know about me! The essence of an authentication scheme is that a relying party (like HMRC or DWP) should be able to ask providers YES/NO questions and make decisions based on the answers it gets.

    There are many important design questions in how government ensures that providers work inexpensively, and are hard to break, fake or corrupt. But the division of powers is not unprecedented. We already have cheques, credit cards, MOT testing stations, and rules for witnessing wills and contracts and who is allowed to decide whether or not our passport photo is appropriately ugly. Terence Eden gives other pertinent examples.

    I expect these design decisions were put on the table at a very early stage, and if this blog post is a coded way of hinting that they were not, tout le monde better change gear and have that conversation now.

    My answer to Q2 is yes they must, because [Q3] this is supposed to reduce costs by removing duplication of effort and hoarding of information, as well as reducing government surveillance and [Q4] ensuring citizens control our data and make well-informed choices about who we share it with.

    Q5: I don’t think that anyone could draw a bigger picture than one that shows how the government can deliver public services while respecting and protecting individual citizens and not wasting money on bureaucracy and idiocy.

    Actually, maybe that IS the bigger picture; the one with all the idiocy left in. No, I’m being cynical, aren’t I?

  16. David Moss says:

    More questions.

    People and organisations can already deal with the UK government on-line via the Government Gateway and have been able to for the best part of 15 years now, please see http://www.gateway.gov.uk/Help/Help.aspx?content=help_government_services_online.htm&languageid=0

    There is nothing new about on-line government transactions.

    Why are GDS ignoring the Gateway? If there are problems with it, why not fix them rather than throwing it away, destroying value and exposing themselves and us to the risks of a new system? How will IDA be better? Are the putative improvements worth the costs and the risks?

    ———-

    Click on the link above, and this is what you’ll see:

    [Edited for readability of this comment thread: Original comment cut and pasted an extensive list of services. They can be viewed in full via the link.]

  17. James Kemp says:

    David, Government Gateway is pretty fundamentally broken for many central government transactions. For a start it doesn’t really validate any identities, although it does require a postal address to use.

    Also one of the things that both coalition parties were elected on was the ending of the national identity register (NIR). Fixing the problems of Government Gateway would simply reinstate the NIR because the gateway is managed by central government.

    GDS have revolutionised government systems development and the way we’re doing new things now is less risky than it used to be. It’s also much faster and focused on user needs.

  18. David Moss says:

    James Kemp @ 4:57 pm January 18 2014, fascinating, thank you.

    It may be a little imprudent to describe the Government Gateway – or any other resource on which so many government departments rely – as “pretty fundamentally broken”. That’s a very serious allegation.

    You need a lot more than just a postal address to register for Gateway services. Depending on the service, a personal name, a company name, a National Insurance number, a tax reference, a company name, company number, an email address, a telephone number, …

    Once you are registered and start using the service, the public authority tends to pick up your bank account details and builds up years of your transaction history – purchases, sales, input and output VAT, gross salary, PAYE, employer and employee National Insurance, …

    You say “it doesn’t really validate any identities”. Far from it. In fact Jerry Fishenden, who designed the Gateway and got it working, objects that it collects too much information, not too little.

    Too much? Too little? One way and another, all that we members of the public can discern is that Whitehall don’t like the Gateway and want to replace it. And any reason will do. Despite the fact that it works.

    HMRC introduce iXBRL for every company in the land? The Gateway handles it. HMRC introduce RTI for every employee in the land? The Gateway handles it. Meanwhile, millions more people every year submit their tax return on-line. Via the Gateway. Not bad for a pretty fundamentally broken system.

    Is there any reason to believe that IDA will be able to equal that record, let alone exceed it? Suppose someone suggested that, four years after the idea was floated, IDA is still pretty fundamentally non-existent? What would be the response?

    The NIR proposed by the old Identity & Passport Service would have required everyone to attend a registration centre and to enrol using their biometrics. IPS had to give up. Mass consumer biometrics technology just isn’t good enough. All the time involved and all the money would have been wasted. But it would have been a serious attempt at registration.

    In IDA, 60 million of us are meant to be registered for £30 million. That’s the budget set by GDS. 50p each. Not a serious attempt at registration.

    If it worked, though, what would we end up with? An NIR in five parts, one for each IDP.

    I may be wrong but I still think we need a convincing answer to the question why IDA isn’t based on the Gateway, a known quantity which exists and manifestly works.

    And why we still know so little about how IDA is meant to work otherwise, despite GDS’s revolutionary focus on user needs, its much-vaunted openness and its less risky and faster software engineering methods.

  19. James Kemp says:

    I worked on the NIR in 2009-10 and it did actually work. The reason it was scrapped was politics rather than economics or technological difficulties. 15,000 people were issued identity cards by IPS. The same technology solution is in use today by 750 post offices to collect biometrics for UK Visas and DVLA.

    My comment on the gateway being broken is not that it doesn’t work for the services that do use it but that there are many more services that cannot use it because it doesn’t meet their requirements. Sure it collects lots of data but no-one is validating what the citizen is telling it. How exactly do HMRC know that the person filling in the self assessment form is actually who they claim they are?

    Validation of an identity is really hard. There is more to it than just collecting information about the identity. You also need to be able to reliably tie that identity to a single individual.

  20. Paul says:

    When passing judgement on the Government Gateway, it’s really important to remember that it’s actually a collection of technologies and functions. David is right in as far as it provides the pipework through which a large number of transactions flow every day. In my post about the Gateway on this site I draw this distinction in the initial “caveat” paragraph.

    The part of the Gateway service that handles the front end of a secure transactional relationship (the use of a username and password) is the bit that’s “broken”. [Broken is used here by James and indeed me in the modern technology vernacular: being systematically unfit for its purpose; not in the sense of being insecure or non-functional.]

    And it’s broken by design. Let me explain. Back in the mists of time (1998/99) I was the Programme Office Manager for the original build of “a Government Gateway”. That programme eventually foundered because mutually acceptable commercial/risk terms could not be agreed; and one of the reasons behind this was that the proposed approach was one of “Registration and Authentication”. You’d sign up to use a service -> TMO -> you’re now identified and trusted -> you use the service.

    This was hard. Very hard. Because the magic was hard to find. It would probably be dependent on some heavyweight central register against which claims could be checked, etc. etc. Anyway. It foundered. And so its urgent replacement was sought.

    Now, there are really only two games in town for the problem that was faced. The central registry approach, as with NIR (or the reuse of other mega-engines of citizenry such as those within DWP), or an approach where brokers act between identity providers and service providers, and ensure that identity can be verified in a more lightweight way, avoiding central registries.

    [Incidentally, Dave Birch has written a lovely piece about an identity broking proposition for Twitter, which I rather like, and which may help in grasping the concepts.]

    But back then the road to an identity broking ecosystem wasn’t nearly so well understood. So the current Gateway did something else; a sort of fudge that allowed it to be built, but which made it “broken” by design.

    It used an approach of “Registration and Enrolment” – spot the language change. You’d register for an unverified Gateway “identity” (and I use the term most loosely) which would effectively work like an insecure, unverified keyring. On that keyring you could then attach secure keys – by going to all the departments you needed to, and jumping through whatever hoop they wanted you to in order to enrol you securely. So provided you waited for your postal confirmation from HMRC, you could end up with your secure key to HMRC’s online systems. If you lost your Gateway name and password, you’d just have to start with a new one, and reattach your secure HMRC key. Not the friendliest user experience in the world…

    Of course we could have seen that trust relationship extended across other departments – with one department effectively acting as the IDP for others – but that would then have led back toward this “central register” problem, with all its political baggage. There was also the tiny issue of where in government such a central register should be owned – but that’s definitely a story for another day.

    So the Gateway just stopped at that point, functionally and developmentally: usable for services once you’d been enrolled, but strategically hopeless. Hopeless in the main because your actual Gateway “identity” (ouch) had nothing to do with the real you. It couldn’t be supported, therefore – you couldn’t contact the Gateway team in Warrington if you forgot your password and expect them to be able to do anything to help you. You were just a number (and they had no way to relate that number to a real person. By design). And you could, and probably did, have lots of Gateway accounts. Because without a master record, nobody would know if you’d signed up twice, by intent or error. (I have at least a dozen separate Gateway log-ins – but only one has my self-assessment enrolment attached.)

    In short – broken. Able to offer a semblance of a service, but a dead duck from the perspective of a supportable, user-focused service.
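The two designs Paul contrasts above (a central register that claims are checked against, versus a broker sitting between identity providers and service providers) and question 4 in the post (whether a broker ends up holding a central view of activity anyway) are easier to reason about with a small model in front of you. The following Python is an added illustration written for this thread; it is not code from the post, from the Gateway, or from GDS's hub design. Everything in it is constructed: the IDP, relying-party and subject names, the "LoA1..LoA3" level names, and the use of HMAC in place of the signatures a real federation would use. What it shows is the privacy mechanics of a broker: the IDP never learns which service the user went to, each service receives a different pairwise identifier for the same person so two services cannot join their records, an assertion at too low a level is refused rather than passed through, and the broker's audit log carries no subject. The flip side is visible in the same code: the hub holds the pairwise key, so it is the one place that could link everything, which is exactly the point the post asks about.

```python
"""Constructed model of hub-brokered identity assurance (illustration only, not GOV.UK Verify's design)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Ordering of assurance levels; the names are constructed for this model.
LOA_ORDER = {"LoA1": 1, "LoA2": 2, "LoA3": 3}


@dataclass(frozen=True)
class Assertion:
    idp: str
    subject: str   # the IDP's own identifier for the user; meaningless to anyone else
    loa: str
    mac: bytes     # HMAC over the fields under the IDP's key (a signature in a real deployment)


def _mac(key, idp, subject, loa):
    return hmac.new(key, f"{idp}|{subject}|{loa}".encode(), hashlib.sha256).digest()


class IdentityProvider:
    """Verifies the user once at registration, then issues assertions on request.

    The IDP only ever hands the assertion to the hub, so it does not learn
    which relying party the user is dealing with."""
    def __init__(self, name, key, users):
        self.name, self.key, self.users = name, key, users  # users: subject -> LoA achieved

    def assert_identity(self, subject):
        loa = self.users[subject]
        return Assertion(self.name, subject, loa, _mac(self.key, self.name, subject, loa))


@dataclass
class RelyingParty:
    name: str
    required_loa: str
    records: dict   # pairwise id -> list of (loa, transaction)

    def accept(self, pairwise_id, loa, transaction):
        self.records.setdefault(pairwise_id, []).append((loa, transaction))
        return pairwise_id


class Hub:
    """Broker between IDPs and relying parties.

    Each RP is given a different pairwise identifier for the same person, so
    RPs cannot join their records. The hub holds the pairwise key and is
    therefore the one party that COULD link them; its audit log deliberately
    stores no subject, which is the design question the post raises under (4)."""
    def __init__(self, idp_keys):
        self.idp_keys = idp_keys                 # idp name -> key the hub trusts
        self.pairwise_key = secrets.token_bytes(32)
        self.audit_log = []                      # (outcome, idp, rp, loa); never the subject

    def pairwise_id(self, idp, subject, rp_name):
        msg = f"{idp}|{subject}|{rp_name}".encode()
        return hmac.new(self.pairwise_key, msg, hashlib.sha256).hexdigest()[:32]

    def broker(self, assertion, rp, transaction):
        key = self.idp_keys.get(assertion.idp)
        expected = _mac(key, assertion.idp, assertion.subject, assertion.loa) if key else None
        if expected is None or not hmac.compare_digest(expected, assertion.mac):
            self.audit_log.append(("rejected", assertion.idp, rp.name, assertion.loa))
            return None
        if LOA_ORDER[assertion.loa] < LOA_ORDER[rp.required_loa]:
            # The identity is not strong enough for this service: step-up needed, nothing passed on.
            self.audit_log.append(("step-up-required", assertion.idp, rp.name, assertion.loa))
            return None
        self.audit_log.append(("accepted", assertion.idp, rp.name, assertion.loa))
        pid = self.pairwise_id(assertion.idp, assertion.subject, rp.name)
        return rp.accept(pid, assertion.loa, transaction)


def demo():
    """Constructed scenario: one user verified to LoA2, one IDP, three services with different needs."""
    idp_key = secrets.token_bytes(32)
    idp = IdentityProvider("ExampleIDP", idp_key, {"alice-7f3": "LoA2"})
    hub = Hub({"ExampleIDP": idp_key})
    lookup = RelyingParty("view-record", "LoA1", {})
    report = RelyingParty("report-change", "LoA2", {})
    payments = RelyingParty("claim-payment", "LoA3", {})

    a = idp.assert_identity("alice-7f3")
    pid_lookup = hub.broker(a, lookup, "viewed record")
    pid_again = hub.broker(a, lookup, "viewed record again")   # same RP: same pairwise id
    pid_report = hub.broker(a, report, "changed address")      # other RP: different pairwise id
    pid_pay = hub.broker(a, payments, "claim")                 # LoA2 < LoA3: refused
    forged = Assertion(a.idp, a.subject, "LoA3", a.mac)        # level edited, MAC now stale
    pid_forged = hub.broker(forged, payments, "claim")
    return {
        "pid_lookup": pid_lookup, "pid_again": pid_again, "pid_report": pid_report,
        "pid_pay": pid_pay, "pid_forged": pid_forged,
        "lookup_records": len(lookup.records[pid_lookup]),
        "outcomes": [entry[0] for entry in hub.audit_log],
        "audit_log": hub.audit_log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The keyring model Paul describes is the degenerate case of this: the Gateway account plays the hub's role without any IDP behind it, so there is nothing to assert and no level to check, only an enrolment hanging off an unverified handle.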

  21. David Moss says:

    James Kemp @ 1:45 pm January 19 2014, again, thank you, you are providing this thread with useful criteria by which to judge IDA if and when it ever emerges into the light:

    • Does it succeed where, according to you and our kind host @ 3:03 pm January 19 2014, the Government Gateway fails?
    • Does it avoid the resurrection of a National Identity Register?
    • And the political problems which beset the National Identity Scheme/Service?
    • Does it tie or bind people and organisations to a set of data?

    It’s a bit rich to say that the NIR didn’t suffer from technical problems. IPS told the House of Commons Science and Technology Committee that the NIS could only proceed if the failure rate on flat print fingerprint biometrics was under 1%. The Committee pointed out that the failure rate when this technology was tested in the UKPS Biometrics Enrolment trial was 20%. So the NIS shouldn’t proceed. No, no, said IPS, that wasn’t really a trial …

    Then CESG pointed out that DWP’s CIS wasn’t up to the standard required to form the basis of the NIR.

    Those are technical failures. As Harvey Mattinson said, the government’s claims for the NIS were “bunkum”.

    As for the 15,000 UK citizens enrolled, don’t forget that the Home Office paid Manchester Airport and City Airport half a million pounds to get their airside workers signed up. Add in the entire staff of the Home Office and their relatives, an exotic journalist in Manchester and the staff of PA Consulting and you’re practically there – 15,000 people or, to put it another way, 0.03% of the estimated 50 million ID cards required.

    The system is still in use, for some foreign residents, you remind us. (At 100 Post Offices, by the way, not 750.) That’s a disgrace. How many police stations, hospitals, universities, schools, GP surgeries, supermarkets, off licences … have the card-reading equipment needed to check these biometric residence permits? None, as far as anyone knows. It’s a charade.

    An expensive charade whereby the taxpayer is lavishly funding CSC and VF Holdings Worldwide’s stamp collecting habit – just the sort of waste GDS should be collecting and stamping out.

    Having got that off my chest, I shall now go and rake the leaves while preparing to examine Gordon Rae’s claim @ 5:14 pm January 17 2014 that the IDPs in IDA will be our “agents”. Like estate agents?

    It’s all shadow-boxing until David Rennie and Steve Wreyford give us some meat to get our teeth into.

  22. James Kemp says:

    I never said that there weren’t technical problems with the NIR, I said that it wasn’t abandoned because of technical problems and that it worked when it was deployed. All systems have problems, even the good ones. The NIR operated for less than six months before the election, the policy was controversial and the ballot showed that fewer people wanted it than didn’t. So it quite rightly got canned. That’s how democracy works.

    I stand corrected on the number of post offices used for biometric residence permits, 750 is the number used by DVLA for driving licences. I’d be surprised if anyone outside law enforcement could read the chip on a BRP. While the readers are commercially available why would anyone need to be able to read one? BRPs are routinely checked at the border (along with fingerprints for people with visas who aren’t residents).

    Anyway BRPs are a different solution to a different problem than IDA.

  23. Andrew Watson says:

    James Kemp said (January 19, 2014 at 11:17 pm):

    “I never said that there weren’t technical problems with the NIR, I said that it wasn’t abandoned because of technical problems and that it worked when it was deployed.”

    The NIR/NIS was clearly never designed with remote (online or ‘phone) identity assurance in mind, so it isn’t relevant to this conversation.

    The early NIS use-cases published by the Home Office all revolved around face-to-face identity assurance (“collecting a parcel”, “transferring money at the bank”). By the end, even these had been wiped from the Home Office web site, as it became clear that the scheme had little to do with identity assurance and was simply about building a “new clean database” of the populace for bureaucratic convenience.

    If anyone’s interested, here’s the contemporary analysis I did for the (now defunct) Silicon.com online journal in 2010, calling for the NIS to be scrapped because it was actually an obstacle to achieving online identity assurance:

    http://homepage.ntlworld.com/ajwatson/articles/Silicon_online_verification_paper4.pdf

    So – forget the NIS. It was never going to help with IDA. We’re well rid of it.

    Back on the subject of Paul’s original post – I’d have thought (hoped) that the IDA team would have done some use-case analysis when gathering requirements for the system. Why not just publish those?

    http://en.wikipedia.org/wiki/Use_case

  24. David Moss says:

    It is a joy to read Paul Clarke’s 28 February 2011 How the Government Gateway works.

    … let’s look at what’s really bad about [the Government Gateway] … :

    1. Unsupportable. You can’t find your Gateway ID or password: what do you do? No point approaching the Government Gateway team—they don’t know who you are …

    That is also what’s really good about the Gateway. It’s heart-warming – “they [the Gateway team] don’t know who you are”. The Gateway – assuming that it works as described and that there’s no-one collating/indexing the data behind Paul’s back – can’t become a National Identity Register (NIR). It satisfies one of James Kemp’s important criteria for evaluating IDA.

    To a suspicious mind, the desire to replace the Gateway is the desire to introduce an NIR and should be resisted.

    ———-

    First we get a paragraph beginning “The great genius of the Gateway R&E [register and enrol, as opposed to register and authenticate] design is that”, then we get one beginning “The great folly of R&E is that”. This isn’t a slip, it’s not an unintentional self-contradiction, it’s an accurate and useful depiction of the Gateway.

    Similarly, we read “The Gateway adds no value” and “The Gateway is routinely ignored at the front end because it adds no value” followed by “I will concede that for business-facing transactions … Gateway R&E probably does add some value”.

    Don’t let’s forget that genius is not always a virtue. It can be terrifying and evil. And folly? Not a vice, sometimes lovable and, anyway, time passes and what was once deemed folly can later come to be seen as admirably sensible.

    The Gateway lets people register without creating a register. Genius.

    Many government services have failed to take advantage of the Gateway, Paul Clarke tells us. Foolish them.

    “It’s not Your Account for Government. It never can be. It’s designed not to be”. Good. That’s one bit of value we don’t want added. As Paul Clarke says in the post above:

    And if more and more services can be accessed using the same online identity, doesn’t that create the “all eggs in one basket” problem, as well as creating a virtual single “person” that government’s dealing with – reviving lots of the problems that IDA is designed to avoid?

    If you are invited to dinner with anyone tempting you with the convenience of one single user ID/password to access all government services, take a long spoon.

    The inconvenience of multiple credentials is part of the security of any identity management scheme. You can’t have one without the other. Embrace the inconvenience. Inconvenience is your friend.

    There is no good reason why, if the Gateway can add value for businesses, it can’t add it for individuals. Who registers and enrols for a business service? Answer, an individual. The Company Secretary or whoever.

    Those public services that put individuals off need the attentions of GDS’s interior design specialists. That’s all.

    We have some new criteria to consider adding to James Kemp’s list:

    • It should not be sensible for a fair-minded person to say that IDA adds no value
    • IDA must add the authentication that the Gateway omits, it must go beyond enrolment

    And if IDA can’t measure up against James Kemp’s criteria, then it mustn’t be deployed.

  25. David Moss says:

    We know a few things about the Government Gateway. Is the new “ID hub” proposed for IDA any better? We don’t know. Because we know very little about the hub.

    There is Toby Stevens’s 27 March 2013 article Real Time Identity? which includes this:

    In the IDA model, the government provides a number of ‘federation hubs’, which provide the data-matching, anonymisation and audit services to support interaction between a market of identity providers (IDPs) and the government departments that will consume identity information.

    He’s reporting on the hub(s), he didn’t design it/them and what he’s describing looks impossible. If we users and/or the IDPs and/or the government departments are anonymous, how can transactions be audited? If transactions can be audited, how can any of us be anonymous?

    You get something of the same problem in David Rennie’s talk to IDESG mentioned above @ 1:01 pm January 17, 2014. Between 41’45” and 45’00”, we learn that the IDPs won’t know which government department is asking for assurance and the government departments won’t know which IDP has provided it. Try auditing that.

    In the old days when IDA was part of the G-Digital Programme the hub was described as “stateless”. No memory, no nothing. It’s even sparser than the Gateway.

    How does it add any value? What’s it got that the Gateway doesn’t have?

    Let’s try Steve Wreyford’s 30 October 2013 A hub is born:

    The hub will manage communications between users, identity providers and government service providers. It will allow users to select and register with an identity provider, and then use their assured identity to access digital services.

    There’s the answer. So-called “identity providers” (IDPs). A new concept, not supported by the venerable old Gateway.

    And what do IDPs do? They register people, more or less reliably, i.e. with higher or lower Levels of Assurance (LoAs), and store their details so that they can later give government departments assurance that you are who you say you are.

    That’s what’s new. That’s what IDA’s hub adds. A National Identity Register (NIR), distributed between any number of IDPs, stored in any number of physical databases that could be managed as a single logical database.

  26. David Moss says:

    Let’s move on to discussing the first of Paul Clarke’s questions above, question #2.

    Suppose for the sake of argument that David Moss has applied for and obtained Jobseekers Allowance.

    He did so using DirectGov.

    DirectGov isn’t meant to exist any more. Together with Business Link, it’s meant to have been replaced by GOV.UK. That’s what it says on the GOV.UK home page.

    Well it does still exist. Click on the link and take a look. It’s still there. So’s Business Link. Every time I see that home page, another bit of trust is gnawed away.

    But that’s not the problem now. Today’s problem is that David Moss isn’t entitled to Jobseekers Allowance and after fraudulently collecting £10,000 he is denounced by someone and dealt with harshly by the authorities.

    Following which, an investigatory team goes into DWP and asks them why they paid £10,000 to someone not entitled to it. “We were told he was entitled to it”, say DWP. And when the team ask who told them, DWP say “No idea. The ID hub doesn’t reveal who the IDP is”.

    So the team ring David Moss in the road sign-making shop at Wormwood Scrubs and ask him which IDP he used. Then they ask Mydex (an IDP) why they told DWP that David Moss was entitled to Jobseekers Allowance and they say they have no record of ever having communicated with DWP – “the ID hub doesn’t reveal who the relying party is”.

    The investigatory team have one final question – they want to see the IDP’s records on David Moss. “No can do”, say Mydex, “all records are held in hyper secure personal data stores and we don’t hold the individuals’ keys. They do. That way, they have control over their data”. Needless to say, when David Moss is asked for the key, he’s forgotten it.

    Paul Clarke’s question is:

    Will heads of service still take responsibility if things go wrong in the checking process, or if they find they’re transacting with fraudulent or misidentified accounts?

    Not one, but two recent books make it quite clear that no-one in Whitehall ever has taken responsibility if things “go wrong”. It’s a myth to believe that they have. Whitehall is a responsibility-free zone.

    That’s an argument for another day and, anyway, I like myths – let’s stick with Paul Clarke’s question as drafted.

    The thing is that if the ID hub behaves in the way that David Rennie says it does (41’45”-45’00”), then no-one in Whitehall or among their contractors could take responsibility even if they wanted to.

    There is a slim chance of pinning responsibility on a Whitehall department if they’re using the Government Gateway because they did the enrolling. With IDA, there is no chance. Not if the departments “hand off the responsibility for identity confirmation” to the IDPs and not if what we have been told about the hub is accurate – it sounds as if it is “broken by design”.

    Let’s hope that we’ve been misinformed and that the design isn’t that bad. And if it is, then let’s hope that the departments continue to do their own enrolling.

  27. […] range of topics we’re planning to post about, and we’re keen to answer questions like the ones Paul Clarke posed in his recent post. If you have any issues you want us to cover please let us […]


  29. Paul C says:

    @David Moss

    From my understanding of how the IDA programme will work, your example doesn’t make sense. All the IDP will do is confirm that the person who submitted the request to the Government department is who they claim to be (to the standard of proof set out by their LoA). It will still be for the Gov department to determine whether that person is eligible for that service, and so in your example, it would still be the DWP’s fault for giving benefits to someone who was not entitled to them (or Mr. Moss’s fault for providing fraudulent information about his circumstances to DWP). There would be no need to refer this through to the IDP unless it was proven that Mr. Moss was entitled, but that the person claiming to be him was actually Mr. Smith.

  30. David Moss says:

    Paul Clarke @ 4:13 pm February 26, 2014

    You’re quite right.

    To correct my example, let’s say that Mr Smith is entitled to Jobseekers Allowance and Mr Moss isn’t, Mr Moss applies for Jobseekers Allowance in Mr Smith’s name and ends up in the Scrubs when he’s found out £10,000 later.

    DWP are paying Jobseekers Allowance to Mr Smith as far as they know and Mr Smith is entitled to it. So they are doing nothing wrong. They are relying on the fact that they are dealing with Mr Smith because one or more IDPs have assured them that they are.

    If DWP can’t rely on the IDPs’ assurance, there’s no point having IDPs. I agree with you. The RPs shouldn’t have to duplicate the identity assurance work done by the IDPs.

    That’s your question #2 done.

    I took my eye off the ball there. Badly. But my point about the hub still stands.

    If the hub offers the anonymity that David Rennie promised in his IDESG talk – the IDPs don’t know which RP is asking and the RPs don’t know which IDP is answering – then transactions can’t be audited. Unauditable transactions are anathema. The anonymity is going to have to go. At which point, we’re back to the Gateway.

    Could Mr Moss pull off this fraud? I couldn’t. It involves somehow managing to get his hands on real money paid into what DWP take to be Mr Smith’s bank account. How do you do that? I don’t know. It seems to me to be hard enough to get a bank account opened legitimately. But someone must believe that it can be done, otherwise IDA wouldn’t need IDPs. There’s a thought …

    What are these IDPs doing?

    That takes us back to your question #1. Which we can’t answer.

    The public still haven’t been told how the IDPs will actually work. There’s a small class of people currently putting IDA through its paces on HMRC’s PAYE On-line and DVLA’s driver’s record, but that beta, as Steve Wreyford tells us, is closed.

    Which leaves us with just the Good Practice Guides (GPGs) to go on, as you pointed out.

    Registration – GPG45 outlines the work needed to “proof and verify” the identity of an individual. It’s hard work.

    Certification and revocation – GPG44 outlines all the hard work involved in issuing credentials and maintaining them thereafter.

    NB: David Rennie in his IDESG talk said that the IDPs will issue each of their parishioners with a new credential.

    In his speech to the CfA Summit 2013, the senior responsible owner of IDA suggested that the IDPs need to be ready for 45 million users. Suppose for the sake of argument that there are five IDPs and that – worst case – everyone wants a credential from each IDP. That’s 225 million registrations to carry out and 225 million credentials to issue and to maintain thereafter.

    GDS’s IDP budget is £30 million. That allows 13p for each registration and leaves 0.3p for maintenance of the credentials. It doesn’t work, does it.

    How can DWP feel assured that Mr Smith is Mr Smith when they know that the IDP vouching for him spent all of 13p checking? And when the unfortunate Mr Smith rings up to get a new credential issued to him, his IDP won’t be able to afford to answer the phone for 0.3p, let alone put his old credential on the revocation list.

    The budget doesn’t allow the IDPs to do the registration, certification and revocation work described by the GPGs. Either the budget has to be increased. Monumentally. Or the IDPs have to do a very different job.

    NB: we know from Janet Hughes’s blog post that GDS will be the only people paying the IDPs for their IDA work, “there’s no charge to the user”, vide your question #3.

    The CEO of Mydex – one of the IDPs – gave a talk describing his idea of what that job could be.

    Let HM Passport Office carry on doing the hard work of registering people, issuing them with passports/credentials, renewing those credentials every 10 years and revoking some of them. Ditto DVLA and its driving licences, banks and bank accounts, examination boards and degree certificates, etc …

    What Mydex will do is store all those credentials in a personal data store, one for each parishioner and then, whatever transaction the parishioner wants to undertake, he or she can just go through Mydex to complete it.

    That looks a mite too centralised to me, one point on which we would each become utterly dependent for every transaction. It creates a central power source. Why do we need IDPs … not for that.

    NB: Mydex gave evidence to the House of Commons Science and Technology Committee (para.6) and confirmed that they would not pay compensation to credential-holders if something goes wrong, e.g. Mr Moss defrauds Mr Smith of £10,000. Obviously they can’t afford to, with only 13.3p to play with per credential-holder. But even if the budget is increased, that lack of responsibility looks like the start of moral hazard, see your question #3, another defective bit of the IDP model.

    Somewhere behind closed doors at the moment, a few people are testing a system – IDA – with a defective ID hub and a defective IDP model. Why?
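As an added illustration (editor’s example, not code from the page, from GDS or from any IDP) of the hub design quoted from Toby Stevens above (“data-matching, anonymisation and audit services”) and of the investigation scenario in the comments: the hub can keep IDP and RP mutually anonymous and still make each transaction auditable, provided the hub itself records who vouched to whom. The IDP receives a request that carries no RP identifier; the RP receives a pairwise pseudonym derived with a hub-held key (so the same person looks different to DWP and to HMRC, and no IDP user identifier is exposed); the hub keeps a per-transaction audit record that an investigator holding the RP’s transaction id can resolve. The message shapes, the HMAC-based pseudonym derivation and the in-memory audit log are assumptions for illustration, not a description of the real hub.

```python
"""Toy federation hub: IDP/RP mutual anonymity plus a hub-side audit trail.

Constructed example; the hub design, message fields and key derivation are
assumptions for illustration, not GDS's implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuditRecord:
    """What the hub (and only the hub) retains about one assurance transaction."""
    txn_id: str
    rp_id: str
    idp_id: str
    pseudonym: str
    loa: int


@dataclass
class Hub:
    # Hub-held secret: pairwise pseudonyms cannot be reproduced without it,
    # so neither an IDP nor an RP can link a user across relying parties.
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)    # txn_id -> (rp_id, required_loa)
    audit_log: dict = field(default_factory=dict)  # txn_id -> AuditRecord

    def request_from_rp(self, rp_id: str, required_loa: int) -> dict:
        """RP asks for assurance; the hub forwards a request that omits the RP's identity."""
        txn_id = secrets.token_hex(8)
        self.pending[txn_id] = (rp_id, required_loa)
        return {"txn_id": txn_id, "required_loa": required_loa}  # what the IDP sees

    def response_from_idp(self, txn_id: str, idp_id: str, idp_user_id: str, loa: int) -> dict:
        """IDP answers; the hub pseudonymises the user and omits the IDP's identity."""
        rp_id, required_loa = self.pending.pop(txn_id)
        if loa < required_loa:
            raise ValueError(f"IDP asserted LoA {loa}, RP requires LoA {required_loa}")
        pseudonym = self.pairwise_pseudonym(idp_id, idp_user_id, rp_id)
        self.audit_log[txn_id] = AuditRecord(txn_id, rp_id, idp_id, pseudonym, loa)
        return {"txn_id": txn_id, "pseudonym": pseudonym, "loa": loa}  # what the RP sees

    def pairwise_pseudonym(self, idp_id: str, idp_user_id: str, rp_id: str) -> str:
        """Keyed, RP-specific pseudonym: stable per RP, unlinkable across RPs."""
        msg = f"{idp_id}|{idp_user_id}|{rp_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def resolve(self, txn_id: str) -> AuditRecord:
        """Auditor with access to the hub's log: which IDP vouched to which RP, at what LoA."""
        return self.audit_log[txn_id]


def run_flow(hub: Hub, rp_id: str, idp_id: str, idp_user_id: str, loa: int = 2):
    """One complete assurance transaction; returns (message to IDP, message to RP)."""
    to_idp = hub.request_from_rp(rp_id, required_loa=2)
    to_rp = hub.response_from_idp(to_idp["txn_id"], idp_id, idp_user_id, loa)
    return to_idp, to_rp


def investigate(hub: Hub, txn_id: str) -> dict:
    """Constructed scenario: an investigator holding the RP's transaction id asks the hub."""
    rec = hub.resolve(txn_id)
    return {"vouching_idp": rec.idp_id, "relying_party": rec.rp_id, "loa": rec.loa}


if __name__ == "__main__":
    hub = Hub()
    to_idp, to_rp = run_flow(hub, "DWP", "idp-a", "user-42")
    print("IDP sees:", to_idp)  # no rp_id
    print("RP sees:", to_rp)    # no idp_id, no idp_user_id
    print("Audit:", investigate(hub, to_rp["txn_id"]))
```

The point of the example is the division of knowledge: the IDP never learns which department asked, the RP never learns which IDP answered or the IDP’s own identifier for the user, yet the hub’s audit record ties the transaction id the RP holds back to the vouching IDP and the asserted LoA. Whether a real hub keeps such a record, and who may read it, is exactly the kind of detail the comments above ask to have published.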

  31. Paul C says:

    @David Moss,

    Just for clarity, I’m not Paul Clarke, author of this blog and poser of most of the above questions you have answered. I can see how that assumption was made, but feel I should clear it up.

    NB. I promise I was not intending to pose as Mr. Clarke!! I do have a surname beginning with C but try to avoid giving it online where possible…

  32. Paul says:

    Yes, I was temporarily confused there myself. Identity is a very malleable thing, clearly. (Actual Paul Clarke)

  33. David Moss says:

    Where’s all this going?, you ask.

    Estonia.
