Tuesday, 14 January 2014

RIP IDA – Warwickshire County Council

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

----------

"Happy new you", says Steve Wreyford.

He's the Government Digital Service man (GDS), you'll remember, the sexton, digging the grave for IDA, GDS's identity assurance programme.

"Identity Assurance gets closer to market", he told us over 18 months ago, on 25 May 2012. Four days later we learned from him that "Identity Assurance goes to Washington", which is all very well, but was IDA coming to the UK?

The answer wasn't clear but, next best thing, OIX – "Cabinet Office joins the Open Identity Exchange". That was 14 June 2012. Then there were months of silence before Mr Wreyford claimed that IDA was "Less About Identity, More About Trust" (4 October 2012). Our privacy would be respected by IDA and we would be in control of our data. How? No answer.

Roll forward to 14 November 2012. "Identity assurance – Stepping Up A Gear". And about time too. After all, at this stage, the promise was that IDA would be ready for 21 million benefit claimants by March 2013. Anyway, at least Mr Wreyford now had seven "identity providers" (IDPs), with the promise of an eighth one coming soon. And indeed, only two months later, on 17 January 2013, PayPal joined the IDP fold, "To Identity and Beyond".

But what's this we read? "Of course, this is just the beginning of the process. The real work of realising our ambitions for identity assurance services can now begin." Were the 21 million benefit claimants going to get IDA by March?

No.

Instead, GDS went off to South Yorkshire "to test the theory that if you make it easy for people to establish their identity when accessing digital public services, people will choose to access them digitally rather than pick up the phone or go to a branch", please see "Identity Alphas", 12 March 2013.

Three people are believed to have taken part in that test, although the figure was later revised upwards to 15. But not to 21 million.

Sextons need a sense of humour and on 15 April 2013 Mr Wreyford wrote "Delivering Identity Assurance: You must be certified", in which he answered the question how do we members of the public know if we can trust a digital service. Answer, the supplier will be certified by tScheme, an organisation that claims to have worked out how to measure trust. But how do you know if you can trust tScheme?

Further, as one fusspot commenting on Mr Wreyford's post said: "Possibly a silly question – and I may not be reading the article correctly – but shouldn't the [identity] providers be certified *before* being appointed?".

Public performers know how to handle this sort of contumely. Quick as a flash, Mr Wreyford organised the "Digital Identity Summit", 15 October 2013, where GDS were joined by "Australia, Canada, Denmark, Japan, New Zealand and Sweden (sadly the United States were unable to join us due to the shutdown)".

Which may be why there was no time to conduct the HMRC PAYE on-line trial which had been promised for October 2013.

Luckily, while he was busy with the summit, CESG helped by producing "Good Practice Guide 46", 18 October 2013, which good practice may or may not have been implemented in the ID hub which appeared from nowhere on 30 October 2013, "A hub is born", which, in turn, brings us, finally, to "Happy new you", where we started: "Before the end of this year [2014] you’ll be able to use our service to prove that you are who you say you are online. A whole new you, if you like".

We've heard that before, of course. IDA was meant to be live in 2013. And in 2012. Will 2014 be any better? Is there a whole new Steve Wreyford, perhaps? A whole new sexton?

It's wrong to concentrate on Steve Wreyford. He's just the sexton. The senior responsible owner of the graveyard is ex-Guardian man Mike Bracken CBE.

He's the one who said all those years ago on 1 March 2012 that: "GDS has been working closely with DWP to revise the OJEU and agree it with other Departments. In the first instance, IDA digital services will be used to support Universal Credit and the Personal Independence Payment, which from 2013 will replace DWP’s current benefit system". That was in "Identity: One small step for all of Government". In the event, DWP missed their deadline. So did GDS.

And he's the one who, on 16 October 2013, gave the Code for America Summit 2013 the impression that IDA already provides proof of identity to 45 million users.

Is there any reason to believe that 2014 will be the year?

We don't know what happened in the South Yorkshire trial. That can't give us any hope. We know that relations with DWP are rocky. Also with the Electoral Commission. We know that the HMRC trial planned for October 2013 didn't take place. And we know that CloudStore keeps falling over ever since GDS took charge of it – we can't have the ID hub falling over, life would stop.

There is one other potential source of hope.

Warwickshire.

Interoperability between central and local government identity assurance schemes

The project highlighted the issue of accurate data matching, specifically the matching of names and addresses originating from different sources. (p.9)

The complexity of data matching may present a significant barrier to implementation by Service Providers. (p.10)

The project has highlighted shortcomings in the user journey arising from the technical implementation of the IDA Scheme. (p.10)

...  considerably more thought needs to be applied in this area [stepping up from LoA1 to LoA2] if it is to become a viable proposition going forward. (p.10)

... at the time of this project, the functionality required to deliver user data directly within the IDA Scheme [to create a new account] had yet to be developed ... The consequence is that the user is faced with a convoluted process when using the IDA Scheme for the first time. (p.11)

User experience testing was performed in a laboratory environment and involved 5 [sic] users on a one-to-one basis with an experienced research facilitator provided by GDS. Each user had extensive experience of online services including internet banking, government services and social media such as Facebook and Twitter ... The feedback from the small sample of users was generally fairly consistent. (p.12)

Most users would be very reluctant to use their social media accounts with a government site, the prevailing view being that their social life is distinctly separate to doing “business” with government. The issue of privacy and the feeling that government would be able to “see my social life”, or that government transactions would appear in their social media profiles, was of concern. (p.12)

The Hub ... users often struggled as they sought to understand how this method of signing in to government services worked. The Hub service provided the user with a link to a video clip that described the scheme and its purpose ... (pp.12-3)

Users were not clear why private sector companies were being used to carry out identity assurance on behalf of government. (p.13)

Some aspects of the registration processes proved annoying to the users ... (p.13)
Warwickshire County Council conducted a trial of IDA – a very limited, primitive trial:

  • They worked with GDS and three of GDS's IDPs – Mydex, PayPal and Verizon (p.7). We don't know when this trial took place. It must have been some time before 3 September 2013 when we learned that PayPal are no longer in the IDA "framework", they've pulled out. One other thing we know is that none of these three is certified by tScheme – as Steve Wreyford has warned us, they are therefore not to be trusted.
  • P.5 of OIX's report on the trial says: "The IDA Scheme will eventually support the four recognized levels of identity assurance (as set out in GPG45). In most cases in local government, online services will require a Level of Assurance 1 or 2 (LoA1, LoA2). ... LoA2 is significant in that it is a level of assurance that would be expected to stand up in a Civil Court of Law in England and Wales, but not in a Criminal Court". That's all they tested. This trial can tell us nothing about IDA being proof against fraud, a criminal offence, obviously.
  • There is some mention of privacy (p.6) but the extent to which users can be confident that they are in control of their own data was not tested. In the absence of any such test users would be well advised to assume that they can have no confidence on that score.
  • "The principle [sic] areas of investigation were ... Users’ acceptance of social media IDs as a means of obtaining personal information for transactions requiring low levels of trust" (p.8). As anyone could have predicted, the sensible people of Warwickshire weren't having any of that nonsense.
  • The idea was to see what happens if users try to use IDA to avail themselves of services provided by (a) Warwickshire County Council and (b) DVLA, the Driver and Vehicle Licensing Agency. But not the real Warwickshire County Council and not the real DVLA: "The project utilised two Service Providers. The first was a mocked-up central government agency, the Driver and Vehicle Licensing Agency (DVLA) and the second a mocked-up WCC site". Again, the results of the trial must be of limited value.
And what were those results?

They are shown in the sidebar alongside. And they are not flattering to IDA.

The Cabinet Office has had since at least 20 September 2010 to work on IDA. Over three years. And there's clearly a long way to go still, before they have a product.

Not a shining example of agile software engineering.

Nor of the "simpler, clearer, faster" motto of GOV.UK – not if users have to stop and watch a video before they can use the ID hub. "The feedback from the small sample of users was generally fairly consistent", we learn. Consistently what? Hostile? Baffled? Incredulous?

Would the Major Projects Authority give IDA an amber/red rating? Or would they go straight to red?

What is it with GDS and data-matching? Why can't they do it? That was one of the problems they had working with the Electoral Commission.

Warwickshire County Council were hoping that IDA would help them to save money, in view of the cuts being made to local government budgets. In the event, they can have no idea how much IDA would cost to operate. For all they know after this trial, it might be cheaper for DWP staff, for example, to visit people at home.

"Cuts in numbers and pay restraints have combined with mounting evidence of unfitness, for example in commissioning and contracting, together with the profound unwillingness of serving civil servants to think outside the Whitehall box – which increasingly resembles a coffin". That was David Walker writing in the Guardian yesterday.

Coffin?

We've got just the man.


No comments:

Post a Comment