Monday, 14 December 2015

RIP IDA – some "identity providers" are less trustworthy than others

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.


GOV.UK Verify (RIP)

"Identity provider"   GPG45 service                           Applied for                               Granted ("no. of profiles")
Barclays              Identity Assurance and Provisioning     28 September 2015
digidentity           Identity Provider Service for Verify                                              30 April 2015 (4)
Experian              IDaaS                                                                             21 October 2014 (4)
GBGroup               ID3global                                                                         12 February 2015 (2)
Morpho                secureidentity                          19 November 2015
PayPal
Post Office           IDA                                     24 February 2014, lapsed February 2015
Royal Mail
Verizon               UIS                                                                               11 February 2015 (5)

Not an "identity provider" mentioned by GDS
Equifax               Identity Verifier for IdP                                                         10 December 2014 (2)

The Government Digital Service (GDS) want to build trust in their GOV.UK Verify (RIP) identity assurance scheme by being open, "the sunlight of transparency is making things better".

They have appointed nine so-called "identity providers". How do you know you can trust the "identity providers"? Answer, GDS have a number of good practice guides (GPGs) including GPG45 for identity proofing and verification and they have "joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides".

Of GDS's nine "identity providers", only four have been granted approval by tScheme. Does it follow that you can't trust the other five "identity providers" (Barclays, Morpho, PayPal, the Post Office and Royal Mail)? No idea.

Why have PayPal and Royal Mail not even applied to tScheme for approval? No idea.

How long will it take for tScheme to assess the Barclays and Morpho services? No idea.

Did the Post Office fail its tScheme assessment? No idea.

tScheme approval is not homogeneous. Verizon, for example, is approved in five categories, or "profiles" as tScheme call them – base, identity registration, credential validation, identity provider and credential management. GBGroup is only approved in the first two categories, base and identity registration. Is GBGroup less trustworthy than Verizon? No idea.

Different "identity providers" are having to jump through different hoops. Is that any way to operate a market? No idea.

The "identity providers" register you and provide you with an identity by cross-checking your details with the Home Office, the Driver and Vehicle Licensing Agency (DVLA) and the credit referencing agencies. In many cases the level of assurance that you are who you say you are is too low according to OIX, the Open Identity Exchange, GDS's business partner in GOV.UK Verify (RIP).

They want to add other sources to cross-check against and thus to increase the level of assurance. They want the "identity providers" to be able to cross-check with your bank. They may want to add checks against your health records, your education records and your travel records. Would that bring the level of assurance up to an acceptable level? No idea.

The information about you held by the Home Office, DVLA and the others was not collected so that digidentity, Morpho and the others could verify your identity and these "identity providers" can't know, when you first seek to register on-line, that that is you giving permission for them to conduct their checks. Is this identity proofing and verification legal? No idea.

Some people have found GOV.UK Verify (RIP) so hard to use that they give up the on-line attempt to access the public service they need:
  • Farmers, for example, trying to apply for the Basic Payment Scheme.
  • Married couples trying to transfer their marriage allowance – HMRC have been reduced to pointing out that they are not responsible for GOV.UK Verify (RIP), it's GDS's service, not theirs.
  • The NHS have rejected GOV.UK Verify (RIP) and suggest that they themselves, the NHS, would be better at verifying people's identity.
Will other so-called "relying parties" be more prepared to rely on GOV.UK Verify (RIP) than DEFRA, HMRC and the NHS? No idea.

GDS's solution is to create so-called "basic identity accounts". These are accounts maintained by GOV.UK Verify (RIP) that haven't been verified. What is the point of unverified Verify accounts? No idea.

How many people know that the maximum GDS will pay the "identity providers" for four years of their work is £150 million? No idea.

60 million people have to be registered. That's £2.50 each. If we each register with all nine "identity providers", they will get 27.7 pence each. That has to cover initial registration, re-registration every now and again and perhaps 40 transactions if we transact with government 10 times a year:
  • Is that enough to do the job properly? No idea.
  • Is there anything left for profit? No idea.
GDS have been touting GOV.UK Verify (RIP) to the private sector. Will the private sector rely on it for their commercial plans? No idea.

Today GDS published The basis of trust for EU identity assurance. Will our EU partners rely on 27.7 penceworth of GOV.UK Verify (RIP)? No idea.

Will UK companies, partnerships and trusts rely on GOV.UK Verify (RIP)? Currently there is no provision for companies etc .... to be provided with an on-line identity, only individuals, "natural persons" as we're called, as opposed to "legal persons" like companies. Will GOV.UK Verify (RIP) ever be able to provide an identity to a legal person? No idea.

We already have an identity assurance platform which has been used and trusted by natural and legal persons in the UK for over 15 years – the Government Gateway:
  • Why didn't GDS enhance the Gateway? No idea.
  • Why ignore that asset and destroy its value by trying instead to cook up GOV.UK Verify (RIP)? No idea.
Is GOV.UK Verify (RIP) secure? No idea.

Is there any audit trail in GOV.UK Verify (RIP)? No idea.

GDS's unique selling point for GOV.UK Verify (RIP) is that our privacy is respected by there being no central register of information about us – "there is no central storage of information". Any attempt to create such a register would undermine their claim:
  • Are OIX recommending precisely that, collecting all our GOV.UK Verify (RIP) transaction data together, when they propose that we should have signal-sharing? No idea.
  • The four registers maintained by the four current "identity providers" all come together in GDS's identity hub. Is that four physical registers or one single logical register? No idea.
Despite GDS's attempt to build trust by being open the answer to the questions above is, too often, "no idea".

Do you trust GOV.UK Verify (RIP) to provide you with an identity? Which "identity provider(s)" would you choose? Why? You'd better have an answer soon. It's your identity on the line. "No idea" isn't good enough – GOV.UK Verify (RIP) is due to go live in four months time, April 2016.

----------

Updated 15.12.15

According to the WorldNews Network (WN):
Morpho launches SecureIdentity: a new digital identity platform for British citizens (Safran Morpho SA)
The world knows that Morpho has launched SecureIdentity and that SecureIdentity is a new identity assurance platform destined for the Brits. But the Brits don't know ...

... unless they happen to have read today's press release from Safran Morpho:
Morpho launches SecureIdentity: a new digital identity platform for GOV.UK online services

Wokingham, UK - December 15, 2015 - Morpho (Safran), world leader in identity and security solutions, today announced the launch of SecureIdentity, a new digital identity service for British citizens and residents. Morpho is one of the new providers to support the expansion of online services offered through the UK government’s new GOV.UK Verify [RIP] program.
Even then we Brits won't have a clue how SecureIdentity works because even if we read all the promotional literature it doesn't tell us how it works.

That's a damp squib of a launch, isn't it.

Morpho have jumped the gun. Shouldn't the Government Digital Service (GDS) have been given the chance to tell us about SecureIdentity first?

And shouldn't Morpho have waited to see if tScheme assess their SecureIdentity service to be trustworthy before claiming to have launched it as part of GOV.UK Verify (RIP)?

It's going to be a bit embarrassing, a bit œuf on the visage, if tScheme say non. Take a look at the Privacy and Consumer Advisory Group's principle #7, "I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements". SecureIdentity isn't certified. Not yet. You can't have confidence in it:
Identity Assurance Principle – Summary of the control afforded to an individual
  1. User Control – I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
  2. Transparency – Identity assurance can only take place in ways I understand and when I am fully informed
  3. Multiplicity – I can use and choose as many different identifiers or identity providers as I want to
  4. Data Minimisation – My interactions only use the minimum data necessary to meet my needs
  5. Data Quality – I choose when to update my records
  6. Service User Access and Portability – I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
  7. Certification – I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
  8. Dispute Resolution – If I have a dispute, I can go to an independent Third Party for a resolution
  9. Exceptional Circumstances – I know that any exception has to be approved by Parliament and is subject to independent scrutiny
GDS are committed to abiding by these principles. They want to "embed privacy into the service". They've got a lot of trouble doing so, it's difficult, but surely #7 is the easiest one for GDS to abide by.

It will be embarrassing enough if tScheme fail SecureIdentity. That is not inconceivable. It seems they may have failed the Post Office's IDA service, please see above.

But that may be better than letting SecureIdentity loose on 60 million unsuspecting Brits. Two months ago GDS told us how they are Making GOV.UK Verify [RIP] available to more people:
You can take a photo of yourself instead of answering questions based on credit history
... Now, GOV.UK Verify [RIP] also works for people who don’t want or aren’t able to answer questions about their loans, credit cards or mortgages, or who don’t have enough financial products on their credit file to serve as a basis for security questions.

If you have a smartphone or tablet and a UK passport, you can now - with 2 of the companies [i.e. two of the "identity providers"] - verify your identity without answering questions about your credit history. Instead, you can use an app to scan your identity document and take a photograph of yourself, so the images can be compared.
This face recognition lark is Morpho's schtick. Revealing to 60 million people how utterly unreliable it is, now that would really be embarrassing. Embarrassing for GDS. Remember McCormick.

What was it that Chief Constable Chris Sims, representing the Association of Chief Police Officers, told the House of Commons Science and Technology Committee on 10 December 2014? Oh yes, he said that he was "not aware of [UK police] forces using facial image software at the moment" and that "the technology is not yet at the maturity where it could be deployed" (para. 95).

Let's see now. What have we got?

GDS being upstaged by an uncertified "identity provider" launching a product which the police say is too immature to be deployed.

Not the greatest day in the annals of GOV.UK Verify (RIP)'s brief history, not by une longue craie.


Updated 9.1.16

This isn't just embarrassing any more.
It's terminal. 

Four of GDS's "identity providers" offer identity assurance services which have been approved by tScheme – digidentity, Experian, GBGroup and Verizon.

Two of the rest haven't even applied to tScheme – PayPal and Royal Mail. Even if they apply tomorrow, the probability of their services being approved by tScheme in time for GDS's live date in April 2016 is low-to-nil.

Another two of the rest have applied to tScheme – Barclays and Morpho. It is just possible that their services be approved on time but tScheme, quite rightly, don't have a record of falling in with GDS's timetable so don't count on it.

That leaves the Post Office, whose application was made 22 months ago and which has now lapsed, putting the Post Office in the same unapproved boat as PayPal and Royal Mail.

It is getting on for three years since GDS published Delivering Identity Assurance: You must be certified, confirming that all "identity providers" must be certified/approved "to provide the necessary independent assessment ... for compliance with the [CESG identity assurance] guides".

That is a condition that GOV.UK Verify (RIP) must satisfy to inspire and retain the trust of its parishioners. GDS say so.

So does the Privacy and Consumer Advisory Group (PCAG) referred to above. Identity assurance principle #7, certification: "I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements".

PCAG are committed to ensuring that GOV.UK Verify (RIP) abides by the nine identity assurance principles. They said so in November 2014. They reaffirmed their commitment in September 2015.

And GDS are committed to abiding by the PCAG principles. "GOV.UK Verify [RIP] protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group", please see GOV.UK Verify hub [RIP] - privacy aspects, June 2015.

PCAG's nine principles are supposed to be our bulwark against the likes of Google, who openly argue that its users have no "reasonable expectation" of confidentiality.

In November 2014, someone suggested that GOV.UK Verify (RIP) abided by not a single one of the principles. But that was just DMossEsq. It doesn't count for anything.

More worrying is when MarkK says the same thing. He knows what he's talking about. And he gets a response from GDS, including this:
Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system unless and until Post Office introduces anything that is different in its system for verifying identities, in which case that would need to be separately certified.
All the "identity providers" need to be certified, says GDS. The Post Office isn't certified. But it's still an "identity provider", says GDS.

Identity assurance principle #7 has been breached. It's as simple as that. Despite PCAG's and GDS's joint commitment, #7 has fallen and the others are going down with it. Like ninepins.

#8, for example: "If I have a dispute, I can go to an independent Third Party for a resolution":
  • Mr King says there is still "no sign of an independent Ombudsman".
  • GDS say "we think the current arrangements for dispute resolution are adequate ...".
GDS are wriggling. They're not delivering what they promised. They can't. Not by April 2016. This isn't just embarrassing any more. It's terminal. Public trust has gurgled down the hole between the promise and the reality. GOV.UK Verify, RIP.


Updated 10.1.16

Where is our thing at?

A copy of this post has been sent to the Privacy and Consumer Advisory Group (PCAG) to see what they have to say about the Government Digital Service's apparent failure to ensure that GOV.UK Verify (RIP) abides by the nine identity assurance principles.

PCAG have their own page on the award-winning GOV.UK where you are advised to email communications to idasupport@digital.cabinet-office.gov.uk.

Back came an email from GOV.UK Verify (Life) Support saying that DMossEsq's communication had been assigned ID no. 15834 and that "if you would like to add any further information to this ticket, please reply to this message or include #15834 in the subject line of all future correspondence".

The link in that email leads to a screen asking you to enter your email address and your password so that you can Sign In To Verify [Life] Support. Not having a password, DMossEsq chose the New To Verify [Life] Support? option, clicked on Sign Up and submitted his registration details, only to be told that "A user has already signed up with the given email ... Please use the regular sign-in".

Mystifying.

But if you have a go at signing in with any random character as a password, you are told "Email address / password combination is incorrect, try again or get a new password" – "To reset your password for https://gdshelp.zendesk.com, enter your email address and we'll send you an email with instructions". DMossEsq submitted his email address but no "email with instructions" has been received.

Mystifying.

None of which boring story would normally be told if it wasn't for the fact that, as part of their alchemical digital-by-default transformation of leaden public administration into gold, GDS are gearing up to provide us all with a new platform, GOV.UK Notify:
Government receives millions of calls every year, from people anxious to find out where their thing is at. People have to spend time on hold, and running call centres costs a lot of money.

GOV.UK Notify is going to make it easy to keep people informed, by allowing service teams across government to send text messages, emails or letters to their users, before they get anxious enough to call.
Let's hope that this latest platform in GDS's firmament isn't using the GOV.UK Verify (Life) Support system as its mystifying model.

And let's hope (against hope) that GOV.UK Notify itself abides by PCAG's nine principles of identity assurance.


Updated 11.1.16


The need for PCAG to speak

Five of the Government Digital Service's "identity providers" are not certified and yet GDS assert that GOV.UK Verify (RIP) abides by the principle that they all must be. How can GDS say that? How can they expect anyone to believe them? What other GDS assertions are false?

And what is the Privacy and Consumer Advisory Group's opinion of this state of affairs? PCAG specified the identity assurance principles and GDS volunteered to abide by them – and yet they seem to be flouting all nine principles. Do PCAG find that acceptable?

There's no independent identity assurance ombudsman to appeal to. That's another principle not being abided by. GDS can't be left to mark their own homework, "we think the current arrangements for dispute resolution are adequate ...".

In the circumstances, it would be useful to hear from PCAG. Useful to the general public. And useful to any private sector entrepreneurs who may be lured into developing applications which rely on GOV.UK Verify (RIP).

From: David Moss
Sent: 11 January 2016 19:16
To: 'Verify Support'
Subject: RE: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles

Dear Vivienne

Thank you for your 11 January 2016 email.

My 9 January 2016 email is addressed to the Privacy and Consumer Advisory Group (PCAG). I am seeking a response from them, not from the Government Digital Service (GDS). The address given on GOV.UK for PCAG is idasupport@digital.cabinet-office.gov.uk, that is where I sent my email and I trust that PCAG have received it.

As you say, Janet Hughes of GDS asserts that GOV.UK Verify abides by the nine PCAG identity assurance principles. My question is, do PCAG agree?

Yours sincerely
David Moss

From: Verify Support
Sent: 11 January 2016 17:19
To: David Moss
Subject: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles
Your request (15834) has been updated. To add additional comments, reply to this email.
Vivienne (Verify Support)
Jan 11, 17:19
Dear Mr Moss
Thank you for your comment, which has been noted. As Janet Hughes said in response to the blog comment you highlighted, GOV.UK Verify has been built to reflect the identity assurance principles, and we have ongoing discussions with our Privacy and Consumer Advisory Group to help us apply them in the detail of everything we do. We are continually developing our approach as part of the development of GOV.UK Verify from beta to live, and beyond.
We appreciate you taking the time to provide feedback about the development of GOV.UK Verify.
GOV.UK Verify Support

David Moss
Jan 9, 14:03
Dear Sirs

It seems to a number of people that the Government Digital Service's GOV.UK Verify identity assurance system does not abide by the principles you have established. This, despite PCAG's commitment to ensure that it would, and despite GDS's commitment to do so.

In support of that contention I cite the comments on the co-chairs' blog post GOV.UK Verify: Identity Assurance Principles, copy attached, and my own contribution RIP IDA – some "identity providers" are less trustworthy than others, copy also attached.

I bring this matter to your attention in the interests of the British public who are meant to be able to trust GOV.UK Verify. The basis for that trust is in doubt.

Yours faithfully
David Moss

----------
@DMossEsq
http://DMossEsq.com
Address details removed 
This email is a service from Verify Support. Delivered by Zendesk


Updated 13.1.16

"Messy and interesting"

Good news, the Government Digital Service (GDS) will pass on an email addressed to the Privacy and Consumer Advisory Group (PCAG):

From: Verify Support [support@gdshelp.zendesk.com]
Sent: 12 January 2016 08:42
To: David Moss
Subject: [Verify Support] Re: Failure of GOV.UK Verify to abide by the PCAG identity assurance principles
Your request (15834) has been updated. To add additional comments, reply to this email.
Vivienne (Verify Support)
Jan 12, 08:42
Dear Mr Moss
We will pass your email on to PCAG.
Many thanks
Vivienne
GOV.UK Verify Support
This email is a service from Verify Support. Delivered by Zendesk

There's a lot more for PCAG to consider than just the post above. Neil Merrett's article in yesterday's Government Computing, for example, UK can take global ID assurance standards lead during "messy" 2016:
GOV.UK Verify [RIP] is being developed by the Cabinet Office as a platform to allow users to select one of several pre-chosen companies to perform a check on their identity in order to securely access its online services - rather than relying on a single government database.

At present, there are four companies - Post Office, Experian, Digidentity and Verizon - accredited to support the identity assurance platform. Nine ID providers in total are expected to be accredited to support the service when it goes live from April.
This is Neil Merrett, remember. Read him early. Read him often. That Neil Merrett. He knows that:
  • GOV.UK Verify (RIP) isn't just for accessing GDS's on-line services, GDS are offering its use to the private sector as well.
  • It is questionable whether GOV.UK Verify (RIP) is secure.
  • "Secure" is not equivalent to "not relying on a single government database". GDS rely here on a non sequitur.
  • The GOV.UK Verify (RIP) identity hub has been declared insecure by four academics, one of whom is a member of PCAG (Dr George Danezis).
  • GDS's Government as a Platform strategy relies precisely on assembling a set of "canonical registers", i.e. databases, which will constitute a "single source of truth".
  • The Post Office isn't accredited. Not by tScheme, at least. Their application for approval has lapsed.
  • Having applied for approval fairly late, the chances of Barclays and Morpho being accredited by tScheme by April 2016 are slim to non-existent.
  • The chances of PayPal and the Royal Mail being accredited by tScheme are non-existent – they haven't even applied for approval.
  • Verizon have been banned from government contracts in Germany. Good enough for the UK, not good enough for Germany. Doesn't inspire confidence, does it.
  • Experian in the US didn't even know they were supplying personal information to a fraudster until the US Secret Service told them.
Mr Merrett writes what he writes to give GDS the opportunity to correct the record. If they don't take one opportunity, he gives them another one.

He does it again in the same article:
... with GOV.UK Verify [RIP] set to become a live service this year, he [Don Thibeau] argued the planned launch was likely to bring the complex issues of data use to the forefront of public consciousness, notably around standards for the re-use of information and how permission can be obtained.

"When, for example, can HM Revenue & Customs (HMRC) have access to data I gave permission to another department to use to access services and in what situations can this be re-used? These are the key questions that need to be answered," he said.
You thought that GOV.UK Verify (RIP) abides by all nine of PCAG's identity assurance principles, didn't you, including #1, "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them".

Not a bit of it.

Re-use? Permission? "These are the key questions", according to Mr Thibeau, "that [still] need to be answered".

Mr Thibeau is chairman and president of OIX and chairman of OIX UK, the Open Identity Exchange, GDS's business partner on GOV.UK Verify (RIP). And he says these questions are still unanswered. So how can GDS say that GOV.UK Verify (RIP) abides by the PCAG principles?

They can't.

That, surely, is a matter for PCAG to consider and to comment on in public.

Mr Merrett doesn't stop there. He goes on to discuss "safe harbor". The US is not a safe harbour for our data. The European Court of Justice says so. And yet Experian, for example, reserve the right in their terms and conditions when you sign up with them as an "identity provider" to store your data outside the European Economic Area not excluding in the US, please see Where we store your personal data?.

Are Experian ignoring the law? Are GDS conniving in that by continuing to use Experian as an "identity provider"? What do PCAG make of that?

And what do PCAG make of GOV.UK Verify (Life) Support using Zendesk to bring them and their parishioners "closer together". Clause 3.6 of Zendesk's Terms of Service relies on the US being a "safe harbor" which the ECJ says it isn't. Could PCAG be said to be conniving in GDS's flouting of the law?

But we will stop there and not get lured into areas which even Mr Merrett avoids, such as the question of compensation, if any, when something goes wrong with GOV.UK Verify (RIP) and you suffer as a result. That's quite enough for the moment.


Updated 6 May 2016 1

You may remember that on 9 January 2016 DMossEsq asked for an email to be passed on to PCAG, the Privacy and Consumer Advisory Group, please see above.

You may. DMossEsq had forgotten.

And then on 11 March 2016 a response came in from PCAG. Somewhat late in the day, here it is:
Dear David Moss,

We are writing on behalf of the Privacy and Consumer Advisory Group (PCAG) in response to your emailed question to the Group. You ask whether PCAG agrees that GOV.UK Verify [RIP] abides with the nine PCAG identity assurance principles.

As you will be aware, the nine principles “assume that an Identity Assurance Service is mature and well established”, which is clearly not yet the case. The principles also explicitly acknowledge that “in the early stages of its development there may well be a phasing-in period in relation to each Principle, or that in some cases a Principle might need a degree of initial flexibility” (para 2.4 of the Identity Assurance Principles V3.1 available at [address]).

It might also be helpful to clarify a number of points in the (updated) post you referred to in your emails.

You assert that the Post Office isn’t accredited by tScheme and that their application for approval has lapsed. The Verify team point out that the Post Office is utilising an existing tScheme certified service that has been re-badged. Since the underlying service is unchanged, it was not necessary to certify the “front end” company [so the assertion is correct, the Post Office is not certified].

You note that “Having applied for approval fairly late, the chances of Barclays and Morpho being accredited by tScheme by April 2016 are slim to non-existent.” The Verify team has recently provided greater detail about the certification process [address] and [address] [both of PCAG's links now broken, standard practice with GDS's GOV.UK]. These posts point out the reality that the full certification process can only be completed “after a period of live operation” [and thus the reality that Barclays and Morpho had no chance of being accredited by April 2016].

In answer to your question – do PCAG agree with Janet Hughes’s assertion that GOV.UK Verify abides by the nine PCAG identity assurance principles – the answer is currently “Yes”.

We will, of course, continue our close scrutiny of the work of Verify as it moves from Beta to Live. We are continually reviewing the scope and applicability of the nine identity assurance principles as experience of using the Verify service grows.

Yours sincerely,

Dr Jerry Fishenden and Dr Edgar Whitley
Co-Chairs, on behalf of the Privacy and Consumer Advisory Group (PCAG)
It's mystifying but PCAG are adamant – according to them, GOV.UK Verify (RIP) abides by all nine identity assurance principles:
Identity Assurance Principle – Summary of the control afforded to an individual
  1. User Control – I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them
  2. Transparency – Identity assurance can only take place in ways I understand and when I am fully informed
  3. Multiplicity – I can use and choose as many different identifiers or identity providers as I want to
  4. Data Minimisation – My interactions only use the minimum data necessary to meet my needs
  5. Data Quality – I choose when to update my records
  6. Service User Access and Portability – I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want
  7. Certification – I can have confidence in the Identity Assurance Service because all the participants have to be certified against common governance requirements
  8. Dispute Resolution – If I have a dispute, I can go to an independent Third Party for a resolution
  9. Exceptional Circumstances – I know that any exception has to be approved by Parliament and is subject to independent scrutiny

Take a look at #6, for example, "I can move / remove my data whenever I want". DMossEsq handed over a lot of personal information to Safran Morpho/SecureIdentity to open a GOV.UK Verify (RIP) account. He then closed the account. Safran Morpho/SecureIdentity say that they need to keep his data for seven years. "I can remove my data whenever I want"? No.

Take a look at #8, for example, "If I have a dispute, I can go to an independent Third Party for a resolution". Name the "independent Third Party". Go on. Name him or her or it. You can't. There isn't one.

Etc ...

Whatever PCAG say, the Government Digital Service simply cannot claim that GOV.UK Verify (RIP) abides by PCAG's nine identity assurance principles.


Updated 6 May 2016 2

If you sign up to GOV.UK Verify (RIP) using Barclays as your "identity provider", you expect Barclays to be your "identity provider". That's fairly straightforward.

Now take a look (hat tip: someone) at the Government Digital Service (GDS) status log for GOV.UK Verify (RIP):


"Verizon will be carrying out this work, however the downtime relates to the Barclays service and not to Verizon"? Are you using Barclays? Or, without knowing it, Verizon? Or both? You don't really know where you are, do you. Or where your personal information is.


Updated 6 May 2016 3

The status log for GOV.UK Verify (RIP) is "Powered by StatusPage.io".

StatusPage.io's Terms of Service say, among other things:
12. Geographic & Technological Restrictions

The Company is based in the United States. Our Website is hosted in the United States and our services are provided from the United States. We make no claims that the Website or any of its content is accessible, appropriate or legal outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the Website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.

It is possible that certain information will be stored on servers in multiple other countries on the "cloud" or other similar distributed hosting platforms. If you are a user accessing our Website or services from the European Union, Asia or any other region with laws governing personal data collection, use, and disclosure that differ from United States laws, you are expressly and knowingly consenting to the transfer of your personal information to the United States and other jurisdictions as indicated above, and to our use of your personal information in accordance with our Privacy Policy.
And their Privacy Policy says, among other things: "StatusPage complies with the US-EU Safe Harbor Framework ...".

And the European Court of Justice says that Safe Harbor is no such thing, please see above.

What are the Government Digital Service thinking of?


Updated 7.5.16 1

Why are GDS publishing manifestly false assertions?

Yesterday, the Government Digital Service (GDS) published What kind of fraud do our standards prevent?. They say:
GOV.UK Verify [RIP] doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services. These documents are jointly published by the Cabinet Office and CESG, the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".

All of them?

Yes, all of them.

That's what it says but they're not.

Only four of them are certified – CitizenSafe/GB Group, Digidentity, Experian and Verizon. You can check that for yourself on the tScheme website.

The other four – Barclays, Post Office, Royal Mail and Safran Morpho/SecureIdentity – are not certified. You can check that for yourself. The Barclays, Royal Mail and Safran Morpho/SecureIdentity services are still awaiting approval by tScheme. And the application to register the Post Office's service isn't even awaiting approval, it lapsed over a year ago.

It follows that GDS are misleading the readers of yesterday's blog post.

GDS assert that it can be truly predicated of GOV.UK Verify (RIP) that all of its "identity providers" have been certified. And they haven't been. The assertion is false.

DMossEsq readers will have known to check that assertion ever since 14 December 2015 when this blog post was published, please see opening table above.

Why are GDS publishing manifestly false assertions?




Updated 7.5.16 2

As noted, yesterday the Government Digital Service (GDS) published What kind of fraud do our standards prevent?. They say:
GOV.UK Verify [RIP] doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services. These documents are jointly published by the Cabinet Office and CESG, the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".

Step 1 – Take a look at the handy cut-out-and-keep DMossEsq choose-your-identity-provider app. You will note there that four of GDS's GOV.UK Verify (RIP) "identity providers" share your personal information with Equifax, the credit referencing agency – Verizon, Barclays, CitizenSafe/GB Group and the Royal Mail.

Step 2 – Take a look at the opening table above. Equifax were certified trustworthy by tScheme as long ago as 10 December 2014.

Step 3 – Take a look at one of the current on-line security breach stories, Crooks Grab W-2s from Credit Bureau Equifax. W-2 is a US Internal Revenue Service form which can be used by anyone including crooks to claim tax rebates:
Atlanta-based Equifax’s W-2Express site makes electronic W-2 forms accessible for download for many companies, including Kroger — which employs more than 431,000 people. According to a letter Kroger sent to employees dated May 5, thieves were able to access W-2 data merely by entering at Equifax’s portal the employee’s default PIN code, which was nothing more than the last four digits of the employee’s Social Security number and their four-digit birth year.
Where do these three steps take you?

tScheme approval is not a guarantee against hacking.

tScheme never said it was. But that's what GDS's headline might be taken by the unwary to imply – "what kind of fraud do our standards prevent?".

The unwary may be further misled by GDS's security screen displayed during the GOV.UK Verify (RIP) registration dialogue:


 "It's secure". Just like that. No qualification. GOV.UK Verify (RIP) is secure.

But it's not, is it. Look what's just happened to Equifax. And what's happened to Experian, their fellow credit referencing agency, in the past.

Everyone knows that there is no such thing as unqualified security. For GOV.UK Verify (RIP) or any other system. On the web or anywhere else. Why do GDS keep pretending that there is?


Updated 7.5.16 3

Eight? Or three? Which is it?

As noted, yesterday the Government Digital Service (GDS) published What kind of fraud do our standards prevent?. They say:
GOV.UK Verify [RIP] doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services. These documents are jointly published by the Cabinet Office and CESG, the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".
It's easier for GDS's eight "identity providers" to verify some people's identity than others.

Very young people tend not to have a long credit history. That makes it hard to verify their identity, given that GOV.UK Verify (RIP)'s answer to the question "what is a person?" is "something with a long and current credit history".

Very old people often let their passport lapse and have to give up their driving licence which, again, can make it hard to verify their identity the GOV.UK Verify (RIP) way.

You can do an experiment at home. Go through all the preliminaries of signing up for a new GOV.UK Verify (RIP) account to look at your self-assessment tax return.

Don't worry, you can pull out before you have to enter a single item of personal information.

Click on You can also sign in with a GOV.UK Verify account, say it's your first time, Next, Next, Start now, Continue, say you've got a UK driving licence and a UK passport and no foreign ID, you've got a mobile phone on which you can install apps, you're over 20 and you've lived in the UK for the past 12 months.

That's GDS's way of trying to measure how hard it's going to be for an "identity provider" to verify your identity.

With those answers, you must be just about the easiest identity in town to verify. And yet what do you see when you press your last Continue? It varies but at 13:47 today, 7 May 2016, you would have seen something like this:


Despite being the easiest verification case possible, GDS say that five of their "identity providers" are "unlikely to be able to verify you".

GDS are saying that Barclays, CitizenSafe/GB Group, the Royal Mail, Safran Morpho/SecureIdentity and Verizon are useless.

GDS are promoting the Post Office, who are uncertified, ahead of Verizon, for example, who are certified and have been since 11 February 2015.

They're promoting Digidentity, whose contract with you is governed by Dutch law, which you may or may not be expert in, and who want you to buy a YubiKey to improve the security of their service (presumably reduced without one), ahead of CitizenSafe/GB Group, for example, who specialise in checking criminal records.

Why?

GOV.UK Verify (RIP) is supposed to be a "market" created by GDS or, sometimes, an "ecosystem". Why are GDS sticking their untutored oar in and distorting the market?

Never mind that, GDS are a law unto themselves, but what is the public supposed to make of it? Are there eight "identity providers" or just "three"? Do GDS know what they're doing? They're emitting mixed messages. Confused signals. Which threatens the survival of their own already-dubious little ecosystem.

What is the public supposed to make of it and what are the "relying parties" supposed to make of GDS's bull-in-a-china-shop market regulation?


Updated 7.5.16 4

As noted, yesterday the Government Digital Service (GDS) published What kind of fraud do our standards prevent?. They say:
GOV.UK Verify [RIP] doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services. These documents are jointly published by the Cabinet Office and CESG, the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".

"What kind of fraud do our standards prevent?" – that's one question.

There is another – what kind of fraud does GOV.UK Verify (RIP) invite?

Take another look at the handy cut-out-and-keep DMossEsq choose-your-GOV.UK-Verify-(RIP)-identity-provider app. GDS invite you to:
  • Give your personal information including "title, first name, middle name or initial, surname, any other names you are known by, date of birth, gender, current address, previous addresses in the last three years (and the duration at each address), home telephone number, mobile telephone number and email address. We will also ask you to provide details of official identity documents, such as your passport or driving licence" (to quote just the Royal Mail) ...
  • To any or all of CitizenSafe/GB Group, Digidentity, Experian, Verizon, Barclays, Post Office, Royal Mail, Safran Morpho/SecureIdentity, Callcredit, Her Majesty's Passport Office, the Driver & Vehicle Licensing Agency, any other relevant HMG Department, ID Checker, WorldPay, the third party that hosts our (the Post Office's) website, other companies within the Experian group, the suppliers that we (Digidentity) work with to deliver the service to you, a company within the Verizon Group or other affiliated entity, Equifax, Zentry LLC, Techmahindra Ltd, Expert Solutions Support Centre, GDS, Morpho sub-contractors including third party fraud-prevention agencies and credit agencies, law enforcement and tax authorities, the head office of the Morpho Group Morpho SAS based in France, a fraud prevention agency, other member organisations of the fraud prevention agency, other Barclays companies, Barclays business partners, suppliers and sub-contractors, GOV.UK Verify (RIP), anyone who buys a Barclays business or Barclays assets, the Police and/or other relevant authorities, any company in the GB Group group, business partners, suppliers and sub-contractors, analytics and search engine providers, other companies and organisations for the purposes of fraud protection and credit risk reduction ...
  • Who may store it irrevocably out of your control in any or every country in the world.
What kind of fraud does GOV.UK Verify (RIP) invite?

Easy fraud? Pushover fraud? Shooting-fish-in-a-barrel fraud? Christmas-has-come-early fraud?


Updated 9.5.16

As noted, on 6 May 2016 the Government Digital Service (GDS) published What kind of fraud do our standards prevent?. They say:
GOV.UK Verify [RIP] doesn’t just use open standards - we have helped set the standards for identity proofing and verification and online authentication for UK government digital services. These documents are jointly published by the Cabinet Office and CESG, the National Technical Authority for Information Assurance. All the certified companies are required to meet those standards, and have to be independently certified to confirm that they do.
Chase down GDS's link and you'll find that the "certified companies" referred to are Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail, SecureIdentity and Verizon. And according to GDS, "all the certified companies ... have to be independently certified".

-----  o  O  o  -----

GDS don't mention the GOV.UK Verify (RIP) identity hub in their what-kind-of-fraud blog post. That is a serious omission in a review of the system's security.

-----  o  O  o  -----

"We have helped set the standards for identity proofing and verification and online authentication for UK government digital services". So say GDS. And what are those standards?
  • GOV.UK Verify (RIP) has trouble proving the identity of the very young and the very old and the low-paid and the unemployed. 30% or more of these people would be excluded from public services if access depended on GOV.UK Verify (RIP).
  • Approximately 30% of attempts to register for a GOV.UK Verify (RIP) account end in failure.
  • The "identity providers" have trouble reaching level of assurance 2 (LOA2) that any given applicant is who they say they are. That's according to OIX, the Open Identity Exchange, GDS's business partner in GOV.UK Verify (RIP). LOA2 is better than LOA1 (self-certification). It's supposedly a high enough standard of proof for a civil court. But not for a criminal court (LOA3) or beyond.
For those few UK government digital services which use GOV.UK Verify (RIP), it's not providing a very successful standard of identity proofing and verification – GDS are looking for 90% penetration of the population and for a 90% account creation success rate. The 70% or so allegedly being achieved in each case is a long way short of GDS's own target for an acceptable system.

Most UK government digital services don't use GOV.UK Verify (RIP). Pace GDS, GOV.UK Verify (RIP) is not the standard for identity proofing and verification and on-line authentication.

-----  o  O  o  -----

Chase down GDS's link to identity proofing and verification and you get to CESG's GPG 45 document (Good Practice Guide 45). There's a lot in there about identity proofing and verification but CESG say nothing about using Verizon, for example, to do the proofing and verification. The use of "identity providers" is something GDS have added.

-----  o  O  o  -----

It would be terribly useful if most people could have their identity proven on-line to a high level of assurance by "identity providers". But it may not be feasible. That possibility must be entertained ...

... particularly when you look at the latest draft digital authentication guideline issued by NIST, the US National Institute of Standards and Technology.

NIST are worried about identity proofing. That relies in part on secrets. At least that's the idea. But of course it doesn't hold water. If the knowledge an applicant is tested on were really a secret then the "identity provider" wouldn't know whether the answer was right.

NIST are worried about levels of assurance. GDS's assumption that an LOA2 is an LOA2 and that's all there is to it is wrong. Some "identity providers" are worse than others – CitizenSafe/GB Group's LOA2, for example, may only be worth a Verizon LOA1.5.

NIST are worried about one-time passwords sent by text message, those magic numbers GDS send to your mobile and that you key in to your computer to prove that you are you. NIST's draft now "deprecates" delivering them over SMS.

And NIST are beginning to lean more and more on biometrics to make on-line identity proofing work:
Biometric matching SHOULD be performed locally on claimant’s device or MAY be performed at a central verifier.

Biometrics SHALL be used with another authentication factor that SHALL be revokable.

The biometric system SHALL have a tested equal error rate of 1 in 1000 or better. The biometric system SHALL be operational with a false match rate of 1 in 1000 or better.
"Equal error rate"? False match rate and false non-match rate trade off against each other: raise the matching threshold and false matches go down while false non-matches go up, lower it and the reverse happens. The point at which the two curves cross is the equal error rate, and good luck to NIST finding a mass consumer biometric with an equal error rate that good. Null hypothesis: there aren't any. (You can forget about the fingerprint reader on your iPhone for a start.)

"False match rate"? A false match is what you have when an impostor manages to pass himself off as someone else. NIST want that rate to be measured at 0.1% or lower in operation. But it can't be. You can't measure the operational false match rate because impostors don't nip back to border control to update the statistics and tell the staff that they've just let an impostor through.
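To make the trade-off concrete, here is an added example (not from the original post, not NIST's code, and not from any GOV.UK Verify "identity provider") that computes false match rate, false non-match rate and the equal error rate from constructed match scores. The genuine and impostor score lists are invented for illustration, as are the function names; the only thing the example takes from NIST's draft is the 1-in-1000 false match rate target, and it shows what pinning the false match rate that low costs in false non-matches on the sample data.

```python
"""FMR, FNMR and equal error rate (EER) from constructed biometric match scores.

Added example; data and function names are assumptions for illustration only.
"""
from typing import List, Tuple

# Constructed sample data (not from any real biometric system). Higher score
# means "more similar". Genuine comparisons (same person) cluster high;
# impostor comparisons (different people) cluster low, with some overlap,
# which is what makes the two error rates trade off against each other.
GENUINE_SCORES = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.78, 0.72, 0.61]
IMPOSTOR_SCORES = [0.10, 0.15, 0.20, 0.25, 0.30, 0.40, 0.55, 0.66, 0.74, 0.81]

# Target taken from the NIST draft quoted above: false match rate of 1 in 1000.
NIST_DRAFT_MAX_FMR = 1 / 1000


def false_match_rate(impostor: List[float], threshold: float) -> float:
    """Fraction of impostor comparisons accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def false_non_match_rate(genuine: List[float], threshold: float) -> float:
    """Fraction of genuine comparisons rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def candidate_thresholds(genuine: List[float], impostor: List[float]) -> List[float]:
    """Every distinct observed score, ascending.

    FMR and FNMR only change when the threshold crosses an observed score, so
    scanning these values is enough to trace both curves exactly.
    """
    return sorted(set(genuine) | set(impostor))


def error_curve(genuine: List[float], impostor: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) for every candidate threshold; FMR falls as FNMR rises."""
    return [
        (t, false_match_rate(impostor, t), false_non_match_rate(genuine, t))
        for t in candidate_thresholds(genuine, impostor)
    ]


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Threshold where FMR and FNMR are closest, and the EER there.

    On sampled data the curves rarely cross exactly, so the EER is reported as
    the mean of FMR and FNMR at the threshold with the smallest gap.
    """
    best_gap, best_t, best_eer = None, None, None
    for t, fmr, fnmr in error_curve(genuine, impostor):
        gap = abs(fmr - fnmr)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_eer = gap, t, (fmr + fnmr) / 2
    return best_t, best_eer


def operating_point_for_fmr(genuine: List[float], impostor: List[float],
                            max_fmr: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FMR is within max_fmr, with the FNMR it costs.

    This is the question NIST's "operational false match rate of 1 in 1000"
    raises: the threshold that keeps impostors out also rejects genuine users.
    """
    for t, fmr, fnmr in error_curve(genuine, impostor):
        if fmr <= max_fmr:
            return t, fmr, fnmr
    raise ValueError("no threshold achieves the requested false match rate")


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.3f} at threshold {t}")
    t, fmr, fnmr = operating_point_for_fmr(GENUINE_SCORES, IMPOSTOR_SCORES, NIST_DRAFT_MAX_FMR)
    print(f"FMR <= {NIST_DRAFT_MAX_FMR}: threshold {t}, FMR {fmr:.3f}, FNMR {fnmr:.3f}")
```

On the constructed scores the curves cross at a threshold of 0.74 with an EER of 20%, and holding the false match rate at or below 1 in 1000 forces the threshold up to 0.83, where 40% of genuine users are rejected. Real systems have far more comparisons and far smaller rates, but the shape of the trade-off is the same, and note that the example can only compute FMR at all because the impostor comparisons are labelled as such, which is exactly the information an operational system does not have.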

Once high performance mass consumer biometrics are needed, you know that the end is nigh for any identity assurance system. Its proponents may as well appeal to astrology.

You see? It may not be feasible for most people to have their identity proven on-line to a high level of assurance by "identity providers". GDS can't be blamed for the failure of GOV.UK Verify (RIP). Not if it's just not feasible – in that case, no-one could have made it work.


Updated 15.11.16

GDS started with nine "identity providers" for GOV.UK Verify (RIP)'s second framework. PayPal never offered a service and Verizon have temporarily pulled out for several months now. There are just seven left.

All "identity providers" are certified. So say GDS, to inspire confidence in us Brits. They're wrong.

Barclays is certified by tScheme. So are Digidentity and Experian. And so are GB Group plc/CitizenSafe (in a small way). That's four. What about the other three?

The Post Office's application for tScheme approval lapsed ages ago. We know that. Two to go.

The Royal Mail applied for approval on 21 December 2015. Approval still hasn't been granted. And this coming Saturday will be the first anniversary of Safran Morpho/SecureIdentity's 19 November 2015 application, still pending, still no approval.

What's taking so long?

What's the problem?
