Monday, 7 March 2016

RIP IDA – GBGroup/ID3global

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

The Government Digital Service (GDS) have contracted with nine so-called "identity providers" or "certified companies" to register all us Brits and to supply us with on-line identities, ready for the brave new digital-by-default world.

Armed with these on-line identities, 90% of us will be able one day (in April 2016?) to use public services via GOV.UK Verify (RIP). That's the idea.

GDS are more diffident about this but, later on, these on-line identities may allow us to use private sector services, too.

GBGroup is one of GDS's "identity providers", although you won't see their name when you try to sign up for GOV.UK Verify (RIP) – there they aren't:


It seems unfair. SecureIdentity and Barclays aren't certified, despite GDS's claim above. Neither is the Post Office. That's three mistakes GDS have made on one screen. Four, if you count the suggestion that GOV.UK Verify (RIP) is free.

And yet GBGroup have been certified for ages. Ever since 12 February 2015. Why aren't they allowed to operate as an "identity provider"?

As it happens, if and when GBGroup are let loose on the British public, you still won't see their name on the list. That's not just because their real name is "GB Group plc". It's because they've now stopped trading as "GBGroup" and started trading as "CitizenSafe".

What's more, while they're about it, they seem to have changed the name of ID3global to "CitizenSafe" as well.

You have to be a bit of an identity assurance enthusiast yourself to keep up with some of these "identity providers". Morpho, for example, used to be Sagem Sécurité before they morphed.

When we talk about an "identity provider" being certified, we mean certified by tScheme, the independent experts in measuring trustworthiness.

Verizon are the most heavily qualified "identity provider" according to tScheme. By comparison, GB Group plc or GBGroup or CitizenSafe, whatever they're calling themselves, may not command as much trust:
tScheme approval profiles (table columns: Verizon | GBGroup/CitizenSafe)
  • Base Approval Profile
  • Approval Profile for Identity Registration Services
  • Approval Profile for Credential Validation Services
  • Approval Profile for an Identity Provider
  • Approval Profile for Credential Management Services

GBGroup/CitizenSafe do not match the profiles for credential validation or credential management? Nor do they match the profile for an "identity provider"? tScheme's approval of their ID3global/CitizenSafe product looks generous.

No surprise, perhaps, that the public haven't been exposed to GBGroup/CitizenSafe yet.

And no surprise either that GBGroup/CitizenSafe have sought assistance. Not just GBGroup/CitizenSafe, but the Royal Mail, too, another "identity provider":
(Reuters) Avoco Secure announces today that they have partnered with Royal Mail Group and GBGroup to provide solutions that will deliver Verified Identity Assurance Services for public services

Avoco Secure (www.avocoidentity.com)

Royal Mail and GBGroup have been chosen to partner with GOV.UK’s Verify service, to provide verification of individuals so that they can access Government services online, safely and easily ...

“Avoco Secure’s Trust platform is the technology that enables Royal Mail to deliver a verified, scalable, secure, user centric identity assurance service, which will allow users to authenticate themselves to UK Government digital services,” Jim Conning, Managing Director of Royal Mail Data Services stated, “Their industry expertise and proven track record played an important factor in Royal Mail partnering with Avoco” ...

“Avoco are pleased to partner to deliver Identity Assurance as a Service with recognizable and trusted organisations like Royal Mail and GBGroup,” said Gerry O’Brien, CEO, Avoco Secure ...

John Lord, Managing Director at GBGroup commented, “We are pleased to be partnering with Avoco Secure as we believe their Trust Platform will enable a secure, friction free user experience across all government services in the scheme” ...
That's your on-line identity GDS expect you to entrust to GBGroup/CitizenSafe. Or possibly, behind the scenes, to Avoco Secure. Up to you.

GBGroup/CitizenSafe have to communicate with GDS via Twitter:


If GDS won't give GBGroup/CitizenSafe their telephone number, perhaps you shouldn't either.

Would you be better off using the Royal Mail as your "identity provider"? With added Avoco Secure? Send them a letter. Time will tell.

Or what about Verizon? They're highly regarded by tScheme. Does that make them more confidence-inspiring?

Verizon may be highly regarded by tScheme but Germany doesn't agree, please see German government terminates Verizon contract over NSA snooping fears.

And there's something odd at the moment on GOV.UK Verify (RIP) – Verizon have disappeared from GDS's list of "identity providers". They were there the other day. Now they've gone.

GOV.UK Verify (RIP) has been designed by GDS. Their pre-eminent design principle is: "start with needs – user needs, not government needs".

That's what they started with and somehow you've ended up potentially being asked to register with an "identity provider" who is certified not to match the profile of an "identity provider". You never felt the need to do that, did you?

Something, somewhere along the line, has gone wrong. It's all got out of hand. GOV.UK Verify? RIP.

----------

Updated 8.3.16

GBGroup/CitizenSafe, please see above, have now been added to the list – Brits can now sign up to GOV.UK Verify (RIP) and help to compile the national identity register via GBGroup/CitizenSafe, the "identity provider" certified by tScheme not to match the profile of ... an "identity provider":

No objection to the word "Next" on the screen above but otherwise please note that Barclays, SecureIdentity and the Post Office aren't certified, GBGroup/CitizenSafe with Avoco Secure somewhere in the mix are certified not to be an "identity provider" and, whatever GDS say, there most certainly is a "charge for this service".

In the continued absence of Verizon, the blushing "identity provider" which appears to have disappeared, the choice for new mooncalves is between Digidentity and Experian.

If you're not a mooncalf and you would simply like to access the odd public service, stick to the Government Gateway. That's worked for the past 15 years or so and it doesn't require you to hand over all your personal information just to submit a tax return, or whatever.

If you're a company, of course, then you'll have to use the Government Gateway because GOV.UK Verify (RIP) doesn't know what a company is. The concept doesn't exist. After four years of development GOV.UK Verify (RIP) still can't verify the identity of a company.

It's not that good at identifying individuals either:
  • The GOV.UK Verify (RIP) account creation success rate, which GDS promise will be 90% by April 2016, just over three weeks away, fell last week from 72% to 67%.
  • And the level of assurance delivered by GOV.UK Verify (RIP) falls well below the standard required in a criminal court. OIX, GDS's business partner, say that GOV.UK Verify (RIP) is having trouble meeting the standard required in a civil court.
But you know all that.


Updated 11.3.16
This is sleazy


Remember that Reuters article? The one about the company you'd never heard of, Avoco Secure, and how they're supplying services to the other company you'd never heard of, the one with at least three names, GB Group plc/GBGroup/CitizenSafe? To them, and to Royal Mail, the company you have heard of? Well, there was news yesterday. Royal Mail has entered the lists.

There are now seven "identity providers" in operation out of GDS's total of nine. Verizon are still missing in action. And PayPal still show no sign of wanting to have anything to do with GOV.UK Verify (RIP).

The GOV.UK Verify (RIP) registration dialogues are identical for Royal Mail and CitizenSafe. The tabs on the browser have the Avoco Secure icon on them and if you use Chrome to View Page Source it says the author is Avoco Secure.

Royal Mail completes GOV.UK Verify [RIP] ID provider rollout, said Neil Merrett yesterday, "users wishing to access specific online government services will be able to select the company to verify their identity through a service which will be managed by GB Group (GBG) under the Royal Mail brand".

Royal Mail's name is being used but otherwise their involvement in GOV.UK Verify (RIP) is minimal. They're running a help desk: "Under the terms of their agreement, GBG will manage all technology for the service, with Royal Mail handling call centre services where users may need to clarify technical issues over the phone".

GDS are offering the public Royal Mail as an "identity provider" for GOV.UK Verify (RIP), making the most of Royal Mail's name recognition and public trust. But surreptitiously, behind the scenes, actually your identity will be managed by GB Group plc/GBGroup/CitizenSafe, whom no-one has ever heard of and who are certified by tScheme not to match the profile of an "identity provider".

This is sleazy.


Updated 4.2.19

"Sleazy". That was our last word on the subject. GOV.UK Verify (RIP) lure in victims accountholders pretending that they are registering with the Royal Mail when all the time, behind the scenes, they're really being registered by CitizenSafe.

And now CitizenSafe have uttered their last words, "stay safe":


Stay safe, indeed. But how? What will happen to all the personal information CitizenSafe hold on us, we GOV.UK Verify (RIP) accountholders who signed up via CitizenSafe or via the Royal Mail, whose work was all done for them behind the scenes by CitizenSafe, sleazily without the Government Digital Service (GDS) telling anyone?

CitizenSafe don't bother to answer the question. We have no idea what will happen to our personal information now. We have no control over it. Strange to re-read the identity assurance principles that GDS sleazily pretend to abide by:
  • "I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them" – no I can't.
  • "I have to be provided with copies of all of my data on request; I can move / remove my data whenever I want" – doesn't look like it.
At least CitizenSafe contacts its ex-victims. Not a word from the Royal Mail. Not even a letter. But they, too, like CitizenSafe are pulling out of the GOV.UK Verify (RIP) business, leaving GDS with just five "identity providers" out of 12 ...

... and less than 18 months left before they stop funding the funeral.


Updated 8.2.19

5 February 2019, an email arrives from the Royal Mail. It begins ...


... and goes on to say: "When we close your account, most of your personal data will be destroyed, including any information you provided when verifying your identity. However, we are legally required to securely keep information on your account activity for 7 years. This will only be used for audit purposes".

That falls short of the promise that "I can ... remove my data whenever I want".

There is still no acknowledgement of the connection between the Royal Mail and GB Group plc/CitizenSafe. The connection is simple. The Royal Mail relied on CitizenSafe to do their GOV.UK Verify (RIP) identity management work. Given that CitizenSafe were flying the coop, the Royal Mail couldn't stay; they had to leave together.

You can't guess that from the Royal Mail's email nor from their website:


And what about Avoco Secure?

Who?

Another company you've never heard of, another company the Government Digital Service (GDS) never told you about, Avoco Secure provided a GOV.UK Verify (RIP) service to both the Royal Mail and CitizenSafe. DMossEsq told you. GDS didn't. Have Avoco Secure got any of your personal data? How would you know? Will they destroy it? How would you know?

"We're building trust by being open - the sunlight of transparency is making things better", as GDS used to say. Your confidence may by now be dented.


Updated 26.8.19 1

Last heard, GOV.UK Verify (RIP) had five "identity providers" signed up to pull in victims.

No more.

They're down to two.

Barclays, Experian and Idemia/Morpho have pulled out, leaving just two – Digidentity and the Post Office.

Of course that's not really two "identity providers", it's just one because the Post Office isn't certified trustworthy by tScheme. Digidentity is. The Post Office isn't. Not that GDS or the Post Office ever make that clear.

Digidentity is the cuddly Dutch "identity provider", right? No. Texan.

Experian alone is thought to account for 44% of GOV.UK Verify (RIP)'s accounts. That's a lot of people who will now have to re-register with Digidentity/the Post Office.

What happens to all the personal information about us that Barclays, Experian and Idemia/Morpho have collected? Will GDS tell us? Probably not. They've never told us when "identity providers" have pulled out before.

Why would people re-register? Look what happened the last time. What is there to stop the Post Office from pulling out?

Would it be wise to leave Digidentity/the Post Office with a monopoly of digital government identity verification?

What are the chances of the Open Banking fraternity opting for GOV.UK Verify (RIP) now? (Unchanged at nil).

What future is there for GOV.UK Verify (RIP)?

None. It doesn't matter how long GDS take to announce that to their public, the answer is the same – none.



Updated 26.8.19 2

The question arises repeatedly why GDS don't tell their public what is happening with GOV.UK Verify (RIP).

Why, for example, did PayPal first agree to act as an "identity provider" and then subsequently refuse to?

Not once, but twice?

No idea. GDS never tell.

Is it a failure of responsibility?

Or do GDS simply have no idea what is going on?

That could be the explanation. Certainly, as at a few minutes ago, GDS were still offering Barclays, Experian and Idemia/Morpho as "identity providers" for new GOV.UK Verify (RIP) victims:


Has nobody told GDS that Barclays, Experian and Idemia/Morpho have flown the coop?


