Friday, 28 July 2017

RIP IDA – the last blip on the life support system monitor

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

"If Verify is the answer, what was the question?"

The Law Commission: "Verify does not currently ensure that the person entering the information
is in fact the person he or she is purporting to be;
rather it focuses on verifying that the person exists" (para.6.67/p.119)

The signs of life are petering out:
  • GOV.UK Verify (RIP) blog posts are now collectors' pieces. Like the Cabinet Secretary's once loud expressions of support for GOV.UK Verify (RIP).
  • The GOV.UK Verify (RIP) team hardly ever tweet.
  • They never go live on a new central government service. The big departments of state look like sorting out identity assurance themselves.
  • Local government is deserting GOV.UK Verify (RIP) even before joining it.
  • The Open Identity Exchange (OIX) publishes one report after another explaining why GOV.UK Verify (RIP) has nothing much to offer the private sector in general and nothing whatever to offer the financial services sector in particular.
  • Cabinet Office ministers come, they are made to say something ridiculous about the importance of GOV.UK Verify (RIP) and then they go.
  • Two executive directors of GDS have left, there weren't even any ripples on the departure of the second one and his replacement, a director general, didn't take the opportunity of his appointment to abandon their apology for a strategy – 25 million GOV.UK Verify (RIP) users by 2013 2020.
There is still the occasional blip on the GOV.UK Verify (RIP) life support system monitor. techUK hosted an encounter between GDS and the UK's technology suppliers earlier this week, a market briefing on GDS's government transformation strategy.

For an organisation claiming that making things open makes them better GDS have been very quiet about this event, which may as well have taken place on board a submarine. The press were excluded ("Press weren’t invited to the event"). Even DMossEsq failed to get in.

But some reports have been published. GDS wants IT suppliers to use its GaaP products – but won’t offer service guarantees, for example, Government needs tech industry skills to deliver on transformation plan, says GDS boss Cunnington, GDS chief to set out plans to meet Transformation Strategy agenda and GDS sets out vendor prospects from its transformation strategy plans.

From those reports it seems that GDS have been working hard on undermining GOV.UK Verify (RIP) by producing a version that doesn't verify people's identity. And that they want suppliers in the technology sector to use GDS's platform components only.

10 out of 10 for trying to be totalitarian but GOV.UK Notify and GOV.UK Pay aren't even live – so how could techUK's members use them and why would they abandon the products they already use? And next to no-one in central and local government and in the private sector wants to use GOV.UK Verify (RIP) – so why would techUK members want to use it, even if it doesn't verify anyone's identity?

The last time Whitehall tried to insert itself into the nation's payment systems the banks and the major retailers said no. On balance, they preferred the UK economy to survive. The same answer is confidently expected this time.

Jerry Fishenden has already explained the need for a rethink. So has Alan Mather in his GDS isn't working series.

Both of them were prime movers in the design and deployment of the Government Gateway, which remains today the main way for individuals and businesses to access central government services on-line, unlikely as that may seem – as Mr Mather says: "the Government Gateway is still there, 16 years old and looking not a day older than it did in 2006 when the [user interface] was last refreshed". They both want to see the Government Gateway replaced but GOV.UK Verify (RIP) is not in their view a feasible replacement.

Messrs Fishenden and Mather have actually done the job. GDS have proved that it's beyond them. What do we do now? There's no point asking GDS. Has anybody asked Messrs Fishenden and Mather?

GDS's much-vaunted digital-by-default government is impossible without identity assurance. The UK isn't going to get that from GOV.UK Verify (RIP), as DMossEsq has said for years with nary a response from GDS, hermetically sealed from reality as they are. Two exemplary public servants saying the same thing carries infinitely more weight. GOV.UK Verify? RIP.

----------

Updated 19.8.17

As we were saying above GOV.UK Verify (RIP)-wise, "Messrs Fishenden and Mather have actually done the job. GDS have proved that it's beyond them. What do we do now? There's no point asking GDS. Has anybody asked Messrs Fishenden and Mather?".

Bryan Glick, the esteemed editor of Computer Weekly magazine, had already published Jerry Fishenden, please see Gov.uk Verify and identity assurance - it's time for a rethink.

He's on the case and in his Gov.uk Verify fails to meet key business case targets Mr Glick also cites Alan Mather and adds the National Audit Office, whose March 2017 report on digital transformation in government calls for more clarity on GDS's rôle. Not just once, 33 times the NAO call for more clarity.

The main burden of Mr Glick's editorial is that GDS have failed to deliver on a single one of the promises made in the business case for GOV.UK Verify (RIP). The business case made to the Treasury is a false prospectus:
  • Too many people have trouble registering in the first place and too many people have trouble subsequently using GOV.UK Verify (RIP) to access public services.
  • 1.4 million GOV.UK Verify (RIP) accounts have been created. With seven "identity providers" to choose from, that could represent just 200,000 people with seven accounts each. GDS are committed to 25 million users by 2020. That's 25 million people. They have just three years to add up to 24.8 million people. At the present rate, that is impossible ...
  • ... it is also pointless if these people create level-of-assurance-1 accounts (LOA1), "little more than a system to set up a username and password", as Mr Glick says. The relying parties like HMRC and DWP and the NHS need properly assured accounts out of it if GOV.UK Verify (RIP) is to be ... reliable. The notion that they or the banks or the major retailers could rely on these LOA1 accounts now being offered by GDS is laughable.
  • Not enough public services have signed up to use GOV.UK Verify (RIP) and so much do they distrust it that they're developing their own identity assurance systems.
  • The promised cost savings do not look like materialising and, when asked about that, GDS avoid the question.
If one of the big systems integrators (SIs) turned in a performance like this GDS and its supporters would quite rightly be among the first to castigate them. There is no good reason to treat GDS differently from Capita, say, or Fujitsu, or any of the other SIs.

GDS have become a big SI themselves, with hundreds of staff, smart offices, influential PR, the connivance of senior officials and politicians, budgets measured in the hundreds of millions of pounds and guaranteed long-term public sector contracts.

We don't need another big SI. We want, need, deserve and pay for delivery and we're not getting it from GDS:
  • Alan Mather and Jerry Fishenden are admirably clear on that point.
  • The NAO imply it with their 33-fold call for clarity.
  • Mr Glick looks as though he agrees.
  • And then there's the Law Commission, please see the rubric above: "Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be".
"The first services will be developed and tested by February 2012, with IDA [identity assurance, now GOV.UK Verify (RIP)] due to be rolled out for initial public services by autumn 2012". That's what GDS told Computer Weekly a long time ago. The first in an unbroken series of broken promises, nothing has been achieved in the past five years.

How long can this sleazy misfeasance in public office continue?

Is there any good reason you can think of why it should continue beyond today? What in your opinion would we lose if GOV.UK Verify (RIP) was cremated in 10 minutes time?


Updated 20.8.17

There is a section in Bryan Glick's editorial, Gov.uk Verify fails to meet key business case targets, on the per-user costs of GOV.UK Verify (RIP).

Once-off registration supposedly costs about £8 per new user, he says, and using GOV.UK Verify (RIP) to access public services is supposedly costing a further £4 p.a. or so per user.

The public cannot know how accurate these figures are because they are hidden behind commercial confidentiality. That's GDS's untutored idea of running a market.

The true figures could be lower. If GOV.UK Verify (RIP) ever reached 20 million accounts, they could fall by a factor of four to £2 up-front and £1 p.a. according to Mr Glick.

There again, according to Jerry Fishenden and others, "informally people close to those running the services, both inside government and at the commercial providers, indicate that the charges made by the companies range from around £9 to over £20 per user".

Here we are in the world of rumour and hearsay. We are none the wiser about the costs the taxpayer is paying for the useless GOV.UK Verify (RIP).

Mr Glick goes on to say that "even those lower amounts [£2 and £1 as against £8 and £4] compare unfavourably with commercial online identity tools for consumers. For example, Microsoft’s Azure Active Directory, which is described as 'a cloud-based identity and access management solution for your consumer-facing web and mobile applications', charges just £0.00209 – one-fifth of one penny – per user authentication up to 950,000 users, dropping to £0.00157 for nine million users".

Does it follow that 25 million on-line identities would cost just £39,250 p.a. if only HMG used Microsoft Azure instead of GOV.UK Verify (RIP)?

No of course it doesn't.

Click on the link provided by Mr Glick. That gets you to pricing for the business-to-consumer active directory service of Microsoft's Azure product. Click on the 'Calculator' option and then have fun choosing all the services you would need for 25 million people accessing UK public services. DMossEsq got to $7.7 million per month in no time, before adding UK servers, backup, support, security, networking, ...

It wouldn't necessarily be cheaper to use Azure. It may be a lot more expensive. It's not cheap at any price to use GOV.UK Verify (RIP) – it doesn't work, it's a waste of money. It could be cheap to use Azure, if it works and if the UK doesn't mind losing control of its personal information.

The point to take away is that Microsoft look as though they have a product and GDS don't:



Updated 3.9.17

Edward Lucas of The Economist newspaper, writing in The Times newspaper about 10 days ago, We need digital IDs to beat cyber fraudsters, made no reference to GDS's GOV.UK Verify (RIP). Estonia got a mention. But not GDS.

DMossEsq took him up on this omission in the comments below the line which brought forth this response:
Edward Lucas 7 days ago
@David Moss I didn't mention Verify because it is indeed moribund ...

Updated 12.10.17 1

Disclosure and Barring Service to introduce new digital services. That's what it said on the Government Computing website at the end of August, six weeks ago: "Users will be able to submit barring referrals online and apply online for a basic criminal record check".

Disclosure and Barring Service plans digital push, said the UKAuthority website on the same day, "September launch planned for new online barring referral system with more to follow next year".

Four days before, the Disclosure and Barring Service (DBS) had issued a press release, in which we read: "If you live or work in England or Wales you’ll be able to apply online for a basic criminal record check through DBS from January 2018. As part of the online application you’ll need to prove your identity through GOV.UK Verify [RIP]".

DMossEsq predicts, you will not be surprised to know, that relying on GOV.UK Verify (RIP) will be problematic for DBS. No doubt DBS disagree. Otherwise they wouldn't have elected to use GOV.UK Verify (RIP). We shall see.

DMossEsq makes this prediction also – that, in the case of people registering with GOV.UK Verify (RIP) for the first time, to use the DBS service, they will mostly be recommended to choose GB Group plc, also known as "CitizenSafe", as their "identity provider".

GB Group have the lowest certification of any "identity provider" (apart from the Post Office). So why would applicants be pushed in their direction?

Answer, because GB Group have a proper job as well as their GOV.UK Verify (RIP) hobby: "GBG (GB Group PLC) are the UK’s largest criminal record checking provider".


Updated 12.10.17 2

Borrowers trial our Digital Mortgage service.

"Our digital mortgage service" here means the Land Registry's digital mortgage service: "The aim of the service is to allow conveyancers to create a digital mortgage deed, which can then be signed by the borrower(s) using a digital signature and submitted to us so we can update the register".

Digital mortgages? Digital signatures? Whatever next?

For a long time, the answer seemed to be "nothing". Whatever next? Nothing. That Land Registry blog post about the digital mortgage trial was published well over a year ago, May 2016, and then nothing happened ...

... until July 2017 when the Land Registry published Verifying a secure digital mortgage service: "To ensure the right person is signing the deed, we have been working with the Government Digital Service (GDS) to enable us to use GOV.UK Verify [RIP], the government identity assurance service ... Following some final testing, we aim to have completed the first fully digital remortgage deed later this year".

As with the Disclosure and Barring Service, please see above, DMossEsq predicts that relying on GOV.UK Verify (RIP) will be problematic for the Land Registry.

No doubt the Land Registry disagree. Otherwise they wouldn't have elected to use GOV.UK Verify (RIP). We shall see.

The Law Commission don't believe that GOV.UK Verify (RIP) can assure the Land Registry that "the right person is signing the deed", please see rubric above (para.6.67). No doubt the Land Registry have a good reason for ignoring/flatly contradicting the Commission.

OIX, the Open Identity Exchange, have warned that GOV.UK Verify (RIP) has nothing to offer the financial sector. The Land Registry must know something that OIX don't.

A little patience and all will ultimately be revealed.

For the moment, just take another look at: "Following some final testing, we aim to have completed the first fully digital remortgage deed later this year".

"... the first fully digital remortgage deed". A quick scan of the Land Registry's blog post might leave you with the impression that they're offering a digital mortgage service. They're not. You've got to have a mortgage first. Their service only works if and when you try to re-mortgage, when all the verification and authorisation work has already been done. GOV.UK Verify (RIP) doesn't come into its own until it's not needed.

This isn't the first time. We've come across it before, with the Blue Badge scheme.

The tireless Ian Litton has been trying to lever GOV.UK Verify (RIP) into Blue Badges for years. Since May 2014, or even before that.

Earlier this year a trial was announced to use GOV.UK Verify (RIP) to issue Blue Badges. At least, it looked as though that's what the announcement said. But close reading indicated that the trial only covered the re-issue of Blue Badges when the old one has expired and when all the verification and authorisation work has already been done.

The aspiration is modest. GOV.UK Verify (RIP) has a lot to be modest about.


Updated 12.10.17 3

Could GOV.UK Verify (RIP) help with criminal record checks? Or digital mortgages? Or Blue Badges?

Yes.

If it supported attribute exchange.

And how many of GOV.UK Verify (RIP)'s "identity providers" are certified for attribute registration?

None.


Updated 12.10.17 4

Let's say you've been working on a national identity assurance scheme for six years. GOV.UK Verify (RIP), for example. You've embraced agile software engineering methods. You've made thousands of small amendments to the system over the years, so that it's forever improving. You've conducted hundreds of user research sessions, you know what people want, so that's what you must be delivering. Stands to reason.

And yet.

Central government departments in the main want nothing to do with your scheme. Local government, ditto. And the private sector seems to be getting on perfectly well without you.

What to do?

Apologise and resign?

Not a bit of it. GDS seeks help to make Verify go international.

They haven't managed to go national yet with GOV.UK Verify (RIP) but the Government Digital Service want these helpers to "scope the feasibility of potentially connecting Verify to the eIDAS framework and provide sizings and estimates for the next phase".

eIDAS should "enable UK citizens to use a Verify identity to access services abroad". The framework was published in July 2014, following years of international consultation. Only now do GDS want to connect to eIDAS ...

... or at least potentially connect to it ...

... well, not so much potentially connect to it as scope the feasibility of potentially connecting to it.

"Agile" may not be the first word that comes to mind as you survey this hopeless dereliction.


Updated 13.10.17 1

As we wrote on 28 July 2017: "Messrs Fishenden and Mather have actually done the job. GDS have proved that it's beyond them. What do we do now? There's no point asking GDS. Has anybody asked Messrs Fishenden and Mather?".

There's no point asking GDS how to get a national identity assurance scheme up and running.

That seems to be agreed – John Manzoni, CEO of the UK civil service, has asked McKinsey.

Let's hope he's also in contact with Messrs Fishenden and Mather.


Updated 13.10.17 2

22 September 2017, OIX hosted an identity assurance workshop with six presentations.

OIX, the Open Identity Exchange, is GDS's business partner.

One of the six presentations was given by Kent County Council, which comprises 15 borough and district councils including 1½ million people.

Local government is where government takes place. That's one place where you need functioning identity assurance. The slide deck from Kent's presentation includes this gem:


Kent will not be using GOV.UK Verify (RIP).

Why not?

They don't give as their reason that GOV.UK Verify (RIP) simply doesn't work. Nor that it's too expensive.

The reason Kent give is even more basic: "The costs of using Verify aren't clear".

GDS set out to create an identity "ecosystem" or market. Markets are where goods and services are traded. Without a price, you can't trade.

Six years in, and GDS haven't got to first base – there's no known price for a local authority to use GOV.UK Verify (RIP). "GDS have never created or regulated a market in their lives. And it shows", as we said in March 2016.

Kent's presentation is remarkable in several ways:
  • Sitekit are one of the two hub providers GDS have inveigled into trying to supply GOV.UK Verify (RIP) to the private sector (the other being Mvine). Sitekit have their name on slide ##1-6. If they can't recommend GOV.UK Verify (RIP) to local authorities how can they recommend it to the private sector?
  • From what GDS say, you'd think that local authorities are incapable of digital government. They're all helpless lambs, hopelessly dependent on Lady Bountiful, GDS, up at the manor house. But Kent seem to be getting on with it quite happily without GDS, slide ##7-30.
  • Identity assurance is needed for access control. The model for identity often seems to be based most appropriately on passports. Identity assurance lets you cross borders, e.g. into your office building or into your bank account. But what is the model for passports? Arguably, club membership. Either you're in the club or you're not. How do you become a member? Existing members of the club/community vouch for you, they act as your sponsors or referees. There is no recognition of that anywhere in GDS's model of identity assurance but it looks as though Kent have understood, slide ##23-28:

GOV.UK Verify (RIP) says a person = a passport + a driving licence + a credit history and has become as a result a machine for excluding people. The Kent model looks as though it knows what a community is.


Updated 27.10.17

You know that cybercrime is a growing problem. You know that cybercrime often relies on false identities. You may not know that the British Standards Institution (BSI) have published PAS 499, a draft code of practice for digital identification and authentication, but they have.

A PAS is a publicly available specification and at clause 0.2 the document says: "The PAS builds on ... developments in the move towards combined financial and government identity and authentication requirements; this may include commercial applications for GOV.UK Verify [RIP]".

It's polite of the BSI to suggest that GOV.UK Verify (RIP) could help individuals and organisations to comply with the likes of know-your-customer and anti-money laundering and PSD2 (the new Payment Services Directive) but their specification makes it clear that that is not possible:
  • "0.2 ... This PAS aims to help organizations secure their systems to prevent, as far as realistically possible, fraudulent misrepresentation of a natural or legal person", see also 3.1.19, 3.1.28, 3.1.30, 3.1.31, 3.1.33, A.3 – GOV.UK Verify (RIP) can't register legal persons such as companies, partnerships and trusts so it can't help people trying to comply with PAS 499.
  • "5.2 ... NOTE 2 References within PSD2 towards strong customer authentication requirements considering the use of biometrics suggests that authentication in payment applications look to a Level 4 identity at enrolment (though Level 3 does not preclude the use of biometrics)" – GOV.UK Verify (RIP) has difficulty reaching Level 2, Levels 3 and 4 are quite beyond it.

Updated 15.11.17

OIX, the Open Identity Exchange, have tried several times to come to the rescue of the Government Digital Service's GOV.UK Verify (RIP) identity assurance scheme that can't assure identities.

They're making another rescue attempt the day after tomorrow, Friday 17 November 2017, at an all-day conference, OIX Economics of Identity III, DMossEsq's invitation to which has been mysteriously lost in the GOV.UK Notify system.

Someone called Nic Harrison will be making a keynote speech. Presumably a speech on GOV.UK Verify (RIP). Does anyone know what his involvement is with GOV.UK Verify (RIP), if any?

Jess McEvoy is the programme director of GOV.UK Verify (RIP). Why isn't she speaking at the OIX conference?

Mr Harrison turns out to be a director of GDS, one of the team airlifted out of the distressed Department for Work and Pensions by ex-Goldman Sachs man Kevin Cunnington.

If only from work done by OIX over the years, the other people at the conference will already know that GOV.UK Verify (RIP) has nothing to offer on the economics of identity. Why are GDS attending?

The obvious answer is ... to publicise the conclusions of the McKinsey investigation of GOV.UK Verify (RIP). Turn on, tune in to #EofID this Friday and drop out.


Updated 17.12.17

We mentioned above, 12 October 2017, HM Land Registry's plans to use digital signatures and GOV.UK Verify(RIP) in their new digital mortgage deeds. Their bosses, the Department for Communities and Local Government, issued a consultation on those plans. Herewith one response:
17 December 2017, this document is a response to the Department for Local Government and Communities consultation on improving the home buying and selling process[1]. The response is submitted by David Moss, a member of the public, who is not responding on behalf of any organisation and who is happy for the response to be published and for it to be attributed to him.


Summary:

· The Department assumes that open data will cause innovation in the process of buying and selling homes. No reason is advanced for believing that.
· HM Land Registry have published their intention to rely on digital signatures for mortgage deeds. The Law Commission have reservations about digital signatures which the Department may wish to consider.
· HM Land Registry have published their intention to rely on GOV.UK Verify for the identity assurance required for mortgage deeds. The Law Commission have reservations about GOV.UK Verify and so do central government, local government and the private sector. Again, the Department may wish to consider these reservations before proceeding.
· It may seem obvious that electronic signatures and GOV.UK Verify should be incorporated into HM Land Registry’s plans. It isn’t.
Q10. Are there any particular public sector datasets which you think should be released as open data in order to drive innovation in the home buying and selling process?

1. The assumption being made by the Department in question 10 is that open data causes innovation. It is suggested here that that assumption should be downgraded to a hypothesis. A hypothesis which requires proof before the Department acts on it.
2. The world has had innovation in the past without having open data. The UK has open data now, for example Companies House company information[2], and there is no sign of innovation.
3. The connection between open data and innovation is asserted several times by Mr Stephan Shakespeare in his report An Independent Review of Public Sector Information[3]. Close reading of that report reveals nothing but a hole[4] where there should be an argument to prove that there is a connection.
4. Mr Shakespeare appeared with Professor Sir Nigel Shadbolt before the Public Administration Select Committee[5] four years ago and the two of them asserted that open data will automatically inspire innovation, again without providing any argument to support this assertion. Without that evidence, the belief in the efficacy of open data is no more than a belief in magic[6].
Q9. What should the government do to accelerate the development of e-conveyancing?
5. On 28 July 2017 HM Land Registry published Verifying a secure digital mortgage service[7], where they advocate the use of digital signatures as part of their move to a “fully digital mortgage deed”.
6. The Department may wish to note before proceeding that the Law Commission have reservations about digital signatures. These are set out in Chapter 6 of their consultation document, Making a Will[8], please see paragraphs 6.15 to 6.43.
7. “To ensure the right person is signing the deed”, HM Land Registry say, “we have been working with the Government Digital Service (GDS) to enable us to use GOV.UK Verify[9], the government identity assurance service”.
8. Again, the Department may wish to note the Law Commission’s reservations, expressed at paragraph 6.67: “Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists”.
9. If the Law Commission are right about the deficiencies of GOV.UK Verify, then neither the Land Registry nor any of the other parties involved could be sure that the “fully digital mortgage deed” had been signed by the right person.
10. There are many further reasons for HM Land Registry to be wary of relying on GOV.UK Verify.
11. Among others, in the 126 weeks between 13 July 2015 and 10 December 2017 the completion rate[10] has averaged just under 36%. That is, the failure rate is just over 64%. (Completion rate is defined as “the proportion of visits started on GOV.UK Verify that result in successfully accessing a service, following the creation or re-use of a verified account with a certified company”.) It looks imprudent for HM Land Registry to depend on a system that fails 64% of the time.
12. Also, according to Government services using GOV.UK Verify - May 2016 update[11], there were 13 on-line public services using GOV.UK Verify at the time. Today, there are 15[12]. Just two services have been added whereas, in May 2016, 18 services were going to be added “in the next year”.
13. This failure to convince central government, local government[13] and the private sector[14] to nail their colours to GOV.UK Verify may be taken as a warning by the Department. What would HM Land Registry do if, as seems increasingly likely[15], GOV.UK Verify is discontinued?
(830 words)





Updated 20.1.18

Here we are barely a month since Her Majesty's Land Registry's (HMLR) consultation on digital mortgages closed. There was Christmas in between and you would hardly expect any response yet. And you'd be right. There has been no response.

What you also wouldn't expect is that HMLR would proceed anyway with its imprudent plan to rely on GOV.UK Verify (RIP). But blow me down if that isn't exactly what they're doing.

A written statement to Parliament was issued on 18 January 2018 by The Rt Hon Greg Clark MP, Secretary of State for Business, Energy and Industrial Strategy, please see Departmental contingent liability notification: HM Land Registry digital mortgage service:
HMLR’s new digital mortgage service will enable borrowers to sign mortgage deeds digitally, speed up the re-mortgage process and improve the customer experience. A new liability risk arises with this service because HMLR will certify the identity of a borrower when that person provides a digital signature in advance of registration. This liability sits outside of the scope of HMLR’s existing statutory compensation scheme (Schedule 8, Land Registration Act 2002).

The risk of the new liability occurring is considered low. The new process, where the borrower’s identity has to be verified through GOV.UK Verify [RIP] combined with HMLR’s independent security processes, should in fact reduce the overall risk of fraud. To date GOV.UK Verify [RIP] has not identified a single example of fraud despite in excess of 1.25 million citizens’ accounts having been created using the GOV.UK Verify [RIP] service.
This matter comes under Her Majesty's Treasury's rules for Managing Public Money, please see specifically Annex 5.4 on liabilities. Members of Parliament can object to non-statutory liabilities being taken on:
A5.4.26 The indemnity should not go live until 14 parliamentary sitting days, after the Minute has been laid. Every effort should be made to ensure that the full waiting period falls while parliament is in session.

A5.4.27 If an MP objects by letter, Parliamentary Question or Early Day Motion, the indemnity should not normally go live until the objection has been answered. In the case of an Early Day Motion, the Member(s) should be given an opportunity to make direct personal representations to the minister, eg proactively arranging a meeting with them. The Treasury should be kept in touch with representations made by MPs and of the outcome.
Readers are enjoined to approach their MP and ask him or her to object to HMLR lashing itself to the corpse of GOV.UK Verify (RIP). Suggested text for an approach:
Request that you register an objection re HM Land Registry and GOV.UK Verify

Dear ...

I write to ask you to object to a proposal made on 18 January 2018 by The Rt Hon Greg Clark MP, Secretary of State for Business, Energy and Industrial Strategy, please see Departmental contingent liability notification: HM Land Registry digital mortgage service [1].

HM Land Registry wishes to introduce digital mortgages using a new process “where the borrower’s identity has to be verified through GOV.UK Verify”. GOV.UK Verify is a failed identity assurance scheme introduced by the Government Digital Service, part of the Cabinet Office.

According to the Law Commission: “Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists”, please see Making a will [2], para.6.67 on p.119.

There are many objections to GOV.UK Verify, whose survival is unlikely. The system has been rejected by HMRC and the NHS, by local authorities and by the banks for anything to do with payments. The Law Commission’s objection is among the most cogent, suggesting that GOV.UK Verify cannot meet the requirements of a signature, whether for a will or for a mortgage.

HM Land Registry undertook a public consultation [3], the last date for responses to which was 17 December 2017. No account seems to have been taken of that consultation.

HM Treasury lays down rules for the proper management of public money [4]. The Minister’s proposal is premature and imprudent. He says: “Subject to no objections being received, I intend to authorise the proposal to undertake contingent liability for the digital mortgage service, after the usual 14 parliamentary sitting days” and I would ask you to register an objection within 14 parliamentary sitting days of his 18 January 2018 statement.

Yours sincerely
...

----------

1. https://www.gov.uk/government/speeches/departmental-contingent-liability-notification-hm-land-registry-digital-mortgage-service
2. https://s3-eu-west-2.amazonaws.com/lawcom-prod-storage-11jsxou24uy7q/uploads/2017/07/Making-a-will-consultation.pdf
3. https://www.gov.uk/government/consultations/improving-the-home-buying-and-selling-process-call-for-evidence
4. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/ 454191/Managing_Public_Money_AA_v2_-jan15.pdf please see in this case Annex 5.4 on liabilities, particularly clauses 5.4.26 and 5.4.27 on objections.

Updated 22.1.18

As you know, the Secretary of State for Business, Energy and Industrial Strategy has bravely taken the decision to rely on GOV.UK Verify (RIP).

Digital mortgages should be digitally signed in the modern 21st century Land Registry and GOV.UK Verify (RIP) is precisely the tool for the job. That is the assumption in the Minister's statement. Ask anyone and they'll tell you, no. It's not the right tool. The number of times GOV.UK Verify (RIP) has been used in the nearly four years of its unhealthy life for digital signatures is zero.

You may have responded to the request above like a responsible citizen and written to your MP asking him or her to raise an objection to this reckless move. In which case you had better have the answers to any questions your MP asks you.

Someone, possibly the Minister, possibly his officials, is worried about the contingent liability that the Land Registry is taking on. That's why the Minister's statement says "the risk of the new liability occurring is considered low".

The Minister digs deeper and adds "the new process ... should in fact reduce the overall risk of fraud". That's a fact, apparently, but somehow the figures for the risk in the current process and the risk in the new process are not quoted. Why does the Minister believe that the risk will be reduced? No answer.

Well , not quite no answer. The Minister does say that "to date GOV.UK Verify [RIP] has not identified a single example of fraud despite in excess of 1.25 million citizens’ accounts having been created using the GOV.UK Verify [RIP] service".

Click on the link and you will find a list of 13 on-line public services that currently use GOV.UK Verify (RIP). None of them involving digital signatures. Signatures which are normally taken to be irrevocable. Digital signatures are serious.

No frauds arising as a result of the use of GOV.UK Verify (RIP) with these 13 services have yet been identified. But then none of these services involve buying assets that cost £226,071 on average in the UK in November 2017 according to the Land Registry. That is a greater incentive for a fraudster than, say, Check your State Pension, one of the existing 13 services. The risk of fraud may increase, not decline.

There were nearly 70,000 property sales in England and Wales in September 2017. That's over £15 billion-worth of transactions. The Minister made his statement because his "department proposes to undertake a contingent liability of £300,000 [or] above". £300,000 is 0.002% of £15 billion. And that's just one monthsworth of property transactions. The probability of fraud had better be very very low.

"... in excess of 1.25 million citizens’ accounts" sounds like a lot of accounts. But is it? You create a GOV.UK Verify (RIP) account by registering with a so-called "identity provider". There are seven "identity providers" at the moment. Each person may create seven accounts for himself or herself. 1,250,000 million accounts may imply as few as 178,571 people.

That's still a decent size number but it's a lot less than 1,250,000 and it's a lot less confidence-inspiring. In fact, it's a bit unnerving. Why doesn't the Minister tell us the number of people involved? Why does he tell us the number of accounts instead?

If you take a look at the GOV.UK Verify (RIP) dashboard on the Government Digital Service's (GDS) performance platform you'll find that 15 public services use GOV.UK Verify (RIP). Not 13. Which is it? Not strong on numbers, the Minister's statement ...

... and not comprehensive. HMRC started a new on-line public service, Personal Tax Account, in December 2015. In February 2017 just over a year later John Manzoni, Chief Executive of the Civil Service, told us that "more than 8 million citizens have now signed up".

That is not mentioned in the Minister's statement. 1,250,000 now starts to look a bit pathetic after all and it's again a bit unnerving that the Minister provides no context, it's not easy for his readers to know if 1,250,000 is a big number or it isn't. And of course 178,571 now looks microscopic.

Most people using HMRC's Personal Tax Account service verify their identity using the venerable Government Gateway system, not GOV.UK Verify (RIP). Not mentioned in the Minister's statement but the question arises anyway, why aren't the Land Registry using the tried and tested Government Gateway?

What is the point of introducing digital signatures? To save time? How much time? The Minister doesn't say. It's going to be hard to argue the case, though. Over half the attempts to use GOV.UK Verify (RIP) fail. That's according to GDS's own statistics. That's time wasted, not time saved.

And remember, even if someone does manage to use GOV.UK Verify (RIP) to digitally sign their mortgage deed, the Law Commission remain unconvinced: “Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists” (para.6.67). The Land Registry will not know who signed any digital mortgage deed.

That should give your MP a basic grounding in the matter, it should indicate that there's something there to object to – a contingent liability is being taken on for no good reason – and that the Minister has a lot of explaining to do.


Updated 23.1.18

As you know, a written statement to Parliament was issued on 18 January 2018 by The Rt Hon Greg Clark MP, Secretary of State for Business, Energy and Industrial Strategy, please see Departmental contingent liability notification: HM Land Registry digital mortgage service:
HMLR’s new digital mortgage service will enable borrowers to sign mortgage deeds digitally, speed up the re-mortgage process and improve the customer experience. A new liability risk arises with this service because HMLR will certify the identity of a borrower when that person provides a digital signature in advance of registration. This liability sits outside of the scope of HMLR’s existing statutory compensation scheme (Schedule 8, Land Registration Act 2002).

The risk of the new liability occurring is considered low. The new process, where the borrower’s identity has to be verified through GOV.UK Verify [RIP] combined with HMLR’s independent security processes, should in fact reduce the overall risk of fraud. To date GOV.UK Verify [RIP] has not identified a single example of fraud despite in excess of 1.25 million citizens’ accounts having been created using the GOV.UK Verify [RIP] service.
There are three traps not to fall into. Anyone who does fall into them may subsequently feel that they have been misled by the Minister's statement:
  1. Digital signature is not a facility included in GOV.UK Verify(RIP)'s meagre repertoire. Despite what you might be misled to think, GOV.UK Verify (RIP) contributes nothing to the proposed digital signing process.
  2. What the Land Registry propose is probably not digital signature at all but something else.
  3. The Exchequer may be taking on the risk of wrongly identifying borrowers whether that mistake is made by GOV.UK Verify (RIP) or by solicitors/licensed conveyancers. Or it may only be covering GOV.UK Verify (RIP) and the conveyancers remain liable. Which is it? The answer isn't clear.
These points 1., 2. and 3., are elaborated below. The upshot is that the Minister may have misled the House and the conveyancing profession with his statement. You are enjoined again to ask your MP to object to the statement. The Minister may anyway now wish to withdraw the statement.

1. Digital signatures and GOV.UK Verify (RIP)
The Land Registry wrote about the proposed digital mortgage service in July 2017, please see Verifying a secure digital mortgage service:
... Using the 'Sign Your Mortgage Deed' service will mean the borrower no longer needs to apply pen to paper and instead will digitally sign their deed online ...

Benefits of digital signatures

... But how can their lender be sure who has applied the digital signature?

Linking up with GOV.UK Verify [RIP]

To ensure the right person is signing the deed, we have been working with the Government Digital Service (GDS) to enable us to use GOV.UK Verify [RIP], the government identity assurance service. By working with GDS we’ve been able to ensure that a borrower can easily progress from verifying their identity to digitally signing their mortgage deed ...

How the identity assurance works

Once it has been confirmed that the borrower is who they say they are through obtaining a Verify account, we will send them a security code by text message. The borrower can then input this code to confirm that they are the person signing the deed ...

... Our digital signature won’t be an electronic representation of a handwritten signature, but a secure way of confirming the content of a deed and the identity of the person signing it. The digital signature means that the content of the deed cannot be tampered with, or the content changed, without invalidating the signature ...
Back then in July the separation was clearer. GOV.UK Verify (RIP) was to be involved in assuring the Land Registry as to the identity of the borrower. With that assurance made, the business of signing the mortgage deed digitally is nothing to do with GOV.UK Verify (RIP), it depends on the borrower using "a security code" sent to them by the Land Registry "by text message".

That's the main point to be established here. Pace the Minister's statement, the Land Registry's proposed digital signing doesn't involve GOV.UK Verify (RIP). It can't. Digital signature is not a facility within GOV.UK Verify (RIP).

En passant, we may remind ourselves that the Law Commission do not believe that GOV.UK Verify (RIP) can confirm that "the borrower is who they say they are" (para.6.67/p.119). The Land Registry would be flat wrong to rely on that confirmation.

2. Digital signature and electronic signature
The quotations above from the Minister's statement last week and from the Land Registry's July 2017 blog post all refer to digital signatures.

"Digital signature" is a technical term. You can read all about it in Wikipedia.

The problem is that back in February 2017 the Land Registry's lawyer wrote a scholarly blog post all about the proposed use of electronic signatures, Executing a document using an electronic signature. And electronic signatures are not the same as digital signatures, please see Wikipedia again.

It may be that she's wrong and the Minister is right. If not, the Minister's statement misled the House.
Executing a document using an electronic signature

HM Land Registry does not give legal advice but we are aware that practitioners want clarity about our policy and practice relating to electronic signatures (e-signatures) on documents and deeds ...

We intend to use our own purpose-built electronic signature solution for the authentication of the new digital mortgage ...

The solution will provide an advanced electronic signature, which is defined in EU Regulation No 910/2014 on electronic identification and trust services for electronic transactions – (the “eIDAS Regulation”) ...

Electronic signatures are not witnessed. Indeed it is not possible for an electronic signature to be physically witnessed in the way that a pen and ink signature can ...

That is why electronic signing relies on trust services, which provide certification as to the identity of the person who is applying the electronic signature, and protection to the integrity of the data that has been signed. Consequently, section 91 of the Land Registration Act 2002, which deals with electronic dispositions for the purpose of land registration, refers to e-signatures being certified (s.91(3)(c)).

Certification of an electronic signature takes the place of witnessing. It effectively transposes a notarial model into the digital environment ...
Back then in February, the Land Registry's proposal was to use electronic signatures. Perhaps the Minister is right. Perhaps that earlier proposal has been withdrawn in favour of using digital signatures instead. Perhaps not. The Minister needs to clarify the situation to the House. Are the proposed signatures digital, as he suggests? Or electronic?

3. Do conveyancers remain liable for identity assurance mistakes?
The Land Registry's February 2017 document includes this: "For the verification of identity, HM Land Registry currently proposes to use a combination of the information provided by the conveyancer together with the GOV.UK Verify [RIP] service".

The Land Registry did not then intend to rely on GOV.UK Verify (RIP) alone for identity assurance. Just as well in view of the Law Commission's strictures. They intended to rely on conveyancers as well.

The July document says "once it has been confirmed that the borrower is who they say they are through obtaining a Verify account, we will send them a security code". That seems to let the conveyancers off the hook.

Some conveyancers may currently believe that their liability in the matter of digital mortgages and identity assurance is nil, that the liability is shouldered entirely by GOV.UK Verify (RIP) which then shuffles it off onto the Exchequer. They may be wrong to believe that. They may still be on the hook. Perhaps the Minister could clarify the matter.


Updated 27.1.18

As The Rt Hon Greg Clark MP says, "HMLR’s new digital mortgage service will enable borrowers to sign mortgage deeds digitally, speed up the re-mortgage process and improve the customer experience. A new liability risk arises with this service because HMLR will certify the identity of a borrower when that person provides a digital signature in advance of registration. This liability sits outside of the scope of HMLR’s existing statutory compensation scheme".

This is odd. GOV.UK Verify (RIP) is supposed to have verified the borrower's identity. That's the point of the system. GDS have contracts with seven "identity providers" who are paid to provide identity assurance to relying parties like HMLR:
  • If they've made a mistake, why aren't the "identity providers" liable?
  • If they're not liable, what is the incentive to do the job properly?
  • Why bother to retain them in the first place?
  • And why bother to insert GOV.UK Verify (RIP) into the conveyance process?
    • It doesn't add anything. Apart from a pointless cost.
    • HMLR's electronic signing doesn't depend on GOV.UK Verify (RIP). It can't. The Law Commission tell us quite clearly that GOV.UK Verify (RIP) doesn't establish that the borrower is who they say they are.
    • The solicitors and licensed conveyancers remain just as much on risk as they ever were.
    • The borrowers hand over reams of valuable personal information to the "identity providers" to register with GOV.UK Verify (RIP), a registration which turns out to have no value to the borrowers nor to the relying parties.
Central government, local government, government agencies, charities and the public private sector can all see that this liability model is hopeless. All except HMLR ..,

... the only relying party that knows it has nothing to rely on and decides absurdly that the solution is to get the taxpayer to pay, again ...,

... having already paid for GOV.UK Verify (RIP).

GOV.UK Verify (RIP) isn't doing the Land Registry any favours. Why is the Land Registry doing GOV.UK Verify (RIP) a favour? That's not its job.


Updated 29.1.18

HM Land Registry (HMLR) have now published a report on their consultation.

Not the December 2017 consultation mentioned above. The Rt Hon Greg Clark MP has been inveigled into proceeding with eMortgages without bothering to refer to that consultation.

No, HMLR's January 2018 response is to a February 2017 consultation, Proposals to amend the Land Registration Rules 2003:
4.4 Twenty respondents questioned whether the GOV.UK Verify [RIP] service was sufficiently robust and adequate to provide identity assurance for those who will be electronically signing digital conveyancing documents, given current levels of identity theft. One respondent stated that Verify is currently shutting out 40% [52% as at 14 January 2018] of those trying to access it. One person suggested that the checking of identity should remain with conveyancers. Others pointed out that as yet, Verify does not allow for identity assurance for companies, charities and legal entities other than individuals. On the other hand, some commented that the use of Verify would lead to more secure [how much more secure?] conveyancing transactions and a significantly reduced [how significantly?] fraud risk ...

4.9 The Public and Commercial Services Union (PCS), one of the two recognised trade unions in HMLR with over 3000 members, gave a detailed response expressing several concerns, particularly-
• lack of parliamentary and public scrutiny [no change there] of each new digital service
• reduction in HMLR caseworker involvement and assessment of applications
• a shift in liability from HMLR to the conveyancer applicants
• favouring larger conveyancing firms over smaller ones
• whether Verify is sufficiently robust for use with digital signatures [or is it electronic signatures?] ...

Verify
4.16 The identity service providers who carry out identity assurance in the GOV.UK Verify [RIP] service are bound by detailed contractual requirements to provide highly robust procedures and results [how highly? they are not liable for errors, the public have to pay]. User security and privacy is at the heart of the Verify service [Security? No. Privacy? No.]. All certified companies were audited [the Post Office failed its audit and yet it is still allowed to act as an "identity provider"] and had to complete a rigorous onboarding process before joining Verify.

4.17 The Government Digital Service, which provides Verify, is scaling up and constantly improving the service [some examples would be welcome, there is little sign of activity]. Nobody is excluded from a service if they cannot be verified by Verify ...

4.19 Verify currently provides ID assurance to assurance level 2 as defined in the government’s guidance document “Identity Proofing and Verification of an Individual” published by CESG (now the National Cyber Security Centre) and the Cabinet Office . HMLR’s use of Verify will not absolve conveyancers and lenders from their duties under the Money Laundering Regulations [bad news for conveyancers who thought that the Minister's absolution covers them], but will be in addition to them. There is nothing to prevent conveyancers from carrying out level 3 checks if they feel they are necessary ...

4.22 With regard to identity assurance for corporate bodies, HMRC is continuing the development of a new Government Gateway service (GG3) [Verify not up to the job that the Gateway has been doing for 17 years], which will provide service credential management for businesses and organisations wishing to use government digital services ...
How has the Minister decided to proceed?


Updated 2.2.18

Mishcon’s £1m ID fraud bill sounds alarm bells. That's what it said in The Law Society Gazette a year ago. There's more where that came from. See for example Dreamvar (UK) Ltd v Mishcon de Reya (a firm) and another [2016] EWHC 3316 (Ch) and Conveyancing fraud: Society seeks to intervene in crucial test of solicitors' liability from the day before yesterday, hat tip as ever: Mark King.

A buyer tried to buy a flat. The money was paid over on completion. Then it turned out that the seller didn't own the flat in the first place. The buyer had been defrauded but that's not the seller's conveyancer's fault, apparently, according to the law. That's what you'll read in the articles above. The buyer's conveyancer, Mishcon de Reya, also followed procedures correctly but the courts have so far ruled that they owe the buyer lots of money anyway. That decision is currently being appealed.

Checking that the property is the seller's to sell looks pretty basic to the whole complicated business of conveyance. How do the conveyancers fail to perform that check successfully? Why can't they just look in the Land Registry's land register and see the records? The problem needs to be resolved by the professional indemnity insurance companies according to some lawyers. Really? It's all down to the difficulty of proving that someone is who they say they are, say others.

This case – and there's a lot of it about, apparently – is presumably one reason for inserting GOV.UK Verify (RIP) into the Land Registry's procedures. The problem is identity fraud. GOV.UK Verify (RIP) prevents identity fraud. QED. GOV.UK Verify (RIP) assures relying parties that a person is who they say they are. End of problem.

Except that that's clearly piffle.

If it was that easy, GOV.UK Verify (RIP)'s "identity providers" would happily shoulder the liability for mistakes because there wouldn't be any. It wouldn't be necessary for The Rt Hon Greg Clark MP to warn the public, Parliament and HM Treasury that the Land Registry is taking on liabilities beyond its allowance.

As it is, the "identity providers" are too frightened to go anywhere near facing that liability. While they shelter comfortably in the happy business of pocketing £30 for every useless GOV.UK Verify (RIP) registration it's the taxpayer who will have to cough up.

The problem is that GOV.UK Verify (RIP) fails to assure relying parties that a person is who they say they are. The Law Commission are unambiguous on the point. Which part of "Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists" is it possible to misunderstand?

GOV.UK Verify (RIP) is not the solution. It is, in that sense, irrelevant to the Minister's written statement to Parliament, Departmental contingent liability notification: HM Land Registry digital mortgage service.

If the Land Registry wants to certify that borrowers are who they say they are, fine, go ahead. But don't pretend that the risks are mitigated by relying on the tawdry GOV.UK Verify (RIP) because they're not.


Updated 9.2.18

As noted, the Government Digital Service (GDS) have all but stopped blogging, tweeting or talking about GOV.UK Verify (RIP), the proposed pan-government UK identity assurance scheme. They don't promote the scheme and they don't defend it from criticism. Their lips are sealed. It's the opposite of "make things open, it makes things better", supposedly the watchword of GDS.

GDS say nothing and, to all intents and purposes, neither so do the "identity providers", Experian et al.

That leaves HM Land Registry, the Ministry of Housing Communities and Local Government and the Department for Business Energy and Industrial Strategy (BEIS) to make the running. Bravely.

The Rt Hon Greg Clark MP has warned Parliament that digital mortgages will incur contingent liabilities and suggested that the risk is mitigated thanks to the use of GOV.UK Verify (RIP). He says that. GDS don't and neither do the "identity providers". He's the one who's exposed.

At least one kind MP has questioned Mr Clark about the wisdom of relying on GOV.UK Verify (RIP). Here is the response from the Under-Secretary of State at BEIS, published here with thanks and without comment for the moment by DMossEsq. See what you make of it:



Updated 11.2.18

In principle, ...
... the earth could be at the centre of the universe. Possibly. Remember that.

Background
HM Land Registry (HMLR) wishes to introduce digital mortgages into the UK. The electronic signatures involved will give rise to contingent liabilities.

The risk of these liabilities materialising is reduced by the insertion of GOV.UK Verify (RIP) into the conveyancing process. So says The Rt Hon Greg Clark MP, Secretary of State for Business Energy and Industrial Strategy (BEIS), who will authorise the assumption of these contingent liabilities unless he hears of any convincing objections.

DMossEsq's MP has kindly submitted some objections and Lord Henley PC, Parliamentary Under-Secretary of State at BEIS has kindly responded as noted above. What are we to make of that response?

Civil servants advise, ministers decide
Let us assume that the response Lord Henley decided to sign – in the old-fashioned way – was written by his officials. Has he been well advised?

Begging the question
"HMLR will use a combination of the information provided by the conveyancer together with the GOV.UK Verify [RIP] service to provide an appropriate level of assurance at the point of signature", say his officials, and "as such, this is an additional level of identity assurance that does not exist in the signing of a paper deed".

Not a good start.

His officials are begging the question. The level of assurance provided by GOV.UK Verify (RIP) may be too low for the job. In which case it adds nothing.

Some old safeguards lost
And the new process dispenses with traditional signatures on paper deeds and with witnessing and with either attendance in person for signature or the exchange of documents by post which provides some check on people's address. Lord Henley's officials fail to include these subtractions in their calculus.

Whose fault is it?
That failure is unfair on conveyancers who, the officials emphasise, remain just as responsible for checking identity as they ever have been: "Conveyancers are liable under the Money Laundering Regulations, and their own Regulators' rules/codes of conduct, to check the identity of their clients. There is nothing in the legislation relating to electronic signatures ... that obviates the need for conveyancers to undertake such checks" ...

... except, confusingly, that now the taxpayer is going to have to cover some unspecified amount of the liabilities. Which is it? Are the conveyancers responsible or aren't they?

Evidence-based policy
Talking of unspecified amounts, what is the probability of liabilities arising? No figure is given by the officials. Greg Clark and Lord Henley and Parliament are being asked to make a decision without the figures you would hope to see in a system of evidence-based policy development. Not businesslike. Not for the Dept of Business, nor for any other organisation. And not responsible.

Fit for purpose?
"GOV.UK Verify [RIP] has been designed as an online tool to prove that users are who they say they are. It has a particular focus on ensuring that the person sat behind a computer screen is the identity they claim to be". What about the person in front of the computer screen, you may ask? Also, if GOV.UK Verify (RIP) does the job it has been designed for, why is there any contingent liability?

It's no answer to be told that "GOV.UK Verify [RIP] certified companies take a holistic approach to identity". What does "holistic" mean here?

Personal information
Lord Henley's officials don't mention it but if you register with GOV.UK Verify (RIP) through a certified company a lot of your personal information is stored by them anywhere in the world they decide and shared with any number of other organisations. This increase in the risk of fraud has been documented for years by DMossEsq, please see here for version 6 of the document based on the terms and conditions of business of the certified companies and on their privacy policies.

That is another component missing from the official calculus. If you sign a deed, you sign a deed. You don't hand over your passport, driving licence and bank loan details to a company you've never heard of like Idemia, for example. But that's what happens with GOV.UK Verify (RIP).

What do BEIS know that NIST and the Law Commission don't?
In order to inspire confidence, Lord Henley's officials tell us that "GOV.UK Verify [RIP] follows the identity guidance ... laid out in Cabinet Office Good Practice Guide 45 [GPG45]".

As it happens, GOV.UK Verify (RIP) has trouble reaching GPG45 level of assurance 2 at the moment.

Even if it could reach level 2, the US National Institute of Standards and Technology (NIST) regard GPG45 level of assurance 2 as no better than self-certification, please see Table 2.1 on p.13 of DRAFT NIST Special Publication 800-63-3 Digital Identity Guidelines, 30 January 2017:

SP 800-63 (NIST)
[GPG45][RSDOPS]STORK 2.029115:2011ISO 29003Government
of Canada
N/AN/ALevel 01N/AN/AN/AN/A
AAL/IAL 1Level 1Level 1QAA Level 1LoA 1LoA 1IAL/CAL 1
AAL/IAL 1Level 2Level 2QAA Level 2LoA 2LoA 2IAL/CAL 2
AAL/IAL 2Level 3Level 3QAA Level 3LoA 3LoA 3IAL/CAL 3
AAL/IAL 3Level 4N/A2QAA Level 4LoA 4LoA 4IAL/CAL 4

That same point is made by Damien Bruneau, author of the Law Commission's 7 July 2017 consultation paper on making a will: "Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists".

Lord Henley's officials criticise the Law Commission for making that statement on the basis that they're out of date.

Theory v. practice
They also say: "The Law Commission's report found that "it is possible, in principle, for the Government, or a Government authorised body, to use Verify to provide for fully electronic wills". It has proved impossible, in practice, to find the Law Commission report which includes this opinion. [Please see 12.2.18 update below]

Absent the full document, this Law Commission imprimatur is weak. "Possible"? How possible? "In principle"? What principle? You could say the same about the earth being at the centre of the universe. No-one would be convinced.

New recruits
On 29 April 2016 Janet Hughes, identity assurance programme director at the time, told us that: "Over 50 government services are planning to adopt GOV.UK Verify [RIP]. Twenty of these are planning to connect to GOV.UK Verify [RIP] in the next year".

There were already 13 services connected on 8 February 2016 according to Ms Hughes: "There are now 13 government services from 5 departments connected to GOV.UK Verify [RIP] ...".

Two years later, are we up to 33? Or 63? No. 15.


Government Gateway
HMRC added eight million users (c.f. John Manzoni, chief executive of the UK civil service) to their personal tax account service in under a year using the Government Gateway, not GOV.UK Verify (RIP). Lord Henley's officials omitted to mention the Gateway.

Local authorities
The Blue Badge GOV.UK Verify (RIP) application which they do mention has been tested for years and still isn't live.

They don't mention the residents' parking permit and concessionary travel GOV.UK Verify (RIP) applications which have been piloted with local authorities since October 2016. Only three local authorities are left out of the 15 which started on residents' parking permits and only two out of the 11 which started on concessionary travel.

Identity assurance in the financial sector
The involvement of GOV.UK verify (RIP) in financial sector applications including Open Banking has been "explored", according to Lord Henley's officials. Indeed it has. Explored and not pursued.

Remember the question?
The answer is no. Lord Henley's officials have provided no reason to believe that GOV.UK Verify (RIP) will mitigate the risks of digital mortgages.


Updated 12.2.18

While reviewing the low-grade advice his officials gave to Rt Hon Lord Henley PC, Parliamentary Under-Secretary of State at the Department for Business Energy and Industrial Strategy, we noted that the source of the Law Commission's opinion "it is possible, in principle, for the Government, or a Government authorised body, to use Verify to provide for fully electronic wills" couldn't be found.

It has now been found by someone who was kind and energetic enough to look. Found where? It turns out to be in the paragraph before the Law Commission opinion that we keep quoting:
6.66 It is possible, in principle, for the Government, or a Government authorised body, to use Verify to provide for fully electronic wills, with the will being executed by the testator entering his or her username and password and then being stored.

6.67 We have concerns, however, as to whether the use of Verify would be sufficient to protect testators from undue influence and impersonation. Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists.44 While the involvement of witnesses generally provides some protection against fraud and undue influence, Verify does not currently have any facility for the participation of witnesses. Furthermore, Verify relies on passwords to control access to the service. There is a risk, therefore, that testators will give their passwords to family members or carers, and might be pressured to do so by persons wanting to abuse them.
The Law Commission are saying that GOV.UK verify (RIP) could work, in principle, but as a matter of fact it doesn't.

Lord Henley's officials are saying that the Law Commission were hopelessly out of date and you can ignore paragraph 6.67 but that the Law commission are completely on top of their game when they give their confidence-inspiring endorsement of GOV.UK Verify (RIP) at paragraph 6.66:
The Law Commission report referenced by Mr Moss did not go into detail about the capabilities of GOV.UK Verify [RIP]; it restated opinions that were collected during a previous consultation by the Office of the Public Guardian called "Transforming the Services: Enabling Digital by Default" (published on 21 51 August 2014). The Cabinet Office guidance was published just before this (in July 2014) and subsequently was likely not considered in the Public Guardian report. Therefore, we do not believe these consultations and reports are a fair reflection of the current capabilities of GOV.UK Verify [RIP] ...

The Law Commission's report found that "it is possible, in principle, for the Government, or a Government authorised body, to use Verify to provide for fully electronic wills".

We welcome recognition by the Law Commission that in principle electronic signing of a will is sufficiently robust and secure in order to make them binding. We recognise that the report also raised some concerns about the use of GOV.UK Verify [RIP]. However, for reasons mentioned previously in this response, we do not believe those consultations and reports considered or recognised all of the current capabilities of GOV.UK Verify [RIP].
10 out of 10 for the cheeky use of quotation in the construction of a meretricious case. But that's not appropriate here, where we're talking about the businesslike and responsible management of public money. HM Treasury are unlikely to be amused.


Updated 13.2.18

Month
Sales
volume
Average
price (£)
Value (£)
2016-07
97,176
215,127
20,905,181,352
2016-08
98,386
215,145
21,167,255,970
2016-09
95,699
214,816
20,557,676,384
2016-10
89,318
214,107
19,123,609,026
2016-11
92,948
215,113
19,994,323,124
2016-12
98,707
215,500
21,271,358,500
2017-01
72,095
215,084
15,506,480,980
2017-02
74,619
215,639
16,090,766,541
2017-03
92,127
215,226
19,828,125,702
2017-04
79,168
218,446
17,293,932,928
2017-05
86,251
219,990
18,974,357,490
2017-06
102,842
222,004
22,831,335,368
12 months
1,079,336
216,378
233,544,403,365
HM Land Registry published their latest UK house price data today.

Take a look at the 12 months to June 2017. Over a million transactions worth over £230 billion.

That's a million buyers and a million sellers, roughly. A million buyers' conveyancers and a million sellers' conveyancers. Roughly. With two million professional indemnity insurance premiums to pay. A million mortgages to take out and a million mortgages to redeem. Roughly. Two million people and two million businesses and two million mortgages. With £230 billion at risk.

All that weight. Resting on GOV.UK Verify (RIP). Rejected by HMRC, DWP and the NHS ...

... but trusted by HM Land Registry, the Ministry of Housing Communities and Local Government and the Department for Business Energy and Industrial Strategy.

Brave. Very brave.


Updated 5.4.18

Digital mortgage signed by borrower and registered at HM Land Registry: "Today, the first digital mortgage deed was entered into the Land Register ... The registration of the deed follows months of collaboration and testing with Coventry Building Society and Enact Conveyancing and uses GOV.UK Verify [RIP] to enable borrowers to securely verify their identity before digitally [electronically?] signing their mortgage deed online".

That's a press release by HM Land Registry today.

Good luck to HM Land Registry Chief Executive and Chief Land Registrar Graham Farrant, who says in the press release that he hopes to roll this service out nationally. Brave. Very brave.

Peter Frost, Chief Operating Officer at Coventry Building Society, says "although this initiative has started with re-mortgages we’re excited about the potential for it to be extended to purchases in the future". Re-mortgages. In other words the identity of the borrower has already been verified properly by other means, it's safe to use GOV.UK Verify (RIP) when it's not being relied on.

Ben Carroll, Enact Conveyancing’s Managing Director, says: "this fully-digitised journey will mean that a customer can sign their mortgage deed online at a time and place of their choosing, securely underpinned by the GOV.UK Verify [RIP] platform". Time will tell.

"And what", you ask, "do the GOV.UK Verify (RIP) team have to say?". Nothing. As usual.

No comments:

Post a Comment