The fraudsters appear to be looting more from DWP and HMRC than the annual spend of GCHQ (even including that paid for by the Americans - i.e. their share of the funding for the joint projects which enable it to do what it does so well). Government issued credentials are also being used to help defraud the private sector on a similar scale. Meanwhile the departmental silos fight the centre over theoretical identity principles instead of taking effective action to stop the bleeding. What happened to "Fighting Identity Crime Together": the programme to address "fogging" (the false obtaining of genuine government issued)?
By comparison the few £tens of millions that would-be ID suppliers have wasted on Cabinet Office identity games, or even £hundreds of millions that have been wasted to date on consultants' swings and roundabouts at DWP are small beer.
So what is the current state of affairs and how has it come about?
I find it very difficult to make sense of the National Electronic Identity policy that Cabinet Office (and the European Commission) still believe we should have - despite the great British rhubarb to Government issued ID Cards. As readers of some of my past blogs on the different approaches of Governments and Industry will have appreciated, I have long made a clear distinction between the types of Identity credential that our rulers want us to use and those which merchants and travellers have used for several thousand years. To that distinction I now add a third type, those credentials that dominant technology suppliers wish us to use, so that they can serve us "better" (alias sell our details to whoever will pay for them, while others break their systems to "acquire" them without paying).
I did not follow my late father into "The Service" but I learned from him how important it is to give a voice to the experience of Servants of the Crown who are muzzled by a combination of the Official Secrets Acts (plural), the pernicious "Armstrong Doctrine" (my father's words not mine) and the fiction that "Ministers make policy for Officials to implement".
I am therefore most grateful to Jim Prideaux for giving me the benefit of his experience in tracking, not only what lies behind the Cabinet Office strategy, but some of the consequences. I do not agree with all he says, just as he would never comment on what I have said above, even if he agreed with me, but do read on ....
"The 2005 Manchester ministerial meeting committed European countries to have trans-border access to government services by 2010.
The DWP was then the lead, but as the money ran out it looked at its priorities (notably work and pensions) and slid quietly away from more than token engagement on interesting cross-border challenges. Yes, millions of people would be interested in STORK, but hundreds of millions would not. Anyway, ID was a Home Office headache - a someone-else's problem field.
When the ID card was not just reduced to an optional convenient form of a passport but ceremonially hung drawn and quartered on day 1 of the coalition, and the nascent population register thrown in its grave, the poisoned chalice of ID policy was up for grabs. It's normal for the lowest bid to come from those who least understand the task; there may be a public service equivalent that those who offer the quickest delivery may not appreciate the complexity of what they plan to do.
In early 2011 Francis Maude rightly said that identity assurance is key to the smooth running of public services online and announced that there would be a first prototype of the identity assurance model by October 2011, with a date for implementation from August 2012.
Who pays, and what do they get for it was identified then as an unanswered question, and it seems it still is.
Before anyone points fingers at the civil servants, we should note that, unlike the political senior appointees in the US, those in UK are constitutionally unable to engage in open debate. Blogging is in fashion, but only good news is allowed since anything else could and would be construed as criticism of government policy: a job for the opposition (and backbenchers), pub gossip, bloggers and newspapers.
The 2001 EURIM briefing paper on consultation processes referenced the then Cabinet Office Code of Practice on Written Consultation. This was revised by BIS in 2008 and quietly emasculated in 2012, when the 12 week period ceased to be mandatory. But even that is about structured one-way consultation for advising on policy/law and not for debate on practical delivery of a service.
Worse is that the change to provision of public services and associated procurement using an open market has not had the consequential changes to Treasury rules to enable genuine collaboration; the carefully crafted anti-corruption processes for spending public funds aren't necessarily relevant when there's no money being spent. The imperious attitude to 'we set the standards' is fine if there is money to back up unique requirements, but UK doesn't have a NIST, Presidential Directives or a sufficient number of Internet users to justify global players giving citizens and denizens of the UK special treatment. The British Standards Institute was the first in the world. Why isn't HMG calling for compliance with British Standards, rather than producing guides and looking surprised when these aren't suitable for demonstrating compliance with a contract?
The 'we're listening' line has picked up unfortunate overtones recently, but consultation with various sectors (and sundry foreign governments) has generated plenty of PowerPoint. It remains essentially one-way. If there were minutes or dispositions of comments it wouldn't be necessary to ask so many questions.
- If the UK operations of OIX were genuinely industry-led, why do they require that Cabinet Office be on an otherwise all American board?
- Why have no results of the stream of "alpha-project"s been published, even in those cases where the industry partners have been clear that they have no objections on commercial confidentiality?
- How do the (draft) privacy principles apply to the RTI feed from HMRC? They clearly do not for the pathfinders although, unlike pilots, these are handling real data on real people.
There are supposed to be mechanisms for providing additional funds to local government "delivery partners" when they are given additional obligations, but it's not clear that they are getting sufficient information to plan ahead. Worse, fixing shortcomings in Government identity processes as they affect systems such as HMRC RTI by changing requirements on all of the private sector is hiding real costs and making no friends.
Meanwhile the European Commission and Parliament are in denial of the implications on all organisations of the proposed data protection regulation; the identity aspect of which is well down the list of concerns, but it's there in Article 15, and nobody has any idea how much it will cost.
So, for all the talk of a market, who is selling what to whom?
By October 2011 it was clear that the problem which Microsoft with money, a near monopoly, and 15 years had failed to solve was not going to be sorted out by a couple of people in Whitehall over the summer and various cheer-leaders were put forward - learner records, Universal Credit, individual voter electoral registration, lasting power of attorney, parking permits....
Meanwhile DWP knew what they wanted. They issued an OJEU in December for £250m. This was then pulled, and they were 'persuaded' to use and be the lead (bleeding edge) for what they had agreed, under duress, to try. Testing, accreditation and delivery would be needed by Spring 2013 in order to help meet the timetables for the Universal Credit.
On 28 February 2012 a new OJEU announced £25m to set up a framework of competing but inter-operable identity providers. There were over 80 expressions of interest. In May 2012 DWP issued an invitation to tender for the framework to 44 suppliers and a motley crew of 7 (+1) joined the "framework" for a "Universal Credit, which will go live nationally in October 2013".
There were no responses from the Banks, Mobile Phone Companies or on-line transactions service operators who it had previously been said were expected to bid.
In June the contracts were moved across to GDS with DWP committing to come into line when they could. At this point some part of HMRC became the front runners, for a service to be rolled out in October 2013. DWP published a description of how things would work with a token online aspect and no mention of identity assurance.
The design principles for privacy were circulated for further consultation having been developed and reviewed by those willing to contribute time without payment. The final result has now been published although the submissions to consultation have not. The 1911 Parliament Act's introduction of salaries for MPs was to overcome the bias introduced when only those with independent means or beholden to some lobby for support could participate. While paying over the odds to consultants to do nothing much (e.g. the £120 million paid to Accenture on the Universal Credit programme in advance of the pathways trials) is bad, buying in specialist help to support a well-publicised consultation on what is supposedly going to be a cornerstone of future relations between Government and the plebs (you and me) would not seem unreasonable. Any private sector business changing its customer relations policy would base this on serious market research (alias consultation). Endorsement of the draft by the minister necessarily muzzled civil servants (some of whom have rather more relevant experience, not just within the UK or the public sector, than most public commentators).
The contracts were now down to five. These were still expected to be investing serious effort in developing solutions, but without guidance on any of the missing elements - such as the plans for disputes resolution. Everything is now supposedly open, except that the outline still hasn't been published. If those academics with expertise in this area who have not been involved in the process (because they were too busy or lacked the funding to do pro-bono work) proceed to find basic flaws in what has been developed, then it will be too late to take easy remedial action.
Independent accreditation is said to be important but of the five still supposedly developing services to use in the "near future" only Experian has so far gained the necessary tick in the box, although Verizon has applied and it's mid-November already.
The idea that industry would fund the development of a new product or services in return for Government assurances of business is not new: remember when shareholders put money into Eurotunnel in return for an assurance that HMG would arrange for a high speed link to London. It had gone into receivership, wiping out their investment before the line was built. At least the Victorian Post Office and Admiralty gave guaranteed mail contracts to help underpin the high speed rail lines of the day to the cities and ports. There may be a difference of scale in the infrastructure investment involved (£billions for rail, £millions for online ID) but, without guarantees of business, why should anyone risk share-holders' money?"