Press cover for the latest phase of the Government Online Identity framework is beginning to emerge. The invitation to tender to become one of up to ten suppliers for the Government Verify Framework was dated on Friday 12th December and published on 17th with a deadline for submission of 6th February. On 12th December the Government Identify Assurance blog carried a reminder that the deadline for submissions of interest in the pilot accreditation programme for suppliers was Monday 15th December. The UKAS notice was issued on November 24th giving three week notice, but UKAS is one of those quangoes of which no-one has ever heard until they learn that they cannot do something because it has not been accredited. I therefore suspect the reminder was either because no-one had responded or because just one response looks like a ‘fix’.
Do read the invitation to tender because it is the first time that the scale and nature of what is intended for this programme will have become clear to many.
Insomniacs will also need the supporting documentation on the CCS Agreements . Two documents have parts redacted. There is provision for changes to reference documents, but it’s not clear which version is to be used for the bid, and some of those currently linked to from the Government Direct blogs have been stated as being well out of date.
Jugglers or Zen experts may be needed to sort out the limitations on how many times subcontractors can be used, but the risk of delay from challenges from lawyers must also be of interest as the contract mechanism is designed to ensure there’s a loser. If someone comes 6th, say, and is then excluded, but would have been included, with exactly the same bid, if there had happened to have been a 7th, they would seem to have a very strong case for complaint on a restriction to trade.
It is also the first time that 3.5 million businesses, let alone those providing their accounting and payroll software, will have an opportunity to appreciate the changes they would have to make in order to play, allowing for the scope of the unanswered questions on the business model and therefore the uncertainty of take-up by anyone other than those parts of the public sector which are given no option.
That leads to a core question. What is the business case, apart from a questionable interpretation of the European Union Regulation on Electronic Identities and Electronic Trust Services?
The good news is that final draft of the regulation was watered down from that which the Digital Policy Alliance described as a “Massive European Own Goal” after it had consulted its members and called for inputs from others and after my own attempt to draw attention to the ticking time bomb, including for DWP and the Universal Credit.
It is, however, a moot point as to whether the UK needs do anything beyond stating which existing identity and trust services it will accept for on-line authentication.
It is not as though this is a new market. As I have pointed out before the issues are not new either. UK and US law on electronic signatures has been clear since 1867 (Supreme Court of New Hampshire judgement on whether a cable authentication is a signature) and we have nearly as many government departments and agencies with fingers in the idenity and autnentication policy pots as we have commercial offerings in what is better viewed as the “Identity and Access Management” market. Other governments, not part of the self-appointed D5 have quietly just done it: Roman Law countries also have a variety of solutions, usually based on “Electronic Notary” services.
Only the digerati who wish to treat our personal information as their oil have a clear “business case” for change and they should be aware that the price of oil can come crashing down after the cartel collapses.
That said, it would be good if Cabinet Office were to have some sensible bids for recognition under the Government Verify programme from organisations that really do merit our trust. In my own case, I would trust Experian but would not wish to provide them with any information about me that they do not already have, in order to check my identity. Also I personally would not wish to have to trust any organisation based outside the UK to authenticate my dealings with HMG. I should add that while it might have some value over current processes, I have little faith that Verify will be much, if at all, more secure than the South Korean National Identity system or those of any of the other ‘D5 leaders‘.
I also await an explanation of the downward trend of ‘live performance’ but am delighted to report that the new system is stated as being required to work in Welsh (albeit in a parenthetical remark).
Merry Christmas and a Happy New Year to all festive-season bidders.