But GOV.UK Verify was meant to be used as the login to allow people to access porn by proving they were over 18, perhaps this was t.may's plan all along, ban porn altogether by slowly removing all the verification options.
It's official: the UK state's expensive-but-comatose digital identity system Verify has been taken off life support. Parliament photo by Shutterstock Identity disorder: Does UK govt need Verify more than we do? READ MORE The minister responsible confirmed to Parliament yesterday that it will halt funding for the project …
So it follows the standard government "big transformational IT project" timeline then?
2011: We've got a brilliant idea... it'll work everywhere and everyone will use it
2013: This great idea works in most places, some people are using it already
2015: This idea works in some places, less people than we hoped are using it
2017: This thing sort of works, somebody is probably using it
2019: C'mere old Yeller...
Or was that the timeline for Google+ I've just quoted, I'm not sure?
Timeline is wildly optimistic from 2013 onwards
2013 : the bidding process is complete, and who would have guessed, we've awarded it to Capita
2015 : lots of money spent, no sign of anything systemwise.
2017 : scope creep, system cost to quintuple.
2018 : errm, it'll be great, honest
2019 :too late to turn back now......
2025 : You can fill in a paper form at a post office, if you're lucky enough to live in a county that still has one.
It sucked lemons!
I tried to use this to get identified last year. You had a choice of four or five identification providers such as banks and the Royal Mail. Each would give you three or four questions to verify that you were you. The kicker was that if you got one answer wrong then you failed verification, and you weren't allowed to go round and try again with that provider. Obviously this was to prevent fraudsters from repeatedly guessing until they got a hit. However the banks only worked if you were an account holder, so most of them were out.
I started with the Royal Mail, but misremembered the year I moved in to my current house (getting the month right wasn't good enough!), so that failed. Then the only bank I had an account with simply wouldn't work and kept taking me back to a question I had already answered.
Re: It sucked lemons!
"I started with the Royal Mail, but misremembered the year I moved in to my current house"
There could also be a problem with Royal Mail not knowing the correct house. I discovered that PAF had the address wrong all the time my parents lived here. Off-hand I couldn't say whether I corrected it before or after we moved in.
Re: It sucked lemons!
smudge: "Genuine question - why would the Royal Mail know the year you moved house?".
They rely on Equifax to provide identity proofing questions. How do Equifax and the other credit rating agencies get this information? How are they allowed to sell it to Royal Mail and the other "identity providers"?
It's the same with the Post Office, who aren't even accredited as "identity providers". Customers who think they're signing up with the Post Office are, behind the scenes, really signing up with Digidentity.
The questions above about the credit rating agencies are unanswered. Here's another one. Why don't GDS explain all this to their parishioners, the users whose interests are supposed to be GDS's only guiding light? Same answer.
Re: It sucked lemons!
> Genuine question - why would the Royal Mail know the year you moved house?
They have scanners that read the address on every envelope and package be it printed or hand written. When you move home they can redirect your mail automatically to your new address at fairly low cost so I know it won't be a manual system. Anyhow, the scanner systems could record details of everything sent to every address and so a quick query of the database would reveal when your name started appearing on letters for your current home.
And they will be recording all that data. If the promise of some big data analytics isn't enough you can bet the government/GCHQ will have demanded it.
Re: It sucked lemons!
When you move home they can redirect your mail automatically to your new address at fairly low cost so I know it won't be a manual system. Anyhow, the scanner systems could record details of everything sent to every address and so a quick query of the database would reveal when your name started appearing on letters for your current home.
I frequently have mail addressed to me at locations not my current home. For example, when I moved out of my parents home, I didn't go around changing all my postal addresses with all the various companies, as I would have dinner at my parents at least once every month (if not weekly) for years after I moved out, so I could just pick up any mail then from entities who I hadn't bothered to update.
At one point when I was moving frequently (living in group houses etc.), I got a post office box and started using that for all my mail. Therefore for about a decade, through about 15 house moves, I had the same postal address, the PO Box.
Therefore any such automated system as you propose would not have any idea of when I moved house, only when I changed address, which could be years after I'd moved house.
Re: It sucked lemons!
"They have scanners that read the address on every envelope and package be it printed or hand written."
The problem with that is it doesn't actually mean anything. The thing about envelopes with your name on them is that they've been sent by someone else. Someone else who may or may not actually be sending things to the correct person at the correct address. For example, despite having lived in my house for years I still get post for both the previous owners and the ones before them. And the majority of the rest is for Mr The Occupier and Mrs Homeowner, because in these days of paperless bills pretty much everything I get is just junk mail (about 40% from Virgin, the massive cockwombles).
A central government identity system that relies on asking everyone except the person involved to guess who might be in a house doesn't really sound like a great idea.
Tried it also last year. Went quite smoothly with RoyalMail, although the photo ID verification was done with low quality selfies that bore little resemblance to my passport picture.
Then SWMBO tried it and failed. Tried again once or twice, making sure the photos were as crisp as possible and matched her passport hairstyle. Fail again. Tried another provider, failed again and gave up.
Gave me zero confidence in their verification process.
Didn't one of the smaller former soviet countries manage to introduce a digital citizens ID which worked and didn't cost too much ?
Mind you, they did have a president who got stuff ... El Reg reported on it years ago (Googles) ....
Re: Estonia ?
Yep, Estonia has something similar
the Dutch have something similar (https://www.digid.nl/en/)
the French have something similar (https://franceconnect.gouv.fr/)
the Swedes have something similar (https://e-legitimation.se/)
the Italians have something similar (https://www.progettocns.it)
Re: Estonia ?
All these countries have one thing in common - a national identity register.
Until the UK bite the bullet and do the same, verifying your identity will always be a case of piecing together info from the private sector and the myriad of siloed public sector databases.
Privacy vs Security
Universal Credit is never going (if it ever does then it will be when we move to Universal Income or when we scrap all benefits), having 1 benefit which scales according to how many 'credits' you have is far more cost effective them having multiple benefits.
The issue isn't UC itself, it is how the government are applying things like sanctions.
"Maybe private prisons"
You didn't realise we already have those? The UK has the second highest proportion of people in private prisons in the world (12% of prisons holding 15% of inmates). First is Australia, not the US as might be expected. Obviously the trend was started by the Conservatives back in the '90s, but the current government is actually the first since then in which the number hasn't increased.
Re: Couldn't roll out ...
UK doesn't need an export tax system by definition, and if the import changes all goes tits-up despite the NAO stating pretty clearly that the HMRC is on track (albeit with risks) we can just continue to operate as we are. Even if the WTO rules don't allow it (and they do) we'd be in full compliance by the time the case was heard even if Trump wasn't grinding the entire workings of the WTO to a halt because they forgot security exemptions are a catch-all in the WTO rules.
This simply isn't a thing.
Also by the way it wasn't just oauth anyway, as I'm sure you actually know.
"The days of creating different user names and passwords for every new website are numbered, thank goodness," promised GDS Maximum Leader Mike Bracken* in November 2011.
What's the difference between using a single username/password on a gateway/portal that fronts a dozen different services, vs creating accounts on each of those same dozen services but using the same username/password for each of those dozen accounts? Surely you get the same user experience (only having to remember one set of username/passwords) and same security( one username/password pair for access to a dozen services)? I'd suggest you'd have a superior user experience not using a portal, because in the single-portal version if you accidentally lock your account you've locked yourself out of a dozen services, whereas with the independent (but same credentials) version you'll still be able to use the other 11 services that you haven't locked.
The difference is the security. When you use the same password on a dozen sites, any one of those sites could have poor security, allowing your credentials to be stolen and used on the other 11. With a central authentication service, only one place has your credentials. That place can* be given maximum protection.
*But it could just be outsourced to a bunch of muppets.
Also, with a single user experience across the services, you could educate users about what to expect in "security messages", and therefore make it less likely that people fall for phishing emails.
Government verification gateway without the verification
Instead of roping in third parties who ask you the number they're thinking of based on the data they've got which may or may not be right, and are only there at great expense to avoid having actual real civil servants verify that you're you, how about this:
1. You set up an account at the government gateway, filling in your details and saying where you're going to get verified (DWP, council, main post offices).
2. You go to wherever it is and prove your ID.
3. They hit a button confirming that you're you and print out the instructions as to how to proceed from now on including a login code.
4. You go back to the government gateway, log in again with the login code, and follow the instructions to download your certificate.
Just an idea...
I tried to use this awful verify system to get a Pension forecast. The amount of personal information shared with people i don't trust put me right off.
Then I realised that I could phone the DWP and after identifying myself, they would POST (remember that?) a forecast.
To me, the only other use for this verify was to log on to HMRC, and my accountant does that for me so I thought "stuff it!"
As the DVLC also used it, I will be OK until 2025 when my driving licence expires! :-)