back to article UK.gov withdraws life support from flagship digital identity system

It's official: the UK state's expensive-but-comatose digital identity system Verify has been taken off life support. Parliament photo by Shutterstock Identity disorder: Does UK govt need Verify more than we do? READ MORE The minister responsible confirmed to Parliament yesterday that it will halt funding for the project …

Bronze badge

But GOV.UK Verify was meant to be used as the login to allow people to access porn by proving they were over 18, perhaps this was t.may's plan all along, ban porn altogether by slowly removing all the verification options.

15
0
Anonymous Coward

But who uses websites to download their porn in this day and age?

1
0
Silver badge

Well, Damian Green MP is a well-known downloader of pornography.

15
0
Anonymous Coward

Exactly

My MP just asks his constituents to produce his porn for him and send it on snapchat.

4
0

Re: Exactly

If he's a tory MP then porn is probably just footage of homeless people and those on benefits being sanctioned

3
3
Joke

So it follows the standard government "big transformational IT project" timeline then?

2011: We've got a brilliant idea... it'll work everywhere and everyone will use it

2013: This great idea works in most places, some people are using it already

2015: This idea works in some places, less people than we hoped are using it

2017: This thing sort of works, somebody is probably using it

2019: C'mere old Yeller...

Or was that the timeline for Google+ I've just quoted, I'm not sure?

36
0
SVV
Silver badge

Timeline is wildly optimistic from 2013 onwards

2013 : the bidding process is complete, and who would have guessed, we've awarded it to Capita

2015 : lots of money spent, no sign of anything systemwise.

2017 : scope creep, system cost to quintuple.

2018 : errm, it'll be great, honest

2019 :too late to turn back now......

2025 : You can fill in a paper form at a post office, if you're lucky enough to live in a county that still has one.

12
0
I&I

Fewer

1
0
FAIL

It sucked lemons!

I tried to use this to get identified last year. You had a choice of four or five identification providers such as banks and the Royal Mail. Each would give you three or four questions to verify that you were you. The kicker was that if you got one answer wrong then you failed verification, and you weren't allowed to go round and try again with that provider. Obviously this was to prevent fraudsters from repeatedly guessing until they got a hit. However the banks only worked if you were an account holder, so most of them were out.

I started with the Royal Mail, but misremembered the year I moved in to my current house (getting the month right wasn't good enough!), so that failed. Then the only bank I had an account with simply wouldn't work and kept taking me back to a question I had already answered.

20
0
Silver badge

Re: It sucked lemons!

Tried Royal Mail last year as well, even though I told them my ID was a non-UK issued passport it let me proceed to putting the passport details in. But then the page kept saying I entered my passport details wrong. It was STILL looking for a UK passport.

14
0

This post has been deleted by its author

Silver badge

Re: It sucked lemons!

I started with the Royal Mail, but misremembered the year I moved in to my current house

Genuine question - why would the Royal Mail know the year you moved house?

Or is it something you have to tell them if you register with them?

15
0
Silver badge

Re: It sucked lemons!

"I started with the Royal Mail, but misremembered the year I moved in to my current house"

There could also be a problem with Royal Mail not knowing the correct house. I discovered that PAF had the address wrong all the time my parents lived here. Off-hand I couldn't say whether I corrected it before or after we moved in.

1
0

Re: It sucked lemons!

smudge: "Genuine question - why would the Royal Mail know the year you moved house?".

Good question.

They wouldn't.

They rely on Equifax to provide identity proofing questions. How do Equifax and the other credit rating agencies get this information? How are they allowed to sell it to Royal Mail and the other "identity providers"?

Royal Mail don't actually do any identity management themselves. That job is farmed out to one of GDS's other "identity providers", GB Group plc, according to Royal Mail's privacy policy: "In order to verify your identity, we will share your information with our partners, GB Group, who will check it against information held on databases maintained by credit reference agencies or fraud prevention agencies, such as those held by Equifax and CallCredit" (para.4.1).

It's the same with the Post Office, who aren't even accredited as "identity providers". Customers who think they're signing up with the Post Office are, behind the scenes, really signing up with Digidentity.

The questions above about the credit rating agencies are unanswered. Here's another one. Why don't GDS explain all this to their parishioners, the users whose interests are supposed to be GDS's only guiding light? Same answer.

14
0

Re: It sucked lemons!

> Genuine question - why would the Royal Mail know the year you moved house?

They have scanners that read the address on every envelope and package be it printed or hand written. When you move home they can redirect your mail automatically to your new address at fairly low cost so I know it won't be a manual system. Anyhow, the scanner systems could record details of everything sent to every address and so a quick query of the database would reveal when your name started appearing on letters for your current home.

And they will be recording all that data. If the promise of some big data analytics isn't enough you can bet the government/GCHQ will have demanded it.

0
2
Silver badge

Re: It sucked lemons!

When you move home they can redirect your mail automatically to your new address at fairly low cost so I know it won't be a manual system. Anyhow, the scanner systems could record details of everything sent to every address and so a quick query of the database would reveal when your name started appearing on letters for your current home.

I frequently have mail addressed to me at locations not my current home. For example, when I moved out of my parents home, I didn't go around changing all my postal addresses with all the various companies, as I would have dinner at my parents at least once every month (if not weekly) for years after I moved out, so I could just pick up any mail then from entities who I hadn't bothered to update.

At one point when I was moving frequently (living in group houses etc.), I got a post office box and started using that for all my mail. Therefore for about a decade, through about 15 house moves, I had the same postal address, the PO Box.

Therefore any such automated system as you propose would not have any idea of when I moved house, only when I changed address, which could be years after I'd moved house.

7
0
Bronze badge

Re: It sucked lemons!

Title deeds are public, so if you own or mortgage your house then there is a public record of when you took possession. And if you rent then the government has a copy of your rental agreement under T.May's security policies that she introduced as Home Secretary.

1
0
Silver badge

Re: It sucked lemons!

"They have scanners that read the address on every envelope and package be it printed or hand written."

The problem with that is it doesn't actually mean anything. The thing about envelopes with your name on them is that they've been sent by someone else. Someone else who may or may not actually be sending things to the correct person at the correct address. For example, despite having lived in my house for years I still get post for both the previous owners and the ones before them. And the majority of the rest is for Mr The Occupier and Mrs Homeowner, because in these days of paperless bills pretty much everything I get is just junk mail (about 40% from Virgin, the massive cockwombles).

A central government identity system that relies on asking everyone except the person involved to guess who might be in a house doesn't really sound like a great idea.

4
0

Re: It sucked lemons!

You're an idiot.

0
9
Silver badge
FAIL

Train Wreck

Totally predictatable - they'd barely started to build the 'rails' when they started the train.

So how much did this particular fiasco cost us? Or do we really want to know?

17
0

Tried it also last year. Went quite smoothly with RoyalMail, although the photo ID verification was done with low quality selfies that bore little resemblance to my passport picture.

Then SWMBO tried it and failed. Tried again once or twice, making sure the photos were as crisp as possible and matched her passport hairstyle. Fail again. Tried another provider, failed again and gave up.

Gave me zero confidence in their verification process.

13
0
Silver badge
FAIL

Estonia ?

Didn't one of the smaller former soviet countries manage to introduce a digital citizens ID which worked and didn't cost too much ?

Mind you, they did have a president who got stuff ... El Reg reported on it years ago (Googles) ....

https://en.wikipedia.org/wiki/E-Residency_of_Estonia

6
0
Len
Silver badge
Unhappy

Re: Estonia ?

Yep, Estonia has something similar

the Dutch have something similar (https://www.digid.nl/en/)

the French have something similar (https://franceconnect.gouv.fr/)

the Swedes have something similar (https://e-legitimation.se/)

the Italians have something similar (https://www.progettocns.it)

etc. etc.

9
0

Re: Estonia ?

All these countries have one thing in common - a national identity register.

Until the UK bite the bullet and do the same, verifying your identity will always be a case of piecing together info from the private sector and the myriad of siloed public sector databases.

Privacy vs Security

0
0
Silver badge

Next

Will they kill Universal Credit, Home Office cheating residents and visitors and PIP assessment?

Maybe private prisons

Closing down offshore UK dependency tax havens and money laundering.

There are SO many things this Government is doing wrong that denies people their rights.

16
5

Government denying people their rights

I think you may have missed a big one. The date 29 March tolls a bell.

This sounded like a pretty simple IT project. Hate to think what might happen with "maximum facilitation" (a piece of Newspeak if I ever heard one).

4
0
Bronze badge

Re: Next

Universal Credit is never going (if it ever does then it will be when we move to Universal Income or when we scrap all benefits), having 1 benefit which scales according to how many 'credits' you have is far more cost effective them having multiple benefits.

The issue isn't UC itself, it is how the government are applying things like sanctions.

4
1
Silver badge

Re: Next

"Maybe private prisons"

You didn't realise we already have those? The UK has the second highest proportion of people in private prisons in the world (12% of prisons holding 15% of inmates). First is Australia, not the US as might be expected. Obviously the trend was started by the Conservatives back in the '90s, but the current government is actually the first since then in which the number hasn't increased.

1
0
Anonymous Coward

Re: Next

yes most agree the idea of UC is a good one a bit like the poll tax both good ideas badly implemented

0
0
Silver badge

Couldn't roll out ...

... a gov version of OAUTH, after 7 years, but will be 100% certain to get an import and export tax system up and running within 6 months.

17
1
Silver badge

Re: Couldn't roll out ...

"... a gov version of OAUTH"

OAF, however - no problem.

2
0
Silver badge

Re: Couldn't roll out ...

UK doesn't need an export tax system by definition, and if the import changes all goes tits-up despite the NAO stating pretty clearly that the HMRC is on track (albeit with risks) we can just continue to operate as we are. Even if the WTO rules don't allow it (and they do) we'd be in full compliance by the time the case was heard even if Trump wasn't grinding the entire workings of the WTO to a halt because they forgot security exemptions are a catch-all in the WTO rules.

This simply isn't a thing.

Also by the way it wasn't just oauth anyway, as I'm sure you actually know.

0
4
FAIL

Wrong questions

I set mine up, but then it always asked for my mobile provider and rejected me (several providers, several brandname changes). It never asked the other check questions, and never got used.

2
0
Silver badge

Why not

Do it all via Facebook?

In any case, it's always handy to have several different IDs in case one of them is rejected for something you really want to do.

1
8
Silver badge

Re: Why not

...firstly because not everyone is on FaceBook...

..secondly would anyone want to have their passport etc. Indexes etc. On FaceBook’s platform?...

...thirdly...

14
0
DJV
Silver badge

keep the vegetable alive

Hah, that immediately reminded me of this!

4
0
Silver badge
WTF?

"The days of creating different user names and passwords for every new website are numbered, thank goodness," promised GDS Maximum Leader Mike Bracken* in November 2011.

What's the difference between using a single username/password on a gateway/portal that fronts a dozen different services, vs creating accounts on each of those same dozen services but using the same username/password for each of those dozen accounts? Surely you get the same user experience (only having to remember one set of username/passwords) and same security( one username/password pair for access to a dozen services)? I'd suggest you'd have a superior user experience not using a portal, because in the single-portal version if you accidentally lock your account you've locked yourself out of a dozen services, whereas with the independent (but same credentials) version you'll still be able to use the other 11 services that you haven't locked.

3
0
Silver badge

The difference is the security. When you use the same password on a dozen sites, any one of those sites could have poor security, allowing your credentials to be stolen and used on the other 11. With a central authentication service, only one place has your credentials. That place can* be given maximum protection.

*But it could just be outsourced to a bunch of muppets.

Also, with a single user experience across the services, you could educate users about what to expect in "security messages", and therefore make it less likely that people fall for phishing emails.

0
0
Silver badge

Government verification gateway without the verification

Instead of roping in third parties who ask you the number they're thinking of based on the data they've got which may or may not be right, and are only there at great expense to avoid having actual real civil servants verify that you're you, how about this:

1. You set up an account at the government gateway, filling in your details and saying where you're going to get verified (DWP, council, main post offices).

2. You go to wherever it is and prove your ID.

3. They hit a button confirming that you're you and print out the instructions as to how to proceed from now on including a login code.

4. You go back to the government gateway, log in again with the login code, and follow the instructions to download your certificate.

Just an idea...

4
0

Re: Government verification gateway without the verification

And a good idea.

You forget though that this is GDS where they take 12 weeks in discovery, do "user research" and come up with a "better" idea, which then "fails fast" in beta.

All at great cost, whilst wearing shorts.

4
0
Silver badge

Does anyone, anywhere have any confidence whatsoever in the government to get any "digital" project off the ground successfully and reasonably close to initial budgets and timelines? In fact, does anyone expect any one of those 3 to be achieved, let alone all 3?

3
0
Silver badge
Black Helicopters

"Does anyone, anywhere have any confidence whatsoever in the government to get any "digital" project off the ground successfully and reasonably close to initial budgets and timelines?"

Here, here, here and here.

0
0
VBF

I tried to use this awful verify system to get a Pension forecast. The amount of personal information shared with people i don't trust put me right off.

Then I realised that I could phone the DWP and after identifying myself, they would POST (remember that?) a forecast.

To me, the only other use for this verify was to log on to HMRC, and my accountant does that for me so I thought "stuff it!"

As the DVLC also used it, I will be OK until 2025 when my driving licence expires! :-)

0
0
Bronze badge

Other countries have managed

Denmark, Estonia and Portugal, probably Norway and Sweden too. But in those cases it's linked to id cards and/or central registers of the population.

Would newer fly in the UK, only secret services are allowed that.

0
0

Verify

I’ve used it for the past few years for tax amongst other stuff without problems, more specifically l found Government Gateway unforgiving of any validation errors and unusable.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018