Is the UK Ready for an Identity Card Programme?
Well, they’ve published the tender for the Identity and Passport Service to set up a framework of suppliers to develop the National Identity Card Programme.
Preface: We at Blindside are independent researchers and writers. We don’t speak for HM Government, or for any department therein. We’ve been asked to help government where we can by independently identifying areas where government can be blindsided by technology. Please assimilate that before continuing.
I cannot in all honesty say I believe that the UK Government is ready to begin this work. I do not believe they will invite the right people to the party, nor will they write the correct tender specifications, nor will they police the conversations of those they do (and do not) invite into the framework. As shown below, I don’t believe UK Government has widely published or absorbed internally commonly accepted best practice in the set-up and administration of information gathering and dissemination. This is not about philosophy. It is about basic hygiene.
See here. “Millions of homeowners are being left wide open to identity theft because their personal details are being made available on a Government website, campaigners warned yesterday. Details of their mortgage lender, mortgage value and even a copy of their signature can be found on the Land Registry site for just £3.”
See here. Key quote: “As a result, as Channel 4 revealed earlier this evening, all the details of final year medical students applying for hospital jobs were accessible by the general public. We are not just talking names and address. We are talking everything.”
And then see here. Again, key quote: “Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?
Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”
But there’s more:
“Well after a year of being told about the thing privately and ignoring it the FCO and its outsourcers did, sort of, fix the issue by closing the website and an independent inquiry was launched. The investigator’s report has now been produced and no punches are pulled. Here are some of the relevant paragraphs:
108. UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.
109. I note that during the technical investigations, several screenshots provided by VFS highlighted wider security concerns. These screenshots of the management console used to access and configure the firewalls also showed users actively engaged in Skype conversations and logged onto webmail packages. These entities are considered to have poor security when used in isolation. Using them whilst accessing security device management consoles shows that standard acceptable usage policies are either not in place or not followed.”
I cannot in all honesty say I believe that the UK Government is ready to commission a framework agreement to begin work on the National Identity Programme.

August 14th, 2007 at 10:09 am
…never mind the sheer throughput the system will have to have, especially at biometric enrolment / renewal time; see some advanced thinking on this at http://blogs.sun.com/davew/entry/more_national_id_card_food .
August 22nd, 2007 at 5:15 am
[…] previously wrote about my concerns regarding the UK government’s readiness to begin construction of a National Identity […]
November 15th, 2007 at 2:23 pm
[…] accepted by the government…” Aren’t you stretching the definition of immediately? As we noted in August, didn’t the person who reported this to you continue to report this to you for a year? […]