Oi, UK.gov, your Verify system looks like a MASS SPY NETWORK

Academic eyeballs architecture, screams in horror


Government “identity assurance” programme Verify contains "severe privacy and security problems" including a major architecture flaw that could lead to "mass surveillance" – according to an academic paper.

Verify was created by the Government Digital Service (GDS) to underpin the online identification of users performing transactions with the government,such as tax self assessment. User uptake of the service so far remains extremely slow.

The original design of the system was intended to provide users with a “federated” method of identifying themselves – i.e. picking a commercial identity provider, such as Experian, to act as a third-party verification agent.

That approach was a deliberate attempt to move away from the big national database projects associated with the Labour governemnt, and the widely hated idea of a national identity card scheme.

However, according to George Danezis, one of the academics who contributed to the University College London paper: Toward Mending Two Nation-Scale Brokered Identification Systems (PDF), those considerations have been "largely nullified."

According to Danezis, the problem lies with the central GDS-built hub, which communicates between the government departments, identity providers and citizens before giving the greenlight to the user.

He said: "The hub sits in the middle, despite different parts of the system being encrypted. The hub can decrypt all the information."

The research paper stated: “If compromised, the hub can even actively impersonate users to gain access to their accounts (and the associated private data) at service providers. This represents a serious danger to citizen privacy and, more generally, to civil liberties.”

“The described vulnerabilities are exploitable and could lead to undetected mass surveillance, completely at odds with the views of the research community whose scientific advances enable feasible solutions that are more private and secure,” it added.

Danezis questioned the reason behind why the system was designed with a single point of failure, but said no explanation has been provided.

He said: "In 2015, it is very strange that this is considered acceptable. If this system had been peer reviewed it would not have been passed even 15 years ago. Perhaps GDS did not have the expertise, or appreciate the need for expertise to deal with this."

Interestingly, the American version of an identity system, the Federal Cloud Credential Exchange, shares similar design flaws, according to the paper. But Danezis said there is no evidence the systems have been deliberately designed in this way by intelligence agencies.

He said CESG, the UK.gov/security services-backed Communications Electronics Security Group, was involved in the process, but said that is to be expected for an identity assurance system.

It was a missed opportunity to not take something that already existed and modify it, said Danezis. "This is a field where a number of solutions already exist," he said, adding: "Maybe it was a case of 'not done here' syndrome."

"I spoke to GDS about this," he said, "and on a personal level they were extremely receptive and open. They even invited me to sit on the advisory board. However, institutionally not has much changed. I was not given any further document access and they did not confirm or deny anything!"

In a blog on the paper published today, GDS, the Government Digital Service, said it welcomes the paper and is working with Danezis: "GOV.UK Verify offers people a convenient, secure way to prove their identity when accessing digital government services. It does not have any other connection with or ability to monitor people or their data."

"I'm not sure if there is a roadmap to address the concerns, or whether they are seen as valid," Danezis concluded. ®

Similar topics


Other stories you might like

  • Want to buy your own piece of the Pi? No 'urgency' says Upton of the listing rumours

    A British success story... what happens next?

    Industry talk is continuing to circulate regarding a possible listing for the UK makers of the diminutive Raspberry Pi computer.

    Over the weekend, UK newspaper The Telegraph reported that a spring listing could be in the offing, with a valuation of more than £370m slapped onto the computer maker.

    Pi boss, Eben Upton, described the article as "interesting" in an email to The Register today, before repeating that "we're always looking at ways to fund the future growth of the business, but the $45m we raised in September has taken some of the urgency out of that."

    Continue reading
  • JetBrains embraces remote development with new IDE for multiple programming languages

    Security, collaboration, flexible working: Fleet does it all, says project lead

    JetBrains has introduced remote development for its range of IDEs as well as previewing a new IDE called Fleet, which will form the basis for fresh tools covering all major programming languages.

    JetBrains has a core IDE used for the IntelliJ IDEA Java tool as well other IDEs such as Android Studio, the official programming environment for Google Android, PyCharm for Python, Rider for C#, and so on. The IDEs run on the Java virtual machine (JVM) and are coded using Java and Kotlin, the latter being primarily a JVM language but with options for compiling to JavaScript or native code.

    Fleet is "both an IDE and a lightweight code editor," said the company in its product announcement, suggesting perhaps that it is feeling some pressure from the success of Microsoft's Visual Studio Code, which is an extensible code editor. Initial language support is for Java, Kotlin, Go, Python, Rust, and JavaScript, though other languages such as C# will follow. Again like VS Code, Fleet can run on a local machine or on a remote server. The new IDE uses technology developed for IntelliJ such as its code-processing engine for features such as code completion and refactoring.

    Continue reading
  • Nextcloud and cloud chums fire off competition complaint to the EU over Microsoft bundling OneDrive with Windows

    No, it isn't the limited levels of storage that have irked European businesses

    EU software and cloud businesses have joined Nextcloud in filing a complaint with the European Commission regarding Microsoft's alleged anti-competitive behaviour over the bundling of its OS with online services.

    The issue is OneDrive and Microsoft's habit of packaging it (and other services such as Teams) with Windows software.

    Nextcloud sells on-premises collaboration platforms that it claims combine "the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business needs." Microsoft's cloud storage system, OneDrive, is conspicuous by its absence.

    Continue reading

Biting the hand that feeds IT © 1998–2021