Here we are, it’s 2017, on-demand and pay-as-you-go software is all the rage, cloud is the rising and soon-to-be dominant IT architecture, and yet we’re still talking about software suppliers stiffing their customers with the fine print in licensing contracts.
SAP users have reacted with understandable alarm to their supplier’s High Court victory over one of its largest customers, drinks giant Diageo, claiming nearly £60m in unpaid fees. The case could set a worrying precedent as firms increasingly adopt application programming interfaces (APIs) as a primary means of interacting with corporate systems.
The Diageo case centred on so-called “indirect access” whereby an external customer software application accesses the core SAP system. The supplier argued successfully that every Diageo customer that could come through this interface – 5,800 of them – should be treated as a “user” under the terms of its software licence.
While this may be legally the case, in practical terms it’s clearly absurd. In effect, the ruling implies that any user coming through a third-party app or a web browser through an API into a back-end software system should be licensed in the same way as a user actively logged in to that system.
Think about the implications here as we move to the internet of things (IoT) – theoretically, every one of tens of thousands of sensor devices feeding data through an API into a database could be defined as a “user” and require appropriate licensing fees.
This is not an issue specific to SAP, but to the increasingly outdated model of software licensing offered by what we might have to call 20th century software vendors. If the SAP case sets a precedent, you can be sure that the Oracles, Microsofts and others of the world will rub their hands with glee.
The judge in the Diageo case subtly acknowledged the absurdity. While she upheld the claim based on SAP’s licence terms, willingly signed by Diageo, she implied that the supplier ought to introduce a new category of user for such a situation – one which is priced more realistically for indirect access to the SAP application.
Nobody is suggesting that software vendors shouldn’t be able to set a fair price for their products and license accordingly. But the “per user” style of pricing is outdated – it was developed for 1990s era technology where every user sat at a PC and connected to a server.
Before long, it’s possible we will see situations where every non-admin user is another app, a bot, or an IoT device, where a per-transaction micropayment model might be more appropriate. Old-style software licensing needs to adapt to modern IT realities.
In all the recent talk about whether HM Revenue & Customs (HMRC) is truly committed to the Cabinet Office’s Gov.uk Verify service, there’s been less said about the commitment of the external providers – a factor that could yet sink the controversial identity assurance scheme.
Verify relies on creating a “market” of independent, third-party ID providers who perform the verification process to ensure that users accessing online public services are who they say they are. Currently there are seven organisations fulfilling this role: Barclays, CitizenSafe, Digidentity, Experian, Post Office, Royal Mail and SecureIdentity.
These ID providers (IDPs) retain or access all the personal data about citizens who wish to have a Verify identity – so the data is never passed to the government service that users wish to access. Instead, the external providers simply inform the online service that the user is correctly verified.
It is politically and technically fundamental to the design of Verify that this market exists. Politically, it avoids the creation of a national identity database; allows companies to make a profit; and offers choice to citizen-users. Technically, it means government systems don’t need to perform the complex assurance process for every login or secure transaction.
The return on investment for an ID provider
The attraction for the IDPs is purely commercial – government pays them up-front for every identity they successfully verify, and pays them again once a year whenever a user accesses a digital service. That’s not to mention the prospect of capturing user information that potentially allows them to market other services.
The providers compete for users, sometimes by offering different verification methods that suit different demographics – for example, some low-income users may not have a credit history; farmers found a similar problem when they were the first guinea pigs for Verify, and the fact many don’t have a mortgage became an issue.
Sources with knowledge of Verify suggest that, on average, IDPs receive about £5 per verified user.
Building a system to assure identities is not cheap – one expert with knowledge of government ID systems estimated “low single-digit millions” to develop an external verification service.
If those figures are even close to correct, it suggests each IDP will need perhaps half a million verified users before they start to reach an acceptable profit. They will have been tempted by the prospect of several million users each, and recurring revenue every year.
The Government Digital Service (GDS) has never published full figures for how much it spends on Verify, either. Sources suggest that the 2016/17 budget for Verify was £47m, of which just £4m was capital expenditure. Most of the remaining £43m was due to cover payments to IDPs for successful verifications. With the number of fully verified users still below one million and rising slowly, it’s unlikely GDS will spend all that budget this financial year even if it wanted to.
This is where HMRC comes in. The real prize for the IDPs is the existing user base for the tax self-assessment service and HMRC’s personal tax accounts – currently there are 7.4 million registered users, a figure confirmed in the department’s latest update on its single departmental plan.
In an unwitting dig at Verify, HMRC pointed out that it’s already ahead of its target to have seven million users by April 2017. Earlier this month, Cabinet Office minister Ben Gummer set a target for Verify to reach 25 million users in 2020.
It’s an open secret that HMRC doesn’t want to use Verify, and is being forced to play along. The department is developing a successor to the existing Government Gateway system, which covers individuals, business and intermediaries (such as accountants who file tax returns for clients). Understandably, HMRC has no desire to use two separate ID systems, and Verify will not support business or intermediary accounts.
What’s more, HMRC says it doesn’t need the higher level of assurance for user IDs that Verify offers. As a result, GDS is developing a new way of using Verify that works to a lower standard. A pilot project, called basic accounts, was conducted in 2015 but quietly shelved. Basic accounts were not fully verified, but could be upgraded. IDPs in the trial were used to set up basic accounts, but without the same level of identity checking. Presumably – and this is a guess – an IDP would receive less money for completing this simpler transaction.
Eyes on the HMRC prize
IDPs will all have their eyes on the prize of HMRC’s 7.4 million users – that, in the short-to-medium term at least, is where their profit lies. And they know it – sources suggest that every time HMRC has rattled its cage about not using Verify, GDS needed to reassure nervous IDPs that the expected volumes would be delivered.
But it’s not even as straightforward as migrating those 7.4 million people to Verify and allocating them a basic-level identity. Remember – Verify is a market. Users have to be given a choice of which IDP they want to use. Government cannot give all those users to one IDP, nor can they simply divide them up equally, because some IDPs work better for different demographics.
There seems, on the face of it, no obvious way to avoid forcing 7.4 million HMRC users to have to re-create a new identity from scratch using Verify, even if they don’t need to go through the full verification process.
It’s unlikely IDPs will be allowed to market their services directly to those 7.4 million people, so every IDP must face a risk that if it loses out on any HMRC user land-grab (if that’s how the migration takes place) it will struggle to achieve the return on investment it needs.
The question for GDS and Verify is, at what point does an IDP decide it’s no longer worth waiting? And if one IDP quits, do the others see that as an opportunity to gain a larger slice of the HMRC pie, or as a sign that Verify is a failure?
The long-term row between HM Revenue & Customs (HMRC) and the Government Digital Service (GDS) over online identity assurance broke into the open this week. HMRC published a blog post that clearly stated the department was rejecting GDS’s Gov.uk Verify system in favour of developing its own tools for users to log in to online tax services such as self-assessment.
However, not long after HMRC and the Cabinet Office were approached for comment by Computer Weekly, the blog post was amended and the key paragraph deleted. This is what it originally said:
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services.”
HMRC is now backtracking, and told Computer Weekly that the blog was edited “as it was causing some confusion”. The official line from HMRC now states: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
That’s materially different from – almost the exact opposite of – the original blog post. Our sources say HMRC wanted to declare independence all along, and has only played along with GDS and Verify after prompting from senior levels of the civil service.
It’s also interesting to note that the Cabinet Office took over 24 hours to respond to requests from Computer Weekly for their side of the story. It’s easy – if fanciful – to imagine the shouting that echoed down the street from the Cabinet Office at 70 Whitehall to the HMRC building at 100 Parliament Street, a few hundred yards away.
But why is a seemingly trivial technical spat between two Whitehall departments so important to the future of digital government?
In its new government transformation strategy published last week, the Cabinet Office put Gov.uk Verify at the heart of its future plans, setting an ambitious – some would say wildly ambitious – target of 25 million Verify users by the end of 2020. Currently Verify has just 1.1 million registered users.
HMRC, by contrast, claims 50 million active accounts for its existing identity system, based on the 16-year-old Government Gateway, which is being phased out over the next 12 months. Arguably, Verify cannot hit its target without HMRC’s user base. So why not use HMRC’s system across government, instead of Verify?
The two systems, in fact, treat identity very differently.
HMRC says it needs a lower level of identity assurance than Verify currently offers – although work is underway to address that issue in Verify. HMRC’s system does not require proof of identity – it simply sets up a login and password for users, much as any online shopper would do on Amazon or eBay.
Verify, however, aims to establish a legal proof of identity to a level that would satisfy a court, partly as a means of fraud prevention. It does this by commissioning several independent suppliers to offer a service to establish digitally that you are who you say you are – suppliers include the Post Office, Experian and Barclays.
Those third parties use existing data sources such as credit histories, passport and driving licence records to check your identity – but early experience shows that those easily available sources are not enough to assure a large proportion of the population. For example, some people on low incomes often don’t have a credit history because they can’t afford a mortgage or credit cards, and don’t have a passport.
Online vs offline proof of identity
Currently, more than half (54%) of the people who attempt to register on Verify are unable to create a verified user identity – a figure that in the long term is clearly unfit for purpose. The Verify team are working with the independent identity providers to test new sources of data and new methods of verification to improve on the success rate – but it’s slow progress.
HMRC, however, works mostly on the basis that since you’re logging in to give them money – that is, pay your taxes – it’s assumed to be unlikely that someone will pretend to be someone else in order to pay that someone else’s tax.
Under certain circumstances, HMRC does ask for proof of identity, which is performed offline – either you have to send proof of identity by post, or in some cases HMRC posts a verification code to be used instead. Verify aims to complete the entire process online.
Verify creates an identity that meets a significantly higher level of assurance than an HMRC ID. Verify is designed to conform to the nine identity assurance principles defined by the independent Privacy and Consumer Advisory Group. HMRC makes no attempt to meet all these criteria.
Business and intermediaries
HMRC’s main justification for preferring its own ID system has always been that Gateway and its successor provide a single service that caters not only for individuals but also for businesses and intermediaries (such as accountants who file tax returns on someone’s behalf).
Verify does not provide, and has never been designed to provide, identity assurance for businesses. Sources say that GDS investigated using Verify as a standard platform for business identity assurance but found the definitions of what a business is across Whitehall to be too varied and divergent to establish an agreed need. HMRC, Companies House, DVLA and others all define businesses in different ways.
The official line from HMRC and Cabinet Office now – since the amendment of that blog post – is that Verify will be used across government for individuals, while HMRC’s system will be used everywhere for businesses and intermediaries. That still seems like an inadequate fudge, requiring two different identity systems to be developed and maintained.
How to get 25 million users onto Verify
GDS will easily meet the target of 25 million Verify users if all HMRC’s users are transferred onto the system – although before that happens, Verify will need to support the lower level of assurance that HMRC uses. It would not be acceptable or feasible to force 50 million HMRC account holders to all create a fully verified account to the levels currently demanded by Verify.
Without HMRC, is that target achievable?
GDS hopes that local authorities, banks and other online companies will adopt Verify. Trials are underway with a number of councils, but Whitehall has no power to force them to use the system.
While there could be an advantage to banks and other private sector businesses in using a government-approved identity assurance system, many will be wary of handing over control of such a critical service to government – and to a set of third-party identity providers. Owning the identity verification of customers is as important to a bank as it is to government.
Another potential source of millions of citizen identities is the use of Verify in the NHS. While GDS and NHS Digital continue to discuss the use of Verify, the system is currently seen as not appropriate for NHS needs, where ID is less about proving your legal identity, and more about identifying you through your existing NHS number.
Sources suggest that GDS is considering novel ways of accelerating Verify adoption, such as adding Verify to digital services that don’t really need it, or encouraging citizens to “register in advance” in case they should need a government identity in future. Neither seems realistically likely to encourage 25 million people to sign up over the next three years – meeting that target requires over 600,000 new registrations every month before the next general election takes place.
It seems very unlikely that target will be met without HMRC on board.
Why does this matter anyway?
Identity is important on two counts – as the core of digital public services, and as an ongoing political hot topic.
Online identity is the key to delivering digital government – it’s where every service starts from; it’s the primary way that GDS hopes to make the multitude of government services appear to be an integrated whole. If you’re a Verify user, all of the public sector opens up to you online – or at least, that’s the aim.
That’s perfectly sensible – but highly ambitious. It’s one thing to offer a standard login system – as HMRC has done – but another to say you will have an identity assurance system that works to such a high level of proof that every Verify account stands up legally in court.
Quite simply, nobody has ever achieved such a system, anywhere. GDS is at the leading edge of digital identity assurance with what it hopes to deliver. And as they are learning, it’s a difficult task and it takes time.
It’s relatively achievable to develop Verify to digitally assure the identity of most of the population – let’s say, 80%. But to do so for the remaining 20% is a huge challenge – about one in 10 UK citizens have never used the internet, for a start.
It could be argued that getting 80% of the population to use Verify would be enough – but it leaves the government open to accusations of creating a digital divide and excluding millions of people.
GDS has consistently under-estimated the effort required to deliver Verify – or over-estimated its ability to do so – and as a result has continuously under-delivered and missed its own targets.
As recently as December 2014, a National Audit Office report said: “By March 2016, the [Verify] programme plans that all departments will have integrated the common identity assurance service with all of their digital public services.”
As of February 2017, just 12 services are fully live on Verify.
Whitehall departments are frustrated that Verify is taking so long to develop – it affects their own digital plans. They are concerned about GDS’s ability to deliver – and whether GDS will even be around in the long term.
National identity database
When Verify was first conceived, in the early days of the Coalition government, the former National Identity Scheme under Labour had just been scrapped. Prime minister David Cameron had come to power on a promise to end any plan for a national database of UK citizens’ details. Verify, therefore, had to avoid any accusation of creating a national ID database by stealth – and be seen to do so openly enough to avoid political fallout.
That dictated certain design decisions – such as the involvement of multiple independent identity providers, and the avoidance of a central database. HMRC’s ID system, by contrast, uses the more technically simple solution of a single database.
Were the government to opt to use HMRC’s approach to individuals’ online identity, it risks opening up those old claims of a national ID card by stealth – and that remains politically unacceptable.
Whitehall politics dictates the next steps – whether HMRC can be brought into line and commit fully to using Verify for individuals. Despite its recent positive statement to that effect, it’s common knowledge that HMRC’s preference is to go its own way.
GDS needs to dramatically improve the success rate of user verification from its current level of 46%. Verify stands no chance of being widely adopted unless that figure is significantly higher – ideally towards 80%.
Furthermore, currently only 34% of attempts to access a digital service using a registered account are completed. The best-performing service only reaches a 67% completion rate. Both figures are clearly unacceptable if GDS wants Verify to be more widely used.
HMRC will spend the next 12 months developing its replacement for the Government Gateway. If Verify is not able to fully take over individual identity assurance from Gateway by then, it’s as good as dead.
Less than a week after Cabinet Office minister Ben Gummer announced the new government transformation strategy, its central premise is already in question after HM Revenue & Customs (HMRC) rejected one of the core systems at the heart of the digital plan.
HMRC has been in a fight with the Cabinet Office for months over the use of Gov.uk Verify, the online identity assurance service being developed by the Government Digital Service (GDS) as the standard ID platform for the public sector.
Verify is central to the GDS plan – Gummer set a target of 25 million users by 2020 in the new strategy. GDS’s vision of digital government starts from the basis that every citizen who wants to transact online with public services will use Verify to prove who they say they are. GDS is so confident in the system’s eventual ubiquity that it is courting banks, e-commerce companies and local authorities to take part.
But Verify has now been rejected by the department with the biggest single base of online users. The fight is over and HMRC has declared independence.
A blog post published by HMRC programme director Mike Howes-Roberts reveals that the taxman is going its own way and will not be using Verify.
“HMRC is developing its own identity solution for individuals, businesses and agents. Other departments will use Gov.uk Verify for all individual citizen services,” he wrote.
[Update 1: 14 February 3.45pm – The above quote has mysteriously been erased from the original HMRC blog post since this article was published – the screen grab below shows the original version]
Howes-Roberts added: “We’re exploring options around other government departments also using this replacement service. This would be restricted to business and agent-facing services only as Cabinet Office requires all other departments to use Gov.uk Verify.”
The “replacement service” Howes-Roberts refers to is the successor to the Government Gateway – the identity system used by HMRC for tax self-assessment and business tax submissions, which is also at the heart of the Making Tax Digital project. Gateway was introduced in 2001 and is being phased out by March 2018 – it’s old and antiquated and needs replacing, but GDS intended that replacement to be Verify.
Gateway has survived many attempts to phase it out, but has continued to be used for so long for a very simple reason – it works.
Howes-Roberts says that Gateway supports 123 live digital services across government, 406 million identity authentications a year, and has more than 50 million active accounts.
Compare that with Verify, which after nearly five years of development has just 1.1 million users, has been used for 2.6 million authentications, and is used by only 12 online services – and five of those are HMRC services where Verify has been tested against Gateway and, it seems, has lost.
HMRC has continually sidestepped GDS over Verify. One well-placed source told me late last year that HMRC CEO and permanent secretary Jon Thompson told GDS chief Kevin Cunnington that his department had rejected Verify after another attempt to prove that Verify was the better option.
The same source also suggested that HMRC is working on its own version of Gov.uk Notify – the GDS platform for electronic status notifications – despite being told by the Cabinet Office that it should not.
Presumably, Gummer knew about HMRC’s intention when he launched the transformation strategy last week, and still believes that Verify can expand to 25 million users over the next three years – but surely that figure assumed HMRC’s users would be migrated to Verify?
The next largest government service on Verify should be Universal Credit – but that won’t be fully rolled out until 2022. Trials are underway with local authorities, but Whitehall has no power to mandate use of Verify to councils – clearly it can’t even mandate to its own departments.
And will banks and online companies really adopt Verify at scale, if even the government’s own biggest potential user has rejected it?
HMRC’s main issue with Verify has always been that it is only intended for individuals to use, whereas Gateway also offers ID assurance for businesses and intermediaries (such as accountants who file tax returns on behalf of clients). GDS has stubbornly refused to expand Verify for use by organisations as well as individuals – a decision that may prove to be a fatal flaw.
It is patently stupid – not to mention a huge waste of money – for government to maintain multiple identity systems for citizens to use when accessing public services. For the greater good, someone has to lose face and take the inevitable flak. If HMRC is developing a successor to Gateway with a user base nearly 50 times that of Verify, why not simply re-use the HMRC system across government?
It would appear that the Gateway replacement is already going to be used across Whitehall for businesses and intermediaries – but with Verify used everywhere except HMRC for individuals. Seriously, who thinks that makes sense?
Gummer talked last week about the importance of “culture change” and “collaboration” in delivering digital transformation across government – and he acknowledged that GDS and departments need to work better together. “When money is tight people have to look for new ways to do things, so it encourages reform. It encourages a degree of collaboration which is new,” he said.
If money is tight, it’s plainly nonsensical to develop two systems for the same purpose. If Gummer has failed to get the biggest potential Verify customer on board, what does that say for future attempts to promote collaboration and shared platforms? If culture change is needed, perhaps the culture in the Cabinet Office must change first.
GDS needs to swallow hard and change course over Verify, no matter how much it feels let down by HMRC’s intransigence. The new transformation strategy promotes the idea of shared platforms, developed for use across government, and it encourages departments to share platforms wherever possible. GDS doesn’t have to build everything itself – and it doesn’t want to.
If HMRC is developing a new pan-government shared identity platform, it should become the standard. Let’s even call it Verify – that way you don’t have to reprint the new transformation strategy.
Update 2: 15 February 11.30am: After the HMRC blog post was amended, HMRC provided the following statement to Computer Weekly: “HMRC is committed to Verify as the single identification service for individuals and is fully focused on delivering this. The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives.”
It’s worth noting that this line is almost the exact opposite of what was originally written in the blog post.
The long wait for the new government digital strategy may have caused frustration in some places, but clearly within the Cabinet Office the extensive delays have brought expectations to a peak of frenzy.
The plan – now renamed the government transformation strategy – is billed as “the most ambitious programme of change of any government anywhere in the world” by minister Ben Gummer.
It will be carried out “at pace and scale”, said Government Digital Service (GDS) chief Kevin Cunnington, and will “deliver meaningful change to the people who need it most, faster and more efficiently”.
Moreover, the strategy will “restore faith in our democracy” and fix “the interface between government and the people [which] has become increasingly fraught”, according to Gummer.
Wow. Who needs elections?
In a masterpiece of mixed metaphor, Gummer further went on to label Cunnington, the man charged with leading this once-in-a-lifetime democratic transformation, as the “Che Guevara of digital”.
This is all lovely rhetoric for journalists to chew on, but to paraphrase one of Cunnington’s predecessors, the strategy will be judged on delivery. Let’s not forget that GDS told us in 2013 that it had “400 days to change government”. This is not the first time we’ve been here.
There is little in the objectives of the strategy to criticise – as a statement of where digital government is in the UK, and where it now needs to go, it makes perfect sense.
The plan identifies five core areas: a back-office technology overhaul; developing digital skills; better IT for civil servants; better use of data; and creating shared platforms.
None of these are new, none of them are easy. All of them have – in some shape or form – been tried before, and have yet to be delivered. So perhaps the key question for this strategy is not what it aims to do, but what it will do differently to make it happen.
The plan is peppered with statements like “culture change” and “collaboration”. Gummer admitted publicly for the first time that troubled relations between GDS and departments – especially the Department for Work and Pensions – have been a hindrance in the past that has to be rectified. To his credit, admitting past problems is the first step to overcoming them, and he’s working on that.
Within each of those five core areas you can write a long list of challenges to overcome, raising questions about the feasibility of delivering the transformation strategy by 2020, its stated aim.
But the one hurdle that more than any other stands in the way of success is the same issue that has frustrated GDS leaders for years – the inertia and cultural resistance to change of the siloed and institutionalised civil service structure.
Gummer understands the problem and hopes that the need to save money and deliver on departmental plans will mean his strategy receives a positive welcome across Whitehall. We have to hope he is right, this time. One of his recent predecessors, Francis Maude, forced departments to work with GDS by bashing heads together – Gummer seems more collaborative – but once Maude left, the civil service reverted to type.
The ambition in the strategy is to be welcomed, but perhaps its biggest flaw is that it is not ambitious enough, nor transformational enough.
Former digital economy minister Ed Vaizey said what many people are thinking, in an interview with the Institute for Government published the day before the strategy was launched.
“I would completely re-engineer government. I would abolish government departments, I would have government by task,” he said.
If you really want to transform government through digital means, Vaizey is right – you do away with existing structures and hierarchies and start from the question of what is best for the citizen.
GDS – and the strategy itself – stress the importance of “user need”. But user need is still defined by the requirements of the civil service first, not of citizens. When developing a new digital service – choose one, whether carer’s allowance or Universal Credit or digital tax or any other – “user need” starts from the perspective of the department that owns the service and how its delivery is structured internally.
If you really start from user/citizen need, you don’t have fixed departmental structures. You start from how a citizen wants to interact with public services – and add the fact that for most citizens, that includes local government.
In reality, the transformation called for by the new strategy is a transformation in the way Whitehall departments work together – with the important digital stardust sprinkled on top – and little more. It relies on departments being nicer to each other (and to GDS) than they have at times in the past. It needs the Treasury to allow departmental budgets to be shared, and permanent secretaries to be incentivised to look beyond their role as accounting officer, and to be jointly responsible for delivery of services that are integrated between departments, not siloed within them.
That’s not a fundamental top-to-bottom, root-and-branch transformation of the way government engages with citizens, by any measure. It’s more of a “come along now, chaps, let’s all play nicely” strategy. But perhaps for Whitehall, that really would be a transformation.
If GDPR compliance is not near the top of IT leaders’ priorities for 2017, you have a problem.
GDPR – the European Union’s General Data Protection Regulation – was always going to be a major challenge, given that it widens the scope of issues that organisations need to consider when planning their data strategy.
GDPR introduces mandatory data breach notification for the first time; it brings higher penalties for non-conformance; strengthens citizens’ rights and the rules around obtaining consent to gather and exploit personal data; and it stresses the importance of self-assessment in managing data.
The law comes into force on 25 May 2018 – now less than 14 months away. If you’re in the UK and were hoping that Brexit means you don’t need to worry – think again.
For a start, the UK will still be in the EU by the deadline, so it will be law in the UK too. GDPR is not only for organisations located within the EU area – it covers the use of personal data about EU citizens by anyone, anywhere in the world. If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you risk being prevented from trading with the EU.
Moreover, despite all the uncertainty about Brexit, the UK government has quietly confirmed that it intends to introduce new data protection legislation that exactly mirrors GDPR, even after we leave the EU.
The move, announced by digital economy minister Matt Hancock this week, will go some way to alleviating concerns about cross-border data flows post-Brexit. Public debate about the future relationship between the EU and UK concentrates on exports, customs, immigration and trade – glossing over the fact that perhaps the most important exchange that will need to continue is data.
Data, essentially, is what the City moves – not bank notes. Online shopping – it’s all reliant on data, especially when you consider that buying from Amazon, to quote just one example, means trading with a company in Luxembourg. Every UK tech startup or internet business that gathers identifiable data about its visitors needs access to data that flows freely across international borders.
Trade in data is central to the future of the recently announced UK industrial strategy that highlights the importance of science, technology and innovation to economic growth outside of the EU.
For IT leaders, GDPR compliance is going to be essential, but a burden. There’s a lot of work to be done. If you haven’t started already – get moving.
The mere existence of an industrial strategy for the UK – especially one that prioritises science, technology and innovation – is a hugely positive step for everyone in IT. But it’s nowhere near enough – yet – to put in place the foundations to ensure the UK tech sector thrives through Brexit and beyond.
IT is, by its very nature, an international industry. As trade body TechUK pointed out, the UK IT sector is heavily dependent on EU relationships, and anything that makes such partnerships more complicated is going to hold back future development. An industrial strategy for tech must be open, global and collaborative. If Brexit negotiations lead to obstacles in the UK’s trade relations then IT will suffer more than most.
The UK tech community is also more dependent than most on immigration – nearly one in five UK IT workers come from overseas. We already have serious skills shortages that threaten to hold back startups and the digital transformation of companies and government – we cannot lose that imported talent. If anything, we need to be open to more skills to help us grow – unless and until we are able to produce enough home-grown talent, which we are some way from doing.
But it’s not just Europe that is a potential concern. In the US, one of President Donald Trump’s early edicts has been to weaken protections for data held in the US about foreign citizens. This has been a thorny issue for some time – in the past year we’ve seen the longstanding Safe Harbour arrangements, allowing US companies to transfer EU citizens’ personal data, collapse over fears about US intelligence agencies’ bulk data collection activities.
The replacement vehicle – Privacy Shield – could become equally unworkable if Europe maintains the same level of concern about what Trump’s US does with its data.
A successful industrial strategy depends not only on free trade in goods and services, but on free trade in data too. Cutting the US or the EU off from the free flow of data would be disastrous – and not just for the tech sector.
The strategy rightly acknowledges the need for better education and skills in science, technology, engineering and maths (Stem) subjects. The proposal for £170m towards new Institutes of Technology promises to create a new generation of Stem-educated workers – but not for years yet. In the short term, government needs to incentivise employers to provide more training in the digital skills we need today. The much-delayed digital economy strategy needs to offer concrete proposals to support the industrial strategy’s aim for more retraining and access to lifelong learning.
A successful industrial strategy depends on people, not politics.
We should take some encouragement that this week’s gathering of the powerful, the rich and the even richer in Davos chose technology risks as one of its key agenda items for discussion.
The World Economic Forum (WEF) has acknowledged that emerging trends such as artificial intelligence (AI), 3D printing, the internet of things and others present potentially huge societal challenges – not to mention established and well-publicised risks such as cyber security.
But it would be even more encouraging if the powerful, the rich and the even richer showed any inclination to actually do something about it.
The red flags waved at WEF will be familiar to any close observers of the digital revolution.
AI and automation are likely to destroy many existing white-collar jobs – threatening to decimate the middle class the way that working classes were affected by the decline in coal, steel or manufacturing in western countries.
Secure, full-time jobs are already being replaced by self-employment and “flexible” work patterns in so-called “gig economy” companies that are led by technology, such as Uber or Deliveroo – both already the subject of legal cases around workers’ rights.
Who stands to benefit most from these trends – from replacing staff with machines, and reducing the rights of those workers they still need? Could it be the powerful, the rich and the even richer?
Where are the incentives for business leaders to look after the employees displaced by automation, or to train them in the new skills needed for a digital world?
Who has the influence to regulate gig economy firms to protect the employment rights of the workers upon which they depend?
And where are the movements showing how technology can address the popular discontent over the downsides of globalisation, such as growing social inequality?
None of these are insurmountable problems. They are not complicated to solve – but they are hard, and require focus and effort. But the Catch-22 is that the people most inclined to solve the problems don’t have the power to effect change, while the people with the power to effect change are not inclined to solve the problems.
It is, therefore, a positive step that WEF leaders are acknowledging the issues – look at us, we care, honest we do. But there is a long way to go before they start to do something about it.
Wearables, smart homes, smart buildings, smart cities and autonomous vehicles are among the technological breakthroughs that are starting to gain traction.
The Consumer Electronics Show (CES) in Las Vegas gives a glimpse of what the tech pioneers think will be hot in coming years, and the era of internet-connected things is starting to capture people’s imagination.
Internet-connected “things” are not considered computers, according to Forrester principal analyst Jeff Pollard, who, in this week’s issue, assesses the challenges the industry faces. You can’t expect a homeowner to patch his or her internet-connected fridge, heating system or baby monitor, even though – as was demonstrated last year – such things can be exploited to launch massive distributed denial of service (DDoS) attacks, taking down some of the internet’s biggest players.
Worryingly, many of the companies at CES only expect their products to last a couple of years. Two years’ support, while generous in IT terms, is meaningless if the device is embedded in someone’s home or integrated into thousands of street lights in a smart city.
People balk at the idea of paying upfront extended warranties to cover new products such as refrigerators or washing machines for five years.
Smart TVs just a few years old no longer get firmware updates because their operating system is unsupported. That is not very smart, especially if that device could be exploited in a DDoS attack.
Manufacturers want people to buy the latest product, but, as with a smart TV, the one being replaced still works. It may well be used as a second television or handed down to a family member, who will happily plug it into the internet, so it can carry on being exploited.
The use of the internet of things (IoT) to improve society is limited only by our imagination, but at the World Economic Forum in Davos this week, experts will portray IoT nightmare scenarios to business leaders and politicians.
If the Ukrainian power grid can be crippled by an internet attack, what else is possible? Whether or not it is proved that a US presidential election can be influenced by hackers, the possibility illustrates the risks an internet-connected society will need to consider.
A new year brings new challenges, but the CIO faces the same issue every year – to drive the business’s technology agenda while doing more with less overall budget.
Computer Weekly’s annual IT Priorities survey found that while budgets for staff and on-premise servers are falling, IT decision makers are planning to spend more on cloud services.
That should not come as a surprise given that cloud services are well and truly coming of age. In September 2016, the Ministry of Defence became the first tenant in Microsoft’s UK-based Azure datacentre, and in December, AWS’s UK datacentre came online.
But 32% of the CIOs who took part in the IT Priorities survey said hybrid cloud would be their top area of investment this year. In one way, this makes perfect sense: hybrid gives IT departments the flexibility to choose which workloads to deploy in the public cloud and which to keep on-premise.
The challenge for CIOs is that, given a choice, business stakeholders may not feel the urge to move anything to the cloud, especially given current economic uncertainty. In the survey, 28% of respondents said they would implement virtual private networks in 2017.
But in this age of user empowerment, flexible working, cross-organisational collaboration and IT consumerisation, the idea that IT still sees a need for a hard network perimeter, with highly controlled access, seems at odds with modern working practices.
Similarly, you could argue that a hybrid cloud, where most workloads remain on-premise, does not reflect modern IT. It is a similar story with legacy applications.
The IT Priorities survey found that 15% of IT decision makers expect to increase their maintenance budget in 2017. There is nothing wrong with spending more on something that continues to add business value, but how many CIOs are faced with demands for higher and higher maintenance bills from their legacy software providers?
Given that a small but significant proportion of IT decision makers are thinking about investing in cutting-edge initiatives such as the internet of things and machine learning, which are normally way beyond the remit of corporate IT, perhaps 2017 should be the year the CIO breaks free of the chains imposed by traditional IT.