Saturday, August 19, 2006
e None, gov Won - Number 4 in an occasional seris
The scoreline for this occasional series is reading government 2, e-government 1. Sadly for the future of online services, today's topic is not going to improve things for the e-world. I'm not particularly picking out services that are under-performing, but selecting things as they come up in the news or just because some data comes my way that piques my interest. If there are other services I should look at that can redress the balance, leave a comment. What got me thinking today was the latest monthly report (June 2006) from the e-Delivery folks (who are perhaps now the PMDU folks - reliable sources tell me that they have not only fused organisationally but physically too, strengthening the link they had with the CIO, John Suffolk, working for Ian Watmore). It shows the Government Gateway cruising past 12,000,000 transactions since launch. Sure it's only a fraction of the annual total let alone the total that government has handled on paper since then, but it's growing. Except, and this is the kicker, it's not growing as it might have done. For the last few months, the number of transactions from those applying for, or updating, tax credits has held steady at 1,971,889. My memory is vague but I'm pretty sure this service crossed a million transactions in its first year. Indeed, over 447,000 people have enrolled such that they could update their claims electronically every year. Those people have all been disenfranchised. Since November 2005, this service has been closed after apparently wide-scale fraud was discovered and after some £130 million had been falsely claimed. A lot of money, but not as much as has been written off through error or because of the policy of basing claims on prior year earnings with the resultant need to retroactively reclaim money when earnings change in year. Over £2 billion has perhaps been written off because of these problems. These numbers are highly variable. The BBC quotes £2.2bn written off, of which around 15% was the result of fraud. The claim reclamation process was always controversial: you give people money, they spend it; few put aside any "in case the taxman wants it back" - how would you know how much with such involved rules? I advocated making early government services the giver of money to the public (see give and take.gov and this one), rather than the taker so it's time I thought through the implications of this. My thinking originally was that tax payments, whilst the first transaction that almost every government (globally) put on line would attract a niche group of "early adopters" (Geeks?), giving people the chance to actually get money faster from government than usual should result in a rush of traffic. Far more people take money from government through transactions that they initiate than send it - PAYE, one of the larger transactions (27 million employed people), is not self-initiated but handled through less than 2 million employers. Tax credits proved that the rush would come - although perhaps not for the right reasons (as the BBC says, "Low Risk, High Reward, Easy Hours") - with the online service made available months before the paper service, coupled with an advertising campaign that directed people to the website. Interestingly, if you try and access the tax credits site from the home page of HMRC, using the left hand navigation bar, it gives a 404 page. The service availability page tells me that tax credits is "temporarily closed" . 9 months is more than temporary. The rest of the site covers what to do now that you can't do things online: Renewing your claim is more straightforward than you think 1. Wait for your Annual Review Pack to arrive in the post. It will contain everything you need. 2. In the meantime you should get together the documents you'll need to check the details about your award and to work out your income. These include your last payslip or P60 for the tax year 2005-06, any receipts and records for childcare costs, and, if you are self-employed, your Self Assessment tax return. 3. When you receive your Pack read the instructions on your Annual Review form and check that the information we have about your personal circumstances throughout your award are correct and complete. 4. When we write to you, we'll tell you if you need to fill out any forms and when you'll need to return them. If you do, the next step is to give us the information we need and wait for your details to be processed - we'll aim to do this within 30 working days. That would not appear, to me at least, not nearly as straightforward as doing it online. Still, I never qualified for tax credits, although I was one of the first few to try the online calculator so can't be absolutely sure that the online process was easier. I'm rambling. The real point I wanted to get to was to ask "is this the death knell for online receipt of benefits (the give of giveandtake.gov) or is this something else?" The folks at HMRC have been pretty coy about what actually went on, but the folks at the BBC have a handle on a few things: The fraud was made much easier by a devastating security breach at the DWP: the theft of payroll data from the 2003-4 financial year which put names, addresses, dates of birth and national insurance numbers of at least 13,000 DWP employees in criminal hands, most likely thanks to action by insiders. Staff in centres ... have now found that bank accounts have been opened in their names and money siphoned out, potentially destroying their credit ratings. and The new method [of fraud] is an identity theft attack on existing claimants, where a bogus telephone call changes the claimant's registered address. Then, once enough time has elapsed to assuage suspicion, the fraudster changes the bank details as well. Payments, it seems, do not have to go to an account in the name of the claimant - and some accounts are being used to aggregate such fraudulent returns, something which is beginning to be flagged by banks' and building societies' anti-fraud systems. and, perhaps the clincher: The first the claimant knows is that the payments suddenly stop. But if they try to resolve the issue, they then fail the security checks thanks to the fraudulently altered personal information. So we're not really talking about an online fraud here - this isn't about passwords being guessed or accounts being hacked into (take note HSBC). This is about old-fashioned social engineering, stealing data on paper or insiders making off with payroll data. The internet is then used as a quick and easy way to bulk upload the claims into the tax credits system - I can see an offshore "farm" of people now, busily tapping away and getting a few pounds for every claim they put through. That means, presumably, the fraud is still going on now, except that same farm is busy writing out, in neat copperplate, dozens or hundreds of multi-page paper applications. The real issue here is that authentication checks are inadequate across the whole of our paper-based transaction system, whether that is banks, government or loyalty cards. In the modern age, "tell me your mother's maiden name" doesn't cut it - it hasn't cut it for a decade, yet so many services (online and offline still use it). That latter point is what attracted us to digital certificates in late 2000 when the Gateway was first built. If only we and the industry had been able to figure the technology out to make them reliable and useable. But, digital certificates, even if they work well, only secure the online part of the deal - the paper and telephone channels still rely on signatures, the occasional face to face visit and a few chunks of ID that appear to be readily available and certainly available for less than a full year of tax credits claims. Nope, to make this really work, we're going to have to bring together some far more rigorous tests involving, at the very least, dynamic data. Already, HMRC are using this for the online VAT service where you have to provide a wealth of information including how much VAT you paid last time, what your last payment date was and so on. I haven't seen a service aimed at individuals do this yet, but I'd like to know of some. Five years ago, we proposed a link with Experian (the credit checking company which was, at the time, part of GUS but I think is in the process of demerger now) to help with dynamic checks. Indeed, a pilot was run for offline applications at the Passport Office for a short period - although I believe staff didn't like the "probability" assessment that Experian used and so rejected it in the end. Not long after that, we proposed a kind of "Green Shield Stamps" model where you'd get various stamps in a virtual book that indicated the depth of relationship government had with you - if your bank vouched for you and you banked online that would be worth "X" points, if you had paid Self Assessment from that same bank account for the last 3 years that would be worth "2X", when you got to, say, "5X" we'd allow you to claim money from government, to that same bank account. We thought this had a lot of merit, but it didn't get past go and didn't enable us or anyone else (least of all the fraudsters) to collect £200. It had its flaws for sure, not least is that it wouldn't have been any good for the first transaction anyone made - but maybe that's the point? Dynamic data coupled with cross-service enrollment is surely the right way for government to deal with this fraud. For a fraudster to perpetuate over several months a fraud that involves multiple services, making payments to government and using accounts that have been verified by the major banks and their Know Your Customer policies is certainly possible, but the effort is far harder and therefore the payoff in terms of risk/reward not so good. Fraud is much like terrorism though, you squeeze down in one area and another route is found. With the online channel shut, the fraudsters are doing it the old way, that's proving harder now with more focus on it, so they're checking out other means. Has the absence of an online tax credits service put back the journey to ubiquity of e-government? It probably did in November/December when it hit the news. But since then, things have been quiet and people have perhaps forgotten the service even exists - or can't find it when they click on the link anyway. When the service comes back, perhaps quite soon (how temporary can they mean?), there'll be a renwed bout of press interest and, not unlike Self Assessment's Napsterisation (when you could apparently see the tax returns of other people), the press will drive interest and there might be a new rush of usage - that, in turn, could drive cross-usage of other services (after all, it's after 2005 now, 100% is apparently online). It worked for the PRO all that time ago after all. But, I'm calling this as e-government None, government 1, taking the overall tally to 3-1 to the corridors of power in the old fashioned edifices of Whitehall.
Posted by Alan at Saturday, August 19, 2006