
UK Government's Payment Infrastructure Is Now Open Source - edent
https://govukpay-docs.cloudapps.digital/#contribute
======
Nursie
Still got Google Analytics on the page.

I do not feel that reporting every online interaction I have with my
government in the UK, back to a huge corporate in the US, is in any way
appropriate. But I can't even get anyone to engage on the issue.

When I tried to raise it I got directed to a helpdesk ticket on a site run by
an SV helpdesk-as-a-service company.

I appreciate that gov.uk have done some great stuff getting the UK government
online, and their designs and Open Source attitude are refreshing, but this is
a serious privacy issue.

~~~
robin_reala
GDS’s GA Premium account contractually prevents Google from investigating the
data, and Google self-anonymises with a flag in their API[1]. If you don’t
trust them then that’s fine, but for functionality vs cost it seems to be the
best option.

For what it’s worth, for extremely sensitive projects like GOV.UK Verify other
options are fine; Verify uses a local Piwik instance.

You’re also welcome to block that specific JS or just turn off JS completely
on GOV.UK properties - everything has to work without JS to go live on
GOV.UK.[2]

[1] [https://support.google.com/analytics/answer/2763052?hl=en](https://support.google.com/analytics/answer/2763052?hl=en)

[2] [https://www.gov.uk/service-manual/technology/using-progressi...](https://www.gov.uk/service-manual/technology/using-progressive-enhancement)

~~~
dchest
_GDS’s GA Premium account contractually prevents Google from investigating the
data_

Does it prevent US government from getting this data with a court order?

~~~
TheHeasman
>Google self-anonymises with a flag in their API

Even if they could, they wouldn't be able to find it.

~~~
Matt3o12_
At what point is it, though? From the Client or when it hits the server. If it
is the latter, we can’t know if three letter agencies intercept the traffic
before it gets anonymized.

Furthermore, it is often possible to de-anonymize data especially if you have
an extensive knowledge of users and their data such as Google. But even then,
you can also de-anonymize data

[https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf](https://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf)

[https://www.wired.com/2007/12/why-anonymous-data-sometimes-i...](https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/)

~~~
robin_reala
The client can’t anonymise the IP as it connects to the Google server which
then will implicitly know it. What the flag does is tell the server to
anonymise it from that point onwards. From my original link:

_When a customer of Analytics requests IP address anonymization, Analytics
anonymizes the address as soon as technically feasible at the earliest
possible stage of the collection network. The IP anonymization feature in
Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits
of IPv6 addresses to zeros in memory shortly after being sent to the Analytics
Collection Network. The full IP address is never written to disk in this
case._
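
An added illustration (not part of the original comment, and not Google's code) of the masking the quoted passage describes, showing which network prefix is still retained after the low bits are zeroed. The function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import Counter

# Bit counts taken from the quoted Analytics description:
# last octet of IPv4, last 80 bits of IPv6.
ZEROED_BITS = {4: 8, 6: 80}


def anonymize_ip(addr: str) -> str:
    """Zero the low-order bits of an address, as the quoted text describes."""
    ip = ipaddress.ip_address(addr)
    low = (1 << ZEROED_BITS[ip.version]) - 1
    return str(type(ip)(int(ip) & ~low))


def retained_prefix(addr: str) -> str:
    """Return the network that remains identifiable after anonymisation."""
    ip = ipaddress.ip_address(addr)
    keep = ip.max_prefixlen - ZEROED_BITS[ip.version]  # 24 for IPv4, 48 for IPv6
    return str(ipaddress.ip_network(f"{anonymize_ip(addr)}/{keep}"))


def bucket_clients(addrs):
    """Count how many clients collapse into each retained prefix."""
    return Counter(retained_prefix(a) for a in addrs)


# Constructed sample clients (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_CLIENTS = [
    "203.0.113.5",
    "203.0.113.200",
    "198.51.100.9",
    "2001:db8:aa:1::1",
    "2001:db8:aa:ffff::2",
    "2001:db8:bb::1",
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(f"{client:>22} -> {anonymize_ip(client)}")
    for prefix, count in bucket_clients(SAMPLE_CLIENTS).items():
        print(f"{prefix:>22}: {count} client(s) indistinguishable by IP")
```

The stored value still identifies the /24 or /48 network, so the masking only hides a client among the other addresses in that same prefix.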

------
chatmasta
I went through a visa application process for the UK over the past few months.
The main gov.uk site is a very good website for finding information, well
designed, works on mobile, etc. Coming from the US, that was quite refreshing
-- there's no equivalent in the US as everything is scattered across 100
different agency websites in 50 states.

However the "business logic" of gov.uk is still sorely lacking. For the actual
visa application process and payment, I was bounced around between 4-5
different third party websites handling different aspects of the process. I'm
sure further integration with gov.uk is on the roadmap, and it will certainly
be nice.

As a new resident of the U.K., though, I have to admit I've been pleasantly
surprised and very happy with the gov.uk website so far.

~~~
maverick2
Canada's is the same way. I am from India, and have been in the US for about
half a decade. The US's process is completely old school.

Canada had plans to integrate all citizen services through one account
dashboard; curious to see how countries roll out services like those in the
next decade or so.

~~~
chatmasta
It will be especially difficult in the US where many of those services are
federated across all fifty states.

------
robin_reala
If you haven’t heard of this before there’s a good introduction to the project
at [https://gds.blog.gov.uk/2015/07/23/making-payments-more-conv...](https://gds.blog.gov.uk/2015/07/23/making-payments-more-convenient-and-efficient/)

~~~
peteretep
Linked from that: "Nearly two million adults in the UK do not have a bank
account"

[http://www.bbc.com/news/business-31830117](http://www.bbc.com/news/business-31830117)

~~~
pjc50
Related: [http://www.moneysavingexpert.com/banking/basic-bank-accounts](http://www.moneysavingexpert.com/banking/basic-bank-accounts)

There is actually a legal requirement for banks to offer no-credit no-fee
accounts, in order to help people get into the banking system and take
advantage of the associated discounts, but obviously they don't advertise it
much.

~~~
catwell
I lived in England for about a year in 2009 - 2010 and I never had a bank
account there. I was willing to open one, but a law (which probably existed to
prevent fraud and laundering) made it very hard to do so without proof of
permanent residence in the UK, which I did not have. Eventually I decided it
was easier for me to upgrade my French Mastercard to the Gold level, where I
had no extra fees when withdrawing or paying in pounds (nowadays I think you
need Platinum for that).

~~~
Reason077
As a French national you would only need 2 things to open a UK bank account:
your French passport and some kind of document that shows you have a UK
address.

Proof of address used to be easy as any utility bill would do, but nowadays
it's trickier because so much is done online and paper bills don't get sent
out much any more! And, of course, it's a problem if the bills at your house
are in someone else's name. (They won't accept print outs from the Internet
for obvious reasons...)

However, if you're registered for paying tax in the UK then you would
certainly have a letter from Jobcentre Plus or HMRC showing your address. This
would be accepted by your bank.

Another option is to get a UK driver's license, which is pretty easy and
inexpensive if you already have a driver's license from your (EU) home
country.

~~~
toomanybeersies
Not accepting printouts is ridiculous. It's trivial to fake a letter.

I had a similar issue when I was opening a bank account a while ago. I didn't
actually get any bills in the mail, so I printed off my ISP bill, which was a
pdf of what they send you in the mail. Obviously, the printer didn't fold it
to fit in an envelope.

The person at the bank asked if it was a printout or actually from the mail
since it didn't have any creases in it, they said they could only accept it if
it was from the mail.

I told them I would just walk outside, fold it up, and walk back in, it was
exactly the same as what you'd get in the mail. They ended up accepting it,
even though technically they weren't meant to.

It's ridiculous, I don't actually physically receive mail from anything. All
my bills etc. are done electronically, I even sign contracts electronically.

------
rekado
I'm happy to see that they are using GNU Guix:
[https://github.com/alphagov?q=guix](https://github.com/alphagov?q=guix)

------
sitepodmatt
Every interaction I have with a gov.uk portal is a painful UX disaster - most
recently passport and driver license, both had a submitting payment stage. I
can't imagine anyone saying 'wow look at how the gov.uk got it right' let's use
their code, a glorified CMS system with forms and payments bolted on - badly -
so badly.

Just rechecked it's still complete crap. They can't support the back button,
no post / redirect pattern, confirm form resubmission.
[https://passportapplication.service.gov.uk/](https://passportapplication.service.gov.uk/)

~~~
robin_reala
The ‘Apply for a passport’ service you linked to is pretty old now and doesn’t
reflect GDS’s current recommendations; as far as I understand it it was more
of a reskin of an already existing system than anything done from the ground
up. However there’s a newer service available from
[https://www.gov.uk/apply-renew-passport](https://www.gov.uk/apply-renew-passport)
that is much more modern and actively developed. I’m not sure why they’re both
still up (although HM Passport Office could probably tell you), but I’m also
not sure how you got to the old one because all of the generic ‘passport’
searches I did on GOV.UK took me eventually to the newer version.

~~~
sitepodmatt
The link you posted redirects to the original UX disaster after answering ten or
so questions (each their own page and a click next). Seems you will only stay
on the new site for booking and paying for a traditional walk-in appointment.

~~~
johneth
> (each their own page and a click next)

I think it's made that way so that it works without JavaScript.

------
confounded
There are very few positive comments here, but I think it's fantastic that
this progress has been made (even if it's not perfect). I had no idea the
sites could be used without JS at all; that's brilliant!

------
camus2
Interesting, if you check out the tech it's mostly Java for the backend and
JavaScript for the front-end.

------
Yakkety1610
Does this affect MiCard's?

[http://www.manxradio.com/news/isle-of-man-business/micard-de...](http://www.manxradio.com/news/isle-of-man-business/micard-delivers-post-office-digital-strategy/)

------
pyb
This looks more like a manual. Where does it say that the infrastructure is
open source? I didn't see any source code.

~~~
robin_reala
Look at the section marked ‘Key Open Source components’ and click on each
microservice’s name to get to the repo.

~~~
pyb
Well spotted, thanks!

