Goodwins: Govt Web project favours Microsoft

A press release arrived from the Cabinet Office, touting a brand-new online service from the Inland Revenue. The form that you use to register going self-employed has been put online - the first of any such - and there was a statement from the Minister saying how exciting it all was.

A press release arrived from the Cabinet Office, touting a brand-new online service from the Inland Revenue. The form that you use to register going self-employed has been put online - the first of any such - and there was a statement from the Minister saying how exciting it all was.

Which, of course, it is. After a slow start, the government has adopted the Web with some enthusiasm, and www.open.gov.uk is now a most useful and well-designed site. This latest innovation seemed interesting: you register and get a smart card, and can then access the form online. Fill it in once, and it gets sent to the three relevant authorities who need to know.

Pausing only to note that no electronic address of any kind was present on the press release, I decided to see how secure the system would be. One of the perennial worries about Internet access to personal data is that some unauthorised person will grab and abuse information that should rightly be secret. The Intelligent Form project was run by EDS, Microsoft and NatWest. Although the consortium worked closely together, it's not too inaccurate to say that EDS did the networking and form distribution, Microsoft did the client software and NatWest managed the user registration and smart card ID.

EDS first. Electronic Data Systems is a large company with a track record of public sector projects. Quite a track record at that - it gets 50 per cent of government contracts and has an effective stranglehold on big database work such as the benefits and tax agencies. I phoned up and was pleasantly surprised by the way the system had been built. "First, the form is digitally signed using 128-bit RSA public-key encryption", said EDS, "and then sent via the Secure Socket Layer to our network. We then distribute the form onwards." Splendid stuff - all these technologies are known, open and reliable, and the use of 128-bit keys makes it as proof against naughtiness as you could ever wish. "The smart card is programmed in Java." EDS continued, "and Microsoft did the client module, the thing you download and run from your browser." "Java?" I asked. "Er, no. OCX."

Alarm bells rang, followed shortly afterwards by the telephone on the desk of the project manager at Microsoft. "Why didn't you use Java?" I asked. "We did use Java!" he said. "Along with dynamic HTML and C++..." "Which is compiled into what?" "Er, a control." Reluctantly, he admitted that this was OCX (aka ActiveX, aka COM) - a Microsoft proprietary standard that will only work with Internet Explorer 4.0. This was necessary, he explained, because that was the only system that would do the job. Further prompting extracted the information that what he actually meant was this was the only system that would support Microsoft's own security certification process. And yes, he admitted, an equivalent system could be built using just Java and that furthermore this was their aim. An aim, unfortunately, without deadline or timetable.

So the Inland Revenue's flagship online form project is dependent on IE 4.0, and will be for the foreseeable future. This raises many, many questions - some of which are still with the Cabinet Office, who are 'looking into' the affair - and the possibility that the system is against European regulations. How was the consortium appointed? Was the project available for open tender? Who set the specifications? Who monitors the results? Who made the decision to restrict access to a single, proprietary browser technology? How does this square with European Council Decision 87/95/EEC that "... in public procurement orders relating to information technology... [open] standards are used as the basis for the exchange of information and data for systems interoperability [Article 5.1]?"

In my opinion, this is a prima face example of a very worrying trend - a supplier in favour with the government is given a high-profile project and allowed to use it in their own interests and against those of the people. I can find no technical justification for the way the project was implemented, and many reasons why it was inappropriate, restrictive and actively dangerous: if you wanted to produce a secure, reliable system that works as widely as possible, would you choose ActiveX or Java?

We await more answers from those concerned, and we'll keep you posted. Meanwhile, be aware that if you want to take part in this latest example of the government's drive towards new technology and more efficient ways of working, you'll have to pay Microsoft for the privilege.