Posts filed under 'government'

Elusive SSO

I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.

I suspect that half the reason I read the updates so regularly is the futile hope that somehow- maybe by osmosis- his common sense approach will percolate into my sub-conscious and lead to better outcomes for the online services I’m involved in.

Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.

Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:

“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”

“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”

What’s true of the enterprise is even more so outside it, for the Internet.

The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).

Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.

What worry me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but are on the Internet. And, within government online services on a national scale, even more so.

From a security perspective, it’s about the loss of keys to the kingdom- passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risks) then the consequences from a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.

Then, there’s privacy. Using the same username & password to do everything (or lots of things) then raises the possibility of aggregation of information and building profiles.

So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?


1 comment July 15, 2008

Just what is ‘identity’?

As a term that most of us find intuitively easy to define, it turns out that getting a precise and generally accepted definition of the term ‘identity’ is far from easy.

The first question of course is whether it’s even worth the effort to try and get a precise definition. I think the answer is ‘yes’ for several reasons.

First, identity involves personal information and people expect that government collects and holds their personal information in a secure manner with their privacy appropriately protected.

Secondly, people need to prove who they are many times during a day. While typically people only need to do that with government infrequently, for a government agency it is of critical everyday importance to have confidence in the identity of the person they are dealing with. For example, an agency needs to be sure that government services are being delivered to the right person. Another example is ensuring that the right person has access to their own personal information such as health records or tax records.

On the one hand, people want convenient access to their information and government services. On the other hand, government as a whole has to manage the identity-related risks and ensure that the taxpayer’s money is spent well.

Finally, consider this quote from a recent report by Sir James Crosby to the UK Government, “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”.

Looking around, both in New Zealand and overseas, we saw that most of the focus was on ‘digital identity’ and ‘user-centric identity’. Also, ‘identity management’ is typically defined in technology terms such as ‘authentication’ and ‘authorisation’. And yet, all of these still don’t answer the fundamental question of just what ‘identity’ is in the first place.

To help us get a better insight into the thinking of the academic world and the approaches taken in some other countries, we turned to Victoria University of Wellington. Professor Miriam Lips, with the help of her student Chiky Pang, has now completed her report Identity Management in Information Age Government (PDF, 557 KB) and we have published it on the e-government website.

It turns out that our questions have a variety of answers. However, the report does validate our current approach that one of the useful ways to look at identity is to consider that people have a single, unique identity but many context-dependent partial identities or personas. The result is more of an onion than a line, so that operating at the outer layers of the onion may not have any connection at all with the unique core.

Another interesting insight from the report is the move to an informational definition of identity from a document-based definition. The impact of the Information Age is to make it increasingly necessary for governments to consider identity information- its collection, verification, storage, maintenance, and disposal- rather than just the issue and use of identity documents.

As we look at these issues in finer and finer detail, it remains important to not lose sight of the basics. Such as, people own and control their own identity while government’s role is to manage their identity information well. And, the need to put theory into practice.

So that in the future, when Bill and Jessica want to return home to New Zealand, they have one less thing to worry about.

[Original post at http://blog.e.govt.nz/index.php/2008/07/09/just-what-is-identity/]


Add comment July 9, 2008

Authenticating the Queen’s subjects

I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.

Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflects a different approach and is also very much a product of its times.

First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.

A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.

It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.

Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.

The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.

Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.

So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.

Once the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System are added to igovt, then it’s a whole new ballgame for NZ.

But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.

All in all, interesting times and much thinking…


1 comment July 2, 2008

Changing tracks

I started this blog about 11 months back to share and think about “my journey through the identity, privacy, and online authentication space.” Since then, I’ve put in a decent 137 posts; received 211 great comments; and a disgraceful 2,466 spam comments.

I’ve got into trouble with “the authorities” once and learnt from that. Still, I think the many hours of my own time spent on the blog have been personally fulfilling and a very worthwhile effort.

But things change and so it’s time to change tracks on the journey but not stop.

I’m taking on a new role from Tuesday, 1st July in the same organisation- Manager Strategy and Innovation. I will still continue to have a lot of responsibilities and interest in the identity space. At the same time, I will have a very wide remit and therefore only be able to direct a fraction of my time to this area. Already, my frequency of posting has come down quite a bit in the run up to taking on the new role.

On the more positive side, even as I post less on this blog, necessity will drive me to the elusive goal of high-quality posts. Now, that’s a worthy goal!


3 comments June 29, 2008

Sweden: Lex Orwell

Sweden is more associated with the icy Björn Borg than throwing people into frenzied criticism.

But that’s just what they seem to have done with their new law giving its National Defense Radio Agency (FRA) the right to intercept all wired communications- including Internet traffic, email, SMS, faxes, and telephone conversations- at will and scan for keywords. So far, the FRA was limited to monitoring radio communications. The new law will allow FRA to monitor all traffic at the border, passing to or from or just through Sweden.

While the Swedish Government has cited the war on terror, FRA happens to be the agency that also has a global reputation for code breaking. It has its origins in intercepting and breaking encrypted transmissions from Nazi Germany. And, Sweden just happens to be a major transit country for cable traffic out of Finland, Russia, and the Baltic States.

Deputy PM Maud Olofsson can’t see why that’s such a big deal, “Sweden has always listened in as a means of ensuring we have the information we need to protect national security. I don’t think that’s a secret.” Sweden simply sees it as an appropriate response to external terrorist threats though most people call that a fig leaf for a more sinister agenda.

The new law, dubbed Lex Orwell, was delayed for a year and then passed narrowly after some last-minute political manoeuvring.

Google’s global privacy counsel, Peter Fleischer, has even gone so far as to club Sweden in the same privacy-invasive category as- wait for it- the US, “By introducing these new measures, the Swedish Government is following the examples set by governments ranging from China and Saudi Arabia to the US Government’s widely criticised eavesdropping programme.”

Even Kiwi commentator Bruce Simpson joined in the frenzy, “If I got blown up in a terror attack, I’d consider that a small price to pay for ensuring that my friends and family weren’t treated like criminals by their own government…I wonder how many others feel likewise but say nothing for fear of being seen as a traitor to ‘the war against terror’.”

Big words indeed.

But, with the Swedes intent on proving they are masters of security theatre, one can only sit back and watch in fascination as another nation steamrolls privacy in the name of security.


Add comment June 23, 2008

Banking on online identity verification

It’s interesting to see how some see business opportunity out of government regulation while others see only downsides.

During April’s Identity Conference, Kiwibank boss Sam Knowles complained about how the proposed anti-money laundering law provides no value, only an unnecessary regulatory burden.

For a bank which markets itself as a New Zealand bastion against domination by foreign (i.e. Australian) banks, it would do well to look across the Tasman at the example set by the branchless retail bank ING Direct.

According to an article in Australian IT, “ING Direct has led the way in using anti-money-laundering identification processes to come up with a method for opening an account purely online. The Dutch bank has claimed bragging rights for the first end-to-end online account opening facility in Australia…which uses an almost instant online identity verification process instead of the traditional 100-point security check to allow customers to open savings and term deposit accounts.”

“ING Direct has taken advantage of new AML [anti-money laundering] legislation that allows financial institutions to replace the traditional 100 point security check, which uses physical documents such as passports, with electronic AML compliance checks.”

According to the bank, “We were able to show the Government that electronic verification was robust and an alternative method to face-to-face. The legislation now says you have to conduct verification but it doesn’t prescribe the channel.”

From my perspective, this is cool. It works for people, it works for banks (even more so for branchless retail banks). And, it’s another small step forward in unlocking the Internet’s potential for higher-value transactions.

But the way that ING Direct verifies a person’s identity isn’t without potential flaws. Australian customers fill out an online application form and their identity is checked by FCS OnLine, a third-party identity verification service.

FCS OnLine seems to be offering online identity verification by checking information submitted by applicants against public databases. It’s difficult to see how relying solely on knowledge-based identity verification provides sufficiently robust results. On the other hand, presumably they overcome privacy requirements based on active consent from applicants.

So, if the outcome is desirable but the online identity verification process employed is suspect, it would be desirable for a better process to be used.

What would that be? For a start, one that is robust, economical, and user-centric. Even that’s quite a tall order. And, as far as I know, one that doesn’t exist- yet.

That’s where the wheel turns a full circle and New Zealand banks, including Kiwibank, may one day come out ahead if policy issues related to private sector use of igovt (specifically, the Identity Verification Service) mentioned in a Computerworld article are resolved.

Which raises the question of when is government a justifiable party?

(Hat tip to a colleague for the link to the Australian IT article and getting my blogging juices flowing again.)


2 comments June 16, 2008

Freeing the cyber seas

Thoughts of war have been on my mind recently. The seduction of using force to achieve just outcomes. The futility of war, in many cases, failing to make a lasting difference in addressing the root cause.

The US had Memorial Day, a day of remembrance for military men and women who laid down their lives. Over here, NZ has Tribute08, a time for the country to say sorry to our Vietnam Vets and welcome them home after decades.

The price of war shows up in various ways, with neither side spared. An example is the 100+ US soldiers who commit suicide each year. Or, the continuing unwillingness in NZ to really face up to the damage that Agent Orange continues to do to Kiwi Vietnam Vets and their families.

That’s the mindset with which I read the article, Freedom of the Cyber Seas, recently.

It takes us back to the late 18th century, when the Barbary States ruled the Mediterranean- seizing cargo from those vessels not protected by the European powers; extorting ransom from those that had not paid the ‘protection fee.’ For the newly independent America, the policy was to appease the pirates. By 1786, Barbary extortion demands totalled $1 million- one-tenth of the U.S. government’s entire budget at the time.

Thomas Jefferson was a proponent of Dutch jurist Hugo Grotius’ Mare Liberum or “free seas” doctrine published in 1609. Once Thomas Jefferson became President in 1801, true to his words, he sent in a group of American warships. Four years later, culminating in the Battle of Derna, the Barbary States were defeated and “free access to the world’s oceans a fundamental component of U.S. sovereignty” was established.

The authors’ purpose is of course not to give us a history lesson. Rather, it is to draw a parallel with “a new version of the high seas–the cyber seas” that threatens US military and economic interests. They call on the US to abandon the policy of appeasement to keep data flowing through global networks without hindrance.

Fortunately, they aren’t advocating what the US Air Force does, “America needs a network that can project power by building an af.mil robot network (botnet)… America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.” They thankfully think that respecting international law is a good thing and recommend “policies, legal frameworks and enforcement mechanisms for Internet commerce and communications.”

Their plan is however not without a hard edge. Inspired by the US war on drugs, “the president also must charge an appropriate federal organization with the charter of patrolling the cyber seas–issuing challenges where necessary and taking proactive defensive action to disrupt organized threats. This organization must work closely with the law enforcement and intelligence communities to identify bad actors and devise strategies to exploit the vulnerabilities associated with online criminal activity.”

Even though this is a very US-centric view of the world, it does raise some interesting thoughts and parallels. What is the world going to do about the modern-day pirates? What is the Internet equivalent of the war with the Barbary States (today’s Russia and Eastern Europe)?

And, finally, the sobering thought that piracy on the high seas was not wiped out by a US victory in the Battle of Derna. Far from it, as anyone familiar with piracy in the Malacca Straits knows.

So, what are we going to do? And will there be a lasting solution?


1 comment June 1, 2008

Your digital shadow

I’ve been taking a break from blogging- holiday as well as presenting at/attending AusCERT.

One of the interesting things over this period was the Radio New Zealand broadcast of The Digital Shadow (audio, approx. 28 minutes). It looked at the digital tracks that people leave behind in their everyday lives.

The broadcast starts with an interesting observation, “For the first time the amount of digital information generated about us is exceeding the information created by us.” And, there’s a lot of it- digital information about you but not by you. This is our digital shadow.

An interesting nugget in the broadcast is that Wellington City Council has only 3 CCTVs at present. I thought they’d have many more as CCTVs seem to be the weapon of choice for city authorities around the world. Not so surprisingly, the 3 CCTV cameras in Wellington are in a continuous recording loop but are only actively monitored during major events.

The broadcast also features Dick Hardt and Eve Maler discussing the collection of personal information while people are online.

Right at the end- the last 6 minutes- is the reason why I dug out the recording in the first place. As I mentioned previously, for the Government track at the Identity Conference in Wellington, we had four students start off by debating the relative importance of digital and physical identity in the future. The idea was to hear first-hand the views of future users of government online services.

These students were subsequently interviewed by Radio New Zealand and their views are featured in the last part of the broadcast. Fascinating stuff, especially about Facebook and Bebo. Worth a listen.


1 comment May 27, 2008

ID Conference coverage

Had a look around to see the media coverage sparked off by the Identity Conference in Wellington. Given the wide range of things covered, I thought it would provide a good indicator for what the media thinks is news-worthy about identity.

1. The Dom Post was at its in-your-face best, making the Privacy Commissioner’s call for protecting your ‘digital shadow’ the number one news story (first page, top left). Digital information about people is the “new currency” so maybe it made a good replacement for the usual pessimistic economic lead.

On another note, her full presentation includes, “So should the responsibility to manage identity fall to the public or private sector? Who would you rather have handling your identity? Is it as simple a question as whether we have Microsoft or SSC? I am, of course, being flippant, but the public sector cannot afford to assume it has natural dominion. It is a case of gaining, and then maintaining, New Zealanders’ trust. Identity-driven systems must reflect the multiplicity of modern New Zealand. Those systems must give people options, flexibility and control.”

2. Across at NZ Herald, Peter Griffin blogged (The search for Identity 2.0) about Dick Hardt’s presentation. Good choice but I do wish savvy tech folks understood the difference between identification and authentication. Otherwise we’re going to continue getting some pretty weird conclusions like the need for government-issued photo ID cards to access online services. I sometimes wonder if people take the cards metaphor too far.

3. Still with Peter Griffin but this time in his role as a news reporter, is Identity thieves sharpen their act. The story covers most of the dangerous downsides of the Internet. One particular quote from Dean Winter of TradeMe caught my eye, “Who in New Zealand do we go to and say we’ve identified a botnet?… We get a fantastic response from the hosts of some of these fraudulent networks. But it is still standing at the bottom of the cliff.”

Eve Maler’s obviously found the time and a decent enough broadband connection in Wellington to post her thoughts, Everyday identity and human-centered design. She has a link to her presentation as well as to Don Norman’s inspiring usability work from the 80s that continues to be so relevant.

Varied coverage reflecting the varied perspectives of the Conference…


Add comment May 1, 2008

Why igovt?

For some time now, we’ve been aware of a paradox: we are building and operating user-centric services but use government-centric language to describe them. The launch of the igovt website is a small yet important step towards changing that.

Take the Government Logon Service (GLS) as an example. According to our website, which is intended for a government agencies audience, “In a nutshell, the GLS is an all-of-government shared service to manage the logon process for online services of participating agencies.”

The very name, description, and use of a Three Letter Acronym are so government-centric. What does an average person, say a student who just wants to check his/her account online, make of this? Do we really want to try and explain to people what a “logon” is?

There is of course logic in using government-centric language, especially in the early days of a new service for which there are few, if any, precedents and mental models. Describing as accurately as possible what a service does from a functional perspective allows for precision. It helps external experts and interest groups get an in-depth understanding of what the service does and, sometimes more importantly, what it doesn’t.

But it is more than choice of language alone. It’s also about perspective.

Protecting privacy has been a major driver for the all-of-government authentication services. An important way of designing in privacy is the separation of who a person is (identity) from what they do online (activities) so that data aggregation and building profiles of people aren’t possible. Two different government departments operate two different services based on their respective strengths.

This world-leading approach has been highly acclaimed by privacy experts. Yet, from the view of a person or organisation interested in getting better and quicker government services, it just means more complexity that they have to try and understand and overcome to get to what they are really interested in- the service they want.

The second issue therefore is that people don’t want to integrate and coordinate government’s services; they want government to do that. This desire is reflected at a strategic level in the Development Goals for the State Services. At an everyday level, it means that we had to find a way for our privacy-protective design to be presented to people as a single, integrated online service without diluting the design itself.

And, it was apparent that the time to act was now, before the Identity Verification Service was launched and before future authentication services further increased complexity.

The result is igovt. It is not “just another brand” but, over time, will represent a significant shift. A shift to using user-centric language; a shift to government integrating multiple online services from multiple government agencies for people without any dilution of security and privacy protection; a shift to making it easier and more convenient for people and organisations to get government’s services.

Though there are many models we can learn from, there aren’t any tried and trusted models that we can simply adopt. It is therefore neither possible nor appropriate to try and make the shift in one giant leap. Instead, it’s more of a journey from inside-out thinking to outside-in, learning along the way.

The next step in this journey is to re-brand and re-describe GLS as the first igovt service.

[Original post at http://blog.e.govt.nz/index.php/2008/04/23/why-igovt/]


Add comment April 23, 2008


These are my personal views. See the About page for more info.
