Posts filed under ‘government’

Changing tracks

I started this blog about 11 months back to share and think about “my journey through the identity, privacy, and online authentication space.” Since then, I’ve put in a decent 137 posts; received 211 great comments; and a disgraceful 2,466 spam comments.

I’ve got into trouble with “the authorities” once and learnt from that. Still, I think the many hours of my own time spent on the blog have been personally fulfilling and a very worthwhile effort.

But things change and so it’s time to change tracks on the journey but not stop.

I’m taking on a new role from Tuesday, 1st July in the same organisation- Manager Strategy and Innovation. I will still continue to have a lot of responsibilities and interest in the identity space. At the same time, I will have a very wide remit and therefore only be able to direct a fraction of my time to this area. Already, my frequency of posting has come down quite a bit in the run up to taking on the new role.

On the more positive side, even as I post less on this blog, necessity will drive me to the elusive goal of high-quality posts. Now, that’s a worthy goal!

June 29, 2008 at 12:24 pm 3 comments

Sweden: Lex Orwell

Sweden is more associated with the icy Björn Borg than throwing people into frenzied criticism.

But that’s just what they seem to have done with their new law giving its National Defense Radio Agency (FRA) the right to intercept all wired communications- including Internet traffic, email, SMS, faxes, and telephone conversations- at will and scan for keywords. So far, the FRA was limited to monitoring radio communications. The new law will allow FRA to monitor all traffic at the border, passing to or from or just through Sweden.

While the Swedish Government has cited the war on terror, FRA happens to be the agency that also has a global reputation for code breaking. It has its origins in intercepting and breaking encrypted transmissions from Nazi Germany. And, Sweden just happens to be a major transit country for cable traffic out of Finland, Russia, and the Baltic States.

Deputy PM Maud Olofsson can’t see why that’s such a big deal, “Sweden has always listened in as a means of ensuring we have the information we need to protect national security. I don’t think that’s a secret.” Sweden simply sees it as an appropriate response to external terrorist threats though most people call that a fig leaf for a more sinister agenda.

The new law, dubbed Lex Orwell, was delayed for a year and then passed narrowly after some last-minute political manoeuvring.

Google’s global privacy counsel, Peter Fleischer, has even gone so far as to club Sweden in the same privacy-invasive category as- wait for it- the US, “By introducing these new measures, the Swedish Government is following the examples set by governments ranging from China and Saudi Arabia to the US Government’s widely criticised eavesdropping programme.”

Even Kiwi commentator Bruce Simpson joined in the frenzy, “If I got blown up in a terror attack, I’d consider that a small price to pay for ensuring that my friends and family weren’t treated like criminals by their own government…I wonder how many others feel likewise but say nothing for fear of being seen as a traitor to ‘the war against terror’.”

Big words indeed.

But, with the Swedes intent on proving they are masters of security theatre, one can only sit back and watch in fascination as another nation steamrolls privacy in the name of security.

June 23, 2008 at 11:55 pm 2 comments

Banking on online identity verification

It’s interesting to see how some see business opportunity out of government regulation while others see only downsides.

During April’s Identity Conference, Kiwibank boss Sam Knowles complained about how the proposed anti-money laundering law provides no value, only an unnecessary regulatory burden.

For a bank which markets itself as a New Zealand bastion against domination by foreign (i.e. Australian) banks, it would do well to look across the Tasman at the example set by the branchless retail bank ING Direct.

According to an article in Australian IT, “ING Direct has led the way in using anti-money-laundering identification processes to come up with a method for opening an account purely online. The Dutch bank has claimed bragging rights for the first end-to-end online account opening facility in Australia…which uses an almost instant online identity verification process instead of the traditional 100-point security check to allow customers to open savings and term deposit accounts.”

“ING Direct has taken advantage of new AML [anti-money laundering] legislation that allows financial institutions to replace the traditional 100 point security check, which uses physical documents such as passports, with electronic AML compliance checks.”

According to the bank, “We were able to show the Government that electronic verification was robust and an alternative method to face-to-face. The legislation now says you have to conduct verification but it doesn’t prescribe the channel.”

From my perspective, this is cool. It works for people, it works for banks (even more so for branchless retail banks). And, it’s another small step forward in unlocking the Internet’s potential for higher-value transactions.

But the way that ING Direct verifies a person’s identity isn’t without potential flaws. Australian customers fill out an online application form and their identity is checked by FCS OnLine, a third-party identity verification service.

FCS OnLine seems to be offering online identity verification by checking information submitted by applicants against public databases. It’s difficult to see how relying solely on knowledge-based identity verification provides sufficiently robust results. On the other hand, presumably they overcome privacy requirements based on active consent from applicants.

So, if the outcome is desirable but the online identity verification process employed is suspect, it would be desirable for a better process to be used.

What would that be? For a start, one that is robust, economical, and user-centric. Even that’s quite a tall order. And, as far as I know, one that doesn’t exist- yet.

That’s where the wheel turns a full circle and New Zealand banks, including Kiwibank, may one day come out ahead if policy issues related to private sector use of igovt (specifically, the Identity Verification Service) mentioned in a Computerworld article are resolved.

Which raises the question of when is government a justifiable party?

(Hat tip to a colleague for the link to the Australian IT article and getting my blogging juices flowing again.)

June 16, 2008 at 11:51 pm 6 comments

Freeing the cyber seas

Thoughts of war have been on my mind recently. The seduction of using force to achieve just outcomes. The futility of war, in many cases, failing to make a lasting difference in addressing the root cause.

The US had Memorial Day, a day of remembrance for military men and women who laid down their lives. Over here, NZ has Tribute08, a time for the country to say sorry to our Vietnam Vets and welcome them home after decades.

The price of war shows up in various ways, with neither side spared. An example is the 100+ US soldiers who commit suicide each year. Or, the continuing unwillingness in NZ to really face up to the damage that Agent Orange continues to do to Kiwi Vietnam Vets and their families.

That’s the mindset with which I read the article, Freedom of the Cyber Seas, recently.

It takes us back to the late 18th century, when the Barbary States ruled the Mediterranean- seizing cargo from those vessels not protected by the European powers; extorting ransom from those that had not paid the ‘protection fee.’ For the newly independent America, the policy was to appease the pirates. By 1786, Barbary extortion demands totalled $1 million- one-tenth of the U.S. government’s entire budget at the time.

Thomas Jefferson was a proponent of Dutch jurist Hugo Grotius’ Mare Liberum or “free seas” doctrine published in 1609. Once Thomas Jefferson became President in 1801, true to his words, he sent in a group of American warships. Four years later, culminating in the Battle of Derna, the Barbary States were defeated and “free access to the world’s oceans a fundamental component of U.S. sovereignty” was established.

The authors’ purpose is of course not to give us a history lesson. Rather, it is to draw a parallel with “a new version of the high seas–the cyber seas” that threatens US military and economic interests. They call on the US to abandon the policy of appeasement to keep data flowing through global networks without hindrance.

Fortunately, they aren’t advocating what the US Air Force does, “America needs a network that can project power by building an robot network (botnet)… America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.” They thankfully think that respecting international law is a good thing and recommend “policies, legal frameworks and enforcement mechanisms for Internet commerce and communications.”

Their plan is however not without a hard edge. Inspired by the US war on drugs, “the president also must charge an appropriate federal organization with the charter of patrolling the cyber seas–issuing challenges where necessary and taking proactive defensive action to disrupt organized threats. This organization must work closely with the law enforcement and intelligence communities to identify bad actors and devise strategies to exploit the vulnerabilities associated with online criminal activity.”

Even though this is a very US-centric view of the world, it does raise some interesting thoughts and parallels. What is the world going to do about the modern-day pirates? What is the Internet equivalent of the war with the Barbary States (today’s Russia and Eastern Europe)?

And, finally, the sobering thought that piracy on the high seas was not wiped out by a US victory in the Battle of Derna. Far from it, as anyone familiar with piracy in the Malacca Straits knows.

So, what are we going to do? And will there be a lasting solution?

June 1, 2008 at 10:28 pm 1 comment

Your digital shadow

I’ve been taking a break from blogging- holiday as well as presenting at/attending AusCERT.

One of the interesting things over this period was the Radio New Zealand broadcast of The Digital Shadow (audio, approx. 28 minutes). It looked at the digital tracks that people leave behind in their everyday lives.

The broadcast starts with an interesting observation, “For the first time the amount of digital information generated about us is exceeding the information created by us.” And, there’s a lot of it- digital information about you but not by you. This is our digital shadow.

An interesting nugget in the broadcast is that Wellington City Council has only 3 CCTVs at present. I thought they’d have many more as CCTVs seem to be the weapon of choice for city authorities around the world. Not so surprisingly, the 3 CCTV cameras in Wellington are in a continuous recording loop but are only actively monitored during major events.

The broadcast also features Dick Hardt and Eve Maler discussing the collection of personal information while people are online.

Right at the end- the last 6 minutes- is the reason why I dug out the recording in the first place. As I mentioned previously, for the Government track at the Identity Conference in Wellington, we had four students start off by debating the relative importance of digital and physical identity in the future. The idea was to hear first-hand the views of future users of government online services.

These students were subsequently interviewed by Radio New Zealand and their views are featured in the last part of the broadcast. Fascinating stuff, especially about Facebook and Bebo. Worth a listen.

May 27, 2008 at 12:20 am 1 comment

ID Conference coverage

Had a look around to see the media coverage sparked off by the Identity Conference in Wellington. Given the wide range of things covered, I thought it would provide a good indicator for what the media thinks is news-worthy about identity.

1. The Dom Post was at its in-your-face best, making the Privacy Commissioner’s call for protecting your ‘digital shadow’ the number one news story (first page, top left). Digital information about people is the “new currency” so maybe it made a good replacement for the usual pessimistic economic lead.

On another note, her full presentation includes, “So should the responsibility to manage identity fall to the public or private sector? Who would you rather have handling your identity? Is it as simple a question as whether we have Microsoft or SSC? I am, of course, being flippant, but the public sector cannot afford to assume it has natural dominion. It is a case of gaining, and then maintaining, New Zealanders’ trust. Identity-driven systems must reflect the multiplicity of modern New Zealand. Those systems must give people options, flexibility and control.”

2. Across at NZ Herald, Peter Griffin blogged (The search for Identity 2.0) about Dick Hardt’s presentation. Good choice but I do wish savvy tech folks understood the difference between identification and authentication. Otherwise we’re going to continue getting some pretty weird conclusions like the need for government-issued photo ID cards to access online services. I sometimes wonder if people take the cards metaphor too far.

3. Still with Peter Griffin but this time in his role as a news reporter, is Identity thieves sharpen their act. The story covers most of the dangerous downsides of the Internet. One particular quote from Dean Winter of TradeMe caught my eye, “Who in New Zealand do we go to and say we’ve identified a botnet?… We get a fantastic response from the hosts of some of these fraudulent networks. But it is still standing at the bottom of the cliff.”

Eve Maler’s obviously found the time and a decent enough broadband connection in Wellington to post her thoughts, Everyday identity and human-centered design. She has a link to her presentation as well as to Don Norman’s inspiring usability work in the 80s that continues to be so relevant.

Varied coverage reflecting the varied perspectives of the Conference…

May 1, 2008 at 10:58 pm Leave a comment

Why igovt?

For some time now, we’ve been aware of a paradox: we are building and operating user-centric services but use government-centric language to describe them. The launch of the igovt website is a small yet important step towards changing that.

Take the Government Logon Service (GLS) as an example. According to our website, which is intended for a government agencies audience, “In a nutshell, the GLS is an all-of-government shared service to manage the logon process for online services of participating agencies.”

The very name, description, and use of a Three Letter Acronym are so government-centric. What does an average person, say a student who just wants to check his/her account online, make of this? Do we really want to try and explain to people what a “logon” is?

There is of course logic in using government-centric language, especially in the early days of a new service for which there are few, if any, precedents and mental models. Describing as accurately as possible what a service does from a functional perspective allows for precision. It helps external experts and interest groups get an in-depth understanding of what the service does and, sometimes more importantly, what it doesn’t.

But it is more than choice of language alone. It’s also about perspective.

Protecting privacy has been a major driver for the all-of-government authentication services. An important way of designing in privacy is the separation of who a person is (identity) from what they do online (activities) so that data aggregation and building profiles of people aren’t possible. Two different government departments operate two different services based on their respective strengths.

This world-leading approach has been highly acclaimed by privacy experts. Yet, from the view of a person or organisation interested in getting better and quicker government services, it just means more complexity that they have to try and understand and overcome to get to what they are really interested in- the service they want.

The second issue therefore is that people don’t want to integrate and coordinate government’s services; they want government to do that. This desire is reflected at a strategic level in the Development Goals for the State Services. At an everyday level, it means that we had to find a way for our privacy-protective design to be presented to people as a single, integrated online service without diluting the design itself.

And, it was apparent that the time to act was now, before the Identity Verification Service was launched and before future authentication services further increased complexity.

The result is igovt. It is not “just another brand” but, over time, will represent a significant shift. A shift to using user-centric language; a shift to government integrating multiple online services from multiple government agencies for people without any dilution of security and privacy protection; a shift to making it easier and more convenient for people and organisations to get government’s services.

Though there are many models we can learn from, there aren’t any tried and trusted models that we can simply adopt. It is therefore neither possible nor appropriate to try and make the shift in one giant leap. Instead, it’s more of a journey from inside-out thinking to outside-in, learning along the way.

The next step in this journey is to re-brand and re-describe GLS as the first igovt service.

[Original post at]

April 23, 2008 at 10:02 pm Leave a comment

igovt public consultation

There were so many insights from attending focus groups during the igovt public consultation that it’s hard to pick just one. Certainly, one that made a lasting impression was a lady with a disability who spoke emotively about how the service would make a huge positive difference for her in getting services from government. For her, the notion of having to prove who she was once to government and then being able to choose to use the Internet to verify her identity- both across government and the private sector- was compelling.

So, what was the igovt public consultation all about?

Late last year the Department of Internal Affairs, with the support of the State Services Commission, consulted with people about igovt. Specifically, the consultation was about the Identity Verification Service, one of the two igovt services.

The details and context for the service have evolved since the previous public consultation in 2003. It was therefore important to seek the views of the public about key aspects of the proposed service before the service design was finalised.

Public consultation was also essential for continuing the transparency that has been a hallmark of developing igovt services. In particular, for services based on policy principles such as opt-in and acceptability, it is important to check with people that the service design has resulted in a service that is indeed of value to them.

The public consultation process asked people to get information from the website and send in submissions. At the planning stage for the consultation it was clear that we needed to be more proactive to get deeper and wider participation.

21 focus groups were therefore held in 8 places across New Zealand- Whangarei, Manukau, Tokoroa, New Plymouth, Porirua, Westport, Christchurch, and Invercargill. The workshops were three hours long and included a demonstration of how the service would work. It turned out that the demonstration was critical in helping people understand the service and thereby provide well-informed responses.

I was personally present at a few of these workshops to do the demonstration and also answer any questions about the service that people had. For me, it was an immensely rewarding experience. To get firsthand insight into people’s views is far richer and more meaningful than getting it from a report.

The public consultation report (PDF) has now been received and published with a Summary Report.

[Original post at]

April 17, 2008 at 10:42 pm Leave a comment


1. I’ll be chairing the “Managing Identity: Government” workstream on the second day of the Identity Conference (30th April). Rather than take a conventional approach (yawn!), we’re going to start off by hearing the views of future users of government’s services. This will be in the form of a debate: “This house believes that in the future my digital identity should be more important than my physical identity.”

Two students each will present their views for and against the motion. These teenagers are truly amazing- articulate, opinionated, and very cool. I’m really looking forward to hearing them.

Following this, we’ll get into what government is doing on the igovt front and how the gap between the expectations (as voiced by the students) and the current plans for identity-related services can be bridged. I’ll chip in with a conceptual framework for looking at identity.

2. Good article in the NZ Herald by Anthony Doesburg on igovt called Bringing government services to the iPod generation. Quite timely given that we’re going to be hearing from the iPod generation at the Identity Conference. The boss is quoted in the article as saying, “We’ve proved we can build a secure, privacy-friendly identity verification service. It’s intended to underpin identity verification for all online government services.”

3. One of my colleagues presented at the recent Concordia workshop at RSA 2008. The slides aren’t up yet but the notes are. We are interested in SAML 2 – InfoCards interop and so are close to Concordia’s Scenario 1a. This work builds off the Microsoft New Zealand Innovation Centre work in progress. As my colleague noted at the Concordia workshop, we’ve got some new interesting use cases coming up.

4. A Google search led to my finding a presentation called A Model for New Zealand’s Identity Verification Service apparently given by Prof. Clark Thomborson (University of Auckland) at Trust 2008 in Austria last month. This is intriguing. As far as I know (and I may be wrong), Prof. Thomborson has developed this on his own, without collaborating with the guys who have designed the service. That’s fine but my problem is that I can’t understand his presentation. Anyway, it sounds complimentary, I think, so that’s great.

April 15, 2008 at 10:13 pm 2 comments

No real debate on the need for transparency

There is an interesting pair of articles in Wired that looks at government and transparency and ends up as a non-debate.

The first round was fired by Bruce Schneier in The Myth of the ‘Transparent Society’. He takes on books like David Brin’s “The Transparent Society” that argue, “In a world of ubiquitous surveillance, you’ll know all about me, but I will also know all about you. The government will be watching us, but we’ll also be watching the government.”

Bruce believes that this doesn’t work “because it ignores the crucial dissimilarity of power” between government and people. He gives the example of a police officer stopping a person and demanding ID. Divulging the person’s identity gives the police officer great power over the person while divulging the officer’s ID doesn’t give the same level of power to the person over the officer.

He then goes on to call for greater openness in government to reduce the difference in relative power between “the governors and the governed.”

In general, I agree with Bruce even though the specific example of the police officer demanding ID doesn’t quite work for me. If I’m lawfully required to show ID to a police officer, I’d expect that the laws would be followed, i.e. the checks and balances in the system- provided they work- are in place to reduce the power differential. However, I do agree that given the greater ability of government to act in a negative manner, it has a higher moral duty to be more open, to reduce the power differential, and to make sure the checks and balances work effectively.

In a counterpoint to Bruce’s article, David Brin wrote an article called David Brin Rebuts Schneier In Defense of a Transparent Society. I think he goes off on a bit of a tangent, challenging Bruce on a relatively minor point about whether or not an open society is a new concept or not.

David Brin goes on to say a lot of things without actually conveying anything. At the end of it all, to me, both seem to agree that transparency is critical- replace David’s “elites” with Bruce’s “people with power” and I think they are actually saying the same thing.

The topic of transparency in government is echoed by, somewhat surprisingly, Bill Gates. At a recent conference on Latin American government he said, “I think it’s been phenomenal. I think the quality of governance has improved, and can improve a lot more, because of that Internet transparency.” He went on to give the example of the Scandinavian countries making all government information available online.

This lines up well with Bruce Schneier’s and David Brin’s call for greater transparency in government.

So, at the end of all that, it’s a bit of a non-debate but a sound conclusion nevertheless: openness and transparency by government in dealing with people is vital and an essential prerequisite for privacy.

April 14, 2008 at 11:52 pm Leave a comment


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
