Posts filed under ‘identity’
From the perspective of a person keen to see identity federation the norm, a single federation protocol is the best thing. That allows a focus on the real challenges of federation- the business and process challenges. It relegates arcane discussions about SAML and WS-Federation to the few people who really want to talk about the nuts and bolts.
In reality, that’s probably unachievable. If nothing else, that was the biggest lesson from the ODF vs. OOXML saga.
The next best thing is true interoperability between protocols with standard products supporting multiple protocols out of the box. This doesn’t take away all the costs, complexity, and risks but is still an acceptable outcome.
The next best thing to the next best thing is a major vendor promising to move towards the next best thing. To that end, Microsoft’s announcement that the beta version of Geneva will not only support SAML 2.0 as a token format but also as a single sign-on protocol is very welcome. Geneva is Microsoft’s future identity platform, replacing ADFS (Active Directory Federation Services).
Specifically, Geneva will support the SAML 2.0 Lite/Web SSO profile. Happily enough, it will also support the US Government’s GSA profile which seems to be an attractive offering for US Government agencies.
So, come 2010 or whatever the usual announcement-to-real world deployment cycle takes, deployers of federation can increasingly focus on benefiting from identity portability rather than the underlying technical challenges.
On the Internet, Anonymous has become a badge, a group, an idea. It’s all a bit nebulous really. It could quickly just fizzle out. On the other hand, it might just be the start of something new, something big, an emergent phenomenon.
Let’s start with meme. According to Wikipedia, a meme is an “idea or behaviour that can pass from one person to another by learning or imitation.” Examples of memes include ideas, theories, practices, fashions, habits, etc. The word was coined by Richard Dawkins in 1976 that has caught on as “a convenient way of discussing a piece of thought copied from person to person.”
Next, Internet memes. Again, according to Wikipedia, an Internet meme is “used to describe a catchphrase or concept that spreads quickly from person to person via the Internet.” There is a very interesting timeline of Internet memes that has some of the great viral distractions that the Internet has spawned. Have a look but be warned that it can hook you for hours. Like George Bush and Google. Or, the Star Wars political commercial.
Most people are familiar with the use of anonymous as a default name for a person on the Internet whose identity is unknown. Post a comment without identifying yourself and it’s likely to be accredited to anonymous.
But then anonymous began emerging as Anonymous, a sort of an in-joke. Many people think it originated from the site 4chan, an image-based bulletin board where anyone can post comments and share images anonymously. Definitely not for the faint-hearted. Almost anything is acceptable. That’s led to a clique with their own language, norms, jokes, values… culture?
In turn, that’s led to a movement on the Internet, perhaps one that can be best described as an Internet meme.
In an often-quoted article in the Baltimore City Paper called Serious Business, “anons” are linked with repeated attacks on the Church of Scientology, called Project Chanology, “a battle that pits an anarchic, leaderless group of mostly young and tech-savvy activists organized through online forums and chat rooms against a religion formed in the 1950s whose adherents believe a science-fiction writer laid down the course to world salvation.”
Their words are ominous, “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”
Anonymous has been linked with more attacks. Such as a DDoS attack on the SSOH (Support Online Hip Hop) website; even the attack on Republican vice presidential candidate Sarah Palin’s personal Yahoo! Mail email account.
Anonymous has now become a movement, a moniker for a wide range of leader-less groups, from fringe elements on a path of reckless destruction to activists united in a sort of superconsciousness.
It could amount to nothing, a passing ripple in Internet history. Or, it could also become something far more potent, such as a rallying cry for the anti-establishment, a new breed of cyber-vigilantes.
In many ways, Anonymous is the child of the Internet. Do we get the children we deserve?
I spent the day at the privacy forum “Privacy is your business” today in Wellington and wanted to put down some notes while things are still fresh.
I haven’t seen any media coverage yet but understand there will be some. As usual, I expect to see the stories and wonder if they are reporting about the same event that I attended.
In any case, I missed the highlight of the day as I was at a parallel stream- of the usually mild-mannered John Edwards in full flight, taking on the reps from the Office of the Ombudsmen and Office of the Privacy Commissioner. Pity that (missing it, not the taking on bit). Other than that and a small jibe about direct marketing at the end, there was just too much agreement on how great privacy is so that discussions were somewhat uni-dimensional.
Things got off to a good start. I was intrigued by one concept in Minister Lianne Dalziel’s speech, “… trusting interpersonal relationships are no longer the primary enabler of personal information transfer; technology is. Modern privacy law either ensures the individual retains some degree of control over the transfer or approximates a trusting interpersonal relationship – an honest broker as it were.” The notion of an “honest broker” to build trust in an information age is worth thinking about.
The next interesting point came from an insight into the Law Commission’s thinking about its Review Of Privacy. Sir Geoffrey Palmer and Professor John Burrows made it clear that wholesale restructuring of the Privacy Act was not on the agenda. The principles-based approach will be retained and only holes- surveillance, the tort of privacy, and sentencing anomalies- will be filled.
At a later stage, Privacy Commissioner Marie Shroff repeatedly referred to the Privacy Act as a modern piece of legislation. I think the sub-text was that the Act didn’t need major restructuring but the message was delivered in a classically indirect manner.
The next nugget was a point made by TradeMe’s Mike O’Donnell. In his usual straightforward manner, he squarely took on the issue of TradeMe requiring to release customer information to the authorities.
He talked about their disappointment that personal details of 10,000 customers was handed over to the police who then passed it on to defence lawyers and, from there, a person in jail. TradeMe has a stringent requirement that information requests “must specify enabling legislation, be specific and limited- no fishing trips.” But, once these criteria were met, they will and do hand over customer information. Whether it’s Google or TradeMe or any other firm dependent upon maintaining peoples’ trust, handing over their customers’ information is painful.
One other thing I missed out on was asking Inspector John Walker of NZ Police why people “volunteer” to give their DNA samples. This was something that the 2007 Privacy & Human Rights Report issued by Privacy International highlighted as worrying.
Finally, two more interesting things. First, the very sensible perspective of local government (from Laurie Gabites of Wellington City Council) that CCTVs have a very limited role in public spaces. They look at them as a way of pro-actively avoiding incidents escalating but that requires active monitoring and big resources- money and people- that are better spent on more effective things.
Secondly, from Barbara Craig of Victoria University, the notion of mediated public spaces as the new commons for teenagers. Another concept worthy of further thought as we struggle to understand the “third space” (after home and school) of today’s kids.
Overall, the forum today had some interesting moments. If only they had some mavericks to stir things up…
There have been some negative reports around Snapper and its approach to privacy so I decided to take a look.
Snapper is a stored-value contactless smartcard that can be used in Wellington’s buses and as an alternative to cash/EFTPOS for low value purchases. It’s similar to Oyster, Octopus, etc. but with a more secure chip.
Losing a Snapper card is like losing cash. So people will soon be able to register their cards online. If a registered card is lost, the person can transfer the balance to a new card.
After that, it’s all downhill. A very slippery, steep decline at that.
For example, to set up an online account, Snapper says “we will collect personal information from you, including your name, title, email address, password, gender, date of birth, telephone numbers, postal or physical addresses, preferences, demographic information, and other personal information.”
Why? What possible justification can they have to collect this information? Incidentally, this probably makes it downright illegal.
Not being satisfied with that, they go on to say that “the information we collect when that Card is used will be associated with any personal information about the card holder that you supply.” So, they want both personal information plus profiling information. Wow! Considering the range of uses for the Snapper card outlined- everyday purchases, loyalty card, building access control, ticketing and event access- they seem more intent on being a datamart than a smartcard company.
Still not satisfied with that, they go on further to envisage Snapper being used as an identity card. They will then “collect additional information about you, which may include:
- your date of birth
- any relevant licences or endorsements that you hold
- other attributes relevant for identification purposes (for example, which school or university you attend)”
I’m left shaking my head in wonder. Did a dinosaur somehow survive the Ice Age?
I can’t see how they can verify the information people give. So, despite their warnings of giving incorrect personal information, I’m willing to bet that a lot of people will do just that.
And yet, the solution for the most part is actually quite simple. Snapper could use pseudonymous identity rather than real identity. Leaving aside tracking usage or their notion of becoming an identity card (which I can’t even begin to imagine as even remotely realistic), using pseudonymous identity could keep everyone happy.
Otherwise, I’ll just stick to good old anonymous cash, thank you.
I was both moved and intrigued by Robin Wilton’s plea to support an e-petition “to create a dedicated Military & Veterans Hospital within the UK.”
Moved because it seemed to be a worthy thing to do; intrigued because I wanted to see how they would verify that I met the condition of being a British citizen or resident to sign the petition.
Turns out that all that’s required is a valid address and postcode. If you’re an expat, you don’t even need that. So, “Earnest Hope” became the 41,380th person to sign the e-petition.
It left me wondering just how many other signatures are from people like me? And, does it really matter if the bulk of them are actually from eligible folks?
Also, isn’t there a better way for checking online whether a person is a UK citizen/resident?
That got me thinking about how to verify whether or not a person is a New Zealand citizen or resident. In-person checking is simple enough but what about an online check? Can’t think of a simple way that already exists.
On reflection, it turns out that a trusted system may actually be untrustworthy.
I was looking at some of the recorded presentations that I missed at the Managing Identity in New Zealand conference in April. If the delightful Wordle tool could make word clouds from videos, then one of the prominent words in the presentations would be “trust.” There were probably few, if any, presentations that didn’t use that word in conjunction with identity systems.
Just what is the relationship between identity systems and trust? Given that every presenter thought it is a critical component of an identity system, it’s worth trying to uncover the relationship between the two.
To me the word trust seemed to cover a wide spectrum of meanings- different people used the word to mean different things. At one extreme is what I’d call technical trust while at the other is business trust.
A good example of technical trust is Stefan Brand’s presentation about Credentica’s U-Prove™ technology. He would probably define trust in terms of protocols, cryptographic proof, encryption, non-repudiation, digital signatures, message integrity, unlinkability, etc. Trust would, in this case, be the outcome from the technical features of an identity system.
At the other extreme is what a person like the Privacy Commissioner means by trust. She used it to mean “protect them [people] from the many possible harms that can arise from misuse of their personal information”; “to give credible, proveable reassurances”; and “people to feel too insecure to give out their information, and crippling e-govt and e-commerce systems.” She goes on to quote a minister that “Damage the trust of citizens and you damage the notion of citizenship, and governing becomes that much harder.”
I visualise the relationship between technical trust and business trust as two concentric circles. The smaller, inner one is technical trust and the larger, outer one business trust to represent:
- technical trust is a sub-set of business trust, i.e. it is impossible to achieve business trust without first getting technical trust; and
- technical trust on its own is insufficient, i.e. for an identity system to be trustworthy, it must have both technical trust and business trust. Otherwise, we get a (technically) trusted system that is untrustworthy from a business or user perspective.
Vendors of identity systems tend to focus on technical trust and make passing references to business trust. That’s one of the things that make the Liberty Alliance attractive- it has a focus on both technical and business trust.
As an aside, locally we seem to be getting there as evidenced by a recent post Govt moves forward with online ID by Richard Wood.
I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.
I suspect that half the reason I read the updates so regularly is the futile hope that somehow- maybe by osmosis- his common sense approach will percolate into my sub-conscious and lead to better outcomes for the online services I’m involved in.
Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.
Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:
“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”
“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”
What’s true of the enterprise is even more so outside it, for the Internet.
The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).
Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.
What worry me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but are on the Internet. And, within government online services on a national scale, even more so.
From a security perspective, it’s about the loss of keys to the kingdom- passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risks) then the consequences from a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.
Then, there’s privacy. Using the same username & password to do everything (or lots of things) then raises the possibility of aggregation of information and building profiles.
So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?
As a term that most of us find intuitively easy to define, it turns out that getting a precise and generally accepted definition of the term ‘identity’ is far from easy.
The first question of course is whether it’s even worth the effort to try and get a precise definition. I think the answer is ‘yes’ for several reasons.
First, identity involves personal information and people expect that government collects and holds their personal information in a secure manner with their privacy appropriately protected.
Secondly, people need to prove who they are many times during a day. While typically people only need to do that with government infrequently, for a government agency it is of critical everyday importance to have confidence in the identity of the person they are dealing with. For example, an agency needs to be sure that government services are being delivered to the right person. Another example is ensuring that the right person has access to their own personal information such as health records or tax records.
On the one hand, people want convenient access to their information and government services. On the other hand, government as a whole has to manage the identity-related risks and ensure that the taxpayer’s money is spent well.
Finally, consider this quote from a recent report by Sir James Crosby to the UK Government, “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”.
Looking around, both in New Zealand and overseas, we saw that most of the focus on ‘digital identity’ and ‘user-centric identity’. Also, ‘identity management’ is typically defined in technology terms such as ‘authentication’ and ‘authorisation’. And yet, all of these still don’t answer the fundamental question of just what ‘identity’ is in the first place.
To help get us a better insight into the thinking of the academic world and the approaches taken in some other countries, we turned to Victoria University of Wellington. Professor Miriam Lips, with the help of her student Chiky Pang, has now completed her report Identity Management in Information Age Government (PDF, 557 KB) and we have published it on the e-government website.
It turns out that the answer to our questions has a variety of answers. However, it does validate our current approach that one of the useful ways to look at identity is to consider that people have a single, unique identity but many context-dependent partial identities or personas. The result is more of an onion than linear, so that operating at the outer layers of the onion may not have any connection at all with the unique core:
Another interesting insight from the report is the move to an informational definition of identity from a document-based definition. The impact of the Information Age is to make it increasingly necessary for governments to consider identity information- its collection, verification, storage, maintenance, and disposal- rather than just the issue and use of identity documents.
As we look at these issues in finer and finer detail, it remains important to not lose sight of the basics. Such as, people own and control their own identity while government’s role is to manage their identity information well. And, the need to put theory into practice.
So that in the future, when Bill and Jessica want to return home to New Zealand, they have one less thing to worry about.
[Original post at http://blog.e.govt.nz/index.php/2008/07/09/just-what-is-identity/]
I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.
Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflect diverse approaches and are also very much a product of their times.
First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.
A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.
It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.
Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.
The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.
Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.
So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.
But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.
All in all, interesting times and much thinking…
It’s interesting to see how some see business opportunity out of government regulation while others see only downsides.
For a bank which markets itself as a New Zealand bastion against domination by foreign (i.e. Australian) banks, it would do well to look across the Tasman at the example set by the branchless retail bank ING Direct.
According to an article in Australian IT, “ING Direct has led the way in using anti-money-laundering identification processes to come up with a method for opening an account purely online. The Dutch bank has claimed bragging rights for the first end-to-end online account opening facility in Australia…which uses an almost instant online identity verification process instead of the traditional 100-point security check to allow customers to open savings and term deposit accounts.”
“ING Direct has taken advantage of new AML [anti-money laundering] legislation that allows financial institutions to replace the traditional 100 point security check, which uses physical documents such as passports, with electronic AML compliance checks.”
According to the bank, “We were able to show the Government that electronic verification was robust and an alternative method to face-to-face. The legislation now says you have to conduct verification but it doesn’t prescribe the channel.”
From my perspective, this is cool. It works for people, it works for banks (even more so for branchless retail banks). And, it’s another small step forward in unlocking the Internet’s potential for higher-value transactions.
But the way that ING Direct verifies a person’s identity isn’t without potential flaws. Australian customers fill out an online application form and their identity is checked by FCS OnLine, a third-party identify verification service.
FCS OnLine seems to be offering online identity verification by checking information submitted by applicants against public databases. It’s difficult to see how relying solely on knowledge-based identity verification provides sufficiently robust results. On the other hand, presumably they overcome privacy requirements based on active consent from applicants.
So, if the outcome is desirable but the online identity verification process employed is suspect, it would be desirable for a better process to be used.
What that would be? For a start, one that is robust, economical, and user-centric. Even that’s quite a tall order. And, as far as I know, one that doesn’t exist- yet.
That’s where the wheel turns a full circle and New Zealand banks, including Kiwibank, may one day come out ahead if policy issues related to private sector use of igovt (specifically, the Identity Verification Service) mentioned in a Computerworld article are resolved.
Which raises the question of when is government a justifiable party?
(Hat tip to a colleague for the link to the Australian IT article and getting my blogging juices flowing again.)