Posts filed under ‘igovt’
I was both moved and intrigued by Robin Wilton’s plea to support an e-petition “to create a dedicated Military & Veterans Hospital within the UK.”
Moved because it seemed to be a worthy thing to do; intrigued because I wanted to see how they would verify that I met the condition of being a British citizen or resident to sign the petition.
Turns out that all that’s required is a valid address and postcode. If you’re an expat, you don’t even need that. So, “Earnest Hope” became the 41,380th person to sign the e-petition.
It left me wondering just how many other signatures are from people like me? And, does it really matter if the bulk of them are actually from eligible folks?
Also, isn’t there a better way for checking online whether a person is a UK citizen/resident?
That got me thinking about how to verify whether or not a person is a New Zealand citizen or resident. In-person checking is simple enough but what about an online check? Can’t think of a simple way that already exists.
On reflection, it turns out that a trusted system may actually be untrustworthy.
I was looking at some of the recorded presentations that I missed at the Managing Identity in New Zealand conference in April. If the delightful Wordle tool could make word clouds from videos, then one of the prominent words in the presentations would be “trust.” There were probably few, if any, presentations that didn’t use that word in conjunction with identity systems.
Just what is the relationship between identity systems and trust? Given that every presenter thought it is a critical component of an identity system, it’s worth trying to uncover the relationship between the two.
To me the word trust seemed to cover a wide spectrum of meanings- different people used the word to mean different things. At one extreme is what I’d call technical trust while at the other is business trust.
A good example of technical trust is Stefan Brands’ presentation about Credentica’s U-Prove™ technology. He would probably define trust in terms of protocols, cryptographic proof, encryption, non-repudiation, digital signatures, message integrity, unlinkability, etc. Trust would, in this case, be the outcome from the technical features of an identity system.
At the other extreme is what a person like the Privacy Commissioner means by trust. She used it to mean “protect them [people] from the many possible harms that can arise from misuse of their personal information”; “to give credible, proveable reassurances”; and “people to feel too insecure to give out their information, and crippling e-govt and e-commerce systems.” She goes on to quote a minister that “Damage the trust of citizens and you damage the notion of citizenship, and governing becomes that much harder.”
I visualise the relationship between technical trust and business trust as two concentric circles. The smaller, inner one is technical trust and the larger, outer one business trust to represent:
- technical trust is a sub-set of business trust, i.e. it is impossible to achieve business trust without first getting technical trust; and
- technical trust on its own is insufficient, i.e. for an identity system to be trustworthy, it must have both technical trust and business trust. Otherwise, we get a (technically) trusted system that is untrustworthy from a business or user perspective.
Vendors of identity systems tend to focus on technical trust and make passing references to business trust. That’s one of the things that make the Liberty Alliance attractive- it has a focus on both technical and business trust.
As an aside, locally we seem to be getting there, as evidenced by a recent post, “Govt moves forward with online ID,” by Richard Wood.
I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.
Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflects diverse approaches and is also very much a product of its times.
First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.
A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.
It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.
Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.
The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.
Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.
So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.
But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.
All in all, interesting times and much thinking…
It’s interesting to see how some see business opportunity out of government regulation while others see only downsides.
For a bank which markets itself as a New Zealand bastion against domination by foreign (i.e. Australian) banks, it would do well to look across the Tasman at the example set by the branchless retail bank ING Direct.
According to an article in Australian IT, “ING Direct has led the way in using anti-money-laundering identification processes to come up with a method for opening an account purely online. The Dutch bank has claimed bragging rights for the first end-to-end online account opening facility in Australia…which uses an almost instant online identity verification process instead of the traditional 100-point security check to allow customers to open savings and term deposit accounts.”
“ING Direct has taken advantage of new AML [anti-money laundering] legislation that allows financial institutions to replace the traditional 100 point security check, which uses physical documents such as passports, with electronic AML compliance checks.”
According to the bank, “We were able to show the Government that electronic verification was robust and an alternative method to face-to-face. The legislation now says you have to conduct verification but it doesn’t prescribe the channel.”
From my perspective, this is cool. It works for people, it works for banks (even more so for branchless retail banks). And, it’s another small step forward in unlocking the Internet’s potential for higher-value transactions.
But the way that ING Direct verifies a person’s identity isn’t without potential flaws. Australian customers fill out an online application form and their identity is checked by FCS OnLine, a third-party identity verification service.
FCS OnLine seems to be offering online identity verification by checking information submitted by applicants against public databases. It’s difficult to see how relying solely on knowledge-based identity verification provides sufficiently robust results. On the other hand, presumably they overcome privacy requirements based on active consent from applicants.
So, if the outcome is desirable but the online identity verification process employed is suspect, it would be desirable for a better process to be used.
What would that be? For a start, one that is robust, economical, and user-centric. Even that’s quite a tall order. And, as far as I know, one that doesn’t exist- yet.
That’s where the wheel turns a full circle and New Zealand banks, including Kiwibank, may one day come out ahead if policy issues related to private sector use of igovt (specifically, the Identity Verification Service) mentioned in a Computerworld article are resolved.
Which raises the question of when is government a justifiable party?
(Hat tip to a colleague for the link to the Australian IT article and getting my blogging juices flowing again.)
There’s been a lot of national interest in this colossal undertaking at Te Papa. Experts have been poking at it, looking at what’s inside. Given its size, the experts have been taking it slow but the NZ Herald thinks that “an initial examination had still yielded a lot of useful information.”
The Conference was two full-on days. Having been quite closely involved, it’s hard for me to stand back and be objective. However, based on hurried conversations, it does seem to have lived up to the high expectations of a global-quality event looking at identity from multiple perspectives.
All five of the international speakers- Malcolm Crompton, Eve Maler, Roger Clarke, Dick Hardt, and Stefan Brands- were great. Dick Hardt was a clear crowd favourite doing what he does best- 1137 slides (give or take a few hundred) of a localised (as opposed to a localized) Identity 2.0 presentation. That’s one of those things you can find new things to enjoy each time.
Malcolm also came across very well as did Eve. Roger was at his combative best while Stefan was probably more engaging in yesterday’s open debate at which he handled tricky questions like ongoing IP issues with IBM over Idemix and the contribution of David Chaum to his patents. Stefan also provided the interesting tidbit of how the Microsoft acquisition was hastened by competitors’ interest.
The senior public service Chief Executives, Minister, and Privacy Commissioner all hit the right pitch with considered views. And, lest we forget, there was the official launch of igovt.
The final panel discussion chaired by John Campbell helped round off the Conference with a business focus. The workstreams in between catered for niche academic and sector interests. One of these that I particularly enjoyed was an insight into Maori perspectives of identity, whakapapa, and the opportunities/challenges that the Internet presents.
So, all in all, two days well spent. Compared to some of the international conferences that I’ve been to, a focus on managing identity and poking at it from many angles gave the Identity Conference a distinctive identity of its own. One that was also distinctively Kiwi.
For some time now, we’ve been aware of a paradox: we are building and operating user-centric services but use government-centric language to describe them. The launch of the igovt website is a small yet important step towards changing that.
Take the Government Logon Service (GLS) as an example. According to our website, which is intended for a government agencies audience, “In a nutshell, the GLS is an all-of-government shared service to manage the logon process for online services of participating agencies.”
The very name, description, and use of a Three Letter Acronym are so government-centric. What does an average person, say a student who just wants to check his/her account online, make of this? Do we really want to try and explain to people what a “logon” is?
There is of course logic in using government-centric language, especially in the early days of a new service for which there are few, if any, precedents and mental models. Describing as accurately as possible what a service does from a functional perspective allows for precision. It helps external experts and interest groups get an in-depth understanding of what the service does and, sometimes more importantly, what it doesn’t.
But it is more than choice of language alone. It’s also about perspective.
Protecting privacy has been a major driver for the all-of-government authentication services. An important way of designing in privacy is the separation of who a person is (identity) from what they do online (activities) so that data aggregation and building profiles of people aren’t possible. Two different government departments operate two different services based on their respective strengths.
This world-leading approach has been highly acclaimed by privacy experts. Yet, from the view of a person or organisation interested in getting better and quicker government services, it just means more complexity that they have to try and understand and overcome to get to what they are really interested in- the service they want.
The second issue therefore is that people don’t want to integrate and coordinate government’s services; they want government to do that. This desire is reflected at a strategic level in the Development Goals for the State Services. At an everyday level, it means that we had to find a way for our privacy-protective design to be presented to people as a single, integrated online service without diluting the design itself.
The result is igovt. It is not “just another brand” but, over time, will represent a significant shift. A shift to using user-centric language; a shift to government integrating multiple online services from multiple government agencies for people without any dilution of security and privacy protection; a shift to making it easier and more convenient for people and organisations to get government’s services.
Though there are many models we can learn from, there aren’t any tried and trusted models that we can simply adopt. It is therefore neither possible nor appropriate to try and make the shift in one giant leap. Instead, it’s more of a journey from inside-out thinking to outside-in, learning along the way.
The next step in this journey is to re-brand and re-describe GLS as the first igovt service.
[Original post at http://blog.e.govt.nz/index.php/2008/04/23/why-igovt/]
There were so many insights from attending focus groups during the igovt public consultation that it’s hard to pick just one. Certainly, one that made a lasting impression was a lady with a disability who spoke emotively about how the service would make a huge positive difference for her in getting services from government. For her, the notion of having to prove who she was once to government and then being able to choose to use the Internet to verify her identity- both across government and the private sector- was compelling.
So, what was the igovt public consultation all about?
Late last year the Department of Internal Affairs, with the support of the State Services Commission, consulted with people about igovt. Specifically, the consultation was about the Identity Verification Service, one of the two igovt services.
The details and context for the service have evolved since the previous public consultation in 2003. It was therefore important to seek the views of the public about key aspects of the proposed service before the service design was finalised.
Public consultation was also essential for continuing the transparency that has been a hallmark of developing igovt services. In particular, for services based on policy principles such as opt-in and acceptability, it is important to check with people that the service design has resulted in a service that is indeed of value to them.
The public consultation process asked people to get information from the website and send in submissions. At the planning stage for the consultation it was clear that we needed to be more proactive to get deeper and wider participation.
21 focus groups were therefore held in 8 places across New Zealand- Whangarei, Manukau, Tokoroa, New Plymouth, Porirua, Westport, Christchurch, and Invercargill. The workshops were three hours long and included a demonstration of how the service would work. It turned out that the demonstration was critical in helping people understand the service and thereby provide well-informed responses.
I was personally present at a few of these workshops to do the demonstration and also answer any questions about the service that people had. For me, it was an immensely rewarding experience. To get firsthand insight into people’s views is far richer and meaningful than getting it from a report.
[Original post at http://blog.e.govt.nz/index.php/2008/04/17/igovt-public-consultation/]
In response to my post “When is government a Justifiable Party?”, Kim Cameron expressed some concerns. In summary, these were creating an attractive target for hackers; the collapsing of “previously independent contexts together”; “minimize disclosure and aggregation of information”; and, finally, Kim’s opinion that he “wouldn’t touch this kind of challenge without Information Cards.”
I need to first clarify that, as Kim pointed out, this is a personal blog. The official position remains that igovt services are for the use of people and organisations interacting with government.
Issues that may arise if igovt services are extended to the private sector are being considered. These issues include thinking about whether government is a justifiable party or not in such transactions. A final recommendation to government will only be made after thinking this through and a further Privacy Impact Assessment (PIA) looks at all the issues and mitigations proposed.
It’s important to keep in mind the context. We are talking about the dangers of social networking where sites such as Facebook and Bebo are unwilling and unable to do their bit in keeping our kids safe online. It is important that responsible people try to work out a solution that works for both these websites and their customers.
Kim makes some good points which, thankfully, have already been considered.
The most important architectural consideration is that igovt splits identity verification (who you are) from authentication (your online activities) into two separate services run by two different government departments. The first is provided by the proposed Identity Verification Service and the second by the Government Logon Service using pseudonymous identifiers.
This has the additional benefit of providing protection from hackers. Guaranteeing a hacker will never get through an online service is impossible. Instead, in addition to data encryption, splitting data into silos such that no single breach- external or internal- results in getting all the information is a sensible design approach. In fact, this is precisely the “very distributed, encrypted information storage” that Kim advocates.
Another important part of defence-in-depth is to minimise the amount of data stored. In the case of the Identity Verification Service, it is restricted to four identity attributes- name, date of birth, place of birth, and sex. I’d expect private businesses (including social networking sites) to use the identity verification as a one-off and not the authentication component to log on a person each time they access the online service. This hardly qualifies for Kim’s description of “handling ‘digital explosives’ of a greater potency than has so far been the case anywhere in the world.”
Next, the collapsing of independent contexts. On the contrary, we aren’t looking at collapsing contexts. Indeed, if anything, context separation is strengthened by the use of service-specific identifiers. The Identity Verification Service creates a persistent, meaningless identifier per service to avoid data sharing by Service Providers even if they collude. This is somewhat similar to the Austrian ID system.
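The service-specific identifier idea above, sketched as an added example rather than igovt's own implementation (the post does not describe how the identifiers are produced). It assumes each identifier is an HMAC-SHA256 over the service name and an internal person reference, keyed by a secret only the verification service holds; the class, the service names and the person references are all constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set


class Verifier:
    """Hypothetical verification service (assumption, not igovt's design)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Secret held only by the verifier. Without it, nobody can recompute
        # an identifier or translate one service's identifier into another's.
        self._key = key if key is not None else secrets.token_bytes(32)

    def service_identifier(self, person_ref: str, service: str) -> str:
        """Persistent, meaningless identifier for one person at one service."""
        if not person_ref or not service:
            raise ValueError("person_ref and service are both required")
        svc = service.encode("utf-8")
        # Length-prefix the service name so ("ab", "c") and ("a", "bc")
        # can never produce the same HMAC input.
        msg = len(svc).to_bytes(2, "big") + svc + person_ref.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def global_identifier(self, person_ref: str) -> str:
        """Weak design shown for contrast: one identifier for every service."""
        msg = b"global" + person_ref.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


def linkable(ids_a: Iterable[str], ids_b: Iterable[str]) -> Set[str]:
    """What two colluding Service Providers learn by joining their records."""
    return set(ids_a) & set(ids_b)


def demo() -> Dict[str, int]:
    verifier = Verifier()
    people = [f"person-{n}" for n in range(5)]  # constructed internal references

    # Weak design: both services are handed the same identifier per person.
    shop_weak = {verifier.global_identifier(p): "orders" for p in people}
    forum_weak = {verifier.global_identifier(p): "posts" for p in people}

    # Service-specific design: each service gets its own identifier.
    shop = {verifier.service_identifier(p, "shop.example"): "orders" for p in people}
    forum = {verifier.service_identifier(p, "forum.example"): "posts" for p in people}

    # The identifier is persistent: a returning person is still recognised.
    returning = verifier.service_identifier(people[0], "shop.example")

    return {
        "linked_with_global_id": len(linkable(shop_weak, forum_weak)),
        "linked_with_service_ids": len(linkable(shop, forum)),
        "returning_user_recognised": int(returning in shop),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The join on identifiers only covers what the identifier itself leaks; if the same real-world attributes were released to both services, they could still be matched on those.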
Protecting and enhancing the underlying trust relationship between people and government is too important to rely on technological solutions alone. Sure, good technology is vital but, in my opinion, needs to be complemented by other instruments: oversight, independent assessments by experts, public consultation, policies, designing in privacy (such as separation of identity and authentication as well as use of service-specific identifiers) and, last but not the least, legislating the privacy protection.
For example, the power of choice is at least as important as getting the technical solution right.
I think Information Cards are really good, hence my mixed reaction to Microsoft’s acquisition of U-Prove and my exchange with Kim about continuing to make U-Prove widely available. But to think that technological solutions alone- no matter how great they are- can, in themselves, provide adequate trust in government is simply unrealistic.
Constructive criticism is a positive thing- it makes good things better. However, it requires people engaged in the debate to take the effort to fully understand what’s being discussed. In the spirit of promoting this, I invite interested people to take a look at the presentation I did in September last year at the Technology and Privacy Forum hosted by the Office of the Privacy Commissioner, New Zealand which describes both the big picture and the detail of privacy protection.
As a final word, as you’ll see from slide 15 of the presentation, the one thing that I do agree with Kim on is that the laws of identity are applicable!
In my first official post on the SSC blog, I mentioned that April is Identity Month, a time for NZ government agencies to talk about identity management.
The first event of the month was yesterday when the Biometrics Institute organised its 2008 Annual New Zealand Conference. I co-presented with a colleague about igovt and then was on the “Biometric Data Management and Data Security Issues” panel. The panel discussion gave me an opportunity to talk about the dangers of using static identifiers like biometrics and gave the example of Germany’s unfortunate interior minister.
The highlight of the month is the Identity Conference on 29th and 30th April but there are two more events around the same time that are worth having a look at:
First, a barcamp focussing on User-Centric Identity on 25th and 26th April. Secondly, the Office of the Privacy Commissioner’s next Technology and Privacy Forum has Marek Kuziel on 28th April talking about “OpenID Enabled New Zealand.”
With so much happening, it’s heaven for the identityrati in Wellington. And, with apologies to the people across the ditch, where the bloody hell are you?
A recent article in CR80News called “Social networking sites have little to no identity verification” got me thinking about the Laws of Identity, specifically Justifiable Parties: “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”
The article itself makes points that have been made before, i.e. on social networking sites “there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man…The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.”
In the US, this has thrown up business opportunities for some companies to act as third party identity verifiers. Examples are Texas-based Entrust, Dallas-based RelyID, and Atlanta-based IDology. They rely on public and financial records databases and, in some cases, government-issued identification as a fallback.
Clearly, these vendors are Justifiable Parties.
What about the government? It is the source of most of the original information. Is the government a Justifiable Party?
In describing the law, Kim Cameron says “Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter as to whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki or connecting a consumer to her hobby or vice.” [emphasis added]
So, in the US, where there isn’t a high trust relationship between people and the government, the US government would probably not be a Justifiable Party. In other words, if the US government was to try and provide social networking sites with the identity of its members, the law of Justifiable Parties predicts that it would fail.
This is probably no great discovery- most Americans would have said the conclusion is obvious, law of Justifiable Parties or not.
Which then leads to the question of other cultures…are there cultures where government could be a Justifiable Party for social networking sites?
To address this, I think it is necessary to distinguish between the requirements of social networking sites that need real-world identity attributes (e.g. age) and the examples that Kim gives- family wiki, connecting a consumer to her hobby or vice- where authentication is required (i.e. it is the same person each time without a reliance on real-world attributes).
Now, I think government does have a role to play in verifying real-world identity attributes like age. It is after all the authoritative source of that information. If a person makes an age claim and government accepts it, government-issued documents reflect the accepted claim as, what I call, an authoritative assertion that other parties accept.
The question then is whether in some high trust societies, where there is a sufficiently high trust relationship between society and government, can the government be a Justifiable Party in verifying the identity (or identity attributes such as age alone) for the members of social networking societies?
I believe that the answer is yes. Specifically, in New Zealand where this trust relationship exists, I believe it is right and proper for government to play this role. It is of course subject to many caveats, such as devising a privacy-protective system for the verification of identity or identity attributes and understanding the power of choice.
In NZ, igovt provides this. During public consultation held late last year about igovt, people were asked whether they would like to use the service to verify their identity to the private sector (in addition to government agencies). In other words, is government a Justifiable Party?
The results from the public consultation are due soon and will provide the answer. Based on the media coverage of igovt so far, I think the answer, for NZ, will be yes, government is a Justifiable Party.