Posts filed under 'report'

Just what is ‘identity’?

As a term that most of us find intuitively easy to define, it turns out that getting a precise and generally accepted definition of the term ‘identity’ is far from easy.

The first question of course is whether it’s even worth the effort to try and get a precise definition. I think the answer is ‘yes’ for several reasons.

First, identity involves personal information and people expect that government collects and holds their personal information in a secure manner with their privacy appropriately protected.

Secondly, people need to prove who they are many times during a day. While typically people only need to do that with government infrequently, for a government agency it is of critical everyday importance to have confidence in the identity of the person they are dealing with. For example, an agency needs to be sure that government services are being delivered to the right person. Another example is ensuring that the right person has access to their own personal information such as health records or tax records.

On the one hand, people want convenient access to their information and government services. On the other hand, government as a whole has to manage the identity-related risks and ensure that the taxpayer’s money is spent well.

Finally, consider this quote from a recent report by Sir James Crosby to the UK Government, “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”.

Looking around, both in New Zealand and overseas, we saw that most of the focus was on ‘digital identity’ and ‘user-centric identity’. Also, ‘identity management’ is typically defined in technology terms such as ‘authentication’ and ‘authorisation’. And yet, none of these answer the fundamental question of just what ‘identity’ is in the first place.

To help get us a better insight into the thinking of the academic world and the approaches taken in some other countries, we turned to Victoria University of Wellington. Professor Miriam Lips, with the help of her student Chiky Pang, has now completed her report Identity Management in Information Age Government (PDF, 557 KB) and we have published it on the e-government website.

It turns out that our question has a variety of answers. However, the report does validate our current approach, in which one useful way to look at identity is to consider that people have a single, unique identity but many context-dependent partial identities or personas. The result is more of an onion than a line, so that operating at the outer layers of the onion may have no connection at all with the unique core.

Another interesting insight from the report is the move from a document-based definition of identity to an informational one. The impact of the Information Age is to make it increasingly necessary for governments to consider identity information (its collection, verification, storage, maintenance, and disposal) rather than just the issue and use of identity documents.

As we look at these issues in finer and finer detail, it remains important not to lose sight of the basics: people own and control their own identity, while government’s role is to manage their identity information well; and theory needs to be put into practice.

So that in the future, when Bill and Jessica want to return home to New Zealand, they have one less thing to worry about.

[Original post at http://blog.e.govt.nz/index.php/2008/07/09/just-what-is-identity/]

July 9, 2008

igovt public consultation

There were so many insights from attending focus groups during the igovt public consultation that it’s hard to pick just one. Certainly, one that made a lasting impression was a lady with a disability who spoke emotively about how the service would make a huge positive difference for her in getting services from government. For her, the notion of having to prove who she was once to government, and then being able to choose to use the Internet to verify her identity, both across government and the private sector, was compelling.

So, what was the igovt public consultation all about?

Late last year the Department of Internal Affairs, with the support of the State Services Commission, consulted with people about igovt. Specifically, the consultation was about the Identity Verification Service, one of the two igovt services.

The details and context for the service have evolved since the previous public consultation in 2003. It was therefore important to seek the views of the public about key aspects of the proposed service before the service design was finalised.

Public consultation was also essential for continuing the transparency that has been a hallmark of developing igovt services. In particular, for services based on policy principles such as opt-in and acceptability, it is important to check with people that the service design has resulted in a service that is indeed of value to them.

The public consultation process asked people to get information from the website and send in submissions. At the planning stage for the consultation it was clear that we needed to be more proactive to get deeper and wider participation.

21 focus groups were therefore held in 8 places across New Zealand: Whangarei, Manukau, Tokoroa, New Plymouth, Porirua, Westport, Christchurch, and Invercargill. The workshops were three hours long and included a demonstration of how the service would work. It turned out that the demonstration was critical in helping people understand the service and thereby provide well-informed responses.

I was personally present at a few of these workshops to do the demonstration and also answer any questions about the service that people had. For me, it was an immensely rewarding experience. To get firsthand insight into people’s views is far richer and more meaningful than getting it from a report.

The public consultation report (PDF) has now been received and published with a Summary Report.

[Original post at http://blog.e.govt.nz/index.php/2008/04/17/igovt-public-consultation/]

April 17, 2008

Me, My Spouse and the Internet

It’s become a bit of a worn cliché to say that the Internet is changing everything. Many things are obvious: from the read-write web to social networking to online transacting.

But there are also less obvious, more tectonic shifts happening. These are slow societal shifts that will ultimately change the shape of society itself. These deep changes are not readily apparent amid the constant clamour of everyday headlines. Nevertheless, they are happening, every day, all the time, in imperceptible increments, leading to fundamental shifts stretching over years.

So it was with interest (and with a vested interest) that I read the survey results from the UK’s Oxford Internet Institute, part of a project called Me, My Spouse and the Internet. As the Institute’s Director said, “This study is a dramatic illustration of the potential for the Internet to reconfigure social relationships.”

The results from the study show the role played by the Internet in the relationships of a representative sample of over 2,000 married Internet users in the UK. Some highlights include:

1. 20% of married Internet users admitted to reading their partner’s emails and text messages; 13% to having checked their partner’s browser history.

2. 6% of married Internet users first met their partner online. Just over a third of these were through an online dating site. People meeting future partners online had greater education and age gaps.

3. Face-to-face communication was (still) the most reported way for married Internet users to discuss personal matters and resolve problems but other channels were also used, including text messaging (27% of users), and email (14% of users).

4. Disclosing a partner’s intimate details and other shady online activities got a big thumbs down from partners.

Hmmm… there doesn’t seem to be anything yet about what married Internet users think about their partner’s blogging activity. Or whether there are any blogging widows out there. That’s a sign for me to move on…

5 comments April 9, 2008

The EC Strikes Back

It goes by the rather bureaucratic name of “Working Party set up under Article 29 of Directive 95/46/EC.” Its suggestions don’t have the force of law. But anyone ignoring its Opinion does so at their own peril.

The statement that “A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA…” means that the EC is likely to impose the provisions of the Data Protection Directive on even the US-based search engines such as Google and Yahoo and hold them to the responsibilities of data controllers.

The Working Party refers to its earlier Opinion of June 2007 to re-affirm that “unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In other words, IP addresses are personal information and therefore the full weight of data protection laws applies. Google was, as one would expect, quick to defend its practices.

The Working Party covered a broad swath of issues, saying it expects search engines, among other things, to:

  • Use personal data, ranging from search query histories to IP addresses and unique cookie identifiers, only for “legitimate purposes”
  • Destroy and anonymise that data when it’s no longer legitimately useful
  • Inform users about data collection and storage practices
  • Set cookies to have a lifetime “no longer than demonstrably necessary”
  • Dissociate a user’s IP address or other identifier from his or her stored search queries
  • Allow users to see whatever “personal data” is being stored about them, whether it be their past search queries or other data “revealing their behaviour or origin”
  • Respect Web site operators’ desires to opt out of having their properties crawled, indexed, and cached through use of mechanisms like the robots.txt file or the Noindex/NoArchive tags
  • Do more to prevent personally identifiable information, such as Social Security numbers, credit card numbers, telephone numbers, and e-mail addresses, from creeping into search results

This could become a big deal, with huge implications for both search engines and people.
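Two of the Working Party’s expectations above, treating IP addresses as personal data and dissociating identifiers from stored queries once they are no longer needed, translate directly into how a query log should be handled. The following is an added example, not code from the original post or from any search engine: it coarsens each client address to a network prefix, replaces the cookie identifier with a keyed pseudonym, and strips both entirely once a record is older than a retention window. The log format, the 180-day window, the secret key and the sample lines are all constructed assumptions.

```python
"""Anonymise search-query log records: truncate IPs, pseudonymise cookie ids,
and dissociate identifiers completely after a retention window.

Added example; the tab-separated format, the retention window and the sample
log are constructed assumptions, not any search engine's real practice.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)  # assumed policy window, not a legal figure

# Constructed sample: ISO timestamp, client IP, cookie id, query (tab-separated).
SAMPLE_LOG = """\
2007-09-01T09:15:00Z\t203.0.113.42\tc0ffee01\tbank opening hours
2008-03-30T18:02:11Z\t2001:db8:1234:5678::9\tc0ffee01\thow to renew passport
2008-04-07T23:59:59Z\t198.51.100.7\tc0ffee01\tflights auckland wellington
"""


def truncate_ip(ip_text: str) -> str:
    """Coarsen an address so it no longer points at a single host:
    keep the /24 of an IPv4 address and the /48 of an IPv6 address."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise(cookie_id: str, secret: bytes) -> str:
    """Keyed hash of the cookie id. Sessions can still be linked for
    analytics without storing the raw identifier, and destroying the key
    breaks the link for good."""
    return hmac.new(secret, cookie_id.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise_record(line: str, now: datetime, secret: bytes) -> tuple:
    """Return (timestamp, ip, cookie, query) with identifiers reduced
    according to the record's age."""
    ts_text, ip_text, cookie, query = line.rstrip("\n").split("\t")
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    if now - ts > RETENTION:
        # Past the retention window: dissociate completely. Only the day and
        # the query text survive, enough for aggregate statistics.
        return (ts.date().isoformat(), None, None, query)
    return (ts_text, truncate_ip(ip_text), pseudonymise(cookie, secret), query)


def anonymise_log(text: str, now: datetime, secret: bytes) -> list:
    """Apply anonymise_record to every non-empty line of a log."""
    return [anonymise_record(l, now, secret) for l in text.splitlines() if l.strip()]


def demo(secret: bytes = b"constructed-demo-key") -> list:
    """Run the sample log through the policy as of 8 April 2008 (constructed)."""
    now = datetime(2008, 4, 8, tzinfo=timezone.utc)
    return anonymise_log(SAMPLE_LOG, now, secret)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The keyed hash is deliberately not a plain SHA-256 of the cookie value: an unkeyed hash of a short identifier can be reversed by hashing candidates, whereas an HMAC cannot be linked back without the key, and rotating or destroying the key is what turns pseudonymisation into anonymisation.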

April 8, 2008

Webstock recordings now available

The Easter Bunny has done his magic and recordings from last month’s Webstock conference are now online. There are hours of great quality presentations to sit back and enjoy.

I had earlier posted comments on day 1 and day 2.

For Kiwis, my pick is the interview (“fireside chat”) of TradeMe’s Sam Morgan (streaming video, mp3). For the identityrati there is Simon Willison on OpenID and decentralised social networks (streaming video, mp3).

Very cool stuff.

2 comments March 20, 2008

EC report: New trust pact required

Frank Wilson has authored the latest in a series of Think Papers for the European Commission entitled “Trust and Identity in Interactive Services: Technical and Societal Challenges” (PDF).

In this Paper, he says “… our governments and citizens must together develop an agreement on the acceptable ways of gathering, storing and using data about citizens within a secure electronic service environment.”

“The future of electronic service provision in all European societies relies on development of a citizen-centred European trust network to underpin and facilitate the many secure electronic service networks under development at present.”

I interpret this in two ways.

First, that data breaches of government-held personal information, such as that in the UK recently, undermine the basic trust relationship between government and people. As I mentioned in my first post on this topic, “The real issue goes to the heart of governance and government: trust… The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.”

Secondly, if the trust fabric is strong, people and government can both benefit substantially from richer user-centric online services that require an identity backbone. The trust pact ensures that a framework that protects privacy and offers user control is in place, i.e. a framework that both reflects and enhances the trust relationship. Without such a trust relationship, efforts to build a user-centric identity or information metasystem that involves the government as an Identity Provider are inherently flawed.

How, then, should the trust relationship be built and nurtured? The Think Paper offers a somewhat simplistic view on that vital question by recommending “achieving a balance between the need to hold data and the duty to use it and protect it responsibly.” Hopefully, a future Think Paper will do more justice to this critical question.

November 26, 2007

Why phishing works

Frankly, sometimes I tire of hearing about user stupidity. The moaning of “if only users could be more careful” and “we need to educate our users better” ignores the reality of how online security really works in practice.

Phishing works because most online customers are unable to protect themselves. Expecting them to do so is simply a false hope and makes for poor security outcomes.

A study by Rachna Dhamija, J D Tygar, and Marti Hearst of Harvard University and UC Berkeley called Why Phishing Works (pdf 851 KB) provides empirical evidence about which malicious strategies are successful at deceiving general users. The study concludes that:

“…even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants.” (emphasis added)

The study is worth reading in detail as it shows how common steps websites expect customers to take are, by a wide margin, unrealistic and amount to a flawed approach to online security.

The padlock, address bar changing colour, presence of favicon, animated graphics, “accept temporary certificate for this session”… all of these were either invisible or wrongly interpreted by most users.

Time for a test. If you saw the URL www.bankofthevvest.com would you accept it as that of Bank of the West? Look carefully, it should be “west” not “vvest” (i.e. “w” not two “v”s). This one fooled all but one of the participants.

Got me too.
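The “vvest” test above is a lookalike-domain problem, and the study’s point is that it cannot be left to users’ eyes. The check below is an added example, not code from the original post or from the Dhamija/Tygar/Hearst study: it reduces a hostname to a “skeleton” in which sequences that render alike (“vv” for “w”, “rn” for “m”, digit zero for “o”, a few non-Latin letters) are replaced by the letters they resemble, and then compares that skeleton against an allow-list of domains an organisation actually owns. The allow-list and the confusable table are small constructed samples (assumptions), not Unicode’s full confusables data.

```python
"""Flag hostnames that look like a trusted domain once confusable
character sequences are collapsed. Added example; the allow-list and the
confusable table are constructed, hand-picked subsets (assumptions)."""
import unicodedata

# Sequences that render alike in common fonts, mapped to the letters they
# resemble. Hand-picked subset, not the full Unicode confusables table.
CONFUSABLES = {
    "vv": "w",
    "rn": "m",
    "cl": "d",
    "0": "o",
    "1": "l",
    "\u0131": "i",  # dotless i
    "\u03bf": "o",  # Greek omicron
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
}

# Constructed allow-list: domains the organisation actually owns.
LEGITIMATE = {
    "bankofthewest.com",
    "example-bank.co.nz",
}


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so they can be
    skeletonised; non-ASCII or malformed input is returned unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host: str) -> str:
    """Collapse a hostname to a form in which confusable sequences are
    replaced by the ASCII letters they look like."""
    s = unicodedata.normalize("NFKC", decode_idna(host)).lower()
    # Longest sequences first so "vv" is handled before single characters.
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(seq, CONFUSABLES[seq])
    return s


def canonical_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' label."""
    h = unicodedata.normalize("NFKC", host).lower().strip(".")
    return h[4:] if h.startswith("www.") else h


def classify(host: str) -> str:
    """'legitimate' if the host is on the allow-list, 'lookalike' if it is
    not but its skeleton collides with a listed domain, else 'unknown'."""
    h = canonical_host(host)
    if h in LEGITIMATE:
        return "legitimate"
    skel = skeleton(h)
    if any(skeleton(good) == skel for good in LEGITIMATE):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for candidate in ("www.bankofthewest.com", "www.bankofthevvest.com",
                      "bankofthewest.com".replace("a", "\u0430"), "example.org"):
        print(candidate, "->", classify(candidate))
```

Because both the candidate and each allow-listed domain are skeletonised, the table does not need to be symmetric or exact: a legitimate name containing “rn” is transformed the same way as the spoof, so the comparison still holds. In practice this sits in mail filtering or certificate-transparency monitoring, where a machine rather than a customer does the looking.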

1 comment September 18, 2007

Liberty Alliance: NZ case study

Liberty Alliance has just published a case study called New Zealand Sets the Pace for SAML 2.0 Deployments (pdf, 249 KB). It represents a lot of effort put in by my colleagues and Liberty- well done guys!

The Case Study is quite comprehensive and contains updated information about the work that the New Zealand Government is doing in the area of identity management and authentication. It also highlights the natural synergy between organisations deploying user-centric federated identity management systems and Liberty.

In my first post to this blog, I had mentioned “User-centric Information Sharing: A key enabler to transform government” as an area of interest in NZ going forward. The Case Study has some more information related to this in the section called Developing the Notion of Attribute Authorities.

September 14, 2007

Data location matters

Dale Olds in The physical location of data matters writes, “…it matters to me in real, tangible ways who runs the servers and where my data is stored ‑‑ and who is liable when there is a failure.”

From an international perspective, while this is of course true, there are bigger issues than just operational issues and liability.

For many non-Americans, the USA Patriot Act is top of mind when they think about the physical location of their data. This law presents two particularly thorny issues regarding their data stored in the US.

First, the bar is set very low. US law enforcement agencies can access the data if they consider it relevant to their investigations. This is far easier to meet than the normal test of probable cause.

Second, if data is accessed in this manner, the data holder (the US-based vendor) is not allowed to tell the overseas data owner that their data has been accessed, even if the vendor is contractually bound to do so.

Both of these angles and more are well covered in a report from the Information & Privacy Commissioner of British Columbia, Canada (pdf, 1.29 MB). It was published in October 2004 but still remains relevant.

There is another angle for data location that is top of mind for organisations that outsource IT or back-office functions internationally. That’s privacy and protection of personal information from unauthorised access, especially from insiders of the vendor’s company.

NZ’s Privacy Commissioner recently gave a presentation that includes concerns for personal data held overseas.

It’s no wonder that most organisations prefer to keep their data onshore. Data location does indeed matter.

3 comments August 30, 2007

NZ: the luxury of physical security

The latest Unisys Security Index confirms what most Kiwis intuitively know: we’re not terribly worried about our physical security.

For many people visiting New Zealand from overseas, particularly countries fighting the global war on terror, there comes a realisation of the extent to which physical security is now driving the agenda in their home countries.

The August 2007 survey (pdf, 351 KB) puts the NZ index at a relatively low 108 out of 300. That’s 5 points down from the last survey in April and is the lowest ever since the index was launched in NZ a year back. Since the last survey, the National Security component of the index has fallen 7 points to 93.

Comparatively, Australia’s index is currently at 134 and Singapore’s 188.

So what are people in NZ worried about? The top three are:

1. Other people obtaining credit card / debit card details.

2. Unauthorised access to or misuse of personal information.

3. Security of shopping / banking online.

The luxury of physical security shifts the focus to better online security, protecting privacy, and fighting identity fraud.

Problem is, these are “soft” issues. It’s hard to get people to rally behind better online security and the rest; it’s so much easier to prioritise and direct resources into the “hard” issue of physical security.

1 comment August 21, 2007

These are my personal views. See the About page for more info.
