Posts filed under ‘trust’
When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?
Never underestimate the Brits. They’ve now pushed the bar even higher.
All it took was a flash drive found in the car park of a pub, The Orbital. It held user names and the hashed passwords of Government Gateway accounts; the Gateway provides centralised authentication to important online services such as tax returns. Worse, the flash drive also held the source code, security software, and a step-by-step guide to how the Government Gateway works. And it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.
The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered with the flash drive forever lost. No such luck. Tellingly, it was turned in to a newspaper (The Mail on Sunday) rather than given back to the government.
The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin which is fingering Daniel for breaching operating procedures. Really? Sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.
Why was the flash drive unencrypted? The passwords were at least hashed but, throw enough resources at it, and it shouldn’t be that hard to break them. It’s impossible to say how many copies of the flash drive may be in circulation.
Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg: who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.
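Why a drive full of hashed passwords is still a problem depends entirely on how they were hashed. The example below is added here to illustrate that point; it is not code from the post or from the Government Gateway, and the password store and word list are constructed. It contrasts an unsalted fast hash (one lookup table serves every account, and users sharing a password are visible at a glance) with a salted, slow PBKDF2 hash, and includes the audit a defender would run over a dump of unsalted hashes to measure exposure.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample word list of the kind found on any breached-password
# list. Not data from the lost drive.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]


def unsalted_fast_hash(password: str) -> str:
    """The risky scheme: one fast, unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: Optional[bytes] = None,
                     rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt. Each guess costs
    `rounds` HMAC evaluations and cannot be reused against another user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  rounds: int = 100_000) -> bool:
    """Constant-time comparison of a candidate against a stored digest."""
    _, candidate = salted_slow_hash(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


def audit_unsalted_store(stored: dict, wordlist: list) -> dict:
    """Defender's exposure check on a dump of unsalted hashes: hash each
    candidate once and see which accounts it matches. Returns
    {username: matched_password}. A single table covers every account
    because nothing per-user went into the hash."""
    table = {unsalted_fast_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def duplicates_visible(stored: dict) -> bool:
    """Without salt, two users with the same password have identical
    hashes, so the dump reveals that before anyone guesses anything."""
    return len(set(stored.values())) < len(stored)


# Constructed password store (usernames and passwords are made up).
SAMPLE_STORE = {
    "alice": unsalted_fast_hash("letmein"),
    "bob": unsalted_fast_hash("Tr0ub4dor&3"),
    "carol": unsalted_fast_hash("letmein"),
}
```

The audit function is the same computation an attacker would make, which is exactly why it is worth running before a breach rather than after: its output tells you how much of the store falls to a cheap word list, and the salted variant shows why the fix is a per-user salt plus a deliberately slow function, not a larger key.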
Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.
On reflection, it turns out that a trusted system may actually be untrustworthy.
I was looking at some of the recorded presentations that I missed at the Managing Identity in New Zealand conference in April. If the delightful Wordle tool could make word clouds from videos, then one of the prominent words in the presentations would be “trust.” There were probably few, if any, presentations that didn’t use that word in conjunction with identity systems.
Just what is the relationship between identity systems and trust? Given that every presenter thought it is a critical component of an identity system, it’s worth trying to uncover the relationship between the two.
To me, the word trust seemed to cover a wide spectrum of meanings: different people used the word to mean different things. At one extreme is what I’d call technical trust while at the other is business trust.
A good example of technical trust is Stefan Brands’ presentation about Credentica’s U-Prove™ technology. He would probably define trust in terms of protocols, cryptographic proof, encryption, non-repudiation, digital signatures, message integrity, unlinkability, etc. Trust would, in this case, be the outcome from the technical features of an identity system.
At the other extreme is what a person like the Privacy Commissioner means by trust. She used it to mean “protect them [people] from the many possible harms that can arise from misuse of their personal information”; “to give credible, provable reassurances”; and “people to feel too insecure to give out their information, and crippling e-govt and e-commerce systems.” She goes on to quote a minister that “Damage the trust of citizens and you damage the notion of citizenship, and governing becomes that much harder.”
I visualise the relationship between technical trust and business trust as two concentric circles. The smaller, inner one is technical trust and the larger, outer one business trust to represent:
- technical trust is a sub-set of business trust, i.e. it is impossible to achieve business trust without first getting technical trust; and
- technical trust on its own is insufficient, i.e. for an identity system to be trustworthy, it must have both technical trust and business trust. Otherwise, we get a (technically) trusted system that is untrustworthy from a business or user perspective.
Vendors of identity systems tend to focus on technical trust and make passing references to business trust. That’s one of the things that make the Liberty Alliance attractive: it has a focus on both technical and business trust.
As an aside, locally we seem to be getting there as evidenced by a recent post Govt moves forward with online ID by Richard Wood.
Had a look around to see the media coverage sparked off by the Identity Conference in Wellington. Given the wide range of things covered, I thought it would provide a good indicator for what the media thinks is news-worthy about identity.
1. The Dom Post was at its in-your-face best, making the Privacy Commissioner’s call for protecting your ‘digital shadow’ the number one news story (first page, top left). Digital information about people is the “new currency” so maybe it made a good replacement for the usual pessimistic economic lead.
On another note, her full presentation includes, “So should the responsibility to manage identity fall to the public or private sector? Who would you rather have handling your identity? Is it as simple a question as whether we have Microsoft or SSC? I am, of course, being flippant, but the public sector cannot afford to assume it has natural dominion. It is a case of gaining, and then maintaining, New Zealanders’ trust. Identity-driven systems must reflect the multiplicity of modern New Zealand. Those systems must give people options, flexibility and control.”
2. Across at NZ Herald, Peter Griffin blogged (The search for Identity 2.0) about Dick Hardt’s presentation. Good choice, but I do wish savvy tech folks understood the difference between identification and authentication. Otherwise we’re going to continue getting some pretty weird conclusions like the need for government-issued photo ID cards to access online services. I sometimes wonder if people take the cards metaphor too far.
3. Still with Peter Griffin but this time in his role as a news reporter, is Identity thieves sharpen their act. The story covers most of the dangerous downsides of the Internet. One particular quote from Dean Winter of TradeMe caught my eye, “Who in New Zealand do we go to and say we’ve identified a botnet?… We get a fantastic response from the hosts of some of these fraudulent networks. But it is still standing at the bottom of the cliff.”
Eve Maler’s obviously found the time and a decent enough broadband connection in Wellington to post her thoughts, Everyday identity and human-centered design. She has a link to her presentation as well as to Don Norman’s inspiring usability work from the 80s, which continues to be so relevant.
Varied coverage reflecting the varied perspectives of the Conference…
1. I’ll be chairing the “Managing Identity: Government” workstream on the second day of the Identity Conference (30th April). Rather than take a conventional approach (yawn!), we’re going to start off by hearing the views of future users of government’s services. This will be in the form of a debate: “This house believes that in the future my digital identity should be more important than my physical identity.”
Two students each will present their views for and against the motion. These teenagers are truly amazing: articulate, opinionated, and very cool. I’m really looking forward to hearing them.
Following this, we’ll get into what government is doing on the igovt front and how the gap between the expectations (as voiced by the students) and the current plans for identity-related services can be bridged. I’ll chip in with a conceptual framework for looking at identity.
2. Good article in the NZ Herald by Anthony Doesburg on igovt called Bringing government services to the iPod generation. Quite timely given that we’re going to be hearing from the iPod generation at the Identity Conference. The boss is quoted in the article as saying, “We’ve proved we can build a secure, privacy-friendly identity verification service. It’s intended to underpin identity verification for all online government services.”
3. One of my colleagues presented at the recent Concordia workshop at RSA 2008. The slides aren’t up yet but the notes are. We are interested in SAML 2 – InfoCards interop and so are close to Concordia’s Scenario 1a. This work builds off the Microsoft New Zealand Innovation Centre work in progress. As my colleague noted at the Concordia workshop, we’ve got some new interesting use cases coming up.
4. A Google search led to my finding a presentation called A Model for New Zealand’s Identity Verification Service apparently given by Prof. Clark Thomborson (University of Auckland) at Trust 2008 in Austria last month. This is intriguing. As far as I know (and I may be wrong), Prof. Thomborson has developed this on his own, without collaborating with the guys who have designed the service. That’s fine but my problem is that I can’t understand his presentation. Anyway, it sounds complimentary, I think, so that’s great.
In response to my post When is government a Justifiable Party? Kim Cameron expressed some concerns. In summary, these were creating an attractive target for hackers; the collapsing of “previously independent contexts together”; “minimize disclosure and aggregation of information”; and, finally, Kim’s opinion that he “wouldn’t touch this kind of challenge without Information Cards.”
I need to first clarify that, as Kim pointed out, this is a personal blog. The official position remains that igovt services are for the use of people and organisations interacting with government.
Issues that may arise if igovt services are extended to the private sector are being considered. These issues include thinking about whether government is a justifiable party or not in such transactions. A final recommendation to government will only be made after thinking this through and a further Privacy Impact Assessment (PIA) looks at all the issues and mitigations proposed.
It’s important to keep in mind the context. We are talking about the dangers of social networking where sites such as Facebook and Bebo are unwilling and unable to do their bit in keeping our kids safe online. It is important that responsible people try to work out a solution that works for both these websites and their customers.
Kim makes some good points which, thankfully, have already been considered.
The most important architectural consideration is that igovt splits identity verification (who you are) from authentication (your online activities) into two separate services run by two different government departments. The first is provided by the proposed Identity Verification Service and the second by the Government Logon Service using pseudonymous identifiers.
This has the additional benefit of providing protection from hackers. Guaranteeing a hacker will never get through an online service is impossible. Instead, in addition to data encryption, splitting data into silos such that no single breach, external or internal, results in getting all the information is a sensible design approach. In fact, this is precisely the “very distributed, encrypted information storage” that Kim advocates.
Another important part of defence-in-depth is to minimise the amount of data stored. In the case of the Identity Verification Service, it is restricted to four identity attributes: name, date of birth, place of birth, and sex. I’d expect private businesses (including social networking sites) to use the identity verification as a one-off and not the authentication component to log on a person each time they access the online service. This hardly qualifies for Kim’s description of “handling ‘digital explosives’ of a greater potency than has so far been the case anywhere in the world.”
Next, the collapsing of independent contexts. On the contrary, we aren’t looking at collapsing contexts. Indeed, if anything, context separation is strengthened by the use of service-specific identifiers. The Identity Verification Service creates a persistent, meaningless identifier per service to avoid data sharing by Service Providers even if they collude. This is somewhat similar to the Austrian ID system.
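To make the three design points above concrete (a verification service limited to four attributes, a persistent but meaningless identifier per relying service, and the resulting inability of colluding service providers to join their records), here is an added, self-contained illustration. It is not igovt’s code and not the Austrian design; the derivation of the per-service identifier as an HMAC over an internal record id and the service name is an assumption chosen for the example, and the enrolled person is constructed.

```python
import hashlib
import hmac
import secrets

# The only data the verification service is permitted to hold.
IDENTITY_ATTRIBUTES = ("name", "date_of_birth", "place_of_birth", "sex")


class IdentityVerificationService:
    """Holds the four identity attributes and gives each relying service
    its own persistent, meaningless identifier for a person. The
    master_key never leaves this service (assumption for this example)."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._records = {}  # internal_id -> attributes

    def enrol(self, **attributes) -> str:
        # Data minimisation enforced at the boundary: exactly the four
        # attributes, nothing more and nothing less.
        if set(attributes) != set(IDENTITY_ATTRIBUTES):
            raise ValueError(f"only {IDENTITY_ATTRIBUTES} may be stored")
        internal_id = secrets.token_hex(16)  # never disclosed to anyone
        self._records[internal_id] = dict(attributes)
        return internal_id

    def service_identifier(self, internal_id: str, service_name: str) -> str:
        # Same person + same service -> same value every time (persistent).
        # Same person + different service -> unrelated value; relating the
        # two requires the master key, which no relying party holds.
        msg = f"{internal_id}\x00{service_name}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def assert_attribute(self, internal_id: str, service_name: str,
                         attribute: str) -> dict:
        """The one-off verification a relying party receives: its own
        identifier for the person plus the single attribute it asked for."""
        if attribute not in IDENTITY_ATTRIBUTES:
            raise ValueError("not an identity attribute")
        return {
            "service_identifier": self.service_identifier(internal_id, service_name),
            attribute: self._records[internal_id][attribute],
        }


def collude(records_a: list, records_b: list) -> set:
    """What two service providers learn by pooling their databases: the
    identifiers present in both. With per-service identifiers that set is
    empty even when the same people use both services."""
    ids_a = {r["service_identifier"] for r in records_a}
    ids_b = {r["service_identifier"] for r in records_b}
    return ids_a & ids_b
```

The authentication half of the split (the Government Logon Service) is deliberately absent: the relying party gets an attribute assertion once and is expected to run its own logon afterwards, which is the usage pattern the paragraph above describes for private-sector sites.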
Protecting and enhancing the underlying trust relationship between people and government is too important to rely on technological solutions alone. Sure, good technology is vital but, in my opinion, needs to be complemented by other instruments: oversight, independent assessments by experts, public consultation, policies, designing in privacy (such as separation of identity and authentication as well as use of service-specific identifiers) and, last but not least, legislating the privacy protection.
For example, the power of choice is at least as important as getting the technical solution right.
I think Information Cards are really good, hence my mixed reaction to Microsoft’s acquisition of U-Prove and my exchange with Kim about continuing to make U-Prove widely available. But to think that technological solutions alone, no matter how great they are, can in themselves provide adequate trust in government is simply unrealistic.
Constructive criticism is a positive thing: it makes good things better. However, it requires people engaged in the debate to take the effort to fully understand what’s being discussed. In the spirit of promoting this, I invite interested people to take a look at the presentation I did in September last year at the Technology and Privacy Forum hosted by the Office of the Privacy Commissioner, New Zealand, which describes both the big picture and the detail of privacy protection.
As a final word, as you’ll see from slide 15 of the presentation, the one thing on which I do agree with Kim is that the laws of identity are applicable!
A recent article in CR80News called Social networking sites have little to no identity verification got me thinking about the Laws of Identity, specifically Justifiable Parties, “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”
The article itself makes points that have been made before, i.e. on social networking sites “there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man…The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.”
In the US, this has thrown up business opportunities for some companies to act as third party identity verifiers. Examples are Texas-based Entrust, Dallas-based RelyID, and Atlanta-based IDology. They rely on public and financial records databases and, in some cases, government-issued identification as a fallback.
Clearly, these vendors are Justifiable Parties.
What about the government? It is the source of most of the original information. Is the government a Justifiable Party?
In describing the law, Kim Cameron says “Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter as to whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki or connecting a consumer to her hobby or vice.” [emphasis added]
So, in the US, where there isn’t a high trust relationship between people and the government, the US government would probably not be a Justifiable Party. In other words, if the US government was to try and provide social networking sites with the identity of its members, the law of Justifiable Parties predicts that it would fail.
This is probably no great discovery- most Americans would have said the conclusion is obvious, law of Justifiable Parties or not.
Which then leads to the question of other cultures…are there cultures where government could be a Justifiable Party for social networking sites?
To address this, I think it is necessary to distinguish between the requirements of social networking sites that need real-world identity attributes (e.g. age) and the examples that Kim gives (family wiki, connecting a consumer to her hobby or vice) where authentication is required, i.e. it is the same person each time, without a reliance on real-world attributes.
Now, I think government does have a role to play in verifying real-world identity attributes like age. It is, after all, the authoritative source of that information. If a person makes an age claim and government accepts it, government-issued documents reflect the accepted claim as what I call an authoritative assertion that other parties accept.
The question then is whether, in high-trust societies where there is a sufficiently high trust relationship between society and government, the government can be a Justifiable Party in verifying the identity (or identity attributes such as age alone) of the members of social networking sites.
I believe that the answer is yes. Specifically, in New Zealand where this trust relationship exists, I believe it is right and proper for government to play this role. It is of course subject to many caveats, such as devising a privacy-protective system for the verification of identity or identity attributes and understanding the power of choice.
In NZ, igovt provides this. During public consultation held late last year about igovt, people were asked whether they would like to use the service to verify their identity to the private sector (in addition to government agencies). In other words, is government a Justifiable Party?
The results from the public consultation are due soon and will provide the answer. Based on the media coverage of igovt so far, I think the answer, for NZ, will be yes, government is a Justifiable Party.
Leading Kiwi blogger Russell Brown was quite complimentary about the blog launched by the State Services Commission. He made particular mention of the guidelines for staff blogging that are also available to everyone under a Creative Commons licence.
Blogging guidelines are a good thing for both employer and employee. They help make the boundaries and expectations clearer. Navigating the minefield of blogging as an employee is hard and therefore guidelines are a real must to even get started.
Blogging as a government employee is even harder (see a previous post about this). Yet, the risks have to be taken by both government and employee if more two-way open government is to be achieved.
On the other side of the world, the UK Government has also resolved to issue guidelines for blogging and social networking by civil servants. It’s difficult to take the claim at face value that the move is not connected with the case of Civil Serf.
Civil Serf is the pseudonym of a 33-year-old London civil servant, thought to be working for the Department for Work and Pensions. Her nom de plume reflects her intent to slag off the government and civil service. There’s always a ready audience for insider revelations and dirt, especially if it is about big corporates and governments.
I will, however, point out that the word serf comes from the Latin servus, meaning slave. Civil Serf is hardly bound to and required to serve the government; presumably she made a choice to work in the public service. And part of that choice was to adhere to a set of rules and regulations.
What about freedom of speech? Sure, that’s critical and legally protected, but in this case I think Civil Serf probably breached the spirit, if not the letter, of the UK’s Civil Service Code. No employer, government or private, is going to take kindly to being put down in public. A recent example is the worker fired by The Warehouse for her comments on Bebo.
Anyhow, Civil Serf’s blog has disappeared after the Sunday papers on 9th March wrote about her. Since November last year, her comments had tellingly often been quoted by mainstream journalists working for the Telegraph and Times. There’s a good video of the story at puffbox.
Almost universally, comments to stories about the Civil Serf saga at various online sites are on her side, praising her for an insider’s view of “government ineptitude and hypocrisy.”
While there are merits to both sides of the arguments about Civil Serf, there is no doubt that the Internet provides a powerful tool for people to air their views pseudonymously. And, while not an unbounded right, freedom of speech is a cherished right that is benefiting hugely from the Internet’s inherent support for pseudonymity.
In the UK, “Data Sharing Review: A consultation paper on the use and sharing of personal information in the public and private sectors” has been issued as a part of the review being run by Information Commissioner Richard Thomas and Dr Mark Walport, director of the Wellcome Trust.
I expect that this review, once completed, is going to lead to significant insights and, possibly, new approaches to protecting privacy. Not only will it have a major impact in the UK; governments around the world should also be tracking the progress and results of the review.
The consultation document says, “Personal information is shared and used every day by both public authorities and private organisations. The scope and methods of information sharing varies greatly – ranging from an individual piece of personal information being shared once between two public authorities to the regular and wholesale sharing of personal information between two or more databases.”
Views are sought “on the scope of personal information sharing – i.e. what personal information is shared – and on the spectrum of information sharing – i.e. in what way is personal information shared.”
The consultation document asks 28 questions across seven sections:
- Scope of personal information sharing, including benefits, barriers and risks of data sharing and data protection
- The legal framework
- Consent and transparency
- International comparisons, and
- Additional questions.
The recent fiasco that saw personal information of half the country’s population lost makes it timely. I’m looking forward to the promised publication of the results online.
Reports from across the Tasman say that Australia’s new government has pulled the plug on the Access Card. The ID card that wasn’t supposed to be an ID card has been controversial and Labor seems to have decided that former Prime Minister John Howard’s baby should be aborted.
The official website has already been changed so clearly the government wants to move on.
The Access Card saga is a classic tale of how not to implement a major government initiative. Lack of consistent and clear messages compounded by a lack of transparency and trust has always made it difficult to separate fact from political noise.
As David Vaile of the Australian Privacy Foundation once put it, “The problem with the Access Card project is that it involves collecting the data first, connecting systems, and then deciding what to use it for.”
Privacy and civil liberties advocates are apprehensive that the reports of the death of the Access Card have been greatly exaggerated. They are keeping a watch out for any proposal to re-introduce the card in a new form, as was the case with the Australia Card.
I don’t think they need to worry. As the UK has shown, ID cards for countries that traditionally haven’t had them are now so passé.
Even though I have no connection with Passport Canada, for some reason I’m feeling terribly let down by them.
My disappointment may stem from an agency making an elementary security mistake and, rather than fixing the problem, repeating it and looking foolish.
Or, it might be that it is incidents like these that collectively undermine trust people have in dealing with government agencies online.
Sigh…government agencies dealing with sensitive personal information simply have to do better.
What happened? According to Globe and Mail, a security flaw in their website allowed passport applicants to view the personal details (including social insurance number, date of birth, address, driver’s licence number, and gun ownership) of other applicants by simply changing one character in the URL displayed in the address bar. A very, very basic mistake and, worse, evidence of appalling testing.
The site was taken down but when it was put up again, a few key strokes were still all it took to reveal personal information. All the while, Passport Canada was in a public denial mode.
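The flaw described in the two paragraphs above is a missing authorisation check: the record identifier in the URL was the only thing deciding what the page showed. The example below is added here and is not Passport Canada’s code; the records and field values are constructed (the field names follow what the Globe and Mail reported as exposed). It places the flawed handler beside its hardened form, and adds the cross-account regression check that would have caught the problem before the site went back up the second time.

```python
from typing import Callable, Optional

# Constructed sample records; values are made up.
APPLICATIONS = {
    "1000234": {"owner": "alice", "sin": "000-000-001", "dob": "1975-03-02",
                "address": "1 Example St"},
    "1000235": {"owner": "bob", "sin": "000-000-002", "dob": "1982-11-19",
                "address": "2 Example Ave"},
}


def vulnerable_view(session_user: str, application_id: str) -> Optional[dict]:
    """The flaw as reported: the id from the URL is the only selector, so the
    authenticated session plays no part in deciding what is returned."""
    return APPLICATIONS.get(application_id)


def hardened_view(session_user: str, application_id: str) -> Optional[dict]:
    """Authorisation is decided against the authenticated session, not the
    URL. A record the caller does not own is answered exactly like a record
    that does not exist, so the id space gives nothing away."""
    record = APPLICATIONS.get(application_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


def cross_account_check(view: Callable[[str, str], Optional[dict]]) -> bool:
    """The regression test that belongs in the suite: for every record, can
    a different applicant retrieve it? Returns True if the handler leaks.
    Running this against the redeployed site would have failed the second
    release too."""
    users = {r["owner"] for r in APPLICATIONS.values()}
    for app_id, record in APPLICATIONS.items():
        for other_user in users - {record["owner"]}:
            if view(other_user, app_id) is not None:
                return True
    return False
```

Two points of design worth noting: the hardened handler returns the same "not found" result for a foreign record as for a nonexistent one rather than a distinct "forbidden" response, and the ownership check lives in the handler rather than relying on record ids being hard to guess. Unpredictable ids are a reasonable second layer, but the sequential ids described in the article only became a problem because the first layer was missing.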
Their website says about Web Security that “Passport Canada is taking the measures necessary to protect the confidentiality of the personal information you provide and to ensure that your electronic transactions with us are secure.”
The problem is, when fine words don’t match reality, public cynicism results. And that hurts.