Privacy and government as a Justifiable Party

April 7, 2008 at 11:11 pm

In response to my post When is government a Justifiable Party? Kim Cameron expressed some concerns. In summary, these were creating an attractive target for hackers; the collapsing of “previously independent contexts together”; “minimize disclosure and aggregation of information”; and, finally, Kim’s opinion that he “wouldn’t touch this kind of challenge without Information Cards.”

I need to first clarify that, as Kim pointed out, this is a personal blog. The official position remains that igovt services are for the use of people and organisations interacting with government.

Issues that may arise if igovt services are extended to the private sector are being considered. These issues include thinking about whether government is a justifiable party or not in such transactions. A final recommendation to government will only be made after thinking this through and a further Privacy Impact Assessment (PIA) looks at all the issues and mitigations proposed.

It’s important to keep in mind the context. We are talking about the dangers of social networking where sites such as Facebook and Bebo are unwilling and unable to do their bit in keeping our kids safe online. It is important that responsible people try to work out a solution that works for both these websites and their customers.

Kim makes some good points which, thankfully, have already been considered.

The most important architectural consideration is that igovt splits identity verification (who you are) from authentication (your online activities) into two separate services run by two different government departments. The first is provided by the proposed Identity Verification Service and the second by the Government Logon Service using pseudonymous identifiers.

This has the additional benefit of providing protection from hackers. Guaranteeing that a hacker will never get through an online service is impossible. Instead, in addition to data encryption, splitting data into silos such that no single breach, external or internal, yields all the information is a sensible design approach. In fact, this is precisely the “very distributed, encrypted information storage” that Kim advocates.

Another important part of defence-in-depth is to minimise the amount of data stored. In the case of the Identity Verification Service, it is restricted to four identity attributes: name, date of birth, place of birth, and sex. I’d expect private businesses (including social networking sites) to use the identity verification as a one-off, and not to use the authentication component to log a person on each time they access the online service. This hardly qualifies for Kim’s description of “handling ‘digital explosives’ of a greater potency than has so far been the case anywhere in the world.”

Next, the collapsing of independent contexts. On the contrary, we aren’t looking at collapsing contexts. Indeed, if anything, context separation is strengthened by the use of service-specific identifiers. The Identity Verification Service creates a persistent, meaningless identifier per service to avoid data sharing by Service Providers even if they collude. This is somewhat similar to the Austrian ID system.

This then leaves Identity Provider collusion. Kim places his faith in technological solutions such as U-Prove and Idemix. On this, I differ with Kim.

Protecting and enhancing the underlying trust relationship between people and government is too important to rely on technological solutions alone. Sure, good technology is vital but, in my opinion, it needs to be complemented by other instruments: oversight, independent assessments by experts, public consultation, policies, designing in privacy (such as separation of identity and authentication as well as use of service-specific identifiers) and, last but not least, legislating the privacy protection.

For example, the power of choice is at least as important as getting the technical solution right.

I think Information Cards are really good, hence my mixed reaction to Microsoft’s acquisition of U-Prove and my exchange with Kim about continuing to make U-Prove widely available. But to think that technological solutions alone, no matter how great they are, can in themselves provide adequate trust in government is simply unrealistic.

Constructive criticism is a positive thing: it makes good things better. However, it requires people engaged in the debate to make the effort to fully understand what’s being discussed. In the spirit of promoting this, I invite interested people to take a look at the presentation I gave in September last year at the Technology and Privacy Forum hosted by the Office of the Privacy Commissioner, New Zealand, which describes both the big picture and the detail of privacy protection.

As a final word, as you’ll see from slide 15 of the presentation, the one thing on which I do agree with Kim is that the laws of identity are applicable!

Entry filed under: authentication, government, identity, igovt, Info_Cards, NZ, personal_info, privacy, security, strategy, trust, Web_2.0.

4 Comments

  • 1. Adair  |  April 8, 2008 at 7:52 am

    Technically all this is a bit (way!) above my head, but as I’m still a Kiwi at heart, and struggling with the woeful immorality and foolishness of the UK Govt’s ‘National Identity Register’ scheme, I would like to think that NZ can do it better.

    The whole idea of putting a government in control of personal data required for the validating and/or permitting of everyday transactions fills me with concern. All eggs in one basket, absolute power corrupts, wickedness through incompetence if not by design—these are all ideas and scenarios we have seen played out in societies throughout history. People have struggled and died working to corral the engine of state into being more servant than master.

    When I use cash—to take a monetary example—within the country where I live and earn my living, I do not go running to the bank, let alone the government, to ask permission to conduct that transaction; and the privacy and anonymity of the parties is preserved, even from each other unless they choose to reveal extra information. The integrity of the cash validates the transaction—identity and personal detail is generally not exposed, or even relevant.

    Whatever digital systems are put in place to protect people and institutions and enable legitimate transactions to be conducted straightforwardly must surely, like the cash transaction, by default preserve the privacy and anonymity of the parties involved, and that must include absolute separation from the agency charged with ensuring the integrity of the system (except where there is an absolute need to reveal it, e.g. applying for a passport, etc.)

    Otherwise we are simply setting ourselves up as hostages to fortune, and turning a blind eye to everything we know about governments, power, and human nature. I never want myself, or anyone else, to be in a situation where either by accident or intent my ‘life’ can genuinely be switched off—no government, or any agency, should ever be given the means to have or have access to such a switch. State and private agencies have more than enough tools and power at their disposal as it is; fortunately it is by and large dispersed and incompatible. Inefficiency is not all bad!

  • 2. Vikram  |  April 8, 2008 at 9:43 am

    Thanks Adair. I share your sentiments.

    It is clear that people should be able to have a way to identify themselves when they need to. Your example of using cash is a great example where identity does not need to be verified.

    However, in some cases, people do have to be able to prove they are who they say they are.

    The solution to this needs to follow some core principles such as opt-in (people choosing whether or not they want to use it), privacy protective (which includes most of what you’ve said including data aggregation), security, convenience, acceptability, etc.

    An important element is a fit-for-purpose solution; one that is able to provide people with a way to remain anonymous or pseudonymous or identified to a high level of confidence depending upon the requirements of the situation.

    The solution most certainly is not a national ID card or register. It will almost certainly put people (not government) in control. It will also be distributed so, as you say, all the eggs are not in one basket. By distributed, I mean data is in silos and context separation.

    While agreeing with everything you said, I can’t help but think about your last remark. Inefficiency surely cannot be a good thing. Inefficiency as a way to protect privacy is a poor substitute for efficient, privacy-protective solutions. In my opinion, this is like relying on obscurity for security.

  • 3. Adair  |  April 8, 2008 at 8:56 pm


    I take your point about ‘inefficiency’. My comment was tongue in cheek, but also with the implication that one person’s efficiency can be someone else’s oppression, e.g. the Nazis’ efficiency (for its time) in processing Jews, etc.

    The concern about the Labour Govt’s/Civil Service’s proposal here in the UK is that, although it has recently been adapted (again!) to a somewhat more distributed model, it nevertheless continues to concentrate the power in the hands of the Govt. It is effectively a ‘land-grab’ by the state over personal identity and its use.

    It is even more invidious and reprehensible than that because, while the Govt. attempts to take over ownership of personal identity, it is ‘irresponsible’ ownership. All the responsibility and risk will be borne by the individual. The state will effectively take no responsibility for errors or abuse of the system.

    As you can tell I, and others, feel somewhat passionately about what is being enacted here. Hopefully, behind the scenes, wiser and more morally grounded heads will ultimately prevail. At least there is some growing public and commercial recognition that the whole thing is highly likely to become another first rate British farce—but at what cost if it goes ahead?

    A system where I/we know that our control and use of our personal identity is strongly supported by the resources of the state, but where the state makes no claim to ‘own’ my identity, and actively prevents that, would be far more constructive and help cement a constructive and trust-based relationship between the state and the individual—a symbiosis.

    (ps – due to a slip of the keyboard this comment has also ended up on a blog entry for the 18 Dec.!)

  • 4. Vikram  |  April 8, 2008 at 11:11 pm

    Thanks again Adair.

    I’m going to limit myself to saying that the name of my blog, yes2privacy, is derived from no2id. Need I say more?
