Posts filed under ‘Aus’

Authenticating the Queen’s subjects

I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three-hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed: the insights into the Government Gateway were quite an eye opener.

Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how they reflect diverse approaches and are also very much a product of their times.

First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.

A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.

It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.

Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office, gave terrific insights into the chequered history of the Gateway as well as plans going forward.

The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.

Purely speculative on my part but I think they’ve got a big cloud on the horizon: when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.

So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.

Once the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System are added to igovt, then it’s a whole new ballgame for NZ.

But, there is clearly one area that the GLS should look at: adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.

All in all, interesting times and much thinking…


July 2, 2008 at 11:45 pm 1 comment

Banking on online identity verification

It’s interesting to see how some see business opportunity out of government regulation while others see only downsides.

During April’s Identity Conference, Kiwibank boss Sam Knowles complained about how the proposed anti-money laundering law provides no value, only an unnecessary regulatory burden.

For a bank which markets itself as a New Zealand bastion against domination by foreign (i.e. Australian) banks, it would do well to look across the Tasman at the example set by the branchless retail bank ING Direct.

According to an article in Australian IT, “ING Direct has led the way in using anti-money-laundering identification processes to come up with a method for opening an account purely online. The Dutch bank has claimed bragging rights for the first end-to-end online account opening facility in Australia…which uses an almost instant online identity verification process instead of the traditional 100-point security check to allow customers to open savings and term deposit accounts.”

“ING Direct has taken advantage of new AML [anti-money laundering] legislation that allows financial institutions to replace the traditional 100 point security check, which uses physical documents such as passports, with electronic AML compliance checks.”

According to the bank, “We were able to show the Government that electronic verification was robust and an alternative method to face-to-face. The legislation now says you have to conduct verification but it doesn’t prescribe the channel.”

From my perspective, this is cool. It works for people, it works for banks (even more so for branchless retail banks). And, it’s another small step forward in unlocking the Internet’s potential for higher-value transactions.

But the way that ING Direct verifies a person’s identity isn’t without potential flaws. Australian customers fill out an online application form and their identity is checked by FCS OnLine, a third-party identity verification service.

FCS OnLine seems to be offering online identity verification by checking information submitted by applicants against public databases. It’s difficult to see how relying solely on knowledge-based identity verification provides sufficiently robust results. On the other hand, presumably they overcome privacy requirements based on active consent from applicants.

So, if the outcome is desirable but the online identity verification process employed is suspect, it would be desirable for a better process to be used.

What would that be? For a start, one that is robust, economical, and user-centric. Even that’s quite a tall order. And, as far as I know, one that doesn’t exist, yet.

That’s where the wheel turns a full circle and New Zealand banks, including Kiwibank, may one day come out ahead if policy issues related to private sector use of igovt (specifically, the Identity Verification Service) mentioned in a Computerworld article are resolved.

Which raises the question of when is government a justifiable party?

(Hat tip to a colleague for the link to the Australian IT article and getting my blogging juices flowing again.)

June 16, 2008 at 11:51 pm 6 comments

Aus: If everyone was your Brother

Why worry about Big Brother if everyone is your Brother?

It’s becoming more common to tap into the wisdom of the crowds, peoples’ power, citizen journalism. Major news channels like CNN and BBC now routinely include videos shot by everyday people which, in many cases, allow broadcasting footage that would otherwise never have been captured.

But, I think the New South Wales Police in Australia are going too far and, in my opinion, are close to promoting vigilantism.

According to an article in ZDNet Australia, “NSW Police ask public to be cameraphone cops”: “NSW Police Minister, David Campbell, has revealed details of a new project encouraging citizens to capture video and photographic evidence of crimes on their phones and upload it securely over the Web to law enforcement agencies.”

OK, so I risk my life, jump over the fence, and through a gap in my neighbour’s curtains covertly use my mobile phone to film him putting a plastic bottle in the recycle bin without washing it first. Am I a hero or just a male version of a Desperate Housewife?

And what about that awful driver who can’t get his head around a simple rule: at an intersection, when both cars are turning right, if the other car is on your right, that car has the right of way; otherwise you have the right of way? Quick, whip out the mobile phone.

And what about that awful lady who thinks that just because the dog park is five steps from her gate, she doesn’t have to put her dog on a leash? Quick, whip out the mobile phone.

And what about…

March 27, 2008 at 9:39 pm 2 comments

SmartGate coming

Given front page news that SmartGate “would be tested in Wellington in the next few months and available for all trans-Tasman travel in time for the 2011 Rugby World Cup,” I was curious to see what reaction it would evoke in NZ.

Not too much. Over at NZ Herald, Peter Griffin in a blog post was cautiously welcoming (once he got an ePassport). Other than that, I haven’t come across anything. Not sure if that is a good thing or a bad thing.

SmartGate is an Australian self-service automated passport checking system that involves a kiosk and a gate. Step 1 checks if a traveller can use the automated option including the immigration and customs checks. Notably, this step includes “The photo in the ePassport is electronically retrieved and stored in a database.”

In Step 2, at the gate, a camera compares an image of the traveller’s face using facial recognition against the image stored in the database.

For eligible travellers who pass the Step 1 checks, SmartGate should reduce airport queues. Despite its troubled past, it’s believed to be operating smoothly in Brisbane and Cairns International Airports. An interim solution is also working in Sydney and Melbourne International Airports. Currently, only Australians and Kiwis can use SmartGate in these airports.

According to the FAQs, “All personal data collected via SmartGate, (including the photograph), will be treated in the same way as information collected manually upon arrival.” Also worth noting on the positive side is that the system is optional (see earlier post about the power of choice) and does not use fingerprints (see earlier post about this).

Still, an Australian system, biometrics, some unanswered questions… I would have thought some of these would lead to greater public interest in NZ; though not necessarily negative as Peter Griffin’s post shows.

March 26, 2008 at 10:33 pm Leave a comment

Aussie for privacy

New York governor Eliot Spitzer might have saved himself a whole lot of trouble if he was instead an Australian ministerial staffer.

The Australian Government has ordered over 315 staff to fill out a 25-page form and undergo an in-depth interview about their personal finances, drug habits and sexual history to get security clearance. The reason? To protect them from blackmail.

In what is perhaps the understatement of the year, Cabinet Secretary John Faulkner said that “Some staff find it intrusive.”

Gaining security clearance includes requiring staff to list their history of sexual partners, reveal extra-marital affairs and detail homosexual experiences.

Privacy advocates like Roger Clarke point out that “It’s a given that sensitive data, stored in large databases will inevitably leak.”

With apologies to Foster’s (see this iconic commercial if you’re not familiar with this reference), is this Australian for privacy?

March 17, 2008 at 11:08 pm 2 comments

Privacy Gateway

In the UK, OGC (Office of Government Commerce) has developed a very successful project review methodology for the British Government called Gateway. After being adopted in Australia, it is now being implemented in New Zealand by the State Services Commission for major capital projects.

According to a presentation given at a 2007 government IT conference, Gateway reviews will be a key part of monitoring and quality assurance of major ICT-enabled business Government projects.

It was therefore interesting to see that the UK’s Information Commissioner’s Office (ICO) wants compulsory Privacy Impact Assessments to be part of the Gateway review process. A senior official is quoted in Computing as saying, “We do not want the government to develop systems that may contravene data protection law and cost millions of pounds to put right. And we do not want systems to be developed that will not enjoy public confidence because people feel that their privacy is being eroded.”

The OGC has rejected an across-the-board approach of requiring Privacy Impact Assessments for all projects reviewed. Instead, it favours a case by case approach.

It is worth keeping an eye on how this plays out in the UK and whether that flows into NZ.

March 6, 2008 at 10:26 pm 1 comment

NZ, Aus: Limit fingerprints

Recent reports from both sides of the Tasman have once again shown public resistance to widespread fingerprinting. At least for citizens…

In NZ, following significant negative reactions from public consultation, police will only have the power to collect and store fingerprints “for the purpose of enabling the commencement of a prosecution.” Police will not be able to require fingerprints from people suspected of non-prosecutable offences, such as minor traffic infringements, or for routine identity checking.

Further, they would have to destroy those records as soon as practical once they decide not to arrest or charge a person with an offence, or if the person is acquitted.

This is quite a change from the original proposal that led to a very interesting debate about mobile scanners in Parliament.

Across the Tasman, ZDNet Australia reports that “there is a culture of resistance to fingerprinting in the community- a factor which may be holding back government from adopting the technology…Fingerprinting in Australia is not seen as an inviting technology.”

Further, CIO Magazine reports that despite a new ISO standard to provide a security framework for using biometrics for authentication of individuals in financial services (ISO 19092:2008), Australian banks are likely to restrict themselves to only exploring more use of voice verification.

As the ZDNet article points out, the Australian government continues to have a big interest in introducing biometrics. And, just as in other countries such as the UK, they want to start with non-citizens.

Not surprisingly, their choice is a group of people who have limited capacity to object.

March 3, 2008 at 11:20 pm Leave a comment


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
