Posts filed under ‘government’

Showing us a better way

The UK Government’s competition Show Us a Better Way is living up to its name. The competition is run by the Power of Information Taskforce.

The page About This Competition describes it eloquently:

“The government produces masses of information on what is happening around the UK. Information on crime, on health, on education. However, this information is often hidden away in obscure publications or odd corners of websites. Data tucked away like this isn’t of use to the ultimate owner of that information YOU.”

Refreshingly, the government goes on to say, “We’re confident that you’ll have more and better ideas than we ever will.

The Guardian newspaper, which has been campaigning for freeing up government data since 2006, has been an enthusiastic supporter of the competition. With a decent prize pool of £80,000, there has been plenty of interest with over 450 people entering the contest.

In addition to five ideas that need further work and four prototypes that are already running, the judges have announced the five ideas that will be built:
• Can I Recycle It? : recycling information based on post code
• UK Cycling : planning cycling routes
• Catchment Areas : boundaries of school catchment areas
• Location of Postboxes : nearest one to wherever you are
• LooFinder : a mobile texting or website for the nearest public toilet

The first of these, Can I Recycle It, was the overall winner.

A US-equivalent competition, Apps for Democracy, run by the District of Columbia has pulled in 47 submissions over the 30 days it ran.

Clearly, the idea has international appeal for governments. For New Zealand, there are some key messages:

1. While there are already some very good examples of government agencies freeing up their data, such as Statistics NZ’s, Making More Information Freely Available, doing more can unleash much greater creativity. People will themselves work out what problems to solve, where the opportunities are, and ways to add social and/or economic value.

2. The five ideas that emerged winners are all based on geospatial data. Perhaps this reflects the attractiveness of visualisation and the growing popularity of Google Maps. Geospatial data should therefore get priority attention.

3. Governments aren’t typically associated with competitions and cash prizes but, handled right, they could potentially be a viable way to stimulate interest. And, it’s a great way for people to know what data (including formats) the government already makes available.

4. However, even the success of Show Us a Better Way doesn’t imply that all the underlying issues have been resolved. For example, about the time the winners were announced, the Ordinance Survey (which owns all of UK’s mapping data) sent a reminder that its data was free for non-commercial use only. Worse, it ruled out letting people use its data with Google Maps due to licensing issues. This may stall all the five winning ideas. It’s a reminder that licensing, copyright, and pricing all need to be addressed before data is truly free.

5. Also, there is a need to figure out what ‘free’ actually is. Is it the UK-style freely available or the US-style free of cost?

6. This is also a reminder of the non-rival nature of data and information, i.e. one person’s use doesn’t stop others from also using the same data and information for the same or different purpose. Freeing up data can therefore have a multiplier effect since the marginal benefit of providing an extra unit is the sum of the marginal benefits received by each of the individual users.

To go back to the beginning, the Power of Information review highlighted how “The cost-benefit calculations that historically underpinned what information is collected, who can use it, and how it is paid for are rapidly becoming outdated.”

And that raises some opportunities and challenges that New Zealand needs to seize.

[Original post at http://blog.e.govt.nz/index.php/2008/11/17/showing-us-a-better-way/]

November 17, 2008 at 10:18 pm 1 comment

UK: Raising the breach barrier, again

When HMRC (Her Majesty’s Revenue and Customs) lost personal information of nearly half the UK population, I called it “mind boggling”. I also thought that it would be the last time I’d write about data breaches. What could top that?

Never underestimate the Brits. They’ve now pushed the bar even higher.

All it took was a flash drive found in the car park of a pub, The Orbital. It had user names and the hashed passwords of Government Gateway accounts, which provides centralised authentication to important online services such as tax returns. Worse, the flash drive had the source code, security software, and a step-by-step guide to how the Government Gateway works. And, the fact that it belonged to Daniel Harrington, an IT analyst at Atos Origin, the company which manages the Government Gateway.

The flash drive was lost about two weeks ago. Daniel must have just started to believe that his prayers had been answered with the flash drive forever lost. No such luck. Tellingly, it was turned into a newspaper (The Mail on Sunday) rather than given back to the government.

The point isn’t that the flash drive was lost. What was all that data doing on it in the first place? The Prime Minister is pointing the finger at Atos Origin which is fingering Daniel for breaching operating procedures. Really? Sounds exactly like Chancellor Alistair Darling pointing to a junior official in the HMRC case. It really shouldn’t be so easy to evade accountability.

Why was the flash drive unencrypted? The passwords were encrypted but, throw enough resources at it, and it shouldn’t be that hard to break. It’s impossible to say how many copies of the flash drive may be in circulation.

Some will use this to question the UK’s plan for a National Identity Card. Others will again proclaim the death of passwords. Yet others will cry that it’s the tip of the iceberg- who knows how many other unreported breaches of this magnitude are happening around the world? I’m sure at least a few will wonder what if it had been biometric templates.

Me, I mourn the blows to trust in government and online services all over the world. And the frightening reality that past lessons are simply being ignored, taking us ever closer to a tipping point.

November 3, 2008 at 11:17 pm 1 comment

The next best thing to the next best thing

From the perspective of a person keen to see identity federation the norm, a single federation protocol is the best thing. That allows a focus on the real challenges of federation- the business and process challenges. It relegates arcane discussions about SAML and WS-Federation to the few people who really want to talk about the nuts and bolts.

In reality, that’s probably unachievable. If nothing else, that was the biggest lesson from the ODF vs. OOXML saga.

The next best thing is true interoperability between protocols with standard products supporting multiple protocols out of the box. This doesn’t take away all the costs, complexity, and risks but is still an acceptable outcome.

The next best thing to the next best thing is a major vendor promising to move towards the next best thing. To that end, Microsoft’s announcement that the beta version of Geneva will not only support SAML 2.0 as a token format but also as a single sign-on protocol is very welcome. Geneva is Microsoft’s future identity platform, replacing ADFS (Active Directory Federation Services).

Specifically, Geneva will support the SAML 2.0 Lite/Web SSO profile. Happily enough, it will also support the US Government’s GSA profile which seems to be an attractive offering for US Government agencies.

So, come 2010 or whatever the usual announcement-to-real world deployment cycle takes, deployers of federation can increasingly focus on benefiting from identity portability rather than the underlying technical challenges.

Cool.

October 30, 2008 at 12:11 am Leave a comment

Esther Dyson on privacy

With so much happening around the world- the financial markets, politics, rugby (Union and League) – it seems terribly mundane to be writing about identity and privacy issues. C’est la vie!

It’s interesting to see that a leading magazine such as Scientific American focus on The Future of Privacy as the theme for its September issue. Another sign of privacy becoming a mainstream issue.

There seems to be a lot of interesting articles but the one that I picked first was How Loss of Privacy May Mean Loss of Security. Besides the title, what drew me was that the author is Esther Dyson. What’s so special about her? Lots of stuff that you can Google but the one fascinating fact is that, for the Personal Genome Project, she and nine other people will post their full genome sequences and accompanying health information online.

She remarked that “I was recently in the market for health insurance. I asked my insurance broker if he would like a copy of my genome, and he politely declined.”

Undoubtedly a person who’s going to have some radical views about privacy…and the article has some gems.

For example, perhaps linked to the above, her view is that “the coming flood of medical and genetic information is likely to change the very nature of health insurance.” She doesn’t see this as requiring a privacy trade-off. Instead, she believes the problem is making cheap and plentiful health insurance available balanced by “mandating subsidies paid by society to provide affordable insurance to those whose high health risks would otherwise make their insurance premiums or treatment prohibitively expensive.”

Hmmm…so how is cheap and plentiful health insurance actually going to be made available in the first place?

She asks the question “What is the best way to limit government power?” The answer seems hard to swallow, “Not so much by rules that protect the privacy of individuals, which the government may decline to observe or enforce, but by rules that limit the privacy of the government and of government officials.”

Another suggestion seems better, “We should be able to monitor what the government does with our personal data and to audit (through representatives) the processes for managing the data and keeping them secure.”

On information privacy in general, while not new, she puts it elegantly, “Much of the privacy that people took for granted in the past was a by-product of friction in finding and assembling information. That friction is mostly gone.”

She goes on to say that, “Rather than attempting to define privacy for all, society should give individuals the tools to control the use and spread of their data.” Disappointingly, the tools she praises are the very limited access controls that Facebook and Flickr provide.

If that’s the best tools we’re going to get, I think we’ve got a long, long way to go before loss of privacy isn’t a mainstream issue any longer!

September 17, 2008 at 11:01 pm Leave a comment

Semantic Web & OAuth

I must confess that for a long time I never got this semantic web thing. Now, with the zeal of the recently converted, I see possibilities everywhere.

Part of the reason it took time was an automatic reaction against something being called Web 3.0 (or is it 4.0?). I’m still trying to really understand Web 2.0. Learning about the next big thing could always wait.

Another reason was how early enthusiasts described the semantic web. Calling it the machine readable web doesn’t even begin to make sense.

As far back as 1999, Tim Berners-Lee in Weaving the Web said, “I have a dream for the Web [in which computers] become capable of analyzing all the data on the Web – the content, links, and transactions between people and computers. A ‘Semantic Web’, which should make this possible, has yet to emerge, but when it does, the day-to-day mechanisms of trade, bureaucracy and our daily lives will be handled by machines talking to machines. The ‘intelligent agents’ people have touted for ages will finally materialize.”

Now that’s visionary. Even today, I’m barely beginning to understand that vision.

Thankfully, and perhaps ironically, the very Web 2.0 service Slideshare has some presentations that explain things in a way that we mere mortals can understand. My first pick are the two presentations from Freek Bijl- the first one covers the basics and the second one the technologies. Another one is from Marta Strikland called The Evolution of Web 3.0. This has a great Web 3.0 Meme Map on slide 15 and a comparative list of Web 2.0 and 3.0 on slide 27.

Being more of a graphics person, the final aha came from the one below, thanks to Project 10x (also worth looking at is the original Semantic Social Computing presentation from Mills Davis).

With the semantic web also comes a whole new set of acronyms. A starter list is RDF, SPARQL, SWRL, XFN, OWL, and OAuth. In particular, OAuth being the authentication one is interesting.

OAuth is described as “An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.” The basic promise is attractive- access to data while still protecting the account credentials. That has the advantage of not requiring people to give up their usernames and passwords to get access to their data. OAuth is a much-improved version of closed proprietary protocols such as Flickr’s API. Importantly, it has support for non-browser access such as desktop applications and mobile services.

So, what are the practical applications of the semantic web? Within the government space, a clear winner is being able to automate the collection of data from multiple government websites and search, filter, or otherwise manipulate the result.

As a simple example, if all government websites had the contact details of their media contact using hCard, it would be easy to have an always up-to-date list that can be displayed, indexed, searched, loaded into an address book, mapped, etc. Even as a relatively simple first step, this would be a big step forward for government.

September 3, 2008 at 11:43 pm Leave a comment

UK: e-petition and proof of citizenship

I was both moved and intrigued by Robin Wilton’s plea to support an e-petition “to create a dedicated Military & Veterans Hospital within the UK.”

Moved because it seemed to be a worthy thing to do; intrigued because I wanted to see how they would verify that I met the condition of being a British citizen or resident to sign the petition.

Turns out that all that’s required is a valid address and postcode. If you’re an expat, you don’t even need that. So, “Earnest Hope” became the 41,380th person to sign the e-petition.

It left me wondering just how many other signatures are from people like me? And, does it really matter if the bulk of them are actually from eligible folks?

Also, isn’t there a better way for checking online whether a person is a UK citizen/resident?

That got me thinking about how to verify whether or not a person is a New Zealand citizen or resident. In-person checking is simple enough but what about an online check? Can’t think of a simple way that already exists.

That is where GOAAMS (slides) comes in…

August 3, 2008 at 9:14 pm Leave a comment

Identity systems and trust

On reflection, it turns out that a trusted system may actually be untrustworthy.

I was looking at some of the recorded presentations that I missed at the Managing Identity in New Zealand conference in April. If the delightful Wordle tool could make word clouds from videos, then one of the prominent words in the presentations would be “trust.” There were probably few, if any, presentations that didn’t use that word in conjunction with identity systems.

Just what is the relationship between identity systems and trust? Given that every presenter thought it is a critical component of an identity system, it’s worth trying to uncover the relationship between the two.

To me the word trust seemed to cover a wide spectrum of meanings- different people used the word to mean different things. At one extreme is what I’d call technical trust while at the other is business trust.

A good example of technical trust is Stefan Brand’s presentation about Credentica’s U-Prove™ technology. He would probably define trust in terms of protocols, cryptographic proof, encryption, non-repudiation, digital signatures, message integrity, unlinkability, etc. Trust would, in this case, be the outcome from the technical features of an identity system.

At the other extreme is what a person like the Privacy Commissioner means by trust. She used it to mean “protect them [people] from the many possible harms that can arise from misuse of their personal information”; “to give credible, proveable reassurances”; and “people to feel too insecure to give out their information, and crippling e-govt and e-commerce systems.” She goes on to quote a minister that “Damage the trust of citizens and you damage the notion of citizenship, and governing becomes that much harder.”

I visualise the relationship between technical trust and business trust as two concentric circles. The smaller, inner one is technical trust and the larger, outer one business trust to represent:

– technical trust is a sub-set of business trust, i.e. it is impossible to achieve business trust without first getting technical trust; and

– technical trust on its own is insufficient, i.e. for an identity system to be trustworthy, it must have both technical trust and business trust. Otherwise, we get a (technically) trusted system that is untrustworthy from a business or user perspective.

Vendors of identity systems tend to focus on technical trust and make passing references to business trust. That’s one of the things that make the Liberty Alliance attractive- it has a focus on both technical and business trust.

As an aside, locally we seem to be getting there as evidenced by a recent post Govt moves forward with online ID by Richard Wood.

July 27, 2008 at 11:38 pm 2 comments

Elusive SSO

I’ve been a fan of usability guru Jakob Nielsen’s regular update (Alertbox) for a long time. It’s admirable how he keeps re-emphasising the fundamentals again and again.

I suspect that half the reason I read the updates so regularly is the futile hope that somehow- maybe by osmosis- his common sense approach will percolate into my sub-conscious and lead to better outcomes for the online services I’m involved in.

Jakob Nielsen would no doubt laugh at such nonsense, throw up his hands, and demand that I user test to objectively determine that one way or another.

Anyway, his latest piece is on enterprise portals. That is not an area that I often venture into but he had some stuff about single sign-on (SSO) that caught my eye:

“Single sign-on is the Loch Ness monster of the intranet world: People hear about it and even believe it exists, but they’ve yet to see it for real…In our initial research 5 years ago, it was already clear that single sign-on could dramatically improve user productivity and satisfaction, as well as immensely reduce support costs.”

“Our second round of research confirmed single sign-on’s potential — and its elusiveness… True single sign-on was and is extraordinarily rare… We can only conclude that it’s very difficult to achieve, despite its promise.”

What’s true of the enterprise is even more so outside it, for the Internet.

The benefits and business case for enterprise SSO are undoubtedly great. But for the Internet? That’s an area that I personally struggle with, notwithstanding that SSO is the original use case for federation and, to some extent, can be provided by OpenID (provided the person has logged on to the OpenID Provider).

Now, Internet SSO does mean convenience. It surely is a good thing to log on once and then be able to do whatever a person wants across the Internet without logging in again.

What worry me are the security and privacy implications. Those aren’t that big a deal within an enterprise context but are on the Internet. And, within government online services on a national scale, even more so.

From a security perspective, it’s about the loss of keys to the kingdom- passwords are just too easy to compromise. Now, if passwords were used appropriately (i.e. only where there is a low level of identity-related risks) then the consequences from a compromised password wouldn’t be too bad. But, realistically, passwords today protect far too much and a compromised password can be a widespread disaster for the person.

Then, there’s privacy. Using the same username & password to do everything (or lots of things) then raises the possibility of aggregation of information and building profiles.

So is Internet SSO a good thing? Yes, provided it is implemented in a secure and privacy-protective manner. Problem is, can that be achieved in an economical manner (that rules out advanced crypto) for the Internet?

July 15, 2008 at 11:16 pm 1 comment

Just what is ‘identity’?

As a term that most of us find intuitively easy to define, it turns out that getting a precise and generally accepted definition of the term ‘identity’ is far from easy.

The first question of course is whether it’s even worth the effort to try and get a precise definition. I think the answer is ‘yes’ for several reasons.

First, identity involves personal information and people expect that government collects and holds their personal information in a secure manner with their privacy appropriately protected.

Secondly, people need to prove who they are many times during a day. While typically people only need to do that with government infrequently, for a government agency it is of critical everyday importance to have confidence in the identity of the person they are dealing with. For example, an agency needs to be sure that government services are being delivered to the right person. Another example is ensuring that the right person has access to their own personal information such as health records or tax records.

On the one hand, people want convenient access to their information and government services. On the other hand, government as a whole has to manage the identity-related risks and ensure that the taxpayer’s money is spent well.

Finally, consider this quote from a recent report by Sir James Crosby to the UK Government, “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”.

Looking around, both in New Zealand and overseas, we saw that most of the focus on ‘digital identity’ and ‘user-centric identity’. Also, ‘identity management’ is typically defined in technology terms such as ‘authentication’ and ‘authorisation’. And yet, all of these still don’t answer the fundamental question of just what ‘identity’ is in the first place.

To help get us a better insight into the thinking of the academic world and the approaches taken in some other countries, we turned to Victoria University of Wellington. Professor Miriam Lips, with the help of her student Chiky Pang, has now completed her report Identity Management in Information Age Government (PDF, 557 KB) and we have published it on the e-government website.

It turns out that the answer to our questions has a variety of answers. However, it does validate our current approach that one of the useful ways to look at identity is to consider that people have a single, unique identity but many context-dependent partial identities or personas. The result is more of an onion than linear, so that operating at the outer layers of the onion may not have any connection at all with the unique core:

Another interesting insight from the report is the move to an informational definition of identity from a document-based definition. The impact of the Information Age is to make it increasingly necessary for governments to consider identity information- its collection, verification, storage, maintenance, and disposal- rather than just the issue and use of identity documents.

As we look at these issues in finer and finer detail, it remains important to not lose sight of the basics. Such as, people own and control their own identity while government’s role is to manage their identity information well. And, the need to put theory into practice.

So that in the future, when Bill and Jessica want to return home to New Zealand, they have one less thing to worry about.

[Original post at http://blog.e.govt.nz/index.php/2008/07/09/just-what-is-identity/]

July 9, 2008 at 7:52 pm Leave a comment

Authenticating the Queen’s subjects

I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.

Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflect diverse approaches and are also very much a product of their times.

First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.

A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.

It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.

Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.

The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.

Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.

So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.

Once the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System is added to igovt, then it’s a whole new ballgame for NZ.

But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.

All in all, interesting times and much thinking…

July 2, 2008 at 11:45 pm 1 comment

Older Posts


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter

Feeds