Posts filed under ‘USA’

Showing us a better way

The UK Government’s competition Show Us a Better Way is living up to its name. The competition is run by the Power of Information Taskforce.

The page About This Competition describes it eloquently:

“The government produces masses of information on what is happening around the UK. Information on crime, on health, on education. However, this information is often hidden away in obscure publications or odd corners of websites. Data tucked away like this isn’t of use to the ultimate owner of that information YOU.”

Refreshingly, the government goes on to say, “We’re confident that you’ll have more and better ideas than we ever will.”

The Guardian newspaper, which has been campaigning for freeing up government data since 2006, has been an enthusiastic supporter of the competition. With a decent prize pool of £80,000, there has been plenty of interest with over 450 people entering the contest.

In addition to five ideas that need further work and four prototypes that are already running, the judges have announced the five ideas that will be built:
• Can I Recycle It?: recycling information based on post code
• UK Cycling: planning cycling routes
• Catchment Areas: boundaries of school catchment areas
• Location of Postboxes: nearest one to wherever you are
• LooFinder: a mobile texting service or website for finding the nearest public toilet

The first of these, Can I Recycle It, was the overall winner.

A US-equivalent competition, Apps for Democracy, run by the District of Columbia, pulled in 47 submissions over the 30 days it ran.

Clearly, the idea has international appeal for governments. For New Zealand, there are some key messages:

1. While there are already some very good examples of government agencies freeing up their data, such as Statistics NZ’s Making More Information Freely Available, doing more can unleash much greater creativity. People will themselves work out what problems to solve, where the opportunities are, and ways to add social and/or economic value.

2. The five ideas that emerged winners are all based on geospatial data. Perhaps this reflects the attractiveness of visualisation and the growing popularity of Google Maps. Geospatial data should therefore get priority attention.

3. Governments aren’t typically associated with competitions and cash prizes but, handled right, they could potentially be a viable way to stimulate interest. And, it’s a great way for people to know what data (including formats) the government already makes available.

4. However, even the success of Show Us a Better Way doesn’t imply that all the underlying issues have been resolved. For example, about the time the winners were announced, the Ordnance Survey (which owns all of the UK’s mapping data) sent a reminder that its data was free for non-commercial use only. Worse, it ruled out letting people use its data with Google Maps due to licensing issues. This may stall all five winning ideas. It’s a reminder that licensing, copyright, and pricing all need to be addressed before data is truly free.

5. Also, there is a need to figure out what ‘free’ actually is. Is it the UK-style freely available or the US-style free of cost?

6. This is also a reminder of the non-rival nature of data and information, i.e. one person’s use doesn’t stop others from also using the same data and information for the same or different purpose. Freeing up data can therefore have a multiplier effect since the marginal benefit of providing an extra unit is the sum of the marginal benefits received by each of the individual users.

To go back to the beginning, the Power of Information review highlighted how “The cost-benefit calculations that historically underpinned what information is collected, who can use it, and how it is paid for are rapidly becoming outdated.”

And that raises some opportunities and challenges that New Zealand needs to seize.

November 17, 2008 at 10:18 pm 1 comment

The next best thing to the next best thing

From the perspective of a person keen to see identity federation become the norm, a single federation protocol is the best thing. That allows a focus on the real challenges of federation: the business and process challenges. It relegates arcane discussions about SAML and WS-Federation to the few people who really want to talk about the nuts and bolts.

In reality, that’s probably unachievable. If nothing else, that was the biggest lesson from the ODF vs. OOXML saga.

The next best thing is true interoperability between protocols with standard products supporting multiple protocols out of the box. This doesn’t take away all the costs, complexity, and risks but is still an acceptable outcome.

The next best thing to the next best thing is a major vendor promising to move towards the next best thing. To that end, Microsoft’s announcement that the beta version of Geneva will not only support SAML 2.0 as a token format but also as a single sign-on protocol is very welcome. Geneva is Microsoft’s future identity platform, replacing ADFS (Active Directory Federation Services).

Specifically, Geneva will support the SAML 2.0 Lite/Web SSO profile. Happily enough, it will also support the US Government’s GSA profile which seems to be an attractive offering for US Government agencies.

So, come 2010 or whatever the usual announcement-to-real world deployment cycle takes, deployers of federation can increasingly focus on benefiting from identity portability rather than the underlying technical challenges.


October 30, 2008 at 12:11 am Leave a comment

Freeing the cyber seas

Thoughts of war have been on my mind recently. The seduction of using force to achieve just outcomes. The futility of war, in many cases, failing to make a lasting difference in addressing the root cause.

The US had Memorial Day, a day of remembrance for military men and women who laid down their lives. Over here, NZ has Tribute08, a time for the country to say sorry to our Vietnam Vets and welcome them home after decades.

The price of war shows up in various ways, with neither side spared. An example is the 100+ US soldiers who commit suicide each year. Or, the continuing unwillingness in NZ to really face up to the damage that Agent Orange continues to do to Kiwi Vietnam Vets and their families.

That’s the mindset with which I read the article, Freedom of the Cyber Seas, recently.

It takes us back to the late 18th century, when the Barbary States ruled the Mediterranean, seizing cargo from those vessels not protected by the European powers and extorting ransom from those that had not paid the ‘protection fee.’ For the newly independent America, the policy was to appease the pirates. By 1786, Barbary extortion demands totalled $1 million, one-tenth of the U.S. government’s entire budget at the time.

Thomas Jefferson was a proponent of Dutch jurist Hugo Grotius’ Mare Liberum or “free seas” doctrine published in 1609. Once Thomas Jefferson became President in 1801, true to his words, he sent in a group of American warships. Four years later, culminating in the Battle of Derna, the Barbary States were defeated and “free access to the world’s oceans a fundamental component of U.S. sovereignty” was established.

The authors’ purpose is of course not to give us a history lesson. Rather, it is to draw a parallel with “a new version of the high seas–the cyber seas” that threatens US military and economic interests. They call on the US to abandon the policy of appeasement to keep data flowing through global networks without hindrance.

Fortunately, they aren’t advocating what the US Air Force does, “America needs a network that can project power by building an robot network (botnet)… America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.” They thankfully think that respecting international law is a good thing and recommend “policies, legal frameworks and enforcement mechanisms for Internet commerce and communications.”

Their plan is however not without a hard edge. Inspired by the US war on drugs, “the president also must charge an appropriate federal organization with the charter of patrolling the cyber seas–issuing challenges where necessary and taking proactive defensive action to disrupt organized threats. This organization must work closely with the law enforcement and intelligence communities to identify bad actors and devise strategies to exploit the vulnerabilities associated with online criminal activity.”

Even though this is a very US-centric view of the world, it does raise some interesting thoughts and parallels. What is the world going to do about the modern-day pirates? What is the Internet equivalent of the war with the Barbary States (today’s Russia and Eastern Europe)?

And, finally, the sobering thought that piracy on the high seas was not wiped out by a US victory in the Battle of Derna. Far from it, as anyone familiar with piracy in the Malacca Straits knows.

So, what are we going to do? And will there be a lasting solution?

June 1, 2008 at 10:28 pm 1 comment

When is government a Justifiable Party?

A recent article in CR80News called Social networking sites have little to no identity verification got me thinking about the Laws of Identity, specifically Justifiable Parties, “Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.”

The article itself makes points that have been made before, i.e. on social networking sites “there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man…The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.”

In the US, this has thrown up business opportunities for some companies to act as third party identity verifiers. Examples are Texas-based Entrust, Dallas-based RelyID, and Atlanta-based IDology. They rely on public and financial records databases and, in some cases, government-issued identification as a fallback.

Clearly, these vendors are Justifiable Parties.

What about the government? It is the source of most of the original information. Is the government a Justifiable Party?

In describing the law, Kim Cameron says “Today some governments are thinking of operating digital identity services. It makes sense (and is clearly justifiable) for people to use government-issued identities when doing business with the government. But it will be a cultural matter as to whether, for example, citizens agree it is “necessary and justifiable” for government identities to be used in controlling access to a family wiki or connecting a consumer to her hobby or vice.” [emphasis added]

So, in the US, where there isn’t a high trust relationship between people and the government, the US government would probably not be a Justifiable Party. In other words, if the US government was to try and provide social networking sites with the identity of its members, the law of Justifiable Parties predicts that it would fail.

This is probably no great discovery: most Americans would have said the conclusion is obvious, law of Justifiable Parties or not.

Which then leads to the question of other cultures…are there cultures where government could be a Justifiable Party for social networking sites?

To address this, I think it is necessary to distinguish between the requirements of social networking sites that need real-world identity attributes (e.g. age) and the examples that Kim gives (family wiki, connecting a consumer to her hobby or vice) where authentication is required (i.e. it is the same person each time without a reliance on real-world attributes).

Now, I think government does have a role to play in verifying real-world identity attributes like age. It is after all the authoritative source of that information. If a person makes an age claim and government accepts it, government-issued documents reflect the accepted claim as what I call an authoritative assertion that other parties accept.

The question then is whether, in some high-trust societies where there is a sufficiently high trust relationship between society and government, the government can be a Justifiable Party in verifying the identity (or identity attributes such as age alone) of the members of social networking sites.

I believe that the answer is yes. Specifically, in New Zealand where this trust relationship exists, I believe it is right and proper for government to play this role. It is of course subject to many caveats, such as devising a privacy-protective system for the verification of identity or identity attributes and understanding the power of choice.

In NZ, igovt provides this. During public consultation held late last year about igovt, people were asked whether they would like to use the service to verify their identity to the private sector (in addition to government agencies). In other words, is government a Justifiable Party?

The results from the public consultation are due soon and will provide the answer. Based on the media coverage of igovt so far, I think the answer, for NZ, will be yes, government is a Justifiable Party.

April 2, 2008 at 10:54 pm 2 comments

US: Admiring the TSA

Blogs and government aren’t a natural fit. The open, bi-directional flow of information in blogs contrasts with the carefully controlled, uni-directional flow of information that governments are typically associated with.

The US Air Force case is the norm. According to Wired, “The Air Force is tightening restrictions on which blogs its troops can read, cutting off access to just about any independent site with the word “blog” in its web address.” Ironically, according to online audits conducted by the US Army, official Defense Department websites post material far more potentially harmful than anything found on soldiers’ blogs.

That’s where Homeland Security’s Transportation Security Administration (TSA) comes in. TSA is commonly associated with passenger and baggage screening at US airports, a role that is hardly going to endear them to most people. There have been any number of criticisms of their operations, not the least of which is indulging in security theatre.

It’s probably the last organisation that you’d think of running a blog. Not only do they have a blog, they have a great, open blog. The stated purpose is “to facilitate an ongoing dialogue on innovations in security, technology and the checkpoint screening process.”

For TSA it is reasonable to have a moderated blog and certainly their Comment Policy is both sensible and fair. Still, it would be justified for people to be a bit cynical about just how open the TSA’s blog would be to comments.

Yet, they are. Take the case of their latest post The Truth Behind the Title: Behavior Detection Officer. It has attracted 90 comments so far, most of which are far from complimentary. A typical pithy one is, “This program is a complete waste of time and money. I can’t believe we’re paying for this.”

Others provide more measured criticism (“TSA, what’s the false hit rate for this program?”) and a few are supportive.

Despite a lot of justified criticism against the TSA, I’ve got to, reluctantly, praise them for their willingness to engage with people openly. In my book, that’s admirable.

March 4, 2008 at 11:33 pm 5 comments

The power of choice

Over the past few days, the topic of choice has coincidentally come up several times. I mean real choice, not something compulsory dressed up as choice.

My favourite example of “no choice” choice is the I-94W form. People from Visa Waiver countries, such as New Zealand, fill this in on arrival in the USA. It’s got a beauty in the fine print, “I hereby waive any rights to review or appeal of an immigration officer’s determination as to my admissibility, or to contest, other than on the basis of an application for asylum, any action in deportation.” Why have laws that give people rights and then ask them to sign a form giving up those rights as a pre-condition to accepting the form? Do I really have a choice?

No, the kind of choice I’m talking about is the personal details that people choose to disclose in social networking sites. People choosing to get chipped to avoid the hassle of carrying a security card to enter a work site. The kind of free choice associated with appearing on a reality show or those mid-morning talk shows.

The point is that if these people had no choice, if a thing is mandatory, then there would be a massive violation of their privacy. So, consideration of choice is central to privacy.

That makes it a target for subversion, such as the US example. There are also issues of informed choice, applying one’s mind, and allowing for people to make different choices.

The centrality of choice was highlighted in The Economist’s Special Report on identity, “Identity Parade.” The article makes the important point that “The hard lesson for governments is that citizens will adopt technology when it is both optional and beneficial to them, but resist it strenuously when it is compulsory, no matter how sensible it may seem.”

An example used in the article is the choice people make for the sake of convenience when entering Dubai, “Ask the average traveller from a developed country whether he would like to be fingerprinted by an authoritarian regime and have the results stored indefinitely in its computer, and he will probably say no. But when such procedures save time, scruples go out of the window.”

Making something compulsory triggers a mindset of overcoming a hurdle. Making it opt-in gets people making conscious or unconscious evaluation of costs, benefits, and risks.

And that is the power of choice.

February 29, 2008 at 10:04 pm 4 comments

NZ: how big is identity theft?

Just how big a problem identity theft is in New Zealand has been a barren debate so far. In the absence of official statistics and research, the debate has largely been opinions vs. extrapolation of overseas data.

That makes the report “The Experience of E-Crime, Findings from the New Zealand Crime and Safety Survey 2006” for the Ministry of Justice very welcome even though it seems to only cover a sub-set of the wider identity theft and identity fraud problems.

A nationally representative random sample of 5,400 people was surveyed between February and June 2006. Chapter 4 of the report presents the findings on identity theft in two categories:

– Of card users, 2.3% said that somebody had used a credit, bank or debit card or card number, without permission, to steal from them.

– 1.1% reported that someone had misused personal information about them to obtain new credit cards or loans, run up debts, open other accounts, or otherwise commit theft, fraud, or some other crime.

– Overall, 2.8% reported that one or the other of the two forms of identity theft they were asked about had occurred once or more and 0.4% of respondents reported both forms of identity theft.

Now, 2.8% extrapolated to the NZ population equates to about 93,000 people aged 15 or more that have suffered from credit card fraud or identity fraud during the January 2005 to June 2006 period.

It is interesting to see how this compares with results from other countries.

However, a great deal of caution is required due to the differences in terminology and the varying definitions of identity theft / identity fraud. In fact, the NZ Police website has a good, clear differentiation between identity theft and identity fraud.

Various reports from the US put the number of US adult victims of identity fraud in the region of 8.5-9 million in 2007. This amounts to about 3.2% of the US population aged 15 or more which isn’t drastically different than the 2.8%.

The 2006 KPMG Fraud Survey however tells a different story from the perspective of NZ and Australian businesses:

– 61% of respondents believed fraud was a major problem for business.

– Amongst 2,146 of Australia and New Zealand’s largest organisations across the public and private sectors, respondents reported 546 cases of identity fraud.

So, if about 3% of the country’s adult population is a victim of identity theft each year and 3 out of 5 large organisations believe it is a major problem, is it a problem that is a priority to address? I believe it is.

February 8, 2008 at 11:39 pm 5 comments

The REAL problem: identity inflation

One of the problems with a compulsory national ID system, including a de facto one like REAL ID, is “identity inflation”, sometimes also referred to as “identity creep.”

Since everyone has a gold standard ID, government and businesses find it easier and easier to require one. Soon, situations that previously required only lower quality proof of identity or no identity at all, now require an ID card. Government and businesses find that they have an increasing number of problems that the ID card can “solve.”

There are certainly examples of this happening before. The British ID card went from 3 functions during World War II to 39 by the time it was abolished.

There are certainly examples of this happening now. In the final regulations, the Department of Homeland Security limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, only five days later, a senior official from that agency floated the idea of making customers show a REAL ID-compliant driver’s license to purchase over-the-counter cold medicine containing pseudoephedrine to combat illegal drug production.

The senior official went on to say, “The last thing I want to talk about, and very briefly, is the civil liberties objections to REAL ID, because I don’t understand them.” What a gem. He probably doesn’t realise just how accurate his words were! In any case, irony is hardly a strong suit for most government types.

Interestingly, in a generally pro-REAL ID article in Time, this was the one issue over which some concern was expressed, “The great leap forward from a longer arm for the law to “1984” will have to be made by the private sector. How well a watchful federal government will actually be able to track its citizens will depend on how many places demand to see your driver’s license. Airports already do. So do some supermarkets, if you’re buying beer. But what about malls? Movie theaters? Sports stadiums?”

A final perspective of identity inflation comes from, where else, the UK. Identity inflation is also about having more and more information held about people. Currently, the law specifies 50 categories of information that the National Identity Register can hold on each citizen. Why not, gradually, increase that? After all, what’s a few more pieces of information? All for the greater good, the public interest, and all the right stuff. Government’s got a problem to solve? Let’s store that one piece more of information that will “solve” the problem.

As I’ve said before, my opinion is that the REAL problem is more Franz Kafka than George Orwell.

February 6, 2008 at 9:46 pm 3 comments

NZ: Privacy reality check

I spend a lot of my working day thinking about identity-related online services. Protection of privacy in these services is axiomatic. Not only does it make good sense to me, it’s also mandated as one of the policy principles by Cabinet.

The 2007 Privacy & Human Rights Report issued by Privacy International provides a reality check. Across the 47 countries surveyed, the Report says that, “The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards.”

New Zealand gets a red colour indicating “Systemic failure to uphold safeguards” as does Australia. Canada gets a yellow for “Some safeguards but weakened protections” while USA and UK get a black for being “Endemic surveillance societies.” Top of the heap is Greece but even it gets only a 3.1 rating out of 5.

The Report lists nine key aspects for New Zealand’s ranking. This seems to have prompted a leading blogger in The New Zealand Herald to call it ‘Systematic failure’ to protect our privacy, going on to say, “From biometric passports to greater sharing of information among Government departments to greater use of surveillance technology, we would certainly seem to be following the lead of countries in the black category. But privacy is a touchy issue for Kiwis and rightly so. Just listen to talkback radio whenever talk of a national ID card emerges in the media.”

According to the Report, of particular concern for NZ is:

– “Court of appeal has had some problematic decisions regarding privacy complaints” and

– “DNA database based on order from high court judge, violent crimes, and convicted burglars; though voluntary samples can be included and increasingly this is being pushed by the police, resulting in more than 80% of samples on database being given ‘voluntarily’.”

I think what’s missing from the Report is people’s perception of the state of privacy in the country being reviewed. Perceptions can be as important as (if not more important than) the reality.

On that front, in my opinion NZ is doing fine but, as the Report shows, things could be better.

February 4, 2008 at 11:04 pm 2 comments

Biometrics in the Sky

From the outside, it seems that one of the central beliefs in the US government is that if they can collect every person’s biometrics on Earth and put that into a database, then they can substantially solve all their security problems. Federal authorities have pursued this approach almost single-mindedly over the past few years.

Sometimes these efforts have been overt. A good example is the US-VISIT Program where visitors to the US have to endure lengthy delays as everyone’s fingerprints (currently both index fingers but soon all ten) and photograph are taken.

For me personally, after a 12-13 hour flight, the thought of another two hours standing in a line to get my fingers squashed by a “friendly” official so that the fingerprint reader gets an acceptable reading within a couple of attempts means that I try to avoid travelling to or via the US altogether.

In classic government doublespeak, the benefits of US-VISIT are touted as “Protects the privacy of our visitors” and “demonstrate that we remain a welcoming nation.” Yeah, right!

Sometimes the US efforts to collect the biometrics of every single human being have been more subtle. I think the current “Server in the Sky” concept falls into this category. Police from the International Information Consortium (US, UK, Canada, Australia, and NZ) will be able to exchange biometrics and personal information about criminals and suspects. New Zealand is “considering joining the consortium.”

These five countries already share intelligence amongst themselves and co-operate in running Echelon, the global eavesdropping service that can listen in to telephone, radio, and email communication.

What’s subtle about this is that anything submitted for matching also gets added to the US biometrics database. And that’s another step forward in the grand plan to collect the world’s biometrics.

What’s wrong with this? Why shouldn’t we all do our bit in the fight against global terror and criminals? If you haven’t done anything wrong, surely you have nothing to fear from having your biometrics in a US database?

You do… because the central belief that collecting the world’s biometrics will substantially solve all the US’s security problems is wrong. Because the US federal authorities have not proven themselves worthy of such trust. Because the US has a long history of subsequent misuse to achieve more pressing national security concerns. Because “acceptable collateral damage” from data inaccuracies means a lot of grief for some innocent people.

January 16, 2008 at 9:02 pm Leave a comment
