In preparation of a Government Roundtable at the RSA conference in London last month I wrote the following positioning paper on Identity Management topics that governments should be concerned about. I hope some colleague in government will find it useful.
– Improve trans border security cooperation and collaboration
– Improve interoperability of eID systems across
– Improve cyber security/ fighting cyber crime related to identity theft
– Tackling the most pressing cyber vulnerabilities and risks.
– Open Government principles
– Healthcare: Patent Records automation
– Models for successful public-private partnership
– New authentication approaches
– Stress points between Privacy Protection and Security Imperatives
1. Improve trans border security cooperation and collaboration
Most citizens understand intuitively that governments need to collaborate in order to combat International crime and terrorist organizations. Very often this is implemented by governments giving law enforcement and border agencies of other countries or supra national organizations federated access to travel and immigration related information systems and national crime data bases. Serious issues around privacy protection can result when entire copies of data bases are swapped between regimes that have incompatible policies in place with regards to protecting such privacy sensitive information.
User authentication levels may differ wildly between countries. Classification of information sensitivity is often based on different standards and cultural differences will play a large part in determining which groups merit inclusion in such data bases or not.
A good example of incompatible policies in the United Kingdom is the National DNA Database (NDAD) where in Scotland people arrested but not convicted are routinely removed, whereas in England current practice is to store such records for a hundred years. (By the way; the UK Government was convicted by the European Court of Human Rights over this practice .
So where a UK Police Officer may well be aware that among the ten million records contained in the UK NDAD data base there are 850,000 records of innocent citizens; his Europol or French counterpart, with whom this data is exchanged, may infer the wrong conclusions about the mere existence of an identity on the database.
The lack of international standards for information security policy mapping and agreed corresponding authentication requirements is a problem for governments. This makes safeguarding privacy and maintaining appropriate levels of security in international collaboration a tough nut to crack!
2. Improve interoperability of eID systems across Europe
The aim of the European STORK  project is to establish a European eID Interoperability Platform that will allow citizens of one participating country to establish e-relations across borders by presenting their national eID.
This presents the same policy and standards incompatibility as mentioned above, but on an even greater scale. There are already huge differences in what passes for a qualified digital signature between countries en in some countries there is huge opposition to introducing e-ID cards.
This may be an area where private industry may be able to offer a better solution. See point 8: New authentication approaches.
3. Improve cyber security/ fighting cyber crime related to identity theft
According to figures published by the US Federal trade commission  and here in the UK by the fraud prevention service CIFAS  Identity Theft is one of the Fastest Growing Crime categories. Yet….
· 44% of Britons still don’t shred documents containing sensitive information before placing them in the bin
· Only 54% of us routinely check our financial statements – and just 45% of us follow-up missing post
· Only 69% report lost or stolen documents
· Some councils are refusing to take paper that has been shredded (it clogs up their machines…)
The fact that our identities in cyber space are still scattered around hundreds if not thousands of information silos makes them vulnerable to attack in the weakest links. Many people, faced with the difficulty of remembering hundreds of sets of usernames and passwords, resort to using the same combination over and over again. This means that if an identity thief captures one of these sets, they may quickly take over a host of other accounts protected by the same weak authentication method.
4. Tackling the most pressing cyber vulnerabilities and risks.
The changes in network security associated with de-perimeterization  and the associated de-layering of legacy systems inevitably drives closer architectural attention to users as the central organizing principle by which we try and fix these cyber vulnerabilities and mitigate the associated risks.
This means moving from the traditional model of trying to keep the bad people out to letting only the right people in. In technical terms this means moving away from maintaining long unmanageable Access Control Lists (ACL) and Group Membership lists to a form of ‘claims based’ access control and user centric Identity management. The application simply checks if a verified claim is present in a token signed by the Identity Provider (IdP).
Claims have a lot in common with the abstractions of role-based access control (RBAC) that organizations are already using inside their firewalls, the main difference being claims are issued by a trusted Identity Provider.
Naturally such a shift now makes the Identity Provider a honey pot for cyber attacks. The premise here is that the identity provider is much better placed to fend off such attacks as it will be their core business.
5. Open Government principles
This brings us neatly to the following attention point for Governments: Should Governments always be their own Identity Provider or in some cases are they better of relying on the efforts of Private Industry?
On his first full day in office, United States President Barack Obama issued a Memorandum on Transparency and Open Government .
Open government is the political doctrine which holds that the business of government and state administration should be opened at all levels to effective public scrutiny and oversight .
Members of the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) were quick to assert from that memorandum that open identity technologies and open government fit together perfectly. This argument is tenuous.
The main argument seems to be that it would save costs for everyone. From the government’s standpoint, it means not having to design, deploy, and maintain independent identity systems for different domains and applications. It also eliminates the need to become an identity provider except where the government is actually the authoritative source of the required identity information.
Kim Cameron’s Laws of Identity  would seem to argue a different case. The fifth Law “Pluralism of Operators and Technologies” would seem to suggest that Citizens would rather keep their public and private identities apart and I quote:
In many cultures, employers and employees would not feel comfortable using government identifiers to log in at work. A government identifier might be used to convey taxation information; it might even be required when a person is first offered employment.”
This argument can be extended, in that citizens also would not feel comfortable using an Information Card or OpenID used mainly in transactions of a private nature in their dealings with Government.
“But the context of employment is sufficiently autonomous that it warrants its own identity, free from daily observation via a government-run technology.”
Something that is to the benefit of citizens and tax payers is the notion of joined up government  in the sense that one government issued identity should exist that can be used across different government portfolios, with the possible exception of Health records. Most tax payers would agree that people who are in the highest tax brackets at the Inland Revenue have no business getting housing subsidies or other forms of social welfare payments administered by local government.
More information on Open Trust Frameworks for Open Government can be obtained from a white paper from the OpenID Foundation and Information Card Foundation .
6. Healthcare: Patient Records automation
Patient’s records systems like the one administered for the UK National Health Service are a special area for government Identity Management . First of all not all countries have a National Health Service and sometimes this is more an area of concern for private industry as it is in the US.
In the United Kingdom the National Programme for IT in the NHS is one of the world’s largest public technology projects. It is expected to cost at least £12.7bn and is currently about four years behind schedule. Larhe IT service providers like Fujitsu decided to end all involvement with the scheme. Accenture also decided to pull out and BT is nursing its wounds.
The EU has issued a directive to the pharmaceutical industry that they need to be able to uniquely identify about a million registered medical doctors and give insight in their dealings with them around clinical trials and payments offered. In the there is a very similar requirement from the FDA.
Health care records is one area where citizens would prefer perhaps a little less ‘open’ and ‘joined’ up government initiatives around identity integration due to the very personal and private nature of such records.
That is why under a Tory government in the UK health records could be even be transferred to Google or Microsoft according to a recent article in the Times  and there probably would not be a mass revolt over this. There are many people concerned that Google already know too much about us, because of the way we constantly leave digital breadcrumbs of both personal data and behavioural data behind as we surf the World Wide Web.
Verizon Business itself is currently investigating how we can provide this service as part of our growing Identity Provider Business.
7. Models for successful public-private partnership
In Belgium Verizon Business for years has been running a successful public-private partnership with FedICT  whereby Verizon Business manages a Single Sign-On solution that can be leveraged by Relying Parties across the government spectrum from federal to local government level. Interestingly we see repeated at a national level what I remarked at an international level. Hence can a user authenticated on a local government portal be considered authenticated strongly enough to seamlessly do a tax return on-line? In other words are the registration policies at local and national levels of the same strength?
From a technological point of view the solution and partnership is a resounding success with the Verizon managed Access Gateway performing millions of authentications daily.
8. New authentication approaches
We are all clear that good old username and password based solutions have had their day and that something more robust like two factor authentication with good anti phishing properties is urgently needed.
In countries like Belgium , where the Government has heavily invested in a PKI based eID card, it would be foolish to not try and leverage that investment for things like e-Voting and signing one’s on-line tax returns. Yet in other countries, especially here in the UK , there is a groundswell of opposition to the idea of an e-Id card that people have to carry about.
The need to strongly authenticate a user doing things like submitting an on-line tax return with Inland Revenue or e-voting is universally accepted.
Today, CIOs in public administrations just like in private industry are watching two different user-centric solutions rise in popularity: CardSpace from Microsoft and OpenID from the open source community.
Recently bloggers have begun to query how ‘user centric’ OpenID really is?  While the original intention was pure user centric, the developing community is pushing it in a direction that encourages users to use big-company-provided identities instead of being their own IdP. An analogy can be made between self issued Information Cards and managed cards.
Conventional wisdom indicates that, with the advent of Vista and Windows 7 on countless PC desktops, Information Cards will become the de-facto way users will manage their identity information. CIOs need to take note: On a global scale, employers are expected to issue Information Cards to their employees, governments to their citizens, etc.
Even in countries like Belgium a cloud based identity, rather than a physical card that requires a card reader, would suffice in most Citizen to Government cyber transactions. Digitally signing with an e-Id card could be the exception rather than the rule and reserved for certain key actions.
One could argue that the previously mentioned EU STORK project is a misguided goal of the EU. Why stop at EU borders? The internet does not respect national borders. This is where a global portable e-Identity, where citizenship of one or more countries is just another verifiable claim, makes more sense than trying to set up all sorts of trust bridges between Certificate Authorities of different nations.
9. Stress points between Privacy Protection and Security Imperatives
I would like to finish this introduction on government and Identity by drawing attention to a valid viewpoint raised by Bob Blakley of the Burton Group . In his personal blog  Bob explains that most of us in the Information Security Business assume without saying that ‘privacy’ means ‘keeping personal information secret’. By that definition privacy is an illusion.
But ‘keeping personal information secret’ is the wrong definition of privacy. As long as your personal information is secret, you don’t even have a privacy problem. It’s only when somebody else knows your personal information that you may have a privacy problem.
None of us would mind if a medic has access to our health care records, if we were lying injured on the side of a road. We would mind however if our insurance companies had the same access. Privacy is about context.
This is not a problem that technologists like us can solve. This primarily is a problem that needs to be addressed by educating the people authorized to access personal information. They must understand that they can use ‘secret’ information only in the right context and for a justifiable purpose.
Blakley rightly observes technology can’t solve privacy problems, because they’re not technology problems. He points out technology can make privacy problems worse, by making it easy to do antisocial things, or by making it hard to recognize the sensitivity of personal information and lowering our awareness that we’re in a social situation and need to behave sociably.
Blakley also encourages us not to give up hope like SUN CEO Scott McNealy famously said: “Privacy is dead – Get over it!”
Zero-knowledge or minimal disclosure transactions are starting to become more technically feasible using Information Cards and should be used where possible. This will go a long way in preventing us leaving an identity trail in each web site we visit, including government web sites.
Technology needs to be designed that help users use information responsible e.g. ensuring personal information that is exchanged (a health record, say) always comes with metadata indicating who collected it, for what purpose it was collected, and under what terms and conditions it may be used. Secure Audit trails open to independent inspection, can give citizens further confidence that their trust in government systems is not misplaced and privacy will be protected as well as is possible.
Footnotes and references
[ 1] http://www.genewatch.org/sub-563146 [ 2] http://www.eid-stork.eu/ [ 3] http://www.identitytheft.com/index.php/article/fastest_growing_crime_in_the_country [ 4] http://www.cifas.org.uk/default.asp?edit_id=896-57 [ 5] http://www.opengroup.org/jericho/deperim.htm [ 6] http://www.whitehouse.gov/the_press_office/Transparency_and_Open_Government/ [ 7] http://en.wikipedia.org/w/index.php?title=Open_government&oldid=293620033 [ 8] http://www.identityblog.com/stories/2005/05/13/TheLawsOfIdentity.pdf [ 9] http://www.vgso.vic.gov.au/resources/publications/ccl/vgso%20april%202009%20seminar%20ssa%20joined%20up%20government%20working%20paper.pdf  http://openid.net/docs/Open_Trust_Frameworks_for_Govts.pdf  http://www.nhs.uk/nhsengland/healthrecords/Pages/Overview.aspx  http://www.timesonline.co.uk/tol/news/politics/article6644919.ece  http://en.wikipedia.org/wiki/Fedict  http://netmesh.info/jernst/digital_identity/is-openid-still-user-centric  http://www.burtongroup.com/Guest/Idps/PrivacynotSecrecy.aspx  http://identityblog.burtongroup.com/bgidps/2009/10/gartner-gets-privacy-dead-wrong.html