Moving forward, user-centric Identity Management is clearly an interesting alternative to centralized systems. The promise of a solution where the user has choice over how and what identity information is shared with Service Providers is worth working towards. It is not surprising that user-centricity is finding its way into pilots and initial implementations in the public sector.
It is becoming clear to me that user-centric IAM is a philosophy / model / strategy that is well-suited to government implementations because it has potential to return ownership of identity information to individuals, many of whom access multiple public services.
If they can avoid it, Canadian governments do not want to hold identity information outside their highly secured core registries. These government departments recognize that our relatively tough privacy laws prohibit retention of information beyond what is needed to deliver a service. Storing additional identity information, or unnecessarily storing the same information in more than one place, increases the risk of breaches and identity fraud.
Adopting user-centric strategies can reduce the volume of sensitive data to be managed, move privacy decisions closer to the user and make governments more compliant with their own legislation and policies. Perhaps most importantly, as Dick Hardt’s Identity 2.0 presentation made it clear, user-centric IdM allows the creation of privacy- and user-driven solutions that mimic the real-world we live in.
This is possible because many systems do not necessarily require identification, but rather authorization. Or if they do need identity information, they need it to support a transaction and have little need to store it after the transaction is completed.
Think about an e-commerce transaction using a credit card. The system does not actually need to permanently store identity information. Rather, it needs to know that you have the funds to cover the transaction. The key information is the card number. Your name is only provided to support the transaction, i.e. to verify that the card being used can be matched to an accountable card holder. If these authorization elements are present in the transaction (and not disputed later) then the business can be conducted. The storing of the name information beyond a reasonable dispute period (say 45 days) is unwarranted.
When faced with breaches of identity information, goverments may soon find themselves needing to identify less. It may seem counter-intuitive, but for certain low-value business transactions, a government organization may not actually want to know very much about those individuals, or at least they don’t want to have to store information about them in local databases. What they do want is to ensure that these citizens are authorized to access the system and the information it contains.
An example of a provincial service that could likely dispense with traditional retention of identity information would be a system that issues a fishing license. When issuing the license, it is important for the individual to properly identify themselves so that their name can be printed on the actual license document. The license then authorizes the named individual to fish, so after the transaction it is important to have that identity information on the card to support an enforcement officer’s needs for proving ‘eligibility’. While the issuing department may make a case for retaining the identity information in a license database, does it need to have its own Identity Provider service — chock full of duplicated identity information? Can it not simply trust one of several provincial or federal Identity Providers?
In time, this user-driven approach should result in fewer identity providers and many more relying service providers. In a provincial government, there could conceiveably be three or four identity providers. These could be linked to key registries such as HR (for internal users) or public education, health or motor vehicles (for citizens). Add to this a federally provided IdP, perhaps based on tax records or a passport database, and citizens would have real variety in IdP services.
Moving to user-centric IdM with real choice in identity provider services can provide greater privacy protection and reduce the complexity of government electronic service delivery.
Mike
The problem here is – as always – that with server-based identity providers, it not really clear what is user-centric and what is IdP-centric. The key issue to solve in your approach (with which I generally agree) is:
How to make sure the IdM is not able to track what the user is doing?
That is the crucial point when you want to preserve user privacy, which is absolutely needed (empirically as well as normatively) when we talk about government agencies as identitys providers.
OpenID and Liberty certainly do not meet these criteria, CardSpace might if they solve the patent issues with releasing the Credentica approach as an open standard. What are the current discussions about this in Canada?
I think that the tracking of user activity still matters to most governments due to their need for audit. The difference to me is that there are probably many government transactions are sufficiently low in value that they don’t justify identification and audit. Governments (and private-sector organizations) are too used to asking for identity that they might forget this.
Most of what is happening here emerges at conferences and we don’t really have a wide-spread sharing of information going on yet. Despite having produced thought-leaders like Kim Cameron, Dick Hardt and (partially) Stephan Brands, there isn’t what I would call an active discussion in Canada around IdM.
That may change as the Pan-Canadian IdM&A Strategy gains more momentum. Just this week, the Alberta Government issued an RFP to develop a strategy based on Pan-Canadian, and that may well spur more activity in 2009/2010.
We’ll see…
Mike
Sorry if I was not clear enough. I meant “tracking across different government sites or services”. Of course there has to be an audit trail for many official transactions, but the IdM should not lead to a unified digital identifier for every citizen at all services, which would make dragnet investigations and other privacy desasters much more easy to do. (In Germany, such a unified “citizen serial number” is actually unconstitutional.)
Ah, yes, and we have very similar practices/laws here. Where government ministries need to provide connected citizen data, it is regulated and performed under privacy rules — although there are broader information sharing agreements for ‘like’ departments, e.g. Higher Education and Primary Education.
When I worked on a previous government IAM system design some years ago, the system was specifically architected so that the information could not be linked by any one participant. Undisclosed identifiers provided the links between the user account and each application/service they wanted to access. Only the system operator could access the identifier and linking operations were prohibited.
Mike