As reported on localgov.co.uk, Croydon council has had to suspend its use of Twitter after a member of the council staff used the account to criticise a reporter. I find the statement they released slightly bizarre:
A spokesman said: 'We need someone to find out how Twitter works, review its potential and then enlighten others as to how best it may be used for legitimate, professional purposes.
'As yet there are no rules about using this kind of channel.
'As with email and the internet a few years back, guidelines will be developed if the media enters common usage.
So if you do not know how it works or what you are going to use it for; you created the account it because….?
Any Government organisation has to be aware that any form of communication will come under scrutiny from the press, citizens and other organisations. No new channel of communication should be opened without at least some basic guidelines – and the classic is don't put anything in print (paper or internet) that would cause you problems if it was on the front page of a national newspaper.
I would be interesting to see if there are any basic generic guidelines for both Twitter and Blogging. One of the best I have seen in this area is from the US Air Force on how to deal with comments on your blog. It is clear and simple - just what you need.
Like all things there are good and bad examples of Gov 2.0. One of the main drivers for Gov 2.0 should be a reduction in cost of communication with citizens and I came across two separate examples with different outcomes.
Spenta, a Spanish partner who specialises in SharePoint, CRM and .net development and do most of the work on the CSP Demo image and CodePlex for CSP, pointed me at this article about the Barcelona Mayors’ Blog, and the cost of it which is being called into question.
The complaint is that he has spent €315,000 annually on his blog which has 23,000 readers a month, and even after this expense he is not answering the questions being posted by these citizens. The main cost seems to have arisen from the cost of 6 people used to write the blog for him, which seems a little over the top…
On a more positive note I was looking at the Neighbourhood America website (they are global, despite the name) who provide SaaS Gov2.0 solutions. In one of their case studies they worked with the United States Health Care Working Group and the team responsible for reaching out to citizens. This team have to find out what health care coverage and services they want, and how they are willing to pay for it.
Using social software they managed to reduce the cost per participant from $250 to $7.50 and quadruple the number or participants. A far better set of figures than they managed to get in Barcelona.
It does not matter how good your tools are, you need to put them to effective use to get good results.
I know when someone first started to describe to me the concept that the government should not hold data about me, but rather I should hold it instead – it took me a little while to understand why this was a good thing.
A paper has been released by the Centre for Policy Studies (an independent right wing think tank) entitled “Its ours – Why we, not government, must own our data” by Liam Maxwell that takes you through some of the arguments in this area.
In its summary it points out:
In 2009/10, the UK Government will spend about £16.5 billion on IT, equivalent to 1.4% of GDP. However, much IT spending is currently wasted. Only 30% of projects succeed.
A clear choice is emerging for the future of government IT:
− Either to continue with the Transformational Government agenda. This relies on the State holding, in the words of the Treasury’s adviser, a “deep truth about the citizen, based on their behaviour, experiences, beliefs, needs and rights”, with huge centralised databases directing public services to the point of need (as judged by the State).
− Or to abandon expensive and failing centralised IT projects and yield control of personal information to individual citizens. This is the approach that has been increasingly effective in the private sector.
Having worked in this sector for a while now, both in the UK and worldwide it is terrifying to see the money that is thrown a huge doomed IT projects. As you go into the report there are some other staggering statistics.
when the DWP analysed its communications with customers, it found that the take-up was tiny. More than half of the “customer base” (51%) were able to access services online by mid 2008. But out of the 142 million contacts with the public, only 340,000 (about 0.25%) used the online services.
and also
The high cost of government IT provision – £16.5 billion this year, and growing – is equivalent to £700 for every household in the country, or almost £300 for every man, woman and child. To put this in perspective, the State spends approximately 60% more every year on administrative IT than it does on drugs for the National Health Service.
No other organisation spends anywhere as much on IT, even though they process similar amounts of data on each individual. For while central government spends £300 per person per year, Google, MSN and online banks spend between £10 and £60 per person per year.
The quotes like this keep on rolling out for the first 21 pages, before it starts to look that the alternative. The paper is quote good, however I would prefer something with less of a party political bias. One other area they do not touch on, and I think is one of the most interesting is around cost. How does the private sector make money on holding your data – is it through advertising or even selling data to third parties?
I am rather enjoying Andrea DiMaio’s latest post – It is time to explore the dark side of Government 2.0. As I have noted a few times here, here and here not everything is always rosy in the Gov 2.0 garden. One of the issues that I see is the speed at which governments are feeling that they need to adopt Gov 2.0, and they are not going into it with their eyes open.
One of my current concerns is the weight being given by governments to online polls and the influence that social media seems to have on them. The first and foremost concern is around the digital divide; there is a significant percentage of the population without internet access – but even then there is a significant percentage that are unlikely to engage with the government online. My mother and father have a PC and (finally after a lot of nagging) have broadband; however they will not be going near Facebook, Twitter or any other Social Media and nor are they likely to engage in any online petitions. Is their voice less valid?
What I fear is that we move into a world where whoever shouts loudest online can influence the direction of government. Petitions whether online or offline are not a replacement for democracy they just indicate what one group of people think about a subject. As I commented in this post, just because 2 million people clicked a link saying that they did not want road tolls – there was no debate, no understanding of the pro’s and con’s and no-one asked the other 50 odd million people in this country what they felt.
What is great about online engagement is that it lowers the barrier of entry to engagement. As a citizen, I do not have to attend town hall meetings if the information and engagement is also done online. However because the barrier to entry is lower, it is also more susceptible to spamming (for want of another word). For example, my brother sent me a link to a poll on the 10 Downing Street web site. Did I agree with its sentiments – kind of. Did I click the link – of course, my brother asked me to.
Don't get me wrong, I do believe that online engagement is important, and will become ever more important – but it should not be given more weight than it deserves, especially given its limitations in representing a cross section of the population and also the ease with which media and pressure groups can gain online support.
Gov 2.0 can and will effect all levels of governments and associated agencies. Over on the Headstar e-government blog there is a case study of Web 2.0 in Local Government which sparked my interest for two reasons.
Firstly and totally unrelated to the subject in hand is that it is about Brighton and Hove City Council which is where I went to school and strangely enough I was there on Wednesday with my Father and Brother watching Sussex take on the might of the Australian cricket team. A glorious day was had by all and the Sussex team played fantastically well. (To my Australian readers that is a photo of Philip Hughes being comprehensively bowled out for 15 runs while being bathed in bright English sunlight. Yes, both events can happen in England, it is just that neither of them happen enough for our liking)
The second point in the post was about their use of Yammer which in many ways is similar to Twitter, but with one important difference. Whereas Twitter is open to anyone, Yammer restricts you to communicating within your own organisation (restricted by email domain eg @microsoft.com). Instead of answering the question ‘what are you doing?’, instead you answer the question ‘What are you working on?’.
I have tried Twitter, but if I am honest its noise to relevant data ratio is just too high. Like most people over the course of a day I am monitoring multiple inputs. Phone, SMS and Instant Messaging are pretty well 100% relevant – there is a 1:1 connection between you and the person connecting with you.
Email is next down on the list. Microsoft does email like no other company I know with many people having 100+ mails a day to deal with. I would like to say that the noise to relevant data ratio is better than it is, but I do sometimes spend too much time wading through emails.
Below that are Blogs. I subscribe to nearly 90 blogs and a fair amount of that is noise, but I also get a enough relevant data out of it to be a worthwhile investment.
Bottom of the list is Twitter. I subscribed to it not for social reasons, nor to keep up on day to day events, but to get information relevant for my job. I am sorry, but the noise to relevant data ratio was just to low – it was not worth my investment. It took up too much time and gave me too little in return.
I think over time Twitter is going to settle down as more of a social service – keeping up with friends, current affairs etc. But where people are trying to use it as part of their daily job to help team collaboration and information sharing, I don't think it works.
That is where I think Yammer or another similar service will fill that gap. No offence, but I don't care what you are doing – I however am interested in what you are working on, what you have read that is relevant to your role, information that I can use in my daily work.
Companies and organisations will inevitably move to use social computing as part of their day to day activities, but the usage is sometimes subtly different to the use of non-commercial services and I think the assumption that tools such as Twitter and FaceBook can be used successfully in a corporate/public sector environment is wrong.
Tim Berners-Lee has published a set of notes that he has written after talks with various people in the UK and US governments. They are pretty rough and high level, but interesting to see the direction he is taking after his appointment.
It is good to see a health dose of realism already coming through, I hope it continues:
There are two philosophies to putting data on the web. The top-down one is to make a corporate or national plan, by getting committees together of all the interested parties, and make a consistent set of terms (ontology) into which everything fits. This in fact takes so long it is often never finished, and anyway does not in fact get corporate or national consensus in the end. The other method experience recommends is to do it bottom up. A top-level mandate is extremely valuable, but grass-roots action is essential. Put the data up where it is: join it together later.
A wise and cautious step is to make a thorough inventory of all the data you have, and figure out which dataset is going to be most cost-effective to put up as linked data. However, the survey may take longer than just doing it.
For any government agencies out there looking to put data online, you should take a serious read of these notes as they have some good solid advice.
There is so much being written about Gov 2.0, about what it means to different people - however we have no ‘formal definition’. Personally I am one of those people who does not really care if we cannot all agree on a definition – Gov 2.0 will continue to change, lets not tie it down.
I rather liked the one a colleague of mine, Bill Gaylor (Public Sector Architect at Microsoft) spotted on GovLoop – Next Generation Government: Mobile, Measurable, Malleable
- Mobile: the idea that work is no longer a place, but a set of tasks that can be performed anywhere – whether that’s in a government-owned building in a major metropolitan center or a privately-owned family farm in the middle of Minnesota. In the private sector, this type of flexible work environment is already commonplace
- Measurable: But now you wonder: How will we know if anyone is really getting any work done in this brave, new, mobile environment? Well, I have a ready answer for you! We make sure that every aspect of our work is measurable. What better builds trust between manager and employee than a clear set of tasks with target dates and appropriate metrics? If I know what needs to get done and by when, why does the how and where matter?
- Malleable: Finally, when I heard words like inclusive, responsive, open, efficient, transparent, and innovative, I needed another “m” word…and malleable came to mind. Dictionary.com tells us this word means “capable of being shaped or formed; able to adjust to changing circumstances; adaptable.” As collaborative technologies make our democracy even more participatory, enabling citizens to become more actively engaged in decision-making processes through projects like the Open Government Initiative or the Recovery Dialogue on IT Solutions
Now you may agree or disagree, but different people want different things from Gov 2.0 and we should not constrain ourselves with a strict definition. Take for example the entry on Wikipedia for Government 2.0, I have to admit I think it misses the point a bit:
Government 2.0 is neologism for attempts to apply the social networking and integration advantages of Web 2.0 to the practice of government. Government 2.0 is an attempt to provide more effective processes for government service delivery to individuals and businesses. Integration of tools such as wikis, development of government-specific social networking sites and the use of blogs, RSS feeds and Google Maps are all helping governments provide information to people in a manner that is more immediately useful to the people concerned.
I think it is far more that just applying Web 2.0 to Government. As a technologist is frustrates me that people think they can install Gov 2.0; that by having a Twitter feed they have ticked the Gov 2.0 box.
So, I don't think we need a strict definition of Gov 2.0; I just think that some definitions are better that others.
(note to self, don't start writing a series of posts unless you have them all ready to publish otherwise they seem to go on forever!)
eID for Governments Federation for Government Overview Identity Providers Authentication Methods Do you need strong authentication? Tokens and Claims Another post in the “eID for Governments” and we need to cover off what happens when a user bearing a SAML token arrives back on the site they want to access.
The process the site needs to go through is simple:
- Is the token from an STS I trust
- Is the signature in the SAML token valid
- Does the user have the claims I want.
As long as we pass those test we can then allow the user in and give them the roles, determined by their claims.
This is again why I like federation, we now have a consistent authorisation model. Instead of writing new code for every new way of authenticating we just need to add in that we trust a new STS and make sure the claims they are sending can be linked up to something that we understand.
Even if your site has its own authentication, but architecturally splitting the authentication into an STS means that you have a structured way of authorising users. When you need to change it and add other provides or methods, you just have to configure new STS’s rather than changing the code in your site.
Kim Cameron explains this very clearly in his PDC session Identity Roadmap for Software + Services (i cannot get the embedded video to play, if you cannot then you can get to the recording here and the slides are here). As he says, the first two lines of every connected application (actually these tend to be large and complex blocks of code) is:
- Who are you?
- What are you allowed to do?
We need to have a consistent architecture for dealing with authentication and authorisation, developers have spent too much time writing complex logic into their application to deal with it. All the major vendors are coming together and working on the same standards, hopefully one day soon authentication and authorisation can be handled by the platform rather than in code.
Andrea DiMaio the Gartner eGov blogger posted yesterday about Governments needing to be “employee-centric” to get Gov2.0 to work – ie. without support from within their own organisations and from their own employees their transformation efforts will fail. The post entitled Citizen-Driven Government Must Be Employee-Centric, Too outlines his arguments and there is also further research if you have access to Gartner docs.
Anyone who has worked within or with governments will understand this position; the type of change that is needed to enact Gov2.0 can only really come from within – mandating policies will not deliver the results that are needed, only empowered employees can deliver it.
However I think we still need more. We need governments to start understanding how all of their decisions and actions impact upon the goal to transform the way government works. Current systems, policies and legal frameworks need to be triaged and actively worked upon to bring them into line with the open and transparent goals of governments.
The same way new policies and initiatives in government have to be examined for potential environmental impact, why cannot the same be done to see if there is any impact on their transformation goals?
Hopefully the UK government will be positively influenced by Tim Berners-Lee (see my post Gov2.0 and Data) and be more proactive in opening up data; but they need to get this sort of thing ingrained into their DNA rather than just use it when they want to.
An important thing happened today, and hopefully it will influence the Gov2.0 direction that the UK takes. The Cabinet Office has announced that Tim Berners-Lee is helping the UK government to be more open and accessible on the web. So aside from some kudos points for getting the inventor of the world wide web to help, why is this such a big thing?
His talk at TED outlines his position and is well worth watching; we need to get data onto the web in a format that we can link together. In his words:
‘a web for open, linked data that could do for numbers what the Web did for words, pictures, video: unlock our data and reframe the way we use it together’
There is vast amounts of data on the web, but it is designed to be read by humans rather than computers – and it gets really tricky to reverse engineer links back in. An example of this is the new Google Squared project that tries to take data on the web and present it in a tabular form – ie linked. For example, try searching for US Presidents and it shows a nice list of Presidents, all works well because it is a pretty simple query. Now add an additional column of ‘weight’, and now we start to hit problems. Richard Nixon is apparently 11 pounds and Harry Truman is a pretty impressive 66,200 pounds.
It is just a really good example of what happens if you do not link data. Without that link specified, you have to infer link. Harry Truman’s weight of 66,200 pounds is actually the weight of the propeller on the US aircraft carrier ‘USS Harry S. Truman’, not really what we wanted.
A better example of Linked data can be found at dbpedia.org which has taken all the structured data within Wikipedia and hosted it as raw linked data. So I can now query my home town Oxford and get back raw data such as location, famous people who live here etc etc and also linked data, for example it is on the A420 and therefore linked to Swindon and Chippenham (not the most gripping example I know…). With linked data, someone (with more inspiration that me) can mine this data and use it. 
Take for example Hans Rosling and his use of statistics on TED (again well worth watching), this is what you can do when you start linking data.
There are still issues, can you trust the data, is it correct? For example Oxford does not have a population of 38 as reported. The problem is Wikipedia should feed off the dbpedia site and then add the text around it, that would ensure better quality data.
Another way of doing this is through Microformats, which allow us to build context into the data on a web page to allow machines to consume it For example the HTML:
<span>The British Prime Minister, Gordon Brown lives at
10 Downing Street, London SW1A 2AA</span>
and compare it to:
<span>The <span class="Job Title">British Prime Minister</span>,
<span class="Name">Gordon Brown</span> lives at
<span class="Address1">10 Downing Street</span>,
<span class="City">London</span> <span class="PostCode">
SW1A 2AA</span></span>
The first example we have to infer what the data is within the human readable text, the second can be easily and accurately read by computers. Once rendered within a browser both will look the same to a human, but radically different to a computer.
We need to publish data in a structured manner, and then build web sites that consume that data. Just building websites and including data means that we have to infer what the data means.
Without a doubt Cloud Computing is going to open up a whole new world of possibilities. Looking through the volumes that have already been written about Could Computing this quote is often referenced when talking about the business impact:
What happened to the generation of power a century ago is now happening to the processing of information. Private computer systems, built and operated by individual companies, are being supplanted by services provided by a common grid — the Internet — by centralized data-processing plants. Computing is turning into a utility, and once again the economic equations that determine the way we work and live are being rewritten.
Nicholas Carr, The Big Switch – Rewiring the World from Edison to Google, 2008
Great punchy analogy; however I think it is far too simplistic to compare computing power to the creation of electricity. The business decision to either run your own generator or buy in electricity in is pretty binary, there are only a few situations that warrant both (normally when people’s lives are at stake). However computing is a far more complex beast, computing power can exist on everything from high end servers to phones and can be used in offices, home, in the streets, underwater, airplanes – it is a far more complex scenario.
I think Cloud computing can be seen in the same way as we moved from the Bronze Age to the Iron Age. People did not throw out all of their existing ideas, processes and tools; and different areas of the world moved at different rates. Some things were left alone, some things were enhanced, some things were replaced, and it opened up possibilities to design new things that were previously not possible. Bronze has not gone anywhere, we still use it today – but it is complemented with other metals each with its own strengths, weaknesses and costs.
We need to understand how cloud computing fits, where it should be used and sometimes more importantly where it should not be used. As we become more comfortable with it, and as we better understand its strengths and weaknesses we will adopt it more. Don’t get me wrong, Cloud Computing will be huge, but it is not going to replace everything we have.
One area where I see Governments utilising Cloud Computing for its strengths is hosting public data, as it not affected by the data sovereignty issues. There have been a number of initiatives in the UK and US (if anyone has any international examples, please reply with them). This latest example is the 'Open Data Government Initiative' from Microsoft, showing how a Government can host public data on the Azure platform. The code to do this is going to be released as open source on Microsoft’s Open Source site CodePlex so that people can get their hands on it.
The site currently shows US data that is publically available, and in the era of Gov 2.0 and greater transparency it is good to see more and more examples of this.
![UK_Passport[1]](http://blogs.msdn.com/blogfiles/james_brown/WindowsLiveWriter/TokensandClaims_A01A/UK_Passport%5B1%5D_thumb.jpg "UK_Passport[1]")
So where were we….
The last thing that we looked at was authenticating somebody at the identity provider. If we assume that this was successful we now need to be passed back to the original site so we can gain access to whatever we were trying to get to.
However, just because we have been authenticated somewhere does not mean that we are going to be authorised on the original site to perform whatever action it was. For example, I can authenticate against the UK Government Pension site that gives me permission to view my pension, but not being retired there is a significant number of actions I cannot perform.
We need to pass something back that states who has authenticated me and gives information that the original site can use to determine if I can perform the action. The most commonly accepted way of doing this is via a SAML token (Security Assertion Markup Language), which contains a set of claims digitally signed to ensure it has not been changed.
What is a ‘Claim’
‘A Claim is a statement made by one entity about another entity’. This could be Microsoft making the statement that I work for them, or the UK Driving Licence agency making the statement that I have a valid UK driving license.
The Identity Provider knows where this request came from, and can therefore generate a set of claims that are relevant for the requesting site. This could be anything from an ID number (like Social Security number), to proof that I am over 18. You should restrict the information you send to the information that is needed, you should not leak additional information if it is not needed.
Notice as well that the Identity Provider was not asked to authenticate the action; it was not asked ‘Can this person perform action X’, it was instead asked to provide information so that original site could make that decision.
Tokens contain claims
All the token is, is a wrapper for the claims. It adds elements like a unique ID, expiry stamp, issuer etc etc. and most importantly it has a digital signature that means that you can check the contents have not be tampered with.
A real world example of a token would be your passport. It was issued by an identity provider (your government), it is protected by anti-tamper devices and contains statements about you from your Government (your name, your photo etc).
The power of Identity Providers and Claims
Claims are immensely powerful, and to be honest is what we have been using in the real world for 100’s of years. Combine them with the concept of ‘Identity Providers’ and they really shine as the same data from different people comes with different levels of trust.
A perfect example of this is the note in the window of my local wine and spirits store that reads “We only accept Passports and Driving Licences for proof of age, letters from your mum will not be accepted”
(Taking a quick break from my Identity posts…)
I am currently out attending the Local and Regional Government Solutions Forum in Bilbao, which is turning into a great event. One thing that has just been announced is the Microsoft Business Value Framework. This is a three layer model that links technology solutions to the UK published government indicators. It is there to show the business how investments in technology can improve the following business imperatives:
- National Performance Indicators
- Cost Savings
- CO2 efficiencies
This two-step assessment tool helps you identify your current maturity level and provides a tailor-made report detailing the benefits that your organisation could expect from moving to the next maturity level.
A beta version has gone online here which the UK team will be tweaking over the coming months and there is a more comprehensive offline tool that is going to become available as well.
At the session in Bilbao we also had Jan Duffy the Research Director from Government Insights and Health Insights, IDC talk about the tool and they are going to release a paper assessing it. Once I have a link I will post it up.
A great first day, and now on to dinner (the food in this region is so very very good!)
So before I move off the authentication topic, I just wanted to put forward a question. Do we need strong authentication for Government Online Services?
The answer has to come down to ‘what am I doing online’. I personally perform a vast amount of functions online, and many for me are more sensitive than the information I exchange with my Government online – for example my banking (of which I need nothing more than a Password and 3 letters from a Passphrase to access). I am not saying that we should ignore security requirements at all, however we have to balance the cost to the 
service provider (the Government), with the cost to me (more secure authentication tends to be more complex for me) against the confidentiality of what I am accessing. If you do not get the balance right, people will not adopt the online service and sites will not implement it. It is the age old debate of balancing security and usability.
Take paying tax in the real world. I can write a cheque with my name on it and my signature, and send it with a letter saying I want to pay someone else's tax and it will be accepted by the Government. Therefore for the process of paying tax online, how much security do we need when there is effectively none in the offline world?
Excluding health, will online Government services ever be more sensitive than my bank account? If you tie an unrealistic level of security to a process (ether too high or too low) people will not use it.
Taking certificates as an example; these can often have a cost to the citizen to obtain a certificate, and a cost to renew that certificate. As a person I have to weigh up the cost financially, the cost of my time and the security that I require. Given a choice of paying for a certificate to submit a few online forms a year, or using the paper based versions… I will probably use the paper based versions.
Even in this web 2.0 enabled world we live in, unless there is a greater benefit to get me online, I am happy to stay in a paper based world.
I am not saying that Governments should not adopt technologies like Smartcards, I just think we need to be careful not to default to the most secure answer when the process does not warrant it.
One of the the primary roles of the Identity Provider is to authenticate the user that has been sent there. There are a number of long standing ways of doing this, like User ID and Password which although having some pretty basic flaws it is still in widespread use and doesn't seem to be going anywhere in a hurry.
There are a few of things to bear in mind when talking about authentication methods and Government services. Firstly is frequency of use; many Government services are annual, so you could be having people logging in once a year. This brings its own issues, it rules out password expiry for a start, and secondly it means that people are going to write things down.
The second issue is around what do people do when they need their authentication reset? Who do they phone? Is there going to be a central helpdesk, or if I am trying to access the Contoso City Council site should I not phone them? The answer often comes down to cost and political desire.
Finally we have to remember that Authentication is not a guarantee of who someone is, but rather it is the same person returning. As we provide stronger authentication methods, we also need to increase the assurance that we are dealing with the correct person.
User ID and Password
This is the most common authentication method in the world, I won’t go through all of its flaws as they are pretty well known; however I would prefer to concentrate on its strengths. Its huge strength is simplicity and cost effectiveness. If you are looking at providing authentication to a large population size, you need a method that can scale easily at low cost. I am not talking about scale in a performance sense, but more management, education and distribution. The User ID and Password is the most understood of all the computing paradigms and requires no training or special equipment.
Passphrase
This is something that the banks have rolled out very successfully. It involves someone picking 3 characters from a know passphrase. Again, like passwords it has its problems. It is prone to attack from Trojan’s; they can take screen captures on mouse clicks as well as record key strokes. However, like the User ID and Password, it scales well.
Shared Secrets
This is more commonly used as a password reset mechanism, asking a set number of questions along the lines of ‘What is your mother’s maiden name’, ‘Where were you born’ etc. Although easy for people to use and understand, it is open to social engineering attacks. There have been a number of quite high profile hacks, the last big one was on the US Vice-President nominee Sarah Palin who had her Yahoo email account hacked by someone who just looked up the answers to the questions on Wikipedia. With people posting more and more info to FaceBook, Friends Reunited, etc etc answering question like mother’s maiden name and where you were born get easier to answer, and for those people like Sarah Palin who have their entire lives examined by the press, these questions get very trivial to answer.
Certificates / Smartcards
This is the most common secure method of authenticating used in both business and more commonly now by Governments; however the cost and complexity is a significant step up from User ID and Password, but then again it is infinitely more secure.
The distribution of ‘soft certificates’ has never really been practical. You can download the certificate easily enough onto the machine, but it is difficult to then move that certificate from machine to machine.
So that is where SmartCards come in as the certificate is not on the machine, but rather held on the card. However, you now need a piece of hardware to read that certificate which most home PC’s and many business PC’s do not have. So there is a cost in distributing and supporting card readers.
The other cost is the production of certificates themselves. All certificates have to have a ‘trusted root’ and this is provided by people like VeriSign who are Certificate Providers. However the Certificate Providers charge for this, so there will be a cost in every certificate produced. Alternatively a Government can become an Certificate Provider themselves, but this in itself is not a cheap option.
Finally, you now need to get sites to support certificate authentication. They are going to have to add the code to accept and validate the certificates which is not easy (of course with federation you only need to do that on the Identity Providers rather than all the sites…)
EMV
This is something that we are starting to see being looked at. EMV (Europay, Mastercard and VISA) is the standard used to authenticate your purchase with a PIN number in the retailer. It is used extensively across Europe, and if the banks have their way it will be going worldwide. It is seen to have a number of advantages over certificates around cost and complexity.
Firstly the cards themselves are far cheaper as they do not have to hold a proper certificate just a set of crypto keys, and you do not have to have a Certificate Provider to provide the certificates. So if you are looking at distributing large number of cards, the cost is far lower (which is why the banks never adopted certificates).
The card readers are also separate from the computer, so no driver issues. To authenticate you put your card in, type in the number given to you by the web site, type in your PIN, and then the card reader gives you a number to back type into the web site – challenge and response. The other nice addition is that as it is all numeric, you can do it over a phone line.
The downside is the cost of the readers; they are coming down in price as the banks are starting to distribute them to customers. I will probably do a separate post on this technology as it looks rather promising.
CardSpace and Information Cards
Information Cards are a virtual representations of your identity that are stored on your computer. You can have multiple cards, supplied by different Identity Providers and they support things like User ID and Password, Certificates and also can be the an identity themselves.
CardSpace is a cross industry attempt and providing a common and secure way of authenticating people over the internet. I will do another post explaining it in more details, but there is more info here and more technical info here.
There are other technologies out there, but the ones above are the most common ones that are seen in the Government and Citizen identity space.
