More about online identification

September 15th, 2009 at 9:00 am by David Farrar

The Dom Post reports:

Internal Affairs has given businesses until Wednesday week to come up with proposals on how they could use and help support its $122 million online identity verification and log-on service. …

Several banks have expressed interest in using igovt to authenticate the identity of new customers, so that they can open bank accounts online.

Internal Affairs suggested that the system could also be used by online auction sites to verify traders’ identities.

Trade Me head of trust and safety Chris Budge says that could appeal, but it has questions over the use of a single ID and the risk of fraud.

A secure identity verification service could really open up both the public and private sectors online. I love the idea of being able to go to a bank online and say “I am David Farrar born on this date, and living at this address and here is the Government’s verification that I am whom I claim”. This then allows the bank to take you as a customer without you having to go to a branch.

With secure online verification, you should over time be able to access your credit history, your police file, your tax details online. You might even be able to use it for blog commenting, trade me auctions etc.

Some may say, how is this different from current systems such as Open ID. It will come down to the verification. For example it is possible one might actually have to turn up to an office with your passport to get verified as being that person, and given a login and password/s to verify who you are. And they could, once they have confirmed who you are, check your latest address with NZ Post for example.

I’ve not closely followed the exact details of the scheme being implemented, but the concept is something I am very supportive of.

Tags:

30 Responses to “More about online identification”

  1. Jeff83 (745 comments) says:

    Ignoring the whole concern about all your information being linked to one number and the potential for governmental abuse, the key concern is how safe / secure is this system. So many systems have security vunerabilities, imagine the chaos if the system which everyone used was compromised.

    Definitely has positive aspects however.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  2. getstaffed (9,186 comments) says:

    Internal Affairs has given businesses until Wednesday week to come up with proposals on how they could use and help support its $122 million online identity verification and log-on service.

    I would have expected that the potential uses would have been identified as part of the initial business case. And it’s odd that with $122m on the clock, the industry consultation appears to be happening just now, and with a timeframe of only a couple of days.

    Jeff83 – It [apparently] uses secure token keychain ID’s. I’ve worked with these things before. They’re bloody secure.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  3. davidp (3,581 comments) says:

    There are two aspects here:

    1. Identity verification, which is what the article and you have talked about mostly. This is a verified electronic identifier that you can use to prove who you are online.

    2. Login. This is a single userid and password that you should be able to use to login to every government web site.

    Login has been running for years, while identity verification is being developed at the moment. Then hasn’t been a lot of uptake for login amongst government agencies for a variety of reasons. This consultation being done by DIA is mostly an exercise in seeing whether the private sector might be able to make use of the services and, in doing so, generate a critical mass of users.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  4. getstaffed (9,186 comments) says:

    critical mass of users

    Most identify verification system I’ve worked with have created a mass of critical users! An ups to DIA for taking this on though. It would be good to see some common login capability spanning govt and private sector services.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  5. Richard Hurst (855 comments) says:

    “A secure identity verification service….”

    The key word there is ‘secure’. Data held electronically can be corrupted, stolen or simply become inaccessible if the agency holding it doesn’t keep up with technology changes in digital storage. In comparison a passport or a drivers license etc in physical form are free from viruses, computer glitches, incorrect data entry, electronic theft or concerns over updating to new storage formats. But digital I.D would be far more convenient, in the long run save money and remove the need for physical storage space for physical paper copies of I.D. But any electronic I.D must be secure or its not worth doing.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  6. Jack5 (5,137 comments) says:

    It’s a bit close to a national identity card policy for an easy decision.

    You can see the benefits, especially for businesses selling online, but it means more bureaucrats and more power for the bureaucracy.

    In the meantime I prefer voluntary validation through independent agencies. The banks could give incentives for customers who use them, and fuck the bankers any way.

    Perhaps we need a new debate on compulsory identity cards first. They have benefits in the age of illegal immigrants and mobile fraudsters, but again provide a lot of potential political power to governments. Would you want an identity card scheme under a Clark regime?

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  7. malcolm (1,952 comments) says:

    It’ll be a failure. It already looks like one. Salient facts:

    – Run by the Government
    – $122M spent
    – No government service using it (why?)
    – Seemingly no government service planning to use it?
    – Trying to get banks etc interested (desperation/justification?)

    Why would a bank want to get involved in a government run scheme like this? It will be a shambles. If there were economies to be gained by joining forces on a single system, the banks would have done this themselves. Of course if the government spends an absolute fortune developing a system and gets everyone in NZ on it, then the banks may well adopt it, but only if it saves them noney. I.e. the taxpayer subsidises the banks.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  8. anonymouse (715 comments) says:

    With secure online verification, you should over time be able to access your credit history,

    Given that credit data is held by a private company that makes money flogging this off to anyone who ponys up the $$$, I don’t ever think you will need to prove yourself to such a degree.

    Also I suspect that most of the data that the credit companies “require” in order to produce a free copy of your credit history for you, is used to update their records, rather than authenticate you

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  9. Rod (180 comments) says:

    So, a national identity card being introduced by stealth. No chance that this project started under Helengrad, I suppose?
    To the barricades, my friends! The long feared spectre of Big Brother (or was that to be Big Sister, until we put a stop to it last November?) is almost upon us!

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  10. malcolm (1,952 comments) says:

    Jack5 wrote:

    It’s a bit close to a national identity card policy for an easy decision.

    I agree. This is a National ID Card by stealth. I’m not suggesting it was conceived like that, but that is what it would become.

    The govt needs to make a case for such, before spending $122M. The UK have been having the National ID Card debate for years now, and each benefit the govt has suggested (fighting terrorism, fraud, policing etc) has been shown to be well overstated. And the cost is horrendous. I believe the scheme has now been put on hold.

    The govt does these things the wrong way around. First get the services online, with a level of login/authentication sufficient for the job and see how well they work and are used. Then worry about some fancy single login/auth system after they’ve shown that the services work, are used and are cost effective.

    Here’s a mental exercise. Imagine how the govt would have gone about creating Trademe. First, before anything else they’d get everyone in NZ to register for the new service at the Post Office, then they’d run login training classes in every library around the country. Mobile training courses where there are no libraries. Meanwhile they’d let a contract worth $1.3B to a consortium of IBM, Fujitsu, Google, Microsoft, NZ Motor Trade Association and Contact Energy to create NOCSS (National Old Crap Selling System) and would create a Minister for NOCSS (Sue Bradford say). Eight years later the service would be released on the public, after a perfectly modest and normal 69% budget over-run and after login-training refresher courses. Initially you’d only be able to sell clothing as Google and Microsoft got into an IP dispute about the technology behind the Childrens’ Toys module. Meanwhile Sue would have made the point that poorer people are disadvantaged because they can’t afford a computer so the government would have instigated a $200M scheme to give everyone a free laptop at the checkout of Pak n Save and come around to you house and show you how to call Telecom to get broadband connected.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  11. davidp (3,581 comments) says:

    This isn’t a national identity card. Because it isn’t a card.

    The scenario that identity verification is designed to address is that you want to register for, say, online tax. Obviously IRD won’t just set up an online account for me to look at davidp’s tax details without knowing that I’m actually davidp. So I’d have to visit their offices and show them something like a drivers license. Which is actually a card. Under IVS, I could prove my identity online by using my IVS identity and credentials without needing to physically visit them.

    Mutliply that by the number of government offices that you’d need to visit to show your drivers license in order to register for online accounts to manage your rates, your student loan, or (in future) your electronic health records, and you can see the savings for the public and for government.

    The banks seem to be interested because they already need to establish identity before opening accounts. Typically you need to show them your drivers license, again, or passport. They’ll be able to use IVS identities to do this, and so they’ll be able to open bank accounts or share trading accounts or whatever electronically without you having to visit a branch. They’re also interested because anti money laundering legislation means that they’ll have to start identifying the people behind certain financial transactions. They really don’t want to force you to visit a branch, drivers license in hand, before you can transfer money.

    People like TradeMe are interested because it’ll reduce fraud. IVS will allow them to know that I am actually davidp, rather than Victor M’butu of Lagos.

    Malcolm… “The govt does these things the wrong way around.” For the most part, the applications are already in place, and are being retrofitted with the logon and IVS services. Or new applications are being implemented with login and IVS integrated. It really isn’t that difficult. Say you’re the new government recruitment web site, which went online a couple of months ago… You either implement your own login system and force applicants to set up new recruitment user IDs and passwords, along with the associated infrastructure and service desk. Or you spend a few thousand bucks to integrate the site with the igovt login service, and let applicants use the same user ID and password they already use for other government web sites. It’s a no-brainer to me.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  12. malcolm (1,952 comments) says:

    Davidp, are you involved in some way with this project?

    If so, can you give a brief list of the govt services that are planned to use this login/auth system? You mention a few in your last post, but in your earlier post you said there hasn’t been a lot of uptake for login amongst government agencies for a variety of reasons.

    You mentioned a government recruitment website. This doesn’t need a highly secure login/auth system. There are millions of recruitment websites out there, not one of which would have spent $122M on login/auth.

    It surely is a National ID system. OK, so there’s no card at the moment, but the card isn’t the issue. It’s the system behind the card or the login which is the National ID system. It would become a single point of ID for everything. E.g we’re currently required to carry our drivers licence, and there’s no reason to imagine that we wouldn’t similarly be required to prove our ID when stopped by the police, for example.

    So in a matter of years we could have a system where any government agency can ask you to prove who you are, and you’d be obliged to tell them. If you can’t for some reason, or don’t want to, you’re suspect.

    I don’t want to sound all conspiratorial, but there are a lot of privacy and liberty issues with a National ID system. Not to mention a single point of failure for spectacular identity fraud.

    This shouldn’t slip in under radar. The debate in the UK was long and it has now been put on hold.

    cheers

    Malcolm

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  13. Kris K (3,570 comments) says:

    Guys – I have the SOLUTION!

    It’s portable, unable to be used by anyone except the ‘owner’, you can’t lose it, it’s not able to be readily duplicated, it can be used for all purposes where identification is required, it would have the added benefits of being able to be tracked by GPS (a hostage-taker’s nightmare), and would do away with the need for cash, and, of course finally, we already have the technology to facilitate immediate implementation.

    You may ask, “What is it, and how would it work?”

    Here IT is:
    I suggest we place a microchip in either/both the right hand (most people are right handed) and/or the forehead.
    As everything is computerised I suggest we put scanners adjacent to (or in as standard) all computers, eftpos and banking ‘hole in the walls’, customs (immigration control), and at critical points around cities/towns (to cover for when satellites are out of range), etc.
    By simply passing your hand over the scanner, or walking through/nearby a scanning gate you would be identified and validated for the particular activity you wish to carry out.

    Sounds too simple, and of course it is.
    Coming soon to a town near you. It is rumoured that our very own Aunty Helun will ensure that NZ is the first country to implement this beneficial technology. Sign up – before they make it compulsory.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  14. Kris K (3,570 comments) says:

    By the way, I expect royalties for my ‘original’ suggestion. 1% should about cover it.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  15. malcolm (1,952 comments) says:

    Kris K

    By simply passing your hand over the scanner, or walking through/nearby a scanning gate you would be identified and validated for the particular activity you wish to carry out.

    So I could cut your hand off and then take all your money from the ATM? That sounds like an excellent system.

    cheers

    Malcolm

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  16. side show bob (3,660 comments) says:

    What the hell, why not give everyone a bar code on the forehead and a RF chip in the arse. It’s going to come to it sooner or later. Kris K is right, the bloody bureaucrats would give their left nuts to implement something like this they just lack the courage and a good excuse at the moment. But give the bastards time they will dream up another emergency ( pig flue, global warming, your carbon footprint and other such bullshit ) and they will have a chip in us before you can blink.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  17. Kris K (3,570 comments) says:

    malcolm 12:11 pm

    By simply passing your hand over the scanner, or walking through/nearby a scanning gate you would be identified and validated for the particular activity you wish to carry out.

    So I could cut your hand off and then take all your money from the ATM? That sounds like an excellent system.

    Admittedly that is one of the few downsides. But I promise to put up one hell of a fight!
    You could also chop off my head and scan that.

    I do think, though, that in either case the trail of blood may be a bit of a give away, not to mention the screams from others in the ATM queue when you scan said object. I suggest you carry it out late at night when there are no witnesses.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  18. peterwn (3,271 comments) says:

    Any ID system should be processor and operating system independent. There should be no ‘lock in’s’ to particular processor and operating system just because it happens to have the lion’s share of the market. The system should be free of patents if need be by legislating to cancel any relevant NZ patents and paying the patent owners reasonable compensation.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  19. Kris K (3,570 comments) says:

    side show bob 12:22 pm,

    I think the US miliatary already chip all/most of their soldiers, etc, and can track them via GPS/satellite.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  20. side show bob (3,660 comments) says:

    Kris K, we now have to chip all cattle, food safety or some bullshit excuse like that. Start with dogs, then cows then work your way up the food chain.

    If the US military is chipped then why can’t they find prisoners taken in battle?

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  21. Kris K (3,570 comments) says:

    side show bob 12:53 pm,

    Kris K, we now have to chip all cattle, food safety or some bullshit excuse like that. Start with dogs, then cows then work your way up the food chain.

    I did some engineering work for a local meat works. They were even talking of using chips for ‘stock’ control for all carcasses; and even right down to individual meat pack level, so that all meat products could be traced back to the parent works/farm. I don’t know how the end consumer was to prevent swallowing these chips – maybe their size made it a non issue.

    If the US military is chipped then why can’t they find prisoners taken in battle?

    Maybe they do, and they’re just not telling?

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  22. malcolm (1,952 comments) says:

    Kris, you’re getting your ‘chips’ confused.

    A GPS thing would currently be the size of a small phone and need a lot of power. I.e. like a GPS navigator you get for the car. Not suitable for ‘chipping’ a person. And not implanted into US soldiers. It would make an unsightly bulge.

    The meat works example you are using is almost certainly a passive RFID chip. Very small but can only be read when energised by a closely held reader. Not by a satellite.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  23. davidp (3,581 comments) says:

    malcolm>If so, can you give a brief list of the govt services that are planned to use this login/auth system?

    I went to the briefing and I’ve worked on the identity side of IT off and on for several years. I’m not a member of either project team.

    The objective is that ALL government web sites that require the general public to login will, eventually, be “federated” with igovt and therefore allow the public to login using their igovt login ID. This will save a reasonable amount of money for the government, since they’re implementing login once rather than hundreds of times. But the main benefit is to the public… You’ll only need to remember one user ID and password to interact with government electronically, rather than lots. I have to remember plenty of passwords already and I really don’t want to remember dozens more as government places more services online.

    Who is using igovt login at the moment? From memory… Statistics, Police, jobs.govt.nz, one of the Auckland city councils, and probably some others. Why aren’t more using it? Inertia. Agencies thinking that federation is difficult or costly… it isn’t. Agency IT groups wanting to do their own thing, rather than collaborate. Probably some others.

    I don’t know how the $122million figure has been arrived at. It doesn’t feel realistic to me, given the small number of people working on the two services and the reasonably low cost of the infrastructure and software required. But the money has been spent already and they’re both up and running, so you might as well use them in order to gain the benefits. The costs of operating them is negligible and the marginal cost of federating new applications to the services is trivial, and yields operational savings for the application.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  24. malcolm (1,952 comments) says:

    Thanks David,

    I’m quite interested as I followed the debate in the UK re the ID Cards and same privacy and liberty issue would seems to apply to this system.

    $122M is an awful lot for what you describe. But I have no doubt the government could spend this amount.

    cheers

    Malcolm

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  25. davidp (3,581 comments) says:

    Malcolm… they’ve put a lot of work in to the privacy side of things. You don’t need any sort of identification to sign up for an igovt login ID… it is anonymous. The service doesn’t ever pass the login ID to federated agencies, only an agency-specific “Federated Login Tag”. That means that IRD will know the person logging in as one FLT, while Health will know you as another FLT, and so the two agencies can’t get together and compare your tax and health records. Well they can’t without also involving DIA and breaking the law.

    In terms of identity verification, you have to positively identify yourself to government to receive a variety of services. I suspect that most people think that persons applying for social welfare benefits should have to identify themselves so that MSD can ensure that you’re not claiming two benefits under different names. IVS is just a cheaper and easier way to do this that means you don’t have to carry around a drivers license or passport. I believe that signing up for IVS won’t be compulsory, so you can continue to carry around your drivers license or passport if you prefer. At least for now.

    In terms of privacy, there are some tricky issues around health information. Should you need to identify yourself to access government funded health services? If you don’t, then visitors to NZ can access these for free. If you do, then you make it hard for, say, teens to access sexual health related services anonymously.

    Also, a lot of people would be happy for government to match identities and data across agencies, so that MSD could check that they weren’t paying a benefit to someone who IRD thought was employed. Or MSD weren’t paying a benefit to someone who owes the government a fortune in fines. I tend to come down on the side of government efficiency in these cases… but then I see the huge amounts of money that government spends trying to maintain clean data across multiple identities or suspected identities which would not be required if people had a single social security number as they do in the US, or the equivalent in most of Europe.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  26. malcolm (1,952 comments) says:

    David, thanks for that additional information.

    cheers

    Malcolm

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  27. Kris K (3,570 comments) says:

    malcolm 1:31 pm,

    Kris, you’re getting your ‘chips’ confused.

    A GPS thing would currently be the size of a small phone and need a lot of power. I.e. like a GPS navigator you get for the car. Not suitable for ‘chipping’ a person. And not implanted into US soldiers. It would make an unsightly bulge.

    The meat works example you are using is almost certainly a passive RFID chip. Very small but can only be read when energised by a closely held reader. Not by a satellite.

    I was more referring to the ability to locate soldiers while in the field. I think GPS satellites directly energise something like an RFID located in the soldier. So more the GPS technology, rather than an actual GPS receiver inside the soldier.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  28. Steve (4,560 comments) says:

    Any electronic ID held on a secure database has to be recoverable by someone if the system crashes completely.
    That someone is the danger man who is either trusted by us or targeted by others.
    Just remember when you next format your computer hard drive. The data is just unseen, not deleted. Recovery is reasonably simple.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  29. G (82 comments) says:

    Malcolm, as Davidp mentioned, IVS is opt-in. Indeed govt agencies using it are required to maintain offline systems (i.e. MSD can’t close all the branches and tell people to apply online).

    For a list of agencies, see http://www.i.govt.nz. For some good info on it all, see http://www.dia.govt.nz/diawebsite.nsf/wpg_URL/Resource-material-Identity-Verification-Service-Index?OpenDocument (BTW, DIA have a fucking shit website. C’mon a government agency now in charge of government technology stuff has a website dating from what looks like 1997? It doesn’t even work properly in Firefox).

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote
  30. malcolm (1,952 comments) says:

    Thanks G, I’ve have a look.

    Vote: Thumb up 0 Thumb down 0 You need to be logged in to vote