Advanced auditing at Centrelink

Phil at Improving New Account Opening speculates about Centrelink's auditing system while making the important point – not necessarily related factually to this incident – that auditing systems can themselves raise privacy issues.

Kim Cameron's Identity Blog highlighted the case of more than 100 Australian government employees being forced out of a single agency for snooping on client information. According to the Sydney Morning Herald article, hundreds more were demoted or faced salary deductions as punishment.

Interestingly, I have a little insight into some of the Centrelink agency's online applications. Despite this, the rest of the Centrelink specifics in this post are wild speculation, so take them with a pinch of salt.

The agency provides a range of online services to Australians, especially around benefits and financial support, and enables users to perform many interactions and transactions with the agency online. This leads to approximately 80 million online transactions per week. As I understand it, before going online the agency had struggled with how to counter individual users claiming that information they had (or had not) provided online was incorrectly recorded, leading to incorrect payment of benefits and other issues. This would mean that cases that led to litigation would be hard to defend. The requirement for non-repudiation rested with the agency and this proved difficult for them to address.

Here is where the wild speculation starts. Centrelink is considered a gold-standard in the Australian government for an online service that is secure and trusted. It employs a website monitoring application called WebCapture that for online transactions records both the information presented to a user, the forms they see and the documents requested, alongside any information that users enter into forms, the options they select, links they follow and buttons they click. This information is recorded on the web-server, stored to a repository and may be played back by authorized users as a virtual video recording of the entire transaction. As I understand it, the captured, replayable transaction has been tested in court as having appropriate legal weight to provide non-repudiation: the logged in user did perform the transaction, and this is exactly the information they were presented and they responded with.

I am guessing that some of the employees in question used this monitoring capability to snoop on customer information that they couldn't access in other systems. WebCapture information is held in an extremely secure repository, with metadata passed to a standard database. The question is whether the agency effectively designed and enforced their security policies with respect to accessing this data. A system's security is only as strong as the security policies you define for it. In this case, it may be that the WebCapture repository or associated database was the subject of poor IT security policy enforcement or poor governance around the maintenance of those policies or the users that could access it.

If this scenario is actually true, it highlights an issue that should be obvious, but may have been missed in this case. As we add additional layers of software into our infrastructure, if they are not subject to good IT governance and management processes they may be fraudulently used to access personal data and transactions, or lead to other security issues. Every new layer of infrastructure needs to be managed – personal data does not just reside in the database anymore.

With good governance and management of the systems and security policies using best practices like ITIL, a system like WebCapture can provide undeniable proof of transactions performed by clients, protecting the organization from false claims and litigation. This is a huge benefit to an organization like Centrelink. There is no substitute for good management of data in all IT systems, not just the database.
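The point Phil makes is that a replay repository is itself a store of personal data, so access to it needs the same policy enforcement and the same audit trail as the source systems. The sketch below is an added illustration, not code from WebCapture, Centrelink or any vendor: it assumes a hypothetical replay repository whose metadata maps each captured session to a client, a case-assignment table that says which officer may replay which client's sessions, a log of every replay attempt (allowed or denied), and a simple detector that flags officers whose replay pattern looks like browsing rather than case work. Names, thresholds and the sample requests are all constructed.

```python
"""Least-privilege replay access plus self-auditing for a transaction-replay store.
Added example (hypothetical design); nothing here is Centrelink's or WebCapture's code."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ReplayRequest:
    staff_id: str
    session_id: str
    when: datetime


@dataclass
class ReplayRepository:
    # session_id -> client_id (metadata only; the captured pages live elsewhere)
    sessions: dict
    # staff_id -> set of client_ids whose cases are assigned to that officer
    assignments: dict
    # every replay attempt is recorded, whether it was allowed or denied
    access_log: list = field(default_factory=list)

    def replay(self, req: ReplayRequest) -> bool:
        """Allow a replay only when the session's client is assigned to the requester.
        The decision and the attempt are logged either way, so the audit store
        is itself audited."""
        client = self.sessions.get(req.session_id)
        allowed = client is not None and client in self.assignments.get(req.staff_id, set())
        self.access_log.append((req, client, allowed))
        return allowed


def flag_snooping(access_log, window=timedelta(hours=1), max_distinct_clients=2):
    """Return {staff_id: [reasons]} for officers whose replays look like snooping:
    any denied attempt (a request outside their assignments), or more than
    max_distinct_clients distinct clients replayed inside any `window`."""
    by_staff = defaultdict(list)
    for req, client, allowed in access_log:
        by_staff[req.staff_id].append((req.when, client, allowed))
    flagged = {}
    for staff, events in by_staff.items():
        events.sort(key=lambda e: e[0])
        reasons = []
        denied = sum(1 for _, _, ok in events if not ok)
        if denied:
            reasons.append(f"{denied} denied replay attempt(s)")
        # sliding window over the time-ordered events
        for i, (t0, _, _) in enumerate(events):
            clients = {c for t, c, _ in events[i:] if t - t0 <= window and c is not None}
            if len(clients) > max_distinct_clients:
                reasons.append(f"{len(clients)} distinct clients within {window}")
                break
        if reasons:
            flagged[staff] = reasons
    return flagged


def demo():
    """Constructed scenario: alice works her own cases, bob wanders outside his."""
    repo = ReplayRepository(
        sessions={"s1": "c1", "s2": "c2", "s3": "c3", "s4": "c4"},
        assignments={"alice": {"c1", "c2"}, "bob": {"c3"}},
    )
    t = datetime(2006, 8, 1, 9, 0)
    requests = [
        ReplayRequest("alice", "s1", t),
        ReplayRequest("alice", "s2", t + timedelta(minutes=5)),
        ReplayRequest("bob", "s3", t + timedelta(minutes=10)),
        ReplayRequest("bob", "s1", t + timedelta(minutes=12)),  # not bob's case
        ReplayRequest("bob", "s4", t + timedelta(minutes=15)),  # not bob's case
    ]
    outcomes = [repo.replay(r) for r in requests]
    return outcomes, flag_snooping(repo.access_log)


if __name__ == "__main__":
    outcomes, flagged = demo()
    print(outcomes)   # [True, True, True, False, False]
    print(flagged)    # {'bob': ['2 denied replay attempt(s)', '3 distinct clients within 1:00:00']}
```

Two design choices carry the weight: the authorization decision is made against an explicit assignment table rather than a broad "auditor" role, and denied attempts are logged rather than silently dropped, because in a snooping case the denials are often the first signal.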

 

Aggregation through a single identifier

Through the miracle of pingbacks I just came across Terrell Russell's blog, This Old Network. Poking around, I was led to his cool proposal for MicroIDs, which I like and will discuss later. I also found many interesting pieces, including today's interesting reflection related to issues addressed in my fourth law of identity:

First, our friend the search engine…

Search data recently released from AOL allows anyone with some intrepid follow-up skills and some social engineering to quickly narrow in on unique individuals – individuals who never considered their independent searches were being aggregated by their ISP. A recent flurry of activity designed to protect us from the search engines signals a slumbering uneasiness with this situation. Something dark has been uncovered and in the short term there is much handwaving and interest. However, as time passes, we’ll fall back into our ‘normal’ ways and continue to put our most personal information-seeking into that gloriously simple bare single box. “It’s just too convenient”, you say. “They’ve done nothing wrong.”

And here’s where the discussion changes. It’s not about Google. Or MSN. Or Yahoo. It’s about one person. Or one subpoena. The fact that it’s all being aggregated is the problem. The fact that there’s a potential for negligence, court-order or simple employee curiosity has profound implications for a great number of people. That is what makes this discussion so important.

Note that the reason employees could inappropriately access sensitive information was because it was sitting in databases they could get to – not because it was present on a card in someone’s wallet. 

Centralized databases worry me way more than any other aspect of this technology.

– Kim Cameron

We need to understand that our daily breadcrumbs – our attention – our personal interests in where we’re going and what we’re looking for and what we’re buying, are all being sucked up and stored with a unique identifier. We need to realize we’re broadcasting our attention and that it has great value to those who would suck it up. Inform yourself and make a conscious decision about where you spend your time and what you look for. You’re not alone while you surf. AOL has shown us the light.

And onto IM…

Most users think they’re anonymous behind their instant messenger accounts. They think their words aren’t being recorded. You think your friend on the other end of the IM doesn’t have her auto-logging turned on? And that it’s not fully searchable later? Severe paranoia and tin-foil hats notwithstanding, you’re being very naive.

And that’s just your friends. How about when the person on the other end reports you?

Earlier this week the UK government-funded Child Exploitation & Online Protection Centre announced a partnership with Microsoft Messenger. Messenger will be putting a button on the toolbar to allow any user to ‘report abuse’ to the authorities. This is a dangerous precedent. How is this any different than the Terrorist Information and Prevention System (TIPS) program proposed by the US back in 2002?

How much money will be tied up in the next 12 months because of this trigger being too easy to pull? How many prank reports will eat through the government funding? How will danah boyd react to the feeding frenzy this will create once the first one is ‘caught’?

Be aware of what you project. Be aware that this is a global medium. Be aware that it’s being broadcast and recorded. This Internet thing will be around for a while.

This should give those who think that maybe we should just back off identity issues and let things take “their natural course”, reason for pause. I certainly hope that the “panic button” referred to above is limited to use within communities whose members consent to it.

 

David Weinberger – lover of the status quo?

David Weinberger at Joho the Blog has a thoughtful piece on privacy and anonymity that more or less wraps up the ongoing thread between him, Eric Norlin, Ben Laurie and others including myself.

It's long and detailed, so I suggest you check it out at Joho (don't get distracted by his piece about Snakes on a Plane.) 

While I have the chance I'll mention that I really don't like the way David uses the phrase “real world” – and counterposes it to the Internet. 

But here's what I wanted to discuss:

My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

Economics will drive the social norms?  Why isn't it possible that social behavior will also drive our economics?  Is there a cluetrain?

An obvious example might be the ability to market more effectively without ANY personally identifying information about an individual. This sounds counterintuitive until you take into account the fact that people are willing to reveal more about themselves – and their needs – when they are not individually identified.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

I'm not sure if fanatics is the right word. Once you see that privacy is security from the point of view of the individual, then it just becomes a normal part of security modelling. 

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them…far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don't have to shop at Amazon. But why won't B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, “Oh, to hell with it,” and give in? And then I've flipped my default. Rather than being relatively anonymous, I will assume I'm relatively identified.

Where is the proof for this?  Vendors will want to do whatever lets them sell most effectively.  Pseudonymous relationships, as I mentioned above, may well be perfect for this.  Amazon sells to me by knowing what I like to read and watch – not by knowing my name.  Next generation credit and delivery systems will allow us to purchase without revealing anything about who we are or where we live to the merchant. 

With an identity platform in place, a payment transaction can be a one-time transaction guaranteed by a bank.  No name or credit card number is necessary.

With an identity platform in place, delivery can be done by giving the merchant a one-time transaction number linked to my Fedex account – without the merchant needing to know where I live or take responsibility for product delivery.

Why would merchants want to keep all the liability of the material world if they can reduce their costs and increase their sales by moving on into the virtual one?  Doesn't that sound real? 
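To make the one-time payment and delivery idea above concrete, here is an added sketch of the pattern; it is my illustration, not any bank's or carrier's protocol, and every name, account and amount in it is constructed. A trusted intermediary (the bank or the carrier) holds the customer's private data and hands the customer a random single-use token bound to one merchant and one claim (an amount, or "one parcel"). The merchant presents only that token; the intermediary resolves it internally and returns a reference, never the name, card number or address. Replayed tokens, tokens presented by a different merchant, mismatched claims and expired tokens are all refused.

```python
"""One-time, merchant-bound tokens issued by a trusted intermediary.
Added illustration of the idea in the post; hypothetical design, constructed data."""
import hashlib
import secrets
from datetime import datetime, timedelta


class OneTimeTokenIssuer:
    def __init__(self, name):
        self.name = name
        self._accounts = {}   # account_id -> private data; never leaves this class
        self._live = {}       # token -> (account_id, merchant_id, claim, expires)
        self._spent = set()   # redeemed tokens, kept so a replay is recognised

    def register(self, account_id, **private):
        self._accounts[account_id] = dict(private)

    def issue(self, account_id, merchant_id, claim, now, ttl=timedelta(minutes=15)):
        """The customer, already authenticated to the issuer, asks for a token
        usable once, by one merchant, for one claim, within a short window."""
        if account_id not in self._accounts:
            raise KeyError("unknown account")
        self._check_claim(account_id, claim)
        token = secrets.token_urlsafe(16)          # unguessable; no data encoded in it
        self._live[token] = (account_id, merchant_id, claim, now + ttl)
        return token

    def redeem(self, token, merchant_id, claim, now):
        """Merchant side: present the token and the claim it was told to expect.
        Returns (ok, reason_or_reference); the reference reveals nothing private."""
        if token in self._spent:
            return False, "token already used"
        rec = self._live.get(token)
        if rec is None:
            return False, "unknown token"
        account_id, bound_merchant, bound_claim, expires = rec
        if merchant_id != bound_merchant:
            return False, "token bound to a different merchant"
        if claim != bound_claim:
            return False, "claim does not match token"
        if now > expires:
            return False, "token expired"
        del self._live[token]
        self._spent.add(token)
        self._fulfil(account_id, claim)             # uses private data internally only
        ref = hashlib.sha256(token.encode()).hexdigest()[:12]
        return True, f"{self.name}-ref-{ref}"

    def _check_claim(self, account_id, claim):
        pass

    def _fulfil(self, account_id, claim):
        pass


class Bank(OneTimeTokenIssuer):
    def _check_claim(self, account_id, amount):
        if self._accounts[account_id]["balance"] < amount:
            raise ValueError("insufficient funds")

    def _fulfil(self, account_id, amount):
        self._accounts[account_id]["balance"] -= amount

    def balance(self, account_id):
        return self._accounts[account_id]["balance"]


class Carrier(OneTimeTokenIssuer):
    def __init__(self, name):
        super().__init__(name)
        self.manifest = []    # internal pick-up list: (account_id, address)

    def _fulfil(self, account_id, claim):
        self.manifest.append((account_id, self._accounts[account_id]["address"]))


def demo():
    """Constructed walk-through: one purchase, then the refusals a merchant would see."""
    now = datetime(2006, 8, 1, 12, 0)
    bank, carrier = Bank("bank"), Carrier("carrier")
    bank.register("kim", balance=100)
    carrier.register("kim-carrier", address="1 Example Street (constructed)")
    pay = bank.issue("kim", "merchant-a", 42, now)
    ship = carrier.issue("kim-carrier", "merchant-a", "parcel", now)
    late = carrier.issue("kim-carrier", "merchant-a", "parcel", now)
    results = {
        "pay": bank.redeem(pay, "merchant-a", 42, now)[0],
        "pay_replay": bank.redeem(pay, "merchant-a", 42, now)[0],
        "ship_wrong_merchant": carrier.redeem(ship, "merchant-b", "parcel", now)[0],
        "ship_wrong_claim": carrier.redeem(ship, "merchant-a", "two parcels", now)[0],
        "ship": carrier.redeem(ship, "merchant-a", "parcel", now)[0],
        "ship_expired": carrier.redeem(late, "merchant-a", "parcel", now + timedelta(hours=1))[0],
    }
    ship_ref = carrier.redeem(carrier.issue("kim-carrier", "merchant-a", "parcel", now),
                              "merchant-a", "parcel", now)[1]
    return results, bank.balance("kim"), ship_ref, len(carrier.manifest)


if __name__ == "__main__":
    print(demo())
```

The merchant's view is deliberately thin: a token it cannot decode and a reference it cannot map back to a person. Binding each token to the merchant is what makes a leaked token worthless elsewhere, and keeping the spent set is what makes the "one-time" property enforceable rather than merely stated.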

Does that matter? I think it does, for the political, social and personal reasons mentioned above. Don't make me also argue against being on one's best behavior and against being accountable for everything one does! I'm willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school's football team. Sites come up with solutions as needed.

David, David, David.  You think the current situation is so good for your privacy?  You like the increasing proliferation of personally identifying information that characterises the current technology?  You're happy with the way enterprises and governments build their centralized systems?  They aren't.  Everyone realizes that our current ways of doing things are too dangerous – and much of that comes from the fact that we have been forced to store information we don't need precisely because there has been no identity platform.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It's one solution — federated, to be sure — that solves all identity problems at once. If you want to change a social default, build a platform. That's not why they're building it, but that will (I'm afraid) be the effect. It's not enough that anonymity be possible or permitted by the platform. The default isn't about what's permitted but about what's the norm. If the default changes to being naked at the beach, saying, “Well, you can cover up if you want to,” doesn't hide the fact that wearing a bathing suit now feels way different. Yes, there's something wrong – and distracting – about the particulars of this analogy. But I think the overall point is right: We're talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?

Is it better to have been born, or not to have been born? (Yes, I know what the ancients said.) 

There are dangers – do we therefore have to submit to a long sleep?