Back from DC and Toronto I’m feeling recharged and reinvigorated. The Gov 2.0 expo was fantastic, it was great to meet colleagues from around the world in person. The FCM AGM was equally exciting with a great turnout for our session on Government 2.0 and lots of engagement from the attendees.
So, now that I’m in a good mood, it’s only natural that I’m suddenly burning up about some awesomely poor decisions being made at the provincial level and that may also may be in the process of being made at the federal level.
Last year at the BC Chapter of the Municipal Information Systems Association conference I stumbled, by chance, into a session run by the British Columbia government about a single login system it was creating for government website. So I get that this sounds mundane but check this out: it would means that if you live in BC you’ll have a single login name and password when accessing any provincial government service. Convenient! Better still, the government was telling the municipalities that this system (still in development) could work for their websites too. So only one user name and password to access any government service in BC! It all sounds like $30 million (the number I think they quoted) well spent.
So what could be wrong with this…?
How about the fact that such a system already exists. For free.
Yes, OpenID, is a system that has been created to do just this. It’s free and licensed for use by anyone. Better still, it’s been adopted by a number of small institutions such as Google, Yahoo, AOL, PayPal, and Verisign and… none other than the US government which recently began a pilot adoption of it.
So let me ask you: Do you think the login system designed by the BC government is going to be more, or less secure that that an open source system that enjoys the support of Google, Yahoo, AOL, PayPal, Verisign and the US Government? Moreover, do we think that the security concerns these organizations have regarding their clients and citizens are less strict than those of the BC government?
I suspect not.
But that isn’t going to prevent us from sinking millions into a system that will be less secure and will costs millions more to sustain over the coming decades (since we’ll be the only ones using it… we’ll have to have uniquely trained people to sustain it!).
Of course, it gets worse. While the BC government is designing its own system, rumour has it that the Federal Government is looking into replacing Epass; it’s own aging website login system which, by the by, does not work with Firefox, a web browser used by only a quarter of all Canadians. Of course, I’m willing to bet almost anything that no one is even contemplating using OpenID. Instead, we will sink 10’s of millions of dollars (if not more…) into a system. Of course, what’s $100 million of taxpayer dollars…
Oh, and today’s my birthday! And despite the tone of this post I’m actually in a really good mood and have had a great time with friends, family and loved ones. And where will I be today…? At 30,000 ft flying to Ottawa for GovCamp Canada. Isn’t that appropriate? :)
eaves.ca 
I think if Yahoo and Google (who's that?) are comfortable with it, our government should be too. I also think you're right in that they won't use it, considering the lead BC is showing.Happy Birthday!
Happy Birthday then :) I think OpenID can be secure for any kind of (open) Government. Here in Bulgaria we are trying to put more security on OpenID protocol for example. Maybe you have to push your government to think about openness and compatibility and to implement some kind of open technology as we are trying here :)All the best,Bogo
Well said David. Readers of this post may be interested in the Kantara Initiative. Kantara Initiative Mission:”Foster identity community harmonization, interoperability, innovation, and broad adoption through the development of open identity specifications, operational frameworks, education programs, deployment and usage best practices for privacy-respecting, secure access to online services.”Stephen
Happy Birthday, Dave.Using OpenID as a protocol is a great idea, but don't confuse it with security. There are still many problems with OpenID in terms of a security model, the most notable being the possibility for phishers to do a “honeypot” attack and then have access to all the systems for which the single sign-on was working.Also, the support from the major players you cite is unidirectional – they allow for you to use their existing authentication systems as OpenID providers (in other words, they support the protocol) but they don't accept OpenID as a way of signing into their services.
I am not saying if the system the BC government is creating is a good idea or not, but I don't believe OpenID is as good as you claim. You say major companies use it, including Google. I have only seen Google using it for comments on blog posts. I cannot use OpenID with my Gmail account, Google maps, Google docs, … And authenticating comments on blogs is not exactly the most security critical thing I can think of. OpenID is no good if everybody wants to provide it but no one wants to accept it.And OpenID isn't exactly free. OpenID provides no connection between an OpenID identity and your identity as a Canadian citizen. That connection would still have to be created and maintained by the government at the cost of several million dollars.You also cannot rely on citizens choosing a secure third party OpenID provider. People will just use Facebook, which will in turn give everybody unlimited access to all your private data shared between you and the government. :) That said you may not be able to rely on the government choosing a secure third party either… In the country where I live (Denmark), the government is also creating one new Single sign-on system, and they have tried for years without great success. That system also sucks big time, but even through I am sure there are many cheaper and more secure solutions, they are still hard to find.
EPass is atrocious. OpenID sounds nice, but I suspect we as outsiders are ignorant of any number of reasons why it won't work. One that comes to mind is where identities are stored. For example, universities here are discouraged from using Google Docs because it means the data is on a US server, and therefore subject to PATRIOT act subpoenas. This apparently conflicts with privacy legislation in Canada.
Mike – agreed on both fronts. The question is, strategically, which system (and which standard) is going to be more robust in 2 years or 5 years? The one we develop on our own or the one that a number of major players support. Given the US government's move into this space I suspect that development is going to be fairly rapid – but open to push back on that…
Jesper, I agree about it not being free – my point wasn't that it would be free to maintain, but free to develop (or, at least a significantly lower cost). Also, at least with open ID, since it is open, you may get to choose from a variety of support vendors which could lower the price (or simply support in house). By building the system in house we'll be stuck with a system that only a few people understand and can support… driving up the cost. Of course, I suspect our experience will be like of Denmark's, with things proceeding slowly…
Happy Birthday!I'm a huge OpenID fan…they absolutely should be considering it, at the very least.
great post. i think this post over at technologyreview is a compliment, highlighting a personal interest of mine — the connection between ID and browsers and the focus that needs to be put in outfitting browsers for maximum user/agency affects.http://is.gd/cwZTf
Was going to comment, but Jesper hit the nail right on the head (particularily his third paragraph).I can't speak for the BC solution, but the federal solution will be built using open-standards and will be very OpenId-like.
Great post and Happy Birthday! Certainly lots to chew on…My concern with OpenID is related to where the information on citizens is kept. I'm assuming that the information OpenID would keep on citizens would reside on servers in the U.S. If so, all of that information fall under the USA PATRIOT ACT and, as a result, would be accessible to U.S. government agencies. The USA PATRIOT ACT permits U.S. government agencies to access any information stored in the U.S. with very little probable cause. Hosting may be an issue with the B.C. and Canadian governments.
I hate to contradict you , ok wait I love to contradict but from an official unpublished recommendation going to be shown to governments across Canada in June there is this snippet “OpenID/OAuth, SAML1.1/2.0, Ws-fed 1.1, Information Cards 1.0 etc”We are trying to support multiple formats and openID is one we use here in Nanaimo. OpenID is a two part issue with goverment sites. Lets take filing taxes for example.Imagine you could sign into your taxes with openID, lets say google.Now google, an American company knows you've files your taxes and even when you signed in. This is currently against the law in Canada. Option 2, Canada or the provinces provide openID's. This works much better as the usage data and profile data is all local to Canada. Now with this openID you can sign in and pay your federal taxes but you can also pay your city taxes on a city website. All we have to do it accept openID and it's done. We would verify you are who you are in our own way. This could be that we just always trust the Canadian Government or we could ask you for a code that we physical mailed to you.Think of it this way. When you when you got on the plain to fly home who provided your ID? BC or Canada (passport or drivers license) . How about when you purchased some beer? Well then again it was government ID. Governments have been in business for ages and I think it won't take much to educate people that online should work the same way.When you bought the beer you handed the clerk your home address and name and lots of personal information. Whats the difference if you use this online. In my perfect world openID.gov.bc.ca is my one identity online and I give up using google for login.
Jeff – this is great news! (happy to be contradicted by reports I can't access :) ).Completely agree with you on option 2 as well. Just wish there was more talk of it…
Christopher, this is great news (and not what I had heard). Thank you for sharing!
Right – support for the OpenID API is definitely something we'd want, but I would not want the CCRA to allow the use of OpenID. The potential for data theft is pretty incredible, and serious. I think OpenID as a way to identify yourself is great, but from there you'll also want a secondary PIN based system to secure transactions.
Thanks for this post David – I think it’s excellent that this debate is happening, but I do need to set the record straight on what we here in BC are doing (and not doing).First and foremost, you certainly got my attention with the title of your post! I was reading with interest to see who in Canada was wasting $30M – imagine my surprise when I saw it was me! Since I know that we’ve only spent about 1% of that so far I asked Ian what exactly it was he presented at the MISA conference you mentioned (Ian works for me). While we would certainly like someone to give us $30M, we are not sure where you got the idea we currently have such plans.That said I would like to tell you what we are up to and really encourage the debate that your post started. I personally think that figuring out how we will get some sort of Identity layer on the Internet is one of the most important (and vexing) issues of our day. First, just to be clear, we have absolutely nothing against OpenID. I think it has a place in the solution set we need, but as others have noted we do have some issues using foreign authentication services to access government services here in BC simply because we have legislation against any personal info related to gov services crossing the border. I do like Jeff’s thinking about whom in Canada can/will issue OpenID’s here. It is worth thinking about a key difference we see emerging between us and the USA. In Canada it seems that Government’s will issue on line identity claims just like we issue the paper/plastic documents we all use to prove our Identities (driver’s licenses, birth certificates, passports, SIN’s, etc.). In the USA it seems that claims will be issued by the private sector (PayPal, Google, Equifax, banks, etc.). I’m not sure why this is, but perhaps it speaks to some combination of culture, role of government, trust, and the debacle that REALID has become.Another issue I see with OpenID relates to the level of assurance you get with an OpenID. As you will know if you look at the pilots that are underway in US Gov, or look at what you can access with an OpenID right now, they are all pretty safe. In other words “good enough” assurance of who you are is ok, and if someone (either the OpenID site or the relying site) makes a mistake it’s no big deal. For much of what government does this is actually an acceptable level of assurance. We just need a “good enough” sense of who you are, and we need to know it’s the same person who was on the site before. However, we ALSO need to solve the MUCH harder problem of HIGH ASSURANCE on-line transactions. All Government’s want to put very high-value services on-line like allowing people access to their personal health information, their kids report cards, driver’s license renewals, even voting some day, and to do these things we have to REALLY be sure who’s on the other end of the Internet. In order to do that someone (we think government) needs to vouch (on-line) that you are really you. The key to our ability to do so is not technology, or picking one solution over the other, the key is the ID proofing experience that happens BEFORE the tech is applied. It’s worth noting that even the OpenID guys are starting to think about OpenID v.Next (http://self-issued.info/?p=256) because they agree with the assurance level limitation of the current implementation of OpenID. And OpenID v.Next will not be backward compatible with OpenID.Think about it – why is the Driver’s License the best, most accepted form of ID in the “paper” world. It’s because they have the best ID proofing practices. They bring you to a counter, check your foundation documents (birth cert., Card Card, etc.), take your picture and digitally compare it to all the other pictures in the database to make sure you don’t have another DL under another name, etc. Here in BC we have a similar set of processes (minus the picture) under our Personal BCeID service (https://www.bceid.ca/register/personal/). We are now working on “claims enabling” BCeID and doing all the architecture and standards work necessary to make this work for our services. Take a look at this work here (http://www.cio.gov.bc.ca/cio/idim/index.page?).I really encourage you to take a look at the education link and tell me what you think. Also, the standards package is getting very strong feedback from vendors and standards groups like the ICF, OIX, OASIS and Kantara folks. This is really early days and we are really trying to make sure we get it right – and spend the minimum by tracking to Internet standards and solutions wherever possible.Sorry for the long post, but like I said – this is important stuff (at least to me!) Keep the fires burning!Thanks – Dave.
David, Although the major consumer brands (Google, Yahoo!, Microsoft, AOL) have deployed or announced support for OpenID, and the US Gov has announced they will support it — OpenID 2.0 does not provide the capabilities for moving any identity claim besides verifying an email address. OpenID v.Next may enable that.I have followed the BC Gov work and they are world leading in architecting an identity system that is distributed and would enable reuse of identity claims. The leading protocol at the time was InfoCards — which have lost favour as of late — the BC Gov did not go out and invent a new identity protocol.Contrary to your statement that it was one username and password, it was an infocard — not the same thing — and really is the same architecture as OpenID — and was also the architecture that the US GSA chose for higher level transactions.Running a large pilot in the government costs money, even if the protocol is free (which was the case for both infocard and OpenID)wrt. ePass, I agree … they are re-inventing stuff and not tracking the open web trends — unlike the BC Gov.In case you don't know my identity, I am one of the authors of OpenID, sit on the OpenID board, and chair the OpenID Tech Committee.– Dick
Great and Thank you for commenting. We totally agree on the fact that BC should issue identity. Trust would be easier if the ID comes from gov.bc.ca then you trust it if not then you don't accept it. Every citizen gets an ID (like a drivers license) and they use it. Now here is the catch. For this is be really useful it has to be usable elsewhere. Let me log into this blog with my BC Online ID via openID. Let me log into any openID site with it but don't share details. When I log into this site with google they get a username like google.com/user/long_random_number. This random number is different for every site. When I log into Nanaimo.ca and SecretNanaimo.ca they can't even tell I'm the same person. Unless I tell Google to share my email. They don't know anything about me except that I am who I was before, or at least according to Google I am who I said I was, for them this is enough.If I used BC online ID it would mean I know my BC online password and I use it often, it becomes second nature, like showing my BC ID (I don't drive) when I go to a bar. Advantage to citizens is their login becomes second nature and they are reminded about how wonderful the government is every time they log in.Advantage to government is that people don't forget their login's and we can (only if we want) track where they log in so we can really know what our citizens are doing.
Dave I agree with your comments. I have been impressed with the identity architecture BC is working on. It would be great to see the province take the lead on this so municipalities can leverage the infrastructure and ID proofing, and give citizens one ID to use. It would be even better to have a federal government e-ID so citizens could have one ID to use for all levels of government, but getting the feds and all the provinces to agree on a standard may be too difficult to achieve.
Thanks for this post David – I think it’s excellent that this debate is happening, but I do need to set the record straight on what we here in BC are doing (and not doing).First and foremost, you certainly got my attention with the title of your post! I was reading with interest to see who in Canada was wasting $30M – imagine my surprise when I saw it was me! Since I know that we’ve only spent about 1% of that so far I asked Ian what exactly it was he presented at the MISA conference you mentioned (Ian works for me). While we would certainly like someone to give us $30M, we are not sure where you got the idea we currently have such plans.That said I would like to tell you what we are up to and really encourage the debate that your post started. I personally think that figuring out how we will get some sort of Identity layer on the Internet is one of the most important (and vexing) issues of our day. First, just to be clear, we have absolutely nothing against OpenID. I think it has a place in the solution set we need, but as others have noted we do have some issues using foreign authentication services to access government services here in BC simply because we have legislation against any personal info related to gov services crossing the border. I do like Jeff’s thinking about whom in Canada can/will issue OpenID’s here. It is worth thinking about a key difference we see emerging between us and the USA. In Canada it seems that Government’s will issue on line identity claims just like we issue the paper/plastic documents we all use to prove our Identities (driver’s licenses, birth certificates, passports, SIN’s, etc.). In the USA it seems that claims will be issued by the private sector (PayPal, Google, Equifax, banks, etc.). I’m not sure why this is, but perhaps it speaks to some combination of culture, role of government, trust, and the debacle that REALID has become.Another issue I see with OpenID relates to the level of assurance you get with an OpenID. As you will know if you look at the pilots that are underway in US Gov, or look at what you can access with an OpenID right now, they are all pretty safe. In other words “good enough” assurance of who you are is ok, and if someone (either the OpenID site or the relying site) makes a mistake it’s no big deal. For much of what government does this is actually an acceptable level of assurance. We just need a “good enough” sense of who you are, and we need to know it’s the same person who was on the site before. However, we ALSO need to solve the MUCH harder problem of HIGH ASSURANCE on-line transactions. All Government’s want to put very high-value services on-line like allowing people access to their personal health information, their kids report cards, driver’s license renewals, even voting some day, and to do these things we have to REALLY be sure who’s on the other end of the Internet. In order to do that someone (we think government) needs to vouch (on-line) that you are really you. The key to our ability to do so is not technology, or picking one solution over the other, the key is the ID proofing experience that happens BEFORE the tech is applied. It’s worth noting that even the OpenID guys are starting to think about OpenID v.Next (http://self-issued.info/?p=256) because they agree with the assurance level limitation of the current implementation of OpenID. And OpenID v.Next will not be backward compatible with OpenID.Think about it – why is the Driver’s License the best, most accepted form of ID in the “paper” world. It’s because they have the best ID proofing practices. They bring you to a counter, check your foundation documents (birth cert., Card Card, etc.), take your picture and digitally compare it to all the other pictures in the database to make sure you don’t have another DL under another name, etc. Here in BC we have a similar set of processes (minus the picture) under our Personal BCeID service (https://www.bceid.ca/register/personal/). We are now working on “claims enabling” BCeID and doing all the architecture and standards work necessary to make this work for our services. Take a look at this work here (http://www.cio.gov.bc.ca/cio/idim/index.page?).I really encourage you to take a look at the education link and tell me what you think. Also, the standards package is getting very strong feedback from vendors and standards groups like the ICF, OIX, OASIS and Kantara folks. This is really early days and we are really trying to make sure we get it right – and spend the minimum by tracking to Internet standards and solutions wherever possible.Sorry for the long post, but like I said – this is important stuff (at least to me!) Keep the fires burning!Thanks – Dave.
David, Although the major consumer brands (Google, Yahoo!, Microsoft, AOL) have deployed or announced support for OpenID, and the US Gov has announced they will support it — OpenID 2.0 does not provide the capabilities for moving any identity claim besides verifying an email address. OpenID v.Next may enable that.I have followed the BC Gov work and they are world leading in architecting an identity system that is distributed and would enable reuse of identity claims. The leading protocol at the time was InfoCards — which have lost favour as of late — the BC Gov did not go out and invent a new identity protocol.Contrary to your statement that it was one username and password, it was an infocard — not the same thing — and really is the same architecture as OpenID — and was also the architecture that the US GSA chose for higher level transactions.Running a large pilot in the government costs money, even if the protocol is free (which was the case for both infocard and OpenID)wrt. ePass, I agree … they are re-inventing stuff and not tracking the open web trends — unlike the BC Gov.In case you don't know my identity, I am one of the authors of OpenID, sit on the OpenID board, and chair the OpenID Tech Committee.– Dick
Great and Thank you for commenting. We totally agree on the fact that BC should issue identity. Trust would be easier if the ID comes from gov.bc.ca then you trust it if not then you don't accept it. Every citizen gets an ID (like a drivers license) and they use it. Now here is the catch. For this is be really useful it has to be usable elsewhere. Let me log into this blog with my BC Online ID via openID. Let me log into any openID site with it but don't share details. When I log into this site with google they get a username like google.com/user/long_random_number. This random number is different for every site. When I log into Nanaimo.ca and SecretNanaimo.ca they can't even tell I'm the same person. Unless I tell Google to share my email. They don't know anything about me except that I am who I was before, or at least according to Google I am who I said I was, for them this is enough.If I used BC online ID it would mean I know my BC online password and I use it often, it becomes second nature, like showing my BC ID (I don't drive) when I go to a bar. Advantage to citizens is their login becomes second nature and they are reminded about how wonderful the government is every time they log in.Advantage to government is that people don't forget their login's and we can (only if we want) track where they log in so we can really know what our citizens are doing.
Dave I agree with your comments. I have been impressed with the identity architecture BC is working on. It would be great to see the province take the lead on this so municipalities can leverage the infrastructure and ID proofing, and give citizens one ID to use. It would be even better to have a federal government e-ID so citizens could have one ID to use for all levels of government, but getting the feds and all the provinces to agree on a standard may be too difficult to achieve.
Pingback: How to Engage with Social Media: An Example | eaves.ca
I like this comment and it’s definitely still relevant. Seems like there is some movement in the government to adopt OpenID that I’ve posted here – http://openconcept.ca/blog/mgifford/when_will_we_see_openid.gc.ca