Wednesday, January 31, 2007

Identity Puzzles

Someone sent me a link to a new (to me at least) identity-related website. It's called "about me now" and is a .org site. https://www.aboutmenow.org/AboutMe/AboutMeHome.do When I first visited the site, admittedly with IE7, I was confronted with this message "There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. " Naturally, IE recommended that I close the page and not continue to the site. Ignoring IE's recommendation, I carried on. In the FAQ section, I found this "All details provided by you are kept on a secure VeriSign certificated server. The server is placed behind a dedicated firewall and is only accessible under specified circumstances. For reasons of security we will not give any further details." ummm. The site's goals are all about (and these are quotes): -Enabling people to look after personal information online -Improving the accuracy of information held about citizens -Giving people greater control over who sees personal data held electronically -Limiting private sector access to citizen details -Building a website to hold citizen consents and those, it says, will give obvious benefits to us as citizens, thus: - YOU control YOUR data so it’s more accurate, - As council partners will share your information, you will need to notify changes of details only once, - YOU will say which private sector subscribers see your personal details, - And they will only see what you want them to see, - You can withdraw or alter your private sector permissions at any time. Apprently it's run by 4 councils who have "won" £685,000 from a government fund on innovation. The councils have added £240,000 of their own money to help make it work The registration button takes me to a page that allows me to pick a - you guessed it - userid and password and a magic question that (better than usual) isn't fixed to the usual name your dog/your cat/your mother's maiden name. I'm still nervous based on the elemetary security error that the home page presented. But I'm bearing with it. Sadly I missed the prize draw stage. 4 lucky people won ipod nano gadgets. 10 others won free passes for 1 month to a local leisure centre (everyone else who entered won 2 months free use of the leisure centre). Next up, I'm asked to enter: Name/Address Date/Place of Birth Mobile/Home Phone/Email Marital Status/Dependents/Employment Status Contact Method/Preferred Payment Method Council Tax Number And, of course, my Boots Advantage Card number. I'm stunned. Boots aren't even listed as a partner. I'm excluding from moving any further, not perhaps because I don't have a Boots card , but because (I think - it doesn't actually tell me this) that I don't live in the domain of the 4 sponsoring councils. Can't think of a better way of spending nearly a million quid. Well, actually, here's a go at it: I'd start with this aim from the FAQs "To provide citizens with the ability to self-administer the sharing of their personal information between participating organisations according to a secure repository of consents (permissions). To enable the citizen to control who can do what, provide a record of current consents and a full audit trail of access requests. The project has established a 'Proof of Concept' pilot operation to: a) prove the various technical components developed to provide management of consent b) learn lessons for the future with regard to citizen engagement, participating organization business engagement, technical engagement, commercial model development and operational organisation. The pilot is based around the process of notification of Change of Address" And I'd rephrase it about the problem that they want to solve. As it reads they're trying to solve a problem I'm not sure that I have which is who can access what data about me and then, when they do, tell me who looked at it. Then it moves quickly to a technology proof of concept before leaping to lessons about engagement and commercial models. Is that really the problem? At the moment, dealing with government is entirely non-transparent. I have no idea what data any given government entity holds about me, even less idea about what they do with it and, so far, I'm not wondering much. The reason I'm not wondering much is that I know that government is inefficient about knowing much about me. They write to me about the same thing several times, they lose my NHS patient records (more than once), they collect tax from me based on declarations that I make and compare in the background to declarations from my bank/stockbroker/accountant/employer. So perhaps the questions to test are: 1) What data does government say it needs from me to make its job easier (does it really want my boots card number, even if I had one) 2) If they had certain bits of data, what would they do with it? If there was a single place where my date of birth was available, what would that save? Would it reduce the costs of government operations, or reduce the time I spend doing certain things? Would paper forms arrive pre-filled? Tell me the business case that we're trying to prove. 3) What risks am I facing? If government sent me pre-filled in forms and they were intercepted, would that make me more or less susceptible to identity theft? If the data were shared with certain partners (Boots?) what would additional risks would I be exposed to? 4) If the proposed list of data were secured behind the firewall and a valid certificate (whatever that means to the average person), what would I need to access it and what risks would I run with each method? Userid/password versus token versus digital certificate versus through-routing from my bank 5) What would happen if, having set all this data up, I didn't update it at some point in the future? What decisions would be taken incorrectly? What would happen then? I think the balance of questions is not about technology or engagement, it's about what the case is for doing something different from the way it's done now, without reverting to the standard "it will be more efficient" - well, tell me how, tell me what will change. If I switched and everyone I know switched to this new method, would my council tax go down? Would the street lights be on more? Would there be less dog crap on the streets? If you want to solve the engagement problem, now that we're beyond the early adopters, you're going to need to do more to tell me what the plan is. And I'd rather you didn't start with the technology - I'm pretty sure that there is more than enough out there to do whatever is needed; what isn't out there is what you want to do, how you want to do it and what risks will be run (for me and you). Convince me you've solved these issues.

1 comment:

  1. Anonymous1:22 pm

    I think there's two questions here...

    1) is the site real? Or is it some form of data gathering scam. That is, not run by the Government.

    I hope it is run by Government, otherwise it should certainly have been pulled down by now.

    Assuming it is,

    2) Why does it not use the secure 'Government Gateway' technology, instead to reinventing an unbelievable wheel?

    ReplyDelete