Peter Watkins

Government of British Columbia Identity Information Management SCENARIOS FOR THE FUTURE OF THE CANADIAN PAYMENTS SYSTEM NOVEMBER 3, 2010

Transcript of Peter Watkins

Page 1: Peter Watkins

Government of British Columbia

Identity Information Management

SCENARIOS FOR THE FUTURE OF THE CANADIAN PAYMENTS SYSTEM

NOVEMBER 3, 2010

Page 2: Peter Watkins

Dilemma For Online

Opportunity For Fraud / Abuse

First Name

Last Name

Address

CreditCard#

$12.00 Book

?

Page 3: Peter Watkins

Dilemma For Online

First Name

Last Name

Address

CreditCard#

$12.00 Book

?

Page 4: Peter Watkins

Dilemma For Online

First Name

Last Name

Address

CreditCard#

$12.00 Book

?

• Financial sector has been trail blazer for government in relation to online services.

• The pain vs. gain equation.

• Threat model is an industry unto itself.

$7000.00 credit limit

$5000.00 account balance

Page 5: Peter Watkins

Government Cards at Counters

• Why do most really important government services need to happen in-person?
  – Because the FIRST thing that happens is we ask you for your ID. We need to know who you are.
  – Citizens prove their ID with cards that we (Government) issue to them.
  – Government documents do not work online
  – Paper processes only
  – Downloading a PDF form to fill out does not count as “online”

• Despite this it is Government that runs some of the best ID verification and registration processes (birth, death, driving)

Page 6: Peter Watkins

Banks Know About Government And Identity Information

….

Source: Access to Basic Banking Services Regulations (SOR/2003-184)

Page 7: Peter Watkins

Government Analogues for Online Banking and Commerce

Blood test in morning, view results in evening

Change your kids' school and courses online

Renew your autoplan online and confirm no outstanding fines or fees are due

Schedule doctor visit online without phone call or email

View your kids' report card online

Online income assistance, injured worker, courts filing...

How can Government make the move to online when identity information is land-locked by paper documents?

Page 8: Peter Watkins

Dilemma For Online Government

Not Appropriate

First Name

Last Name

Address

Personal Health #

Lab Results

Prescription History

?

No way for service provider to be confident about who is at the keyboard.

Unable to put valuable information and services online.

Page 9: Peter Watkins

Dilemma For Online Government

What’s the consequence of misuse of Health Care Number?

• Government has no means of “absorbing” the risk

First Name

Last Name

Address

Pers. Health#

Lab Results

Prescriptions

?

$ Health limit?

Receive wrong meds?

Privacy violated?

Page 10: Peter Watkins

Learning from Financial Sector

• Shared “secrets”
  – Credit Card number, name, address, “CCV” number
• Passwords
  – Account numbers
  – Email address
• One-time password token / fob
• Etc.

None of these are adequate to the task.

Page 11: Peter Watkins

The On-Line World

• Governments are in the business of identity services.
  – Can no longer run and hide from this duty just because the internet has happened.
  – Governments need to issue “digital” credentials just like we issue paper/plastic ones.

• Credentials need to be:
  – Issued from a high quality verification and registration process
  – Protected against forgery, fraud and abuse
  – Convenient and easy to use
  – Respectful of, and enhance, privacy protections
  – Reusable across all types of government services and jurisdictions
  – Reusable to convey trusted identity information to third parties over the internet when desired

Page 12: Peter Watkins

Identity Information Management

First Name: David

Last Name: Watkins

Address: 1st Ave

Personal Health#: 1234 567 890

Lab Results

Prescription History

+ PassCode

Identity information NOT stored in chip in card.

Page 13: Peter Watkins

Identity Information Management

First Name: David

Last Name: Watkins

Address: 1st Ave

Personal Health#: 1234 567 890

Lab Results

Prescription History

+ PassCode

• Service provider asks client for trusted identity information and receives it from the client along with proof of who is backing it.

• Card used as authentication credential for obtaining identity information.

• Result is assurance of who is at the keyboard.

• Medical services plan client

• Name
• Date of birth / age
• Current address

Page 14: Peter Watkins

Improved: Minimized Information Requests

Age: Over 19 = Yes

Enhances Privacy

Enhances In-Person Services

• Name
• Date of birth / age
• Current address

Page 15: Peter Watkins

Improved: Verified Access to Services

Personal Health #: 1234 567 890

• Assurance that client is eligible.
• Assurance needle is going into correct person’s arm.
• Assurance that records looked up and generated are for correct client.

• Medical services plan client

Page 16: Peter Watkins

Online Self-Service Becomes Feasible

Requested Identity Information

Online Self-Services

+ PassCode

Blood test in morning, view results in evening

Change your kids' school and courses online

Renew your autoplan online

Schedule doctor visit online without phone call or email

Change your address online with government & utilities

Online income assistance, injured worker, courts...

Page 17: Peter Watkins

Financial Sector To Do’s

• Update online banking and commerce
  – Infrastructure for contactless chip and pin
    • Contactless readers and associated systems: home use, as well as at retail / merchant
  – Train the public through their experience with bank and credit cards
  – Get us out of Payment Card Industry Compliance problem $$$$

• Change the bank card / credit card transaction flow to eliminate disclosure of identifiers to merchants

• Ensure new infrastructure is open for leverage by government issued contactless chips
  – Through government membership in a trust-framework that establishes rules and standards

• Advocate for government to ensure identity information management works trans-nationally to avoid trade barrier

• New forms of banking transactions that make appropriate use of government backed identity information
  – New accounts for individuals and/or businesses
  – Mortgages, auto loans, insurance
  – ...

Page 18: Peter Watkins

Government To Do’s

• Modify existing identity verification and registration procedures to issue trusted credentials for online
  – In the Canadian federation this falls mostly to provinces

• Provide policy based trust-frameworks establishing rules and good conduct
  – Identity information related “Trustmark(s)” certifiably used by government and private business
  – Ensure these work on trans-national basis to avoid creation of new form of trade barrier

• Provide online services and infrastructure for government backed identity information in a “citizen” centric way
  – In the Canadian federation this falls mostly to provinces
  – Open to private sector through membership in a trust-framework that establishes rules and standards and through the protocol of asking the client to provide information

• Enable improved privacy practices
  – Minimize information requests in first place
  – Proper use of any information as provided

• Initiate a move to online self-service
  – Make use of government backed identity information
  – Often need to make use of payment cards as well
  – Ex: Compensation for health care providers working with injured workers, auto accidents
  – Ex: Student loans
  – Ex: Income assistance
  – ...

Page 19: Peter Watkins

Possibilities

Requested Identity Information

+ PassCode

Page 20: Peter Watkins

Possibilities

Requested Identity Information

+ PassCode

Page 21: Peter Watkins

Possibilities

Requested Identity Information

+ PassCode

“Trusted” Authentication

Credentials

Identity Information Services

Online Services

Page 22: Peter Watkins

Conclusion

• Financial sector and Government sector operate as foundational components of Canada

• Mutual need for improved methods for identity information management services, credentials, cards, authentication

• Need to work together to enable a next generation of online services

• Public and private
