Peter Watkins
Government of British Columbia
Identity Information Management
SCENARIOS FOR THE FUTURE OF THE CANADIAN PAYMENTS SYSTEM
NOVEMBER 3, 2010
2
Dilemma For Online
Opportunity For Fraud / Abuse
First Name
Last Name
Address
CreditCard#
$12.00 Book
?
4
Dilemma For Online
First Name
Last Name
Address
CreditCard#
$12.00 Book
?
• Financial sector has been trail blazer for government in relation to online services.
• The pain vs. gain equation.
• Threat model is an industry unto itself.
$7000.00 credit limit
$5000.00 account balance
5
Government Cards at Counters
• Why do most really important government services need to happen in-person?
  – Because the FIRST thing that happens is we ask you for your ID. We need to know who you are.
  – Citizens prove their ID with cards that we (Government) issue to them.
  – Government documents do not work online
  – Paper processes only
  – Downloading a PDF form to fill out does not count as “online”
• Despite this it is Government that runs some of the best ID verification and registration processes (birth, death, driving)
6
Banks Know About Government And Identity Information
….
Source: Access to Basic Banking Services Regulations (SOR/2003-184)
7
Government Analogues for Online Banking and Commerce
Blood test in morning, view results in evening
Change your kids' school and courses online
Renew your autoplan online and confirm no outstanding fines or fees are due
Schedule doctor visit online without phone call or email
View your kids' report card online
Online income assistance, injured worker, courts filing...
How can Government make the move to online when identity information is land-locked by paper documents?
8
Dilemma For Online Government
Not Appropriate
First Name
Last Name
Address
Personal Health #
Lab Results
Prescription History
?
No way for service provider to be confident about who is at the keyboard.
Unable to put valuable information and services online.
9
Dilemma For Online Government
What’s the consequence of misuse of Health Care Number?
• Government has no means of “absorbing” the risk
First Name
Last Name
Address
Pers. Health#
Lab Results
Prescriptions
?
$ Health limit?
Receive wrong meds?
Privacy violated?
10
Learning from Financial Sector
• Shared “secrets”
  – Credit Card number, name, address, “CCV” number
• Passwords
  – Account numbers
  – Email address
• One-time password token / fob
• Etc.
None of these are adequate to the task.
11
The On-Line World
• Governments are in the business of identity services.
  – Can no longer run and hide from this duty just because the internet has happened.
  – Governments need to issue “digital” credentials just like we issue paper/plastic ones.
• Credentials need to be:
  – Issued from a high quality verification and registration process
  – Protected against forgery, fraud and abuse
  – Convenient and easy to use
  – Respectful of, and enhance, privacy protections
  – Reusable across all types of government services and jurisdictions
  – Reusable to convey trusted identity information to third parties over the internet when desired
12
Identity Information Management
First Name: David
Last Name: Watkins
Address: 1st Ave
Personal Health#: 1234 567 890
Lab Results
Prescription History
+ PassCode
Identity information NOT stored in chip in card.
13
Identity Information Management
First Name: David
Last Name: Watkins
Address: 1st Ave
Personal Health#: 1234 567 890
Lab Results
Prescription History
+ PassCode
• Service provider asks client for trusted identity information and receives it from the client along with proof of who is backing it.
• Card used as authentication credential for obtaining identity information.
• Result is assurance of who is at the keyboard.
• Medical services plan client
• Name
• Date of birth / age
• Current address
14
Improved: Minimized Information Requests
Age: Over 19 = Yes
Enhances Privacy
Enhances In-Person Services
• Name
• Date of birth / age
• Current address
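A sketch of the minimized request on this slide, added here as an illustration and not taken from the presentation: the identity information service answers "Over 19?" with a signed yes/no for one service provider instead of releasing the date of birth. The Ed25519 signature, the claim name `age_over_19`, the registry record, the birth date and `retailer.example` are assumptions, and the card + PassCode authentication of the client is assumed to have already succeeded.

```javascript
const crypto = require('node:crypto');

// Constructed registry record held by the identity information service.
// Nothing here is stored on the card; the card only authenticates the client.
const REGISTRY = {
  'card-001': { name: 'David Watkins', birthDate: '1985-06-15', address: '1st Ave' },
};
const issuerKeys = crypto.generateKeyPairSync('ed25519'); // hypothetical issuer key

// Whole years between two ISO dates (YYYY-MM-DD).
function ageOn(birthDate, today) {
  const years = Number(today.slice(0, 4)) - Number(birthDate.slice(0, 4));
  return today.slice(5) < birthDate.slice(5) ? years - 1 : years;
}

// Identity service: release only the requested claims, derived where possible,
// bound to one service provider and signed by the issuer.
function issueClaims(cardId, requested, audience, today) {
  const rec = REGISTRY[cardId];
  if (!rec) throw new Error('unknown card');
  const claims = {};
  for (const name of requested) {
    if (name === 'age_over_19') claims[name] = ageOn(rec.birthDate, today) >= 19;
    else if (Object.prototype.hasOwnProperty.call(rec, name)) claims[name] = rec[name];
    else throw new Error(`unsupported claim: ${name}`);
  }
  const payload = JSON.stringify({ aud: audience, iat: today, claims });
  const sig = crypto.sign(null, Buffer.from(payload), issuerKeys.privateKey);
  return { payload, sig: sig.toString('base64') };
}

// Service provider: accept claims only if the issuer signed them for this provider.
function verifyClaims(token, issuerPublicKey, expectedAudience) {
  const valid = crypto.verify(null, Buffer.from(token.payload), issuerPublicKey,
    Buffer.from(token.sig, 'base64'));
  if (!valid) return null; // altered payload or wrong issuer
  const body = JSON.parse(token.payload);
  return body.aud === expectedAudience ? body.claims : null; // reject replay elsewhere
}

const token = issueClaims('card-001', ['age_over_19'], 'retailer.example', '2010-11-03');
console.log(verifyClaims(token, issuerKeys.publicKey, 'retailer.example'));
```

The service provider learns only the yes/no answer and who is backing it; name, address and date of birth never leave the registry for this request.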
15
Improved: Verified Access to Services
Personal Health #: 1234 567 890
• Assurance that client is eligible.
• Assurance needle is going into correct person’s arm.
• Assurance that records looked up and generated are for correct client.
• Medical services plan client
16
Online Self-Service Becomes Feasible
Requested Identity Information
Online Self-Services
+ PassCode
Blood test in morning, view results in evening
Change your kids' school and courses online
Renew your autoplan online
Schedule doctor visit online without phone call or email
Change your address online with government & utilities
Online income assistance, injured worker, courts...
17
Financial Sector To Do’s
• Update online banking and commerce
  – Infrastructure for contactless chip and pin
    • Contactless readers and associated systems: home use, as well as at retail / merchant
  – Train the public through their experience with bank and credit cards
  – Get us out of Payment Card Industry Compliance problem $$$$
• Change the bank card / credit card transaction flow to eliminate disclosure of identifiers to merchants
• Ensure new infrastructure is open for leverage by government issued contactless chips
  – Through government membership in a trust-framework that establishes rules and standards
• Advocate for government to ensure identity information management works trans-nationally to avoid trade barrier
• New forms of banking transactions that make appropriate use of government backed identity information
  – New accounts for individuals and/or businesses
  – Mortgages, auto loans, insurance
  – ...
18
Government To Do’s
• Modify existing identity verification and registration procedures to issue trusted credentials for online
  – In the Canadian federation this falls mostly to provinces
• Provide policy based trust-frameworks establishing rules and good conduct
  – Identity information related “Trustmark(s)” certifiably used by government and private business
  – Ensure these work on trans-national basis to avoid creation of new form of trade barrier
• Provide online services and infrastructure for government backed identity information in a “citizen” centric way
  – In the Canadian federation this falls mostly to provinces
  – Open to private sector through membership in a trust-framework that establishes rules and standards and through the protocol of asking the client to provide information
• Enable improved privacy practices
  – Minimize information requests in first place
  – Proper use of any information as provided
• Initiate a move to online self-service
  – Make use of government backed identity information
  – Often need to make use of payment cards as well
  – Ex: Compensation for health care providers working with injured workers, auto accidents
  – Ex: Student loans
  – Ex: Income assistance
  – ...
19
Possibilities
Requested Identity Information
+ PassCode
21
Possibilities
Requested Identity Information
+ PassCode
“Trusted” Authentication
Credentials
Identity Information Services
Online Services
22
Conclusion
• Financial sector and Government sector operate as foundational components of Canada
• Mutual need for improved methods for identity information management services, credentials, cards, authentication
• Need to work together to enable a next-generation of online services
• Public and private