Government On-Line
Download
Report
Transcript Government On-Line
Government of Canada
Gouvernement du Canada
Privacy By Design
April 2005
Brenda Watkins
Director,
Policy & Business Strategies
ITSB, PWGSC
Cathy Ladds
Manager,
Public Opinion Research
CIOB, TBS
Government of Canada
Gouvernement du Canada
The Canadian Landscape:
Recent headlines from Canadian newspapers:
ID Theft Affects one-quarter of Canadians
Stolen laptop exposes data of 100,000
There’s No Safe Place
Hacker alert: Report finds surge in on-line attacks
2
Government of Canada
Gouvernement du Canada
Quotes from Concerned Canadians:
“I don’t think anything electronic is protected or secure, always
hackers somewhere.”
“It’s just like the movies. If someone wants to get your
information it’s not that difficult.”
“The Government has access to more of my private information
than anyone in the private sector – even banks.”
“If NASA can be hacked so can anybody. How can I be totally
sure about the safety of my personal information.”
“As I do not trust government, I would doubt that they are
secure at all. Government is too cheap.”
3
Government of Canada
Gouvernement du Canada
Our Research Approach:
Over the past 4 years, Government of Canada initiated
both qualitative & quantitative studies related to privacy,
security and authentication issues.
Senior management recognizes that public attitudes and
awareness needs to be consistently monitored so that
trends are identified and analysed – especially important
is how these attitudes drive behaviours
Many federal departments have collaborated on national
research studies to support the development of the
Government of Canada’s Secure Channel/On-Line
Authentication Service
4
Government of Canada
Gouvernement du Canada
Privacy, Security and Authentication Research:
When it comes to these issues, Canadians are strongly
influenced by the media, friends and family.
Canadians are worried about the safety of the data they
may send over the Internet – in focus groups, we
regularly hear about:
Identity theft
Hacking
Viruses
Government computers being lost/misplaced
Private sector accessing public sector data
Use of biometrics to improve security – 66% of Canadians
agree with the use of fingerprint scan by government if it
means better service and lower risk of identity theft
5
Government of Canada
Gouvernement du Canada
Privacy, Security and Authentication Research (2):
Ipsos Reid’s Government Services Study found that
maintaining security, confidentiality of personal
information is the most important aspect of Government
of Canada service delivery – 72% considered it to be
very important
48% of Canadians think it is somewhat to extremely
likely that they will experience a serious invasion of
personal privacy in the next two years
48% of Canadians think the federal government has one
large database for all personal information
6
Government of Canada
Gouvernement du Canada
Privacy, Security and Authentication Research (3):
56% of Canadians want to have more than one
electronic passport/password for their dealings with
different federal departments as they do not want any of
their personal information shared between departments
However, 70% of Canadians indicated they would prefer
to have only one government identity card that
contains their personal information that they could
use in all their transactions with the federal
government
Impact of privacy policy – 33% of Canadians would be
much more likely to use on-line government services if
there was an easy to understand privacy policy that
clearly spells out how their personal information is
used and what rights they have
7
Government of Canada
Gouvernement du Canada
Citizens’ Expectations for an On-Line
Authentication Service:
Convenience and speed
Simplicity and ease of use – language levels, no jargon, KISS
A system that has world-class security and uses world-class
technology
Protection of personal information
Authorized consent before any data sharing takes place
In most instances – one password/log in for all government
transactions
Choice – option of being able to work through other channels
Education and information – to increase awareness of secure service
offerings and to help people use the system
Access to humans – for help, support, questions, etc.
8
Government of Canada
Gouvernement du Canada
Key Messages From the Research:
Governments must consider privacy
and security as part of its electronic
service delivery initiatives
Electronically delivered programs and
services must be well-designed and
easy to use
9
Government of Canada
Gouvernement du Canada
Responding to the Research
How the federal government
developed and implemented a
single, privacy-friendly
authentication service for secure
access to Government On-Line
Services
10
Government of Canada
Gouvernement du Canada
Canadians’ Concerns and Expectations
The research revealed:
Canadians’ privacy and security concerns
about government electronic service delivery
Canadians hold government to a higher
standard when it comes to protecting their
information
The Solution:
An authentication service that provides privacy
and security for GOL transactions
11
Government of Canada
Gouvernement du Canada
Government On-Line Authentication Service
Ensures that on-line participants are who they claim
to be
Maintains data integrity and confidentiality of
personal information
Provides evidence for non-repudiation
Permits differing levels of authentication for different
service offerings
Provides secure electronic signatures
12
Government of Canada
Gouvernement du Canada
GOL Authentication Service Strategy
To implement a common authentication service
that:
Is user-friendly and manageable
Respects privacy principles
Supports a range of functional and security
needs
Is extensible, scalable and interoperable
Offers simple, efficient registration process
Is economic and strategic
13
Government of Canada
Gouvernement du Canada
GOL Authentication Service Strategy (2)
Prerequisites:
On-line credentials must be secure and
“portable”
Browser is the client’s preferred on-line tool
Privacy principles must be rigorously observed
Phased roll-out
14
Government of Canada
Gouvernement du Canada
Authentication Service – Privacy By Design
GOL Authentication Service was a PIA Pathfinder
project – privacy was built in from the outset
Underwent four iterative PIAs:
Conceptual PIA of vision
Requirements PIA of proposed architecture
design
Dataflow – including screen flows and
implementation
Final PIA on production system
Demonstrated that Privacy Impact Assessments
are an essential architectural tool
15
Government of Canada
Gouvernement du Canada
Use of Public Key Infrastructure (PKI)
PKI provides a secure inter-operable infrastructure
but the technologies and processes raise some
specific privacy concerns:
Bind identity to a digital certificate (distinguished
names)
Have the potential to reveal information about
user from use of certificate (inference)
Raise the question of collection and sharing of
information between government services
registration, directory
The challenge was to develop an enterprise-wide
PKI-based solution that respects privacy principles
16
Government of Canada
Gouvernement du Canada
epass – A Revolutionary Solution
Access to GOL services is via “epass” – a secure
electronic credential
Differs from traditional PKI implementations:
epass certificate is anonymous – it is not
bound to the identity of an individual or entity
the only identifying data in an epass is a
randomly generated, unique number (MBUN –
Meaningless But Unique Number)
Impossible to deduce anything about the
epass holder
Developed in strict adherence with privacy laws
and policies
17
Government of Canada
Gouvernement du Canada
How epass Enhances Privacy
Registration process:
User creates unique user ID and password
Encryption and signing keys are generated
and stored in double-encrypted profile
accessible only to the user
The user identifies recovery questions and
answers during registration process
epass is issued and downloaded to the user’s
browser
NO identifying information is contained in the
epass – only the MBUN
18
Government of Canada
Gouvernement du Canada
How epass Enhances Privacy (2)
The program is responsible for authenticating the
epass holder’s identity
The authentication process is as rigorous as
nature of the transaction dictates
Once the program is satisfied as to the identity of
the epass holder, the epass MBUN is mapped to
the program information
Mapping information is kept by each department
or program in a separate secure database
19
Government of Canada
Gouvernement du Canada
epass-enabled GOL Services
CRA Address Change On-line and My Tax Account
HRSD/SDC Record of Employment
Veterans Affairs Pension Submissions Service
CRTC filings (applications)
Atlantic Canada Opportunities Agency grants and
contributions filing service
Passport Online
Telefilm Canada – final submissions application
Health Canada’s electronic regulatory system for
pesticide applications
Over 573,000 epasses issued!
20
Government of Canada
Gouvernement du Canada
Recognition
For the fifth time, Accenture rates Canada #1 in
e-government maturity – specifically mentioning
epass as a contributing factor
Four GTEC gold medals since 1999
Federal Privacy Commissioner
acknowledgement: “…the creative approach they
have taken in addressing many of the privacy
risks associated with more conventional on-line
client authentication models.”
21
Government of Canada
Gouvernement du Canada
GOL – Enhancing Democracy
By implementing responsive, privacy-friendly and
secure electronic access to a growing number of
federal programs and services, GOL strengthens
Canadian democracy by bringing government
closer to citizens
22
Government of Canada
Gouvernement du Canada
For More Information
Cathy Ladds (613) 946-3048
[email protected]
Brenda Watkins (613) 781-7695
[email protected]
23