The march towards “single sign-on” authentication for communication between citizens and their governments may have just become a little longer. On May 15, the Gartner consulting group blasted Microsoft Passport after a researcher in Pakistan unearthed a major security flaw in the online authentication system, a flaw that could have made personal and financial user account information available to hackers. Microsoft had acknowledged the problem a week earlier, and said it had plastered it over, but Gartner nevertheless advised companies that have signed on with the system to suspend or radically modify the service until at least November 2003.
As many as 200 million users around the world use Passport, whether they know it or not. If they have signed on with Microsoft’s Hotmail or Messenger Instant Messaging service, for example, they are automatically Passport users.
Gartner says the problem raises doubts about every Passport “identity” ever issued, whether the flaw was exploited by hackers or not. First introduced in 1999, the Passport service has endured a series of setbacks that might have deterred a company with shallower pockets or less determination. Separate investigations by the European Community and the Federal Trade Commission in the United States brought specific instructions to Microsoft for privacy and security improvements.
Not content with that rebuke, Gartner seems confident that worse is on the way. “As with any piece of software with serious security flaws,” it warned, “more vulnerabilities will likely surface in Passport.”
In the meantime, besides breaking their connections with Passport, Gartner advises “financial institutions, credit card issuers, retailers and other enterprises that use Passport for any meaningful business purpose” to contact customers who use Passport and let them know that Microsoft has issued a security advisory.
And what has all this to do with the public sector? The fact is that the Gartner warning has serious implications for e-government. Citizens may not do many transactions with government, but they want those dealings to be private and secure, as well as easy and convenient.
Since September 2002, federal managers have been taking lessons from ePass Canada, an identity confirmation system for sending personal information to the government. Quietly introduced for one application, the Canada Customs and Revenue Agency’s Address Changes Online service, it became available to other departments and agencies in March 2003.
As designed, a single ePass will allow citizens to use different online services as they become available, in confidence that the transactions are secure and their information remains confidential. Canadians with a slight mistrust of their government will have the choice of using separate ePasses for every transaction.
As most government managers know, there is an elaborate set of rules and regulations about how citizens’ private information can be sliced, diced and shared in the bureaucratic back office. At the federal level at least, the Secure Channel has been designed to withstand the most rigorous scrutiny.
But public confidence is fragile. When it comes to technology, people are unpredictable, to say the least. We know that the same person who wouldn’t consider sending credit card information across the Internet will cheerfully let an unknown server in a restaurant keep it for 20 minutes.
At first glance, it may seem pointless to worry about citizen trust in e-government. After all, most of us only have one transaction with the federal government every year, when we pay taxes (albeit several with the province and perhaps several dozen with municipal agencies).
But there are several good reasons to be concerned. E-government will be asked to carry an increasingly heavy load as Canadians age and place heavier demands on an overloaded health care system. Many public servants will retire and never be replaced by human beings. E-learning will need secure, interactive areas.
As governments develop “business lines” and build “business cases” for putting services online, the setback to Microsoft’s business may have a powerful impact on how Canadians deal with e-government.
Richard Bray is an Ottawa journalist who specializes in high technology. A former reporter and producer with the CBC, he is also a former editor of Ottawa Computes. He may be reached at email@example.com.