Comments on Identity Verification Service
I just heard today that the Department of Internal Affairs is consulting on an opt-in single sign-on identity verification service (IVS) that may be used by government agencies to identify us online when interacting with said agencies.
I have included my submission below for reference.
We would like to know whether you are likely to use the Internet to verify your identity with a government agency.
Yes – but it must work on any operating system and web browser. I use a variety of operating systems and web browsers including:
- Operating Systems – Apple OS X, Fedora Core Linux, and Microsoft Windows
- Browsers – Firefox and Safari
I will not be able to use the service if it is tied to Microsoft Internet Explorer/Windows platform. I expect that all the good work that the State Services Commission has been doing on standards and interoperability will be applied to IVS as well.
We would like to hear from you regarding the type of services you might want to access that require you to verify your identity.
- Inland Revenue for management of personal/business taxes, KiwiSaver?
- Government Electronic Tender Service (GETS)
- NZ Qualifications Authority for NZQA Learner’s Record
- Local Government
We would like to know what you think of being able to verify your identity with businesses and other organisations.
I would support the service being made available to local government.
I am initially dubious about IVS being made available to businesses until such time as more details are made available. I trust the Government to run their IT systems to a higher level of security than most businesses. I am also concerned that if the IVS was made available to non-governmental users, that uptake may well make the IVS to be more than an opt-in service – businesses may use incentives that Government cannot to strongly promote registration and use of the service.
I would however support a limited number of business sectors to utilise the IVS – in particular those that provide online financial services such as banks, fund managers and sharebrokers. It is preferable to have them using a national framework rather than having a token for each organisation AND government on my keyring. Note that this would present some risks – in particular the risk of a distributed-denial-of-service (DDOS) attack against the IVS infrastructure. If the IVS does grow to become widely used, and includes the financial sector, then a DDOS against poorly planned IVS infrastructure may have significant negative consequences – even if just in perception of the service. Naturally, as IVS grows in usage, it would have the potential to become national critical infrastructure and would need to be managed as such.
We would like to know whether you believe that verifying your identity using the Internet can be sufficiently secure.
I believe it can be sufficiently secured for most purposes, but even the use of tokens does not guarantee that a person won’t be able to verify themselves as someone else. Compare this to someone that obtains both an ATM card (token) and PIN (username/password) from an individual under duress and then uses these to withdraw another individuals money from an ATM. It may be possible to undertake fraud using IVS authentication details obtained from a person under duress – and perhaps log into the Inland Revenue website and direct a tax refund to an alternative account for example (should Inland Revenue opt to provide such a service once IVS is available).
We would like to hear from you about whether you believe the identity verification service will ensure your privacy is protected.
At this stage it sounds as though the privacy would be sufficiently protected.
We would like to hear whether you think the identity verification service will be useful to you.
At this stage the IVS sounds useful, however at this point the main services I use are Inland Revenue’s. If more services are provided online, the value of the IVS will increase.
We would like your thoughts on whether people who don’t have a New Zealand passport or grant of citizenship should be able to register in the initial phase of the service.
Yes – they should be able to register at the initial stage. Consider tourists on a working visa that are likely to at a minimum require relationships with Inland Revenue whilst working and travelling around the country. These people are likely to be able to receive benefits from the system, and their registration could be linked to the visa application process – if they choose to opt-in at the time. They may be able to undertake all their Government communications and interaction online, without having to deal with the hassle of having a postal address.
We are interested to know whether you feel that people should pay to use the service.
No – citizens should not have to pay to register for the service or the initial token. If the initial token is lost, then the user should be charged a reasonable fee for replacement.
The main benefits from the service are to Government agencies in the improved verification of citizen identity. An all-of-government approach to identity services is likely to produce significant savings to Government agencies by creating more efficient registration and identification processes. This will cut down on staff and processing associated with verifying identities. These cost savings should be used to fund the development and ongoing maintenance of the service without instituting user-pays charging.
In addition, user-pays charging is likely to reduce the uptake of the IVS.
Kind regards
Gavin Treadgold