Privacy and open government: conversations with EPIC and others about OpenID

A few days ago I proposed a way to offer more privacy to people visiting government web sites. This blog builds on that proposal, which was largely technical, by examining the policy and organizational issues that swirl around it.

My ideas are informed by a discussion I had with Lillie Coney, Associate Director of the Electronic Privacy Information Center. The blog is also inspired by two comments on the earlier blog and brief email I exchanged with one commenter, which intertwine with Coney's in intriguing ways.

As I said in the first blog, my proposal focused on a very narrow question driven by the Obama Administration's interest in revising a memorandum from 2000 concerning the use of cookies in web browsers. The proposal suggested a way to better approach anonymity, but didn't look at the related social and political issues:

• The kinds of privacy and the degree of privacy people want
• When it's appropriate to make visitors identify themselves, or at least to provide some persistent identity
• Whom people trust to maintain identity information

This blog offers a number of points about those issues. The sections are:

• Can the government be your friend?
• Anonymity, pseudonymity, and participation
• Who should run an OpenID server?
• Thought experiment: could federal agencies offer anonymous authentication for whistle-blowers?

Can the government be your friend?

The kinds of government/public collaboration pursued by CIO Vivek Kundra and others in the Obama administration sees people doing much more than submitting ideas. The administration wants information sharing and an exchange of ideas that allow both sides to reveal vulnerabilities.

But as one commenter pointed out on my previous blog, the government has a lot of power that should make us hesitate before sharing too much. Coney, whose work at EPIC includes a focus on domestic surveillance, pointed to an incident where the Las Vegas Review-Journal was served a subpoena requiring it identify readers who had posted online comments about an article involving a case with the Internal Revenue Service. (The newspaper is fighting the subpoena.) Some agencies have enough power to be scary. And some agency heads may take heavy-handed measures without even being malicious or vindictive--just out of a concern for security.

So you may be living it up like Obama, Gates, and Crowley on one agency's web site, forming great relationships and having an extremely productive discussion, only to discover that your comments come back to bite you when you tussle with an entirely different agency. And of course, the data you give these sites lasts forever.

Such promiscuous information sharing is supposedly outlawed by the 1974 Federal Privacy Act. This oft-cited law, along with the 1966 Freedom of Information Act, remain centerpieces in the armory of those protecting personal privacy in the U.S. However, the Federal Privacy Act creates many exceptions for agencies that want to opt out from its rules, and fails to cover private contractors. Coney says, "EPIC's goal is to develop fair information practices that are enforceable and transparent to protect users of government information."

Having studied the privacy policies requested by different agencies, Coney finds them in two camps. Agencies whose mission is to reach and out and help people, such as the Department of Health and Human Services, favored as much privacy as possible--the same goal Kundra has expressed many times. On the other hand, law enforcement and other agencies concerned with protecting the public would like to log all accesses and try to attach personal information to all visits--even access to public information.

That last policy puzzles me. If the government offers information freely, Carl Malamud or I or anybody can grab it and put it on another web site. There is no way to track who accesses free and open information. Tracking access in the hope of preventing criminal use is not only obnoxious but futile.

In short, forming a partnership with government takes a bit more consideration than friending someone on Facebook. The new age of government participation we're hearing about, then, rests on some assurances to the public. Personal information should not be collected unless absolutely necessary, and should not be used for purposes unrelated to the reason for capturing it, especially by other government entities.

We're all excited about the expanding collaboration between government and citizens, but the historic change intensifies the need to take a fresh look at laws and policies on a regular basis, just as the OMB has done in requesting comments on their cookie policy.

Anonymity, pseudonymity, and participation

People phone anonymous tips in to the police all the time. To allow the same kind of anonymity online would be just an invitation to spam. In fact, anyone with something to hide would make sure to flood the system with irresponsible accusations just to drown out the people who have legitimate crimes to report. (The FBI tip site asks you to identify yourself.)

The proposal in my previous blog delivers pretty good pseudonymity, allowing someone to submit repeated comments with the assurance that they all come from the same person, but without surrendering personal information.

One commenter on my blog asked whether we can really trust the government to protect pseudonymity. Well, of course they can always trace you if they want to. Even non-government actors can do that, as we've just seen from the recording industry's testimony at Joel Tenenbaum's trial. Privacy is a cat-and-mouse game in which both sides have escalating levels of attacks and parries.

Tracking you through contact information

Attack: My proposal let people leave a contact, such as an email address or Twitter account, where the government could report information about their account. Although the government should promise not to misuse the contact, it could be used to identify a visitor.

Parry: Leaving a contact is optional, and you can manage your account without leaving one. You can also use a free email address from popular providers.

Tracking by IP address and time

Attack: The government can require your ISP to provide your identity based on the time you were logged in and the dynamic IP address they assigned you.

Parry: Find an open wireless access point or use an onion routing network.

Who should run an OpenID server?

From this point on, I'll assume that OpenID will be used by federal agencies in some configuration, because that's the only technology with a widespread implementation that can provide the protections discussed in this blog.

One of the central policy questions we have to deal with, then, is whom we should trust with our OpenID account. My proposal called on the federal government to run an OpenID server for all its agencies, mostly because I want the government to kick the habit of using commercial services for such essential information-age functions. (See my earlier blogs, Five projects for Open Source for America and themes from the Personal Democracy Forum conference.)

Coney and I discussed several options for ensuring reliable servers. There's no reason not to allow multiple options. Running an OpenID server is pretty easy. If EPIC had a hankering to serve up privacy directly, this is its chance. The problem is whether visitors can trust any particular server 1) to stay up, 2) not to go out of business, 3) not to leak information, 4) not to abuse the information for private gain, and 5) not to cave in to government pressure and release information outside of the scope of the law.

Here are a few options.

The federal government runs its own dedicated server

Pros: The government can probably do the best job of guaranteeing that the server stays up and is not broken into. The government is not depending on outside entities for this essential function.

Cons: A central OpenID server offers a compelling target, and a stream of recent news reports shows that government agencies suffer from the same security lapses as private companies. Furthermore, many people don't trust the government to protect their privacy and feel more secure with a private server.

The federal government regulates the organizations that provide servers

Pros: Personal data is stored in a variety of private servers, complicating attacks, while the government ensures they are run professionally.

Cons: Defining service-level agreements and quality control is difficult, and legislating or regulating it is even more difficult.

The organizations that provide servers define a code of conduct and monitor compliance

Pros: Self-regulation is much lighter-weight than laws and regulations, and the experts who know the technical and business issues the best will be in charge of ensuring quality.

Cons: Self-regulating privacy agreements--we've seen that before! The failures of TRUSTe and P3P leave us twice-scarred and reluctant to try again. (See my article Promises, Promises, Promises.) Still, TRUSTe and P3P provided no protection because the organizations creating privacy policies were disingenuous and lacked an interest in truly protecting privacy. A sincere self-regulatory effort by new organizations committed to privacy might succeed.

The federal government sets up a dedicated agency that is monitored by a private firm or non-profit

Pros: This was suggested by Coney. It combines the reliability of the government with the disinterested independence of an outside observer.

Cons: Malicious actors in the government agency may succeed in hiding bad behavior from the monitors, whose inspections would quickly settle into an uninspired routine. Moreover, the requirements that the monitor has to enforce are just as complex as in the previous solutions.

Free market: let each visitor choose a server and take his chances

Pros: This leads to the most diversity, which is a strength in the area of security. And if a server goes down, how much is lost? The visitor can open a new account elsewhere and rebuild the lost personal information.

Cons: No one can evaluate the competence and reliability of another organization's server, and weaknesses don't become apparent until disaster strikes.

As usual, the policy, organizational, and social issues in deploying a technology are thornier than the technology itself. I still think the architecture I offered in my proposal to OMB provides a good basis for building any of the systems considered in this blog.

Thought experiment: could federal agencies offer anonymous authentication for whistle-blowers?

I'll end this blog by exploring an identity system that would allow an agency to authenticate a pseudonymous whistle-blower by verifying "Yes, this is a current employee" or "Yes, this is a former employee" without giving further information about that individual.

I believe that any such authentication system would have to be based on a two-tier approach such as I laid out in my OpenID proposal. The system I lay out in this section is too complex, organizationally and technically, for the government to implement at this point, but it shows the tools available to privacy advocates.

1. Each government agency participating in the authentication program sets up a server to digitally sign IDs. Another server hosts accounts for every employee.
2. Each employee is encouraged to create an account on the OpenID server and to keep it secret.
3. When logged in at his or her agency account, the employee submits his or her account name with the agency's digital signature. This produces an unforgeable string that combines verification of the employee with verification of the agency.
4. At any time, the employee can post information to any web site that accepts an OpenID login, using the employee's secret OpenID account. The employee includes the string obtained in the previous step. By checking the signature, anyone can verify that the employee had an account at one time on the agency server. Because the text revealed underneath the signature is the account name, it proves that the person who obtained the signature is the same person posting information currently.

In order to masquerade as an agency employee, someone would have to obtain both the employee's signed string and access to the employee's secret account on the OpenID server. This might be possible if the employee is lax in protecting the information (for instance, by putting it unencrypted on a cell phone and losing it). Other problems with this system include:

• There is no way to revoke the signature, unless the agency revokes all signatures at once. Thus, there is no way to tell whether the employee is still employed. This may be acceptable.
• This system would allow any employee to leak any agency information without personal repercussions. That's probably not a policy we want to foster.

Technology confers power, and so does anonymity. Technical, legal, and policy experts are all needed to study the implications of the systems we have for participation, and the systems that are proposed to replace them.