EDIT: This has also been Reposted on the PrivacyCampDC Blog
In looking toward participating in PrivacyCampDC this Saturday, there are a number of privacy issues I’m concerned about regarding the movement toward open government. While I am totally in favor of transforming government through transparency, participation and collaboration, I think it puts privacy at greater risk. Whatever our answer in addressing this, it will involve tradeoffs.
What’s Changed? The movement toward Open Government changes the nature of the relationship between the government and its citizens. Previously, the government was responsible for providing services to citizens, who merely consumed them. Now we are entering an era of two way transparent participation and collaboration, in which citizens will be responsible for assisting Federal Agencies with sensemaking, priority setting and policy making. In short, citizens are being asked to roll up their sleaves to help the Federal Government in providing the right services.
How does this Affect Privacy? I would contend that like many statutes, the movement towards Open Government renders the operational details of the Privacy Act problematic at best. Two way participation and collaboration is often based on trust. This has implications both for the privacy details of the citizen and and the government employee they are engaged in discussions with. As long as the citizen is merely a receptor of a government service, a citizen’s identity is often not needed. Two-way participation implies a relationship, which more often than not may necessitate giving up privacy data. Worse, as more and more government services are web-enabled, the citizen will be forced to provide their personally identifyable information (PII) in more and more places. The opportunity for data spillage and identity theft is only going to increase.
Low Level Participation & Collaboration: For the lowest levels of participation, such as “What question do you want the President to answer?,” there is no need to request PII, such as name, email address, etc. But even at a “Level 1″ Identity Assurance level (as definined by OMB M-04-04 as “Little or no confidence in the asserted identity’s validity”), we can imagine scenarios where a user who wants his/her privacy maintained still would want to maintain an ongoing profile to continue participation in a conversation. An example of this would be if a citizen submitted an idea in Phase I of the Open Government Directive, and then got asked follow-up questions - this would mean they require a persistent identity that exists over multiple sessions.
Worse, when we move up the participatory scale privacy options virtually disapear. If for example, a professor of nanotechnology at MIT wants to weigh in on a patent request at the United States Patent and Trademark office, her comments may only be taken seriously with regards to her credentials on the subject. If she wanted to assert her credentials in nanotechnology to be taken more seriously by the patent lawyers reviewing the request, she would have to identify herself in some validated way.
Government Employee Privacy? Currently, privacy policies include government employee information as PII. If a government employee participates in informal discussions online with citizens, how will their privacy be protected? One possibility is they use an alias, but in doing so, they reduce the level of trust they build up in interacting with the target sector of the public. As an example of this, if the GS-15 responsible for giving guidance to state healthcare policy makers to implement the S-CHIP legislation, the use of an alias would impact the believability of their comments.
OpenID Options to Improve Privacy and Access: The use of OpenID for Level 1 Identity Assurance offers some possibilities to assist both in preservation of privacy data, usabilty and security. Chris Messina, Joseph Smarr and John McCrea have a great socialweb.tv episode that discusses some options for the use of OpenID in Open Government settings. Here’s a few ideas I’ve been mulling about since watching that and then talking with David Recordon, Chris Messina and others:
- Use of External OpenID Providers to Hide Identity While Requesting Information: Government collaboration websites should allow unvalidated external OpenID users to do basic things like subscribing to activity streams. This in essence would be similar to a citizen going to a Federal Office and anonymously getting the information they need by picking up the available documents.
- Use of External OpenID Providers to Use Multiple identities When Participating in Open Govt Conversations: Citizens should have the option of in effect, automatically using multiple identities in participating in government conversations. In this use case, an OpenID provider would provide a different token to the government site every time a citizen made a post command (added a new comment or discussion). The only connection that could be made is that all the comments came from the same OpenID provider. If the provider was Yahoo, for instance, this would in effect remove all traceability to connect the citizen’s comments.
- Use of External OpenID Provider to Use a Single Identity When Participating in Open Govt Conversations: In this use case, a citizen may want to build a recognizable profile which ties together their various comments. This would lead to them establishing trust in a community similar to what is done on most social software sites. The difference here would be they would only be providing a non-identifyable OpenID token, without email address, name, etc.
Lack of a Single Government Identity Has a Cost: As we start providing government services online, the privacy problems begin to involve an ever greater chance of a citizen’s information being carelessly exposed. When we move toward a time in the very near future where you can request a change of address to your social security check at the ssa.gov (and medicaid services along everywhere else a change of address needs to be applied), file your taxes on the IRS Website, check the status of your educational grant online, change your voter registration online and so forth, it would be an absolute nightmare for all concerned if the government maintained each citizen’s information separately in each agency (or worse and far more likely, in each agency website that provided services). If the citizen had a single, validated and highly protected profile, a change of address would be simplistic. But in the online world, the change of address in every website the citizen engages in could be a nightmare. Worse, because their PII is scattered across a myriad of webservers, it becomes far easier to have their identity stolen. If one system is penetrated, an identity theif has a better chance of social engineering the rest.
Likewise, if the citizen has a single stored identity for the services that matter, the government can begin to do some fairly cool bundling of services. For instance, wouldn’t it be far more friendly for the government to send you to a “Retirement Planning” website once you hit a certain age, that automatically enrolls you in receiving social security checks, medicaid and medicare, and gives you basic advice & services on money matters when living on a fixed income? If we go down the current path, the citizen will need to register and share their authenticated PII with each and every service they apply separately for - this is both riskier from an exposure standpoint and far more burdensome.
- Government OpenID Provider: If there was something like a “Citizens.gov” site that citizens could authenticate to, a myriad of benefits would emerge. While the citizen would be forced to serve up their real identity, they could use that OpenID token to authenticate to all other government websites. This may actually mean their PII is MORE secure, as its only housed in one place instead of all the various Federal websites. As an added benefit, the government could offer a yahoo-like portal interface that shows the citizen the status of all their services, where they participated on, etc.