1 / 14

Privacy-enhancing Technologies and Identity Management

Privacy-enhancing Technologies and Identity Management. Brenda Watkins Director Policy and Business Strategies Information Technology Services Branch. Outline.

chesmu
Download Presentation

Privacy-enhancing Technologies and Identity Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy-enhancing Technologies and Identity Management Brenda Watkins Director Policy and Business Strategies Information Technology Services Branch

  2. Outline How the federal government developed and implemented a common, privacy-friendly authentication system for secure access to Government On-line (GOL) services

  3. Government On-line Transactions: Canadians’ Concerns and Expectations • Surveys consistently revealed Canadians’ concerns that their Government On-line transactions could potentially allow their private information to become public or end up in the wrong hands • Expect the government to be more diligent than the private sector or banks in protecting the privacy and security of their information

  4. GOL Authentication Services • Ensure that on-line participants are who they claim to be • Maintain data integrity and confidentiality of personal information • Provide evidence for non-repudiation • Permit differing levels of authentication for different service offerings • Provide secure electronic signatures

  5. GOL Authentication Strategy • To implement a common PKI authentication service for Canadians to conduct business with governmentthat would: • be more user-friendly and manageable • support a range of functional and security needs • be extensible, scalable and interoperable • offer simple, efficient registration process • be both economic and strategic • Prerequisites: • on-line credentials must be secure and “portable” • browser is the client’s preferred on-line tool • privacy principles must be rigorously observed • Phased roll-out

  6. Privacy by Design • GOL transactions are governed by the same privacy protections as paper-based transactions: • Federal law (Privacy Act) • Federal policies and guidelines (Privacy & Data Protection) • Developed Privacy Impact Assessment Policy to ensure that privacy is built into all federal on-line services • GOL Authentication Services served as a successful pathfinder project demonstrating PIA is an essential architectural tool when initiated early and updated as required • 4 iterative PIAs undertaken prior to initial launch to progressively assess conceptual models, build requirements and design throughout development • National focus testing of user experience

  7. PKI – Privacy-Enhancing, But … • Binds identity to a digital certificate (distinguished names) • Potential to reveal information about user from use of certificate (inference) • Question of collection and sharing of information between government services • registration, directory

  8. epass –An Elegant (and Revolutionary) Solution • Access to GOL services is via “epass” – a secure electronic credential • Differs from traditional PKI implementations: • epass certificate is anonymous – it is not bound to the identity of an individual or entity • the only identifying data in an epass is a randomly generated, unique number (MBUN – Meaningless But Unique Number) • Impossible to deduce anything about the epass holder • Developed in strict adherence with privacy laws and policies

  9. How epass Enhances Privacy • Registration process • User creates unique user ID and password • Encryption and signing keys are generated and stored in double-encrypted profile accessible only to the user • The user identifies recovery questions and answers during registration process • epass is issued • NO identifying information is contained in the epass – only the MBUN

  10. How epass Enhances Privacy … 2 • The program is responsible for authenticating the epass holder’s identity • The authentication process is as rigorous as nature of the transaction dictates • Once the program is satisfied as to the identity of the epass holder, the epass MBUN is mapped to the program information

  11. epass-enabled GOL Services • CRA Address Change On-line • HRSD/SDC Record of Employment • CRTC filings (applications) • Health Canada’s electronic regulatory system for pesticide applications One-quarter million epasses issued!

  12. Coming Soon • Atlantic Canada Opportunities Agency • Passport Office • PWGSC - My Services • Veterans Affairs medical records system • CRA expanding use of “MyAccount”

  13. GOLD MEDALS TO ROE AND SECURE CHANNEL Recognition • For the fourth year in a row, Accenture has ranked Canada #1 in e-government maturity – specifically mentioning epass as a contributing factor • Four GTEC gold medals since 1999 – two this year: • Record of Employment • Secure Channel Project 2003: for epass 1999: for first implementation of a national government PKI policy • Federal Privacy Commissioner acknowledgement: “…the creative approach they have taken in addressing many of the privacy risks associated with more conventional on-line client authentication models.”

  14. REGISTRATION DEMONSTRATION

More Related