Privacy, security and one login to rule them all?

Government techies wrestle with building privacy and security into services from the ground up.

"One ring to rule them all" - Frodo Baggins looking at the ring of Sauron.

Trust, privacy and security were at the center of a panel discussion Thursday at the U.S. Digital Services’ DigitalGov Citizen Services Summit.

“We can build all the beautiful digital services that we want, but if people don’t trust them, they’re not going to use them,” said the Transportation Department’s Chief Data Officer Dan Morgan.

Could commercial credentials and a new attitude toward privacy be the keys to future success?

The use of “sensitive information” could enable government to provide “amazing” new levels of service, said NIST privacy engineer Sean Brooks, but citizen concerns about privacy – “big brother” tracking them – necessitate a careful balance.

The sheer weight of logins is taxing, too.

The General Services Administration’s Jennifer Kerber lamented the pain of creating unique usernames and passwords for each government service online.

“What if I had the opportunity to bring a credential I trust to the government?” she queried.

It’s exactly what she and her GSA colleagues are working to create with, a service that allows users to connect with government using private credentials they already have and trust, such as through Google or PayPal.

Agencies don’t track which particular credential is provided, nor do they track the digital exhaust so often used for marketing purposes, Kerber said. They simply know the person’s identity has been verified by a trusted third party, saving users hassle and government money.

It’s still in the early stages and only a handful of agencies are integrating the service, but it holds potential.

“If you’re a consumer, you don’t care [about technicalities],” Kerber said. “You want convenience and you want trust.”

NIST’s Brooks said privacy, security and the ways agencies and people talk about them all need an overhaul.

“If I could eliminate the word creepy from all future conversations about privacy I would,” he said, noting that the word is often used in privacy/security conversation, but it doesn’t address the real problems and challenges.

When it comes to credentials and digital services, “privacy, security, interoperability and user friendliness,” should be the guiding principles, all considered and built into digital services from the ground up, Brooks said.

Both Brooks and Kerber noted that the “5,000-word privacy statement that makes the lawyers happy” is not a good model for the future of digital services – organizations need to shoulder responsibility for privacy and security, rather than shunting it onto users’ backs.

In pursuit of better practices, Brooks noted, NIST will be  releasing a draft privacy engineering document for public comment “soon.”

He said he hopes to get input from the people currently getting their hands dirty in the field: “People who are actually trying to build stuff and do things.”