The government’s igovt identity management system lacks a visible security analysis, says a University of Auckland researcher, Yu-Cheng Tu.
Tu says that, despite public consultations, there is no visible follow-up to satisfy the public that security concerns have been addressed.
The output from the public consultation “clearly identifies the goals and policy for what is to be achieved in igovt”, says a paper Tu wrote jointly with supervisor Clark Thomborson.
“Moreover, it also demonstrates government’s attempt to appreciate its citizens with user-focused [identity management] design and public consultations. These can possibly avoid rejection of the services from the public.”
However, Tu says, this is still not evidence of a formal security analysis.
She expressed her doubts at the Australasian Computer Science Week in Wellington last month, giving an outline of what she thinks should have been publicly shown to have been considered.
However, a spokesperson for the State Services Commission (SSC) assures Computerworld that adequate security evaluation has been done on the Government Logon Service – the currently operational side of igovt – and “a similar programme is in place for the igovt identity verification service.
“Participants in these activities have included both internal and independent security experts as well as the GCSB,” says the SSC. For “obvious reasons”, the Commission cannot discuss the details of the evaluations.
Computerworld asked for evidence of public involvement in the security analysis.
The Commission cited a report on the public consultation, called “What People Said”.
As suggested by the title, this is a subjective evaluation of likely strengths and weaknesses of the system by focus groups and other public commentators.
Security looms large in contributors’ apprehensions and a number of comments highlight specific security risks.
A security analysis, Tu says, should have stated the security objectives of the system — after consultation with appropriate stakeholders — and analysed the information flowing through it and the possible threats to confidentiality, integrity and availability.
The last, in particular, appears to be missing, she says; there is no evidence that those who framed the system seriously considered the likelihood of a denial-of-service attack, which could snarl up the provision of government services by many agencies to members of the public online.
A formal analysis, Tu says, should have thought through a set of “misuse cases” — possible ways in which citizens, agency staff or others involved with the system could misuse it or render it inoperable.
In particular, the Identity Verification Service, the facet of igovt that is concerned with the public’s interaction with government agencies, should have been formally and publicly evaluated with regard to the risk of one person impersonating another and obtaining access to their confidential information, Tu says.
Also, the risk of enough personal data being allowed into the possession of the staff of an agency to permit illicit data matching should have been assessed.
The Department of Internal Affairs was asked by Computerworld under the Official Information Act to provide as much detail as can be released on any security analysis of igovt.
Last week, the DIA transferred the inquiry back to the SSC, as the more relevant agency, under Section 14 of the Act. The SSC had not produced any documents by press-time.