The SSC’s e-government unit is seeking public opinion on how to authenticate people's identity before they access government services online.
At this stage it is seeking comment only on general concepts of how the user prefers to accomplish the task, such as through a central authentication agency or by dealing with each agency independently, and whether personal information will be sent by a central agency to the agency providing the service. Questions of what information will be used for authentication and other implementation aspects will be the result of a second consultation process, happening perhaps next year.
“We are working towards a staged implementation over 2005-2006,” says spokesman Edwin Bruce. Government has set a target of 2007 for a large majority of government transactions to be available online.
Bruce points out that the various agencies have their own hardware and software upgrade cycles, and for some it will not be cost-effective to dive into authenticated online transactions as soon as the framework has been settled and implemented.
The first aspect to be explained to public individuals and groups is the difference between supplying personal identity evidence, a one-time process that will establish you are who you say you are, and “registration” to receive a service. This process will usually require your proven persona to provide further evidence that you are entitled to perform the transaction or access the information sought.
Typically, when you first identify yourself to the system, presenting material evidence like a passport or driver’s licence, you identity will be stored and you will be given some token, such as an ID and password, to register to access information or perform transactions at each particular government agency.
The four basic “models” to be discussed are:
- A central authentication agency generates and holds the personal authentication, and also holds other information about you. Having verified your identity, it sends the pertinent parts of that additional information to the individual agency from which services are sought. This might, for example, allow many fields on an application form to be automatically filled in.
- A central agency merely verifies identity and leaves it to the client to supply all other information when registering with the service-providing agency.
- Similar to the first model, but giving the user a number of authentication agencies to choose from. Some people, Bruce notes, might be willing to trust, say, Internal Affairs, with their identifying information but not, say, Inland Revenue. Others might prefer an authority in their iwi or church to perform the authentication task. “It’s a matter of trust,” Bruce says. He concedes that some would see option three as wasteful duplication, but others would view it as a positive sign of government’s willingness to be flexible.
- Similar to what happens at present, as in individual government agencies provide their own authentication of the customer’s identity as well as collecting the data necessary to deliver the service. But central standards not yet used will be imposed on the quality of the authentication process.
The public comment period for the first phase is due to end on April 7. Further information can be found here.