ReadWriteWeb

OpenID Pilot Program to be Announced by US Government

Written by Marshall Kirkpatrick / September 9, 2009 3:51 AM / 14 Comments

Ten private companies, a number of US Government Federal Agencies primarily in the Health sector and the OpenID and Information Card Foundations will announce this morning in Washington DC the launch of a pilot program to allow members of the public to log in to participating government websites with their credentials from approved independent websites.

That's right - someday soon you'll be able to log in to the websites of the Department of Health and Human Services, the National Institutes of Health and other government agencies with your accounts from Google, Yahoo and similar services. Below we discuss the privacy protection steps being taken, the usability issues and the ultimate significance of this announcement.

Don't worry, your doctor will not store your medical records under your Twitter handle yet. The pilot program is stepping first into a phase of public discussion, only Identity Providers that have undergone extensive scrutiny are participating (Twitter's not included), and participants say that individual privacy is being treated with the utmost regard. If they can pull it off, these organizations could make using the .gov web easier and more effective than it's ever been before.

Participating companies include Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems. On the government side is the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and "related agencies."

Conversation about whether and how best to implement a system of Federated Identity across government websites has been underway for at least the last 6 months. We wrote about the first public rumblings this summer. Kaliya Hamlin explains the state of the conversation in detail on her blog.

The two biggest questions will be protection of privacy and user experience.

Privacy Protections

OpenID board member and Facebook employee David Recordon explained to us tonight that participating government sites are not allowed to pass personal information about users from one site to another, even though we'll be logging in with the same accounts. Instead, when we authenticate ourselves with Google, Yahoo, Verisign or whoever our Identity Provider of choice is, that website will pass a different, unique URL to the government site we're logging in to.

The identity providers will keep track of all the unique URLs used to identify us to different government sites and we'll just need to remember one log-in. That means you'll need to trust your identity provider to keep your private information separated between agencies - it won't be up to the government sites themselves to do so.
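The per-site URL scheme described above, sketched as an added example (not code from the article or from any participating provider). Deriving each URL with a keyed hash rather than storing a lookup table is an assumption made here, and the key, the `idp.example` base URL, the agency hostnames and the account name are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed placeholders: a real provider keeps this key in an HSM or KMS.
IDP_SECRET = b"constructed-demo-key"
IDP_BASE = "https://idp.example/id/"


def normalize_realm(realm: str) -> str:
    """Reduce a relying-party URL to https://host so every page of one
    site maps to the same pseudonym."""
    parts = urlsplit(realm)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("relying-party realm must be an https URL")
    return "https://" + parts.hostname  # .hostname is already lower-cased


def pairwise_identifier(account: str, realm: str) -> str:
    """Derive the URL the provider hands to one site for one account."""
    # NUL separator keeps ("ab", "c") and ("a", "bc") from colliding.
    msg = account.encode() + b"\x00" + normalize_realm(realm).encode()
    tag = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    return IDP_BASE + tag[:32]


def correlate(ids_at_site_a, ids_at_site_b):
    """Identifiers two sites hold in common if they compare records."""
    return set(ids_at_site_a) & set(ids_at_site_b)


if __name__ == "__main__":
    hhs = pairwise_identifier("alice", "https://www.hhs.example/login")
    nih = pairwise_identifier("alice", "https://www.nih.example/portal")
    print("HHS sees:", hhs)
    print("NIH sees:", nih)
    print("shared identifiers:", correlate([hhs], [nih]))
```

Only the provider, which holds the key, can link the two URLs back to one account; that is the trust dependency the article describes.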

Government identity systems have long raised fears of totalitarian control, and a single sign-on system sounds even worse. But having private identity providers hide and broker the connections between a user's account with one agency and another could substantially alleviate concerns about centralization.

User Experience

User experience has been one of the biggest issues around systems of federated identity since they began to proliferate. No decisions have been made yet about exactly how users will log in to these government sites, but we will be given a limited number of choices between providers that have been government approved. (If you own a domain that's an OpenID provider, you won't be able to use that.)

Most likely users will be presented with an array of logos to click on, launching a new window to communicate just with the identity provider. Once a user proves who they are to the identity provider, that company will then vouch for the user to the government site.

Why Is This Important?

This is a significant move for three reasons. First, it could make securely accessing government websites much easier for users. That would increase use of government services online and could kick off a virtuous circle of increased web-savvy service in response to increased citizen interest.

Second, federated identity provides not just easy "single sign-on" but also offers the opportunity for users to carry personal information with them from one website to another. This "payload" of information can help new websites we use quickly personalize our experience and deliver more intelligent service. That's likely to be complicated when it comes to privacy-centric areas like health, but there's a lot of potential there. If Google knows you've made plans to travel to another country soon, and if you're willing to expose that information to a government website, then the site could offer health-specific information about the country you plan on visiting for example. That's a long ways off, but it's part of the big vision of data portability.

Finally, when any large institution puts its weight behind an open standard, that creates more incentive for other institutions to get on board with the standard as well. Federated Identity systems like OpenID and Info Cards have seen growing amounts of support from different companies. As that support grows, the information available to innovate on top of grows, the number of opportunities for users to access innovative services built on top of standards grows, and the incentive for still more companies to get on board with open data, innovative technology and data portability grows as well.

To draw the standard railroad analogy, if one large railroad network adopts the new standard of rail sizes then trains that run on standard rails can travel further, the passengers can go new places and other networks have more interest in adopting the standard as well. On the information super-highway, the network of government websites is a very big railroad (if you will).

The pilot program will remain a discussion for some time. The OpenID and Information Card Foundations are good places to visit if you'd like to participate in the conversations that will inform later implementation.


Comments


  1. Deleted a comment asking about privacy and hacking concerns because it was left by someone with a link to a payday loan site and I'm sick of those kinds of commenters. Note that first comment raised the concern about centralization of information leading to increased vulnerability though.

     Posted by: Marshall Kirkpatrick | September 9, 2009 4:29 AM



  2. Where is the EFF in all this? Are they participating? If no, why not?

    http://www.eff.org/issues/privacy

    Posted by: Todd | September 9, 2009 4:52 AM



  3. Todd, I was told that *now is the point* where the EFF should join the conversation, along with others.

     Posted by: Marshall Kirkpatrick | September 9, 2009 5:08 AM



  4. Ok, but did the "Ten private companies, a number of US Government Federal Agencies" step up and call folks at the EFF, ask them to participate?

    http://www.eff.org/about/contact

    EFF guys may not be aware of this "pilot program". I want to see the "Ten private companies, a number of US Government Federal Agencies" voluntarily invite the EFF, not hide from them and only take action if there's a lawsuit later.

    Posted by: Todd | September 9, 2009 5:27 AM



  5. Excellent post about thinking outside the box. It really is all how you look at it.

    Posted by: david hausdorff | September 9, 2009 7:31 AM



  6. Makes sense. I mean if a professor at UCSB can have access to everything at Lawrence Livermore Labs....why wouldn't they be able to see other government research on the same topics?

    Posted by: Wine of Month Club | September 9, 2009 8:57 AM



  7. Goods and bads: it promises a great deal of convenience for me, as described at the Information Card site. Yet it implies the need for an extreme deal of trust in the carrier(s), and a method of persuasion and enforcement of that trust. I rack my brain, imagining.

    Posted by: fjpoblam | September 9, 2009 10:19 AM



  8. >> "If you own a domain that's an OpenID provider, you won't be able to use that."

    What's wrong with my OWN openid provider? I find it to be more secure than all those companies.

    Posted by: jorge | September 9, 2009 10:21 AM



  9. This is exactly backwards. The Government of, for and by the People should be providing the tokens that can be used to access sites like Google, without sites like Google ever knowing anything about you other than that your government vouches for your legal identity, age, citizenship, gender, marriage-status, ability to enter into contracts and minimal other information legally-necessary to anyone wanting to do free commerce with you. Those results should be returned to the site you're logging into pre-encrypted with that site's public-key. A federal law should prohibit redistribution of information decrypted from the Federal Identity Provider and prohibit the Federal Provider from tracking law obeying people's use of private or government services. It really is that simple, yet the idea of Google and PayPal authenticating citizens to access their own government is perverse, at best.

    Posted by: website reader | September 9, 2009 12:36 PM



  10. @Todd: Indeed, several privacy groups participated in the initial conversation that we had a few months. Personally I've been in touch with the EFF, but you're absolutely right: we need much more feedback and involvement from these folks.

    During this pilot, I personally hope to hear their perspective on how we can make our approach more robust and responsible.

    @fjpoblam: completely true. Picking an identity provider will or should become as important as picking your bank.

    @jorge: I'm with you. I need to look into this more — and understand the Open Trust Framework better. One of the challenges that we face is getting the user experience right — and avoiding phishing. For now, buttons are one way to ensure that you're sent to a "certified" identity provider; I would prefer that individual OpenID providers are supported — and hopefully this pilot will give a chance to flesh out that opportunity.

    @website reader: Well, that's an interesting idea, but it seems that most US citizens don't actually trust the government, making a government-run IdP less attractive to the marketplace.

    Additionally, there's a question of what recourse you might have if the government, say, lost your OpenID or "broke it" somehow... if you sued the government in such a circumstance, what kind of redress would you expect?

    Posted by: factoryjoe.com | September 9, 2009 1:40 PM



  11. I love the idea that openID is getting traction, but I'm really put off by the "you can't do your own provider" nonsense. There needs to be some sort of way for private providers to get in on this - maybe we can sign an affidavit taking responsibility for our own domain or something?

    Posted by: brickpile.com | September 9, 2009 3:33 PM



  12. OpenID Pilot Program to be Announced By US Government - Here's What It Means http://bit.ly/3a36s [from http://twitter.com/marshallk/statuses/3860760668]

    Posted by: Marshall Kirkpatrick Posted on FriendFeed   | September 12, 2009 10:56 PM



  13. Marshall, I was just annoyed because the FCC's broadband initiative ONLY has Facebook Connect for login (no other "account creation" process visible). It's not the first site that I've seen with only FBC.

    I don't understand why agencies are privileging ONE private business (Facebook) and why OpenID wasn't used from the get-go for sites like the FCC's venture. This is far different from health info or travel (I don't "log in" to federal sites dealing with those two issues and, quite frankly, don't plan to).

     Posted by: Kathy E Gill -kegill | September 14, 2009 10:52 PM



  14. This is fantastic. Here’s to open government and the open web! I believe OpenID will continue to be the most convenient and trustworthy open identity standard on the Web. Open standards create a better Internet for everyone, and the U.S. government's adoption of OpenID is a huge endorsement of OpenID and a big step forward for open standards. from SEO Rider

    Posted by: Tom | November 9, 2009 3:27 AM


