NATIONAL TRUSTED IDENTITIES FRAMEWORK (NTIF)


NATIONAL TRUSTED IDENTITIES FRAMEWORK (NTIF)
DISCUSSION PAPER
For: Department of Prime Minister and Cabinet
26 SEPTEMBER 2012

TABLE OF CONTENTS

1 INTRODUCTION
THE CHALLENGE STIMULATING GREATER TRUST ONLINE
CONSEQUENCES OF FAILURE TO ACT
STEPS SO FAR
AREAS OF FOCUS FOR AN NTIF ROADMAP
  KEY ACTIVITIES
  REALISTIC TIMEFRAME
  FOCUS ON GOVERNMENT ROLE FIRST
APPROACH TO A ROADMAP
  STEPS FOR
  OPTIONS FOR FURTHER STEPS
    Enable option
    Encourage option
    Transform option
DIAGRAM OF NTIF ROADMAP OPTIONS
CONSULTATION PROCESS
  THIS PAPER
  CONSULTATION METHODS
  QUESTIONS FOR CONSULTATION
  METHODS OF PROVIDING FEEDBACK

September 2012 DRAFT Information Integrity Solutions

1 INTRODUCTION

Information Integrity Solutions (IIS) [1] has been engaged to assist the Department of Prime Minister and Cabinet (PM&C) to conduct consultations with key stakeholders, across the government, business and community sectors, on the steps necessary to improve trust in the digital environment. A key part of this is to develop a National Trusted Identities Framework (NTIF). This document is designed to facilitate this consultation. The details of the consultation process are set out in Section 6.

[1] Information about IIS can be found at

2 THE CHALLENGE STIMULATING GREATER TRUST ONLINE

To do business or provide services effectively online, organisations (including governments) need to be sure that the person they are dealing with is trustworthy. At the same time, for people to fully participate in the online economy, they need to trust organisations and service providers. Both need to feel comfortable with and understand security and privacy arrangements. For some, this is not currently the case, resulting in less than full participation in the digital economy. The media regularly reports on online scams, significant data breaches and identity fraud as we grapple with how to safely and securely digitise identities.

Organisations and government agencies build their own solutions for delivering trust, each with its own user name and password or other mechanisms for administering it. Each solution has its own checks to verify identity and many ask for more identity information than they need about a person. While these solutions meet the separate needs, they are not designed to be interoperable and cannot easily share resources.

In turn, people must use each solution separately and often in very different ways. People need to manage an array of credentials, including usernames, passwords and cards. They have little or no control over what identity and other personal information they are asked to provide for accessing services. Once the information is given, they have little visibility over what it is being used for, who accesses it, or where to go when there is a problem. For many people this is annoying or unsettling but for some this is just too high a price to pay for online services.

At the same time, private sector activities to stimulate trust appear to have been slowed by perceptions this is not an area in which profit can be made. For this and a number of other reasons a national market for the provision of convenient and interoperable digital identity services has not developed in Australia.

Similar to the US, UK, Canada and NZ, Australia recognises the importance of supporting the development of this fledgling market to meet the identity management needs of society and governments as they continue to adopt online services for more personal and more sensitive interactions. The ability to improve overall trust in the online environment will greatly assist in reducing the current inefficiencies for business and government and lack of data protection and convenience for people.

Key jurisdictions, such as the US, UK, Canada and NZ have recognised that a key part of the solution is to develop an overarching framework for establishing trust among participants in the area of digital identities that would cover both public and private sector. In Australia's case we are calling this a National Trusted Identities Framework (NTIF). While increasing trust, such a framework could also create an environment of greater certainty in which the private sector may feel more confident about developing and providing relevant services.

Building trust online and creating a market: the long-term vision.

An NTIF could promote the development of a national market in digital identity products and services. By applying consistent standards for all participants in this market, an NTIF could allow a digital identity that is trusted by one participant (such as a bank) to be trusted by another (such as a government agency).

Enhanced online trust and security will bring new opportunities and a greater willingness to develop innovative ideas to drive Australia's economy. This would lead to improved access to services, new products and markets for consumers and industry, and more productive ways of doing business.

An NTIF would be citizen-centric, voluntary and would seek to enhance the privacy of individuals and businesses by giving people control over the disclosure of their personal information. An NTIF would be a collaborative venture aimed at achieving trust in the digital identities of individuals, businesses, government agencies, other organisations and devices. In this way, an NTIF would be one of the enablers of the future digital economy by helping users take full advantage of the social benefits and commercial opportunities available through greater online engagement.

While this consultation has an eye to the long-term vision, its aim is to understand how to reach a medium-term point. Then, developments in the digital identity space can be examined, and the progress of larger partner economies reassessed.
3 CONSEQUENCES OF FAILURE TO ACT

Without a national framework that provides a coordinated response to the issue of trusted identities and which supports the developing digital identity services market to provide the required trusted services and products there is a risk:

For business that:
- it will not get the assistance in managing identity information that it needs;
- it will not gain the efficiencies that can be derived from mutual trust and reliance on others' credentials or verified identity information;
- it is shut out of opportunities to provide digital identity services that it is well positioned to provide; and
- government will impose identity information requirements that are expensive and difficult to meet.

For people that:
- they do not trust initiatives being developed because the agenda for having them is not clear (for example, is it to address government risks? private sector risks? or a person's risks?);
- unexpected big picture privacy, security, usability or access issues arise because there is no coordinated overview of all the initiatives being undertaken or the way all the initiatives fit together;
- solutions do not give people the control and choices that they want and need in order to create trust and confidence in the online environment; and
- they may not take full advantage of the social benefits of the online environment.

For government that:
- it may continue to undertake digital identity services that could be more efficiently and effectively delivered by the private sector;
- it may not develop policies that best support the digital economy and Australia's diverse needs;
- it may impose undue or too light regulation on providers of digital identity services and products resulting in stifling the market or a lack of protection for privacy and personal data;
- options are implemented that will lock the government into solutions that become rapidly out-of-date or hard to change or expensive to change in the future;
- it develops initiatives that are not scalable or viable because they are not relevant to the risks that other agencies or private sector organisations face;
- its initiatives will unnecessarily duplicate or overlap efforts being undertaken elsewhere in government or the private sector (or vice versa); and
- its solutions developed are not interoperable, or easily interoperable with other government, private sector or international initiatives or approaches.

For Australia:
- digital productivity within Australia will not be fully realised. Many Australians may not fully seize the potential opportunity to increase productivity and enable innovation. Some Australians may not engage in online activities due to a lack of trust;
- international competitiveness will decline as other nations adopt strategies to maximise the productivity of their digital economies. Many countries are already more advanced than Australia; and
- international online transactions will be hampered by a lack of interoperability.
4 STEPS SO FAR

The government began this process of considering what might be needed to achieve trust in the online environment with the Cyber White Paper Public Discussion Paper (2011) and the Cyber White Paper Policy Proposal: National Trusted Identities Framework (2011). Recognising the critical importance of involving all key sectors of Australia in the process, it also began consultations with all key public, private sector and community stakeholders at a workshop held at National ICT Australia in Sydney in 20 December. These were the first steps in considering whether a national trusted identities framework might be needed.

The key conclusions from this consultation were:
- that the scope of an NTIF needed to be more clearly defined in order to determine such matters as:
  - the level of government involvement needed to create a viable market
  - the standards and accountability needed
  - the kind of technologies that might need to be developed or deployed;
- business and individuals must be able to see what's in it for them in order for there to be a viable market; and
- that a mix of government and private sector involvement in an NTIF is appropriate with government having a leadership role but with private sector providing services where efficient, viable and appropriate taking into account usability, privacy, security and equity of access.

Noting the risks of inaction, the Government is committed to the development of a NATIONAL trusted identities framework (NTIF). Building on the valuable engagement with key stakeholders that began in December 2011, the Government has been refining the scope of the NTIF and the options available for progressing it. The following sections aim to do this.

5 AREAS OF FOCUS FOR AN NTIF ROADMAP

5.1 KEY ACTIVITIES

The NTIF vision requires attention to the following areas in order to promote trust in digital identities and the online environment generally in a cost effective and efficient way:

1. The creation of a national market for trusted digital identity services.
2. The adoption of an overarching framework that provides national governance for digital identities.
3. The adoption of consistent identity rules and standards that allow trust arrangements between disparate online systems (e.g. inter-federation).
4. The enhancement of people's control over their privacy and personal data online.

5.2 REALISTIC TIMEFRAME

The NTIF goal of an efficient market providing trusted digital identity services is not achievable in the short-term due to key gaps. These include viable economic models, governance arrangements, national rules and standards and lack of user-centric tools that empower people and enhance privacy while ensuring security.

Therefore, developing a roadmap for how to begin to fill the gaps, say within the next 3-5 years, would seem to be the most practical approach. Attempting to plan activities beyond this is unlikely to be useful in such a dynamic environment where solutions are rapidly evolving.

A mid-term approach will also enable Australia to be informed by international developments. Australia's strategic partners are more advanced in their journey to the shared vision, and are also each taking a slightly different approach with their roadmaps. This approach will enable Australia to benefit from their experience in deciding its longer term strategy.

5.3 FOCUS ON GOVERNMENT ROLE FIRST

In developing a national market for trusted digital identity services, it seems practical for the roadmap to first focus on the Government's role in encouraging this market. It is in the best position to undertake a number of key first steps that are achievable within the next 2-3 years. These include:

- Enable market: It is in the best position to undertake foundational market enabling activities such as establishing and implementing overarching governance structures that provide for close and sustained multi-stakeholder involvement, including the development and implementation of consistent rules and standards and possibly some pilot activities.
- Extend government services: It can expand its existing reform initiatives to see how they may be able to address known issues in a way that could benefit the whole economy, or lead by example.
- Raise awareness: It is well positioned to undertake national awareness raising activity about the need for safe and secure use of digital identities and the need for people to exercise as much control as possible over their digital identity information.

Building on these activities the Government is also in a very strong position to influence the market in digital identity services. It has very significant demand for high-integrity digital identity services and is in a position to influence the market depending on the extent to which it continues to keep meeting this demand itself, or whether it moves to an approach where it looks to the private sector to take over the supply of these services or to provide new services to meet this demand.

Should the private sector become a key supplier to government, the government is also in the position to drive further demand for digital identity services by mandating their use across government. This could trigger further private sector activity in the market. For example, private suppliers could offer the ex-government sector services to other sectors e.g. financial institutions, or develop value-add products on the back of the core solutions suite.

6 APPROACH TO A ROADMAP

Taking into account the focuses proposed above, the following steps and options for an NTIF roadmap are outlined for consideration and consultation.

6.1 STEPS FOR

During this period the key activities would be to take steps that are achievable and would lay the foundation for further market development.

The most important of these would be market enabling activities to establish a trust framework and following from that standards and rules which would enable a digital identity market by creating certainty, interoperability and the necessary privacy and security protections. At its most basic level, these are likely to consist of:

- identifying the key roles of participants in providing digital identity services;
- developing standards and policies that each participant must meet or comply with in order to be trusted and able to interoperate with participants in other trust frameworks, for example:
  - data quality
  - protecting privacy
  - protecting security
  - technical interoperability
  - customer service and complaints handling
  - process for approval/accreditation; and
- an overarching structure to make sure governance is coordinated and trust is built in a way that meets government, private sector and community needs and requirements.

Other key activities would be those that extend government services and raise awareness as identified above.

6.2 OPTIONS FOR FURTHER STEPS

In the following period three possible options for government activity in progressing NTIF activity are proposed for discussion.

ENABLE OPTION

In this option, having undertaken the foundational activities outlined for the period , before undertaking any further activity, the government would assess the impact of these activities on the development of a market that provides safe, secure and trusted digital identity services. It would also consider developments internationally to assess whether there are developments there that could be used in Australia. Taking into account these outcomes and developments, new priorities and steps for meeting the NTIF vision would be developed.

ENCOURAGE OPTION

In this option, the government, without assessment of the foundational activities, would take two additional steps to influence the development of a market in trusted digital identity services. These would be:

- to require all government agencies to try to have their digital identity needs met by the private sector and only if this is not achievable would agencies be able to develop the solutions themselves; and
- at the same time, the government would take measured steps to transition the services it currently provides into the hands of the private sector.

Following this, the government would reassess the success of these steps in stimulating a market.

TRANSFORM OPTION

In this option, without assessment of the foundational activities, the government would:

- require all government agencies to try to have their digital identity needs met by the private sector, and only if this is not achievable, would agencies be able to develop the solutions themselves; and
- in one move, privatise all of its digital identity services.

A diagram setting out each of the options is below.

7 DIAGRAM OF NTIF ROADMAP OPTIONS

Diagram of NTIF roadmap options, each leading to the vision:

Enable Option
- Enable market: Government creates the trust framework, governance, standards, etc, which enable a digital identity market.
- Extend Government services: Government leads by example.
- Raise awareness: Government raises national awareness in regards to: Using Digital identities; Enhancing privacy; Controlling personal data.
- Reassess strategy and priorities to realise the vision.

Encourage Option
- Enable market: Government creates the trust framework, governance, standards, etc, which enable a digital identity market.
- Extend Government services: Government leads by example.
- Raise awareness: Government raises national awareness in regards to: Using Digital identities; Enhancing privacy; Controlling personal data.
- Encourage market - Demand: Government mandates a private-provider first approach to procurement of all new identity solutions.
- Encourage market - Supply: Government incrementally transitions existing services to the private sector.
- Reassess strategy and priorities to realise the vision.

Transform Option
- Enable market: Government creates the trust framework, governance, standards, etc, which enable a digital identity market.
- Extend Government services: Government leads by example.
- Raise awareness: Government raises national awareness in regards to: Using Digital identities; Enhancing privacy; Controlling personal data.
- Encourage market - Demand: Government mandates a private-provider first approach to procurement of all new identity solutions.
- Encourage market - Supply: Government privatises its digital identity services.
- Reassess strategy and priorities to realise the vision.

8 CONSULTATION PROCESS

8.1 THIS PAPER

The issue of addressing trust in the online environment is potentially very broad and hard to grapple with in a meaningful and practical way. As a result, this paper seeks to set out the issues in a way that:

- reflects the current government policy and programme environment;
- seeks to narrow down the proposed focus of activity to the extent possible; and
- gives as much detail as possible on possible approaches and takes into account what is realistic to achieve in the medium term (3-5 years).

In this way it hopes to facilitate detailed, practical and constructive comment that will be useful input to the business case that PM&C is preparing. The will be distributed to stakeholders and will form the basis for consultations.

8.2 CONSULTATION METHODS

PM&C has commissioned Information Integrity Solutions to conduct consultations which include:

- two combined stakeholder workshops on 10 October and 30 October (invitees will be those who were involved in the 20 December 2011 group with some possible additional stakeholders to fill any sectoral gaps);
- meetings or workshops with particular sectors;
- some face to face meetings if particularly asked for or desirable; and
- the chance to provide written feedback on the Discussion Paper.

8.3 QUESTIONS FOR CONSULTATION

- Do you understand how a digital identity services market could assist with increasing online trust?
- Do you have a mental picture of a national market for trusted identity services? What are its key features? Who are the main actors?
- Do you think the benefits of a national framework justify investment in it? What are the consequences of not having an NTIF?
- Do you think there is a role for federal government in order to achieve a viable national market for safe and useable identity services? If so, what do you think is the best way for government to get involved?
  - facilitating the development of a national governance framework?
  - stimulating either supply of or demand for digital identity services or both?
- Which particular strategies for stimulating supply or demand do you think the government should focus on first? Should they do one or both?
- What identity services do you think government should continue to provide for the next 5 years versus long-term? For example,
  - should it continue as the authoritative source of identity data through birth certificates, passports, drivers licences?
  - should it continue to provide its own digital identity services such as social services cards, digital certificates for businesses, user accounts and passwords?
  - should it continue to provide validation services for key identity documents, digital credentials and digital signatures?
- Which of the three options for creating a market outlined in the paper do you think the government should adopt?
- What would the government need to do, at a minimum, to encourage private players to offer digital identity services? Is it simply a matter of there not being clear standards around? If so, what particular standards are needed? For example, are standards needed for technical design, technologies, business design to ensure interoperability, privacy, useability, and individual control? Or is it because there are no current private sector drivers (and thus government would need to go to market to stimulate change)?

8.4 METHODS OF PROVIDING FEEDBACK

IIS will handle feedback from you on this paper and is responsible for organising and holding meetings. You can provide feedback in the following ways:

- feedback to: Christine Cowper at ccowper@iispartners.com
- Call: Fixed line or mobile
- Ask for a meeting:

We would like to receive feedback by COB Wednesday 24 October