Privacy-enhancing Technologies and Identity Management

Brenda Watkins, Director, Policy and Business Strategies, Information Technology Services Branch
Public Works and Government Services Canada / Travaux publics et Services gouvernementaux Canada

Upload: chesmu

Post on 16-Jan-2016


TRANSCRIPT

Page 1: Privacy-enhancing Technologies and Identity Management

Public Works and Government Services Canada
Travaux publics et Services gouvernementaux Canada

Brenda Watkins
Director, Policy and Business Strategies
Information Technology Services Branch

Privacy-enhancing Technologies and Identity Management

Page 2: Privacy-enhancing Technologies and Identity Management

Outline

How the federal government developed and implemented a common, privacy-friendly authentication system for secure access to Government On-line (GOL) services

Page 3: Privacy-enhancing Technologies and Identity Management

Government On-line Transactions: Canadians’ Concerns and Expectations

Surveys consistently revealed Canadians’ concerns that their Government On-line transactions could potentially allow their private information to become public or end up in the wrong hands

Expect the government to be more diligent than the private sector or banks in protecting the privacy and security of their information

Page 4: Privacy-enhancing Technologies and Identity Management

GOL Authentication Services

Ensure that on-line participants are who they claim to be

Maintain data integrity and confidentiality of personal information

Provide evidence for non-repudiation

Permit differing levels of authentication for different service offerings

Provide secure electronic signatures

Page 5: Privacy-enhancing Technologies and Identity Management

GOL Authentication Strategy

To implement a common PKI authentication service for Canadians to conduct business with government that would:
– be more user-friendly and manageable
– support a range of functional and security needs
– be extensible, scalable and interoperable
– offer a simple, efficient registration process
– be both economic and strategic

Prerequisites:
– on-line credentials must be secure and “portable”
– browser is the client’s preferred on-line tool
– privacy principles must be rigorously observed

Phased roll-out

Page 6: Privacy-enhancing Technologies and Identity Management

Privacy by Design

GOL transactions are governed by the same privacy protections as paper-based transactions:
– Federal law (Privacy Act)
– Federal policies and guidelines (Privacy & Data Protection)

Developed Privacy Impact Assessment Policy to ensure that privacy is built into all federal on-line services
– GOL Authentication Services served as a successful pathfinder project demonstrating PIA is an essential architectural tool when initiated early and updated as required
– 4 iterative PIAs undertaken prior to initial launch to progressively assess conceptual models, build requirements and design throughout development

National focus testing of user experience

Page 7: Privacy-enhancing Technologies and Identity Management

PKI – Privacy-Enhancing, But …

Binds identity to a digital certificate (distinguished names)

Potential to reveal information about user from use of certificate (inference)

Question of collection and sharing of information between government services
– registration, directory

Page 8: Privacy-enhancing Technologies and Identity Management

epass – An Elegant (and Revolutionary) Solution

Access to GOL services is via “epass” – a secure electronic credential

Differs from traditional PKI implementations:
– epass certificate is anonymous – it is not bound to the identity of an individual or entity
– the only identifying data in an epass is a randomly generated, unique number (MBUN – Meaningless But Unique Number)
– Impossible to deduce anything about the epass holder

Developed in strict adherence with privacy laws and policies

Page 9: Privacy-enhancing Technologies and Identity Management

How epass Enhances Privacy

Registration process
– User creates unique user ID and password
– Encryption and signing keys are generated and stored in double-encrypted profile accessible only to the user
– The user identifies recovery questions and answers during registration process
– epass is issued
– NO identifying information is contained in the epass – only the MBUN

Page 10: Privacy-enhancing Technologies and Identity Management

How epass Enhances Privacy … 2

The program is responsible for authenticating the epass holder’s identity

The authentication process is as rigorous as the nature of the transaction dictates

Once the program is satisfied as to the identity of the epass holder, the epass MBUN is mapped to the program information
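
Added example, not part of the presentation and not the epass system's own code: a minimal model of the two "How epass Enhances Privacy" slides, in which the credential carries only a random MBUN and each program does its own identity proofing before mapping that MBUN to its records. The HMAC stands in for the CA's certificate signature, and the names Program, enrol, lookup, proof_fields and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # assumption: stands in for the CA signing key

def _sign(mbun):
    return hmac.new(ISSUER_KEY, mbun.encode(), hashlib.sha256).hexdigest()

def issue_epass():
    """Issue a credential whose only identifying datum is a random MBUN."""
    mbun = secrets.token_hex(16)  # random, so it encodes nothing about the holder
    return {"mbun": mbun, "sig": _sign(mbun)}

def verify_epass(epass):
    """Check the issuer's tag; a tampered or invented MBUN is rejected."""
    return hmac.compare_digest(_sign(epass["mbun"]), epass["sig"])

class Program:
    """A service that proofs identity itself and keeps its own MBUN mapping."""

    def __init__(self, records, proof_fields):
        self.records = records            # client_id -> data the program already holds
        self.proof_fields = proof_fields  # more fields for higher-risk transactions
        self.mbun_map = {}                # mbun -> client_id, held by this program only

    def enrol(self, epass, client_id, claimed):
        # The holder proves identity to the program, not to the epass issuer.
        record = self.records.get(client_id)
        if record is None or not verify_epass(epass):
            return False
        for field in self.proof_fields:
            if not hmac.compare_digest(record[field], claimed.get(field, "")):
                return False
        self.mbun_map[epass["mbun"]] = client_id
        return True

    def lookup(self, epass):
        if not verify_epass(epass):
            return None
        return self.records.get(self.mbun_map.get(epass["mbun"]))

# Constructed sample data: one program holding one client record.
TAX = Program({"C-1001": {"dob": "1970-01-01", "refund": "412.10"}}, ["dob", "refund"])
```
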

Page 11: Privacy-enhancing Technologies and Identity Management

epass-enabled GOL Services

CRA Address Change On-line

HRSD/SDC Record of Employment

CRTC filings (applications)

Health Canada’s electronic regulatory system for pesticide applications

One-quarter million epasses issued!

Page 12: Privacy-enhancing Technologies and Identity Management

Coming Soon

Atlantic Canada Opportunities Agency

Passport Office

PWGSC - My Services

Veterans Affairs medical records system

CRA expanding use of “MyAccount”

Page 13: Privacy-enhancing Technologies and Identity Management

Recognition

GOLD MEDALS TO ROE AND SECURE CHANNEL

For the fourth year in a row, Accenture has ranked Canada #1 in e-government maturity – specifically mentioning epass as a contributing factor

Four GTEC gold medals since 1999 – two this year:
– Record of Employment
– Secure Channel Project
2003: for epass
1999: for first implementation of a national government PKI policy

Federal Privacy Commissioner acknowledgement: “…the creative approach they have taken in addressing many of the privacy risks associated with more conventional on-line client authentication models.”

Page 14: Privacy-enhancing Technologies and Identity Management

REGISTRATION DEMONSTRATION