Ten private companies, a number of US Government Federal Agencies primarily in the Health sector and the OpenID and Information Card Foundations will announce this morning in Washington DC the launch of a pilot program to allow members of the public to log in to participating government websites with their credentials from approved independent websites.
That’s right – someday soon you’ll be able to log in to the websites of the Department of Health and Human Services, the National Institutes of Health and other government agencies with your accounts from Google, Yahoo and similar services. Below we discuss the privacy protection steps being taken, the usability issues and the ultimate significance of this announcement.
Don’t worry, your doctor will not store your medical records under your Twitter handle yet. The pilot program is stepping first into a phase of public discussion. Only Identity Providers that have undergone extensive scrutiny are participating (Twitter’s not included), and participants say that individual privacy is being treated with the utmost regard. If they can pull it off, these organizations could make using the .gov web easier and more effective than it’s ever been before.
Participating companies include Yahoo!, PayPal, Google, Equifax, AOL, VeriSign, Acxiom, Citi, Privo and Wave Systems. On the government side are the Center for Information Technology (CIT), National Institutes of Health (NIH), U.S. Department of Health and Human Services (HHS), and “related agencies.”
Conversation about whether and how best to implement a system of Federated Identity across government websites has been underway for at least the last 6 months. We wrote about the first public rumblings this summer. Kaliya Hamlin explains the state of the conversation in detail on her blog.
The two biggest questions will be protection of privacy and user experience.
Privacy Protections
OpenID board member and Facebook employee David Recordon explained to us tonight that participating government sites are not allowed to pass personal information about users from one site to another, even though we’ll be logging in with the same accounts. Instead, when we authenticate ourselves with Google, Yahoo, VeriSign or whoever our Identity Provider of choice is, that website will pass a different, unique URL to the government site we’re logging in to.
The identity providers will keep track of all the unique URLs used to identify us to different government sites and we’ll just need to remember one log-in. That means you’ll need to trust your identity provider to keep your private information separated between agencies – it won’t be up to the government sites themselves to do so.
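One way an identity provider could produce the per-site URLs described above, added here as an illustration and not taken from the pilot or from any provider's code. The HMAC derivation, the `idp.example` and agency host names, the key and the account names are all assumptions; the block compares what two sites could match up under a shared identifier and under a per-site one.

```python
import hashlib
import hmac

# All names below are constructed for this example.
PROVIDER_BASE = "https://idp.example/id/"
PROVIDER_SECRET = b"demo-only-key"  # a real provider would use a random key it never discloses

def global_identifier(account, relying_party):
    """Naive scheme: every site receives the same URL for the same account."""
    return PROVIDER_BASE + account

def pairwise_identifier(account, relying_party, secret=PROVIDER_SECRET):
    """Per-site scheme: a keyed hash of (site, account) yields a different URL per site."""
    message = relying_party.encode() + b"\x00" + account.encode()
    tag = hmac.new(secret, message, hashlib.sha256).hexdigest()[:32]
    return PROVIDER_BASE + tag

def identifiers_seen_by(relying_party, accounts, scheme):
    """The set of identifier URLs one site ends up storing after its users log in."""
    return {scheme(account, relying_party) for account in accounts}

def linkable(records_a, records_b):
    """What two sites could match up if they compared their stored identifiers."""
    return records_a & records_b

if __name__ == "__main__":
    site_a, site_b = "agency-a.example", "agency-b.example"
    users_a, users_b = ["alice", "bob"], ["alice", "carol"]
    for scheme in (global_identifier, pairwise_identifier):
        overlap = linkable(identifiers_seen_by(site_a, users_a, scheme),
                           identifiers_seen_by(site_b, users_b, scheme))
        print(scheme.__name__, "-> identifiers common to both sites:", len(overlap))
```

Because the URL is recomputed from the provider's key, the same account always presents the same identifier to a given site, while the mapping between sites exists only at the provider.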
Government identity systems have long raised fears of totalitarian control, and a single sign-on system sounds even worse. Having private identity providers hide and broker the connections between a user’s account with one agency and another could substantially alleviate concerns about centralization.
User Experience
User experience has been one of the biggest issues around systems of federated identity since they began to proliferate. No decisions have been made yet about exactly how users will log in to these government sites, but we will be given a limited number of choices between providers that have been government approved. (If you own a domain that’s an OpenID provider, you won’t be able to use that.)
Most likely users will be presented with an array of logos to click on, launching a new window to communicate just with the identity provider. Once a user proves who they are to the identity provider, that company will then vouch for the user to the government site.
Why Is This Important?
This is a significant move for three reasons. First, it could make securely accessing government websites much easier for users. That would increase use of government services online and could kick off a virtuous circle of increased web-savvy service in response to increased citizen interest.
Second, federated identity provides not just easy “single sign-on” but also offers the opportunity for users to carry personal information with them from one website to another. This “payload” of information can help new websites we use quickly personalize our experience and deliver more intelligent service. That’s likely to be complicated when it comes to privacy-centric areas like health, but there’s a lot of potential there. If Google knows you’ve made plans to travel to another country soon, and if you’re willing to expose that information to a government website, then the site could, for example, offer health-specific information about the country you plan on visiting. That’s a long ways off, but it’s part of the big vision of data portability.
Finally, when any large institution puts its weight behind an open standard, that creates more incentive for other institutions to get on board with the standard as well. Federated Identity systems like OpenID and Info Cards have seen growing amounts of support from different companies. As that support grows, so do the information available to innovate on top of, the number of opportunities for users to access innovative services built on top of standards, and the incentive for still more companies to get on board with open data, innovative technology and data portability.
To draw the standard railroad analogy, if one large railroad network adopts the new standard of rail sizes then trains that run on standard rails can travel further, the passengers can go new places and other networks have more interest in adopting the standard as well. On the information super-highway, the network of government websites is a very big railroad (if you will).
The pilot program will remain a discussion for some time. The OpenID and Information Card Foundations are good places to visit if you’d like to participate in the conversations that will inform later implementation.