Building Digital Trust in Government Processes
Like most people today, I love doing business over the internet -- researching, shopping, keeping up on the latest news.
And like most people, I take for granted, simply assume, that the site I’m visiting is protecting me and my data. In other words, there is an inherent trust between me and the website. But we’ve all heard war stories of fraudulent sites stealing data, misleading people, or worse. It’s really not fun (to say the least) when that trust is violated. On the flip side, companies and government agencies that offer online transactions are just as concerned, if not more so, about the people they are interacting with.
Trusted Digital Government
There is a movement afoot in the government sector termed "Trusted Digital Government". This effort necessitates trusted interactions between agencies, employees, citizens and partners – all adhering to practices that protect one another when doing business together.
When we think of trust, we generally think of the people involved. Can this person be trusted with my credit card information, for instance? Trust, however, actually spans a wide range of touchpoints when doing business, including but not limited to:
- Trusted Identity
- Trusted Users
- Trusted Devices
- Trusted Documents
- Trusted Behaviors
- Trusted Apps
- Trusted Data
Trust begins with knowing who you are doing business with – the identity of the person. There are many ways to prove identity, and they vary both with the criticality of the transaction as well as the agency.
For instance, if a person is simply downloading a form in advance of a transaction, authenticating their identity isn’t critical. However, if that same person is responsible for authorizing a $300,000,000 contract, well, the identity of the individual would certainly be of vital importance.
The Federal government, ever concerned about validating the identity of individuals, uses client certificates stored on smart cards to prove identity. These certificates are issued in the form of Common Access Card (CAC) or Personal Identity Verification (PIV) cards, or as derived credentials, after a thorough vetting process that includes a background check.
[More about CAC & PIV cards here: E-Signing with Smart Cards in U.S. Government Agencies]
Depending on how the business is being transacted, the actual device may come into question. Is the device you’re transacting business on owned by the agency? Is it a public device? The answers to these questions either instill or jeopardize trust. Think about using a computer at a public library and having the browser remember your login. This would definitely constitute a security risk!
Next, we look at the application being used. Has the application been provided by the agency? Consider the difference between a mobile banking app that’s provided by your bank, versus a banking app you can download from an app store. How secure would you feel transacting online? Who provides the app can call the trust of the whole process into question.
Let’s look at the transaction as a whole. Can we trust that what is being performed – and by whom – is done so in a way that does not place anything or anyone at risk?
When all is said and done, can you prove the trust of the transaction? Do you have in your possession all of the necessary audit data and evidence to guarantee (in court if necessary) what transpired and who participated in the transaction?
What about proof of compliance, from start to finish, throughout the transaction? Can an electronic signature, for example, be executed by a trusted individual, on a trusted device, within a trusted app? The answer is yes. E-signature is the perfect model of a trusted transaction that verifies every aspect of the process – to the point where you can even replay, step by step, what a person saw and did, during the entire signing ceremony!
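The "replay, step by step" property described above rests on a tamper-evident audit trail: every event of the signing ceremony is recorded in order, each record is chained to the previous one by its hash, and the records are sealed with a key that only the signing service holds. The following is an added example written for this page (it is not code from the original post or from any e-signature product) showing one such trail in Python. The evidence key, the event names and the ceremony itself are constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical evidence key held by the signing service (constructed for this example).
EVIDENCE_KEY = b"example-evidence-key-not-for-production"

# Hash that the very first entry links back to.
GENESIS = "0" * 64


def _canonical(obj):
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(trail, event, key=EVIDENCE_KEY, when=None):
    """Append one ceremony event to the trail, chaining it to the previous entry."""
    prev_hash = trail[-1]["entry_hash"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "prev_hash": prev_hash,
        "event": event,
    }
    # The hash covers prev_hash, so editing or dropping any earlier entry breaks every later link.
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    # A keyed MAC means a party without the key cannot rebuild a consistent replacement chain.
    tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = dict(body, entry_hash=entry_hash, tag=tag)
    trail.append(entry)
    return entry


def verify_trail(trail, key=EVIDENCE_KEY, final_hash=None):
    """True only if every entry hashes correctly, links to its predecessor and carries a valid tag.

    A plain hash chain does not detect truncation (dropping the newest entries), so callers
    that stored the final hash separately pass it as final_hash to close that gap.
    """
    prev_hash = GENESIS
    for seq, entry in enumerate(trail):
        body = {k: entry[k] for k in ("seq", "ts", "prev_hash", "event")}
        if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
            return False
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            return False
        expected_tag = hmac.new(key, entry["entry_hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False
        prev_hash = entry["entry_hash"]
    if final_hash is not None and prev_hash != final_hash:
        return False
    return True


def replay(trail):
    """Ordered, human-readable account of what the signer saw and did."""
    return [f'{e["ts"]} {e["event"]["type"]}: {e["event"].get("detail", "")}' for e in trail]


def sample_ceremony():
    """Constructed signing ceremony recording the evidence a reviewer would want to see."""
    trail = []
    document_hash = hashlib.sha256(b"constructed contract text").hexdigest()
    t0 = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
    events = [
        {"type": "authenticated", "detail": "signer=jane.doe method=PIV-client-certificate device=agency-managed"},
        {"type": "document_presented", "detail": f"sha256={document_hash} pages=3"},
        {"type": "page_viewed", "detail": "page=1"},
        {"type": "page_viewed", "detail": "page=2"},
        {"type": "page_viewed", "detail": "page=3"},
        {"type": "consent_captured", "detail": "clicked 'I agree to sign electronically'"},
        {"type": "signature_applied", "detail": "field=Signature1 page=3"},
    ]
    for i, ev in enumerate(events):
        append_event(trail, ev, when=t0.replace(minute=i))
    return trail


if __name__ == "__main__":
    ceremony = sample_ceremony()
    print("trail verifies:", verify_trail(ceremony))
    for line in replay(ceremony):
        print(line)
```

The chain proves order and integrity of what was recorded; it does not by itself prove who the signer was, which is why the first event ties the ceremony to the authentication method (here a PIV client certificate) and the device. The final hash should be kept somewhere the trail's custodian cannot quietly rewrite, for instance embedded in the signed document or written to a separate store, otherwise the newest entries could be removed without detection.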
Well, need to go do some holiday shopping… hope I can trust the web stores!