Access America--Access America--Fulfilling the VisionFulfilling the Vision

of Electronic Service Deliveryof Electronic Service Delivery

Peter N. Weiss

Information Policy and Technology

Office of Management and Budget

peter_weiss@omb.eop.gov

Access America

Electronic commerce, electronic mail, and electronic benefits transfer sensitive information within government, between the government and private industry and individuals, and among governments.

-Vice-President Al Gore,

“Access America”

-available at: gits.gov

NPR (Reinventing Government):

Reengineer needed processes, get rid of those no longer needed, and focus on customer service. Electronic forms, commerce, and information security regarded as vital.

Government Paperwork Elimination Act (GPEA) P.L. 105-277 (Title VII)

Agencies to automate interactions with outside partners/customers within five years to the extent practicable.

OMB, in consultation with Commerce and others, to promulgate policies and procedures within 18 months.

Procedures are to encourage both electronic filing and electronic recordkeeping, particularly by employers.

PRA: Paperwork Reduction Act

•Reduce the reporting burden on the public.

•Measures include the number of hours the burden imposes.

•Pre-GPEA emphasis on electronic forms focused on the process to move the form from paper to electronic.

•Actual burden is not substantially reduced.

Other Applicable Laws

GPRA: Government Performance and Results Act

Clinger-Cohen Act (Information Technology Management Act of 1996)

Putting It All Together

Need to reduce burden to the public

Provide customer service in a fundamentally better way

Electronic forms are not, by themselves, necessarily enough

GPEA

GPRANPR

PRA

Clinger-Cohen

CUSTOMER SERVICE

LESS TIME TO ACCESSEASIER TO FILLFASTER TO SUBMITQUICKER RESPONSE AND PROCESSING

Opportunities?

GPEA provides reason to streamline service delivery

Build intelligence into electronic forms to enhance automated processing

Electronic signatures further enables electronic processing

GPEA, technology and infrastructure combined gives powerful reason to move forward

OMB’s Implementing Guidance

64 Fed. Reg. 10896 (Fri., March 5, 1999) Comments due: July 5, 1999 Send e-comments to: gpea@omb.eop.gov

Paperwork Elimination

Security: weigh the magnitude of the risk and select an appropriate combination of technology and practice to cost-effectively minimize risk and maximize benefits to agency and to customers

Computer Security Act risk-based standard

Electronic Signature: GPEA Definition (§ 1709(1))

A method of signing an electronic message that--– (A) identifies and authenticates a particular

person as the source of the electronic message; and

– (B) indicates such person’s approval of the information contained in the electronic message.

Signature:UCC Definition (§ 1-201(39))

Any symbol executed or adopted by a party with present intention to authenticate a writing.

Legal Effect and Validity

Electronic records submitted or maintained in accordance with procedures developed under this title, or electronicsignatures or other forms of electronic authentication usedin accordance with such procedures, shall not be deniedlegal effect, validity, or enforceability because such recordsare in electronic form.

-GPEA, section 1707

Factors to Consider in Planning Electronic Systems

Nature of the participants to the transaction

– interagency, intra-agency, public– level of trust based on experience with

other participants or trading partners

Type of transaction– type of activity involved in the transaction

(administrative, regulatory, law enforcement

– contract for goods or services– instrument creating financial or legal

liability– involves inherently sensitive or private

information

Factors to Consider (cont.)

Recordkeeping needs regarding the transaction– One-time information request and

response– Audit– Potential for dispute by a participant– Potential for dispute by a third party– Evidentiary considerations

Factors to Consider (cont.)

Privacy in Electronic Commerce

These electronic systems must protect the information’s confidentiality, assure that the information is not altered in an unauthorized way, and be available when needed.

-Vice-President Al Gore,

“Access America”

Privacy Act (5 U.S.C. 552a)

Federal databases containing personal identifying information in support of PINs, biometrics, or digital signatures are “systems of records.”

Contractor-maintained databases containing personal identifying information, e.g. contracted CA/RA services, are usually covered “systems of records.” Possible exception if certificates are generally available, e.g. SET.

Section 1708 of GPEA

Except as provided by law, information collected in the provision of electronic signature services for communications with an executive agency, as provided by this title, shall only be used or disclosed by persons who obtain, collect, or maintain such information as a business or government practice, for the purpose of facilitating such communications, or with the prior affirmative consent of the person about whom the information pertains.

Privacy and Disclosure: Basic Principles

Electronic authentication should only be required where needed

Tailor authentication needs to the transaction and the participants

Avoid collecting information that is more detailed than required

Inform participants that information collected will be managed consistent with the Privacy Act, Computer Security Act, and any other applicable laws.

Practical Implications/Good Practices

Collect it only if you need it. Disclose conditions and limits of use. Provide reasonable personal access with ability

to correct and/or update. Articulate and disclose protective policies and

measures. Destroy personal information when no longer

needed; important to determine appropriate retention period.

Electronic Commerce Trust Requirements

Authentication - ensure that transmissions and their originators are authentic (identity).

Data integrity - ensure that exchanged data is not reasonably subject to intentional or unintentional alteration.

Confidentiality - limit access to authorized entities.

Authentication/Identity Techniques

Personal Identification Numbers (PINS)

Automated teller machines (with token)

IRS TeleFile, SEC EDGAR (without token) Cryptographic Digital Signatures

Public and private sector pilots, some production applications

Biometrics

Can be used in conjunction with digital signatures

Others: SSL, S/MIME, route certificates

What do they have in common?

PINs, Digital Signatures, and Biometrics require the collection or maintenance of identifying information:

Directly:

Employee to employer

Taxpayer to IRS, Applicant to SSA Or indirectly:

Subscriber to Certification/Registration Authority

How do they differ?

PINs and biometrics/signature dynamics tend to be one to one within a single application, i.e. automates the stovepipes.

Cryptographic digital signatures can be used for multiple applications utilizing digital certificates as a component of a Public Key Infrastructure, i.e. can cut across stovepipes.

The bottom line:

Designing an automated system with better authentication and privacy than paper-based systems is not difficult,

BUT...

...it must be perceived by the user, oversight, and advocacy communities as being better.

– Yoda

Learn from others’ experiences!

Case in point: SSA’s PEBES

Electronic Commerce Sources

"Access America" - Government Information Technology Services Board

http://www.gits.gov

"Framework for Global Electronic Commerce"

http://www.ecommerce.gov

Federal Public Key Infrastructure Steering Committee

http://gits-sec.treas.gov

Overview of Current Electronic Signature

Technologies

Personal ID Number (“PIN”)

User enters name and password, or PIN.

PIN is a “shared secret” (known both to the user and to the system)

System checks the PIN to authenticate the user.

Smart Card

Plastic card containing an embedded chip that generates, stores and/or processes data

Computer reads data from the chip when the user enters a PIN or biometric identifier

Assists with implementation

Digitized Signature

Graphical image of a handwritten signature

Software compares a graphical image with the digitized representation

May be combined with PIN or biometric for higher level of security

Shared Private Key (Symmetric) Cryptography

User – signs document and – verifies signature using the same secret

key (long string of numbers) Secret key is shared between the sender

and the recipient, thus not the best authentication mechanism

Public/Private Key (Asymmetric Cryptography) - Digital Signatures

• Two keys, mathematically linked• One is kept private, other is made public• Private not deducible from public• For digital signature: One key signs, the

other validates• For confidentiality: One key encrypts, the

other decrypts

Digital Signature Overview

Access with Trust

Describes an essential technological and institutional means of fostering safe, secure electronic interactions, a “Public Key Infrastructure,” or PKI, using cryptographic-based “digital signatures.”

Available at: gits-sec.treas.gov

Challenges

Registration/identity proofing Private keys in hardware vs. software Interoperability within Federal agencies Interoperability outside Federal agencies Digital signature acceptance Directory management Making “the business case”

What PK Technology AllowsWhat PK Technology Allows

Authentication

Non-repudiation

Data integrity

Confidentiality

The Critical Questions

• How can the recipient know with certainty the sender’s public key? (to validate a digital signature)

• How can the sender know with certainty the recipient’s public key? (to send an encrypted message)

The Answer: A PK CertificateThe Answer: A PK Certificate

• A document which is - • Digitally signed by a Certification

Authority,• Based on identity-proofing done by a

Registration Authority,• Containing the individual’s public key,• Some form of the individual’s identity, and• A finite validity period

Public Key Infrastructure

• Registration Authorities to identity proof users

• Certification Authorities to issue certificates and CRLs

• Repositories (publicly available data bases) to hold certificates and CRLs

• Separate from CRLs, mechanisms for status checking of certificates (OCSP)

Agency Implementation

Use and manage electronic signature technology to:

– maximize the ability to authenticate the identity of the originator

– ensure integrity of the contents of the filing