Latest News
Subject: 2009 Outstanding MOICA Applications Award Ceremony and Seminar, 24th March 2009 – Keynote address by Mr James Kelaher, Australia
Date: 2009-05-18
Announcement Unit: Information Center, Ministry of the Interior
Content:

Minister Liao, award winners and nominees, honourable guests, ladies and gentlemen … good morning and congratulations on another fine MOICA awards ceremony.

Some of you may remember that I attended last year’s MOICA Awards Ceremony and it is my great pleasure to return and speak again this year. I wish to thank my colleagues at the Ministry of Interior for their kind hospitality.

One of the important objectives of this annual ceremony is to recognise the outstanding efforts that have been made to identify and meet citizen needs for e-government services using the MOICA card and PKI. In that connection, I will today offer some comments and encouragement, based on what is happening around the world.

Firstly, let me briefly mention a little about myself. Approximately half of my career has been in government and the other half has been in business. In government I have held a rank equivalent to major general in the Australian Defence Department and I have been the chief operating officer of the Australian Federal Police. I have also been the chief executive of Australia’s Medicare (which is equivalent to your BNHI) and I have been the chair of the Australian government’s PKI authority (called HeSA). I also chaired a major government task force that recommended the introduction of a citizen smart card for all Australians.

Since leaving the government I have become a director of Smartnet, a business that has many appointments as an expert adviser on the introduction of on-line services and the digital economy. My company has provided advice ranging across health, social services, disability services, postal services, biometrics, smart cards, financial services, privacy, high speed broadband technology and options for voluntary and mandatory adoption of new citizen services. I am a member of the National Consultative Committee on Security and Risk and of the global Health-e-Nation Advisory Committee. In a little over a week’s time I will be speaking with Asia-Pacific leaders in Bangkok regarding government smart health card programs.

I mention this background because I believe that it is relevant to my role here today and the remarks which I will be making.

The on-line world holds great potential for people, governments and business; increasingly we refer to this world as the ‘digital economy’. In the digital economy, people can access and transmit information at any time and from any place.

In many countries, the digital economy is creating important new opportunities to overcome domestic short-comings in service delivery as well as opening up tremendous new global business prospects. This is just as true in my country as it is in Taiwan – it is a global phenomenon.

However, as all of you here know, two of the most challenging issues for the digital economy are trust and identity. Since the beginning of human civilization we have used face to face interactions and physical artefacts, such as documents and seals, to legitimate things like identity and to create trust in processes that rely on identity and authentication.

But the digital economy allows people to invent and take on new identities virtually at will and, using the internet, almost any official document can be found, copied and forged within minutes. So, while we all want to use the digital economy to save time and to reach out across distances, we also realise that it can create new risks.

This creates significant challenges for governments. On the one hand many of us impatiently urge our national governments to win ground for us in the global digital economy, while many also want their government to be at the leading edge of vigilant and effective risk protection.

For example, leading governments around the world have introduced digital signature mechanisms and PKI to enable on-line authentication and to address the issues of identity and trust in the digital economy. However despite this many citizens (and bureaucracies and businesses) have struggled with how to exploit these solutions.

Virtually every week a new analysis pops up somewhere around the world analysing this situation. While, historically, many of these analyses have been somewhat limited, there is now a substantial body of experience developing. What we are seeing are some interesting common trends.

Of course we could easily write a book about this subject. But for the purposes of this morning’s discussion, I want to highlight seven areas in which new learnings are pointing the way towards improved solutions to identity and trust in the digital economy.

I think that each of these areas has some relevance to ensuring the continuing success of the MOICA card and to the Mid-Term Plan for e-Government that has been promoted by the Executive Yuan since 1998.

These seven areas are:
• Better registration solutions
• Better use of technology to support choice and to overcome the need for cumbersome processes
• More widespread experience in using chip cards with computers, terminals and point of sale equipment
• Government and private sector organisations working together to enable digital credentials to be used in private sector transactions as well as those with government
• Progress in understanding how to address concerns regarding privacy and liability protection
• Recognition that storage and access to digitally signed documents and work flows is a key driver of adoption, and
• Recognition that unless nations, businesses and bureaucracies address ‘digital divide issues’ uptake and use will continue to be limited.

I have observed many signs that Taiwan and the MOI, in particular, are aware of these considerations. However the solutions are not always easy; they often require governments and officials to lead the way in changing deeply ingrained processes. Sometimes enlisting the support of colleagues in government can be the greatest obstacle.

Let me give you a few examples.

Better Registration Methods

While some countries have national ID systems, others do not; the majority of countries have determined that citizens will not use a single ID for all services. For example in many countries, including Taiwan, there is a separate ID system for health.

As a result, there can tend to be quite onerous and repetitive registration processes. This tends to discourage people from undergoing registration for any new form of identity – such as a new ‘on line’ identity. Only those that are convinced of the benefits will be prepared to make the effort.

This raises three related points:
• How can we ‘electronically’ register people for on-line IDs and digital certificates?
• How can we make it possible for people who are already registered to use their digital ID as widely as possible?
• Should we enable people to interchangeably use their digital tokens, including using only one, if they wish to?

Obviously, the answer in all three cases is a resounding ‘YES’.

Through my company’s work I have seen some fine examples of this in Scandinavia and in parts of Asia. However in numerous other countries governments are going out of their way to avoid giving people what they want. As a result, there are quite a few examples of adoption and usage levels that have plateaued at a level well below the tipping point for mass adoption. This is leading to some very expensive failures.

Better Use of Technology to Support Choice

In recent years the capacity of switching software to ‘broker’ transactions between many different parties, using data from a variety of sources, has developed rapidly. This has given us new tools to resolve the movement of transactions across multiple – otherwise incompatible – systems. It has also enabled us to use technology to make registration processes easier, less restrictive and more reliable, and to avoid creating massive new databases – where the ownership and protection of data can be extremely problematic.

I have seen some very successful examples of this in Europe such as in Belgium, as well as in Australia and in Malaysia. Of course the situation in each country is subtly different and each solution needs to reflect local circumstances, but it is very interesting to draw on the successful solutions of others. In this field, I have learned that the issues tend to be very similar wherever you go.

Growing Experience in Using Chip Cards and PKI Technology

As people, businesses, governments and software vendors become more familiar with chip technology we are finding that the business processes for using PKI and digital signatures are improving.

As a result, people are finding it much easier to use PKI-embedded solutions and therefore resistance levels are lower. However, new technologies are coming that will make these processes even easier and more natural, such as PIN generators with a display that actually sits on the chip card and, of course, PKI applications that run on mobile phones.

If PKI is to be widely used it must be ubiquitous.

Using Digital Credentials for Private Sector Transactions

If PKI is to be ubiquitous, then it must be used – appropriately and consistently – in private sector as well as government applications. For example, our MOICA ‘internet ID’ and ‘internet signature’ must be useful and accepted everywhere.

Typically, one of the greatest concerns of citizens is that government and private sector uses of information need to be compartmentalised. This is driven by a deep distrust of government capacity to protect personal information from misuse.

In many respects governments have not done enough to address these concerns, particularly in areas such as privacy and liability protection. I will deal with various policy aspects of these subjects in a moment.

However there are also new technologies and business processes becoming widely available that do not require data to be shared between organisations (whether government or private), even though several may simultaneously be contributing pieces of data to a transaction.

This is enabling people to see more clearly that their privacy need not be threatened by governments and private sector organisations working together to deliver services on-line and in real time. A good example is the new e-ticketing and e-passport processes of airlines – where multiple parties collaborate electronically. We are also starting to see good progress being made in e-health – where the previous, often threatening emphasis on ‘unique and universal’ patient identifiers has given way to new numbering and switching solutions that do not require a single health data base for individuals. In fact, we now realise that such a concept was not only extremely unsettling for many people (including health professionals); it was never really feasible.

Better technology and a more enlightened understanding of how it can be used is enabling significant obstacles in moving transactions across government and private sector boundaries to be practically, simply and safely overcome.

Progress in Addressing Privacy and Liability Issues

Two major policy shifts are developing in this area: both are overdue.

Firstly, we are beginning to see a recognition by many governments around the world that, despite various legislative ‘frameworks’ for privacy protection, one of the deepest concerns that citizens have is that governments themselves are not prepared to be held accountable for privacy protection.

For example, government employees are most frequently the ones who are caught breaching citizen privacy. While a range of often low-level sanctions apply, they have tended to miss the point: the ‘government’ is generally not being held to account for the pain that can be caused to individuals by its privacy failures.

This is changing; for example, there is an emerging recognition that responsibility for privacy protection must reside with the organisation that first collected the information (generally a government agency), and that any loss or misuse of that information, wherever it subsequently occurs, should be sheeted home to the agency that first collected the data. In addition, governments are starting to recognise that in the event of a privacy breach, the agency CEO should bear major responsibility for ‘systemic failure’, just as would occur for any other corporate failure.

In combination, these two developments appear to herald a tidal change in government approaches to privacy that will potentially have long term implications for improved agency performance and citizen trust.

Another more technical area that is emerging is in the area of liability protection. Governments are starting to realise that they have a role to play in underwriting new national identity services. This is particularly important for promoting adoption and use by third parties.

There is a very useful parallel here. Many years ago, when credit cards were first introduced, people (and merchants) were very concerned about the initial open-ended exposure that they carried if a card was stolen or misused. Originally, issuing banks would not take any responsibility for addressing these liability issues. This contributed to the public unease that inhibited early attempts to encourage the adoption of credit cards.

It was only after governments and financial institutions cooperated to set personal liability limits that this concern dissipated. I believe that one of the first examples of this was in the US, with the passage of the Electronic Funds Transfer Act of 1978, which capped individual liability for unauthorised use of a credit card at $50. Since then most governments and financial institutions have collaborated to follow suit: adopting a consistent, systemic approach to address the liability risks faced by users of national and international financial systems.

There are now a number of cases of governments realising that similar approaches to underpin national on-line identity schemes are necessary. Otherwise there will be no ‘trust’ in the reliability of these identities or their value – by either the identity holder or those parties whom we want to support better quality on-line interactions as part of a national digital economy strategy.

Storage and access to digitally signed documents and work flows is a key driver of adoption

Embracing PKI means that many of the processes that accompany the use of a digital signature also need upgrading, such as how digitally signed documents will be authoritatively identified, stored and copied.

Despite the passage of laws that give equal status to digital signatures, many organisations, both government and private sector, have not implemented mechanisms to give effect to digital signatures by their clients.

This is undoubtedly partly caused by a reluctance to invest in new digital signature processes if a majority of the population is still using handwritten signatures.

However, we are starting to see numerous examples of successful use of digital certificates and PKI within ‘closed’ environments. For example, in the management of property transactions, procurement, financial instruments and some aspects of e-health.

In the USA there is an increasing use of digital signatures for car leasing, mortgages and procurement contracts. This has contributed to the development of sophisticated ‘multi-party’ digital workflow products and digital document vaults.

One of the reasons that these systems work so well is that there are audit controls, system administrators, work flow management tools, and so forth.

In other words, there are a whole lot of value adding services that create trust and confidence in a PKI environment that is intensively used and relied upon by a large number of users.

When thinking about new MOICA applications, particularly involving third parties, it is essential to consider how the needs of these other parties for a more attractive alternative business process can be satisfied. Otherwise the proposition may appear piecemeal and unattractive; not offering any viable alternative to the business processes that they presently use, despite all the acknowledged shortcomings.

One area where governments can lead is in the area of instituting ‘whole of government’ approaches to digital workflow management that embed and exploit the power of PKI. This is typically an area that governments have been slow to recognise and address. As a result, PKI initiatives can become fragmented, inconsistent and clumsy.

I also believe that a greater focus on this area will yield significant, appropriate opportunities for collaboration between government and business in the area of digital economy infrastructure and services.

Unless nations, businesses and bureaucracies address ‘digital divide issues’ uptake and use will continue to be limited

In order to achieve widespread take-up of PKI, digital signatures and on-line authentication, people need the tools and they need the motivation.

If people don’t have any capacity to access on-line services, then they will not try to do so. Similarly, if people don’t have a reason to use on-line services, they will not be interested in finding out how.

In one sense, governments need to fully commit to the digital economy, by making new services available on line and giving all people in the community the access they need. While this is partly a generational issue, it is also about equity and fairness. The nations that best deal with these subjects will ultimately be the most successful in extracting value from the digital economy.

However there is also room for tactical thinking about incentives; identifying appealing new services that shift people toward using MOICA cards, PKI and on-line authentication. This is something that one of my colleagues from eBay has highlighted as part of the eBay strategy for attracting customers.

The incentives offered need not be large. Something that causes people to start to use PKI and cards such as MOICA on a regular basis will make a significant difference to achieving permanent conversion. Obviously there is also some room for making ‘legacy’ methods less attractive over time to get majority adoption of on-line PKI services, but this needs to be handled with care and subtlety ….

So, what is the relevance of all of this to MOICA and today’s conference? I think that the MOICA card and all of the other parts of Taiwan’s digital economy strategy are first rate. But as I think you would all appreciate, some aspects of my comments today indicate that the work is not yet finished!

There are two areas that in the coming year I would like to encourage you to think deeply about. I believe they are at the core of widespread adoption and success and, ultimately, to a thriving world-leading digital economy.

The first area is to be tireless in seeking opportunities to provide stronger support for PKI workflow management across government processes, such as through introducing value-adding tools for document and information management in a ‘whole of government’ PKI environment.

The second area is in removing barriers to private sector and private citizen use of the MOICA card and credentials. Examples include property transactions, corporate filings, tax filings and share trades. However, perhaps the most outstanding example is in the area of government subsidies and concessions.

I am presently involved in several projects related to the delivery of government health and welfare subsidies to merchants at the point of sale, including, in the case of Malaysia, government petrol subsidies. These initiatives reduce fraud, simplify paperwork and reporting for merchants, and reduce roll-out costs by leveraging existing EMV card infrastructure at the retail level. In my view, this area of using the MOICA card and its related infrastructure to deliver and manage subsidies at the point of sale has major long-term potential. This is something that I will be speaking more about with my MOI colleagues in coming days.

Well, I think that is enough from me for the moment. Let me close by thanking the Minister and the MOI for their hospitality in inviting me here and let me congratulate the award nominees and winners.

I look forward to meeting and talking with all of you during the remainder of the conference and I hope that there will be further opportunities to exchange information and experience.