Aardvark Daily

Please visit the sponsor!

Aye Gov (igovt), t'is a worry

The government realises that using the internet to interact with citizens could be a great way to streamline those communications and save everyone a great deal of time, money and effort.

For that reason, they've been working away on a system that's been called igovt.

The idea behind this strategy is that everyone who needs or wants to interact with a government department online will be issued a unique identity that will allow them to authenticate themselves when accessing those sites and services on the internet.

What a great idea.

And with the might of the state's coffers and organisational skills behind it, what could possibly go wrong?

Well for a start, it seems that only a simple name/password combo is being used to perform the authentication online.

Sure, to get these login credentials you will need to front up with a mountain of identifying documentation, such as your passport, drivers license or whatever -- but once you've got that login ID and password you're good to go.

It has been proven time and time again that single-factor authentication systems are bad -- very bad.

They make ID theft so easy that it's almost ridiculous.

If you allow people to choose easily-remembered passwords then they become trivial for any hacker worthy of the title to break.

If you issue people with a strong (cryptic and long) password then it's inevitable that many will resort to writing that ID and password down so as to avoid forgetting it and once again -- this creates huge risk.

Has the government not heard that ID theft is one of the largest (and most lucrative) crimes of the 21st century?

Surely, something like igovt that is so critical as to require strong documentary evidence in order to gain an ID in the first place deserves the protection of a system a whole lot stronger than just a name and password?

Okay, I'm being a little unfair -- there is a two-factor option built into the system.

When you register with igovt, you'll be asked for your mobile number. When any government agency needs a higher level of authentication than the ID/password pair, it'll send an SMS to your mobile containing a second-factor code that you'll then have to key into the site.

Sounds great eh?

But what happens when you decide to get a new mobile and can't be bothered transferring your number?

You'll have to go through a whole separate process to update that mobile number on your igovt record. No, you won't be able to do it yourself online or that's the first thing an ID thief would do once they'd gotten your ID/password pair (duh!).

Of course if you don't have a mobile phone (and believe it or not, some folks don't) then you're stuffed I guess.

Similarly, if you're one of the few people who don't have a drivers licence or passport I have no idea how you're going to get an igovt login.

One has to wonder -- whether your igovt login effectively the equivalent of a virtual ID card -- you know, the thing that was roundly rejected by Kiwis when mooted a decade or two ago.

How long (I wonder) before access to the internet may be conditional on the igovt system authenticating your identity each time you log on?

Might the pressure bring bought to bear by various industries see such a "authenticated access" clause built into the ACTA convention currently being thrashed out behind closed doors by our politicians?

And let's not forget -- we're still engaged in "the war against terror" so unless you can prove who you are, you may be considered a terrorist by default.

Okay, I've drawn some long bows here but I think we should all have in the back of our minds that "from tiny acorns, giant oak trees grow" -- and so it is with government's desire to regulate, control and monitor those who it is elected to serve.

The igovt authentication system may be a great idea -- but it also has huge potential for misuse, abuse and overuse.

Please visit the sponsor!

Have your say on this...

PERMALINK to this column

Oh, and don't forget today's sci/tech news headlines

Rank This Aardvark Page

Change Font