The other week I wrote a blog post titled Canadian Governments: How to Waste millions online ($30M and Counting) in which I argued that OpenID should be the cornerstone of the government's online identification system. The post generated a lot of online discussion, much of which was of very high quality and deeply thoughtful. On occasion, comments can enhance and even exceed a post's initial value, and I'd argue this is one of these cases - something that is always a joy when it happens.

There was, however, one comment that struck me as particularly important, not only because it was thoughtful, but because the type of comment is so rare. This is because it came from a government official. In this case, from Dave Nikolejsin, the CIO of the Government of British Columbia.

Everything about Mr. Nikolejsin's comment deserves to be studied and understood by those in the public and private sector seeking to understand how to engage the public online. His comment is a perfect case of how and why governments should allow public servants to comment on blogs that tackle issues they are themselves addressing.

What makes Mr. Nikolejsin's comment (which I've reprinted below) so effective? Let me break out the key components:

  1. It's curious: Given the nature of my blog post, a respondent could easily have gone on the offensive and merely countered claims they disagreed with. Instead, Mr. Nikolejsin remains open and curious about the ideas in the post and its claims. This makes readers and other commentators less likely to attack and more likely to engage and seek to understand.
  2. It seeks to return to first principles: The comment is effective because it is concise and it tackles the specific issues raised by the post. But part of what really makes it shine is how it seeks to identify first principles by talking about different approaches to online IDs. Rather than ending up arguing about solutions, the comment engages readers to identify what assumptions they may or may not have in common with one another. This won't necessarily make people more likely to agree, but they'll end up debating the right thing (goals, assumptions) rather than the wrong thing (specific solutions).
  3. It links to further readings: Rather than try to explain everything in his response, the comment instead links to relevant work. This keeps the comment shorter and more readable, while also providing those who care about this issue (like me) with resources to learn more.
  4. It solicits feedback: "I really encourage you to take a look at the education link and tell me what you think." Frequently, comments simply retort points in the original post they disagree with. This can reinforce the sense that the two parties are in opposition. Mr. Nikolejsin and I actually agree far more than we disagree: we both want a secure, cost-effective, and user-friendly online ID management system for government. By asking for feedback he implicitly recognizes this and is asking me to be a partner, not an antagonist.
  5. It is light: One thing about the web is that it is deeply human. Overly formal statements look canned and cause people to tune out. This comment is intelligent and serious in its content, but remains light and human in its style. I get the sense a human wrote this, not a communications department. People like engaging with humans. They don't like engaging with communications departments.
  6. Community Feedback: The comment has already sparked a number of responses which contain supportive thoughts, suggestions and questions, including some by those working in municipalities, as experts in the field and citizen users. It's actually a pretty decent group of people there - the kind a government would want to engage.

In short, this is a comment that sought to engage. And I can tell you, it has been deeply, deeply successful. I know that some of what I wrote might have been difficult to read but after reading Mr. Nikolejsin's comments, I'm much more likely to bend over backwards to help him out. Isn't this what any government would want of its citizens?

Now, am I suggesting that governments should respond to every blog post out there? Definitely not. But there were a number of good comments on this post, and the readership, in terms of who was showing up, likely makes commenting on a post like this worthwhile.

I've a number of thoughts on the comment that I hope to post shortly. But first, I wanted to repost the comment, which you can also read in the original post's thread here.

Dave Nikolejsin <dave.nikolejsin@gov.bc.ca> (unregistered) wrote: Thanks for this post David – I think it’s excellent that this debate is happening, but I do need to set the record straight on what we here in BC are doing (and not doing).

First and foremost, you certainly got my attention with the title of your post! I was reading with interest to see who in Canada was wasting $30M – imagine my surprise when I saw it was me! Since I know that we’ve only spent about 1% of that so far I asked Ian what exactly it was he presented at the MISA conference you mentioned (Ian works for me). While we would certainly like someone to give us $30M, we are not sure where you got the idea we currently have such plans.

That said, I would like to tell you what we are up to and really encourage the debate that your post started. I personally think that figuring out how we will get some sort of Identity layer on the Internet is one of the most important (and vexing) issues of our day. First, just to be clear, we have absolutely nothing against OpenID. I think it has a place in the solution set we need, but as others have noted we do have some issues using foreign authentication services to access government services here in BC simply because we have legislation against any personal info related to gov services crossing the border. I do like Jeff’s thinking about who in Canada can/will issue OpenIDs here. It is worth thinking about a key difference we see emerging between us and the USA. In Canada it seems that Governments will issue online identity claims just like we issue the paper/plastic documents we all use to prove our Identities (driver’s licenses, birth certificates, passports, SINs, etc.). In the USA it seems that claims will be issued by the private sector (PayPal, Google, Equifax, banks, etc.). I’m not sure why this is, but perhaps it speaks to some combination of culture, role of government, trust, and the debacle that REALID has become.

Another issue I see with OpenID relates to the level of assurance you get with an OpenID. As you will know if you look at the pilots that are underway in US Gov, or look at what you can access with an OpenID right now, they are all pretty safe. In other words “good enough” assurance of who you are is ok, and if someone (either the OpenID site or the relying site) makes a mistake it’s no big deal. For much of what government does this is actually an acceptable level of assurance. We just need a “good enough” sense of who you are, and we need to know it’s the same person who was on the site before. However, we ALSO need to solve the MUCH harder problem of HIGH ASSURANCE online transactions. All Governments want to put very high-value services online like allowing people access to their personal health information, their kids’ report cards, driver’s license renewals, even voting some day, and to do these things we have to REALLY be sure who’s on the other end of the Internet. In order to do that someone (we think government) needs to vouch (online) that you are really you. The key to our ability to do so is not technology, or picking one solution over the other, the key is the ID proofing experience that happens BEFORE the tech is applied. It’s worth noting that even the OpenID guys are starting to think about OpenID v.Next (http://self-issued.info/?p=256) because they agree with the assurance level limitation of the current implementation of OpenID. And OpenID v.Next will not be backward compatible with OpenID.

Think about it – why is the Driver’s License the best, most accepted form of ID in the “paper” world? It’s because they have the best ID proofing practices. They bring you to a counter, check your foundation documents (birth cert., Card Card, etc.), take your picture and digitally compare it to all the other pictures in the database to make sure you don’t have another DL under another name, etc. Here in BC we have a similar set of processes (minus the picture) under our Personal BCeID service (https://www.bceid.ca/register/personal/). We are now working on “claims enabling” BCeID and doing all the architecture and standards work necessary to make this work for our services. Take a look at this work here (http://www.cio.gov.bc.ca/cio/idim/index.page?).

I really encourage you to take a look at the education link and tell me what you think. Also, the standards package is getting very strong feedback from vendors and standards groups like the ICF, OIX, OASIS and Kantara folks. This is really early days and we are really trying to make sure we get it right – and spend the minimum by tracking to Internet standards and solutions wherever possible.

Sorry for the long post, but like I said – this is important stuff (at least to me!) Keep the fires burning!

