The Open House Project from The Sunlight Foundation

Technical Challenges of Communication: Authentication

October 6th, 2007 by Joshua Tauberer · 2 Comments

I guess this is going to be a series of blog posts on this subject. For me, this is a lot of thinking out loud and trying to figure out whether there’s something in here for me to tackle (with my nonexistent spare time), so I appreciate the comments.

As commenters Oxa and Chris (in the post before last) note, OpenID is one of these emerging protocols that would seem to be helpful here. Sort of. Here’s the technical side of the problem we face: When a citizen signs a letter (or joins into one of these many-to-one communications), how does the congressional office know that that signature is legit? Currently, the only authentication in the process is citizens providing at least seemingly-real addresses, but as one staffer at the CMF conference noted, there are people (maybe not many, but at least one) who are using other people’s names and addresses when submitting letters to Congress.

A technical solution here would be for congressional offices to implement some (whatever it might be) form of authentication, and someone at the conference (apologies I forget who) mentioned conceivably using the e-Authentication system (in development) at GSA (iirc). That would authenticate people against bank accounts, possibly. (And someone else at the conference raised the question of whether that was fair to all.)

The problem gets a little bit worse if someone wants to implement one of these communications methods outside of the Capitol. In this case, not only does one have to do the authentication as above (and probably without the GSA’s help), but one has to then be able to convince congressional offices that the signatures being relayed are legit. It’s one thing to authenticate at the time of signature, and quite another to be able to prove to someone else that you did the authenticating. (Well, proving may not be necessary. Trust is another solution.)

Of course, these issues have been completely solved at the lowest technical level in the world of encryption. The issue here is a matter of how to implement it so it’s not limited to geeks with PGP keys and congressional offices with geeky staffers who can verify PGP signatures.
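The gap described above, between authenticating a signer and proving to a congressional office that you did so, is what a digital signature closes. The sketch below is an added example, not part of the original post: the attestation format, function names and sample data are assumptions, and Ed25519 stands in for the PGP signatures mentioned above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attestation is the statement the relaying site vouches for (hypothetical format).
type Attestation struct {
	Name       string `json:"name"`
	Address    string `json:"address"`
	LetterHash string `json:"letter_sha256"` // binds the signer to one letter
}

// NewSiteKey creates the site's key pair; the public half goes to each office.
func NewSiteKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil) // nil selects crypto/rand
}

// Attest runs at the site, after it has checked the signer's name and address.
func Attest(priv ed25519.PrivateKey, name, addr string, letter []byte) (msg, sig []byte, err error) {
	h := sha256.Sum256(letter)
	msg, err = json.Marshal(Attestation{Name: name, Address: addr, LetterHash: fmt.Sprintf("%x", h)})
	if err != nil {
		return nil, nil, err
	}
	return msg, ed25519.Sign(priv, msg), nil
}

// Verify runs at the office, which holds only the public key and the letter.
// The signature is checked before the message is parsed.
func Verify(pub ed25519.PublicKey, msg, sig, letter []byte) (*Attestation, bool) {
	var a Attestation
	h := sha256.Sum256(letter)
	if !ed25519.Verify(pub, msg, sig) || json.Unmarshal(msg, &a) != nil || a.LetterHash != fmt.Sprintf("%x", h) {
		return nil, false
	}
	return &a, true
}

func main() {
	pub, priv, _ := NewSiteKey() // errors ignored for brevity in this demo
	letter := []byte("Constructed sample letter.")
	msg, sig, _ := Attest(priv, "Jane Doe", "1 Example St, Springfield", letter)
	_, ok := Verify(pub, msg, sig, letter)
	fmt.Println("office accepts:", ok)
}
```

The signature shows only that the holder of the site's key vouched for this name, address and letter; whether the site's own check of the address was sound remains a matter of trust.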

Now, as for OpenID in particular: it doesn’t actually solve the problem, because there is no way to tie an OpenID to a real-world name and home address, which is what we really need. OpenID, for readers who haven’t seen it yet, is a sort of global login identifier that you would use to log in at any website, rather than giving a different username and password for each website you use. It’s a great idea because, most interestingly, it is a completely decentralized system, and an open standard.

OpenID is certainly a good place to start if you want to build a system that is going to have broad applicability (i.e. “open use”?) beyond verifying signatures on letters to Congress. How to co-opt OpenID into this is an open question, as far as I know. (I’ve talked about it ever so briefly with Andrew Lee at Fantasy Congress. I also noticed that the idea of authentication was listed on the Gateway to Gov wiki some time ago. And I know people in the OpenID and FOAF communities have thought of issues like this, but I don’t believe anyone has tackled it head-on.)

To do the actual authenticating, really the only practical way that I know of is using credit card billing addresses — charging users a nominal fee to authenticate, and then returning the money (or not).

So here’s the bottom line as I see it now: An authentication system is the primary thing we need if we’re going to have new forms of congressional communication. Building the core of this system based on credit card billing addresses should take about a week. I would do it myself except that the system must process credit cards and possibly needs to hold onto some personal information (certainly not the credit card number, but a name, home address, and an encryption key, for instance), which makes the site a huge liability and responsibility.

Tags: OpenHouse · communication

2 responses so far ↓

  • Oxa Koba // Oct 6, 2007 at 11:34 pm

    The issue of authentication and government is certainly a sticky matter.

    Personally, off the cuff, I am less than comfortable with basing certification on financial data like my credit card number. Statistically, not everyone has a credit card or a financial picture that would benefit from a credit card. I personally did not seek out a credit card until well after I was out of college. Using a credit card based model would have made me ineligible for such a system for nearly seven years. Perhaps a model that has more to do with voter identity certification could help.

    I am vaguely aware of a contemporary debate about how to confirm the identity of citizens during elections when they arrive at the polls. Is there a method of relating voter identity to county election rolls? Could county election officials be charged (via the FEC) with providing electronic authentication to their citizens and representatives? I am sure policies and systems vary widely state by state, but is there any chance the FEC could be enlisted to create a system whereby a voter has an ID that congressional staffers can authenticate against and trust?

    Or another idea. The House / Senate cooperatively provides a web-based system to their members’ offices, whereby, via the member’s website, a citizen can create an account of sorts with a communication ID. The citizen provides a mailing address. The system uses USPS to send a postcard with a confirmation number to that postal address. It would be slow, but once a citizen has used the confirmation number to create an ID it is valid until the county of their voter registration changes. If you are not registered to vote, you are prevented from communicating electronically with your congressmen.

    Talking through this, I see that there are a lot (!) of obstacles to building a system of trust. Sigh.

  • Joshua Tauberer // Oct 8, 2007 at 4:27 pm

    Both of those are, in principle, workable solutions to the authentication problem. But, I can’t really see them being implemented in reality.
