Many workers in human services, she told me, are reluctant to provide data that would be useful to improve the services. She’d like to track homeless people as they move from one jurisdiction to another, for instance, to provide better continuity of service and find out what works and what doesn’t. The agency staff are afraid that sinister forces within government will misuse data. While we have no lack of sinister forces in government, it appears that the people needing human services are more at risk of snooping by random staff people, facilitated by the awful security practices just mentioned.
I’m not surprised that employees would treat passwords as just one of the many random impediments they have to bypass each day to do their jobs. Given how many regulations reflect political grandstanding rather than life on the street, and how many well-meaning regulations outlive their usefulness, workers have to interpret the rules in a (shall we say) creative manner. I’m sure many employees in private industry get through the day the same way; it’s not limited to government. But an even deeper issue is at work.
Security systems are, to many ill-trained workers, indistinguishable from the other odd computing annoyances they suffer from every day. From the beginning of data centers over fifty years ago, we’ve felt that computer systems were impersonal and somewhat supernatural. Like too many government regulations, we’re never told why the rules are in place, and nobody seems able to update them.
To this day, our passivity is reinforced by designers’ rigidity. We perform a certain operation fifty times a day and still have to press a button in an “Are you sure?” dialog box. We have to go to one menu to enter a header on a document, and another menu far away to add fields to that header. We assume that elements of Microsoft Office’s interface take on the immutability of a force of nature (and reproduce those elements in all sorts of other products) until suddenly a new release changes them.
It becomes inconceivable that a particular element of our daily computing, such as a requirement to enter a password, might actually have been rationally designed by some human being and put in to protect us.
Luckily, savvy computer users complain. They also call for more adaptable systems. I know that the drive in the computer industry nowadays is to make systems more intuitive and easier to use, but I don’t know whether we can anticipate the needs of every user well enough to achieve those goals. What we can do is make systems more open, document them better, and make them easier to change. And then maybe employees will start to become responsible guardians of security procedures. As a security researcher at CERT confirmed for me recently, no computer system can be secure if the end-user undermines the policy.


One problem that most bureaucracies seem to have is the "enter the same data many times" problem. When you go to the hospital, you can end up writing your name and address five different times on five different forms; same at the state department of motor vehicles; etc. I'd guess that one of the problems with government computer systems is that your username and password fall into this category: you have to keep entering them over and over, and sometimes they're not the same username and password (because different systems have different rules for what is a valid username or password). I certainly feel like life got a lot easier after my browser (Firefox) started encrypting all auth creds with a master password, so that it was safe to let it remember creds between sessions. Effectively, that master password is now my one password. All the other stuff is implementation details.
In general, this is the problem that OpenID is meant to solve. But then the problem becomes that all your eggs are in one basket: if someone gets access to your OpenID creds, they get access to everything. Maybe OpenID has some system whereby you can have different levels of password (low-, medium-, high-security) for the same username?
Auditing might help. If every system logs all accesses, and there is a credible threat that the logs will be audited from time to time, then people will behave responsibly while logged in, and identity theft would be more easily detected. In particular, it might be a good idea (in OpenID) if at any time I could view a summary of *all* places where I'd logged in, and for how long, in reverse chronological order. Maybe that summary could even be emailed to me once a week. The online summary has to be read-only, though. That way if someone cracks my OpenID creds, they can only view the summary, not change it.
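The per-user login summary the comment above describes, as an added example that is not part of the original post or the comment: it pairs LOGIN/LOGOUT records from several systems into sessions, orders them in reverse chronological order with durations, and flags sessions a reviewer would want to look at (off-hours logins, or logins to a system the user is not expected to use). The log format, the field names, the sample lines and the expected-systems table are all constructed for this example.

```python
"""Added example: build a reverse-chronological, per-user login summary from
audit log lines and flag unusual sessions. The log format and all sample data
are assumptions made for this example, not any real system's format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log, one "timestamp user system event" record per
# line, as several services might write it (not in time order).
SAMPLE_LOG = """\
2009-03-02T08:55:00 alice payroll LOGIN
2009-03-02T09:40:00 alice payroll LOGOUT
2009-03-02T12:10:00 alice caseload LOGIN
2009-03-02T12:45:00 alice caseload LOGOUT
2009-03-03T08:50:00 alice payroll LOGIN
2009-03-03T17:05:00 alice payroll LOGOUT
2009-03-04T02:13:00 alice dmv-records LOGIN
2009-03-04T02:20:00 alice dmv-records LOGOUT
2009-03-02T09:00:00 bob caseload LOGIN
"""

# Constructed table of the systems each user is expected to use.
EXPECTED_SYSTEMS = {"alice": {"payroll", "caseload"}, "bob": {"caseload"}}


def parse_log(text):
    """Parse log lines into (timestamp, user, system, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts, user, system, event = line.split()
        events.append((datetime.fromisoformat(ts), user, system, event))
    return events


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same (user, system).

    Returns {user: [(login_time, system, duration_minutes), ...]}, newest
    first. A session with no LOGOUT in the log has duration None.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, user, system, event in sorted(events, key=lambda e: e[0]):
        key = (user, system)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            start = open_sessions.pop(key)
            minutes = (ts - start).total_seconds() / 60
            sessions[user].append((start, system, minutes))
    for (user, system), start in open_sessions.items():
        sessions[user].append((start, system, None))  # still logged in
    for user in sessions:
        sessions[user].sort(key=lambda s: s[0], reverse=True)
    return dict(sessions)


def unusual_logins(sessions, expected=EXPECTED_SYSTEMS):
    """Return (user, login_time, system, reasons) for sessions worth a look:
    logins between 22:00 and 06:00, or to a system outside the user's
    expected set. These thresholds are assumptions for the example."""
    flagged = []
    for user, user_sessions in sessions.items():
        for start, system, _minutes in user_sessions:
            reasons = []
            if start.hour < 6 or start.hour >= 22:
                reasons.append("off-hours")
            if system not in expected.get(user, set()):
                reasons.append("unexpected system")
            if reasons:
                flagged.append((user, start, system, reasons))
    return flagged


def format_summary(user, sessions):
    """Render the read-only summary a user could be shown or e-mailed."""
    lines = [f"Login summary for {user} (newest first):"]
    for start, system, minutes in sessions.get(user, []):
        length = "still open" if minutes is None else f"{minutes:.0f} min"
        lines.append(f"  {start:%Y-%m-%d %H:%M}  {system:<12} {length}")
    return "\n".join(lines)


if __name__ == "__main__":
    sessions = build_sessions(parse_log(SAMPLE_LOG))
    for user in sessions:
        print(format_summary(user, sessions))
    for user, start, system, reasons in unusual_logins(sessions):
        print(f"REVIEW: {user} on {system} at {start:%Y-%m-%d %H:%M}: "
              + ", ".join(reasons))
```

The summary is built from the logs rather than from anything the user can edit, which is what makes it read-only in the sense the comment asks for: someone holding the user's credentials can view it but cannot remove the entry that records their own session.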
Governments aren't the only ones with these kinds of problems. I am a consultant who works for mostly private corporations and I have seen some doozies. One great example was this unix sysadmin who simply didn't want to adhere to the IT security policy we crafted for a secured printing system. His ONLY job was to install the Linux systems and then hand over the keys to us for integration testing for the next phase of the project. Instead of installing them and just leaving it at that, the jerk created himself a user account on every box and put an suid shell script in it so he could gain root anytime he wanted. I guess he thought we were dumb and wouldn't notice something so obvious. His excuse was that he didn't want to adhere to the IT process for obtaining elevated privileges because "it would take too long". Anyway, we tried to have the guy fired but he was a nephew or something of someone important and was simply moved to another division, presumably to continue his idiotic habits.
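The kind of control that catches the leftover setuid backdoor described in the comment above, as an added example that is not the commenter's or any project's code: a scan that lists every setuid or setgid regular file and reports those not present in a recorded baseline of expected privileged programs. The baseline, the sample file records and the helper names are assumptions constructed for this example; the scan flags the bit wherever it is set, on a binary or a script, and leaves deciding whether the kernel would honor it to the reviewer.

```python
"""Added example: find setuid/setgid files that are not in a known baseline.
The baseline and the sample records are constructed for this example."""
import os
import stat
from collections import namedtuple

FileRecord = namedtuple("FileRecord", "path mode uid")

# Assumed baseline: the privileged programs an administrator recorded on a
# freshly installed box. A real baseline is generated from the install and
# stored somewhere the scanned host cannot alter.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo"}

# Constructed sample records, as os.lstat would report them.
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    FileRecord("/usr/bin/sudo", stat.S_IFREG | stat.S_ISUID | 0o755, 0),
    FileRecord("/home/jdoe/notes.txt", stat.S_IFREG | 0o644, 1001),
    FileRecord("/home/jdoe/.bin/shell", stat.S_IFREG | stat.S_ISUID | 0o755, 1001),
    FileRecord("/usr/local/bin/sg", stat.S_IFREG | stat.S_ISGID | 0o755, 0),
    FileRecord("/home/jdoe/link", stat.S_IFLNK | 0o777, 1001),  # symlink, ignored
]


def is_setxid_file(rec):
    """True for a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(rec.mode) and bool(rec.mode & (stat.S_ISUID | stat.S_ISGID))


def find_unexpected(records, baseline=BASELINE):
    """Return setuid/setgid files whose path is not in the baseline, sorted
    by path so reports are stable between runs."""
    return sorted((r for r in records if is_setxid_file(r) and r.path not in baseline),
                  key=lambda r: r.path)


def scan_tree(root):
    """Walk a real directory tree and collect FileRecords without following
    symlinks (os.lstat), skipping entries that cannot be stat'ed."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            records.append(FileRecord(path, st.st_mode, st.st_uid))
    return records


def describe(rec):
    """One report line: which bit is set, who owns the file, where it is."""
    bits = []
    if rec.mode & stat.S_ISUID:
        bits.append("setuid")
    if rec.mode & stat.S_ISGID:
        bits.append("setgid")
    return f"{'+'.join(bits):<13} uid={rec.uid:<6} {rec.path}"


if __name__ == "__main__":
    # Report on the constructed records; pass scan_tree("/") for a live host.
    for rec in find_unexpected(SAMPLE_RECORDS):
        print("UNEXPECTED:", describe(rec))
```

Running the scan from a scheduled job on every handed-over box, and diffing its output against the recorded baseline, turns "we hope nobody left a backdoor" into a check that fires before integration testing starts.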