[OpenID] Applicability of OpenID to Federal Govt Social Software sites (U)

Dickover, Noel, CTR, NII/DoD-CIO Noel.Dickover.ctr at osd.mil
Wed Jan 28 21:29:11 UTC 2009


UNCLASSIFIED

Hi David, thanks for the response.  I absolutely agree that if the
government site is collecting personally identifiable information, they
need to conduct a Privacy Impact Assessment, and take all the security
precautions, and acquire all the necessary certifications and so forth
with storing this information.  Frankly, that whole process is a real
bear to get through.  And perhaps, for many types of interaction, the
government shouldn't be collecting this information anyways.   

The goal I'm exploring would be to alleviate the need for the Federal
Government to collect personally identifiable information at all
(depending on the site of course).  So instead of just allowing users to
use an OpenID account to login to the government site as one of many
options, I'm wondering if we restrict logins to OpenID accounts or
others like it (leaving open the possibility for competition), can we
alleviate the Federal Government the need of storing any personally
identifiable information? If we can get to the point that there is no
personally identifiable info in the govt app's database, then there
won't be a privacy impact.  If possible, this would result in huge cost
and time savings in setting up collaboration sites with the public. For
instance, in your wiki example below, if someone uses an OpenID account
from Yahoo.com for instance, does your wiki database still store their
personal information?

Regarding the OpenID Attribute Exchange Extension, are there instances
where sites using OpenID can display this information on the app's user
profile page, or accordingly, restrict certain parts of that information
based on user controls within their app?  

Thanks again for the response.


Best,
  Noel  


-----Original Message-----
From: David Recordon [mailto:david at sixapart.com] 
Sent: Wednesday, January 28, 2009 2:38 PM
To: Dickover, Noel, CTR, NII/DoD-CIO
Cc: general at openid.net
Subject: Re: [OpenID] Applicability of OpenID to Federal Govt Social
Software sites (U)

Hi Noel,
I definitely think you're on track here with the idea of allowing people
to login to the site using an account they already have elsewhere via
OpenID.  The OpenID community uses a hosted wiki product
(http://wiki.openid.net/) where people are able to sign in using OpenID
to edit the pages versus most traditional wikis which first require that
you create a new account.  This can be especially useful as people
interact with more than one site within a community; for example, I can
use the same OpenID to login to our wiki and blog/CMS.

In terms of the legal aspects, my understanding is that if you're still
collecting personally identifiable information you'll want to make sure
that OpenID users still agree to your terms of service.   That said,
using the OpenID Attribute Exchange Extension allows you to
programmatically request information such as their name, timezone, or
email address so that they don't need to type it in.

In terms of current US Government implementations of OpenID the main one
I'm aware of is that Change.gov supports OpenID sign in for commenting
via the service Disqus.  I was also out at the Smithsonian last week
where I learned about a project there which will be accepting OpenID
sign in as well.

Cheers,
--David

On Jan 28, 2009, at 11:25 AM, Dickover, Noel, CTR, NII/DoD-CIO wrote:


	UNCLASSIFIED 

	Greetings, 

	I'm interested in knowing whether anyone has looked at using
OpenID for Federal government-based social software sites. I'm currently
working on implementing a wiki-based site for the US Department of
Defense called DoD Techipedia.  The external portion of this will allow
interaction between government officials and industry representatives.
In looking at the larger issue, many people working these issues in
government are trying to work through the potential privacy impacts of
keeping public data on a government website.  It occurred to me that
perhaps we should be looking at using something like OpenID for managing
the external users to our systems.

	The hope would be that if users manage their own personal data
through OpenID, the Federal Govt doesn't need to be responsible, or
liable, for it.  Am I on target here?  If so, what would be necessary to
make this happen?  Or more to the point, has anyone already addressed
this issue?


	Thanks in advance, 

	Best, 

	Noel Dickover 
	DoD CIO, IT Investments and Commercial Policy Directorate 
	Social Software and Emerging Technologies 
	703-601-4729x152 
	Noel.Dickover.ctr at osd.mil 
	  

	_______________________________________________
	general mailing list
	general at openid.net
	http://openid.net/mailman/listinfo/general
	




