Digital Gov

Privacy, security and one login to rule them all?

"One ring to rule them all" - Frodo Baggins looking at the ring of Sauron.

Trust, privacy and security were at the center of a panel discussion Thursday at the U.S. Digital Services’ DigitalGov Citizen Services Summit.

“We can build all the beautiful digital services that we want, but if people don’t trust them, they’re not going to use them,” said the Transportation Department’s Chief Data Officer Dan Morgan.

Could commercial credentials and a new attitude toward privacy be the keys to future success?

The use of “sensitive information” could enable government to provide “amazing” new levels of service, said NIST privacy engineer Sean Brooks, but citizen concerns about privacy – “big brother” tracking them – necessitate a careful balance.

The sheer weight of logins is taxing, too.

The General Services Administration’s Jennifer Kerber lamented the pain of creating unique usernames and passwords for each government service online.

“What if I had the opportunity to bring a credential I trust to the government?” she queried.

It’s exactly what she and her GSA colleagues are working to create with, a service that allows users to connect with government using private credentials they already have and trust, such as through Google or PayPal.

Agencies don’t track which particular credential is provided, nor do they track the digital exhaust so often used for marketing purposes, Kerber said. They simply know the person’s identity has been verified by a trusted third party, saving users hassle and government money.

It’s still in the early stages and only a handful of agencies are integrating the service, but it holds potential.

“If you’re a consumer, you don’t care [about technicalities],” Kerber said. “You want convenience and you want trust.”

NIST’s Brooks said privacy, security and the ways agencies and people talk about them all need an overhaul.

“If I could eliminate the word creepy from all future conversations about privacy I would,” he said, noting that the word is often used in privacy/security conversation, but it doesn’t address the real problems and challenges.

When it comes to credentials and digital services, “privacy, security, interoperability and user friendliness,” should be the guiding principles, all considered and built into digital services from the ground up, Brooks said.

Both Brooks and Kerber noted that the “5,000-word privacy statement that makes the lawyers happy” is not a good model for the future of digital services – organizations need to shoulder responsibility for privacy and security, rather than shunting it onto users’ backs.

In pursuit of better practices, Brooks noted, NIST will be releasing a draft privacy engineering document for public comment “soon.”

He said he hopes to get input from the people currently getting their hands dirty in the field: “People who are actually trying to build stuff and do things.”

About the Author

Zach Noble is a former FCW staff writer.

