Canadian census debacle

http://trends.newsforge.com/trends/06/05/04/233250.shtml?tid=136&tid=2&tid=132 contains a lively debate about the Canadian Census vs open source.

http://www.digital-copyright.ca/node/2425 is another review of the situation.

I too am very frustrated with the situation. As soon as I realized that the Java applet involved was in fact Entrust’s TruePass, I realized what had happened.

Once filled out, the Census information is considered “Protected”. That is, it is classified information, and its classification is just above Top-Secret.

If you want to collect information of that classification, you have to use systems that have been evaluated for that classification. It turns out that there is only one such system available: the Entrust TruePass system. They wrote it for Java on the theory that it was cross-platform, but the evaluation process requires that it be evaluated on specific pieces of hardware and software.

That means that the version of Safari, IE, Firefox, etc. and the versions of Java involved had to be locked down.

So, actually, they are violating the process - most end-user systems cannot be guaranteed to actually be close to the evaluated platform. This should be a show-stopper. (I’ve been through this process.)

Where is the real bug? It’s in the evaluation (Common) criteria, which were basically designed before the Internet, and were first applied in 1995.

We in the open source community are actually fortunate that they even got to doing anything other than IE — but that’s only because the whole ePass system is targeted for widespread use by the Government of Canada.

Frankly, I find the whole ePass system of dubious value. Yes, finally, client side certificates… but how did they get enrolled? Are they being left on my desktop? Can I put them on a USB key? What else is going on? My understanding is that the on-the-wire protocols are actually relatively standard, but the cryptography isn’t used to protect me, but to assure SecureChannel that they are in fact talking to a “legitimate” copy of TruePass.

Why are those Performance Specifications not mentioned on the web sites? It’s a violation of NAFTA 1007 to use the brand names as they have been used. The web site should go off line for THAT reason alone. This is really a scandal larger than Gomery. The amount of money involved is 10x that of Gomery.

Next problem: the helpdesk people were clearly not briefed or trained, and the Bell people that were contacted were clearly NOT qualified to be doing this work. Sure, Bell did some work. They procured the Entrust Toolkits, and typed “make”.

When it comes down to it, this Java Applet is another chink in the war over who owns my computer. See Bruce Schneier’s comments: http://www.wired.com/news/columns/1,70802-0.html

The purpose of the Java Applet is not to make sure that your information is secure. That’s easily accomplished with run-of-the-mill SSL. If you wanted more traceability and the ability to communicate multiple times, you’d use client side certificates. The purpose of this Applet is to protect the servers from being abused by network connections. In this case, it’s very effective, as it keeps the system from being used as well.

This is in the same way that the barely legible words-in-pictures (such as on gmail.com, or yahoo, or random web logs) are designed to keep away robots. It’s not about covering our asses, or protecting our privacy — it’s about covering theirs.

What can we do about this:

  • make governments realize that saying “Please use product X” is in fact an endorsement of that product.
  • make governments procure products using proper Performance Specifications
  • this isn’t about Microsoft vs Linux. It’s about interoperability. Interoperability benefits Microsoft too: they are currently fighting against having SAP listed as a “requirement”

In practice, this won’t really happen until we have some Linux-, BSD- and Mac-using members of parliament. Ones who refuse to run the junk that the Parliament of Canada (a department with a whole file of procurement violations) provides them. They will have to make a “federal case” of it. So, ask candidates what browser they use on their computer. Expect your MPs to be sufficiently technologically savvy to understand the question. We expect them to understand economics, and it’s a lot more complicated.