Canadian census debacle

Canadian census debacle - http://trends.newsforge.com/trends/06/05/04/233250.shtml
contains a lively debate about the Canadian Census vs open source.

http://www.digital-copyright.ca/node/2425 is another review of the situation.
I too am very frustrated with the situation. As soon as I realized that the
Java applet involved was in fact Entrust's TruPass, I realized what had
happened.

Once filled out, the Census information is considered "Protected". That is,
it is classified information, and its classification is just above
Top-Secret.

If you want to collect information of that classification, you have to use
systems that have been evaluated for that classification. It turns that there
is only one such system available: the Entrust TruPass system. They wrote it
for Java on the theory that it was cross-platform, but the evaluation process
requires that it be evaluated on specific pieces of hardware and software.

That means that the version of Safari, IE, Firefox, etc. and the versions of
Java involved had to be locked down.

So, actually, they are violating the process - most end-user systems can not
be guaranteed to actually be close to the evaluated platform. This should be
a show-stopper. (I've been through this process)

Where is the real bug? It's in the evaluation (Common) criteria, which were
basically designed before the Internet, and were first applied in 1995.

We in the open source community are actually fortunate that they even got to
doing anything other than IE--- but that's only because the whole ePass
system is targetted for widespread use by the Government of Canada.

Frankly, I find the whole ePass system of dubious value. Yes, finally, client
side certificates... but how did they get enrolled? Are they being left on my
desktop? can I put them on a USB key? what else is going on? My understanding
is that the on-the-wire protocols are actually relatively standard, but the
cryptography isn't used to protect me, but to assure SecureChannel that they
are in fact talking to a "legitimate" copy of TruPass.

Why are those Performance Specifications not mentioned on the web sites?
It's a violation of NAFTA 1007 to use the brand names as they have been
used. The web site should go off line for THAT reason alone. This is really
a scandal larger than Gomery. The amount of money involved is 10x that of
Gomery.

Next problem: the helpdesk people were clearly not briefed or trained, and
the Bell people that were contacted were clearly NOT qualified to be doing
this work. Sure, Bell did some work. They procured the Entrust Toolkits, and
typed "make"

When it comes down to it, this Java Applet another chink in the war over who
owns my computer. See Bruce Schneier's comments: http://www.wired.com/news/columns/1,70802-0.html

The purpose of the Java Applet is not to make sure that your information is
secure. That's easily accomplished with run-of-the-mill SSL. If you wanted
more traceability and the ability to communicate multiple times, you'd use
client side certificates. The purpose of this Applet is to protect the
servers from being abused by network connections. In this case, it's very
effective, as it keeps the system from being used as well.

This is in the same way that the barely legible words-in-pictures (such as on
gmail.com, or yahoo, or random web logs) are designed to keep away
robots. It's not about covering our asses, or protecting our privacy --- it's
about covering theirs.

What can we do about this:

  • make governments realize that saying "Please use product X" is in fact an
    endorsement of that product.
  • make governments procure products using proper Performance
    Specifications
  • this isn't about Microsoft vs Linux. It's about
    interoperability. Interoperability benefits Microsoft too: they are
    currently fighting against having SAP being listed as a "requirement"

In practice, this won't really happen until we have some Linux, BSD and Mac
using members of parliament. Ones who refuse to run the junk that the
Parliament of Canada (a department with a whole file of procurement
violations) provides them. They will have to make a "federal case" of it.
So, ask candidates what browser they use on their computer. Expect your MPs
to be sufficiently technologically saavy to understand the question. We
expect them to understand economics, and it's a lot more complicated.
[Michael's Musings]