Issue 11 - June 2001
First it was Windows-only tax returns. Now it's an entire authentication platform built on, and exclusively supporting, Microsoft software. But the signs are that Whitehall is having difficulty defending its proprietary-only policy for e-government...
As we go to press, the authentication service www.gateway.gov.uk, flagship of the UK government's ambitious policy of providing a complete range of services electronically by 2005, restricts access to anybody not running a combination of Windows and Internet Explorer. Mac users can enter the Gateway site but cannot do anything useful. Windows users running any version of Mozilla or Opera are barred from entry. Anybody else, including those running Linux or Unix of any flavour, is not welcome. They are told that they are running an unsupported browser.
Like much discrimination, this was probably due more to ignorance rather than design on the part of the commissioning body, the Office of the e-Envoy - an unfortunate consequence of the government following the current fashion among large organisations of outsourcing technological development. Many technologists would argue that companies which follow this policy will eventually regret the disappearance of in-house technical know-how. A significant irony is that the government's current sites, run by the soon-to-be-defunct CCTA, are a good example of how well-designed websites should be: fast, efficient, uncluttered, and standards-compliant, so much so that the www.open.gov.uk site carries a claim to that effect. Interestingly, the CCTA sites run on Linux, and include the MI5, GCHQ and Royal family websites. It's also a fair bet that the CCTA sites were designed and maintained at a fraction of the cost of their replacements.
The Microsoft tax
There is some history behind the development of the Government Gateway. Rumours say that the site was pulled from the previous developer and handed to Microsoft 15 weeks before its launch. As such the site is considered to be a great achievement, and well worth the £18 million-plus already spent. It is unlikely that the Microsoft employees spent much effort testing the Gateway on anything but Microsoft software. Nevertheless, the site declares explicitly, in more than one place, that users are required to be running Windows to achieve anything meaningful. Critics say that such a state of affairs is untenable, not just because companies that use other operating systems cannot gain access to pay their tax and the like, but also because the implication is that the government is committed to one vendor.
The Gateway is already a functioning service, used among others by the Inland Revenue to allow online payments and by Customs & Excise for VAT dealings - but only if the customer has pre-paid the Microsoft tax. Not every organisation uses Windows and Internet Explorer on the desktop. Linux and Netscape is a perfectly reasonable choice for an organisation, and we feature one such, Reliance Mutual, in this issue. As dealing electronically with government becomes more widely accepted, the demand will undoubtedly arise for automated transactions, and for transactions originated from servers and secure mobile devices as well as from traditional desktop clients. Can the government really be intending to force UK organisations to run Microsoft operating systems on all of their devices in order to do business with agencies, departments and local authorities?
If your name's not down...
The current bar to the service is twofold. The first, and more trivial, bar simply excludes non-Microsoft/Mac OS users from the site, although site managers do plan to allow limited, information-only access in the near future (and it is actually already possible to gain access to gateway.gov.uk using the excellent Guidescope proxy service to 'spoof' the identity of one's web browser and OS).
The second, and far more serious, issue is that individuals and organisations not running Microsoft products are prevented from using the Gateway's authentication service, due to the requirement for proprietary PKI technologies on the client computer. The site claims that other browsers do not give proper support for SSL and digital certificates. This is not true. For instance, the PSM (Personal Security Manager) module that comes with Mozilla provides perfectly good 128-bit SSL support. There is no problem providing server-authenticated HTTPS services with standards-compliant browsers. SSL's mutual-authentication mode requires the user to sign a token in order to start a session, and provides the server with assurance that (a) the client has a certificate that was issued by a trusted CA (certification authority); (b) the certificate has not been tampered with since it was issued; (c) the user also has the correct private key for that certificate; and (d) the client remains the same for the duration of the session. Points (a) and (b) together mean that you can use the information in the certificate (which was placed there by the CA when it issued the certificate) to gain whatever assurances the CA was able to obtain about the identity of the user, and to make the relevant mapping between this identity and the user's rights to use the service. Point (d) means that you can continue to use this throughout the session to establish rights for any particular operation you want to carry out.
The Cabinet Office says that authentication is "dependent on the client having commercially available PKI software already installed, and the user obtaining an X.509 certificate". The current certificates have been arranged with ChamberSign and EquiFax. EquiFax is an agency that collects credit information on UK citizens. The problem with authentication is not the certification as such, but the proprietary PKI software. It is doubtful whether this software offers any real security advantages to the user, but the advantage from the government's point of view is of non-repudiation and an extra dimension of fraud prevention. Nonetheless, the problem is not one that is encountered on sites that, for instance, handle banking, and still has the effect of tying the end user into a specific technology that is apparently available only to Microsoft clients.
Democracy and freedom
The Gateway has provoked high profile and sustained criticism for its neglect of standards and dependency on proprietary software. The e-government website KableNET reports Scott McNealey, chairman and CEO of Sun Microsystems, telling UK government officials on 4 May that the Office of the e-Envoy had been carrying on "like a dope fiend" in its approach to the Gateway project. Allowing Microsoft to develop the Government Gateway using its .NET strategy, which requires the use of other Microsoft products, was the "dot not" option, according to McNealy, who advised the UK instead to work with companies "with a tradition of not trying to hijack standards".
Meanwhile Bob Young, CEO of Red Hat, laments: "Here's Britain, the foundation of democracy and freedom, building its govermental infrastructure on proprietary binary-only technology from a known predatory monopolist. In a free market democracy our governmental infrastructures should be permanently open to competitive bid. You should never be locked into a single-source supplier. That's just a fundamental architectural mistake."
Public criticism has been combined with more softly-softly approaches, ranging from a Freedom of Information Request by Jason Kitcat of the FREE Project (developers of the GNU.FREE voting software) to less easily documented 'words to the wise'. Encouragingly, this appears to be having the desired effect as regards the material issue of access and interoperability. The e-Envoy's office has acknowledged that the current exclusive setup is not defensible, and has commissioned the prominent UK open source organisation netproject to specify how to build a PKI using open source. The objective is to take part in the interoperability trials being conducted by the government's Computer and Electronic Security Group later this year. The work is being co-ordinated by Dr Andrew Findlay, who will be giving an update on progress at netproject's LDAP server workshop on 28 June.
netproject director Eddie Bleasdale comments: 'The importance of this contract is that the UK government has recognised the need for at least one vendor-neutral entrant to the PKI Interoperability Trials." Dr Findlay adds: "Among the benefits to flow from this will be the provision of a non-proprietary 'neutral ground' where vendors will be able to work directly with the code at both ends of a communication." The e-Envoy's office has also expressed its intention to invite input and advice from the open source/free software community on these issues using the GovTalk website (see Key Links).
Caspar Bowden, director of the Foundation for Information Policy Research, speaks for many in welcoming this decision: "It looks as if the e-Envoy's office is recognising that free software solutions can have huge benefits, but may require seedcorn funding initially." Finally, and in a surprising context, we appear to be witnessing the first, tentative moves by the UK to catch up with European governments like Germany and France in their understanding of the need to support open source/free software.
Office of the e-Envoy
World Wide Web Consortium
The FREE Project
Foundation for Information Policy Research