NSTIC at a Crossroads

Updated January 11, 2011. After the January 7, 2011 NSTIC conference at Stanford, I revisited this blog, which originally posted after an October, 2010 conference call with representatives from the FTC, DHS and the White House cybersecurity staff. The topic was the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC). They are a dedicated staff with a thankless job. My hat is off to them for reaching out to me and other privacy advocates.

NSTIC is a high-level national plan to in for trustworthy, virtual identities. The goals of NSTIC are ostensibly to:

  1. Secure online transactions.
  2. Provide high levels of identity assurance online
  3. Foster innovation and new services
  4. Improve Privacy

If done correctly, NSTIC could indeed improve privacy. If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today’s Credit Reporting Agencies, all without functionally improving security.

Fair Information Practice Principles (FIPPs)

FIPPs are globally recognized principles which just about everyone agrees should govern the collection, storage, use, and dissemination of personal information. FIPPs include:

  • Notice and Awareness
  • Choice and Consent
  • Access and Participation
  • Integrity and Security
  • Enforcement and Redress
  • Others, like Data Minimization

In general, FIPPs are as non-controversial as “motherhood and apple pie.” But the United States has adopted the Notice and Consent legal regime where most of these FIPPs may be waived upon notice and consent. And since FIPPs can be adverse to the business interests of companies like Google, clickwrap agreements often include waivers of most privacy rights or expectations. For the most part, these “checkbox” agreements are enforceable.

Although the current draft of the NSTIC Implementation Plan makes liberal references to FIPPs, I am afraid that they might not mean much in practice, within the United States’ Notice and Consent legal regime.

IdP Regulation

In the most simple trusted identity framework, there are three participants: The User (Me), the Relying Party (RP), and the Identity Provider (IdP). Consider a typical transaction between a User and RP, let’s say me and Pandora. Federal law prohibits providers from collecting personal information on kids under 13 years old without a parent’s consent. Even though Pandora asks for my date of birth, they don’t need my date of birth; they just need to know I’m over 13.

That’s where Identity Providers come in. As a User I can assert to Pandora (the Relying Party) that I’m over 13. Then I send Pandora to a trusted, accredited third party Identity Provider. The IdP essentially says, “Yes, Aaron is over 13 years old, but we’re not giving you his date of birth.” The relying party has the information it needs, but not my date of birth. Pandora is satisfied, and my privacy between me and Pandora is enhanced. For discussion purposes, I’ll call this “retail privacy.”

But retail privacy is only half of the transaction. Since the transaction must go through an IdP, the IdP now has a record of my transaction, as well as all of my other transactions and behaviors, along with my date of birth and other personal information [Please see Jim Fenton's comment about attribute providers, below]. What if Pandora was allowed to purchase enriched information about me from my IdP later, without my knowledge or consent?

Essentially, this is the status quo, and the current draft of NSTIC would not prohibit such purchase from taking place. For ease of reference, I’ll call this “wholesale privacy.” Currently, data warehouses sell billions of dollars in personal information without the knowledge or consent of the data subjects. In this rather probable vision of NSTIC, “retail privacy” between the user and relying party increases, but the increased privacy is illusory unless the IdP is under strict regulations to keep the information private.

The privacy concerns of today – data collection and behavioral marketing practices of very large online service providers – are trivial compared to the new capability to piece together an Identity Ecosystem Participant’s inter-transactional history which, by definition, each Identity Provider in the Identity Ecosystem will have.

It is likely that the market will self-select a handful of large IdPs, who will be custodians of a large amount of Identity Ecosystem participant information, including inter-transactional history. While providing retail privacy to consumers and end-node Identity Ecosystem participants, IdPs will also amass huge warehouses of individual transactional data which may dwarf Transunion, Equifax, and Experian in sheer volume and data richness. This information will have huge economic value, and without strictly enforcing the FIPPs, each IdP will be under strong economic pressures to collect, mine, re-purpose, sell, and share the information with the highest bidder—often the very parties from whom users are trying to keep it.

Unless implemented properly, NSTIC could have a devastating effect on wholesale privacy, rendering any improvements in retail privacy illusory. Absent strict regulation, NSTIC has the potential to turn Identity Providers into pseudo-centralized Identity Reporting Agencies which are further removed from the public view and opaque to users.

But as of now, the NSTIC Strategy document and the Implementation Plan lack crucial detail about regulating IdPs. By definition, Identity Providers will be able to link all of an individual’s personal transactions. Without regulation, larger IDPs will be able to market, share or otherwise derive value from vast storehouses of transactional data, much like today’s credit reporting agencies.

At the very least, NSTIC must mandate the development of context-specific privacy standards for IdPs. Although I’m willing to participate in their development, frankly I’m not too optimistic that adequate protections will be implemented.

Other Points

I have other less substantial critiques of NSTIC, including a lack of detail on redress, whether NSTIC will truly preserve anonymity, or whether by definition any anonymity within the NSTIC framework will be able to be “unwound” to discover the individual’s true identity. Others have legitimate concerns that NSTIC may turn into a defacto National ID. And let’s face it, NSTIC will not solve many security problems. We will still have nodes of failure, risk of fraud, and errors in data.

At this point, NSTIC is at a crossroads. NSTIC could either be really good, or really bad for privacy. I’m hoping for the best, but I’ve learned not to hold my breath.

  1. #1 by Jim Fenton on January 10, 2011 - 3:57 pm


    In the NSTIC framework, there is a fourth type of participant: the attribute provider. All of the information about the user doesn’t come from a single IDP; different attributes will come from different places because we trust different parties for different types of information. This mitigates the centralization of the information somewhat.

    You’re right, though, there is the potential for IDPs to behave badly. It is my hope that privacy considerations will be a factor in IDP accreditation to participate in the Identity Ecosystem.

  2. #2 by Titus on January 10, 2011 - 4:13 pm

    You’re absolutely right. For clarity’s sake, I failed to mention the attribute provider. Thank you for the clarification and correction.

    In any implementation, an IdP will acquire attributes from different locations/ attribute providers. Ideally, the IdP will “forget” these attributes as soon as the transaction is completed. However, nothing in the NSTIC requires them to do so. Absent any kind of regulation, IdPs will have strong economic incentives to retain third party attributes. In a familiar implementation, an IdP may even penalize users if they refuse to allow the attributes to be stored with the IdP. Penalties may include higher fees, slower service, or more clicks.

    Even if IdPs voluntarily forget third-party attributes, we have learned that many of these attributes are unnecessary to establish identity or build a rich profile. IdPs will have direct access to a rich transactional history. And absent regulation, I don’t understand why any reasonable IdP would voluntarily forget this information. It’s just not in their interest.

    I agree that the NSTIC technical specifications theoretically allow for a near-Utopian privacy protections. But unfortunately the technology doesn’t require good behavior.

    Perhaps I am missing something in NSITC, but I don’t see any of these protections. Please let me know if you see the necessary regulatory protections. Or alternatively, help me understand the economic incentives that would encourage IdPs to behave properly. I just don’t see them.

  3. #3 by Stephen Wilson on January 10, 2011 - 4:17 pm

    Well said.

    NSTIC’s core claim to be privacy enhancing is lifted from the now orthodox Identity Metasystem, and its ideas of minimal disclosure and “verified anonymity”. These are good ideas for sure but as implemented they come with huge privacy costs that outweigh the benefits.

    It’s incredibly ironic that in minimising disclosure of PI between individual and service provider, the identity metasystem neccesitates new disclosures of PI to IdPs. As was the case with Big PKI 15 years ago, the IdPs are likely to be start-up companies. Even if they are themselves scrupulous with privacy, there’s the risk of hostile takeover leading to breaches and exploitation. Indeed it’s the aggregation of masses of PI that will make IdPs valuable (ala Facebook).

    Fundamentally, the Disclosure Limitation privacy principle dictates that when designing transaction systems we should seek to avoid adding intermediaries. But the Identity Metasystem is dominated by intermediaries — novel new intermediaries that are without precedent in regular business. If I want to transact anonymously, revealing just the minimal attributes relevant to the business at hand, it defies logic that I should have to involve a new broker, to whom I divulge my identity and who then hides that identity from the service provider.

    Federated Identity systems like NSTIC are much harder to build than first appears, mainly because they introduce radical legal arrangements and business models (like IdPs making new money from issuing identities). Minimum disclosure and “verified anonymity” actually have elegant technological solutions using smart devices, keeping things pure and simple between customers and service providers.

  4. #4 by Andy Steingruebl on January 10, 2011 - 4:21 pm

    Do you believe the situation is any worse than the exists today where many types of third-party tracking sites already have this data without any of the benefits to the user of identity assertion? Does the new NSTIC world actually make anything worse? I’m not convinced it does, and by making those third-party IdPs actually explicitly part of the transaction we have a more meaningful chance to get user consent, where we don’t have any of that today absent some of the proposed DNT features.

  5. #5 by Titus on January 11, 2011 - 11:54 am

    In its current draft, I believe that the technology which underpins NSTIC is privacy-agnostic. The technology will permit (but not require) NSTIC to be very privacy-enhancing, provided IdPs strictly adhere to well-established FIPPs.

    On the flip side, the technology will permit (but not require) NSTIC to nearly annihilate privacy by combining the worst of what we have today (e.g. practical lack of consent, aggregation, lack of control over personal information, etc.) combined with new capabilities for massive surveillance of detailed transactional information.

    The technology enables, but does not dictate policy. The market will exploit technology and therefore create policy, absent restraining regulation. When I look at the market incentives currently in place, they all tend to diminish privacy. When Google and Facebook become the world’s largest IdPs, their business models will dictate how they utilize the technology. And let’s face it, if we have to rely on Google and Facebook to protect user privacy, then privacy may very well be dead.

    I do not think that the market will come to the rescue of privacy. Consequently, regulation must. Because the current draft of NSTIC lacks any meaningful regulatory framework, I am nearly resigned to the fact that the most likely implementation of NSITC will result in the creation of the next generation of credit reporting bureaus: Identity Reporting Bureaus/ or IdPs.

  6. #6 by Stephen Wilson on January 11, 2011 - 3:43 pm

    I do believe that NSTIC will make things worse, for it normalises a much more complicated way of transacting, where numerous new parties are involved whenever a customer to access a service.

    The technology really does dictate policy because the architecture, based as it is on OIX and the “Identity Metasystem”, institutionalises new intermediaries in routine online transactions. At present, customers and service providers, or buyers and sellers, are usually in a bilateral relationship, in which most it not all of their transaction details are private. Under NSTIC, IdPs and others are joined to routine transactions; you won’t access any service on your own anymore but instead you will have an identity broker confirm your credentials, or notarise your attributes. The metasystem architecture is well intended but it’s arbitrary insofar as there are other decentralised ways to achieve the objectives of verified anonymity, identity security, interoperability etc. So the proposal will in fact constrain policy. It undoes major privacy principles by disclosing and collectiong personal information to new players where ordinarily customers and service providers would have conducted their business in private.

    The NSTIC is represented as inherently privacy enhancing because it has mechanisms for minimising disclosure to merchants, banks and other service providers. True, but on the other side of the ledger, it creates all sorts of new disclosures to third parties.

    All privacy and security systems involve tradeoffs. Are the tradeoffs I mention going to be worth it in NSTIC? To answer the question, let’s be careful not to overestimate the effectiveness of federated identity systems. The prospect of streamlining the number of different identities is probably exagerated. Past experience of Big PKI, Single Sign On in general (now often called Simplified Sign On) and OpenID shows that rationalising identities is harder than it looks. General purpose identities always come with fine print, like liability caps, usage conditions, and exclusions. Nobody is using OpenID in serious business. The popular use cases casually mentioned (imagined) in NSTIC dispatches (like a student using her university card to log in to her bank) are easier said than done. If the high end use cases don’t eventuate, then the net benefit of NSTIC will be negative.

  7. #7 by Bob Pinheiro on January 13, 2011 - 1:04 am

    It’s not necessarily true that IdPs need to be involved in every routine transaction. U-Prove technology provides a way to allow identity claims to be transmitted to a relying party without the knowledge of the IdP that issued the claim. U-Prove tokens that encode the claim can be “long lived”, and stored on an active client on the user’s device. So a long-lived token can be used with multiple relying parties without the knowledge of the IdP that issued the token. If, on the other hand, a cloud-based “identity agent” is used to store the token, it may be more of a challenge to maintain privacy.

  8. #8 by Mike Young, Esq. on September 13, 2011 - 4:07 am

    The propensity for this to be abused by the government in violation of individual privacy rights outweighs the benefits of such a system. When we see the feds obtain ex parte orders in non-emergency situations to such down websites accused of online piracy, there’s little reason to believe that restraint will be shown when some bureaucrat makes the decision to abuse “trusted” identities for the War on Terror, to protect the consumer, for the children, or simply out of boredom.

(will not be published)