Updated January 11, 2011. After the January 7, 2011 NSTIC conference at Stanford, I revisited this blog, which originally posted after an October, 2010 conference call with representatives from the FTC, DHS and the White House cybersecurity staff. The topic was the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC). They are a dedicated staff with a thankless job. My hat is off to them for reaching out to me and other privacy advocates.
NSTIC is a high-level national plan to in for trustworthy, virtual identities. The goals of NSTIC are ostensibly to:
- Secure online transactions.
- Provide high levels of identity assurance online
- Foster innovation and new services
- Improve Privacy
If done correctly, NSTIC could indeed improve privacy. If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today’s Credit Reporting Agencies, all without functionally improving security.
Fair Information Practice Principles (FIPPs)
FIPPs are globally recognized principles which just about everyone agrees should govern the collection, storage, use, and dissemination of personal information. FIPPs include:
- Notice and Awareness
- Choice and Consent
- Access and Participation
- Integrity and Security
- Enforcement and Redress
- Others, like Data Minimization
In general, FIPPs are as non-controversial as “motherhood and apple pie.” But the United States has adopted the Notice and Consent legal regime where most of these FIPPs may be waived upon notice and consent. And since FIPPs can be adverse to the business interests of companies like Google, clickwrap agreements often include waivers of most privacy rights or expectations. For the most part, these “checkbox” agreements are enforceable.
Although the current draft of the NSTIC Implementation Plan makes liberal references to FIPPs, I am afraid that they might not mean much in practice, within the United States’ Notice and Consent legal regime.
In the most simple trusted identity framework, there are three participants: The User (Me), the Relying Party (RP), and the Identity Provider (IdP). Consider a typical transaction between a User and RP, let’s say me and Pandora. Federal law prohibits providers from collecting personal information on kids under 13 years old without a parent’s consent. Even though Pandora asks for my date of birth, they don’t need my date of birth; they just need to know I’m over 13.
That’s where Identity Providers come in. As a User I can assert to Pandora (the Relying Party) that I’m over 13. Then I send Pandora to a trusted, accredited third party Identity Provider. The IdP essentially says, “Yes, Aaron is over 13 years old, but we’re not giving you his date of birth.” The relying party has the information it needs, but not my date of birth. Pandora is satisfied, and my privacy between me and Pandora is enhanced. For discussion purposes, I’ll call this “retail privacy.”
But retail privacy is only half of the transaction. Since the transaction must go through an IdP, the IdP now has a record of my transaction, as well as all of my other transactions and behaviors, along with my date of birth and other personal information [Please see Jim Fenton's comment about attribute providers, below]. What if Pandora was allowed to purchase enriched information about me from my IdP later, without my knowledge or consent?
Essentially, this is the status quo, and the current draft of NSTIC would not prohibit such purchase from taking place. For ease of reference, I’ll call this “wholesale privacy.” Currently, data warehouses sell billions of dollars in personal information without the knowledge or consent of the data subjects. In this rather probable vision of NSTIC, “retail privacy” between the user and relying party increases, but the increased privacy is illusory unless the IdP is under strict regulations to keep the information private.
The privacy concerns of today – data collection and behavioral marketing practices of very large online service providers – are trivial compared to the new capability to piece together an Identity Ecosystem Participant’s inter-transactional history which, by definition, each Identity Provider in the Identity Ecosystem will have.
It is likely that the market will self-select a handful of large IdPs, who will be custodians of a large amount of Identity Ecosystem participant information, including inter-transactional history. While providing retail privacy to consumers and end-node Identity Ecosystem participants, IdPs will also amass huge warehouses of individual transactional data which may dwarf Transunion, Equifax, and Experian in sheer volume and data richness. This information will have huge economic value, and without strictly enforcing the FIPPs, each IdP will be under strong economic pressures to collect, mine, re-purpose, sell, and share the information with the highest bidder—often the very parties from whom users are trying to keep it.
Unless implemented properly, NSTIC could have a devastating effect on wholesale privacy, rendering any improvements in retail privacy illusory. Absent strict regulation, NSTIC has the potential to turn Identity Providers into pseudo-centralized Identity Reporting Agencies which are further removed from the public view and opaque to users.
But as of now, the NSTIC Strategy document and the Implementation Plan lack crucial detail about regulating IdPs. By definition, Identity Providers will be able to link all of an individual’s personal transactions. Without regulation, larger IDPs will be able to market, share or otherwise derive value from vast storehouses of transactional data, much like today’s credit reporting agencies.
At the very least, NSTIC must mandate the development of context-specific privacy standards for IdPs. Although I’m willing to participate in their development, frankly I’m not too optimistic that adequate protections will be implemented.
I have other less substantial critiques of NSTIC, including a lack of detail on redress, whether NSTIC will truly preserve anonymity, or whether by definition any anonymity within the NSTIC framework will be able to be “unwound” to discover the individual’s true identity. Others have legitimate concerns that NSTIC may turn into a defacto National ID. And let’s face it, NSTIC will not solve many security problems. We will still have nodes of failure, risk of fraud, and errors in data.
At this point, NSTIC is at a crossroads. NSTIC could either be really good, or really bad for privacy. I’m hoping for the best, but I’ve learned not to hold my breath.