The technology really does dictate policy because the architecture, based as it is on OIX and the “Identity Metasystem”, institutionalises new intermediaries in routine online transactions. At present, customers and service providers, or buyers and sellers, are usually in a bilateral relationship, in which most it not all of their transaction details are private. Under NSTIC, IdPs and others are joined to routine transactions; you won’t access any service on your own anymore but instead you will have an identity broker confirm your credentials, or notarise your attributes. The metasystem architecture is well intended but it’s arbitrary insofar as there are other decentralised ways to achieve the objectives of verified anonymity, identity security, interoperability etc. So the proposal will in fact constrain policy. It undoes major privacy principles by disclosing and collectiong personal information to new players where ordinarily customers and service providers would have conducted their business in private.

The NSTIC is represented as inherently privacy enhancing because it has mechanisms for minimising disclosure to merchants, banks and other service providers. True, but on the other side of the ledger, it creates all sorts of new disclosures to third parties.

All privacy and security systems involve tradeoffs. Are the tradeoffs I mention going to be worth it in NSTIC? To answer the question, let’s be careful not to overestimate the effectiveness of federated identity systems. The prospect of streamlining the number of different identities is probably exagerated. Past experience of Big PKI, Single Sign On in general (now often called Simplified Sign On) and OpenID shows that rationalising identities is harder than it looks. General purpose identities always come with fine print, like liability caps, usage conditions, and exclusions. Nobody is using OpenID in serious business. The popular use cases casually mentioned (imagined) in NSTIC dispatches (like a student using her university card to log in to her bank) are easier said than done. If the high end use cases don’t eventuate, then the net benefit of NSTIC will be negative.

On the flip side, the technology will permit (but not require) NSTIC to nearly annihilate privacy by combining the worst of what we have today (e.g. practical lack of consent, aggregation, lack of control over personal information, etc.) combined with new capabilities for massive surveillance of detailed transactional information.

The technology enables, but does not dictate policy. The market will exploit technology and therefore create policy, absent restraining regulation. When I look at the market incentives currently in place, they all tend to diminish privacy. When Google and Facebook become the world’s largest IdPs, their business models will dictate how they utilize the technology. And let’s face it, if we have to rely on Google and Facebook to protect user privacy, then privacy may very well be dead.

I do not think that the market will come to the rescue of privacy. Consequently, regulation must. Because the current draft of NSTIC lacks any meaningful regulatory framework, I am nearly resigned to the fact that the most likely implementation of NSITC will result in the creation of the next generation of credit reporting bureaus: Identity Reporting Bureaus/ or IdPs.

NSTIC’s core claim to be privacy enhancing is lifted from the now orthodox Identity Metasystem, and its ideas of minimal disclosure and “verified anonymity”. These are good ideas for sure but as implemented they come with huge privacy costs that outweigh the benefits.

It’s incredibly ironic that in minimising disclosure of PI between individual and service provider, the identity metasystem neccesitates new disclosures of PI to IdPs. As was the case with Big PKI 15 years ago, the IdPs are likely to be start-up companies. Even if they are themselves scrupulous with privacy, there’s the risk of hostile takeover leading to breaches and exploitation. Indeed it’s the aggregation of masses of PI that will make IdPs valuable (ala Facebook).

Fundamentally, the Disclosure Limitation privacy principle dictates that when designing transaction systems we should seek to avoid adding intermediaries. But the Identity Metasystem is dominated by intermediaries — novel new intermediaries that are without precedent in regular business. If I want to transact anonymously, revealing just the minimal attributes relevant to the business at hand, it defies logic that I should have to involve a new broker, to whom I divulge my identity and who then hides that identity from the service provider.

Federated Identity systems like NSTIC are much harder to build than first appears, mainly because they introduce radical legal arrangements and business models (like IdPs making new money from issuing identities). Minimum disclosure and “verified anonymity” actually have elegant technological solutions using smart devices, keeping things pure and simple between customers and service providers.

In any implementation, an IdP will acquire attributes from different locations/ attribute providers. Ideally, the IdP will “forget” these attributes as soon as the transaction is completed. However, nothing in the NSTIC requires them to do so. Absent any kind of regulation, IdPs will have strong economic incentives to retain third party attributes. In a familiar implementation, an IdP may even penalize users if they refuse to allow the attributes to be stored with the IdP. Penalties may include higher fees, slower service, or more clicks.

Even if IdPs voluntarily forget third-party attributes, we have learned that many of these attributes are unnecessary to establish identity or build a rich profile. IdPs will have direct access to a rich transactional history. And absent regulation, I don’t understand why any reasonable IdP would voluntarily forget this information. It’s just not in their interest.

I agree that the NSTIC technical specifications theoretically allow for a near-Utopian privacy protections. But unfortunately the technology doesn’t require good behavior.

Perhaps I am missing something in NSITC, but I don’t see any of these protections. Please let me know if you see the necessary regulatory protections. Or alternatively, help me understand the economic incentives that would encourage IdPs to behave properly. I just don’t see them.

In the NSTIC framework, there is a fourth type of participant: the attribute provider. All of the information about the user doesn’t come from a single IDP; different attributes will come from different places because we trust different parties for different types of information. This mitigates the centralization of the information somewhat.

You’re right, though, there is the potential for IDPs to behave badly. It is my hope that privacy considerations will be a factor in IDP accreditation to participate in the Identity Ecosystem.