The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.
Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.
If done well, an ideal NSTIC Identity Ecosystem could establish:
- High levels of identity assurance online, increasing trust between Users and service providers
- More secure online transactions
- Innovation and new services
- Improved privacy and anonymity
- Increased convenience for Users and savings for service providers
Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:
- Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
- Create incentives for businesses to not commoditize human identity
- Compensate for an individual’s unequal bargaining power when establishing privacy policies
- Subject Identity Providers to requirements similar to those of the Fair Credit Reporting Act
- Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
- Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy
While we’re concerned about the unsolved technological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards, and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.
If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:
- Powerful identity credentials which, if lost or stolen, will enable hyper-identity theft
- A false sense of control, privacy, and security among Users
- New ways to covertly collect Users’ personal information
- New markets in which to commoditize human identity
- Few consumer protections against abuse or sharing personal information with third parties
- No default legal recourse against participants who abuse personal information without consent
I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.