Archive for category Privacy
NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.
The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.
Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.
As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.
Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:
Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”
NSTIC is NOT a National ID
Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.
NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,
“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”
So I say “NSTIC credential” instead.
I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.
I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.
How NSTIC is Not Like a National ID
How NSTIC Might be Like a National ID
NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.
If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.
Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.
Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.
NSTIC is voluntary for the private sector and private citizens.
If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.
NSTIC credentials are not yet required to access government benefits.
Access to electronic government services may one day require an NSTIC credential.
NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.
NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.
Identity and Transaction Information is not stored in a single, centralized government database.
Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.
An NSTIC credential is designed for online transactions only.
With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.
I agree with the Center for Democracy and Technology’s Jim Dempsey who said,
The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.
I hope this table helps to frame the discussion about NSTIC as a National ID.
Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.
That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.
That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.
In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.
Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.
Then truly, the war will be lost.
Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.
The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.
Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.
If done well, an ideal NSTIC Identity Ecosystem could establish:
- High levels of identity assurance online, increasing trust between Users and service providers
- More secure online transactions
- Innovation and new services
- Improved privacy and anonymity
- Increased convenience for Users and savings for service providers
Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:
- Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
- Create incentives for businesses to not commoditize human identity
- Compensate for an individual’s unequal bargaining power when establishing privacy policies
- Subject Identity Providers to similar requirements to the Fair Credit Reporting Act
- Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
- Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy
While we’re concerned about the unsolved techological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.
If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:
- Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
- A false sense of control, privacy, and security among Users
- New ways to covertly collect Users’ personal information
- New markets in which to commoditize human identity
- Few consumer protections against abuse or sharing personal information with third parties
- No default legal recourse against participants who abuse personal information without consent
I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.
This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup . Finally, we’ll discuss Your Network Drives.
Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.
This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.
Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful memory probably means that you have backed-up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement. Before blindly making back-up copies of old hard drives, make sure that you first delete any information you don’t want to save.
This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.
Just about anything that can store information can be used to store sensitive personal information. Whether you use an external drive to back up sensitive data, or use a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.
Laptops, desktop computers and smartphones all have built-in internet browsers. A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history. Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.
Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.
A friend of mine recently received the following email from Walgreens:
December 10, 2010
Dear Valued Customer,
We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.
Read the rest of this entry »