<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Because I am Here &#187; Privacy</title>
	<atom:link href="http://www.aarontitus.net/blog/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aarontitus.net/blog</link>
	<description>Aaron Titus&#039; Personal Blog</description>
	<lastBuildDate>Sat, 10 Sep 2011 10:54:46 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>NSTIC Identity Ecosystem Marketplace Roles and Concepts</title>
		<link>http://www.aarontitus.net/blog/2011/04/28/nstic-identity-ecosystem-marketplace-roles-and-concepts/</link>
		<comments>http://www.aarontitus.net/blog/2011/04/28/nstic-identity-ecosystem-marketplace-roles-and-concepts/#comments</comments>
		<pubDate>Thu, 28 Apr 2011 13:23:10 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[NSTIC]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=387</guid>
		<description><![CDATA[This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.
NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.”  While the Identity Ecosystem will provide value to any participant which needs [...]]]></description>
			<content:encoded><![CDATA[<p>This post is a follow-up to our April 15, 2011 <a href="http://www.identityfinder.com/Software/Docs/IDF-NSTIC-WP.pdf">whitepaper</a> and accompanying <a href="http://www.identityfinder.com/Software/Docs/IDF-NSTIC-PRES.pptx">presentation</a>.</p>
<p>NSTIC envisions a secure “<a href="http://www.nstic.us/strategy.html#sec6para10item1" title="National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy, April 15, 2011, p. 24">Identity Ecosystem Framework</a>,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.”  While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity.  Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.”  An Identity Marketplace already exists, and has been admirably illustrated by <a href="http://www.slideshare.net/tkawaja/luma-display-ad-tech-landscape-2010-1231" title="Display Advertising Technology Landscape, dated March 15, 2011">Luma Partners, LLC</a>  and <a href="http://www.improvedigital.com/wp-content/uploads/DigitalAdvertisingIndustryMap2010_EN_1.2.pdf" title="2010 – Display Advertising Market Map Europe—v. 1.1, English">Improve Digital</a>.</p>
<p>The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here.  A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with <a href="http://www.nstic.us/strategy.html#sec6para2">official NSTIC definitions</a>, usually because the official definitions lack clarity within the context of this analysis.</p>
<p><span id="more-387"></span><br />
<div id="attachment_390" class="wp-caption alignleft" style="width: 310px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/04/Identity-Ecosystem-Roles-Close-Icons.png"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/04/Identity-Ecosystem-Roles-Close-Icons-300x272.png" alt="Major Identity Ecosystem Roles and Concepts" title="Major Identity Ecosystem Roles and Concepts" width="300" height="272" class="size-medium wp-image-390" /></a><p class="wp-caption-text">Major Identity Ecosystem Roles and Concepts</p></div></p>
<ul>
<li>A <strong>Subject</strong> or <strong>User</strong> is an <a href="http://www.nstic.us/strategy.html#sec6list1item1">individual</a> or <a href="http://www.nstic.us/strategy.html#sec6list1item2">Non-Person Entity</a> (NPE) which must assert its identity to a Relying Party in order to receive a benefit such as access to a trusted network, bank account access, or access to premium content online.</li>
<li>An <strong>Attribute Provider</strong> (AP) creates, stores and allows others (such as the Identity Provider and Relying Party) to access or analyze User Attributes, usually under conditions. An Attribute Provider is also usually a Third Party. In the Identity Ecosystem, an Attribute Provider must be trusted as an authoritative source of information.  Typical examples of attribute providers might be a government title registry, national credit bureau, or commercial marketing database.</li>
<li>An <strong>Attribute</strong> is a fact related to a User. Attributes may include traditional PII, information about authority, roles, rights, privileges, or any other fact asserted by a User, Attribute Provider, or Third Party. NSTIC <a href="http://www.nstic.us/strategy.html#sec6list1item4">defines &#8220;Attribute&#8221;</a> as &#8220;a named quality or characteristic inherent in or ascribed to someone or something.&#8221;</li>
<li>An <strong>Identity Provider</strong> (IdP) is an organization certified as trustworthy through an accreditation authority. An IdP issues a credential, which corresponds to a piece of information known to the User (such as a password), a biometric attribute, or information stored on an Identity Medium (not represented herein).  An IdP is responsible for verifying the credential when used as evidence of a User’s identity.  An IdP may collect attributes about the User from Attribute Providers, store those attributes, and compare them against assertions made by the User to a Relying Party.  Identity Providers do not guarantee the correctness of attributes obtained from Attribute Providers, but may instead confirm that a Claim made by a User matches information from Attribute Providers.  Identity Providers may share User attributes, personal information, and Transaction Information with Relying Parties, Third Parties, Parent Companies and Attribute Providers, in accordance with the Data Usage Policy.</li>
<li>A <strong>Data Usage Policy</strong> is a contract between a User and Identity Provider, governing the use and disclosure of User information held by the Identity Provider.</li>
<li><strong>Transaction Information</strong> is a record of the benefit provided to the User from the Relying Party, and is analogous to a receipt. Transaction Information may include the name of a product purchased, a log of network access and User activity, or services provided.</li>
<li><strong>Identity Medium</strong> refers to the physical device that stores an NSTIC-compatible identity credential. Examples of Identity Media include cell phone apps, smart cards, or USB computer dongles. Identity Media are not visually represented, and are not required for a transaction.</li>
<li>A <strong>Relying Party</strong> (RP) is a person or NPE that requires some degree of identity assurance and possibly User Attributes before it will provide a benefit to the User.</li>
<li>A <strong>Parent Company</strong> is a company which owns or is affiliated with the Identity Provider and/or the Relying Party in such a way that by action of law, ownership or contract, the Parent Company has the right to access and use the Identity Provider or Relying Party’s data assets, unless expressly prohibited by law or regulation.</li>
<li>A <strong>Third Party</strong> is any person, organization, system, or device which has no direct affiliation with the User or the transaction in question. A familiar example of a Third Party is an online advertiser.</li>
<li>For purposes of my discussions, I define a <strong>Claim</strong> as an assertion that an Attribute is truthful or correct. A Claim may be made by any party.  Examples of User Claims are, “I am over 18 years old,” “I am a constituent or citizen,” or “I am authorized to enter your network.” Claims are not visually represented here.  In technical circles, a “claim” is an assertion that may be derived by comparing or analyzing one or more Attributes.</li>
<li>According to <a href="http://www.nstic.us/strategy.html#sec6para10item1" title="National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy, April 15, 2011, p. 24.">NSTIC</a>, the <strong>Identity Ecosystem Framework</strong> is “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.” </li>
<li>The <strong>Identity Ecosystem Marketplace</strong> is the Identity Marketplace created by the Identity Ecosystem, where Identity Ecosystem Participants may commoditize and trade User identities and Attributes in exchange for benefits.  Not all Identity Ecosystem transactions necessarily commoditize human identity. The exchange of identity information in many e-commerce transactions is ancillary to the transaction, and the User pays directly for the benefit of the transaction (e.g. a money transfer, music or movie download). Notwithstanding, the Identity Ecosystem Marketplace enables Participants to more easily commoditize identity as an additional source of revenue. NSTIC recognizes that Participants should not be allowed to buy and sell identity information within the Ecosystem, but does not yet identify a credible mechanism to enforce this requirement.</li>
<li><strong>Fair Information Practice Principles</strong> (FIPPs) are Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.  NSTIC identifies FIPPs as core requirements in the Identity Ecosystem, but stops short of mandating FIPPs.</li>
</ul>
<p>The NSTIC <a href="http://www.nstic.us/strategy.html#sec3para1">guiding principles</a> are:</p>
<ul>
<li>Identity solutions will be <strong>privacy-enhancing</strong> and <strong>voluntary</strong>.</li>
<li>Identity solutions will be <strong>secure</strong> and <strong>resilient</strong>.</li>
<li>Identity solutions will be <strong>interoperable</strong>.</li>
<li>Identity solutions will be <strong>cost-effective</strong> and <strong>easy to use</strong>.</li>
</ul>
<p>Through these guiding principles, NSTIC aims to accomplish its <a href="http://www.nstic.us/strategy.html#sec1para6">primary goals</a> of:</p>
<ul>
<li><strong>Privacy</strong></li>
<li><strong>Convenience</strong></li>
<li><strong>Efficiency</strong></li>
<li><strong>Ease-of-use</strong></li>
<li><strong>Security</strong></li>
<li><strong>Confidence</strong></li>
<li><strong>Innovation</strong>, and</li>
<li><strong>Choice</strong>.</li>
</ul>
<p>Future posts will explore the interaction of these roles in the Identity Ecosystem Marketplace, and under what conditions NSTIC will be able to meet its goals.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/04/28/nstic-identity-ecosystem-marketplace-roles-and-concepts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSTIC as a National ID</title>
		<link>http://www.aarontitus.net/blog/2011/04/26/nstic-as-a-national-id/</link>
		<comments>http://www.aarontitus.net/blog/2011/04/26/nstic-as-a-national-id/#comments</comments>
		<pubDate>Tue, 26 Apr 2011 17:29:46 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[NSTIC]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=374</guid>
		<description><![CDATA[Even outrageous statements on controversial topics often contain flecks of truth.  This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC as a &#8220;National ID,&#8221; identify the golden flecks and nuggets of truth, and frame the debate on this important topic.
As NSTIC develops, we can [...]]]></description>
			<content:encoded><![CDATA[<p>Even outrageous statements on controversial topics often contain flecks of truth.  This is an attempt to pan through the muddy waters of <a href="http://www.nist.gov/nstic">NSTIC</a> media coverage in relation to NSTIC as a &#8220;National ID,&#8221; identify the golden flecks and nuggets of truth, and frame the debate on this important topic.</p>
<p>As NSTIC develops, we can expect to hear more sound bites in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver&#8217;s License. Some of the fear is warranted. Some of it is not.  All of the risk and uncertainty should be measured to the fullest extent possible, without <a href="http://www.fastcompany.com/1715659/national-identity-cyberspace-why-we-shouldnt-freak-out-about-nstic">freaking out</a>.</p>
<p>Frankly, I do not have a comprehensive definition for a &#8220;National ID&#8221; right now. <a href="http://twitter.com/#!/jim_harper">Jim Harper</a>, director of Information Policy Studies at the <a href="http://www.cato.org/">Cato Institute</a>, and author of <a href="http://www.amazon.com/Identity-Crisis-Identification-Overused-Misunderstood/dp/1930865856"><em>Identity Crisis: How Identification Is Overused and Misunderstood</em></a>, would have a much better answer than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:</p>
<p>Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification.  To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued.  For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as &#8220;Identity Theft.&#8221;</p>
<h2>NSTIC is NOT a National ID</h2>
<p>Several commentators have expressed <a href="http://www.cbsnews.com/8301-501465_162-20027837-501465.html" title=" Obama Eyeing Internet ID for Americans , January 7, 2011.">skepticism</a> to <a href="http://www.eff.org/deeplinks/2010/07/real-id-online-new-federal-online-identity-plan" title=" Lee Tien and Seth Schoen,  Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns , July 20th, 2010">downright</a> <a href="http://www.techi.com/2011/01/obamas-national-internet-id/" title=" JD Rucker,  Why Obama's National Internet ID Solution is a Really, REALLY Bad Idea , January 10, 2011.">disdain</a> for NSTIC as a back-door approach to instituting a National ID. NSTIC&#8217;s defense to these accusations is simple and true, but incomplete: <strong>NSTIC is NOT a National ID</strong>.</p>
<p>NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems.  Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials.  In fact, I am guilty of a technical <em>faux pas</em> by using the term &#8220;NSTIC credential,&#8221; since no such thing actually exists. But unfortunately I don&#8217;t have a better shorthand way of saying,<br />
<blockquote>&#8220;Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the &#8216;overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,&#8217; which are implemented using a range of technologies, mediums, and authentication protocols.&#8221;</p></blockquote>
<p>  So I say <em>&#8220;NSTIC credential&#8221;</em> instead.</p>
<p>I do not attempt to establish a comprehensive definition for a &#8220;National ID&#8221; here.  But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.</p>
<p>I decline to call NSTIC a &#8220;National ID.&#8221; Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.</p>
<table border="1" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th>
<p>How NSTIC is Not Like a National ID</p>
</th>
<th>
<p>How NSTIC Might be Like a National ID</p>
</th>
</tr>
<tr>
<td>
<p>NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.</p>
</td>
<td>
<p>If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.</p>
</td>
</tr>
<tr>
<td>
<p>Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.</p>
</td>
<td>
<p>Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4<sup>th</sup> Amendment.</p>
</td>
</tr>
<tr>
<td>
<p>NSTIC is voluntary for the private sector and private citizens.</p>
</td>
<td>
<p>If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.</p>
</td>
</tr>
<tr>
<td>
<p>NSTIC credentials are not yet required to access government benefits.</p>
</td>
<td>
<p>Access to electronic government services may one day require an NSTIC credential.</p>
</td>
</tr>
<tr>
<td>
<p>NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.</p>
</td>
<td>
<p>NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.</p>
</td>
</tr>
<tr>
<td>
<p>Identity and Transaction Information is not stored in a single, centralized government database.</p>
</td>
<td>
<p>Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.</p>
</td>
</tr>
<tr>
<td>
<p>An NSTIC credential is designed for online transactions only.</p>
</td>
<td>
<p>With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.</p>
</td>
</tr>
</tbody>
</table>
<p>I agree with the Center for Democracy and Technology’s <a href="http://www.cdt.org/blogs/jim-dempsey/new-urban-myth-internet-id-scare" title=" Jim Dempsey,  New Urban Myth: The Internet ID Scare , January 11, 2011.">Jim Dempsey who said</a>,</p>
<p>
<blockquote>The Obama Administration is not planning to create a government ID for the Internet.  In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn&#8217;t be trusted.</p></blockquote>
<p>I hope this table helps to frame the discussion about NSTIC as a National ID.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/04/26/nstic-as-a-national-id/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why I Support Jeremy Grant, and Hope NIST Will Too</title>
		<link>http://www.aarontitus.net/blog/2011/04/18/why-i-support-jeremy-grant-and-hope-nist-will-too/</link>
		<comments>http://www.aarontitus.net/blog/2011/04/18/why-i-support-jeremy-grant-and-hope-nist-will-too/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 16:13:49 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[NSTIC]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=363</guid>
		<description><![CDATA[Those even remotely familiar with Washington politics know that everything is political.  A few agencies, such as the Census Bureau, attempt to stay above the political fray with varying degrees of success.  The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies.  NIST has learned [...]]]></description>
			<content:encoded><![CDATA[<p>Those even remotely familiar with Washington politics know that <em>everything is political</em>.  A few agencies, such as the Census Bureau, <em>attempt</em> to stay above the political fray with varying degrees of success.  The <a href="http://www.nist.gov">National Institute of Standards and Technology</a> (NIST) is arguably the gold standard of apolitical federal agencies.  NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy.  As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.</p>
<p>That&#8217;s why I&#8217;m both excited and worried about NIST&#8217;s role in the <a href="http://www.nist.gov/nstic/">National Strategy for Trusted Identities in Cyberspace</a> (NSTIC, pronounced &#8220;N-Stick&#8221;).  On one hand, this emerging framework will benefit substantially from NIST&#8217;s knowledge and capability in technology standards development; and let&#8217;s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC.  NIST&#8217;s NSTIC team includes notable and respected scientists, academics, and technologists.  But as our recent <a href="http://bit.ly/idEbza">Whitepaper</a> on NSTIC&#8217;s policy hurdles illustrates, NSTIC policy requires as much development as the technology.</p>
<p>That&#8217;s what makes NIST&#8217;s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology.  Or, to paraphrase Scott David, NIST must develop both the &#8220;tools&#8221; and the &#8220;rules.&#8221;  In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker.  NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.</p>
<p>In Washington everything is political, especially policy.  Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction.  I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests.  <strong>But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST.</strong> And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.</p>
<p>Among the worst imaginable disasters for NSTIC is if NIST doesn&#8217;t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST&#8217;s comfort zone of standards and technology, ceding the policy to those with the most firepower.</p>
<p>Then truly, the war will be lost.</p>
<p>Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/04/18/why-i-support-jeremy-grant-and-hope-nist-will-too/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSTIC&#8217;s Effect on Privacy</title>
		<link>http://www.aarontitus.net/blog/2011/04/18/nstics-effect-on-privacy/</link>
		<comments>http://www.aarontitus.net/blog/2011/04/18/nstics-effect-on-privacy/#comments</comments>
		<pubDate>Mon, 18 Apr 2011 16:00:02 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[NSTIC]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=358</guid>
		<description><![CDATA[The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced &#8220;N-Stick&#8221;).  From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.
Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC&#8217;s effect on Privacy. I was [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.commerce.gov">Department of Commerce</a> released the <a href="http://www.nist.gov/nstic/">National Strategy for Trusted Identities in Cyberspace</a> (NSTIC, pronounced &#8220;N-Stick&#8221;).  From a privacy perspective, the 52-page April 15, 2011 <a href="http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf">Final Draft</a> is a big improvement over the <a href="http://www.dhs.gov/xlibrary/assets/ns_tic.pdf">June 25, 2010 Draft</a>.</p>
<p>Also on April 15, 2011, <a href="http://www.identityfinder.com">Identity Finder</a> released a 39-page analysis on <a href="http://www.identityfinder.com/Software/Docs/IDF-NSTIC-WP.pdf">NSTIC&#8217;s effect on Privacy</a>. I was the principal author.  The report supports the aspirations of NSTIC, but warns that success is far from assured.  NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.</p>
<p>If done well, an ideal NSTIC Identity Ecosystem could establish:</p>
<ul>
<li>High levels of identity assurance online, increasing trust between Users and service providers</li>
<li>More secure online transactions</li>
<li>Innovation and new services</li>
<li>Improved privacy and anonymity</li>
<li>Increased convenience for Users and savings for service providers</li>
</ul>
<p>Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone.  Identity technologies may be used for profit, or to preserve privacy, but rarely both.  While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals&#8217; need for privacy and security.  In order to be successful, NSTIC must be supported by regulations that:</p>
<ul>
<li>Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols</li>
<li>Create incentives for businesses to not commoditize human identity</li>
<li>Compensate for an individual’s unequal bargaining power when establishing privacy policies</li>
<li>Subject Identity Providers to similar requirements to the Fair Credit Reporting Act</li>
<li>Train individuals on how to properly safeguard their Identity Medium to avoid identity theft</li>
<li>Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy</li>
</ul>
<p>While we&#8217;re concerned about the unsolved technological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets.  Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy.  The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.</p>
<p>If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:</p>
<ul>
<li>Powerful identity credentials which, if lost or stolen, will enable hyper-identity theft</li>
<li>A false sense of control, privacy, and security among Users</li>
<li>New ways to covertly collect Users’ personal information</li>
<li>New markets in which to commoditize human identity</li>
<li>Few consumer protections against abuse or sharing personal information with third parties</li>
<li>No default legal recourse against participants who abuse personal information without consent</li>
</ul>
<p>I&#8217;ll be writing more blog posts in the coming days exploring some of NSTIC&#8217;s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/04/18/nstics-effect-on-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives</title>
		<link>http://www.aarontitus.net/blog/2011/04/05/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-network-drives/</link>
		<comments>http://www.aarontitus.net/blog/2011/04/05/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-network-drives/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 06:09:46 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=335</guid>
		<description><![CDATA[This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices, Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup. Finally, we’ll discuss Your Network Drives.
Most companies have an internal corporate network with one or more [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_304" class="wp-caption alignright" style="width: 310px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/network_sxc.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/network_sxc-300x225.jpg" alt="If you think that your tangle of Cat5 in the server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange." title="Network" width="300" height="225" class="size-medium wp-image-304" /></a><p class="wp-caption-text">If you think that the tangle of Cat5 in your server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.</p></div>
<p>This is the seventh post in a series about data breaches you can prevent. We’ve covered <a href="http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you’ll-never-hear-about-your-phone/">Phones and Personal Computing Devices</a>, <a href="http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you’ll-never-hear-about-your-browser">Your Browser</a>, <a href="http://www.aarontitus.net/blog/2011/03/22/7-sources-of-data-breaches-you’ll-never-hear-about-your-inbox">Your Inbox</a>, <a href="http://www.aarontitus.net/blog/2011/03/24/7-sources-of-data-breaches-you’ll-never-hear-about-your-thumb-drive">Your Thumb and External Drives</a>, <a href="http://www.aarontitus.net/blog/2011/03/29/7-sources-of-data-breaches-you’ll-never-hear-about-your-old-windows-95-computer">Your Old Computer</a>, and <a href="http://www.aarontitus.net/blog/2011/03/31/7-sources-of-data-breaches-you’ll-never-hear-about-your-cloud-backup">Your Cloud Backup</a>. Finally, we’ll discuss <strong>Your Network Drives</strong>.</p>
<p>Most companies have an internal corporate network with one or more shared network drives.  If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions.  Frankly, it’s impossible for anyone to know exactly what’s there.</p>
<p><span id="more-335"></span></p>
<p>Sometimes breaches happen when the internal network is not properly segregated.  Only individuals or departments with a “need to know” should have access to sensitive information.  The Human Resource department should never have access to trade secrets, while the R&#038;D department shouldn’t have access to HR data.  The Executive team should have access to confidential client information, while that information might be best kept away from the Sales department.</p>
<p>Aside from inappropriate network segregation, network drives, like all computer devices, are eventually replaced.  Old hard drives are sometimes donated to schools, sold on eBay, thrown away, recycled through <a href="http://www.good.is/post/best-buy-s-amazing-e-waste-recycling-program/">Best Buy</a> or a similar program, or just stored and forgotten.</p>
<p>Several researchers, including Simson Garfinkel, have demonstrated that with a small budget you can recover hundreds of thousands of pieces of personal information from used hard drives. Like other computing devices, old network drives must be scanned and completely wiped of all sensitive personal information before they leave your possession.</p>
<p>Remember the fundamental rules of all data breaches: 1. If you don’t have it, you can’t breach it. 2. Old, forgotten data is dangerous data. Regularly scan these seven types of devices for personal information so that your next breach doesn’t originate from your own computer.</p>
<p>Article first published on <a href="http://www.securitycatalyst.com/">Security Catalyst</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/04/05/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-network-drives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Sources of Data Breaches You’ll Never Hear About: Your Old Windows 95 Computer</title>
		<link>http://www.aarontitus.net/blog/2011/03/29/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-old-windows-95-computer/</link>
		<comments>http://www.aarontitus.net/blog/2011/03/29/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-old-windows-95-computer/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 06:02:47 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=326</guid>
		<description><![CDATA[This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.
Technology has made it easier than ever to be a digital pack rat. Cheap and [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_305" class="wp-caption alignright" style="width: 310px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/open_hd_sxc.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/open_hd_sxc-300x200.jpg" alt="Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don&#039;t you? Licensed from Stock Exchange." title="Open Hard Drive" width="300" height="200" class="size-medium wp-image-305" /></a><p class="wp-caption-text">Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.</p></div>
<p>This is the fifth post in a series about data breaches you can prevent. We’ve covered <a href="http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you’ll-never-hear-about-your-phone/">Phones and Personal Computing Devices</a>, <a href="http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you’ll-never-hear-about-your-browser">Your Browser</a>, <a href="http://www.aarontitus.net/blog/2011/03/22/7-sources-of-data-breaches-you’ll-never-hear-about-your-inbox">Your Inbox</a>, and <a href="http://www.aarontitus.net/blog/2011/03/24/7-sources-of-data-breaches-you’ll-never-hear-about-your-thumb-drive">Your Thumb and External Drives</a>. Next we’ll discuss <strong>Your Old Windows 95 Computer</strong>.</p>
<p>Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful memory probably means that you have backed up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement.  Before blindly making back-up copies of old hard drives, make sure that you first delete any information you don’t want to save. </p>
<p><span id="more-326"></span></p>
<p>I see this problem haunt people across the country.  Once a week a university professor somewhere in the United States copies an archived copy of an old hard drive to a web server, without realizing that the hard drive contained social security numbers of students who graduated a decade earlier.  Within weeks those social security numbers can be available to the world via Google.</p>
<p>If you’re a digital pack rat, make sure you scan those old hard drives for sensitive personal information before making backups.  Your old hard drive is one of the biggest sources of preventable data breaches you’ll never hear about. </p>
<p>Article first published on <a href="http://www.securitycatalyst.com/">Security Catalyst</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/03/29/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-old-windows-95-computer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive</title>
		<link>http://www.aarontitus.net/blog/2011/03/24/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-thumb-drive/</link>
		<comments>http://www.aarontitus.net/blog/2011/03/24/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-thumb-drive/#comments</comments>
		<pubDate>Thu, 24 Mar 2011 06:49:06 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=322</guid>
		<description><![CDATA[This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.
Just about anything that can store information can be used to store sensitive personal information.  Whether you use an external [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_306" class="wp-caption alignright" style="width: 241px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/open_usb_drive_sxc.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/open_usb_drive_sxc-231x300.jpg" alt="The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange" title="open_usb_drive_sxc" width="231" height="300" class="size-medium wp-image-306" /></a><p class="wp-caption-text">The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange</p></div>
<p>This post is the fourth in a series about data breaches you can prevent. We’ve covered <a href="http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you’ll-never-hear-about-your-phone/">Phones and Personal Computing Devices</a> , <a href="http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you’ll-never-hear-about-your-browser">Your Browser</a>, and <a href="http://www.aarontitus.net/blog/2011/03/22/7-sources-of-data-breaches-you’ll-never-hear-about-your-inbox">Your Inbox</a>. Here we’ll explore <strong>Your Thumb and External Drives</strong>.</p>
<p>Just about anything that can store information can be used to store sensitive personal information, whether you use an external drive to back up sensitive data or a thumb drive to transfer large files from one computer to another.  The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.</p>
<p><span id="more-322"></span></p>
<p>Readers of this blog no doubt assiduously delete sensitive information from portable devices on a regular basis.  But simply deleting files doesn’t actually erase the data.  Just like cranberry juice on white linen, personal information stains hard drives.</p>
<p>Simply throwing a stained tablecloth in the washing machine won’t remove cranberry juice stains. Likewise, simply hitting the “delete” key and emptying the recycle bin won’t completely remove personal information from your thumb or external hard drive.  The hard drive usually remains stained with the sensitive information, which may be recovered until you proverbially “scrub” the drive.  This scrubbing is called “shredding” the file, and typically requires at least a three-step deletion process whereby each byte is individually overwritten.</p>
<p>You should always think twice before copying sensitive files, such as tax documents, pictures, passwords, or confidential documents to removable media.  Regularly scan removable media for forgotten personal information so that when you leave your thumb drive in the taxicab, you don’t accidentally cause your own data breach.</p>
<p>Article first published on <a href="http://www.securitycatalyst.com/">Security Catalyst</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/03/24/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-thumb-drive/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Sources of Data Breaches You’ll Never Hear About: Your Browser</title>
		<link>http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-browser/</link>
		<comments>http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-browser/#comments</comments>
		<pubDate>Thu, 17 Mar 2011 06:36:22 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=314</guid>
		<description><![CDATA[This post is the second in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices. The next source we’ll explore is Your Browser.
Laptops, desktop computers and smartphones all have built-in internet browsers.  A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_299" class="wp-caption alignright" style="width: 310px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/browsers_sxc.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/browsers_sxc-300x208.jpg" alt="Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange." title="Browsers" width="300" height="208" class="size-medium wp-image-299" /></a><p class="wp-caption-text">Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.</p></div>This post is the second in a series about data breaches you can prevent. We’ve already covered <a href="http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you’ll-never-hear-about-your-phone/">Phones and Personal Computing Devices</a>. The next source we’ll explore is <strong>Your Browser</strong>.</p>
<p>Laptops, desktop computers and smartphones all have built-in internet browsers.  A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history.  Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.</p>
<p><span id="more-314"></span></p>
<p>Aside from browser hacks and viruses, it’s important to remember that your browser caches remain intact and accessible even after the machine is lost, stolen, or sold. That’s one reason why it’s important to scan your browsers for personal information and delete unnecessary information, and use a <a href="http://websearch.about.com/od/firefox/ss/firefoxoptions_3.htm">master password</a> whenever possible.</p>
<p>I fancy myself a fairly savvy and privacy-aware individual. I use Firefox and have installed several plugins to help me manage my privacy, including <a href="https://addons.mozilla.org/en-US/firefox/addon/6623/">Better Privacy</a>, <a href="https://addons.mozilla.org/en-US/firefox/addon/60333/">GoogleSharing</a>, a few <a href="https://addons.mozilla.org/en-US/firefox/search/?q=PrivacyChoice&#038;cat=all&#038;x=0&#038;y=0">PrivacyChoice Plugins</a>, and Abine’s <a href="https://addons.mozilla.org/en-US/firefox/addon/11073/">TACO</a>. But when I ran an <a href="http://www.identityfinder.com">Identity Finder</a> search, even I was shocked to see the depth of information that my browser stored.  It was very sobering to see that my usernames, passwords, and credit card numbers were accessible in plain text.  Fortunately, Identity Finder allowed me to delete or secure all of that information.<br />
If your browser caches are ever lost, it may represent a significant breach of personal information.  So make sure you are aware of what information your browser is storing, because you shouldn’t expect to get a letter in the mail if it ever falls into the wrong hands.</p>
<p>Article first published on <a href="http://www.securitycatalyst.com/">Security Catalyst</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/03/17/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-browser/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Sources of Data Breaches You’ll Never Hear About: Your Phone</title>
		<link>http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-phone/</link>
		<comments>http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-phone/#comments</comments>
		<pubDate>Tue, 15 Mar 2011 06:31:28 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=309</guid>
		<description><![CDATA[This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_307" class="wp-caption alignright" style="width: 310px"><a href="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/smart_phone_sxc.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2011/01/smart_phone_sxc-300x225.jpg" alt="Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange." title="Smart Phone" width="300" height="225" class="size-medium wp-image-307" /></a><p class="wp-caption-text">Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.</p></div>This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is <strong>Your Phone and Personal Computing Device</strong>.</p>
<p>Remember when cell phones were telephones?  Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.</p>
<p><span id="more-309"></span></p>
<p>Your personal computing devices perform almost all of the functions of a laptop computer.  Smart phones, iPads, Kindles, and other devices are notoriously easy to lose, and store gigabytes of files, passwords, credit card numbers, social security numbers, digital photos, address books, and email attachments.  Because of the wealth of personal information on a cell phone, most people would rather lose their wallets, and nearly all respondents to a <a href="http://www.pcworld.com/businesscenter/article/166628/bigger_loss_cell_phone_or_wallet.html">2009 survey</a> said they would be “devastated” if they lost their phone.</p>
<p>Upgrading your phone can be as risky as losing it.  Some people donate their old phones to charity or sell them on eBay, and experts warn that personal information on the phone could easily be mined and re-sold.  Periodically search your cell phone for personal information, and make sure that you digitally shred the entire contents of your mobile device before you get rid of it.</p>
<p>Article first published on <a href="http://www.securitycatalyst.com/7-sources-of-data-breaches-you’ll-never-hear-about-your-phone">Security Catalyst</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2011/03/15/7-sources-of-data-breaches-you%e2%80%99ll-never-hear-about-your-phone/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Message From Walgreens</title>
		<link>http://www.aarontitus.net/blog/2010/12/12/a-message-from-wallgreens/</link>
		<comments>http://www.aarontitus.net/blog/2010/12/12/a-message-from-wallgreens/#comments</comments>
		<pubDate>Sun, 12 Dec 2010 05:09:19 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Data Breaches]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=281</guid>
		<description><![CDATA[A friend of mine recently received the following email from Walgreens:
December 10, 2010
Dear Valued Customer,
We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another [...]]]></description>
			<content:encoded><![CDATA[<p>A friend of mine recently received the following email from Walgreens:</p>
<blockquote><p>December 10, 2010<br />
Dear Valued Customer,</p>
<p>We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.<br />
<span id="more-281"></span><br />
We want to assure you that the only information that was obtained was your email address. Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreens consumer data systems.</p>
<p>We realize you previously unsubscribed from promotional emails from Walgreens, and that will continue. As a company, we absolutely believe that all customer relationships must be built on trust. That is why we believe it is important to inform you of this incident. Online security experts have reported an increase in attacks on email systems, and therefore we have voluntarily contacted the appropriate authorities and are working with them regarding this incident.</p>
<p>We encourage you to continue to be aware of increasingly common email scams that may use your email address to contact you and ask for personal or sensitive information. Always be cautious when opening links or attachments from unsolicited third parties. Also know that Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. So if ever asked for this information, you can be confident it is not from Walgreens.</p>
<p>If you have any questions regarding this issue, please contact us at 1-888-980-0963. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.</p>
<p>Sincerely,<br />
Walgreens Customer Service Team</p></blockquote>
<h1>Translation</h1>
<blockquote><p>Dear Valued Former Customer Who Doesn’t Want to Hear From Us,</p>
<p>We know you have already unsubscribed from our mailing lists. You may have thought that we deleted your email address, but in fact we decided to keep your email in our databases anyway.  Now it was stolen. Sucks to be you, because now you’ll probably get more spam and scam mail. We reported the breach to the police, knowing full well that they don’t care one little bit, but we at least hope to do some PR damage control by looking serious about this.</p>
<p>Sincerely,<br />
Walgreens</p>
<p>P.S. We still don’t plan to actually delete your email address from our systems and eliminate the risk of a future breach.</p></blockquote>
<p>Well, at least I have to give them points for owning up to the breach.  Many companies wouldn&#8217;t even do that much.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/12/12/a-message-from-wallgreens/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Four Most Fundamental Challenges to Privacy of 2010</title>
		<link>http://www.aarontitus.net/blog/2010/10/20/the-four-most-fundamental-challenges-to-privacy-of-2010/</link>
		<comments>http://www.aarontitus.net/blog/2010/10/20/the-four-most-fundamental-challenges-to-privacy-of-2010/#comments</comments>
		<pubDate>Wed, 20 Oct 2010 19:15:24 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=272</guid>
		<description><![CDATA[
EPIC Privacy 2010 Election Campaign Comments Wednesday October 13, 2010; 8:30 – 10:00 AM The Mott House, 122 Maryland Avenue NE
Thank you for having me here today. My name is Aaron Titus. I am an attorney and the Privacy Director for the Liberty Coalition. The Liberty Coalition works with more than 80 partner organizations from [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.aarontitus.net/blog/wp-content/uploads/2010/10/epic_logo.jpg"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2010/10/epic_logo.jpg" alt="Electronic Information Privacy Center" title="Electronic Information Privacy Center" width="260" height="92" class="alignright size-full wp-image-277" /></a>
<p><em><a href="http://www.privacy2010.org/">EPIC Privacy 2010 Election Campaign</a> Comments<br /> Wednesday October 13, 2010; 8:30 – 10:00 AM<br /> The Mott House, 122 Maryland Avenue NE</em></p>
<p>Thank you for having me here today. My name is Aaron Titus. I am an attorney and the Privacy Director for the Liberty Coalition. The Liberty Coalition works with more than 80 partner organizations from across the political spectrum on transpartisan issues to preserve the Bill of Rights, personal autonomy and individual privacy. The Liberty Coalition works with, but does not speak on behalf of our partners.</p>
<p>We have heard about several substantial policy issues today. I would like to focus on some of the underlying reasons that Privacy has an uphill battle. The Four Most Fundamental Challenges to Privacy in 2010 are:</p>
<ol>
<li>The False Notion that one can “Own” Personal Information</li>
<li>The Failed Notice and Consent Legal Regime</li>
<li>Erosion of the Definition of Privacy</li>
<li>The Two Mortal Enemies of Privacy: Convenience and Fear</li>
</ol>
<p> <span id="more-272"></span><br />
<h2>Who Owns My Data?</h2>
<p>The cultural notion that you can “own” personal information is the single biggest threat to privacy because if you can own my personal information, you can own me.  In a very real sense, I am Data. And if I am Data, and Data is Property, then I may become Property.</p>
<h3>We are Data</h3>
<p>As Daniel Solove wrote, you are not much more than “an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.” This collage is our “Data Self:” A digital alter-ego capable of entering contracts, committing crimes, and going into debt.  It’s more than a copy or digital shadow, because you are responsible for the actions of your Data Self.</p>
<p>You are bound by contracts your Data Self signs; you will go to jail for crimes your Data Self commits.  If someone forces your Data Self to take out a loan, you must repay it. If your Data Self has an operation, you may no longer qualify for medical insurance.</p>
<p>
<h3>Data is Property</h3>
<p> Intellectual Property Law treats data like property because 1. Data has value, like property. 2. Data is fungible, like property, and 3. Data is alienable, like property. Most types of information (i.e., trade secrets, copyrightable or patentable information, etc.) are valuable, fungible, and alienable.</p>
<p>If personal information really were property, then I should be able to permanently sell, or “alienate,” it. But unfortunately, I can’t sell personal information like a car. If I sell my car and the new owner runs it into a tree, it’s not my problem. But we all know that if I “sell” my personal information and the new owner “crashes” my identity, I suffer. Unlike all forms of property, personal information is inherently inalienable. You can’t get rid of it. But because personal information is valuable and fungible, it is often treated like property as a practical matter.</p>
<p>But intellectual property rights in personal information have little basis in law. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable.<sup>2</sup> You can’t patent personal information,<sup>3</sup> and it certainly isn’t a trade secret.<sup>4</sup> In short, nobody “owns” my name, including myself.</p>
<p>Even if we could invent an imaginary intellectual property right to one&#8217;s personal information, in most cases the most logical owner would be third parties who created it. My parents would most likely “own” my name and DNA, since they made it up.  My mother and her doctor had much more to do with my date of birth than I did. Credit card companies would &#8220;own&#8221; my credit card number. The government would &#8220;own&#8221; my Social Security Number, and the Post Office would &#8220;own&#8221; my address.</p>
<p>Personal information cannot be property.</p>
<h3>We are Property</h3>
<p>But as long as we treat personal information as property, we are faced with an unavoidable dilemma:  If We are Data and Data is Property, then We may become Property. Just yesterday Security Expert Bruce Schneier underlined this fact when he said, “<strong>We&#8217;re not Facebook customers, we&#8217;re Facebook&#8217;s product it sells to its customers [the advertisers].</strong>”</p>
<p>The now popular crime of Identity Theft is the most visible consequence of this trend. In fact, <strong>the term “Identity Theft” epitomizes the problem with treating personal information as property: The very term recognizes that you have an alter-ego “identity” or Data Self. And it acknowledges that your Data Self can be stolen and abused, like property.</strong>
<p><strong>If we are data and data is property, then we may become property.</strong></p>
<p>Facing the possibility of a new class of crimes, we cannot afford to allow personal information to be treated as government or corporate property.  I must have control over my personal information, because I am my personal information.</p>
<h2>Replacement of the Notice and Consent Legal Regime</h2>
<p>The second most fundamental Privacy issue of 2010 is the failed Notice and Consent Legal Regime. At its core, Notice and Consent allows almost all privacy protections to be waived with proper notice and implied consent.  In most cases, Notice and Consent provides no baseline protections, and as Marc Rotenberg has said many times, the Notice and Consent legal regime stands in opposition to Fair Information Practice Principles (FIPPs).  Notice and Consent has failed to protect consumers because the market does not value privacy. </p>
<p>As Fred Cate of the Center for Applied Cybersecurity Research explained, the Notice and Consent model is flawed because some activities should not be consentable.  Just like one may not &#8220;consent&#8221; to be served fraudulent or misleading advertising, some uses of personal information should be prohibited and non-consentable.</p>
<h2>Eroding Definition of Privacy</h2>
<p>The third most fundamental Privacy issue of 2010 is an Eroding Definition of Privacy.  As an attorney, I have learned the importance of definitions. I can promise you the world, but if I define the term “world” as “pocket lint,” you can guess who wins.</p>
<p>I fear that the public doesn’t really know what privacy is.  And elected officials have done little to advance the public discourse.  Instead, the public discussion has been dominated by DHS, the TSA, Google, Facebook, and others.  These entities have drastically narrowed the definition of privacy, often attempting to narrow it to nothing more than “security.”  We are losing the world and ending up with pocket lint.</p>
<p>With a narrow or ambiguous definition of privacy, promises to “protect civil rights, civil liberties, and privacy” become either superfluous or illusory.  The reason is simple:  Without knowing what exactly we’re protecting, it’s impossible to know whether or when we’ve succeeded. It’s almost like saying “We’re going to make the world a better place:” Fluffy goodness that means nothing.</p>
<p>Elected officials must insist on a risk-assessment approach when developing strategies to mitigate the risks to civil liberties, civil rights, and privacy.  The first step in that process is to enumerate all of those liberties and rights. We need to talk more about privacy, anonymity, freedom of speech, and rights against searches and seizures, for example.</p>
<p>Next, define each of those liberties.  Third, identify the risks to those liberties.  Fourth, identify strategies to mitigate those risks. And finally, weigh the cost of implementing the strategies against the benefits.  When we do not evaluate what civil rights and liberties are threatened, we are at greater peril of losing them.</p>
<p>We cannot expect the public to stand up for privacy when they do not understand what they’re fighting for. We need public officials who will remind the public what their civil liberties and civil rights are.</p>
<h2>The Two Mortal Enemies of Privacy: Convenient Technology and Fear of Insecurity</h2>
<h3>Private Sector: Convenience</h3>
<p>In the private sector, within the context of the Notice and Consent Legal regime, Convenience and Technology continue to be the mortal enemies of Privacy.</p>
<p>It turns out that much of the privacy we have enjoyed for generations did not have roots in constitutional law, but convention reinforced by high transaction costs.  As technology has reduced transaction costs, practical privacy protections have diminished or disappeared altogether.</p>
<p>Take Identity Theft, for example.  Identity Theft is when someone pretends to be you, does something bad, and you get blamed.  Identity theft has always existed. But 15 years ago, you had to drive down to the county courthouse, walk up to the third floor, get a copy of a birth certificate, then walk up to the 5th floor, then drive over to the DMV… The transactional costs for stealing an identity were very high.</p>
<p>Medical records were far more confidential when they were written on paper. It’s not that the legal privacy protections were any greater than they are now, but the cost of sharing the information was prohibitive.  Technology universally increases efficiency and decreases transactional costs.  Medical information is more efficiently shared with researchers, leading to better treatments.  Detailed profile information is efficiently, instantly and cheaply shared with three dozen affiliate companies. Breaches of enormous proportion and identity theft have never been cheaper or more efficient.</p>
<h3>Government: Fear of Insecurity</h3>
<p>Counterterrorism in this country is more about mitigating terror, or fear, than saving lives.  We hold to a false notion in this country that perfection is somehow attainable, and that when something goes wrong it was because someone failed, and someone is to blame.</p>
<p>As Americans we are very bad at weighing risk, which is why we demand to feel secure.  And our lawmakers deliver:  The American people now (arguably) demand to be digitally strip searched and groped every time they walk onto an airplane.  We take off our shoes. We’re all pretty sure that someone over at the NSA could read our emails if they wanted to. We are all familiar with the terms “warrantless wiretapping,” “National Security Letters,” and “Warrantless GPS tracking.”  But we are mollified by telling ourselves either we have “nothing to hide,” or “I’m too boring for anyone to pay attention to.”  After all, most antelope in the herd never get eaten.</p>
<p>We are terrorizing ourselves.</p>
<p>When people say, &#8220;I have nothing to hide,&#8221; they really mean, &#8220;I am not ashamed of anything.&#8221;  The truth is, we all have a lot to hide, and shame is just one of many reasons to keep information private or confidential.  Having something to hide is not an admission of guilt, and it doesn&#8217;t mean you have anything to be ashamed of.</p>
<p>We keep Social Security Numbers private not because we&#8217;re ashamed of the number, but because we fear identity theft.  Sometimes medical conditions remain confidential because others may react irrationally to them. The Census now zealously guards its information because during World War II, the Federal government acted irresponsibly with truthful census data about the location of Japanese-American citizens.</p>
<p>The need for privacy is the recognition that individuals and institutions act unreasonably and irresponsibly, to the detriment of individuals and society, when in possession of certain truthful facts.  In short, humans aren’t always equipped to handle the truth. We are biased.</p>
<h2>Conclusion</h2>
<p>Again, the Four Most Fundamental Challenges to Privacy of 2010 are:</p>
<ol>
<li>The False Notion that one can “Own” Personal Information</li>
<li>The Failed Notice and Consent Legal Regime</li>
<li>Erosion of the Definition of Privacy</li>
<li>The Two Mortal Enemies of Privacy: Convenience and Fear</li>
</ol>
<p> Thank you for having me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/10/20/the-four-most-fundamental-challenges-to-privacy-of-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSTIC at a Crossroads</title>
		<link>http://www.aarontitus.net/blog/2010/10/01/nstic-at-a-crossroads/</link>
		<comments>http://www.aarontitus.net/blog/2010/10/01/nstic-at-a-crossroads/#comments</comments>
		<pubDate>Fri, 01 Oct 2010 06:56:47 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[NSTIC]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=227</guid>
		<description><![CDATA[Updated January 11, 2011. After the January 7, 2011 NSTIC conference at Stanford, I revisited this blog, which was originally posted after an October 2010 conference call with representatives from the FTC, DHS and the White House cybersecurity staff.  The topic was the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC).  They are [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Updated January 11, 2011</strong>. After the January 7, 2011 NSTIC conference at Stanford, I revisited this blog, which was originally posted after an October 2010 conference call with representatives from the <a href="http://www.ftc.gov/">FTC</a>, <a href="http://www.dhs.gov/">DHS</a> and the White House cybersecurity staff.  The topic was the emerging National Strategy for Trusted Identities in Cyberspace (<a href="http://www.nstic.us">NSTIC</a>).  They are a dedicated staff with a thankless job. My hat is off to them for reaching out to me and other privacy advocates.</p>
<p>NSTIC is a high-level national <a href="http://www.dhs.gov/xlibrary/assets/ns_tic.pdf">plan</a> for trustworthy, virtual identities.  The goals of NSTIC are ostensibly to:</p>
<ol>
<li>Secure online transactions</li>
<li>Provide high levels of identity assurance online</li>
<li>Foster innovation and new services</li>
<li>Improve Privacy</li>
</ol>
<p>If done correctly, NSTIC could indeed improve privacy.  If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today&#8217;s Credit Reporting Agencies, all without functionally improving security.<span id="more-227"></span></p>
<h2>Fair Information Practice Principles (FIPPs)</h2>
<p>FIPPs are globally recognized principles which just about everyone agrees should govern the collection, storage, use, and dissemination of personal information. FIPPs include:</p>
<ul>
<li>Notice and Awareness</li>
<li>Choice and Consent</li>
<li>Access and Participation</li>
<li>Integrity and Security</li>
<li>Enforcement and Redress</li>
<li>Others, like Data Minimization</li>
</ul>
<p>In general, FIPPs are as non-controversial as &#8220;motherhood and apple pie.&#8221; But the United States has adopted the Notice and Consent legal regime where most of these FIPPs may be waived upon notice and consent.  And since FIPPs can be adverse to the business interests of companies like <a href="http://www.google.com">Google</a>, clickwrap agreements often include waivers of most privacy rights or expectations.  For the most part, these &#8220;checkbox&#8221; agreements are enforceable.</p>
<p>Although the current draft of the NSTIC Implementation Plan makes liberal references to FIPPs, I am afraid that they might not mean much in practice, within the United States&#8217; Notice and Consent legal regime.</p>
<h2>IdP Regulation</h2>
<p>In the simplest trusted identity framework, there are three participants: The User (Me), the Relying Party (RP), and the Identity Provider (IdP).  Consider a typical transaction between a User and RP, let&#8217;s say me and <a href="http://www.pandora.com">Pandora</a>. Federal law prohibits providers from collecting personal information on kids under 13 years old without a parent&#8217;s consent. Even though Pandora asks for my date of birth, they don&#8217;t <em>need</em> my date of birth; they just need to know I&#8217;m over 13.</p>
<p>That&#8217;s where Identity Providers come in.  As a User I can assert to Pandora (the Relying Party) that I&#8217;m over 13.  Then I send Pandora to a trusted, accredited third party Identity Provider. The IdP essentially says, &#8220;Yes, Aaron is over 13 years old, but we&#8217;re not giving you his date of birth.&#8221;  The relying party has the information it needs, but not my date of birth. Pandora is satisfied, and my privacy between me and Pandora is enhanced. For discussion purposes, I&#8217;ll call this &#8220;retail privacy.&#8221;</p>
<p>But retail privacy is only half of the transaction.  Since the transaction must go through an IdP, the IdP now has a record of my transaction, as well as all of my other transactions and behaviors, along with my date of birth and other personal information <em>[Please see Jim Fenton's comment about attribute providers, below]</em>. What if Pandora was allowed to purchase enriched information about me from my IdP later, without my knowledge or consent?</p>
<p>Essentially, this is the status quo, and the current draft of NSTIC would not prohibit such purchase from taking place.  For ease of reference, I&#8217;ll call this &#8220;wholesale privacy.&#8221; Currently, data warehouses sell billions of dollars in personal information without the knowledge or consent of the data subjects. In this rather probable vision of NSTIC, &#8220;retail privacy&#8221; between the user and relying party increases, but the increased privacy is illusory unless the IdP is under strict regulations to keep the information private.</p>
<p>The privacy concerns of today – data collection and behavioral marketing practices of very large online service providers – are trivial compared to the new capability to piece together an Identity Ecosystem Participant’s inter-transactional history which, by definition, each Identity Provider in the Identity Ecosystem will have.</p>
<p>It is likely that the market will self-select a handful of large IdPs, who will be custodians of a large amount of Identity Ecosystem participant information, including inter-transactional history.  While providing retail privacy to consumers and end-node Identity Ecosystem participants, IdPs will also amass huge warehouses of individual transactional data which may dwarf TransUnion, Equifax, and Experian in sheer volume and data richness. This information will have huge economic value, and without strictly enforcing the FIPPs, each IdP will be under strong economic pressures to collect, mine, re-purpose, sell, and share the information with the highest bidder—often the very parties from whom users are trying to keep it.</p>
<p>Unless implemented properly, NSTIC could have a devastating effect on wholesale privacy, rendering any improvements in retail privacy illusory. Absent strict regulation, NSTIC has the potential to turn Identity Providers into pseudo-centralized Identity Reporting Agencies which are further removed from the public view and opaque to users.</p>
<p>But as of now, the NSTIC Strategy document and the Implementation Plan lack crucial detail about regulating IdPs. By definition, Identity Providers will be able to link all of an individual’s personal transactions.  Without regulation, larger IdPs will be able to market, share or otherwise derive value from vast storehouses of transactional data, much like today’s credit reporting agencies.</p>
<p>At the very least, NSTIC must mandate the development of context-specific privacy standards for IdPs.  Although I&#8217;m willing to participate in their development, frankly I&#8217;m not too optimistic that adequate protections will be implemented.</p>
<h2>Other Points</h2>
<p>I have other less substantial critiques of NSTIC, including a lack of detail on redress, whether NSTIC will truly preserve anonymity, or whether by definition any anonymity within the NSTIC framework will be able to be &#8220;unwound&#8221; to discover the individual&#8217;s true identity. Others have legitimate concerns that NSTIC may turn into a de facto National ID. And let&#8217;s face it, NSTIC will not solve many security problems.  We will still have nodes of failure, risk of fraud, and errors in data.</p>
<p>At this point, NSTIC is at a crossroads. NSTIC could either be really good, or really bad for privacy.  I&#8217;m hoping for the best, but I&#8217;ve learned not to hold my breath.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/10/01/nstic-at-a-crossroads/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>Online Ad Networks Should Give Periodic PII PSAs</title>
		<link>http://www.aarontitus.net/blog/2010/08/15/online-ad-networks-should-give-periodic-pii-psas/</link>
		<comments>http://www.aarontitus.net/blog/2010/08/15/online-ad-networks-should-give-periodic-pii-psas/#comments</comments>
		<pubDate>Mon, 16 Aug 2010 02:35:04 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=218</guid>
		<description><![CDATA[Dear FTC,
I&#8217;d like to propose the following idea to regulate online and behavioral advertising and networks: Any ad network which collects user information across more than one website should be required to occasionally display a Public Service Announcement (PSA) instead of an advertisement.  The PSA should be a standard format and include a notice [...]]]></description>
			<content:encoded><![CDATA[<p>Dear FTC,<br />
I&#8217;d like to propose the following idea to regulate online and behavioral advertising and networks: Any ad network which collects user information across more than one website should be required to occasionally display a Public Service Announcement (PSA) instead of an advertisement.  The PSA should be a standard format and include a notice something like this:<br />
&#8220;XYZ Corp collects information about your computer as you visit websites within our advertising network. You have a right to know how we collect this information, a right to periodically inspect, amend, or delete the information.  We use the following methods to collect information:</p>
<ul>
<li>Browser Fingerprinting [link to more information]</li>
<li>Behavioral Analysis [link to more information]</li>
<li>Cookies and Other Client-Side Objects [link to more information]</li>
<li>&#8230;etc.</li>
</ul>
<p>We have collected the following information about this computer:</p>
<ul>
<li>Browser History [click to inspect] [click to delete]</li>
<li>Screen Resolution</li>
<li>Operating System</li>
<li>Google search terms</li>
<li>Website Visit Length</li>
<li>&#8230;etc.</li>
</ul>
<p>There is a world of personal information flowing beneath our feet.  My identity is bought, sold, analyzed and re-analyzed across the world in milliseconds.  Notwithstanding that my identity is a passive participant in this shadow world, my fleshy identity is actively kept out.<br />
Perhaps a periodic Personal Information Public Service Announcement might be a step to allow me to re-take control of my identity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/08/15/online-ad-networks-should-give-periodic-pii-psas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Draft NSTIC Request</title>
		<link>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/</link>
		<comments>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 19:47:59 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/</guid>
		<description><![CDATA[The White House and Department of Homeland Security have recently released a public draft of the National Strategy for Trusted Identity in Cyberspace (NSTIC). The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an [...]]]></description>
			<content:encoded><![CDATA[<p>The White House and Department of Homeland Security have recently released a public draft of the National Strategy for Trusted Identity in Cyberspace (NSTIC). The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an impact on internet commerce, online speech, identity management, identity trust frameworks, and online anonymity. We, the undersigned, are concerned that the current public comment period is insufficient for a policy document of this magnitude and request an extension of the public comment period in order to pursue public dialog.</p>
<p>A policy of this magnitude should be given at least a 90 day public comment period. However, public discussion has been limited and the discussion period is almost over. Therefore, we request that the public comment period be extended for at least 30 days to facilitate more robust public discussion. We also request that subsequent public comment periods on this topic extend for at least 90 days.</p>
<p>We are concerned that the NSTIC is silent on an implementation timeline and other significant details currently missing from the draft. We request clarification on the agency’s proposed timeline and process. We also request an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.</p>
<p>We look forward to supporting your efforts to engage a robust public discussion on the NSTIC.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>How to Avoid a Legal 500 Error with your Privacy Policy</title>
		<link>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/</link>
		<comments>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 12:59:36 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=179</guid>
		<description><![CDATA[Note: A version of this article originally appeared on the Security Catalyst Blog
Legal Programming
By Aaron Titus
I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice.  OK, I may not be a Ruby all-star, but I could be if I [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: A version of this article originally appeared on the <a href="http://www.securitycatalyst.com/how-to-avoid-a-legal-500-error-with-your-privacy-policy/">Security Catalyst Blog</a></em><br />
<div id="attachment_184" class="wp-caption alignright" style="width: 310px"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2010/03/500-Legal-Error-cropped-300x206.jpg" alt="Avoid a Legal 500 Error. Debug your privacy policy." title="Legal 500 Error" width="300" height="206"  class="size-medium wp-image-184"/><p class="wp-caption-text">Avoid a Legal 500 Error. Debug your privacy policy.</p></div></p>
<h1>Legal Programming</h1>
<p><strong>By Aaron Titus</strong></p>
<p>I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice.  OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training.  And if I wanted an iPhone app, I&#8217;d talk to a programmer.  If I wanted legal documents, I&#8217;d talk to a lawyer.</p>
<p>In fact, <em>lawyers are programmers</em>. Writing legal documents—like privacy policies—is just like writing code.</p>
<p><span id="more-179"></span>Imagine that your boss tells you, &#8220;I need a widget. I&#8217;m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.”  Of course, that&#8217;s crazy. You can&#8217;t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?</p>
<p>Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go.  But unlike poorly-written code which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.</p>
<h1>Privacy Policy Principles</h1>
<p>The purposes of a privacy policy are to: 1. Help inform and train your employees about your privacy practices, 2. Inform your customers about your privacy practices, and 3. Avoid liability and FTC action.  As I explained <a href="http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/">previously</a>, adhering to the following principles will allow you to accomplish all three goals:</p>
<ul>
<li><strong>Be Honest</strong>. Your mamma was right: Honesty is the best (privacy) policy.
<ul>
<li><strong>Don&#8217;t Over-Promise</strong>. Statements like &#8220;privacy is our top priority&#8221; may be enforced by the FTC as a privacy promise. Don&#8217;t box yourself into a corner.</li>
<li><strong>Don&#8217;t Under-Promise</strong>.  Under-promising can violate regulations and more importantly, scare off customers.</li>
<li><strong>Tell the Whole Truth</strong>.  Failure to talk about less-desirable privacy practices may be a misleading business practice.</li>
</ul>
</li>
<li><strong>Be Complete and Conspicuous</strong>.</li>
<li><strong>Adapt to Changing Business Practices</strong>.  A privacy policy which was accurate six months ago may not be today.</li>
<li><strong>Get it Right the First Time</strong>. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.</li>
<li><strong>If you Say it, Do it</strong>.  Generally no magic words are required in privacy policies.  The best approach to avoid liability is to stick to your policy.</li>
<li><strong>It&#8217;s Your Business</strong>. As an executive, it&#8217;s your responsibility to make sure that your privacy policy is accurate and complete.</li>
</ul>
<h1>Custom Programming Your Privacy Policy</h1>
<p><strong>Nobody, especially the legislature, has solved your problems for you</strong>.  If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered.  You can&#8217;t expect that somebody else&#8217;s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation.  Imagine for a moment that you have just developed an iPhone app.  The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user&#8217;s weight history to the Weight Watchers website, then optionally posts the summarized results of the user&#8217;s weight loss to his Facebook page and Twitter account.  Which of the following is true:</p>
<ol type="A">
<li>You can adopt HIPAA as your privacy policy. HIPAA privacy rules apply.</li>
<li>The FTC is interested in your privacy policy and practices.</li>
<li> You can later use the weight &amp; contact information to market your next iPhone app, &#8220;Smart Dieter.&#8221;</li>
</ol>
<p>The answers may surprise you:</p>
<ol type="A">
<li><strong>False</strong> on both counts: 1. HIPAA is not a privacy policy. Nobody, especially Congress, has written your privacy policy for you. 2. Your customers are not protected by HIPAA regulations, because they probably don&#8217;t apply to you.</li>
<li><strong>True</strong>.  The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like &#8220;Privacy is our Number 1 Priority&#8221; may be enforced as a privacy promise.</li>
<li><strong>Probably Not</strong>. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.</li>
</ol>
<p>Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs.  If you think that Congress (or anybody, for that matter) has answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I&#8217;d like to sell you.  Even if HIPAA privacy regulations applied (which they don’t), I can guarantee that they were not written with your app in mind.  Likewise, if you are doing anything truly innovative, any canned privacy policy will fail to meet your needs.</p>
<p>Boilerplate legal documents can get people and companies in trouble. Although sometimes there <em>are</em> magic words from a statute or regulation that should be quoted in order to protect your rights, <strong>most boilerplate is not magic—it’s lazy</strong>.  Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful.  Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a &#8220;Legal 500 Error.&#8221;</p>
<h1>A Living Document</h1>
<p>Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal language or &#8220;magic words&#8221; requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the wayside.</p>
<p>Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes.  When you revise a policy, information collected under the former policy must still be treated according to the terms of the original Privacy Policy, unless you get some sort of assent from your customers, or face the potential ire of the FTC.  It is always better to get it right the first time.</p>
<h1>Take Charge</h1>
<p>As an executive, do these three things:</p>
<ol>
<li><strong>Read Your Privacy Policy</strong>. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?</li>
<li><strong>Regularly Update Your Privacy Policy</strong>.  Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance.  Make sure that your privacy policy is on your list of documents to review.</li>
<li><strong>Do a Privacy Policy Legal Review</strong>.  Avoid a &#8220;Legal 500 Error&#8221; by making sure that your privacy policy is complete and compliant.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

