Archive for category NSTIC

NSTIC Identity Ecosystem Marketplace Roles and Concepts

This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Read the rest of this entry »

No Comments

NSTIC as a National ID

Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID

How NSTIC Might be Like a National ID

NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.

If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.

Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.

Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.

NSTIC is voluntary for the private sector and private citizens.

If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.

NSTIC credentials are not yet required to access government benefits.

Access to electronic government services may one day require an NSTIC credential.

NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.

NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.

Identity and Transaction Information is not stored in a single, centralized government database.

Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.

An NSTIC credential is designed for online transactions only.

With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

4 Comments

Why I Support Jeremy Grant, and Hope NIST Will Too

Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

No Comments

NSTIC’s Effect on Privacy

The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.

Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.

If done well, an ideal NSTIC Identity Ecosystem could establish:

  • High levels of identity assurance online, increasing trust between Users and service providers
  • More secure online transactions
  • Innovation and new services
  • Improved privacy and anonymity
  • Increased convenience for Users and savings for service providers

Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:

  • Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
  • Create incentives for businesses to not commoditize human identity
  • Compensate for an individual’s unequal bargaining power when establishing privacy policies
  • Subject Identity Providers to similar requirements to the Fair Credit Reporting Act
  • Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
  • Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy

While we’re concerned about the unsolved techological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.

If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:

  • Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
  • A false sense of control, privacy, and security among Users
  • New ways to covertly collect Users’ personal information
  • New markets in which to commoditize human identity
  • Few consumer protections against abuse or sharing personal information with third parties
  • No default legal recourse against participants who abuse personal information without consent

I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.

1 Comment

NSTIC at a Crossroads

Updated January 11, 2011. After the January 7, 2011 NSTIC conference at Stanford, I revisited this blog, which originally posted after an October, 2010 conference call with representatives from the FTC, DHS and the White House cybersecurity staff. The topic was the emerging National Strategy for Trusted Identities in Cyberspace (NSTIC). They are a dedicated staff with a thankless job. My hat is off to them for reaching out to me and other privacy advocates.

NSTIC is a high-level national plan to in for trustworthy, virtual identities. The goals of NSTIC are ostensibly to:

  1. Secure online transactions.
  2. Provide high levels of identity assurance online
  3. Foster innovation and new services
  4. Improve Privacy

If done correctly, NSTIC could indeed improve privacy. If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today’s Credit Reporting Agencies, all without functionally improving security. Read the rest of this entry »

10 Comments