Archive for category NSTIC

NSTIC Identity Ecosystem Marketplace Roles and Concepts

This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Read the rest of this entry »

No Comments

NSTIC as a National ID

Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID

How NSTIC Might be Like a National ID

NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.

If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.

Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.

Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.

NSTIC is voluntary for the private sector and private citizens.

If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.

NSTIC credentials are not yet required to access government benefits.

Access to electronic government services may one day require an NSTIC credential.

NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.

NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.

Identity and Transaction Information is not stored in a single, centralized government database.

Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.

An NSTIC credential is designed for online transactions only.

With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

2 Comments

Why I Support Jeremy Grant, and Hope NIST Will Too

Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

No Comments

NSTIC’s Effect on Privacy

The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.

Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.

If done well, an ideal NSTIC Identity Ecosystem could establish:

  • High levels of identity assurance online, increasing trust between Users and service providers
  • More secure online transactions
  • Innovation and new services
  • Improved privacy and anonymity
  • Increased convenience for Users and savings for service providers

Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:

  • Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
  • Create incentives for businesses to not commoditize human identity
  • Compensate for an individual’s unequal bargaining power when establishing privacy policies
  • Subject Identity Providers to similar requirements to the Fair Credit Reporting Act
  • Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
  • Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy

While we’re concerned about the unsolved techological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.

If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:

  • Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
  • A false sense of control, privacy, and security among Users
  • New ways to covertly collect Users’ personal information
  • New markets in which to commoditize human identity
  • Few consumer protections against abuse or sharing personal information with third parties
  • No default legal recourse against participants who abuse personal information without consent

I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.

1 Comment

Crossroads

Many people don’t think of obesity as a disease, but rather as a moral failing. But Dr. Fatima Cody Stanford, instructor of medicine at Harvard Medical School and researcher and practicing physician at the Massachusetts General Hospital Weight Center, points out that obesity is a complex, chronic disease. Stanford’s recent fascinating and informative presentation explains how the body uses and stores energy, and describes the complex interplay of the genetic, developmental, hormonal, environmental, and behavioral factors that contribute to obesity. Learn how to easily treat this condition with leptoconnect.

Obesity isn’t just “calories in versus calories burned”
Obesity isn’t just about energy balance, i.e., calories in/calories out. “That’s simplistic, and if the equation were that easy to solve we wouldn’t have the prevalence of obesity that we have today,” Dr. Stanford explains. She goes on to say that not only is the energy balance theory wrong, but the focus on that simplistic equation and blaming the patient have contributed to the obesity epidemic. Stigma, blame, and shame add to the problem, and are obstacles to treatment. Indeed, over 36% of adults in the United States have obesity, and the world is not far behind.

She describes her research and experience in the treatment of obesity, including several cases from her own clinic. These are the cases that capture my attention, as they demonstrate most clearly the effects of different treatment approaches (and combinations) to obesity: diet and lifestyle (i.e. behavioral), medications, and surgery. Stanford has seen remarkable, long-lasting positive results with all, but she always emphasizes diet and lifestyle change first and foremost. The program (called Healthy Habits for Life) offered at the MGH Weight Center is a huge commitment, but it can help reframe a person’s relationship with food, emphasizing a high-quality diet, and not calorie-counting.

The components of a successful treatment for obesity
Abeer Bader is a registered dietitian and the lead clinical nutrition specialist at the center. She described the program to me in more detail: it’s a 12-week group-based education and support program with a structured curriculum and frequent contact with patients. The classes are 90 minutes long and led by a registered dietitian, and cover everything from the causes of obesity to healthy eating to debunking popular diet myths, plus recommendations for dining out, grocery shopping, meal prep, physical activity, and more. “The goal of the HHL program is to provide patients with the education, support, and tools to lead a healthy lifestyle.”

The diet they promote is loosely based on the DASH diet and the Mediterranean diet, as these eating plans are rich in vegetables, fruit, lean protein, and whole grains. They use the Harvard Healthy Plate to illustrate a healthy, well-balanced meal.

But it’s also a highly individualized program. “We work closely with the patient to put together realistic goals. I think the most important part of approaching goal-setting and behavior change is to first determine what it is that they would like to improve. Often as providers we tell patients what they need to do, but when you allow the patient to highlight an area that they would like to work on, you may see better adherence,” says Bader.

Other similar comprehensive programs have been shown to help patients achieve lasting diet and lifestyle change, lose weight — and avoid diabetes. The Diabetes Prevention Program helps those with obesity and risk of developing diabetes lose 5% to 7% of their body weight, and decreases their risk of diabetes between 58% and 71%. Diabetes usually lead to hearing loss conditions, read these Sonus Complete reviews.

As Bader states, “I think it’s important to note that the diet that “works” is the diet that a person will adhere to for the rest of his or her life. We really emphasize the importance of lifestyle change versus short-term diet fix in order to have the greatest success in achieving a healthier weight.” This statement is evidence-based, as a recent review of multiple research studies looking at different weight loss diets found that all worked about equally as well.

Medications to treat obesity
What can surprise people (including doctors) is how helpful weight loss medications can be, though it can take some trial and error to figure out what will work for someone. “These medications affect the way the brain manages the body’s weight set point, and how the brain interacts with the environment. But sometimes there’s no rhyme or reason why one medication works for someone, but another doesn’t.” Unfortunately, as research shows, weight loss medications aren’t prescribed often enough.

In summary, obesity is a complex, chronic disease with many contributing factors. Primary care doctors and obesity specialists can guide treatments that include lifestyle approaches like diet, exercise, and addressing emotional factors that contribute to obesity. For some people weight loss surgery may be an option (a subject for another post).

8 Comments