NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Major Identity Ecosystem Roles and Concepts

• A Subject or User is an individual or Non-Person Entity (NPE) which must assert its identity to a Relying Party in order to receive a benefit such as access to a trusted network, bank account access, or access to premium content online.
• An Attribute Provider (AP) creates, stores and allows others (such as the Identity Provider and Relying Party) to access or analyze User Attributes, usually under conditions. An Attribute Provider is also usually a Third Party. In the Identity Ecosystem, an Attribute Provider must be trusted as an authoritative source of information. Typical examples of attribute providers might be a government title registry, national credit bureau, or commercial marketing database.
• An Attribute is a fact related to a User. Attributes may include traditional PII, information about authority, roles, rights, privileges, or any other fact asserted by a User, Attribute Provider, or Third Party. NSTIC defines “Attribute” as “a named quality or characteristic inherent in or ascribed to someone or something.”
• An Identity Provider (IdP) is an organization certified as trustworthy through an accreditation authority. An IdP issues a credential, which corresponds to a piece of information known to the User (such as a password), a biometric attribute, or information stored on an Identity Medium (not represented herein). An IdP is responsible for verifying the credential when used as evidence of a User’s identity. An IdP may collect attributes about the User from Attribute Providers, store those attributes, and compare them against assertions made by the User to a Relying Party. Identity Providers do not guarantee the correctness of attributes obtained from Attribute Providers, but may instead confirm that a Claim made by a User matches information from Attribute Providers. Identity Providers may share User attributes, personal information, and Transaction Information with Relying Parties, Third Parties, Parent Companies and Attribute Providers, in accordance with the Data Usage Policy.
• A Data Usage Policy is a contract between a User and Identity Provider, governing the use and disclosure of User information held by the Identity Provider.
• Transaction Information is a record of the benefit provided to the User from the Relying Party, and is analogous to a receipt. Transaction Information may include the name of a product purchased, a log of network access and User activity, or services provided.
• Identity Medium refers to the physical device that stores an NSTIC-compatible identity credential. Examples of Identity Mediums include cell phone apps, smart cards, or USB computer dongles. Identity Media are not visually represented, and are not required for a transaction.
• A Relying Party (RP) is a person or NPE that requires some degree of identity assurance and possibly User Attributes before it will provide a benefit to the User.
• A Parent Company is a company which owns or is affiliated with the Identity Provider and/or the Relying Party in such a way that by action of law, ownership or contract, the Parent Company has right to access and use the Identity Provider or Relying Party’s data assets, unless expressly prohibited by law or regulation.
• A Third Party is any person, organization, system, or device which has no direct affiliation with the User or the transaction in question. A familiar example of a Third Party is an online advertiser.
• For purposes of my discussions, I define a Claim as an assertion that an Attribute is truthful or correct. A Claim may be made by any party. Examples of User Claims are, “I am over 18 years old,” “I am a constituent or citizen,” or “I am authorized to enter your network.” Claims are not visually represented here. In technical circles, a “claim” is an assertion that may be derived by comparing or analyzing one or more Attributes.
• According to NSTIC, the Identity Ecosystem Framework is “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.”
• The Identity Ecosystem Marketplace is the Identity Marketplace created by the Identity Ecosystem, where Identity Ecosystem Participants may commoditize and trade User identities and Attributes in exchange for benefits. Not all Identity Ecosystem transactions necessarily commoditize human identity. The exchange of identity information in many e-commerce transactions is ancillary to the transaction, and the User pays directly for the benefit of the transaction (e.g. a money transfer, music or movie download). Notwithstanding, the Identity Ecosystem Marketplace enables Participants to more easily commoditize identity as an additional source of revenue. NSTIC recognizes that Participants should not be allowed to buy and sell identity information within the Ecosystem, but does not yet identify a credible mechanism to enforce this requirement.
• Fair Information Practice Principles (FIPPs) are Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. NSTIC identifies FIPPs as core requirements in the Identity Ecosystem, but stops short of mandating FIPPs.

The NSTIC guiding principles are:

• Identity solutions will be privacy-enhancing and voluntary.
• Identity solutions will be secure and resilient.
• Identity solutions will be interoperable.
• Identity solutions will be cost-effective and easy to use.

Through these guding principles NSTIC aims to accomplish its primary goals of:

• Privacy
• Convenience
• Efficiency
• Ease-of-use
• Security
• Confidence
• Innovation, and
• Choice.

Future posts will explore the interaction of these roles in the Identity Ecosystem Marketplace, and under what conditions NSTIC will be able to meet its goals.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.

If done well, an ideal NSTIC Identity Ecosystem could establish:

• High levels of identity assurance online, increasing trust between Users and service providers
• More secure online transactions
• Innovation and new services
• Improved privacy and anonymity
• Increased convenience for Users and savings for service providers

Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:

• Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
• Create incentives for businesses to not commoditize human identity
• Compensate for an individual’s unequal bargaining power when establishing privacy policies
• Subject Identity Providers to similar requirements to the Fair Credit Reporting Act
• Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
• Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy

While we’re concerned about the unsolved techological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.

If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:

• Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
• A false sense of control, privacy, and security among Users
• New ways to covertly collect Users’ personal information
• New markets in which to commoditize human identity
• Few consumer protections against abuse or sharing personal information with third parties
• No default legal recourse against participants who abuse personal information without consent

I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.

NSTIC is a high-level national plan to in for trustworthy, virtual identities. The goals of NSTIC are ostensibly to:

1. Secure online transactions.
2. Provide high levels of identity assurance online
3. Foster innovation and new services
4. Improve Privacy

If done correctly, NSTIC could indeed improve privacy. If done incorrectly, NSTIC could have a devastating effect on privacy, create centralized Identity Reporting Agencies, analogous to today’s Credit Reporting Agencies, all without functionally improving security.

Fair Information Practice Principles (FIPPs)

FIPPs are globally recognized principles which just about everyone agrees should govern the collection, storage, use, and dissemination of personal information. FIPPs include:

• Notice and Awareness
• Choice and Consent
• Access and Participation
• Integrity and Security
• Enforcement and Redress
• Others, like Data Minimization

In general, FIPPs are as non-controversial as “motherhood and apple pie.” But the United States has adopted the Notice and Consent legal regime where most of these FIPPs may be waived upon notice and consent. And since FIPPs can be adverse to the business interests of companies like Google, clickwrap agreements often include waivers of most privacy rights or expectations. For the most part, these “checkbox” agreements are enforceable.

Although the current draft of the NSTIC Implementation Plan makes liberal references to FIPPs, I am afraid that they might not mean much in practice, within the United States’ Notice and Consent legal regime.

IdP Regulation

In the most simple trusted identity framework, there are three participants: The User (Me), the Relying Party (RP), and the Identity Provider (IdP). Consider a typical transaction between a User and RP, let’s say me and Pandora. Federal law prohibits providers from collecting personal information on kids under 13 years old without a parent’s consent. Even though Pandora asks for my date of birth, they don’t need my date of birth; they just need to know I’m over 13.

That’s where Identity Providers come in. As a User I can assert to Pandora (the Relying Party) that I’m over 13. Then I send Pandora to a trusted, accredited third party Identity Provider. The IdP essentially says, “Yes, Aaron is over 13 years old, but we’re not giving you his date of birth.” The relying party has the information it needs, but not my date of birth. Pandora is satisfied, and my privacy between me and Pandora is enhanced. For discussion purposes, I’ll call this “retail privacy.”

But retail privacy is only half of the transaction. Since the transaction must go through an IdP, the IdP now has a record of my transaction, as well as all of my other transactions and behaviors, along with my date of birth and other personal information [Please see Jim Fenton's comment about attribute providers, below]. What if Pandora was allowed to purchase enriched information about me from my IdP later, without my knowledge or consent?

Essentially, this is the status quo, and the current draft of NSTIC would not prohibit such purchase from taking place. For ease of reference, I’ll call this “wholesale privacy.” Currently, data warehouses sell billions of dollars in personal information without the knowledge or consent of the data subjects. In this rather probable vision of NSTIC, “retail privacy” between the user and relying party increases, but the increased privacy is illusory unless the IdP is under strict regulations to keep the information private.

The privacy concerns of today – data collection and behavioral marketing practices of very large online service providers – are trivial compared to the new capability to piece together an Identity Ecosystem Participant’s inter-transactional history which, by definition, each Identity Provider in the Identity Ecosystem will have.

It is likely that the market will self-select a handful of large IdPs, who will be custodians of a large amount of Identity Ecosystem participant information, including inter-transactional history. While providing retail privacy to consumers and end-node Identity Ecosystem participants, IdPs will also amass huge warehouses of individual transactional data which may dwarf Transunion, Equifax, and Experian in sheer volume and data richness. This information will have huge economic value, and without strictly enforcing the FIPPs, each IdP will be under strong economic pressures to collect, mine, re-purpose, sell, and share the information with the highest bidder—often the very parties from whom users are trying to keep it.

Unless implemented properly, NSTIC could have a devastating effect on wholesale privacy, rendering any improvements in retail privacy illusory. Absent strict regulation, NSTIC has the potential to turn Identity Providers into pseudo-centralized Identity Reporting Agencies which are further removed from the public view and opaque to users.

But as of now, the NSTIC Strategy document and the Implementation Plan lack crucial detail about regulating IdPs. By definition, Identity Providers will be able to link all of an individual’s personal transactions. Without regulation, larger IDPs will be able to market, share or otherwise derive value from vast storehouses of transactional data, much like today’s credit reporting agencies.

At the very least, NSTIC must mandate the development of context-specific privacy standards for IdPs. Although I’m willing to participate in their development, frankly I’m not too optimistic that adequate protections will be implemented.

Other Points

I have other less substantial critiques of NSTIC, including a lack of detail on redress, whether NSTIC will truly preserve anonymity, or whether by definition any anonymity within the NSTIC framework will be able to be “unwound” to discover the individual’s true identity. Others have legitimate concerns that NSTIC may turn into a defacto National ID. And let’s face it, NSTIC will not solve many security problems. We will still have nodes of failure, risk of fraud, and errors in data.

At this point, NSTIC is at a crossroads. NSTIC could either be really good, or really bad for privacy. I’m hoping for the best, but I’ve learned not to hold my breath.