Thoughts on the National Strategy for Trusted Identities in Cyberspace

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.

Here is my answer to the NSTIC Governance Notice of Inquiry.

And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.


Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The 2nd draft is posted on a DHS IdeaScale installation. There will be three weeks (until July 19th) for public comments.

The document is 40 pages long and you can download it here. This is where would have come in handy to make comments, because commenting in a threaded discussion on IdeaScale about the whole document will not be easy.

We will be hosting the Internet Identity Workshop in DC Sept 9-10 (Thursday-Friday) following Gov 2.0 Summit. See the announcement on the IIW site.

The White House post talks about the Identity Ecosystem. The document uses this phrase extensively.

I am reading it now and comments will follow here over the hour.

The subtitle is good - Creating Options for Enhanced Online Security and Privacy

Executive Summary Quotes and commentary:

In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.

One key step in reducing online fraud and identity theft is to increase the level of trust associated with  identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities.
It is good they are recognizing the value of anonymity for online transactions.
This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions.  The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
They are touching on key underpinnings of potential solutions understood by the user-centric identity community.  The Identity Commons purpose is as follows: to support, facilitate, and promote the creation of an open identity layer for the Internet — one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities.
Ok, who let this many “identity ecosystems” out of the building?  Ten in two paragraphs!!
Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction.  For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data.  At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity.  The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques.  Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.
Another pillar of the Identity Ecosystem is interoperability.  The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants.  Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types.  The Identity Ecosystem does not rely on the government to be the sole identity provider.  Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity
User-Centricity appears on the 2nd page of the Executive Summary:
User-centricity will allow individuals to select the interoperable credential appropriate for the transaction.
Sounds like they get what verified anonymity is and how it means that people don’t have to share all their information when doing transactions online.
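The age-without-birth-date transaction the draft describes above, as an added example that is not code from the NSTIC document or from this post: a small Python model in which an identity provider holds the full record (name, birth date, address) but releases to a relying party only a signed "meets the minimum age" claim, issued under a pseudonym derived per relying party so that two relying parties cannot correlate the same person. The provider, the relying-party names, the user records and the shared key are all constructed for the example; the HMAC tag stands in for the digital signature a real credential would carry (with a shared key a relying party could mint claims itself, which a public-key signature avoids).

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample key shared by issuer and verifier. A real deployment would
# use a public-key signature so relying parties can verify but not forge;
# the HMAC here is a stand-in so the example runs on the standard library alone.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"


def _age_on(birth: date, today: date) -> int:
    """Whole years elapsed between birth and today."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def _canonical(claim: dict) -> bytes:
    """Deterministic serialization so issuer and verifier MAC identical bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


class IdentityProvider:
    """Holds the full identity record; releases only a derived attribute."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}

    def enroll(self, user_id: str, name: str, birth: date, address: str) -> None:
        self._records[user_id] = {"name": name, "birth": birth, "address": address}

    def issue_age_claim(self, user_id: str, relying_party: str,
                        min_age: int, today: date) -> dict:
        rec = self._records[user_id]
        # Pairwise pseudonym: keyed per relying party, so the same person gets
        # a different identifier at each site and their logs cannot be joined.
        pseudonym = hmac.new(self._key, f"{user_id}|{relying_party}".encode(),
                             hashlib.sha256).hexdigest()[:16]
        # Only the yes/no answer leaves the provider; no birth date, name or
        # address is placed in the claim.
        claim = {
            "sub": pseudonym,
            "aud": relying_party,
            "min_age": min_age,
            "age_over": _age_on(rec["birth"], today) >= min_age,
            "iat": today.isoformat(),
        }
        tag = hmac.new(self._key, _canonical(claim), hashlib.sha256).hexdigest()
        return {"claim": claim, "tag": tag}


def verify_age_claim(key: bytes, token: dict, expected_audience: str) -> bool:
    """Relying-party side: accept only an untampered claim addressed to us
    whose answer is yes."""
    claim = token["claim"]
    if claim.get("aud") != expected_audience:
        return False  # a claim issued for another site is not ours to accept
    expected = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False  # altered claim or wrong issuer
    return bool(claim.get("age_over"))


def demo():
    """Constructed scenario: two users, two relying parties, one date."""
    idp = IdentityProvider(ISSUER_KEY)
    today = date(2010, 6, 25)
    idp.enroll("alice", "Alice Example", date(1990, 5, 14), "1 Constructed St")
    idp.enroll("bob", "Bob Example", date(1995, 8, 1), "2 Constructed St")
    alice_shop = idp.issue_age_claim("alice", "wineshop.example", 18, today)
    alice_bank = idp.issue_age_claim("alice", "bank.example", 18, today)
    bob_shop = idp.issue_age_claim("bob", "wineshop.example", 18, today)
    return alice_shop, alice_bank, bob_shop


if __name__ == "__main__":
    alice_shop, alice_bank, bob_shop = demo()
    print("claim released to the shop:", alice_shop["claim"])
    print("shop accepts alice:", verify_age_claim(ISSUER_KEY, alice_shop, "wineshop.example"))
    print("bank accepts alice's shop claim:", verify_age_claim(ISSUER_KEY, alice_shop, "bank.example"))
    print("shop accepts bob (under 18):", verify_age_claim(ISSUER_KEY, bob_shop, "wineshop.example"))
    print("same person, different pseudonyms:", alice_shop["claim"]["sub"] != alice_bank["claim"]["sub"])
```

The relying party learns three things and no more: that the issuer vouches for the answer, that the claim was meant for it, and whether the threshold is met. The per-audience check matters as much as the tag check: without it a claim captured at one site could be replayed at another under the same pseudonym.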
Here are the goals of the Strategy:
  1. Develop a comprehensive Identity Ecosystem Framework
  2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
  3. Enhance confidence and willingness to participate in the Identity Ecosystem
  4. Ensure the long-term success of the Identity Ecosystem
What is an Identity Ecosystem Framework? Maybe they were too afraid to use the word “trust framework”?
They have 9 proposed Actions to achieve these goals:
  1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
  2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
  3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
  4. Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
  5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  6. Address the Liability Concerns of Service Providers and Individuals
  7. Perform Outreach and Awareness Across all Stakeholders
  8. Continue Collaborating in International Efforts

Introduction Quotes and Commentary:

They paint a rosy picture of the future saying this about what it will be like:

They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online.  They have access to a wider array of online services to save time and effort.

In this user centric world, organizations efficiently conduct business online by trusting the identity proofing and credentials provided by other entities as well as the computing environment in which the transactions occur.

The No2ID folks are not going to like the “envision” box on the first page….

Envision It!

An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:

  • Anonymously posting blog entries,
  • Logging onto Internet email services using a pseudonym,
  • Credit card purchases,
  • Online banking,
  • Accessing electronic health care records,
  • Securely accessing her personal laptop computer.

To be clear, the user-centric identity community has not been focused on government-issued credentials or IDs – it has always been mostly about how people have aspects of their identities self-asserted and then validated by third parties, likely in the commercial sector not government.

The issue around identity theft is well articulated: the underlying data systems are poorly architected, and change needs to happen at this level to solve the problem – not paying your bank or other entities “identity theft prevention or protection fees”.

Criminals and other adversaries often exploit weak identity solutions for individuals, websites, email, and the infrastructure that the Internet utilizes.  The poor identification, authentication, and authorization practices associated with these identity solutions are the focus of this Strategy.

The lack of user-centrism is touched on as a problem – yeah, they at least get some core aspects of the problem.
Further, the online environment today is not user-centric; individuals tend to have little control over their own personal information.  They have limited ability to utilize a single digital identity across multiple applications.  Individuals also face the increasing complexity and inconvenience associated with managing the large number of user accounts, passwords, and other identity credentials required to conduct services online with disparate organizations.  The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.  For example, personal data used to recover lost passwords (e.g., mother’s maiden name, the name of your first pet, etc.) is often publicly available.
A very good resource to understand this broad set of issues around data systems architected badly is The Digital Person by Daniel Solove.
This is not about National ID:
[T]he Strategy does not advocate for the establishment of a national identification card.  Instead, the Strategy seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions.  Individuals should have the choice of obtaining identity credentials from either public or private sector identity providers, and they should be able to use these credentials for transactions requiring different levels of assurance across different sectors (e.g., health care, financial, and social transactions).
The Guiding Principles quotes and commentary:
What are the essential characteristics of solutions that support Trusted Identities in Cyberspace?
They articulate three kinds of interoperability:
  1. Technical Interoperability – The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.
  2. Semantic Interoperability – The ability of each end-point to communicate data and have the receiving party understand the message in the sense intended by the sending party.
  3. Policy Interoperability – Common business policies and processes (e.g., identity proofing and vetting) related to the transmission, receipt, and acceptance of data between systems, which a legal framework supports.
Importantly, it highlights a key requirement for interoperability: the use of non-proprietary standards.
Identity Ecosystem will encourage identity solutions to utilize non-proprietary standards to help ensure interoperability.
Values and Benefits quotes and commentary:
They do a good job of defining some key identity terms.
The identity solutions identified in the vision are primarily associated with identification (establishing unique digital identities) and authentication (associating an individual with a unique identity) technologies and processes.  Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.
New term bonanza (at least for the user-centric ID community) in the ecosystem component:
A non-person entity (NPE) may require authentication in the Identity Ecosystem.  NPEs can be organizations, hardware, software, or services and are treated much like individuals within the Identity Ecosystem.  NPEs may engage in a transaction or simply support it.
The credential can be stored on an identity medium, which is a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject.  Identity media are widely available in many formats, such as smart cards, security chips embedded in PCs, cell phones, software based certificates, and USB devices. Selection of the appropriate credential is implementation-specific and dependent on the risk tolerance of the participating entities.
On page 17, the phrase “trust framework” finally appears.
Looking across all three layers, the Identity Ecosystem will have the following characteristics:
  1. Individuals and organizations choose the providers they use and the way they conduct transactions securely.
  2. Participants can trust one another and have confidence that their transactions are secure.
  3. Individuals can conduct transactions online with multiple organizations without sacrificing privacy.
  4. Identity solutions are simple for individuals to use and efficient for providers.
  5. Identity solutions are scalable and evolve over time.

Benefits are articulated for individuals and the private sector.