Thoughts on the National Strategy for Trusted Identities in Cyberspace

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.

Here is my answer to the NSTIC Governance Notice of Inquiry.

And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.


Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The second draft is posted on a DHS IdeaScale installation. There will be three weeks (until July 19th) for public comments.

The Document is 40 pages long and you can download it here. This is where would have come in handy to make comments… cause commenting in a threaded discussion on idea scale about the whole document will not be easy.

We will be hosting the Internet Identity Workshop in DC Sept 9-10 (Thursday-Friday) following Gov 2.0 Summit. See the announcement on the IIW site.

The White House post talks about the Identity Ecosystem. The document uses this phrase extensively.

I am reading it now and comments will follow here over the hour.

The subtitle is good - Creating Options for Enhanced Online Security and Privacy

Executive Summary Quotes and commentary:

In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.

One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities.

It is good they are recognizing the value of anonymity for online transactions.

This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions. The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

They are touching on key underpinnings of potential solutions understood by the user-centric identity community. The purpose of Identity Commons is as follows: to support, facilitate, and promote the creation of an open identity layer for the Internet — one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities.

Ok, who let this many “identity ecosystems” out of the building? Ten in two paragraphs!!

Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity. The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques. Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.

Another pillar of the Identity Ecosystem is interoperability. The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants. Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types. The Identity Ecosystem does not rely on the government to be the sole identity provider. Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity
User-Centricity appears on the 2nd page of the Executive Summary:
User-centricity will allow individuals to select the interoperable credential appropriate for the transaction.
Sounds like they get what verified anonymity is and how it means that people don’t have to share all their information when doing transactions online.
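The “provide age without releasing birth date” idea above is a minimal-disclosure credential. The following is an added illustration, not code from the Strategy or from any NSTIC participant: an identity provider derives an over-21 claim from the birth date, commits to every attribute with a salted hash, and signs only the hash list; the holder then discloses just the over-21 attribute, and the relying party verifies it without ever seeing the birth date. The issuer key and all subject data are constructed, and the HMAC tag is a stand-in for the public-key signature a real identity provider would use.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed demo key standing in for the identity provider's signing key.
# A real deployment would use a public-key signature so relying parties need
# no shared secret; HMAC keeps this example stand-alone.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _attribute_digest(salt: str, name: str, value) -> str:
    """Salted hash of one attribute; the salt stops guessing of low-entropy
    values (a birth date has only a few tens of thousands of possibilities)."""
    payload = salt + json.dumps([name, value], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def issue_credential(subject: dict, today: str):
    """Identity provider step: derive 'over_21' from the birth date, commit to
    every attribute by digest, and sign only the sorted digest list.
    Returns the signed credential and the per-attribute disclosures the holder
    keeps privately (salt and value for each attribute)."""
    born = date.fromisoformat(subject["birth_date"])
    now = date.fromisoformat(today)
    age = now.year - born.year - ((now.month, now.day) < (born.month, born.day))
    attributes = dict(subject, over_21=age >= 21)
    disclosures = {name: (secrets.token_hex(16), value)
                   for name, value in attributes.items()}
    digests = sorted(_attribute_digest(salt, name, value)
                     for name, (salt, value) in disclosures.items())
    body = json.dumps(digests).encode()
    tag = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder step: forward the signed credential with only the chosen
    attributes opened; everything else stays a bare digest."""
    return {"credential": credential,
            "disclosed": {name: disclosures[name] for name in reveal}}


def verify_presentation(presentation: dict) -> dict:
    """Relying party step: check the issuer tag over the digest list, then
    check each opened attribute against a committed digest. Returns the
    verified attributes, or raises ValueError on any mismatch."""
    credential = presentation["credential"]
    body = json.dumps(credential["digests"]).encode()
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        raise ValueError("issuer signature check failed")
    committed = set(credential["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _attribute_digest(salt, name, value) not in committed:
            raise ValueError(f"attribute {name!r} does not match the credential")
        verified[name] = value
    return verified
```

The relying party learns only what the holder opened; a holder who changes an opened value is caught because the recomputed digest no longer appears in the signed list.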
Here are the goals of the Strategy:
  1. Develop a comprehensive Identity Ecosystem Framework
  2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
  3. Enhance confidence and willingness to participate in the Identity Ecosystem
  4. Ensure the long-term success of the Identity Ecosystem
What is an Identity Ecosystem Framework? Maybe they were too afraid to use the word “trust framework”?
They have 9 proposed Actions to achieve these goals:
  1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
  2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
  3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
  4. Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
  5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  6. Address the Liability Concerns of Service Providers and Individuals
  7. Perform Outreach and Awareness Across all Stakeholders
  8. Continue Collaborating in International Efforts

Introduction Quotes and Commentary:

They paint a rosy picture of the future saying this about what it will be like:

They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online.  They have access to a wider array of online services to save time and effort.

In this user centric world, organizations efficiently conduct business online by trusting the identity proofing and credentials provided by other entities as well as the computing environment in which the transactions occur.

The No2ID folks are not going to like the “envision” box on the first page….

Envision It!

An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:

  • Anonymously posting blog entries,
  • Logging onto Internet email services using a pseudonym,
  • Credit card purchases,
  • Online banking,
  • Accessing electronic health care records,
  • Securely accessing her personal laptop computer.

To be clear, the user-centric identity community has not been focused on government-issued credentials or IDs – it has always been mostly about how people have aspects of their identities self-asserted and then validated by third parties, likely in the commercial sector not government.

The issue around identity theft is well articulated: the underlying data systems are poorly architected, and change needs to happen at this level to solve the problem – not paying your bank or other entities “identity theft prevention or protection fees”.

Criminals and other adversaries often exploit weak identity solutions for individuals, websites, email, and the infrastructure that the Internet utilizes.  The poor identification, authentication, and authorization practices associated with these identity solutions are the focus of this Strategy.

The lack of User-centrism is touched on as a problem – yeah, they at least get some core aspects of the problem.
Further, the online environment today is not user-centric; individuals tend to have little control over their own personal information. They have limited ability to utilize a single digital identity across multiple applications. Individuals also face the increasing complexity and inconvenience associated with managing the large number of user accounts, passwords, and other identity credentials required to conduct services online with disparate organizations. The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise. For example, personal data used to recover lost passwords (e.g., mother’s maiden name, the name of your first pet, etc.) is often publicly available.

A very good resource to understand this broad set of issues around badly architected data systems is The Digital Person by Daniel Solove.

This is not about National ID:

[T]he Strategy does not advocate for the establishment of a national identification card. Instead, the Strategy seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions. Individuals should have the choice of obtaining identity credentials from either public or private sector identity providers, and they should be able to use these credentials for transactions requiring different levels of assurance across different sectors (e.g., health care, financial, and social transactions).
The Guiding Principles quotes and commentary:
What are the essential characteristics of solutions that support Trusted Identities in Cyberspace?
They articulate three kinds of interoperability:
  1. Technical Interoperability – The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.
  2. Semantic Interoperability – The ability of each end-point to communicate data and have the receiving party understand the message in the sense intended by the sending party.
  3. Policy Interoperability – Common business policies and processes (e.g., identity proofing and vetting) related to the transmission, receipt, and acceptance of data between systems, which a legal framework supports.
Importantly, it highlights a key requirement for interoperability: the use of non-proprietary standards.
Identity Ecosystem will encourage identity solutions to utilize non-proprietary standards to help ensure interoperability.
Values and Benefits quotes and commentary:
They do a good job of defining some key identity terms.
The identity solutions identified in the vision are primarily associated with identification (establishing unique digital identities) and authentication (associating an individual with a unique identity) technologies and processes.  Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.
New term bonanza (at least for the user-centric ID community) in the ecosystem component:
A non-person entity (NPE) may require authentication in the Identity Ecosystem.  NPEs can be organizations, hardware, software, or services and are treated much like individuals within the Identity Ecosystem.  NPEs may engage in a transaction or simply support it.
The credential can be stored on an identity medium, which is a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject.  Identity media are widely available in many formats, such as smart cards, security chips embedded in PCs, cell phones, software based certificates, and USB devices. Selection of the appropriate credential is implementation-specific and dependent on the risk tolerance of the participating entities.
On page 17, the phrase “trust framework” finally appears.
Looking across all three layers, the Identity Ecosystem will have the following characteristics:
  1. Individuals and organizations choose the providers they use and the way they conduct transactions securely.
  2. Participants can trust one another and have confidence that their transactions are secure.
  3. Individuals can conduct transactions online with multiple organizations without sacrificing privacy.
  4. Identity solutions are simple for individuals to use and efficient for providers.
  5. Identity solutions are scalable and evolve over time.

Benefits are articulated for individuals and the private sector.

Identity Books Arrive

So I had two book shipments arrive today – I thought I would share them in case any of you out there are also reading or hope to read these books soon. Let me know.

From AMAZON today came

Identity and Control: How Social Formations Emerge, Second Edition by Harrison C. White.
This one was recommended by the Value Networks mailing list that I am on. It dives into the construction of sociocultural context. Chapter one is titled Identities and Control. Should be good.

I am a Strange Loop by Douglas Hofstadter (author of Gödel, Escher, Bach). This one was recommended to me by Scott David at lunch when I met him in Seattle recently. A mutual friend introduced us five months ago in e-mail. He is a lawyer based in Seattle and participating in the ID-Legal group. The book asks the question “What do we mean when we say ‘I’?”

I got three books that I hope will be useful in gaining some more skills/tools for communicating about identity topics.

Back of the Napkin: Solving Problems and Selling Ideas with PICTURES by Dan Roam

Presentation Zen: Simple Ideas on Presentation Design and Delivery by Garr Reynolds (I saw him present at SlideShare recently).

Indexed (the space between short, nerdy and oddly attractive) by Jessica Hagy (her blog) – think Hugh MacLeod but with diagrams on index cards rather than cartoons on the back of business cards.

Books I bought in Boston and shipped home arrived :)

Buckminster Fuller: Starting with the Universe is the catalogue from the Whitney Museum exhibit about him. This gets to our identity as beings on spaceship earth in the universe.

Uniforms: Why We Are What We Wear by Paul Fussell

Ok, these don’t exactly have to do with identity, but they are fun – and besides, “you are what you eat”, right?

Slow Food: Why Our Food Should Be Good, Clean and Fair by Carlo Petrini – it is a translation of his manifesto originally in Italian – this weekend happens to be Slow Food Nation

On Guerrilla Gardening: A Handbook for Gardening Without Boundaries by Richard Reynolds.

Last week Cody’s Books was closing in Berkeley. The bank of the company that owned the store recalled the loans. The store closed about 6 weeks ago and sat there with all the books inside. Then 2 weeks ago they sold all those remaining books at 40% off.

I got four identity-related books:

Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition (2007) by Whitfield Diffie and Susan Landau.
Less Safe, Less Free: Why Americans Are Losing the War on Terror by David Cole and Jules Lobel

Who’s Watching You? The Chilling Truth About the State, Surveillance, and Personal Freedom by Mick Farren and John Gibb

cybertypes: Race, Ethnicity and Identity on the Internet by Lisa Nakamura. (cybertypes is her updated word for stereotypes that appear in the context of cyberspace).

On “Democracy” in contemporary America

I just picked up two books by ‘the’ Naomis today.
I saw them in the book shop and I was compelled.

1) The End of America: A Letter of Warning To A Young Patriot
by Naomi Wolf

Naomi Wolf is on the Colbert Report.
We don’t have a lot of time, she points out: free societies close down very quickly, and we need a democracy movement to restore the rule of law.

2) The Shock Doctrine: The Rise of Disaster Capitalism
by Naomi Klein

This is a short film about the topic of the book.

3) I recently was pointed to The Century of the Self, a film by the BBC. It is a documentary about the role of psychoanalysis, marketing, and public relations in the United States. The concluding installment covers the application of these techniques in the “democratic” political process.

It is well worth watching and is on the Internet Archive.

Identity stories from Slashdot

Yesterday was a rich day for identity related stories.
Feds Start Small on Smart IDs talks about the start of the roll out of

The use of personal identity verification, or PIV, cards for verifying the identities of all federal workers and contractors was mandated by Homeland Security Presidential Directive 12. The unfunded HSPD-12 mandate specified that agencies must adopt a common identification credential for access to government facilities and computer systems.

Friday’s deadline and an earlier one calling on agencies to develop procedures for verifying the identities and backgrounds of all workers by last October were both considered exceptionally aggressive because of funding issues and the technology and process changes required.

Does anyone know what the procedure they actually developed is?

The Register reported that to buy a beer in the UK you will have to give your fingerprint. The rationale is to reduce ‘drinking related crime’. It sounds freakishly Orwellian.

Beer fingerprints to go UK-wide:

The government is funding the roll out of fingerprint security at the doors of pubs and clubs in major English cities.

Funding is being offered to councils that want to have their pubs keep a regional black list of known trouble makers.

The council had assumed it was its duty under the Crime and Disorder Act (1998) to reduce drunken disorder by fingerprinting drinkers in the town centre.

Some licensees were not happy to have their punters fingerprinted, but are all now apparently behind the idea. Not only does the council let them open later if they join the scheme, but the system costs them only £1.50 a day to run.

Oh, and they are also coerced into taking the fingerprint system. New licences stipulate that a landlord who doesn’t install fingerprint security and fails to show a “considerable” reduction in alcohol-related violence, will be put on report by the police and have their licences revoked.

Offenders can be banned from one pub or all of them for a specified time – usually a period of months – by a committee of landlords and police called Pub Watch. Their offences are recorded against their names in the fingerprint system. Bradburn noted the system had a “psychological effect” on offenders.

The Home Office distanced itself from the plans. It said it provided funding to Safer, Stronger Communities through the Department for Communities and Local Government’s Local Area Agreements. How they spent the money was a local decision, said a HO spokeswoman.

Winning The Digital Identity World Award

So today was a big day. Digital Identity World gave me their yearly award for my ‘behind the scenes’ work with the Identity Gang and the Internet Identity Workshop. It feels great to be seen for over two years of hard work.

I really owe a great debt to Jim Fournier and Elizabeth Thompson for founding Planetwork and bringing together an amazing community from which I learned a lot and which got me inspired to work in technology. They worked hard to bring the Link Tank together, whose output was at least partially captured in the Augmented Social Network White Paper. If you are trying to figure out user-centric identity and what it might mean socially, this is still a critical document for that.

Owen Davis deserves a lot of thank yous for his personal vision, intellectual contribution and putting up his own money to work on addressing the social issues that arise with a user-centric identity layer by forming Identity Commons. His decision to hire me gave me my first real job in this space, where I learned a lot and began building a network of relationships that became the heart of the current community.

Of course I must thank my family, and my husband Brian, who has been supportive of my crazy travel schedule to serve and evangelize about goings on inside the community.

I really love the community and thank all of you for your support, and I must particularly thank Phil Windley and Doc Searls for their partnership with me in producing the Internet Identity Workshop and Identity Open Spaces.

Come to the Workshop in December; it will be a great time.