As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.

I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.

However, the way the word “trust” is used within the NSTIC document, it often includes far to broad a swath of meaning.

When spoken of in every day conversation trust is most often social trust.

Trust in a social context: The typical definition of trust follows the general intuition about trust and contains such elements as:

• the willingness of one party (trustor) to rely on the actions of another party (trustee);
• reasonable expectation (confidence) of the trustor that the trustee will behave in a way beneficial to the trustor;
• risk of harm to the trustor if the trustee will not behave accordingly; and
• the absence of trustor's enforcement or control over actions performed by the trustee.

When discussing digital systems there is another meaning for trust related to cryptography and security and other policy enforcement.

Computational Trust - In Information security, computational trust is the generation of trusted authorities or user trust through cryptography.

Trusted Systems - In the security engineering subspecialty of computer science, a trusted system is a system that is relied upon to a specified extent to enforce a specified security policy. As such, a trusted system is one whose failure may break a specified security.

The choice of one individual to trust another depends on who they are, depending on the context, relationship and other factors. This can change and perhaps be tracked.

Trust Metrics -In psychology and sociology, a trust metric is a measurement of the degree to which one social actor (an individual or a group) trusts another social actor.

Trust Operates on Different Scales

In The Speed of TRUST: The One Thing That Changes Everything, Stephen M.R. Covey articulates 5 different ones. I think this model is helpful because it highlights how much trust means and how it operates differently at different scales.

Covey starts with people trusting themselves: SELF TRUST

Are we credible to ourselves?

• Do we have integrity are we congruent inside and out and walking our talk, living in accordance with one’s own values and beliefs?
• What is our intent when interacting with straightforward motives based on mutual benefit?
• What are our capabilities? Do we have the ability to establish, grow, extend and restore trust? What abilities do you have that inspired confidence, talents attitudes, skill, knowledge, style.
• What are our results? Do we get the right things done, are they done well and what is our consistency of results or tack record?

People in the Quantified Self movement are actually using digital devices and sensors to track themselves. They are using data analysis tools to see how fast they ran or what their caloric intake was. One of the reasons people track themselves to work on improving themselves, set goals and measure achievement over time. As they achieve results towards a goal they increase their credibility - their self trust.

Covey moves on to people trusting each other: RELATIONSHIP TRUST
One cultivates this kind of trust with others when one behaves consistently in ways that build trust. People are biologically wired to track behavior of others and form opinions about trustworthiness in real time, all the time balancing a wide array of variables. One way to simplify this is to imagine that with every person you interact with you have a “trust account”. The way you make deposits “In” to someone’s bank account is to have consistent behavior. Deposits are withdrawn from the “account” when someone is not consistent in following agreements.

Behaviors he believes generate trust:

• Create Transparency
• Demonstrate Respect
• Practice Accountability
• Deliver Results
• Get Better
• Extend Trust
• Talk Straight
• Listen First
• Show Loyalty
• Confront Reality
• Clarify Expectations
• Keep Commitments

People are really different: different kinds of behaviors matter more or less to an individual, and therefore a behavior’s meaning affects the current balance on any person’s given trust account account differently.

The Identity Ecosystem is an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices. The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that govern the Identity Ecosystem.

This quote from NSTIC makes a big assertion that trust is going to flow between people because they followed agreed-upon standards to obtain and authenticate their digital identities.

The implicit use case might be an individual, lets say her name is Jenna, goes to an attribute verifier service provider like her retail branch bank with attributes like drivers license, latest utility bill and her record showing she has also had a bank account with them for 5 years. The bank checks Jenna’s physical world credentials and then issue a digital token she can use to do 2-factor authentication online. The digital token, when she goes online, presents Jenna’s name as written on her driver’s license.

I see three behaviors in this use case:

Confronting Reality - there is a reality for most people in western liberal democracies that the government of the county or province you were born issued you a paper saying so, and this ironically named breeder document begets you more forms of identification. If a user has not been using their real name, they will now be forced to do so. The reality is, birthplace can have a huge effect on a person’s legal and identify reality.

Creating Transparency - Jenna has linked her “real legal name” to an account which that when she uses it will be transparent about who she is and let everyone know. This means people who look her up online can find her street address in real life. Well, it turns out this creates a vulnerability because others can find where her house is, stalk her or make threats against her.

Practicing Accountability - The ability to be accountable. If Jenna choose a criminal action online, others would be able to trace her by the real name she was using. But so too if she was mildly socially rude, people would know to withdraw from her “trust account”.

There are nine other behaviors really matter in human to human trust relationships but which are not covered in any way by the standards for obtaining and authenticating digital identities - the so-called trust frameworks.

There are other aspect that are not comparable about this scenario when you map them to how people trust one another in everyday life. I don’t trust people because I know their legal name because I checked it on their drivers license. In physical space, I see someone I know and I know it is them because they are in the same body form they were last time I saw them. This verisimilitude to the mental picture I have of them allows me to authenticate36 them visually. When I see them, I can pull up my mental trust account and see how much I have deposited in their account.

In the digital realm, I anchor my mental trust account to identifiers I hold for people in my mind. I need to have confidence that the system they use to authenticate (using a user name and password) is secure, that it isn’t someone else logging in and “being them” because they control the identifier.

When people interact with businesses, they use similar mental models for judging trustworthiness based on observed actions and experiences. The use of the phrase “trust framework” by its very name implies that those who have complied with its requirements are trustworthy because they had a standard way to obtain a digital identity and authenticate. There is a great diversity of particular behaviors that people use to make trust judgements. If people want to use one trust framework or another because they judge one or another ratings agency assesses it to be more “trustworthy” we have a very messy, convoluted conversation.

In groups of people working together: ORGANIZATIONAL TRUST
This mode of trust is about alignment of the structures, systems and symbols of organizational trust. If trust is low in an organization, then to compensate, certain behaviors or systems patterns emerge that are costly: Redundancy, Bureaucracy, Politics, Disengagement, Turnover, Churn and Fraud.

For organization there is: MARKET TRUST
The perception of a business entity in the market place is where there are all kinds of services that help consumers navigate what products to buy. Market trust is developed by repeated activity observed over time.

Beyond the business or nonprofit is: SOCIETAL TRUST
This is about giving back and contributing to the society and the commons. It is particularly important to give back to society trust assets one owns but everyone benefits from. It is vital that societal trust be maintained because other scales for trust operate at this level as a support structure. This is where there is backup when other forms of trust fail and you can trust the court system to give you fair treatment when seeking redress.

“If NSTIC is successful, trust on the web would go up, worldwide.” The trust in this sentence is at the societal level scale and I believe it is true. However the way to succeed in achieving this level of trust is not to name policy-tech frameworks throughout the system “trust frameworks”. I am very keen on NSTIC succeeding, however I am concerned that naming this critical part of the proposed ecosystem “trust frameworks” will actually generate mistrust of the system. If the term “trust framework” is the way policy-technology frameworks within the ecosystem are named and explained to the public, but people find those frameworks untrustworthy, they will suspect anything self labeled with “trust”. People will ask themselves: why should we trust a Trust Framework? Who made up the trust frameworks? Individuals will think to themselves: I am the one who decides what to trust...don’t tell me to trust something just because you call it a “Trust Framework.” Given the recent large scale institutional breakdown in trust in the banking system, consumers are skeptical of large publicly traded companies saying “trust us” we have a “trust framework” to protect you.

I highlighted the challenge with using the word, trust, for policy-technology frameworks at the NSTIC governance workshop at the beginning of June where Jeremy Grant asked me if I had a better name. I do have a better name for trust frameworks:

Accountability Frameworks.

Here is some of my reasoning:

• It is 2 words.
• It captures the heart of the intended purpose: Accountability
• Accountability is achieved in these frameworks via both technology standards and policies that are adopted and audit-able.
• Trust remains an emergent property of these accountability frameworks.
• There can be real conversations by various stakeholders who may have different needs and interests about the nature of the accountability in different frameworks. They can look to see weather particular accountability frameworks are trustworthy from a particular point of view.
• It avoids the problem of talking about the "trustability of trust frameworks".

Trust is absolutely essential in the Identity Ecosystem. People must trust that the information they share will be handled with care, respected and that human dignity is maintained by the individual actors within the Identity Ecosystem. This is achieved by having real accountability in the system around the user’s rights to use their data being respected. When the system is functioning well and accountability frameworks are followed then overall systems behavior of the Identity Ecosystem will be trustworthy.

This post is from pages 20-24 of Kaliya's NSTIC Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.

This is the section before: Alignment of Stakeholders around the many NSTIC Goals

This is the section after: Ecosystem Maps - Present, Evolving, Future

The Many Goals for the Identity Ecosystem & NSTIC Governance

The NSTIC governance NOI articulates many key activities, qualities and goals for a governance system for NSTIC. NSTIC must:

• convene a wide variety of stakeholders to facilitate consensus
• administer the process for policy and standards
• development for the Identity Ecosystem Framework in accordance with the Strategy’s Guiding Principles
• maintain the rules of participating in the Identity Ecosystem
• be private sector-led
• be persistent and sustainable
• foster the evolution of the Identity Ecosystem to match the evolution of cyberspace itself.

Achieving these goals will require high-performance collaboration amongst the steering group and all self-identified stakeholder groups. It will also require earning the legitimacy from the public at large and using methods that surface their experience of the Identity Ecosystem Framework as it evolves.

Its a Wicked Problem

The problem of planning, catalyzing the emergence of and then governing an Identity Ecosystem  is a “wicked problem”, characterized by the following:

• The solution depends on how the problem is framed and vice-versa (i.e. the problem definition depends on the solution framing).
• Stakeholders have radically different world views and different frames for understanding the problem.
• The constraints the problem is subject to and the resources needed to solve it change over time.
• Every implemented solution is consequential, it will leave a trace and can not be undone.

It follows that ecosystem problems are so complex they never can be solved definitively. This is true for “identity” one example being. Is it (identity) fully defined by the individual? Or defined by the social context the individuals finds themselves?  Well, it’s both.

To achieve the goals above alignment around how to achieve all of these goals needs to be cultivated amongst stakeholder groups and shared language and understanding is key for that to happen.

Alignment

Alignment is congruence of intention, whereas agreement is congruence of opinion.

Alignment as congruence of intention is congruence of resolution for the attainment of a particular aim. An aim being in and of the future, unknown or unpredicted variables inevitably enter the generative equations for its achievement. Inherent in alignment, therefore, is the spirit of quest.

The spirit of quest generates open and evolving dialogue-in-action. Participants of a quest bring in diverse points of view while remaining united in the same quest. When they jointly choose a course of action, they know that the choice is a tentative mutual agreement, to be modified, altered, or even discarded along the way. The question is not "who is right" but "what is best" for the fulfillment of the intention.

In an alignment-based organization or movement, disagreement among participants does not diminish but rather enhances the power of the alignment and its synergetic impact. Plurality and diversity of ideas and views, united in a shared intention, mutually enrich one another toward the achievement of an end. In an agreement-based organization or movement, on the other hand, disagreement among participants often leads to internal strife, divisive politics, splitting into cliques, or eventual demise.

An agreement-based organization can transform itself to an alignment-based organization by shifting its value focus from agreement to alignment, from opinion to intention. Alignment is not a static state; it is a dynamic process of constant aligning and realigning in the continual movement of time through the timeless commitment to an intention.

People who differ in their opinions can align in their intentions. No more do we need the usual politics of opinion-domination...What we need instead is a new politics of intention-alignment... beyond agreement or disagreement.

A set of critical challenges that face humanity today includes the challenge of whether or not we can shift our value focus from opinion to intention, whether or not we can affirm common intentions, whether or not we can transcend differences of opinion and unite in common intentions, whether or not we can forge a planetary alignment for the achievement of our common intentions, and whether or not we can reconcile seemingly conflicting or misaligned intentions.

From: Alignment Beyond Agreement

By Yasuhiko Genku Kimura

Shared understanding arises from shared language. When groups collaborate effectively together, a recognizable pattern emerges for shared understanding.  This means unifying a goal/mission/vision so that the question "what are we trying to do" doesn't continually to come up. Within this pattern collaborators aren’t in group think but agree about their disagreements and understand what they are trying to do together.

Eugene Kim, along with some colleagues, created The Squirm Test to measure the level of shared understanding in a group:

The Squirm Test is performed on a group of people collaborating on something together. You get all of the people in a room, seated in a circle, and sitting on their hands.

The first person then stands up and spends a few minutes describing what the group is working on and why. No one is allowed to respond except to ask a clarifying question.

When the first person is done, the second person stands up and does the same thing, articulating the group's goals and motivations in his or her own words.

Everyone in the circle speaks in turns.

You can measure the amount of shared understanding in the group by observing the amount of squirming that happens during the process.

The squirm test is qualitative as a repeatable, measurable and visible to the whole group that does it.

Is there currently shared understanding and alignment amongst the identified NSTIC stakeholders?

No. I often find myself squirming while listening to fellow NSTIC stakeholders articulate their ideas about what we are doing with NSTIC. I imagine with all the comments I have made from a user-advocacy perspective that others have squirmed when I have spoken. Because I feel myself squirming often and I see others squirming too, I know there is limited shared understanding amongst NSTIC stakeholders.

--------

This post is from pages 17-19 of Kaliya's NSTIC Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.

This is the section before: Proactive Development of Shared Language by NSTIC Stakeholders

This is the section after: The Trouble with Trust

The National Strategy for Trusted Identities in Cyberspace charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions.

Collaboration, as defined by Eugene Kim, a collaboration expert and the first Chief Steward of Identity Commons, occurs when groups of two or more people interact and exchange knowledge in pursuit of a shared, collective, bounded goal

To achieve the challenging goals set out in NSTIC, such as raising trust levels around identities, high performance collaboration is required. Both shared language and shared understanding are prerequisites for high-performance collaboration.

This is a powerful excerpt from Eugene Kim’s blog about two experiences from technical community participants (including Drummond Reed from the user-centric identity community) that paints a clear picture of the importance of time for, and the proactive cultivation of, shared language:

[Because I am writing this as a blog post - it is easy for you to go over to Eugene's site and read the excerpt. - please do]

(This paragraph is key so I will include it with my emphasis.)

Shared language is a prerequisite to collaboration. Without shared language people can’t collaborate. It’s that simple. When a group tries to collaborate without having shared language, the group will try to create it, whether it’s aware of this principle or not. The creation process is often frustrating and painful, and as a result, people sometimes try to skip this step or belittle the process. This is a problem. You can’t skip this step.

I also include this definition of Shared Language from his wiki:

Developing shared language is a messy problem, because communication is a messy process. A good collaborative process recognizes this messiness and factors it in.

Is there currently shared language amongst the identified NSTIC stakeholders?

No. I participated in both the NSTIC governance and privacy workshops in June and did not find there was shared understanding or language amongst stakeholders gathered. I did experience shared language and understanding between the people I knew from the user-centric identity community (and its neighbors). But there are many new stakeholder groups that I was unfamiliar with and found in many conversations that people were talking past each other constantly.  This experience of not having shared language was one of the reasons the breakout group conversations were not productive and many experienced frustration.

Eugene Kim notes that that shared language is not developed by intentionally agreeing to agree on language. The glossary in the back of the NSTIC does not beget shared language because it just  defines terms as used in the strategy document. The shared language needed for collaboration emerges from conversations and the meaning exchanges within those. To succeed the NPO must focus on cultivating contexts for the development of shared language amongst stakeholders

This post is from pages 10-12 of Kaliya's NSTIC Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.

This is the section before: Ecosystem as the Frame for NSTIC

This is the section after: Proactive Development of Shared Language by NSTIC Stakeholders

The National Strategy for Trusted Identities in Cyberspace paints a broad vision for an Identity Ecosystem. The strategy author’s choice to name the big picture vision an “ecosystem” is an opportunity not to be lost. An Identity Ecosystem construct will inform the choice of processes and structures appropriate to govern it.

An ecosystem is a biological environment consisting of all the organisms living in a particular area, as well as all the nonliving, physical components of the environment with which the organisms interact, such as air, soil, water and sunlight.

This definition reminds us that the context of an Identity Ecosystem is broad and goes beyond just the identities of people and devices but extends to the contexts in which they operate and interact, the network and indeed the wider world. When we discuss a person’s digital identity it should not be forgotten that we are each fundamentally biological beings living in complex social systems composed of groups, organizations and businesses, all socially constructed and embedded in a larger context, the biosphere surrounding the planet earth.

An overall Identity Ecosystem is needed because small islands of identity management online are working, but they have not been successfully woven together in a system that manages the tensions inherent in doing so to ensure long term thrivability of the overall system.

Ecosystems have individual organisms within them, interacting in various ways and together, one could say collaborating. With the overall environment, there are emergent properties and services needed to make the whole system work. In human systems, we also communicate in many more ways than with language. An Identity Ecosystem must allow be flexible enough to allow for multiple use cases that allow for different kinds of communication and contexts.

Terms in the above with references in the end notes:

Thrivability: Thrivability: A Collaborative Sketch. I was a contributing author writing the essay on Creating Appropriate Containers

What is the appropriate container to govern the Identity Ecosystem? This is a key question the governance NOI is seeking answers for Jean Russell the curator of the Collaborative Sketch defines Thrivability it this way:

Thrivability is our path out of unsustainable practices toward a world where all people have a high quality of life, a voice, and a nurturing earth supporting them. Using whole systems approach, we evolve our way of being together, of collaborating, so that our collective wisdom and action bring forth a flourishing world and thriving life.

 

Social Construction:  Individuals and groups participate in the construction of their perceived social reality. It involves looking at the ways social phenomena are created, institutionalized, known, and made into tradition by humans. The social construction of reality is an ongoing, dynamic process that is (and must be) reproduced by people acting on their interpretations and their knowldege of it. Because social constructs as facets of reality and objects of knowledge are not "given" by nature, they must be constantly maintained and re-affirmed in order to persist.

Ecosystem:  The term was first coined in 1935 by ecologist, A. G. Tansley in a paper entitled “ The Use and Abuse of Vegitational Concepts and Terms”  he described it as:

...the more fundamental conception is the whole system (in the sense of physics), including not only the organism complex, but also the whole complex of physical factors forming what we can call the environment of the biome--the habitat factors in the widest sense. Though the organisms may claim to be our primary interest, when we are trying to think fundamentally we cannot separate them from their special environment within which they form one physical system.

This post is from page 10 of Kaliya's NSTIC Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.

This is the section after: Ecosystems Collaborate Using Shared Language

Table of Contents to Blog Posts of My Response

My Complete Response in PDF form Kaliya-NSTIC-NOI

Introductory Letter of the Response.

Context for my NSTIC NOI response

I surprised myself when writing my response to the NSTIC (National Strategy for Trusted Identities in Cyberspace)  Governance NOI (Notice of Inquiry).  I wasn't sure exactly what I was going to say because the questions seemed like they were way ahead of where they should be interms of where things were.  I decided to begin by sharing important Context, Frames and Terms that were important before getting to the Questions of Governance and what should be done now.

I began with the word Ecosystem - what it meant and that a system was at the heart of this strategy not something simple or easily actionable.

I touched on the history of the Identity Community and how much conversation and intensive dialogue happened amongst that early community to get to a place where collaboration was natural and "easy". A huge amount of effort went into developing shared language and understanding then and this is needed once again.  The range of self identified stakeholders for NSTIC is quite large (the range of not self identified stakeholders it could be said is everyone on the planet or at least all those with a digital connection (via phone or interent).

I put forward two different methods/tools/processes that could be used to form shared language and understanding across this stakeholder community Polarity Management and Value Network Mapping.

I suggest that the governance structure proposed a "steering group" actually have a mandate to regularly listen to and act on the recommendations of the system that are generated via 3 different well established dialogic processes (Creative Insight Council, World Cafe and Open Space Technology [What we use at IIW]. I then answer the NOI questions referencing the ideas above.

I am going to be posting the whole of my Response in a series of posts and linking them all from there.

I began with one earlier last week which is focused on "trust" both as an emergent property of the overall system AND as the current name of technology and policy/legal frameworks for identity creation.

Links to NSTIC Response Posts: (posts are in the process of being published should be up by Wednesday Sept 14th)

• Ecosystem as the Frame for NSTIC - What is an Ecosystem?
• Ecosystems Collaborate Using Shared Language - NSTIC
• Proactive Development of Shared Language by NSTIC Stakeholders
• Alignment of Stakeholders around the many NSTIC Goals
• The Trouble with Trust (and the Case for Accountability Frameworks)
• Ecosystem Maps - Present, Evolving, Future
• Value Network Mapping and Analysis
• Questions of Governance
• Who are the Stakeholders?
• Effective Information Sharing
• Insight for Governance
• The Importance of Public Legitimacy
• Summary of NSTIC NOI response
• Missing Questions about NSTIC Governance
• Structure of the Steering Group
• NSTIC NOI Questions
• Planetwork Link Tank
• The Augmented Social Network:  Building identity and trust into the next-generation Internet
• People Diversity
• Reboot: Deliberative Democracy
• Resource Guide on Public Engagement
• Anti-pseudonym bingo
• Who is Harmed by a “Real Names” Policy?
• Protocols are Political

Here is the my opening to my response:

Dear Patrick Gallagher and Jeremy Grant,

The challenge of fostering the emergence and governance of an Identity Ecosystem is vast. I do think it is possible for a thriving ecosystem to emerge with the application of the best of available organizational, deliberative and governance processes and structures.

The high level vision outlined in the NSTIC has buy-in from a broad group of stakeholders. Making it real will involve government participation with the private commercial sector and civil society groups (neighborhood associations, schools, religious institutions, sports leagues, advocacy groups). The government also can’t abdicate responsibility and just collaborate with the private sector because its job is to be an advocate for the people and ensure that the guiding principles are not left behind because they are inconvenient or perceived to cost too much. The private sector is not just the largest IT companies, and government must remember to foster some space for new innovations to emerge. Government must, in this startup phase, develop with the broadest possible range of stakeholders, agree upon metrics (both qualitative and quantitative) for ecosystem health, balance and success, and have in place systems to monitor and feed back to the system the results from the agreed-upon indicators.

The danger of creating an unbalanced (in a range of ways) ecosystem is also present. On the one hand, because it could become very easy for virtually any company online to request highly validated identities and require the presentation of identifiers associated with “real legal name” credentials for almost all transactions and comments. This is an inhibitor of civil freedoms and creates a participatory panopticon

situation. On the other hand, a diverse range of accountability networks may not gain adoption because they are not well understood and therefore transactions online decline or people retreat into private commercially-controlled silos.

I open my response by diving into some of the terms and frames that are in NSTIC and used to talk about identity generally, along with examples from my community context. Within the history of the user-centric identity community are some key insights into how to best proceed with developing common stakeholder alignment towards collaborative action to make the vision presented in NSTIC a reality.

You will notice I take the liberty to craft questions that I wish were in the NOI. I added them because it is systems seeing and insight that will be key to effectively “steering”, or to use a more appropriate metaphor, catalyzing industry to move towards making the NSTIC vision of interoperable accountability frameworks and interoperable technologies for identities.

In the last 6 years I have worked with many talented systems thinkers, process innovators,  facilitators, and I have invited four of them to contribute in this response with me listed above as co-authors of particular sections.

My overall goal in this response is to outline several processes and structures that:

• cultivate shared language and understanding,
• collaboratively develop maps of common understanding of issues, ecosystem roles and value flows,
• facilitate efficient information sharing,
• provide efficient systems synthesis,
• provide unique analytical tools,
• allow the system to find pulse points to measure success and warn of imbalances,
• have the potential to foster broad legitimacy with disinterested citizens (who after all are the ones with the identities, identifiers and claims) and
• most importantly, foster collaboration and shared action by the wide pool of interested stakeholders working on making an Identity Ecosystem real.

I describe how they can be applied to the development of, leadership of, and ongoing accountability to all stakeholders of a “steering group”.

Because of the length and depth of my response, I have added a Table of Contents beginning on the next page.

Please let me know if you have any questions about this document.  I would be happy to answer them. I look forward to continued participation in this process.

Enjoy!

-Kaliya, Identity Woman

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us.  Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator  Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce. I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.

I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to.  I believe the intentions of NSTIC align with both of these, and with other core threads of our communities' efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away "who you are"),  support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.

Looking at use cases that government agencies need to solve is the best way to to understand why the government is working with the private sector to catalyze an "Identity Ecosystem".

The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding.  In the process of doing so, it interacts with 100,000's of people and does many of those interactions online.  Many of those people are based at institutions of higher learning.  These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions  they are affiliated with.  NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems.  In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.

The NIH also has a vast library of research and information it shares with the general public via the internet.  Government sites are prohibited from using cookie technology (putting a unique number in your browser cookie store to remember who you are) and this is a challenge because cookies are part of what helps make Web 2.o interactive experiences. So say that your mom just was diagnosed with breast cancer and you want to do a bunch of in-depth research on breast cancer treatment studies.  You go to the NIH and  do some research on it, but it really requires more then one sitting, so if you close your browser and come back tomorrow, they don't have a way to help you get back to the place you were.

The NIH doesn't want to use a cookie and doesn't want to know who you are.  They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don't have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn't link users of the same account across government websites (see my earlier post on Fast Company).  They proactively DID NOT want to know who users of their library were.

One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people - to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc.  It wants to be able to accept claims issued by third parties about the people applying to be part of studies.  It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.

These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee  of the Information Security & Identity Management Committee established by the Federal CIO Council).  They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.

Let's continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for login and interact with it online. We as those account holders would like to do this - it would be more convenient for us - but we want to know that ONLY we can get access to our records, that that they won't show our record to someone else.

So let's think about how one might be able to solve this problem.

One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition.  With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies.  This is untenable from a end-user perspective and very expensive for the agencies.

Another option is that the government issues one digital ID card to everyone ,and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.

So how to solve this challenge - how to let citizens login to government sites that contain sensitive personal information - whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.

Secretary Locke's Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.

What does a private sector service provider use case look like in this ecosystem?

When we open accounts, they are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. They know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.

The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring.  All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.

What does is a public service provider look like in this ecosystem?

The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy.  To date, it has issued these cards to over 4 million employees and contractors.
These government employees should in this emerging ecosystem be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business with in the private sector.

There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words "National"  "Identity" and "Cyberspace" being in the title of the strategy document but instead to actually talk to the the agencies to to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.

I am optimistic that forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help diverse identity ecosystem come into being one that reduce costs (for governments and the private sector) along with increasing trust and overall help to make the internet a better place.

Here is my answer to the NSTIC Governence Notice of Inquiry.

And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn't freak out about NSTIC.

Interestingly in paragraph two on the White House blog it says that NSTIC stands for "National Strategy for Trusted Initiatives in Cyberspace" rather than "National Strategy for Trusted Identities in Cyberspace".

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The 2nd draft is posted on an DHS idea scale installation.  There will be three weeks (until July 19th) for public comments.

The Document is 40 pages long and you can download it here. This is where citability.org would have come in handy to make comments... cause commenting in a threaded discussion on idea scale about the whole document will not be easy.

We will be hosting the Internet Identity Workshop in DC Sept 9-10 (Thursday-Friday) following Gov 2.0 Summit. See the announcement on the IIW site.

The White House post talks about the Identity Ecosystem. The document uses this phrase extensively.

I am reading it now and comments will follow here over the hour.

The subtitle is good - Creating Options for Enhanced Online Security and Privacy

Executive Summary Quotes and commentary:

This is, as a friend said to me, a "jump the shark moment" - these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:

• Top-down support for open government
• The proliferation of social media
• The availability of open identity technologies

The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.

Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.

The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can't just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can't have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.

So how will these technologies work?

Those already familiar with OpenID know that typically when users login with it they give their own URL - www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity - that is a user gives the name of their identity provider - Yahoo!, Google, MSN etc - but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.

Information Cards are the new kids on the identity block in a way - this is their first major "coming out party" - I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user's "digital cards". Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.

In essence, this initiative will help transform government websites from basic "brochureware" into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.

Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH." In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.

"It's good to see government taking a leadership role in moving identity technology forward. It's also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon -- it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate," said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. "Today's announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it's impossible to know whether a received identity is reliable."

Under the OIDF and ICF's open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.

The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs - doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP).   A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.

Both the OpenID and Information Card Foundation have been working very hard on this for many months - last night I was fortunate to their boards at a history first ever joint dinner.

There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.

Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.

The theme of the event will be "Transparent Government: Risk, Rewards, and Repercussions."

The U.S. National Institute of Standards and Technology (NIST) will be hosting it in Gainthersburg, Maryland.

In the why attend the reference part of a directive by Barack Obama to the National Security Council and Homeland Security Council.

"to defend our information and communications infrastructure, strengthen public/private partnerships, invest in cutting edge research and development and to begin a national campaign to promote cyber-security awareness and digital literacy." The U.S. federal government aims to accomplish all of this while becoming increasingly open and transparent.

The program is now available - and looks quite good.

There is a discount available until August 31. There are special registration proceedures for non-US citizens.

The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.

Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.

Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.

The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenID - Surprise! You may already have an OpenID.

Axel did a Wordle of it:

"The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person's Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.

This is from the Wired coverage:

By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.

“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”

Basically it means we shouldn't be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN's. I wonder if they can figure out mine? I received my as an adult when I was attending college in California.

I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster,”.

Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.

Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.

I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven't mentioned it.

It's a well-known dirty trick in the halls of government: If you want to pass unpopular legislation that you know won't stand up to scrutiny, just wait until the public isn't looking. That's precisely what the Bush administration did Dec. 13, 2003, the day American troops captured Saddam Hussein.

Bush celebrated the occasion by privately signing into law the Intelligence Authorization Act – a controversial expansion of the PATRIOT Act that included items culled from the "Domestic Security Enhancement Act of 2003," a draft proposal that had been shelved due to public outcry after being leaked.

Specifically, the IAA allows the government to obtain an individual's financial records without a court order. The law also makes it illegal for institutions to inform anyone that the government has requested those records, or that information has been shared with the authorities.

"The law also broadens the definition of 'financial institution' to include insurance companies, travel and real-estate agencies, stockbrokers, the US Postal Service, jewelry stores, casinos, airlines, car dealerships, and any other business 'whose cash transactions have a high degree of usefulness in criminal, tax, or regulatory matters' " warned Nikki Swartz in the Information Management Journal. According to Swartz, the definition is now so broad that it could plausibly be used to access even school transcripts or medical records.

"In one fell swoop, this act has decimated our rights to privacy, due process, and freedom of speech," Anna Samson Miranda wrote in an article for LiP magazine titled "Grave New World" that documented the ways in which the government already employs high-tech, private industry, and everyday citizens as part of a vast web of surveillance.

Miranda warned, "If we are too busy, distracted, or apathetic to fight government and corporate surveillance and data collection, we will find ourselves unable to go anywhere – whether down the street for a cup of coffee or across the country for a protest – without being watched."

Sources: "PATRIOT Act's Reach Expanded Despite Part Being Struck Down," Nikki Swartz, Information Management Journal, March/April 2004; "Grave New World," Anna Samson Miranda, LiP, Winter 2004; "Where Big Brother Snoops on Americans 24/7," Teresa Hampton and Doug Thompson, Capitol Hill Blue June 7, 2004.

Censored – or bogus? (see below) was a caveat to caveat offered to the above story. I would like to know what others in our network/community know about this and see if the identity community can uncover what information is actually is being shared with government about our day to day personal transactions without our awareness.

Some stories get ignored by the mainstream media because they're too controversial, or too much of a challenge to the rich and powerful, or just too hot to handle.

But some stories get dismissed because they're just not credible – and unfortunately, one of the pieces Project Censored cites this year appears to fall into that category.

Almost everything on the Project Censored list is well sourced and, at the very least, plausible. But one of the stories listed under "Surveillance Society Quietly Moves In" is a piece titled "Where Big Brother Snoops on Americans 24/7." Written by Teresa Hampton and Doug Thompson, the piece was published on www.capitolhillblue.com, a Virginia Web site that's been around since 1994.

The piece makes some pretty spectacular allegations. Hampton and Thompson claim not only that the Pentagon is defying Congress and covertly operating the notorious Total Information Awareness program (TIA) (which Congress explicitly killed), but also that the feds now monitor "virtually every financial transaction of every American," in real time (that is, as it's happening). They also maintain that the Pentagon uses the information to launch investigations of "persons of interest" and as a basis for adding names to the Transportation Security Administration's "no fly" lists.
It's pretty far-fetched to think that the Pentagon could run an operation so vast as to review almost every financial transaction in the country as it happens. But beyond that, the American Civil Liberties Union has filed two suits against the feds trying to pinpoint just how it collates TSA's "no fly" lists and still hasn't been able to figure it out.

The principal sources Hampton and Thompson base their story on seem to be an anonymous "security consultant who worked on the ... project" and an "Allen Banks" – someone identified simply as a "security expert," without any detail as to who he is or how he would be privy to such information.

Thompson, who is the site's publisher, defended the accuracy of the story, saying that he'd spoken with "over 30 sources" – police, banks, credit card agencies – and that he reached his conclusions based on those sources as well as on the fact that there were "too many coincidences." (None of that is explained in the story.)

"To some extent," he added, "it was a conclusion by me, looking at the links." Banks and other private industries had been instructed to e-mail data to the feds under TIA, and they continued sending data to the same places after TIA was killed, because they never received orders to stop, Thompson said. His caveat: "If I had to go into court and prove this, there's no way I could prove it."

We're still dubious.

CTT

Technorati Tags: Patriot Act, surveillance, TIA

This story is an interesting one because it shows what a citizenry empowered with almost omni-present communication tools can do to share information and build a coherent picture of one person's movement over time creating the participatory panopticon. I wonder how much citizen surveillance of government officials and their actions will become the norm. Here is the original Gawker page - where all the intelligence was gathered.

Hopefully as CatherineAustinFitts has said again and again..

Our democracy depends on honest leaders who promote transparency and accountability in the management of our resources. How do we protect such leaders from being terrorized by corrupt special interests that play dirty?

The only way is with real accountability of the action of government officials and transparency of where money and rescues flow.

Just in case Condi was wondering if her help would be needed. This disaster is WAS NOT UNPREDICTABLE - in-fact it was anticipated and she would likely be needed in her role as secretary of state to get help from other countries.

On Thursday, September 1 on Good Morning America George W. Bush said, “I don’t think anyone anticipated the breach of the levees.” This is a flat, baldfaced lie. In early 2001 the Federal Emergency Management Agency (FEMA) identified the three most likely megadisasters that would strain the country’s ability to respond: a terrorist attack in New York City, an earthquake in Southern California, and a hurricane hitting New Orleans. The levees in New Orleans have been breached before. The Mississippi River flood of 1927 did so. Every disaster planning exercise involving New Orleans has assumed that part of the tragedy would be breached levees, a flooded city, and human beings trapped with no food, water, or sanitary facilities. A few minutes of searching the Internet will turn up literally dozens of studies showing that a hurricane of category 3 or more hitting the lower Mississippi would breach the flood protection levees. Breached levees were no surprise and to say that they were is a lie

Ms. Rice should have been on the phone to countries who's help we could well use not to cope with the situation faced by the south. This references the letter from my last post.

The Mississippi Delta region is the natural ecological home of a long list of infectious microbial diseases. It is America’s tropical region, more akin ecologically to Haiti or parts of Africa than to Boston or Los Angeles. The most massive Yellow Fever epidemics in the Americas all swept, in the 19th Century, up the Mississippi from the delta region.

It is perhaps ironic that the only real experience with this scale of insect control for the last two decades has been in developing countries: the CDC and State health folks should be reaching out to PAHO and the insect control expertises of Africa and the Caribbean right now. If we cannot manage to get ahead of the insects, there could very well be a disease crisis ahead.

Can open sourceintelligence and societal information sharing help us as a society get around the need to have 'government officials' who are responsible but instead give us the power collectively organize ourselves.

6) Mental Health issues AND lack of information increasing them.

The mental health of hundreds of thousands of people must now be a priority. Uprooted, homeless, jobless, rootless and in many cases grieving for lost loved ones: These people will all suffer for a very long time. A key to their recovery is, again, a lesson from 9/11: information...Knowing what is going on 'back home' is essential to mental health recovery. We have been in disasters in poor countries where wild rumors flowed among the poor for months, each one sparking a fresh round of anxiety and fear. If government cannot inform, there is no government.

-) Establishing Trust between Government and People to abate public health crises in the aftermath.

I found myself recalling the way the Chinese people responded to the SARS
epidemic. Because they knew that their government had lied to them many
times in the past and had covered up cases in the capital, people turned
away from official government sources of information. Rumors spread like
wildfire via cell phone text messaging, spawning a mass exodus from Beijing
of tens of thousands of people. The medical system in China is notoriously
corrupt and the peasants stay away from hospitals unless it is a matter of
life and death. When government told the masses to go to the hospitals if
they had fevers, the Chinese refused. The SARS situation spiraled out of
control in large part because the people had long-standing, sound reasons
for distrusting their government. Public health collapses if the bond of
trust between government and its people breaks, or never exists. I saw the
same thing with plague in India in ’94.

7) Poliitcal Backlash

America, and this government, is going to witness an enormous political backlash from these events, stemming primarily from the African American community, if steps are not boldly taken to demonstrate less judgment, and greater assistance, for the black poor of the region. Cries of racism will be heard. In every disaster we have been engaged in we have witnessed a similar sense by the victims of disasters that they were being singled out, and ignored by their government, because of their ethnicity, religion or race. The onus is on government to prove them wrong.

5) Debrise - where to put it all?

We have never in history tried to dispose of this much waste. It is hoped that before any officials rush off thinking of how to burn or dump a few hundred thousand boats, houses and buildings, some careful consideration is given to recycling that material for construction of future levees, dams, and foundations. Looking at aerial images of the coastline one sees an entire forest worth of lumber, and the world's largest cement quarry. No doubt tens of thousands of the now unemployed of the region could be hired for a reclamation effort that would be rational in scale and intent. It would be horrible if all that debris were simply dumped or burned without any thought to its utility.

Continued support of medical personal in the region.

Much more thought needs to be given immediately to the needs of medical and psychiatric responders located just outside of the region. The patient flow they are now receiving is minuscule compared to the tidal wave coming their way

1) Mosquitos

2) CDC warning about Vibrio cholerae

3) Sewage

4) Lack of Pharmaceutical supplies

TSA had promised it would only use the limited information about passengers that it had obtained from airlines. Instead, the agency and its contractors compiled files on people using data from commercial brokers and then compared those files with the lists.

The GAO reported that about 100 million records were collected.

The 1974 Privacy Act requires the government to notify the public when it collects information about people. It must say who it's gathering information about, what kinds of information, why it's being collected and how the information is stored.

And to protect people from having misinformation about them in their files, the government must also disclose how they can access and correct the data it has collected.

Before it began testing Secure Flight, the TSA published notices in September and November saying that it would collect from airlines information about people who flew commercially in June 2004.

Instead, the agency actually took 43,000 names of passengers and used about 200,000 variations of those names - who turned out to be real people who may not have flown that month, the GAO said. A TSA contractor collected 100 million records on those names.

It brings up some serious concerns about how information collection and validation is done by the TSA for airline passengers. How can we trust governments to collect this much information about us just because we travel.

This week I wonder why care about airlines passengers because security is so tight that airlines do not seem to be a place where the next round of attacks will be. If London is any indication it will be on mass transit. Given the level of police/security presence on the transit systems in the Bay Area this week is certainly seems like there is some concern that mass transit will be attacked. They have started random searching of bags to get on the NYC subway. One wonders if they will start issuing 'identity passes' to get on such systems.

On the city subways, which are used by 4.5 million people on the average workday, the inspections started on a small scale Thursday afternoon and were expanded Friday.

The New York Civil Liberties Union opposed the searches, saying they violated the Fourth Amendment. Mayor Michael Bloomberg said he hoped the NYCLU would recognize that the city had struck the right balance between security and protecting constitutional rights. He said the bag-checking program is part of a policy to "constantly change tactics" and "may, or may not, be there tomorrow."

Homeland security directive 12
"Policy for Common Identification Standard For Federal Employees and Contractors" - August 2004

HSPD 12 Requirements

1. Secure and reliable forms of personal identification that are:

• Based on sound criteria to verify an individual employee’s identity
• Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
• Rapidly verified electronically
• Issued only by providers whose reliability has been established by an official accreditation process

2. Applicable to all government organizations and contractors except National Security Systems
3. Used for access to federally-controlled facilities and logical access to federally-controlled information systems
4. Flexible in selecting appropriate security level – includes graduated criteria from least secure to most secure
5. Implemented in a manner that protects citizens’ privacy

Expanding Electronic Government

Needing Common Authentication Services for

• 280 million Citizens
• Millions of Businesses
• Thousands of Government Entities
• 10+ Million Federal Civilian and Military Personnel

You can learn more on the GSA website - http://www.gsa.gov/aces