BC Identity Citizen Consultation Results!!!!

As many of you know I (along with many other industry leaders from different industry/civil society segments) was proactively invited to be part of the NSTIC process including submitting a response to the notice of inquiry about how the IDESG and Identity Ecosystem should be governed.

I advocated and continue to advocate that citizen involvement and broad engagement from a broad variety of citizen groups and perspectives would be essential for it to work. The process itself needed to have its own legitimacy: even if “experts” would have come to “the same decisions”, if citizens were and are not involved, the broad rainbow that is America might not accept the results.

I have co-led the Internet Identity Workshop since 2005 every 6 months in Mountain View, California at the Computer History Museum. It is an international event, and folks from Canada working on similar challenges have been attending for several years; this includes Aran Hamilton from the National oriented Digital ID and Authentication Council (DIAC) and several of the leaders of the British Columbia Citizen Services Card effort.

I worked with Aran Hamilton, helping him put on the first Identity North Conference to bring key leaders together from a range of industries to build shared understanding about what identity is and how systems around the world are working, along with exploring what to do in Canada.

The British Columbia Government (a province of Canada where I grew up) worked on a citizen services card for many years. They developed an amazing system that is triple blind. An article about the system was recently run in RE:ID. The system launched with 2 services – driver's license and health services card. The designers of the system knew it could be used for more than just these two services, but they also knew that citizen input into those policy decisions was essential to build citizen confidence or trust in the system. The other article in the RE:ID magazine was by me about the citizen engagement process they developed.

They developed extensive system diagrams to help provide explanations to regular citizens about how it works. (My hope is that the IDESG and the NSTIC effort broadly can make diagrams this clear.)

 

The government created a citizen engagement plan with three parts:

The first was convening experts. They did this in relationship with Aran Hamilton and Mike Monteith from Identity North – I, as the co-designer and primary facilitator of the first Identity North, was brought in to work on this. They had an extensive note taking team and they reported on all the sessions in a book of proceedings. They spell my name 3 different ways in the report.

The most important was a citizen panel of randomly selected citizens, to really deeply engage with citizens to determine key policy decisions moving forward. It also worked on helping the government understand how to explain key aspects of how the system actually works. I wrote an article for RE:ID about the process; you can see that here.
The results were not released when I wrote that. Now they are! Yeah! The report is worth reading because it shows that regular citizens who are given the task of considering critical issues can come out with answers that make sense and help government work better.

They also did an online survey open for a month to any citizen of the province to give their opinion. That you can see here.

Together all of these results were woven together into a collective report.

 

Bonus material: This is a presentation that I just found covering many of the different Canadian province initiatives.

 

PS: I’m away in BC this coming week – sans computer.  I am at Hollyhock…the conference center where I am the poster child (yes literally). If you want to be in touch this week please connect with William Dyson my partner at The Leola Group.

Resources for HopeX Talk.

I accepted an invitation from Aestetix to present with him at HopeX (10).

It was a follow-on talk to his Hope 9 presentation that was on #nymwars.

He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday.  It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.

Here are the slides for it – I modified them enough that they make sense if you just read them.  My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.

I am going to put the links about joining the IDESG up front. Cause that was our intention in giving the talk to encourage folks coming to HopeX to get involved to ensure that the technologies and policies for citizens to use verified identity online when it is appropriate and also most importantly make SURE that the freedom to be anonymous and pseudonymous online.
This image is SOOO important I’m pulling it out and putting it here in the resources list.

[Image: WhereisNSTIC]

Given that there are like 100 active people within the organization known as the Identity Ecosystem Steering Group as called for in the National Strategy for Trusted Identities in Cyberspace published by the White House and signed by President Obama in April 2011 that originated from the Cyberspace Policy Review that was done just after he came into office in 2009. Here is the website for the National Program Office.

The organization’s website is here:  ID Ecosystem - we have just become an independent organization.

My step by step instructions How to JOIN.

Information on the committees - the one that has the most potential to shape the future is the Trust Framework and Trust Mark Committee

Here is the video.

From the Top of the Talk

Links to us:
Aestetix -  @aestetix Nym Rights
Kaliya – @identitywoman  -  my blog identitywoman.net

Aestetix – background + intro #nymwars from Hope 9

     Aestetix’s links will be up here within 24h
We mentioned Terms and Conditions May Apply – follows Mark Zuckerberg at the end.

Kaliya  background + intro

I have had my identity woman blog for almost 10 years  as an Independent Advocate for the Rights and Dignity of our Digital Selves. Saving the world with User-Centric Identity

In the early 2000s I was working on developing distributed Social Networks for Transformation.
I got into technology via Planetwork and its conference in 2000 themed: Global Ecology and Information Technology.  They had a think tank following that event and then published in 2003 the Augmented Social Network: Building Identity and Trust into the Next Generation Internet.
The ASN and the idea that user-centric identity based on open standards were essential – all made sense to me – that the future of identity online – our freedom to connect and organize was determined by the protocols.  The future is socially constructed and we get to MAKE the protocols . . . and without open protocols for digital identity our ID’s will be owned by commercial entities – the situation we are in now.
Protocols are Political – this book articulates this – Protocols: How Control Exists after Decentralization by Alexander R. Galloway. I excerpted key concepts of Protocol on my blog in my NSTIC Governance Notice of Inquiry.
I co-founded the Internet Identity Workshop in 2005 with Doc Searls and Phil Windley.  We are coming up on number 19 the last week of October in Mountain View and number 20 the third week of April 2015.
I founded the Personal Data Ecosystem Consortium in 2010 with the goal to connect start-ups around the world building tools for individuals to collect, manage and get value from their personal data, along with fostering ethical data markets.  The World Economic Forum has done work on this (I have contributed to this work) with their Rethinking Personal Data Project.
I am shifting out of running PDEC to Co-CEO with my partner William Dyson of a company in the field The Leola Group.

NSTIC

Aestetix and I met just after his talk at HOPE 9 around the #nymwars (we were both suspended).
So where did NSTIC come from? The Cyberspace Policy Review in 2009 just after Obama came into office.
Near-Term Action Plan:
#10 Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
Mid-Term Action Plan:
#13 Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
NSTIC was published in 2011: Main Document – PDF  announcement on White House Blog.
Trust Frameworks are at the heart of what they want to develop to figure out how to navigate how things work.
What will happen with results of this effort?
The Cyber Security Framework (paper) the Obama Administration just outlined. NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

I wrote this article just afterwards: National! Identity! Cyberspace! Why we shouldn’t Freak out about NSTIC   (it looks blank – scroll down).
Aaron Titus writes a similar post explaining more about NSTIC relative to the concerns arising online about the fears this is a National ID.
Staff for National Program Office

They put out a Notice of Inquiry – to figure out how this Ecosystem should be governed.

Many people responded to the NOI – here are all of them.

I wrote a response to the NSTIC Notice of Inquiry about Governance.  This covers much of the history of the user-centric community and my vision of how to grow consensus. Most important for my NSTIC candidacy are the chapters about citizen’s engagement in the systems co-authored with Tom Atlee the author of the Tao of Democracy and the just published Empowering Public Wisdom.

The NPO hosted a workshop on Governance, another one on Privacy – that they invited me to present on the Personal Data Ecosystem.  The technology conference got folded into IIW in the fall of 2011.

O'Reilly Radar – called it The Manhattan Project for online identity.

The National Program Office published a proposed:

Charter for the  IDESG Organization

ByLaws  and Rules of Association for the IDESG Organization

Also what committees should exist and how it would all work in this webinar presentation.  The Recommended Structure is on slide 6.  They also proposed a standing committee on privacy as part of the IDESG.

THEN (because they were so serious about private sector leadership) they published a proposed 2 year work plan.  BEFORE the first Plenary meeting in Chicago in August 2012

They put out a bid for a Secretariat to support the forthcoming organization and awarded it to a company called Trusted Federal Systems.
The plenary was and is open – to anyone and any organization from anywhere in the world. It is still open to anyone. You can join by following the steps on my blog post about it.
At the first meeting in August 2012 the management council was elected. The committees they decided should exist ahead of time had meetings.
The committees - You can join them – I have a whole post about the committees so you can adopt one.

Nym Issues!!!

So after the #nymwars it seemed really important to bring the issues around Nym Rights and Issues into NSTIC – IDESG.  They were confused – even though their bylaws say that committees. I supported Aestetix writing out a charter for a new committee – I read it for the plenary in November of 2012 – he attended the Feb 2013 Plenary in Phoenix. I worked with several other Nym folks to attend the meeting too.
They suggested that NymRights was too confrontational a name so we agreed that Nym Issues would be a fine name. They also wanted to make sure that it would just become a sub-committee of the Privacy Committee.
It made sense to organize “outside” the organization so we created NymRights.
Basically the committee and its efforts have been stalled in limbo.
        Aestetix’s links will be up here within 24h

The Pilot Grants from the NPO

Links
Year 1 – announcement about the FFO , potential applicant Webinar – announcement about all the grantees and an FAQ.
  • Daon, Inc. (Va.): $1,821,520
    The Daon pilot will demonstrate how senior citizens and all consumers can benefit from a digitally connected, consumer friendly Identity Ecosystem that enables consistent, trusted interactions with multiple parties online that will reduce fraud and enhance privacy. The pilot will employ user-friendly identity solutions that leverage smart mobile devices (smartphones/tablets) to maximize consumer choice and usability. Pilot team members include AARP, PayPal, Purdue University, and the American Association of Airport Executives.
  • The American Association of Motor Vehicle Administrators (AAMVA) (Va.): $1,621,803
    AAMVA will lead a consortium of private industry and government partners to implement and pilot the Cross Sector Digital Identity Initiative (CSDII). The goal of this initiative is to produce a secure online identity ecosystem that will lead to safer transactions by enhancing privacy and reducing the risk of fraud in online commerce. In addition to AAMVA, the CSDII pilot participants include the Commonwealth of Virginia Department of Motor Vehicles, Biometric Signature ID, CA Technologies, Microsoft and AT&T.
  • Criterion Systems (Va.): $1,977,732
    The Criterion pilot will allow consumers to selectively share shopping and other preferences and information to both reduce fraud and enhance the user experience. It will enable convenient, secure and privacy-enhancing online transactions for consumers, including access to Web services from leading identity service providers; seller login to online auction services; access to financial services at Broadridge; improved supply chain management at General Electric; and first-response management at various government agencies and health care service providers. The Criterion team includes ID/DataWeb, AOL Corp., LexisNexis®, Risk Solutions, Experian, Ping Identity Corp., CA Technologies, PacificEast, Wave Systems Corp., Internet2 Consortium/In-Common Federation, and Fixmo Inc.
  • Resilient Network Systems, Inc. (Calif.): $1,999,371
    The Resilient pilot seeks to demonstrate that sensitive health and education transactions on the Internet can earn patient and parent trust by using a Trust Network built around privacy-enhancing encryption technology to provide secure, multifactor, on-demand identity proofing and authentication across multiple sectors. Resilient will partner with the American Medical Association, Aetna, the American College of Cardiology, ActiveHealth Management, Medicity, LexisNexis, NaviNet, the San Diego Beacon eHealth Community, Gorge Health Connect, the Kantara Initiative, and the National eHealth Collaborative. In the education sector, Resilient will demonstrate secure Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Act (COPPA)-compliant access to online learning for children. Resilient will partner with the National Laboratory for Education Transformation, LexisNexis, Neustar, Knowledge Factor, Authentify Inc., Riverside Unified School District, Santa Cruz County Office of Education, and the Kantara Initiative to provide secure, but privacy-enhancing verification of children, parents, teachers and staff, as well as verification of parent-child relationships.
  • University Corporation for Advanced Internet Development (UCAID) (Mich.): $1,840,263
    UCAID, known publicly as Internet2, intends to build a consistent and robust privacy infrastructure through common attributes; user-effective privacy managers; anonymous credentials; and Internet2’s InCommon Identity Federation service; and to encourage the use of multifactor authentication and other technologies. Internet2’s partners include the Carnegie Mellon and Brown University computer science departments, University of Texas, the Massachusetts Institute of Technology, and the University of Utah. The intent is for the research and education community to create tools to help individuals preserve privacy and a scalable privacy infrastructure that can serve a broader community, and add value to the nation’s identity ecosystem.

Year 2 – announcement about the FFO, potential applicant webinar, announcement about the grantees.

  • Transglobal Secure Collaboration Participation, Inc. (TSCP) (Va.): $1,264,074
    The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange. As part of this pilot, employees of participating businesses will be able to use their existing credentials to securely log into retirement accounts at brokerages, rather than having to obtain a new credential. Key to enabling these cross-sector transactions will be TSCP’s development of an open source, technology-neutral Trust Framework Development Guidance document that can provide a foundation for future cross-sector interoperability of online credentials.
  • Georgia Tech Research Corporation (GTRC) (Ga.): $1,720,723
    The GTRC pilot will develop and demonstrate a “Trustmark Framework” that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. Defining trustmarks for specific sets of policies will allow website owners, trust framework providers and individual Internet users to more easily understand the technical, business, security and privacy requirements and policies of the websites with which they interact or do business. Supporting consistent, machine-readable ways to express policy can enhance and simplify the user experience, raise the level of trust in online transactions and improve interoperability between service providers and trust frameworks. Building on experience developing the National Identity Exchange Federation (NIEF), GTRC plans to partner with the National Association of State Chief Information Officers (NASCIO) and one or more current NIEF member agencies, such as Los Angeles County and the Regional Information Sharing Systems (RISS).
  • Exponent (Calif.): $1,589,400
    The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense. Exponent and partners Gemalto and HID Global will deploy two types of identity verification: the use of mobile devices that leverage so-called “derived credentials” stored in the device’s SIM card and secure wearable devices, such as rings and bracelets. Solutions will be built upon standards, ensuring an interoperable system that can be easily adopted by a wide variety of organizations and companies.
  • ID.me, Inc. (Va.): $1,204,957
    ID.me, Inc.’s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner. Troop ID lets America’s service members, veterans, and their families verify their military affiliation online across a network of organizations that provides discounts and benefits in recognition of their service. Today, more than 200,000 veterans and service members use Troop ID to access benefits online. As part of its pilot, Troop ID will enhance its current identity solution to obtain certification at Level of Assurance 3 from the U.S. General Services Administration’s Trust Framework Providers program, enabling Troop ID credential holders to use their solution not only at private-sector sites, but also when interacting online with U.S. government agencies through the recently announced Federal Cloud Credential Exchange (FCCX). Key project partners include federal government agencies and a leading financial institution serving the nation’s military community and its families.
  • Privacy Vaults Online, Inc. (PRIVO) (Va.): $1,611,349
    Children represent a unique challenge when it comes to online identity. Parents need better tools to ensure safe family use of the Internet, while online service providers need to comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) when they deal with minors under the age of 13. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way. Project partners, including one of the country’s largest online content providers and one of the world’s largest toy companies, will benefit from a streamlined consent process while simplifying their legal obligations regarding the collection and storage of children’s data.

Year 3 – ? announcement about FFO - grantees still being determined.

Big Issues with IDESG

Diversity and Inclusion

I have been raising these issues from its inception (pre-inception in fact I wrote about them in my NOI).

I was unsure if I would run for the management council again – I wrote a blog post about these concerns that apparently made the NPO very upset.  I was subsequently “uninvited” to the International ID Conf they were hosting at the White House Conference Center for other western liberal democracies trying to solve these problems.

Tech President Covered the issues and did REAL REPORTING about what is going on.  In Obama Administration’s People Powered Digital Security Initiative, There’s Lots of Security, Fewer People.

This in contrast to a wave of hysterical posts about National Online ID pilots being launched.

The IDESG has issues with how the process happens. It is super TIME INTENSIVE.  It is not well designed so that people with limited time can get involved.  We have an opportunity to change things becoming our own organization.

The 9th Plenary Schedule – can be seen here.  There was a panel on the first day with representatives who said that people like them and others from other different communities needed to be involved AS the policy is made.  Representatives from these groups were on the panel and it was facilitated by Jim Barnett from the AARP.

  • NAACP
  • Association of the Blind
  • ACLU

The Video is available online.

The “NEW” IDESG

The organization is shifting from being a government initiative to being one that is its own independent organization.

The main work where the TRUST FRAMEWORKS are being developed is in the Trust Framework and Trust Mark Committee.  You can see their presentation from the last committee here.

 

Key Words & Key Concepts from the Identity Battlefield

Trust

What is Identity?  It’s Socially Constructed and Contextual

Identity is Subjective

Aestetix’s links will be up here within 24h

What are Identifiers?: Pointers to things within particular contexts.

Abrahamic Cultural Frame for Identity / Identifiers

Relational  Cultural Frame for Identity / Identifiers

What does Industry mean when it says “Trusted Identities”?

What is Verified?

AirBnB
Verified ID in the context of the Identity Spectrum : My post about the spectrum.

Reputation

In Conclusion: HOPE!

We won the #nymwars!

Links to Google’s apology.

Skud’s the Apology we hoped for.

More of Aestetix’s links will be up here within 24h

The BC Government’s Triple Blind System

Article about the system they have created and the citizen engagement process to get citizen buy-in – with 36 randomly selected citizens to develop future policy recommendations for it.

Article about what they have rolled out in Government Technology.

Join the Identity Ecosystem Steering Group

Get engaged in the process to make sure we maintain the freedom to be anonymous and pseudonymous online.

Attend the next  (10th) Plenary in mid-September in Tampa at the Biometrics Conference

Join Nym Rights group.

http://www.nymrights.org

Come to the Internet Identity Workshop

Number 19 – Last week of October – Registration Open

Number 20 – Third week of April

The Trouble with Trust, & the case for Accountability Frameworks for NSTIC

There are many definitions of trust, and all people have their own internal perspective on what THEY trust.

As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.

I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.

However, the way the word “trust” is used within the NSTIC document, it often includes far too broad a swath of meaning.

When spoken of in everyday conversation, trust is most often social trust.

National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC.

This is cross posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us.  Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.

I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference, Internet Identity Workshop, held every 6 months since the fall of 2005, has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to.  I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”),  support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.

Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.

Thoughts on the National Strategy for Trusted Identities in Cyberspace

Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.

Here is my answer to the NSTIC Governance Notice of Inquiry.

And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.

 

Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.

This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The 2nd draft is posted on a DHS idea scale installation.  There will be three weeks (until July 19th) for public comments.

The Document is 40 pages long and you can download it here. This is where citability.org would have come in handy to make comments… cause commenting in a threaded discussion on idea scale about the whole document will not be easy.

We will be hosting the Internet Identity Workshop in DC Sept 9-10 (Thursday-Friday) following Gov 2.0 Summit. See the announcement on the IIW site.

The White House post talks about the Identity Ecosystem. The document uses this phrase extensively.

I am reading it now and comments will follow here over the hour.

The subtitle is good - Creating Options for Enhanced Online Security and Privacy

Executive Summary Quotes and commentary:

In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.

One key step in reducing online fraud and identity theft is to increase the level of trust associated with  identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities.
It is good they are recognizing the value of anonymity for online transactions.
This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions.  The Strategy’s vision is: Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
They are touching on key underpinnings of potential solutions understood by the user-centric identity community.  The Identity Commons purpose is as follows: to support, facilitate, and promote the creation of an open identity layer for the Internet — one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities.
Ok, who let this many “identity ecosystems” out of the building?  Ten in two paragraphs!!
Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction.  For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data.  At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity.  The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques.  Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.
Another pillar of the Identity Ecosystem is interoperability. The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants. Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types. The Identity Ecosystem does not rely on the government to be the sole identity provider. Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity Ecosystem.
User-Centricity appears on the 2nd page of the Executive Summary:
User-centricity will allow individuals to select the interoperable credential appropriate for the transaction.
Sounds like they get what verified anonymity is and how it means that people don’t have to share all their information when doing transactions online.
Here are the goals of the Strategy:
  1. Develop a comprehensive Identity Ecosystem Framework
  2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
  3. Enhance confidence and willingness to participate in the Identity Ecosystem
  4. Ensure the long-term success of the Identity Ecosystem
What is an Identity Ecosystem Framework? Maybe they were too afraid to use the word “trust framework”?
They have 9 proposed Actions to achieve these goals:
  1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated with Achieving the Goals of the Strategy
  2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
  3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with the Identity Ecosystem
  4. Work Among the Public/Private Sectors to Implement Enhanced Privacy Protections
  5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
  6. Address the Liability Concerns of Service Providers and Individuals
  7. Perform Outreach and Awareness Across all Stakeholders
  8. Continue Collaborating in International Efforts

Introduction Quotes and Commentary:

They paint a rosy picture of the future saying this about what it will be like:

They have choice in the number and types of user-friendly identity credentials they manage and use to assert their identity online.  They have access to a wider array of online services to save time and effort.

In this user centric world, organizations efficiently conduct business online by trusting the identity proofing and credentials provided by other entities as well as the computing environment in which the transactions occur.

The No2ID folks are not going to like the “envision” box on the first page….

Envision It!

An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:

  • Anonymously posting blog entries, and
  • Logging onto Internet email services using a pseudonym.
  • Credit card purchases,
  • Online banking,
  • Accessing electronic health care records,
  • Securely accessing her personal laptop computer,

To be clear, the user-centric identity community has not been focused on government-issued credentials or IDs – it has always been mostly about how people have aspects of their identities self-asserted and then validated by third parties, likely in the commercial sector not government.

The issue around identity theft is well articulated: the underlying data systems are poorly architected, and change needs to happen at this level to solve the problem – not by paying your bank or other entities “identity theft prevention or protection fees.”

Criminals and other adversaries often exploit weak identity solutions for individuals, websites, email, and the infrastructure that the Internet utilizes.  The poor identification, authentication, and authorization practices associated with these identity solutions are the focus of this Strategy.

The lack of User-centrism is touched on as a problem – yeah, they at least get some core aspects of the problem.
Further, the online environment today is not user-centric; individuals tend to have little control over their own personal information.  They have limited ability to utilize a single digital identity across multiple applications.  Individuals also face the increasing complexity and inconvenience associated with managing the large number of user accounts, passwords, and other identity credentials required to conduct services online with disparate organizations.  The collection of identity-related information across multiple providers and accounts, coupled with the sharing of personal information through the growth of social media, increases opportunities for data compromise.  For example, personal data used to recover lost passwords (e.g., mother’s maiden name, the name of your first pet, etc.) is often publicly available.
A very good resource to understand this broad set of issues around data systems architected badly is The Digital Person by Daniel Solove.
This is not about National ID:
[T]he Strategy does not advocate for the establishment of a national identification card.  Instead, the Strategy seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions.  Individuals should have the choice of obtaining identity credentials from either public or private sector identity providers, and they should be able to use these credentials for transactions requiring different levels of assurance across different sectors (e.g., health care, financial, and social transactions).

The Guiding Principles quotes and commentary:

What are the essential characteristics of solutions that support Trusted Identities in Cyberspace?
They articulate three kinds of interoperability:
  1. Technical Interoperability – The ability for different technologies to communicate and exchange data based upon well-defined and widely adopted interface standards.
  2. Semantic Interoperability – The ability of each end-point to communicate data and have the receiving party understand the message in the sense intended by the sending party.
  3. Policy Interoperability – Common business policies and processes (e.g., identity proofing and vetting) related to the transmission, receipt, and acceptance of data between systems, which a legal framework supports.
Importantly, it highlights a key aspect of what is essential for interoperability: the use of non-proprietary standards.
Identity Ecosystem will encourage identity solutions to utilize non-proprietary standards to help ensure interoperability.

Values and Benefits quotes and commentary:

They do a good job of defining some key identity terms.
The identity solutions identified in the vision are primarily associated with identification (establishing unique digital identities) and authentication (associating an individual with a unique identity) technologies and processes.  Trusted and validated attributes provide a basis for organizations that offer online services to make authorization decisions.
New term bonanza (at least for user-centric ID community) in the ecosystem component:
A non-person entity (NPE) may require authentication in the Identity Ecosystem.  NPEs can be organizations, hardware, software, or services and are treated much like individuals within the Identity Ecosystem.  NPEs may engage in a transaction or simply support it.
The credential can be stored on an identity medium, which is a device or object (physical or virtual) used for storing one or more credentials, claims, or attributes related to a subject.  Identity media are widely available in many formats, such as smart cards, security chips embedded in PCs, cell phones, software based certificates, and USB devices. Selection of the appropriate credential is implementation-specific and dependent on the risk tolerance of the participating entities.
On page 17, the phrase “trust framework” finally appears.
Looking across all three layers, the Identity Ecosystem will have the following characteristics:
  1. Individuals and organizations choose the providers they use and the way they conduct transactions securely.
  2. Participants can trust one another and have confidence that their transactions are secure.
  3. Individuals can conduct transactions online with multiple organizations without sacrificing privacy.
  4. Identity solutions are simple for individuals to use and efficient for providers.
  5. Identity solutions are scalable and evolve over time.

Benefits are articulated for individuals, and the private sector.