This article explains more about the different parts of the British Columbia Citizen Consultation about their “identity card” along with how it is relevant and can inform the NSTIC effort.
I accepted an invitation from Aestetix to present with him at HopeX (10).
It was a follow-on talk to his Hope 9 presentation that was on #nymwars.
He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday. It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.
Here are the slides for it – I modified them enough that they make sense if you just read them. My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.
I wrote an article for Re:ID about the BC Government’s Citizen Engagement process that they did for their eID system.
Here is the PDF: reid_spring_14-BC
BC’S CITIZEN ENGAGEMENT: A MODEL FOR FUTURE PROGRAMS
Because of my decade long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it.
The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face-to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government.
Over a week ago I tweeted that I had experienced NSTIC whiplash yet again and wasn’t sure how to deal with it. I have been known to speak my mind and get some folks really upset for doing so – Given that I know the social media savvy NSTIC NPO reads all tweets related to their program they know I said this. They also didn’t reach out to ask what I might be experiencing whiplash about.
First of all since I am big on getting some shared understanding up front – what do I mean by “whiplash”? It is that feeling like you’re going along … you think you know the lay of the land, the car is moving along and all of a sudden out of nowhere – a new thing “appears” on the path and you have to slam on the brakes and go huh! what was that? and in the process your head whips forward and back giving you “whip-lash” from the sudden stop/double-take.
I was toddling through and found this post. What does it Mean to Embrace the NSTIC Guiding Principles?
I’m like ok – what does it mean? and who decided? how?
I read through it and it turns out that in September the NPO just decided it would decide/define the meaning and then write it all out and then suggest in this odd way it so often does that “the committees” just go with their ideas.
“We believe that the respective committees should review these derived requirements for appropriate coverage of the identity ecosystem. We look forward to continued progress toward the Identity Ecosystem Framework and its associated trustmark scheme.”
Why does the NPO continue to “do the work” that the multi-stakeholder institution they set up was created to do, that is, to actually figure out the “meaning” of the document?
I have heard over the past few years from friends and associates in the user-centric ID / Personal Cloud / VRM Communities or those people who care about the future of people’s identities online say to me literally – “Well it’s good you are paying attention to NSTIC so I don’t have to.”
I’m writing to say the time for that choice is over. There is about 1 more year left in the process until the “outputs” become government policy under the recently released White House Cyber Security Framework (See below for the specifics).
I have been working in the identity industry for over 10 years. It was not until the IDESG – NSTIC plenary that some folks said they were working on a functional model that I heard the term. I, as is normal for me, piped up and asked “what is a functional model”, people looked at me, looked back at the room and just kept going, ignoring my question. I have continued to ask it and no one has answered it.
I will state it out loud here again –
What is a Functional Model?
The Identity Ecosystem Steering Group is a multi-stakeholder organization (see this post about how to join). Technically you can participate on lists even if you are not a member, but it is better that you go through the process of joining to be “officially” part of the organization.
If you join the IDESG it is good to actively participate in at least one active committee because the organization’s work is done by committees – any person or organization from any stakeholder category can participate.
The committees have mailing lists – that you subscribe to (below click through where it says Join Mailing list and put in the e-mail address you want to use, share your name and also a password).
On the list the group chats together and talks about the different work items they are focused on. They have conference calls as well to talk together (these range from once a week to once a month). You can also contact the chair of the committee and “officially” join but that is not required.
If you are reading this and getting involved for the first time – read through this list and pick one of the committees that sound interesting to you. They are friendly folks and should be able to help you get up to speed – ask questions and ask for help. This whole process is meant to be open and inclusive.
The National Strategy for Trusted Identities in Cyberspace calls for the development of a private-sector-led effort to articulate an identity ecosystem.
To be successful it needs participation from a range of groups.
An organization was formed to support this – the Identity Ecosystem Steering Group in alignment with the Obama administration’s open government efforts.
The “joining” process is not EASY but I guess that is part of its charm. It is totally “open and free” but challenging to actually do.
PART 1 – Getting an Account on the Website!
Step 1: Go to the website: http://www.idecosystem.org
One of the reasons that digital identity can be such a challenging topic to address is that we all swim in the sea of identity every day. We don’t think about what is really going on in the transactions… and many different aspects of a transaction can all seem to be one thing. The early Identity Gang conversations focused a lot on figuring out what some core words meant and developed first shared understanding and then shared language to talk about these concepts in the community.
I’m writing this post now for a few reasons.
There is finally a conversation about taxonomy with the IDESG. (Yes! After over a year of being in existence it is finally happening. I recommended in my NSTIC NOI Response that it be one of the first things focused on.)
Secondly I have been giving a 1/2 day and 1 day seminar about identity and personal data for several years now (You can hire me!). Recently I gave this seminar in New Zealand to top enterprise and government leaders working on identity projects 3 times in one week. We covered:
- The Persona and Context in Life
- The Spectrum of Identity
- What is Trust?
- A Field Guide to Internet Trust
- What is Personal Data
- Market Models for Personal Data
- Government Initiatives Globally in eID & Personal Data
My response, two years ago to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Program Office issued Notice of Inquiry about how to govern an Identity Ecosystem included a couple of models that could be used to help a community of companies & organizations in an ecosystem co-create a shared picture. A shared co-created picture is an important community asset to develop early on because it becomes the basis for a real conversation about critical issues that need to be addressed to have a successful governance emerge.
The Privacy Committee within NSTIC has a Proactive Privacy Sub-Committee, and before I went on my trip around the world (literally) a month ago I was on one of the calls and described Value Network Mapping and was invited to share more about the model/method and how it might be used.
Value Network Maps are a tool that can help us because both the creation of the map and its subsequent use by the companies, organizations, people and governments that are participating strengthens the network. This is important because we are dealing with a complex problem with a complex range of players. In the map below we are in the top left quadrant – we NEED strong networks to solve the problems we are tasked with solving. If we don’t have them we will end up with Chaos OR we will have a hierarchical solution imposed to drive things towards the complicated and simple but …given the inherent nature of the problem we will NOT fully solve the problem and fall off the “cliff” on the edge between simplicity and into chaos.
So – what is a Value Network Map?
It models technical & business networks by figuring out the roles in any given system and then understanding the value that flows between different roles. Value flows include payment for the delivery of goods or services (these are tangible deliverables) but also intangible deliverables such as an increased level of confidence because information was shared between parties (but was not contractually obligated and no payment was made).
Drawing from Verna’s book/site that lays out how to do it, there are four steps to a value network map.
1. Define the scope and boundaries, context, and purpose.
2. Determine the roles and participants, and who needs to be involved in the mapping.
4. Validate it is complete by sequencing the transactions.
I’ve worked on several value network mapping projects.
I worked with the Journalism that Matters to document the old and new journalism ecosystem. I have led several community Value Network Mapping efforts.
This project highlights how the method can be used to talk about a present/past state about how things happen “now”. How do people today or 20 years ago share verified attributes with business and government entities one does business with? If we understand the roles that exist in a paper-based version/world, how do those roles change in a future enabled with technology, how do the value flows change, and what new roles are created/needed?
A value network map can also be used to map the flow of rights and duties between different roles in an ecosystem, considered along with the flow of monetary and other value.
Two years ago I went with Verna Allee (the innovator of the method) to the Cloud Identity Summit to work on a map for my organization the Personal Data Ecosystem Consortium focused on the “present state” map to explain what currently happens when someone visits a website and clicks on an ad to go buy something and then is asked to provide identity attributes.
We took this FCC submitted map that has the individual at the center and data flows to the businesses, government and organizations they do business with and is sold on to Data Brokers and then Data Users buy it to inform how they deal with the individual all without their awareness or consent.
Our hope was to do this and then work on a future state map with a Personal Cloud provider playing a key role to enable new value flows that empower the Individual with their data and enabling similar transactions.
This is best viewed in PDF so if you click on the link to the document it will download.
Creating this map was an interactive process involving two dozen industry professionals that we met with in small groups. It involved using large chart paper and post-it notes and lines on the map. We came into the process with some of the roles articulated; some new roles were added as we began mapping with the community.
An example to give you a sense of what it looks like when you do it in real life is this map that shows how trust frameworks & the government’s reduction of risk in the credit card system.
This was a small piece of the original map for the Personal Data Ecosystem (it did not end up getting included in the PDF version). The roles are the orange flowers and the green arrows are tangible value flows and the blue arrows are intangible value flows.
So how could the Proactive Privacy Sub-Committee use this method?
At IIW11 one of the practitioners of value network mapping came to share the method and we broke up into small groups to map different little parts of an identity ecosystem. We had a template like this picking four different roles and then beginning to map.
The exercise is written about here on Verna’s website.
Scott David was a community member there and really saw how it was a tool to understand what was happening in systems AND to have a conversation about the flow of rights and responsibilities.
The method is best done face to face in small groups. It helps if the groups are diverse, representing a range of different perspectives. A starting point is a use-case, a story that can be mapped – what are the roles in that story and then walking through the different transactions.
So how do we “do” it? Well a starting point is for those interested in helping lead it to identify themselves in the context of the pro-active privacy committee. We should work together to figure out how we lead the community using this process to figure out the privacy implications and see where the money flows for different proposed solutions.
We can try to do a session at the upcoming July or October plenary.
We could also organize to do some meetings at:
- conferences in the next few months where we can identify 5-10 interested IDESG members to participate in mapping an ecosystem chunk for an hour or two.
- in cities around the country where we identify 5-10 folks who want to spend an hour or two mapping an ecosystem chunk.
It would be great, if we decide to do this, that the Secretariat led by Kay in her role as Executive Director of the IDESG can support us in organizing this. (That is why we are paying them 2.5 million bucks to help us do the work of organizing in a meaningful way.)
I am friends with Verna Allee and can ask her for advice on this; however, I think the kind of help/advice we need to really use this method and do it WELL would behove us to actually use NSTIC IDESG moneys to hire Verna to engage with us in a serious way. When I wrote my NSTIC NOI I did so thinking that there would finally be monies available to pay people to do community conference building work like this. Perhaps it is not too late to do so.
I’ve been on two super trips recently. One went from before American Thanksgiving to early December. This last one was much of February beginning with NSTIC and ending with RSA. I wrote this in pen and paper last week and typed it up today.
One way I manage to get around is to piece together what could only be considered “super trips” – 18 days.
I actually started off at home on Feb 2nd helping Van Riper run the Community Leadership Summit West. It’s an unconference for mostly technical community leaders but also managers but was inclusive of other community based community leaders. I will have a blog post about it up on my Unconference.net site.
February 4th I headed to NSTIC’s 3rd plenary in Phoenix. I presented the results of the Holistic Picture Visualization Sub-Committee printing out the images we found online. Bob Blakley and Brett McDowell did a good job shaping the agenda and inviting plenary participants to connect with the big vision of NSTIC of 10 years out.
- All implementation actions are complete, and all required policies, processes, tools, and technologies are in place and continuing to evolve to support the Identity Ecosystem.
- A majority of relying parties are choosing to be part of the Identity Ecosystem.
- A majority of U.S. Internet users regularly engage in transactions verified through the Identity Ecosystem.
- A majority of online transactions are happening within the Identity Ecosystem.
- A sustainable market exists for Identity Ecosystem identity and attribute service providers.
While at the same time reminding us that on the way to getting a man on the Moon we got a Monkey into the Ionosphere – so what is our monkey in an Ionosphere? At the plenary, groups were invited to articulate this:
- Relying parties from multiple sectors are demonstrating identity and strong authentication credential interoperability
- Is easier to use than the broken user account and password methods
- Licensed professionals now have a common way to express credentials and ongoing certification. No longer do licensed professionals need to scan, fax or otherwise send paper copies proving their qualifications every time another client seeks to retain their services.
- allows citizens to securely establish a multi-purpose single identity that will significantly reduce, and eventually eliminate, the need to create and maintain multiple passwords and PINs.
- Secure web accounts for use in circles of on line providers by 10 banks, 15 insurance companies and 25 hospitals.
One of the challenges with the whole NSTIC thing is that it has a bunch of different parts. I wrote up this description as part of our What could Kill NSTIC paper.
NSTIC National Program Office. The NSTIC NPO operates within the Department of Commerce’s National Institute of Standards. It is led by Jeremy Grant. The office has several full time staff and they are responsible for the transition of NSTIC from a US government initiative to an independent, public-private organization. They’re smart, talented, and they care.
Identity Ecosystem Steering Group (IDESG). The NPO invited many people, NGOs, government bodies, and companies to participate in building an identity ecosystem in the Identity Ecosystem Steering Group. All the people and organizations who sign up to be a part of this are together called “The Plenary.” The NSTIC NPO wrote IDESG’s charter and its first bylaws.
IDESG Management Council. The IDESG management council is elected by the members of the plenary who self-selected into stakeholder categories. Each stakeholder category elects a delegate to the Management Council. The entire plenary also elects two at-large positions and two leadership positions. The management council can create sub-committees to get its work done. I’ve chaired one that collected holistic ecosystem pictures, for example.
Committees within the IDESG Plenary. These committees do the actual work of making the identity ecosystem’s vision a reality. New committees can be proposed by any member. Committee membership is open to all plenary members. The work and activity of the committees is shared openly. A few of the active committees are working on standards, privacy, trust frameworks, accreditation, and nymrights.
The Secretariat. The NSTIC NPO awarded a $2.5 million dollar contract to provide support services to the Identity Ecosystem Steering Group. Trusted Federal Systems won the contract to act as the IDESG’s “Secretariat.” They coordinate meetings, manage listservs, and the like.
NSTIC Pilot Projects. In early 2011, the National Program Office put forward $10 million in funding for five pilot projects that worked to solve some of NSTIC’s challenges. Grants were awarded in September 2012 and run for one year. The pilot projects were set up before the IDESG existed and the IDESG had no input into the selection of the winning pilots. 187 different initial pilot projects applied for grants, 27 were selected to submit full proposals, and five were selected. Applications for a second round of pilots are coming in Q1 2013.
My colleague at the Personal Data Ecosystem Consortium, Phil Wolff, hosted sessions at the last two IIWs that invited community consideration of the risks to NSTIC. He has put together a paper that outlines the results of these two sessions that were titled “Death to NSTIC”; the white paper is “What Could Kill NSTIC: A Friendly Threat Assessment”. He has a video about it and you can download it from our website.
It also has a Bonus Section I wrote that:
- Explains some of the background of NSTIC
- Articulates the 6 main parts of NSTIC and what they do
- Explains the relevance of NSTIC to the companies in the Personal Data Ecosystem Consortium.
I’m planning on running for Mayor * again (a position on the NSTIC Steering Group Management Council) – this time for a different “municipality” (delegate representative).
Currently I am the Consumer Advocate delegate – I’m going to shift my membership and join the IDESG with my hat as Executive Director of PDEC and run for the Small Business and Entrepreneur delegate on the Management Council.
If you want to be a part of the IDESG and VOTE in this round of elections you MUST register by February 14th.
Second Challenge: How are we meaningfully and regularly checking in with those outside the community of self selected stakeholders – to regular citizens who have to use the currently broken systems we have today and hopefully will be enthused and inspired to adopt the outcomes of this whole effort?
The openness of NSTIC overall was inspired by the Open Government memo (http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment) signed first day in office. It inspired a lot of my colleagues in the dialogue and deliberation community. (Yes, I have another life/career doing facilitation, see http://www.unconference.net)
They went to work figuring out how to be sure that those who were now mandated to “do” open government and have more public participation would have really good, coherent resources and tools available. Tom Atlee, the person I co-wrote the Governance section of my NOI with, was one of the leaders of this, working with the NCDD (the National Coalition for Dialogue and Deliberation) to define 7 core principles of public engagement.
Blog post that outlines them: (http://ncdd.org/rc/item/3643)
I am posting to this blog the two posts I made to the NSTIC IDESG governance list on Tuesday. Here is the first one on Governing “us” (that is the word “us” not U.S.)
I only got on the [governance] list over the weekend despite raising my hand to be a part at some point in the Chicago meetings.
I am working to track all that is being discussed and I also want to breathe and step back a bit. I want to share two bigger challenges and perspectives.
First Challenge: How are we connecting/structuring and governing the interested stakeholders who ARE showing up to engage? How are we, as Bob just asked, creating ways, systems, processes and tools forward to create alignment and agreement?
Second Challenge: How are we meaningfully and regularly checking in with those outside the community of self selected stakeholders – to regular citizens who have to use the currently broken systems we have today and hopefully will be enthused and inspired to adopt the outcomes of this whole effort?
They are two quite different but related challenges. This e-mail will deal with challenge 1. The next one with Challenge 2.
In my governance NOI response I proposed several different methods be used to solicit input from a wide variety of stakeholders and bring forward from those processes clear paths for making a real strategy that take input from a wide range of stakeholders.
When the first governance drafts came out of the NPO, they articulated that the steering committee would operate via consensus BUT then it also articulated a whole set of voting rules for NOT abiding by consensus.
When I asked about their choice of using the term consensus to define a particular methodology – they came back and said well we didn’t actually mean to suggest the use of a particular process.
But consensus IS a process method I said… and they said we didn’t mean to prescribe a method. So we were sort of in a loop.
Now that we are in this stage that is considering governance and systems for the community of self identified stakeholders (and people beyond this group who will be the users of the outputs). What I don’t know is if people really know what real consensus process is or if we have anyone who is experienced in leading actual consensus processes? It keeps feeling to me like we are using Roberts Rules of Order and then getting everyone to agree – thus having “consensus”. That isn’t consensus process.
Tree Bressen, who was the leader of the Group Pattern Language project (I participated along with many others in its development), has an amazing collection of resources about consensus process including a flow chart of consensus process and Top 10 mistakes to avoid them.
Are we using consensus process?
One of the big issues of our democracy today (in the liberal west broadly) is that we have this tendency to believe that “voting” is the thing that makes it democratic. Voting is a particular method and one that by its nature sets up an adversarial dynamic. There are other methods and ways of achieving democracy and we can go well beyond the results of our current systems by using them. Tom has done a lot of research into them over the years at the Co-Intelligence Institute and has published two books The Tao of Democracy and Empowering Public Wisdom.
I am glad methods outside what has been the normative frame of “Roberts Rules of Order” as Democracy are being considered… however we need to be clear on what process we are using.
This past weekend I finally got onto a bunch of mailing lists for NSTIC including the governance one. (you can too)
It is a generally accepted best practice that governance systems should be developed by the communities that need to live by them. With NSTIC the stakeholders were handed a charter and bylaws created (primarily driven by the vision of one guy) in the NSTIC National Program Office. They kept saying “there is consensus” around the charter and bylaws… but there wasn’t; they were sort of thrust upon us and not developed by us. We chose to accept them for now and are now in the process of re-visiting the bylaws handed to us and we agreed to for a short period to get things going.
The draft by-laws include a privacy standing committee that has veto power over the outcomes of Identity Ecosystem Steering Group.
Update August 18th:
Thank you to all the people and organizations who voted for me in the NSTIC election – I WON! I ran with my association to Planetwork and I am the Consumer and Citizen Advocate delegate for the next 6 months on the Management Council of the Steering Committee of the National Strategy for Trusted Identities in Cyberspace. You can learn more about my candidacy and the election on this post. You can track the group/community progress at IDEcosystem.org.
I will be working hard with the AARP to grow the number of citizen and consumer advocate groups who are participating in the NSTIC process.
I’m Running for
Learn how to vote for me and get involved at Kaliya for Mayor .org
Here is the video!
So it’s NSTIC election time!
I’m running for the Consumer (And Citizen) Advocacy delegate position on the Management Council of the Steering Committee for the National Strategy for Trusted Identities in Cyberspace! Learn how to vote for me and get involved at KaliyaForMayor.org and see my campaign video.
Kaliya “Identity Woman” Hamlin, Executive Director of the Personal Data Ecosystem Consortium, is speaking on a panel at RSA about NSTIC.
It is moderated by Jeremy Grant, the head of the NSTIC Program Office, and includes fellow panelists Michael Barrett from PayPal, Jim Dempsey from the Center for Democracy and Technology and Craig Spiezle from the Online Trust Alliance.
The first person who I heard calling herself a Yenta was Deborah Elizabeth Finn who I met via my participation in the Nonprofit Technology world and the NTEN community. She is “the Cyber Yenta” helping nonprofit folks figure out their technology needs and match making. Yenta is a Yiddish word for a woman who is doing mate matchmaking.
IIW is always a whirlwind and this one was no exception. The good thing was that even with it being the biggest one yet it was the most organized with the most team members. Phil and I were the executive producers. Doc played his leadership role. Heidi did an amazing job with production, coordinating the catering and working with the museum, and Kas did a fabulous job leading the notes collection effort, and Emma, who works off site, got things up on the wiki in good order.
We had a session that highlighted all the different standards bodies standards and we are now working on getting the list annotated and plan to maintain it on the Identity Commons wiki that Jamie Clark so aptly called “the switzerland” of identity.
We have a Satellite event for sure in DC January 17th – Registration is Live.
We are working on pulling one together in Toronto, Canada in early February, and Australia in late March.
ID Collaboration Day is February 27th in SF (we are still Venue hunting).
I am learning that some wonder why I have such strong opinions about standards…the reason being they define the landscape of possibility for any given protocol. When we talk about standards for identity we end up defining how people can express themselves in digital networks and getting it right and making the range of possibility very broad is kinda important. If you are interested in reading more about this I recommend Protocol: and The Exploit. This quote from Bruce Sterling relative to emerging AR [Augmented Reality] Standards.
If Code is Law then Standards are like the Senate.
Appendix 11 of Kaliya’s NSTIC Governance NOI Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.
Excerpted from Protocol: how control exists after decentralization, by Alexander Galloway, MIT Press, 2004. Page 245-246. (I first mentioned the book on my blog in 2005)
Protocol is that machine, that massive control apparatus that guides distributed networks, creates cultural objects and engenders life forms.
This is an excerpt of about 1/2 of the author’s summarizing moments selected from previous chapters:
- Protocol is a universalism achieved through negotiation, meaning that in the future protocol can and will be different.
- The goal of protocol is totality. It must accept everything, no matter what source, sender, or destination. It consumes diversity, aiming instead for university.
- Internet protocols allow for inter-operation between computers.
- Protocol is a language that regulates flow, directs netspace, codes relationships, and connects life forms. It is etiquette for autonomous agents.
- Protocol’s virtues include robustness, contingency, inter-operability, flexibility, heterogeneity, and pantheism.
- Protocol is a type of controlling logic that operates largely outside institutional, government and corporate power.
- Protocol is a system of distributed management that facilitates peer-to-peer relationships between autonomous entities.
- Protocol is synonymous with possibility.
Protocol then becomes more and more coextensive with humanity’s productive forces, and ultimately becomes the blueprint for humanity’s inner-most desires about the world and how it ought to be lived.
This makes protocol dangerous – … A colleague Patrick Feng said recently: “Creating core protocols is something akin to constitutional law,” meaning that protocols create the core set of rules from which all other decisions descend. And like Supreme Court justices having control over the interpretation of the American Constitution, whoever has power over the creation of such protocols wields power over a very broad area indeed. In this sense protocol is dangerous.
It is important to remember that the technical is always political, that network architecture is politics. So protocol necessarily involves a complex interrelation of political questions, some progressive some reactionary. In many ways protocol is a dramatic move forward but in other ways it reinstates systems of social and technical control that are deserving of critical analysis.
This post is part of Kaliya’s NSTIC Governance NOI Response - please see this page for the overview and links to the rest of the posts. Here is a link to the PDF.
This is the section before: Who is Harmed by a “Real Names” Policy?