BC Identity Citizen Consultation Results!!!!

As many of you know I (along with many other industry leaders from different industry/civil society segments) was proactively invited to be part of the NSTIC process including submitting a response to the notice of inquiry about how the IDESG and Identity Ecosystem should be governed.

I advocated and continue to advocate that citizen involvement and broad engagement from a broad variety of citizen groups and perspectives would be essential for it to work. The process itself needed to have its own legitimacy: even if “experts” would have come to “the same decisions,” if citizens were and are not involved, the broad rainbow that is America might not accept the results.

I have co-led the Internet Identity Workshop since 2005 every 6 months in Mountain View, California at the Computer History Museum. It is an international event and folks from Canada working on similar challenges have been attending for several years; this includes Aran Hamilton from the nationally oriented Digital ID and Authentication Council (DIAC) and several of the leaders of the British Columbia Citizen Services Card effort.

I worked with Aran Hamilton helping him put on the first Identity North Conference to bring key leaders together from a range of industries to build shared understanding about what identity is and how systems around the world are working along with exploring what to do in Canada.

The British Columbia Government (a province of Canada where I grew up) worked on a citizen services card for many years. They developed an amazing system that is triple blind. An article about the system was recently run in RE:ID. The system launched with 2 services – driver's license and health services card. The designers of the system knew it could be used for more than just these two services but they also knew that citizen input into those policy decisions was essential to build citizen confidence or trust in the system. The other article in the RE:ID magazine was by me about the citizen engagement process they developed.

They developed to extensive system diagrams to help provide explanations to regular citizens about how it works. (My hope is that the IDESG and the NSTIC effort broadly can make diagrams this clear.)

 

The government created a citizen engagement plan with three parts:

The first was convening experts. They did this in relationship with Aran Hamilton and Mike Monteith from Identity North – I, as the co-designer and primary facilitator of the first Identity North, was brought in to work on this. They had an extensive note-taking team and they reported on all the sessions in a book of proceedings. They spell my name 3 different ways in the report.

The most important was a citizen panel of randomly selected citizens, to really deeply engage with citizens to determine key policy decisions moving forward. It also worked on helping the government understand how to explain key aspects of how the system actually works. I wrote an article for RE:ID about the process; you can see that here.
The results were not released when I wrote that. Now they are! yeah! The report is worth reading because it shows that regular citizens who are given the task of considering critical issues can come out with answers that make sense and help government work better.

 

 

They also did an online survey open for a month to any citizen of the province to give their opinion. That you can see here.

Together all of these results were woven together into a collective report.

 

Bonus material: This is a presentation that I just found covering many of the different Canadian province initiatives.

 

PS: I’m away in BC this coming week – sans computer.  I am at Hollyhock…the conference center where I am the poster child (yes literally). If you want to be in touch this week please connect with William Dyson my partner at The Leola Group.

NSTIC WhipLash – Making Meaning – is a community thing.

Over a week ago I tweeted that I had experienced NSTIC whiplash yet again and wasn’t sure how to deal with it. I have been known to speak my mind and get some folks really upset for doing so. Given that I know the social media savvy NSTIC NPO reads all tweets related to their program, they know I said this. They also didn’t reach out to ask what I might be experiencing whiplash about.

First of all, since I am big on getting some shared understanding up front – what do I mean by “whiplash”? It is that feeling like you're going along … you think you know the lay of the land, the car is moving along, and all of a sudden out of nowhere a new thing “appears” on the path and you have to slam on the brakes and go huh! what was that? And in the process your head whips forward and back, giving you “whip-lash” from the sudden stop/double-take.

I was toddling through and found this post.  What does it Mean to Embrace the NSTIC Guiding Principles?

I’m like ok – what does it mean? and who decided? how?

I read through it and it turns out that in September the NPO just decided it would decide/define the meaning and then write it all out and then suggest in this odd way it so often does that “the committees” just go with their ideas.

“We believe that the respective committees should review these derived requirements for appropriate coverage of the identity ecosystem.   We look forward to continued progress toward the Identity Ecosystem Framework and its associated trustmark scheme.”

Why does the NPO continue to “do the work” that the multi-stakeholder institution they set up was created to do, that is, to actually figure out the “meaning” of the document?

Why not come to the Management Council and say – “hey we really need to as a community figure out what it “means” to actually embrace the guiding principles. We need to have a community dialogue that gets to a meaningful concrete list relatively quickly – how should we do that as a community?” Then the Management Council would do its job and “manage” the process and actually figure out 1) if the NPO was right that indeed now would be a good time to figure out the meaning of embrace and 2) then figure out how to do it, and the people on the council (and others in the community) who have some experience in leading real multi-stakeholder efforts and skills in inclusive methodologies would have debated and put forward a path. The Secretariat (if it actually functioned as a support organ for the Management Council) would then help the council carry out the process/method and get to the needed “outcome”: some community-developed articulation of what embracing the principles means. Instead we just have what the NPO staff thinks. While I am sure it is “great” and they are such “hard working, good folks”…it wasn’t community generated and therefore not “owned” by the community, which is not good if the outcomes of this effort are to be “trusted” by the public at large. All the core work items of a multi-stakeholder institution can’t just be done by the NPO.

I’m not your NSTIC “delegate” any more … pls get involved.

I have heard over the past few years from friends and associates in the user-centric ID / Personal Cloud / VRM Communities, or those people who care about the future of people’s identities online, say to me literally – “Well it's good you are paying attention to NSTIC so I don’t have to.”

I’m writing to say the time for that choice is over. There is about 1 more year left in the process until the “outputs” become government policy under the recently released White House Cyber Security Framework (See below for the specifics).

Key items of work are progressing and the time for “our” world view showing up within the work is now, and my ability to get them to be taken seriously is ZERO if I continue to be an almost lone voice expressing these key items – particularly:

The Functional Model Group is working on defining all the “bits” of the system. I believe this is where the “personal cloud” should be a key primary function/piece of the ecosystem. So far it has not been raised in a significant way and not been addressed by the powers that be leading the committee.

The Trust Framework work is progressing rapidly. This is the work to take what they call existing Trust Frameworks (and I think should be called Accountability Frameworks). These are where the existing rules/policies and technologies for various networks are all harmonized and then through that somehow we get to a kind of meta/uber trust framework and interoperability.

The big challenge that I see is that it is all coming from existing frames within the conversation that do NOT have a remotely “user centric” frame.

  • I don’t hear any conversation about how individuals will be protected from their “Identity Provider” (the entity that has “all” their identity information and vouches for them at a Relying Party).
  • I don’t hear any conversation about how people will be protected from overzealous relying parties asking for way too much information.
  • I don’t hear any conversation about how individuals will be protected from IdPs and RPs being able to sell their data into the data broker industry.
  • I don’t hear any conversation about how people could collect their own attributes and information in a Personal Cloud and from that center of personal sovereignty use it in the ecosystem.

I do see:

  • Assertions that Relying Parties can ask for whatever they want / think they need to complete a transaction and that “the market will decide”
  • Assertions that concerns about people’s rights around how they choose to name and identify themselves should be set aside for future iterations.
  • I do see that one of the pilots in the last round of multi-million dollar grants went to a defense industry consortium specifically for “development of an open source, technology-neutral Trust Framework Development Guidance document”

So what should you DO?

1) Sign up to attend the April 1-3 Plenary in Mountain View (bonus you don’t have to attend in person) Link Here.

2) Sign up to watch and contribute to the Trust Framework and Functional Model Groups – please see this post OR any of a number of groups with activity.

3) Sign up to join the IDESG organization (that way you can be “official members”) of the committees and “vote” on things.  See this Post.

4) Let me know you are keen on getting more involved and I can help connect you with others also “diving in” right now [ kaliya AT identitywoman DOT net].

5) Bonus - Attend the Internet Identity Workshop in Mountain View May 6-8 and work with others in the user-centric community on this and other more fun issues (like building cool decentralized, empowering technologies).

This is what I referenced above about it becoming government policy and practice.

As the White House announcement details below, today marked the release of the Cybersecurity Framework crafted by NIST – with input from many stakeholders – in response to President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity issued one year ago.
 

NSTIC is not discussed in the framework itself – but both it and the IDESG figure prominently in the Roadmap that was released as a companion to the Framework.  The Roadmap highlights authentication as the first of nine different, high-priority “areas of improvement” that need to be addressed through future collaboration with particular sectors and standards-developing organizations.

The inadequacy of passwords for authentication was a key driver behind the 2011 issuance of the National Strategy for Trusted Identities in Cyberspace (NSTIC), which calls upon the private sector to collaborate on development of an Identity Ecosystem that raises the level of trust associated with the identities of individuals, organizations, networks, services, and devices online.

NSTIC is focused on consumer use cases, but the standards and policies that emerge from the privately-led Identity Ecosystem Steering Group (IDESG) established to support the NSTIC – as well as new authentication solutions that emerge from NSTIC pilots – can inform advances in authentication for critical infrastructure as well.

NSTIC will focus in these areas:
· Continue to support the development of better identity and authentication solutions through NSTIC pilots, as well as an active partnership with the IDESG;

· Support and participate in identity and authentication standards activities, seeking to advance a more complete set of standards to promote security and interoperability; this will include standards development work to address gaps that may emerge from new approaches in the NSTIC pilots.

 

 

 

 

 

 

 

What is a Functional Model?

I have been working in the identity industry for over 10 years. It was not until the IDESG – NSTIC plenary that some folks said they were working on a functional model that I heard the term. I, as per is normal for me, piped up and asked “what is a functional model”; people looked at me, looked back at the room and just kept going, ignoring my question. I have continued to ask it and no one has answered it.

I will state it out loud here again -

What is a Functional Model?

How to Participate in NSTIC, IDESG – A step by step guide.

The Identity Ecosystem Steering Group is a multi-stakeholder organization (see this post about how to join). Technically you can participate on lists even if you are not a member, but it is better that you go through the process of joining to be “officially” part of the organization.

If you join the IDESG it is good to actively participate in at least one active committee because the organization's work is done by committees – any person or organization from any stakeholder category can participate.

The committees have mailing lists – that you subscribe to (below click through where it says Join Mailing list and put in the e-mail address you want to use, share your name and also a password).

On the list the group chats together and talks about the different work items they are focused on. They have conference calls as well to talk together (these range from once a week to once a month). You can also contact the chair of the committee and “officially” join but that is not required.

If you are reading this and getting involved for the first time – read through this list and pick one of the committees that sound interesting to you.  They are friendly folks and should be able to help you get up to speed – ask questions and ask for help. This whole process is meant to be open and inclusive.
