Field Guide to Internet Trust Models: Individual Contract Wrappers

Individual Contract Wrappers

When providing information to a service, the requester also provides terms for how that information can be used. Service providers agree to honor those terms in exchange for access to the data, and compliance is enforced through contract law. Terms might include an expiration date, limits on whether the data can be re-sold, or whether it can be used in aggregate form. This model is the mirror image of the Sole Source.

Examples: Personal.com offers a service that provides end users with a place to store personal data. Service providers agree to abide by a set of agreements in order to use this data.

When to use:

Advantages: Provides an incentive for the requester to provide clear, correct, and up-to-date information. In exchange for accepting limits on how the data can be used, the service provider gains access to better quality and more complete data.

Disadvantages: Emerging technology with evolving standards, not widely supported yet.

Ability to scale: It has a high ability to scale but it is almost a reverse architecture of the Sole Source and some of the same challenge.


The full papers is downloadable [Field-Guide-Internet-TrustID] Here is a link to introduction of the paper and a at the bottom of that post is a link to all the other models with descriptions.  Below are links to all the different models.

Sole source, Pairwise FederationPeer-to-Peer,

Three-Party Model 1) “Bring your Own” Portable Identity 2) “Winner Take All” Three Party Model:

Federations 1) Mesh Federations 2) Technical Federations 3) Inter-Federation Federations

Four-Party Model, Centralized Token Issuance, Distributed Enrollment, Individual Contract Wrappers, Open Trust Framework Listing

 

Field Guide to Internet Trust Models: Centralized Token Issuance, Distributed Enrollment

A special case peer-to-peer network. Participants want to establish trusted identities that can be used securely for ongoing, high-value communication among organizations. A trusted, central provider issues identity tokens which are then enrolled independently by each service provider. Service providers are not required to cooperate or accept one another’s enrollments.

Examples: The most common examples are RSA SecurID and SWIFT 3SKey. Hardware tokens are issued by a trusted provider, which are then used to authenticate individual identities.

Each service will require the user to enroll separately, but once the user has registered they can use the token for future interactions.

When the requester wants to use a service, they’re authenticated using the token.

When to use: Strong Authentication across a range of business entities who may have different enrollment requirements.

Advantages: Can provide a high level of identity assurance to institutions spread across legal and national boundaries.

Disadvantages: Can be expensive and complex to implement. Depends upon the existence of a trusted third party who can issue and ensure the security of hardware tokens. Hardware tokens can be lost.

Ability to scale: Can scale to large networks.

 


 

The full papers is downloadable [Field-Guide-Internet-TrustID] Here is a link to introduction of the paper and a at the bottom of that post is a link to all the other models with descriptions.  Below are links to all the different models.

Sole source, Pairwise FederationPeer-to-Peer,

Three-Party Model 1) “Bring your Own” Portable Identity 2) “Winner Take All” Three Party Model:

Federations 1) Mesh Federations 2) Technical Federations 3) Inter-Federation Federations

Four-Party Model, Centralized Token Issuance, Distributed Enrollment, Individual Contract Wrappers, Open Trust Framework Listing

Quotes from Amelia on Systems relevant to Identity.

This is coverage of at WSJ interview with Amelia Andersdotter the former European Parliament member from the Pirate Party from Sweden. Some quote stuck out for me as being relevant

If we also believe that freedom and individualism, empowerment and democratic rights, are valuable, then we should not be constructing and exploiting systems of control where individual disempowerment are prerequisites for the system to be legal.

We can say that most of the legislation around Internet users protect systems from individuals. I believe that individuals should be protected from the system. Individual empowerment means the individual is able to deal with a system, use a system, work with a system, innovate on a system—for whatever purpose, social or economic. Right now we have a lot of legislation that hinders such [empowerment]. And that doesn’t necessarily mean that you have anarchy in the sense that you have no laws or that anyone can do whatever they want at anytime. It’s more a question of ensuring that the capabilities you are deterring are actually the capabilities that are most useful to deter. [emphasis mine].

This statement is key  “individuals should be protected from the system” How do we create accountability from systems to people and not just the other way around. I continue to raise this issue about so called trust frameworks that are proposed as the solution to interoperable digital identity – there are many concerning aspects to the solutions including what seems to be very low levels of accountability of systems to people.

The quotes from Ameila continued…

I think the Internet and Internet policy are very good tools for bringing power closer to people, decentralizing and ensuring that we have distributive power and distributive solutions. This needs to be built into the technical, as well as the political framework. It is a real challenge for the European Union to win back the confidence of European voters because I think a lot of people are increasingly concerned that they don’t have power or influence over tools and situations that arise in their day-to-day lives.

The European Union needs to be more user-centric. It must provide more control [directly] to users. If the European Union decides that intermediaries could not develop technologies specifically to disempower end users, we could have a major shift in global political and technical culture, not only in Europe but worldwide, that would benefit everyone.

How to Participate in NSTIC, IDESG – A step by step guide.

The Identity Ecosystem Steering Group is a multi-stakeholder organization (See this post about how join.) Technically You can participate on lists even if you are not members but it is better that you go through the process of joining to be “officially” part of  the organization.

If you join the IDESG it is good to actively participate in at least one active committee because that is where organization work is done by committees – any person or organization from any stakeholder category can participate.

The committees have mailing lists – that you subscribe to (below click through where it says Join Mailing list and put in the e-mail address you want to use, share your name and also a password).

On the list the group chats together on the list and talk about the different work items they are focused on.  They have conference calls as well to talk together (these range from once a week to once a month).  You can also contact the chair of the committee and “officially” join but that is not required.

If you are reading this and getting involved for the first time – read through this list and pick one of the committees that sound interesting to you.  They are friendly folks and should be able to help you get up to speed – ask questions and ask for help. This whole process is meant to be open and inclusive.

[Read more…]

Value Network Mapping an Ecosystem Tool

My response, two years ago to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Program Office issued Notice of Inquiry about how to govern an Identity Ecosystem included a couple of models that could be used to help a community of companies & organizations in an ecosystem co-create a shared picture. A shared co-created picture is an important community asset to develop early on because it becomes the basis for a real conversation about critical issues that need to be addressed to have a successful governance emerge.

The Privacy Committee within NSTIC has a Proactive Privacy Sub-Committee and before I went on my trip around the world (literally) a month ago.  I was on one of the calls and described Value Network Mapping and was invited to share more about the model/method and how it might be used.

Value Network Maps are a tool that can help us because both the creation of the map and its subsequent use by the companies, organizations, people and governments that are participating strengthens the network.   This is important because we are dealing with a complex problem with a complex range of players. In the map below we are in the top left quadrant – we NEED strong networks to solve the problems we are tasked with solving.  If we don’t have them we will end up with Chaos OR we will have a hierarchical solution imposed to drive things towards the complicated and simple but …given the inherent nature of the problem we will NOT fully solve the problem and fall off the “cliff” on the edge between simplicity and into chaos.

(In this diagram based on the cynefin framework developed by David Snowden architect of children’s birthday parties using complexity theory and the success of Apolo 13 )

 

So – what is a Value Network Map?

It models technical & business networks by figuring the roles in any given system and then understanding the value that flow between different roles.  Value flows include payment for the delivery of goods or services (these are tangible deliverables) but also intangible deliverables such as increased level of confidence because information was shared between parties (but was not contractually obligated and no payment was made).

Drawing from Verna’s book/site that lays out how to do it. There are four steps to a value network map.

1. Define the scope and boundaries, context, and purpose.

2. Determine the roles and participants, and who needs to be involved in the mapping.

3. Identify the transactions and deliverables, defining both tangibles and intangibles.

4. Validate it is complete by sequencing the transactions.

 

I’ve worked on several value network mapping projects.
I worked with the Journalism that Matters to document he old and new journalism ecosystem.I have lead several community Value Network Mapping efforts.

This projects highlights how the method can be used to talk about a present/past state about how things happen “now”. How do people today or 20 years ago share verified attributes with business and government entities one does business with?  If we understand the roles that exist in a paper based version/world How do those roles change in a future enable with technology and how do the value flows change and what new roles are created/needed?

A value networm map can be used to map the flow of rights and duties between different roles in an ecosystem can also be considered along with the flow of monetary and other value.

Two years ago I went with Verna Allee (the innovator of the method) to  the Cloud Identity Summit  to work on a map for my organization the Personal Data Ecosystem Consortium focused on the “present state” map to explain what currently happens when someone visits a website and clicks on an add to go buy something and then is asked to provide identity attributes.

We took this FCC submitted map that has the individual at the center and data flows to the businesses, government and organizations they do business with and is sold on to Data Brokers and then Data Users buy it to inform how they deal with the individual all without their awareness or consent.

 

PersonalData-VNA-NowMapWe added in a wrinkle to this flow and asked what happens when an individual has to prove something (an attribute) about themselves to make a purchase.

Our hope was to do this and then work on a future state map with a Personal Cloud provider playing  a key role  to enable new value flow’s that empower the  Individual with their data and enabling similar transactions.

This is best viewed in PDF so if you click on the link to the document it will download.

Creating this map was an interactive process involving involved two dozen industry professionals that we met with in small groups.  It involved using large chart paper paper and post-it notes and lines on the map.   We came into the process with some of the roles articulated, some new roles were added as we began mapping with the community.

An example to give you a sense of what it looks like when you do it in real life is this map that shows how trust frameworks & the government’s reduction of risk in the credit card system.

This was a small piece of the original map for the Personal Data Ecosystem (it did not end up getting included in the PDF version).  The roles are the orange flowers and the green arrows are tangible value flows and the blue arrows are intangible value flows.

So how could the Proactive Privacy Sub-Committee use this method?

At an IIW11 one of the practitioners of value network mapping came to share the method and we broke up into smal groups to map different little parts of an identity ecosystem. We had a template like this picking four different roles and then beginning to map.

The exercise is written about here on Verna’s website.

Scott David was a community member there and really saw how it was a tool to understand what was happening in systems AND to have a conversation about the flow of rights and responsibilities flow.

The method is best done face to face in small groups.  It helps if the groups are diverse representing a range of different perspectives.  A starting point is a use-case a story that can be mapped – what are the roles in that story and then walking through the different transactions.

So how do we “do” it. Well a starting point is for those interested in helping lead it to identify themselves in the context of the pro-active privacy committee.  We should work together  to figure out how we lead the community using this process to figure out the privacy implications and see where the money flows for different proposed solutions.

We can try to do a session at the upcoming July or October plenary.

We could also organize to do some meetings at:

  • conferences in the next few months were we can identify 5-10 interested IDESG members to participate in mapping an ecosystem chunk for an hour or two.
  • in cities around the country where we identify 5-10 folks who want to spend an hour or two mapping an ecosystem chunk.

It would be great if we decide to do this that the Secretariat lead by Kay in her role as Executive Director of the IDESG can support us in organizing this (That is why we are paying htem 2.5 million buck s to help us  do the work of  organizing in a meaningful way.

I am friends with Verna Allee and can ask her for advice on this however I think the kind of help/advice we need to really use this method and do it WELL would behove us to actually use NSTIC IDESG moneys to hire Verna to engage with us in a serious way. When I wrote my NSTIC NOI I did so thinking that their would finally be monies available to pay people to do community conference building work like this.  Perhaps it is not to late to do so.