This past weekend I finally got onto a bunch of mailing lists for NSTIC including the governance one. (you can too)
It is a generally accepted best practice that governance systems should be developed by the communities that need to live by them. With NSTIC the stakeholders were handed a charter and bylaws created (primarily driven by the vision of one guy) in the NSTIC National Program Office. They kept saying "there is consens" around the charter and bylaws...but there wasn't they were sort of thrust upon us and not developed by us. We chose to accept them for now and are now in the process of re-visiting the bylaws handed to us and we agreed to for a short period to get things going.
The draft by-laws include a privacy standing committee that has veto power over the outcomes of Identity Ecosystem Steering Group.
One theory about why this is, I have heard more then once from industry folks involved with NSTIC, is that the privacy constituency "got" this committee and its veto power as a deal to participate in NSTIC. We don't know ... cause the process of how this idea of having this committee have a veto was not transparent or open.
If we are committed to actually having a consensus based process then no one group committee needs a veto.
I said on the chat during the call that there was a misttrust issue. I don't trust giving the privacy advocates a veto in part because they don't currently show up and engage with industry in the development of the tools and technologies. I have regularly invited privacy advocates to participate in the Internet Identity Workshop and I regularly have those invitations declined. I will call out the specific groups the ACLU of Northern California and the EFF. (Having received a cool shoulder from them I haven't pursued inviting other groups however the woman from the World Privacy Forum who spoke today on the governance call would be great to have at IIW) Both claim "nonprofit" poverty and say lack of budget to attend such events. (IIW has an early bird ticket price of $150 and includes three meals a day for three days....so its not expensive). Both have multi-million dollar budgets and choose not to invest, as part of how then spend their resources, on showing up in forums like IIW with industry "making the sausage" of open standards for how identity will work for people on the internet.
Organizations like this tend to spend their money on lawsuits against companies who have violated privacy. I don't disagree that EPIC and other groups should be holding Google and Facebook accountable for changing their settings in ways that violated user expectations and therefore one version of waht privacy is. However if that is all they do...(sue and file complaints with government agencies) then it is like investing in prisons instead of schools. If you invest in schools you won't need prison's later to hold the citizens who become criminals because they didn't get a good education.
If they chose to invest in the fora where technical standards are made and work with industry to ensure that the interoperable systems they design are in alignment with core functional requirements that give people control of the flow of information about them in digital systems (what we might call privacy). Then they wouldn't have to file so many law suits down the road cause they would work well.
There is also the issue that "Privacy" isn't ONE THING.
See: Solove - Taxonomy of Privacy
Until it is clearer what the groups who are pro-privacy mean and how they see it being instantiated in the standards that becoms the code that will be the basis for the ecosystem. It feels really hard to engage or trust them with a veto.
My fear is that a structure for IDESG that includes a privacy committee with a veto will continue to foster the current pattern of of industry interaction. The privacy interested groups will stay away from really engaging with technology developments as they are done BECAUSE they have a veto over them .. at the end of the process. They will stand on the sidelines and then swoop in and kinda "gotcha" those in industry who have been working together.