NSTIC Governance….Privacy Interests

This past weekend I finally got onto a bunch of mailing lists for NSTIC including the governance one. (you can too)

It is a generally accepted best practice that governance systems should be developed by the communities that need to live by them. With NSTIC the stakeholders were handed a charter and bylaws created (primarily driven by the vision of one guy) in the NSTIC National Program Office.  They kept saying “there is consens” around the charter and bylaws…but there wasn’t they were sort of thrust upon us and not developed by us.  We chose to accept them for now and are now in the process of re-visiting the bylaws handed to us and we agreed to for a short period to get things going.

The draft by-laws include a privacy standing committee that has veto power over the outcomes of Identity Ecosystem Steering Group.

One theory about why this is, I have heard more then once from industry folks involved with NSTIC, is that the privacy constituency “got” this committee and its veto power as a deal to participate in NSTIC.  We don’t know … cause the process of how this idea of having this committee have a veto was not transparent or open.

If we are committed to actually having a consensus based process then no one group committee needs a veto.

I said on the chat during the call that there was a misttrust issue.  I don’t trust giving the privacy advocates a veto in part because they don’t currently show up and engage with industry in the development of the tools and technologies.  I have regularly invited privacy advocates to participate in the Internet Identity Workshop and I regularly have those invitations declined. I will call out the specific groups the ACLU of Northern California and the EFF.  (Having received a cool shoulder from them I haven’t pursued inviting other groups however the woman from the World Privacy Forum who spoke today on the governance call would be great to have at IIW) Both claim “nonprofit” poverty and say lack of budget to attend such events. (IIW has an early bird ticket price of $150 and includes three meals a day for three days….so its not expensive). Both have multi-million dollar budgets and choose not to invest, as part of how then spend their resources, on showing up in forums like IIW with industry “making the sausage” of open standards for how identity will work for people on the internet.

Organizations like this tend to spend their money on lawsuits against companies who have violated privacy. I don’t disagree that EPIC and other groups should be holding Google and Facebook accountable for changing their settings in ways that violated user expectations and therefore one version of waht privacy is. However if that is all they do…(sue and file complaints with government agencies) then it is like investing in prisons instead of schools.  If you invest in schools you won’t need prison’s later to hold the citizens who become criminals because they didn’t get a good education.

If they chose to invest in the fora where technical standards are made and work with industry to ensure that the interoperable systems they design are in alignment with core functional requirements that give people control of the flow of information about them in digital systems (what we might call privacy). Then they wouldn’t have to file so many law suits down the road cause they would work well.

There is also the issue that “Privacy” isn’t ONE THING.

See: Solove – Taxonomy of Privacy 

Until it is clearer what the groups who are pro-privacy mean and how they see it being instantiated in the standards that becoms the code that will be the basis for the ecosystem.  It feels really hard to engage or trust them with a veto.

My fear is that a structure for IDESG that includes a privacy committee with a veto will continue to foster the current pattern of of industry interaction. The privacy interested groups will stay away from really engaging with technology developments as they are done BECAUSE they have a veto over them .. at the end of the process. They will stand on the sidelines and then swoop in and kinda “gotcha” those in industry who have been working together.






  1. says

    Hi Kaliya – the governance call today showed how constructive the privacy community can be when they are engaged. I was delighted that Jay Stanley of the ACLU, Pam Dixon of World Privacy Forum, Aaron Titus of Identity Finder (and Privacy Commons), and other privacy oriented participants joined the Governance Task Force today and really engaged in the dialog with folks from industry and the other participants. Whether a “review and approve” or “comment and consent” or “veto” or other mechanism is used, I hope the Task Force finds an agreed method to ensure privacy and civil liberties interests are proportionally represented during the design phase and through the governance process for NSTIC. And given the fundamental nature of privacy and civil liberties for the success or failure – of any national approach to an identity ecosystem in the United States, the proportionate say is a whole lot of say. I would hope that the (unfortunate) lack of privacy leaders attending Internet Identity Workshop would not be an conculsive metric in assessing their relevance and welcome participation as key parts of NSTIC governance going forward, in particular given the active involvement with standards making and technical innovation the privacy community has demonstrated at key moments many times in the past.

    On a side-note – I thought your contributions today (and the preliminary emails yesterday) to the Governance Task Force were very important and seemed well received. By ensuring the type of deep involvement of citizenry along the lines you suggested (among other ways), it seems to me that NSTIC will be in a better position to provide relevant solutions – including with respect to privacy and civil liberties.

    (btw – is IDESG the new acronym for NSTIC?)

    – Dazza

  2. says

    I have seen lots of useful issues on your web-site about computers.
    However, I’ve got the impression that netbooks are still not nearly powerful enough to be a good selection if you often do jobs that require plenty of power, for example video editing and enhancing. But for world wide web surfing, word processing, and a lot other popular computer work they are okay, provided you may not mind the small screen size. Many thanks for sharing your ideas.

Leave a Reply

Your email address will not be published. Required fields are marked *