[WG-P3] Why a P3 NSTIC Pilot Proposal is Important


Mark Lizar
Feb 20, 2012, 5:42:44 AM
to Kantara P3WG
My thoughts on a P3 NSTIC Pilot.

First a bit of background.

This article from the NYT reveals how Target has improved its profits by tracking pregnant women, making billions in the process. It's creepy BUT it's legal. In this article Target is using but a fraction of its buyers' purchasing history to do this.

Imagine what ISPs can do today with your data, e.g. phone numbers of callers, emails, MMS, text messages, surfing data, location, all of which provide patterns that become visible as metadata when the volume of this data is added together and deciphered. This video explains that "an average person will have 736 pieces of information collected about them a day by an ISP." Over time this amounts to a user's "Digital Identity", which is created/aggregated by the ISPs. The service providers all have different data retention periods: AT&T keeps your data for 84 months and Verizon for 12 months. Most individuals have shared over a million pieces of information over the last 45 months of data collected with an ISP. This amounts to a commercial 3rd party owning 4 years of your life, not just an intimate and personal detail of it. The introduction of identity makes this information accountable, both for good and bad.

In this context I believe it is very important for NSTIC and emerging EU laws to be understood in the context of why Trust is required. With NSTIC it is conceivable that we will see digital identity moved from ISPs to identity providers, based on standards, transparency, accessibility and trust.

Even more, it is extremely clear that not just Privacy Assessment Criteria are needed but Trust Assessment Criteria as well. Target may not fall afoul of any privacy laws, but it does fall afoul of a Trust Assessment. P3 is in an excellent position to develop a pilot proposal for both types of assessment criteria, as our current PAC covers much-needed elements for both. Considering the application, it is clear that these assessments, if done properly and to true effect, are worth enormous economic value, while Privacy and Trust are priceless.

It is in this spirit that I have drafted a P3 pilot proposition for developing assessment criteria. I offer this as a point of discussion in the hope that P3 might consider the opportunities at hand.

Best Regards, 

- Mark


Kantara Pilot - Comm IdP - Slidesv.ppt

Malcolm Crompton
Feb 20, 2012, 6:17:04 AM
to Mark Lizar, Kantara P3WG

Mark – great start.

In addition to ‘why trust is required’, more is needed on ‘how trust is attained’.

Bringing in the privacy advocates as you have suggested is a great start and, should Kantara proceed with this project, their engagement is essential.

That said, though, there is another consideration. The whole ‘trust’ challenge is not just a logic problem. At least as significant is the Human Computer Interface challenge. Or, even more deeply, as often pointed out by Susan Morrow, the whole social anthropology of these processes.

By way of example, have a look at the Oxford Handbook of Internet Psychology (http://ukcatalogue.oup.com/product/9780199561803.do) and in particular the chapter titled “Trust in Mediated Interactions”, copy attached. I met with one of the authors, Angela Sasse, in London 10 days ago, where we discussed these issues and the impact that HCI is having on the UK Hub arrangements currently being developed for a User Centred federated ID management system.

Ignoring the human face of all this will (again) lead to a less than acceptable outcome.

Regards

Malcolm Crompton

Managing Director
Information Integrity Solutions Pty Ltd
ABN 78 107 611 898

T: +61 407 014 450
MCro...@iispartners.com
www.iispartners.com

joinson.pdf

Mark Lizar
Feb 20, 2012, 6:34:54 AM
to Malcolm Crompton, Kantara P3WG
Thanks Malcolm. 

I am a social anthropologist who has been looking at the trust challenges deeply over the last few years, and I agree with your assessment wholeheartedly. Thanks for these links.

In P3 our PAC effort includes privacy notice requirements and accountability of credential management process.  It is my feeling that the notice requirements are more in line with trust assessment criteria and that accountability is more in line with the privacy assessment criteria. 

Is there something in line with your work on privacy assessment and accountability that you can point us towards? 

 - Mark


<joinson.pdf>

Anna Slomovic/Equifax
Feb 20, 2012, 9:22:32 AM
to Mark Lizar, Malcolm Crompton, Kantara P3WG

Gentlemen,

The question comes to mind: whose "trust" are we talking about? As long as IDPs and RPs "trust" each other's credentials, consumer privacy is not really relevant to their willingness to transact. Consumers apparently "trust" online and offline merchants enough to provide data and continue doing business, although in many (most?) cases they do not have a choice in the matter if they want to make purchases or participate in society in other ways.

I am not questioning the need for privacy--I've been doing privacy work for a dozen years, and in my personal life I take more precautions than most people. However, before we propose a pilot, we need to be very careful about defining the problem we are trying to address. As Mark pointed out, doing what Target is doing is perfectly legal in the US, and FICAM's requirements extend only to activities on government web sites. Privacy protections will cost companies money both in implementation costs and in foregone revenue. So what is the business case for these protections when it is legal to operate without them?

Anna

Anna Slomovic
Chief Privacy Officer
Equifax
1010 N. Glebe Road, Suite 500
Arlington, VA 22205
O: 703.888.4620
C: 703.254.9656



This message contains information from Equifax Inc. which may be confidential and privileged. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e- mail postm...@equifax.com.

Anna Slomovic/Equifax
Feb 20, 2012, 9:53:20 AM
to Kantara P3WG

The UK is proposing retention of very detailed data for security monitoring and investigation. There is fear that other uses would be made of this data. Same problem as purchasing transactional data, only more so.

http://www.telegraph.co.uk/technology/internet/9090617/Phone-and-email-records-to-be-stored-in-new-spy-plan.html

[snip]

Rather than the Government holding the information centrally, companies including BT, Sky, Virgin Media, Vodafone and O2 would have to keep the records themselves.

Under the scheme the security services would be granted “real time” access to phone and internet records of people they want to put under surveillance, as well as the ability to reconstruct their movements through the information stored in the databases.

The system would track “who, when and where” of each message, allowing extremely close surveillance.

Mobile phone records of calls and texts show within yards where a call was made or a message was sent, while emails and internet browsing histories can be matched to a computer’s “IP address”, which can be used to locate where it was sent.

[snip]

Anna

Susan Landau
Feb 20, 2012, 10:01:14 AM
to wg...@kantarainitiative.org
The drive for data retention has been around for quite some time; I believe that the current UK proposal is in response to an EU directive on data retention.  The US is also considering such a bill (it has been an FBI wish for quite some time).

One of the many problems with this proposal is it validates the retention of such data by private industry.  Thus undoing it later may be extremely difficult, since industry gets much value from the data and will be against any repeal.

But I should add that while this issue is of great interest to me (see "Surveillance or Security? The Risks Posed by New Wiretapping Technologies," ;-) ), I think the topic is far from our P3WG agenda ...

Susan
_______________________________________________
WG-P3 mailing list
WG...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3

Anna Slomovic/Equifax
Feb 20, 2012, 10:03:38 AM
to Susan Landau, wg...@kantarainitiative.org

Susan,

I agree that the topic is far from the agenda--except that the P3 NSTIC pilot is being couched in terms of trying to address issues around data retention and reuse by commercial entities.

I'm happy to end this thread.

Anna


Peter Capek
Feb 20, 2012, 11:59:41 AM
to Susan Landau, wg...@kantarainitiative.org
The Canadians, too, at least some of them, seem to think this is a good idea.

http://www.montrealgazette.com/news/Bill+provokes+privacy+fears/6142986/story.html

Peter Capek

Mark Lizar
Feb 20, 2012, 12:59:42 PM
to Anna Slomovic/Equifax, Kantara P3WG
Anna,

I would agree that Trust is not on the P3 Agenda, although I think that a Pilot proposal to NSTIC would need to put privacy in the context of trust.

To answer your question, whose trust we are talking about: IDPs and RPs deal in confidence, not trust, e.g. is there confidence (or a LOA) in the use of credentials. Trust is where people take a leap of faith that the credential they provide to an RP is being used in a privacy-enhancing and trustworthy manner.

The missing sociological component is the understanding of privacy in the context of trust. Has the individual (data subject) been provided with notice? Has consent been provided to enable authentication? Does the individual have the opportunity to trust the management of their credentials to an institution?

In terms of an NSTIC proposal these issues are relevant, and I don't think forgoing revenue or implementation costs are relevant. If we are not to pursue an NSTIC proposal then we can continue to struggle with notice and consent as a part of a Privacy Assessment.

The bottom line is the issues of data retention and commercial re-use of data without notice, without consent, for profit. All of which are applicable to IdPs and RPs. Are these Privacy and Public Policy issues for identity management? Not sure if they are yet, but they will be. I think these issues are closer to the P3 agenda than you may think.


- Mark

Mark@Identity Trust
Feb 20, 2012, 1:11:46 PM
to Kantara P3WG

It does seem that the definition of trust is quite important here.  Does anyone have the NSTIC definition for trust and its context to hand?  I can't seem to find it. 

- M 


Malcolm Crompton
Feb 20, 2012, 3:36:44 PM
to Mark@Identity Trust, Kantara P3WG

Mark et al – I think there are a number of threads of argument here worthy of discussing.

Notice as a trust issue & Accountability as a privacy issue

I think this distinction is artificial. Both tools arguably apply to both.

We have good examples of where additional information leads to disinformation, worse decision making etc., and in such circumstances it is accountability that is the key to trust.

On the one hand, capital markets are discovering that longer, more complete product disclosure notices do not lead to better informed markets. On the other, today’s motor car is incomprehensible to the ordinary driver compared to one made 50 years ago in terms of the technology inside (eg ABS systems compared with the simple braking systems of years ago), yet it is more trustworthy and trusted. It is not notice that achieves this, it is the accountability structures, ie the compliance plate on the car’s firewall.

HCI and privacy and trust

The point of this remark is simply to suggest that any process that Kantara develops shouldn’t just be seen through a technology or logic lens. I am not an expert in the area. But I have been concerned for some time that we are not bringing HCI and related fields into the development of online safety / security / privacy, when we have seen the incredible impact of it in other aspects of human behaviour online (to wit, the touchscreen / smartphone / tablet revolution) yet haven’t applied it to safety. Again, the road experience, and the way the world has standardised the road experience to improve safety, shows it can have considerable safety impact.

Storage and use of data by either public or private sector

Many folk are aghast at the volumes of information created, retained and used in the ways described in the NYT article, by either the private sector or the policing / national security folk (themselves, or by forcing agents such as ISPs to do their work for them).

The extent to which this is developing covertly only adds to the unease. If the Targets of this world, the ad networks and ad servers, the smartphone Apps have nothing to hide, they have nothing to fear too. The obfuscation of these processes and the unconvincing hand wringing when caught (eg the controversy over the Path app, http://www.theregister.co.uk/2012/02/15/apple_rank_hypocrisy_as_privacy_protector/) at least supports conspiracy theory!

Anna’s point that “as long as IDPs and RPs "trust" each other's credentials, consumer privacy is not really relevant to their willingness to transact” needs considerable debate. Arguably, one of the reasons why Federated Identity systems are NOT trustworthy is that they only deal with trust between IDPs and RPs. Traditional Federated Identity schemes have provided insufficient assurance, at either the technological level or the business process / compliance level, to the individuals involved that what they are doing with the information so exchanged is appropriate. This is where the Kim Cameron Laws of Identity come in and, more recently, the concept of Attribute Based Credentials (see the ABC4Trust project for exploration of these issues at https://abc4trust.eu/index.php/pub/talks, especially the first half dozen slides in the presentation by Marit Hansen). At the very least, this involves minimal disclosure of attribute information between parties and prevention of tracking that starts at the technology layer.

Which brings us back to notice and accountability. Trustworthiness and respect for privacy in such complex systems is probably not going to come from increased notice. It is going to come from third parties who are acting in the consumer / citizen interest (rather than the organisational interest, but with the ability to understand what is going on) certifying in some way that the right thing is being done – in other words, standards, testing against standards and accountability. Just as is the case for the process that puts compliance plates on the motor car firewall.

Mark Lizar
Feb 21, 2012, 8:55:45 AM
to Kantara P3WG
Thanks Malcolm, 

This is very insightful. 

Lots of scope to consider when thinking about an NSTIC pilot, but perhaps out of scope for a PAC-based pilot proposal and perhaps even P3.

I tend to think that it is the combination of many of the points you have raised: combining HCI and an infrastructure of accountability with appropriate HCI notices which people can track, log, keep and manage. After all, how does one tell if a third party is acting in one's own interest without a sufficient notice? But then I do agree, it's the organisation acting in that interest which is important, and this does require standards and certification.

Kind Regards,
  



Malcolm Crompton
Feb 21, 2012, 10:42:10 PM
to Kantara P3WG

Mark – yes, it is a combination.

With regard to the role that notice has, it is less whether a notice is given (again, thinking of the motor car analogy or financial audit obligations), it is less about the notice given by the organisation processing the data so much as the (legal) obligations on the third party accountability agent to act in the interests of the individual not the organisation (as is the case in both the motor car circumstance and financial audit, where the obligation of the auditor is the interest of the shareholder not company management).

Malcolm
