[WG-P3] Disruptive NSTIC Critique


Mark Lizar

unread,
Feb 7, 2012, 8:29:56 PM
to Kantara P3WG
HI All, 

Some good points in this critique of the NSTIC effort that are worth bringing to the attention of P3 members.

Has anyone seen this article?   Google-NSTIC-Leading-the-March-to-Digital-Totalitarianism.   I think it is worth sharing as it is very critical of the NSTIC elaborating some different privacy and trust risk view points, which we have yet to discuss in P3. 

Some points brought up in this article may be useful to discuss more broadly. This article, along with other issues relating to developing an identity ecosystem, has led me to think that a community based identity provider is a missing element in developing a trustworthy ecosystem. (Something in between a government and a corporate identity provider)

Has anyone else had thoughts along these lines?

- Mark 




Anna Slomovic/Equifax

unread,
Feb 7, 2012, 8:54:48 PM
to Kantara P3WG

Mark,

Thank you for sending out this link. The loss of anonymity is, indeed, a great worry. The fact that NSTIC is voluntary at the outset doesn't mean that it will remain so in any practical way. There is nothing in the law that requires that the anonymous option remain available, so at least in the US, it is very easy to envision a situation when an ID is required because a business says it is--and businesses will because they will benefit. Airlines embraced ID requirements as "security requirements" long before 9/11/2001 because this prevented resale of cheap tickets or tickets obtained with frequent flier miles. Some concert and theater venues now require ID for the same reason. Having an ID and, therefore, information about someone's history and behavior is a marketer's dream.

I don't think this is paranoia, either.

Anna

Anna Slomovic

Chief Privacy Officer

Equifax

1010 N. Glebe Road, Suite 500

Arlington, VA 22205

O: 703.888.4620

C: 703.254.9656

Mark Lizar

unread,
Feb 8, 2012, 3:26:32 PM
to Kantara P3WG
I agree, 

The loss of anonymity at the hands of commercial interests is a grave concern and is already happening on a large scale with Facebook Connect and the like.

This leads me to think that a community identity provider is sorely needed, in which controls, not completely driven by profit, are driven in part by the people with values that reflect the privacy and trust needs of the community and the individual. But it seems that without the profit of a commercial IdP this is hard if not impossible to achieve at scale. This leads me to believe that it would take an effort like NSTIC to put something of this nature in place. Although NSTIC, as you point out, would not be enough on its own, and legally, the US will need the legal conventions to support a community IdP effort domestically and internationally in driving controls that protect privacy, provide security and create a true platform for trust. At this time that seems a daunting task considering the fractured nature of privacy politics in the US. Perhaps something along the lines of "Convention 108," the International Privacy Convention? (Which EPIC is again calling for the US to ratify.)

- M 

_______________________________________________
WG-P3 mailing list
WG...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-p3

Malcolm Crompton

unread,
Feb 10, 2012, 10:32:59 AM
to Mark Lizar, Kantara P3WG

Mark – apologies for my long absence from this debate, too.

I agree that this perspective must be introduced into Kantara thinking.

However, I don't think that Convention 108 will be the right starting point. In effect, the only folk pressing for its wider adoption are the Council of Europe itself and some advocacy groups. The 1980 OECD guidelines are a much less controversial starting point.

That said, the introduction of people from the advocacy / community sector into the Kantara processes is the key rather than reference to particular documentation.

Our company has just completed a first report for a Department of the Australian Government on starting a process to consider developing the frameworks for a National Trusted Identities Framework in Australia. I am currently in London and have had some informal discussion with folk involved in the UK Cabinet Office initiative, and will be in Washington DC in the week beginning 6 March, when I hope to meet with folk involved in the NSTIC. Government leadership seems to be an essential ingredient, but precisely what it should be is very varied!

If anybody from P3WG Kantara is in DC at that time, I would be pleased to catch up with them.

Regards

Malcolm Crompton

Managing Director

Information Integrity Solutions Pty Ltd

ABN 78 107 611 898

T:  +61 407 014 450

MCro...@iispartners.com 

www.iispartners.com

Mark Lizar

unread,
Feb 12, 2012, 6:13:53 AM
to Kantara P3WG
Hi Malcolm,

On 10 Feb 2012, at 15:32, Malcolm Crompton wrote:

Mark – apologies for my long absence from this debate, too.

I agree that this perspective must be introduced into Kantara thinking.

However, I don't think that Convention 108 will be the right starting point. In effect, the only folk pressing for its wider adoption are the Council of Europe itself and some advocacy groups. The 1980 OECD guidelines are a much less controversial starting point.

I agree, there is clear sense in the advocacy of the OECD Privacy Guidelines: they are based on FIPs, they provide the foundation for EU laws, and they provide a low-friction starting point for discussing the harmonising of privacy guidelines internationally. (Anyone know why this hasn't happened already?)

That said, the introduction of people from the advocacy / community sector into the Kantara processes is the key rather than reference to particular documentation.

Hmm... Interesting thought! It would be interesting to know more of what you are thinking on this topic. With NSTIC providing pilots it is an excellent opportunity to think about how a community IdP could be composed from a standards and privacy perspective. A common sense approach would indicate that NSTIC requires an IdP that is legally and privacy assessed.

Our company has just completed a first report for a Department of the Australian Government on starting a process to consider developing the frameworks for a National Trusted Identities Framework in Australia. I am currently in London and have had some informal discussion with folk involved in the UK Cabinet Office initiative, and will be in Washington DC in the week beginning 6 March, when I hope to meet with folk involved in the NSTIC. Government leadership seems to be an essential ingredient, but precisely what it should be is very varied!

Sounds exciting. From the latest NSTIC documentation the project is to start with an International Co-ordination Work Group, an Access and Usability WG and a Security WG. I would be interested to hear who will lead these three WGs.

It seems that the underlying theme of economic development should be the focus of any community driven IdP, and perhaps a pilot proposition should be framed with the Department of Commerce in mind as an audience.

Malcolm Crompton

unread,
Feb 13, 2012, 7:42:45 AM
to Mark Lizar, Kantara P3WG

Mark – you ask some interesting questions.

The first in particular: why hasn't there been better progress towards an international standard or treaty? The fundamental reason is that until very recently, data protection and governance has simply not been seen as a leader-level issue. But this is changing. I have written about this in blogs over the last year that will let you see my perspective on the matter at least. I blog at www.openforum.com.au/blogs/malcolm-crompton. The most relevant blogs are:

·         Will the boat come in for privacy law reform in 2012?

·         Privacy has made it onto the agenda of world leaders

·         Getting closer to Base Camp: the sherpa's are unpacking the tents

The APEC Privacy Framework, and now the just-agreed Cross Border Privacy Rules approach to their governance in multi-jurisdictional circumstances, is a very good example of what is possible in the absence of clear and strong leadership. A group of dedicated officials from some of the APEC economies (US, Australia, Canada, NZ in particular but also others, e.g. Mexico) and privacy officers from leading global companies (mostly American and mostly large ICT) have put a lot of effort into developing the CBPRs. I have been privileged to be a consultant on a number of occasions through the process, including in the development of the components of the CBPR Pathfinder project.

However, that arrangement is in the end voluntary and only just about to commence having effect. The proof of the pudding will be in the eating over the next few years – will a voluntary arrangement work? How are free riders etc. to be handled? Are enough economies going to participate? Are enough companies going to participate? It is a fascinating experiment and I for one really want to see it work.

With regard to your second point about community interest participation in Kantara, informal discussion has already made it clear to me that Kantara is seen as an industry front for doing too little. The only way to address this is to bring them into the process, or at least make sure that there is nothing hidden in the closet. It must involve active, documented outreach to them, not just a "wait and hope they will come" approach.

As to your third comment, I like it, but emails like this don't (yet?) have a Like button.
