
Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves


Trust

Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.

Kaliya Young · January 10, 2011 · 2 Comments

This is cross posted on my Fast Company Expert Blog with the same title.

I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce, I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference, Internet Identity Workshop, held every 6 months since the fall of 2005, has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), to support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding.  In the process of doing so, it interacts with 100,000’s of people and does many of those interactions online.  Many of those people are based at institutions of higher learning.  These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions  they are affiliated with.  NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems.  In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.

The NIH also has a vast library of research and information it shares with the general public via the internet. Government sites are prohibited from using cookie technology (putting a unique number in your browser cookie store to remember who you are) and this is a challenge because cookies are part of what helps make Web 2.0 interactive experiences. So say that your mom was just diagnosed with breast cancer and you want to do a bunch of in-depth research on breast cancer treatment studies. You go to the NIH and do some research on it, but it really requires more than one sitting, so if you close your browser and come back tomorrow, they don’t have a way to help you get back to the place you were.

The NIH doesn’t want to use a cookie and doesn’t want to know who you are.  They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don’t have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn’t link users of the same account across government websites (see my earlier post on Fast Company).  They proactively DID NOT want to know who users of their library were.

One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people – to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc.  It wants to be able to accept claims issued by third parties about the people applying to be part of studies.  It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.

These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee  of the Information Security & Identity Management Committee established by the Federal CIO Council).  They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.

Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for log in and interact with it online. We as those account holders would like to do this – it would be more convenient for us – but we want to know that ONLY we can get access to our records, that they won’t show our record to someone else.
So let’s think about how one might be able to solve this problem.
One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from an end-user perspective and very expensive for the agencies.

Another option is that the government issues one digital ID card to everyone, and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.

So how to solve this challenge – how to let citizens login to government sites that contain sensitive personal information – whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.
Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
What does a private sector service provider use case look like in this ecosystem?

When we open accounts, banks are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. They know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.

The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring.  All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.


What does a public service provider look like in this ecosystem?
The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should, in this emerging ecosystem, be able to use this government-issued credential if they need to verify their identities to commercial entities they want to do business with in the private sector.

There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words “National”, “Identity” and “Cyberspace” being in the title of the strategy document but instead to actually talk to the agencies to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.

I am optimistic that the forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help a diverse identity ecosystem come into being, one that reduces costs (for governments and the private sector) along with increasing trust, and overall helps to make the internet a better place.


Catalyst: SSO Simple Secure and Open – Dick on Identity .20

Kaliya Young · July 15, 2005 · Leave a Comment

Dick – had a 580 slide deck done Lessig Style
This is a summary of his talk:
We found out about Dick’s Identity
We learned about what Identity is
What I say about me
What others say about me (others trust this)
So,
identity = reputation
What others say about you
We learned about Identity Transactions:
Verbal in person (with visual cues)
Talk on phone (loss of visual cues)
Job Application (fill out form)
We learned about data verification using drivers licenses in the real world and how the process reduces Identity Friction.
Identity Transactions are Asymmetrical
There is separation of the acquisition and presentation of credential
The credential is reusable
Trust is social
What is digital identity?

Identity 1.0 Today

Today it is the hassle of filling out the same information again and again.
Basically, authentication today is that you get to prove you are an entry in a directory. Single authority on one credential – not portable – in a silo.
Verified digital Identity is not what you give a site today.
e-bay -/-> Craigslist
We have walled gardens
Identity 2.0 is where the user can move it to any site.

Simple and open has a history of winning in new standards. Look at:

  • networking
  • e-mail
  • web – html

WHAT DOES IT LOOK LIKE?
Identity Credential exchange is transparent transaction that is scalable.
WHO WILL DRIVE THIS?
users? – too many user names and passwords

won’t pay – little influence

enterprise? – partners, contracts, agents

but risky to lead… can’t get there
Identity 1.5

e-government?

maybe

but localized

Banks?

motivated to solve
theoretical trust relationship

Identity Ecosystem will emerge where

users are loosely coupled
share user identity

We are in a new era

Webservices – Flickr, Mappr, SalesForce

Web 2.0 will drive identity 2.0

It will happen on the edge of the Internet (not the edge of the enterprise).

XRI/XDI no web-service apps

SXIP

name/value pairs
DIGS XML

The goal is to mimic photo ID
With Sxip Network

SXIP 1.0 has had a few tire kickers

SXORE Blog comment spam solution

SXIP 2.0 support web services
SXIP ACCESS
SSO – Simple Secure and Open

Jamie Lewis –
Q: So will this go into a STANDARDS PROCESS?
A: We are working on it. We want to get it very close to right then put it into standards body. I like IETF. Our goal is to be open

Identity and Gaming

Kaliya Young · July 5, 2005 · Leave a Comment

To prepare to talk with Susan Crawford I thought I would scan her three year old blog for any mentions of Identity. It turns out that Susan has done some extensive thought about identity and in particular in the context of online gaming. She has a link to a paper – Who’s in Charge of Who I am?: Identity and the Law Online. Here are some good quotes…

Online identities are emergent. Identity is by definition a group project, something created by the context in which the identified operates.
Online walled gardens will become more prevalent, as concerns about security, viruses, spam and the unknown increase, as valuable content is made accessible only to those who have been permissioned to see it, and as hardware and software systems made available to the masses increasingly take on “trusted” aspects. Online games are precursors of these future more serious, walled garden online worlds. Key characteristics of both games and walled worlds are limited access, clear boundaries, rules, roles/players, and feedback mechanisms that create reputation. … These characteristics of games make them ideal laboratories for experimentation with rulesets.

This is a great mention of the word – rulesets. I have been thinking a lot about them ever since I read Thomas Barnett’s book – The Pentagon’s New Map. How we as a society and how institutions that govern us determine what the ruleset’s are is important to think about. With the complexifying world we live in – robust, legitimate and fair systems to create good rulesets are needed. This is particularly true in the online space that is really built by and for us. I hope that all the effort that has gone into creating the Identity Commons structure can be just such a place.
Back to Susan…

Who owns identity? Who owns reputation? From the intermediary’s perspective, software creates rules that control what social context can be moved elsewhere. Your identity is “really” a database entry, and the intermediary can argue that your identity is their intellectual property, not yours. You may attach great importance to it, but this identity (and its reputation) will not as a practical matter survive outside the world in which it was formed. Walled world designers have incentives to raise switching costs and capture all the value of this reputation. In other words, controllers of online worlds are gods. But users may defect from environments and attempt to constrain them in how persistent their reputations and identities are. The difficult task for developers/intermediaries is how much freedom to give their users. This takes us from the realm of risks to the realm of opportunities.
As real work becomes a more common online activity, identity created in connection with groups will be more and more meaningful.
Human nature will always tend toward group-ness.

  • What would be made visible? The fact that someone’s identity has been taken away, and the reasons why? Or speech-related actions of the intermediary that have an impact on identity (but are less than “disappearing” someone?)
  • What about reputation? Is it right that a user must leave her reputation behind when she leaves a particular online world? Is “reputation portability” possible? Or is reputation so context-dependent that the online world should be permitted to own it? And what does the online world own exactly? A group-created construct?
  • Is this entire problem avoided by staying out of “walled gardens” and maintaining our own domains? Will this be possible, as online worlds become more and more attractive, and as hardware and software increasingly intertwine?

In the end, it boils down to the fact that the best government is the one that you can trust, which will be the one you know personally: the people close to you in your virtual community, who are held accountable precisely because of community ties. Your best government is going to be each other, because the man behind the curtain isn’t going to know any more than you know him.
Conclusion:
We are still in the early stages of the first two steps dealing with any technology: fear and opportunism. Enlightenment is not far away. I want to suggest that we skip quickly through the fear, linger on the opportunism, and move on to human betterment. This social benefit may come (as so many things do) from playfulness. Games have a great deal to teach us about how we establish and maintain identity. Now we need to consider who is in charge of these identities. It may be, in the end, that we are.
We need to forge a direct link between how we live and work online (especially within walled gardens) and how we structure control over online resources. If the new mode of work online is collaborative peer-production of resources, who will own a shared online space of identities? This ownership may have to be collective. The fundamental problem that is yet to be addressed is that while reputations and identities are group projects, legal ownership of collectively-created intangible identities currently appears to reside (by default) in online intermediaries. We may need to make some noise about this and ensure a better fit. Perhaps the game should belong to the players.

She raises some interesting questions for us to think about. I think looking at the governance and how to actualize that – this is what the distributed governance form of Identity Commons is designed to do. I didn’t really realize that she was involved with XNSORG several years back. She really liked you all and mentioned Bill Washburn and Drummond Reed by name.
While talking with her about identity and her paper she mentioned her connection to the State of Play conferences. The third one is coming up this fall and is entitled Social Revolution. Two panels look very relevant:

  • Collective Action in the Metaverse: Groups, Community and Power
  • Identity in the Metaverse: On-Line Identity in Virtual Worlds

It is the day after Web 2.0 but might be worth the trip 🙂
