I was invited to present in the Personal Data Track at the Cloud Identity Summit, 2016 in New Orleans.
This is the talk I gave. It also came with a two sided 11×17 sheet with all 6 diagrams (just below).
Independent Advocate for the Rights and Dignity of our Digital Selves
Kaliya Young · ·
I was invited to present in the Personal Data Track at the Cloud Identity Summit, 2016 in New Orleans.
This is the talk I gave. It also came with a two sided 11×17 sheet with all 6 diagrams (just below).
Since becoming involved in the IDESG, I have become concerned that we do not have people of religious faith – with that as their primary “identity” within the context of participating in the organization. Let me be clear about what I mean, we have many people of many faiths involved and I am not disrespecting their involvement. We also don’t have people who’s day job is working for faith institutions (that they would take time out from to “volunteer” on this effort to explicitly bring in a faith perspective). Someone from say the National Council of Churches would not be a bad thing to have given that one of groups of people who today have consistently sue against “identity systems” are Christians objecting to ID systems put into public schools to track children students. With this proactive faith stance involved the systems we are seeking to innovate reduces the risk of rejection via law suite. I also think the views of those from Jewish, Muslim Sikh, Budhist, Hindu and other faiths should be proactively sought out.
Another Tweet from the Tampa meeting….
Please see the prior post and the post before about how we got to discussing this.
We can not forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine. How did this happen? What were these systems? How did they work? and particularly how did the private sector corporation IBM end up working a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we can not ignore.
In 2006 Stefan Brands gave a talk that made a huge impression on me he warned us and audience of very well meaning technologists that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time but after a while the point he was making sunk in and stuck with me. He shared this quote (this slide is from a presentation he gave around the same time)
It is the likability that is the challenge.
We have to have the right and freedom NOT to be required to use our “real name” and birthdate for everything.
This is the defacto linkable identifier that the government is trying to push out over everything so they can link everything they do together.
Stephan proposes another Fair Information Principle.
I will share more of Stephan’s slides because I think they are prescient for today.
Stephan’s slides talk about User-Centrism technology and ideas in digital identity – ideas that have virtually no space or “air time” in the NSTIC discussions because everything has been broken down (and I believe intentionally so) into “security” “standards” “privacy” “trust frameworks” silos that divide up the topic/subject in ways that inhibit really tackling user-centrism or how to build a working system that lives up to the IDEALS that were outlined in the NSTIC document.
I have tried and tried and tried again to speak up in the year and a half before the IDESG and the 2 years since its existence to make space for considering how we actually live up to ideals in the document. Instead we are stuck in a looping process of non-consensus process (if we had consensus I wouldn’t be UN-consensusing on the issues I continue to raise). The IDESG are not taking user-centrism seriously, we are not looking at how people are really going to have their rights protected – how people will use and experience these large enterprise federations.
Yes everyone that is what we are really talking about…Trust Framework is just a code word for Enterprise Federation.
I went to the TSCP conference a big defence/aerospace federation (who was given NSTIC grants to work on Trust Framework Development Guidance) where this lovely lady Iana from Deloitte who worked on the early versions of NSTIC and potential governance outlines for IDESG – she said very very clearly “Trust Frameworks ARE Enterprise Federations” and it was like – ahhh a breath of fresh clear honest air – talking about what we are really talking about.
So back to the Stephan Brands re-fresher slides on user-centric ID so we don’t forget what it is.
Look at these, take them seriously.
The complaint was that I called my fellow IDESG colleagues Nazi’s. He was unsatisfied with my original statement about the tweet on our public management council mailing list. Some how this led to the Ombudsman taking on the issue and after I spoke with him in Tampa it was followed by a drawn out 5 week “investigation” by the Ombudsman before he issued a recommendation.
Then turns out after all was said and done there was never actually a formal complaint. There was the ombudsman taking action on his own. (its funny how organizations can use Ombudsman to not actually protect people with in institutions but use them as institutional forces to push people out who speak up and ask too many questions)
During the time I was being investigated I experienced intensive trolling about the matter on twitter itself. The trolling was done by someone obviously familiar with the situation who was upset. There were only 5 people familiar with them matter as it was ongoing through this investigation.During my own IIW conference the troll topped off the week by making implicit rape threats. This was very very disruptive and upsetting to me so much so I don’t even remember that IIW.
Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa and without any intent to cause an association in the mind of a reader with IDESG, NSTIC, nor any person or persons in particular note that I did not reference anyone with a @____ or add any signifying hashtags e.g., #idesg or #nstic in this tweeted comment. So unless you were reading everything you would never know I said it.
I own that the tweet was provocative but it was It was not my intent to cause harm to anybody or to the IDESG organization and wider identity community.
We can’t put documents up for community and public input and say “its 40 page document nobody has time to read” and laugh as if it is funny that the process is so bad that there is no ability for the body of the organization let alone the public to have insight. That is how not good things begin to happen no one is looking. I was trying to make a point that the meeting was being badly badly run and that poor process can lead to really bad outcomes.
I am very sorry if the tweet had an emotionally negative impact on people on the management council. I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces vulnerability it is very hard to look at.
I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my my next post for this to be further expounded upon]
I didn’t choose to say anything along these lines because I was in the middle of a process with the Ombudsman I thought that would be honored and let to run its course.
I also didn’t feel one should feed internet trolls – one was being very aggressive and pestering me for an apology.
I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.
This includes hiding behind pseudonyms and aggressively trolling to get back at someone you are upset with. Which also happened – either deal with the issue in a formal process or take them out on twitter but do’t do both.
The whole process left my and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions and now that this is posted we look forward to their answers to those questions.
No one from he IDESG including the ombudsman ever responded or was concerned by the aggressive trolling and implicit rape threats on twitter by someone intimately familiar with the ongoing ombudsman process.
Abusive behavior towards women isn’t just a physical thing it is a psychological as well. I have felt unsafe in the Identity community since this incident. I am now setting it aside though and stepping forth in my full power.
I wrote an article for Re:ID about the BC Government’s Citizen Engagement process that they did for their eID system.
Here is the PDF: reid_spring_14-BC
BC’S CITIZEN ENGAGEMENT:A MODEL FOR FUTURE PROGRAMS
Because of my decade long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it.
The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face- to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government.
[Read more…] about BC Government Innovation in eID + Citizen Engagement.
I am really excited to be working with a super awesome crew of leaders of the Online Community Manager Tribe – or OCTribe. We have been considering reviving the event and the pieces have finally come together to do it.
Registration is Open!
I really love the other co-organizers who are all rockstar community managers.
The conference was originally produced by Forum One and I contracted with them to help design and facilitate. That event itself grew out of an invitational summit they hosted annually on online communities. I actually attended one of these in 2004 as a replacement for Owen Davis who I worked for at the time at Identity Commons (1).
My firm Unconference.net is doing the production and facilitation for the event.
I plan to bring forward topics of digital identity forward at the event and hopefully get some of the amazing expertise on identity and reputation to participate in NSTIC.
[This is cross posted on the PDEC blog – http://pde.cc/2013/03/edudata/]
Every day it seems there is a new story about new “big data” systems are going to make things better – but then… they just made things creepier.
The latest news like this came from inBloom Inc. via SXSW-Edu (on Reuters). inBloom is a newly formed nonprofit to host a massive database of student records created with $100 million in funding from the Bill and Melinda Gates Foundation. The goal seems good: track the progress of students through school and use the data to improve their outcomes.
The records can be comprehensive and inBloom doesn’t need students’ parents to consent to have their records in the database.
Federal officials say the database project complies with privacy laws. Schools do not need parental consent to share student records with any “school official” who has a “legitimate educational interest,” according to the Department of Education. The department defines “school official” to include private companies hired by the school, so long as they use the data only for the purposes spelled out in their contracts.
The whole idea that you must have one massive educational database of all student records is an architecture of the past.
The core idea is right: more data about a student’s learning experience in school is good for them and could be good for the overall school system. The challenge is how it is engineered. Are students and their parents put at the center of their own data lives? Or are they in another giant system they have little control over or say in?
We need to empower students with their own personal clouds. They must be able to download their own student learning records. They must be able to share them with companies and services that will work on their behalf. With personal clouds and infomediaries to help, students will find educational resources/and tools that can help them fill gaps in their learning and discover communities of interest. This infomediary market approach puts personal data to use without revealing any more data than needed and only on the student’s terms.
Infomediary Market Model for Personal Data
In this market model the individual collects data in their personal cloud. This could be a machine in their home or a service provider they trust (they must have the right & ability to move service providers with all their data if this is truly a personal cloud service). The individual trusts an infomediary service to look into their personal cloud but does so with a fiduciary duty to the end-user. The infomediary then works on their behalf in the market place to find relevant vendors and services. It does not reveil specific personally identifying information to prospective service providers. It helps the individual have good choices and they decide who to transact with (thus reveling personal information).
The inBloom project sounds like an marketing project: companies will comb through the data base, find students to approach, and sell them with “education” products. The student data is up for grabs.
We need a better set of policies, technologies, and products that put parents and their kids at the center of and in control of their data. This single point of failure won’t do.
Tomorrow is the UnMoney Convergence – an un-conference about all sorts of topics related to money, currency, land, value, reputation, identity.
Here are the topics that people are hoping to discuss:
TEDx New Wall St.
re-imagining banking re-built for the Information Age in Silicon Valley on a New Wall Street, as described in the attached press release, and here http://.www.TEDxNewWallStreet.org
Fosters dialogue and collaboration among the range of interesting emerging ideas around money and exchange systems and to explore connections with issues of land and property tenure. In addition to topics on alternatives to the current currency systems, we invite all who are looking at new ways to look at land tenancy and stewardship, hard currency versus energy, time and food based currencies. We are looking for synergies between folks who see the need for more grounded, materially based economics and those looking at the spiritual, energetic and values based approaches.
Website here (might be new in a few days).
There are many definitions of trust, and all people have their own internal perspective on what THEY trust.
As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.
I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.
However, the way the word “trust” is used within the NSTIC document, it often includes far to broad a swath of meaning.
When spoken of in every day conversation trust is most often social trust.
[Read more…] about The Trouble with Trust, & the case for Accountability Frameworks for NSTIC
The NSTIC governance NOI articulates many key activities, qualities and goals for a governance system for NSTIC. NSTIC must:
Achieving these goals will require high-performance collaboration amongst the steering group and all self-identified stakeholder groups. It will also require earning the legitimacy from the public at large and using methods that surface their experience of the Identity Ecosystem Framework as it evolves.
[Read more…] about Alignment of Stakeholders around the many NSTIC Goals
Collaboration is a huge theme in NSTIC. Below is the initial approach to collaboration in the document:
The National Strategy for Trusted Identities in Cyberspace charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions.
Collaboration, as defined by Eugene Kim, a collaboration expert and the first Chief Steward of Identity Commons, occurs when groups of two or more people interact and exchange knowledge in pursuit of a shared, collective, bounded goal
To achieve the challenging goals set out in NSTIC, such as raising trust levels around identities, high performance collaboration is required. Both shared language and shared understanding are prerequisites for high-performance collaboration.
This is a powerful excerpt from Eugene Kim’s blog about two experiences from technical community participants (including Drummond Reed from the user-centric identity community) that paints a clear picture of the importance of time for, and the proactive cultivation of, shared language:
[Read more…] about Ecosystems Collaborate using Shared Language – NSTIC
What is an Ecosystem?
The National Strategy for Trusted Identities in Cyberspace paints a broad vision for an Identity Ecosystem. The strategy author’s choice to name the big picture vision an “ecosystem” is an opportunity not to be lost. An Identity Ecosystem construct will inform the choice of processes and structures appropriate to govern it.
An ecosystem is a biological environment consisting of all the organisms living in a particular area, as well as all the nonliving, physical components of the environment with which the organisms interact, such as air, soil, water and sunlight.
This definition reminds us that the context of an Identity Ecosystem is broad and goes beyond just the identities of people and devices but extends to the contexts in which they operate and interact, the network and indeed the wider world. When we discuss a person’s digital identity it should not be forgotten that we are each fundamentally biological beings living in complex social systems composed of groups, organizations and businesses, all socially constructed and embedded in a larger context, the biosphere surrounding the planet earth.
An overall Identity Ecosystem is needed because small islands of identity management online are working, but they have not been successfully woven together in a system that manages the tensions inherent in doing so to ensure long term thrivability of the overall system. [Read more…] about Ecosystem as the frame for NSTIC
Context for my response to the NSTIC Governance NOI
Table of Contents to Blog Posts of My Response
My Complete Response in PDF form Kaliya-NSTIC-NOI
Introductory Letter of the Response.
Context for my NSTIC NOI response
I surprised myself when writing my response to the NSTIC (National Strategy for Trusted Identities in Cyberspace) Governance NOI (Notice of Inquiry). I wasn’t sure exactly what I was going to say because the questions seemed like they were way ahead of where they should be interms of where things were. I decided to begin by sharing important Context, Frames and Terms that were important before getting to the Questions of Governance and what should be done now.
I began with the word Ecosystem – what it meant and that a system was at the heart of this strategy not something simple or easily actionable.
I touched on the history of the Identity Community and how much conversation and intensive dialogue happened amongst that early community to get to a place where collaboration was natural and “easy”. A huge amount of effort went into developing shared language and understanding then and this is needed once again. The range of self identified stakeholders for NSTIC is quite large (the range of not self identified stakeholders it could be said is everyone on the planet or at least all those with a digital connection (via phone or interent).
I put forward two different methods/tools/processes that could be used to form shared language and understanding across this stakeholder community Polarity Management and Value Network Mapping.
I suggest that the governance structure proposed a “steering group” actually have a mandate to regularly listen to and act on the recommendations of the system that are generated via 3 different well established dialogic processes (Creative Insight Council, World Cafe and Open Space Technology [What we use at IIW]. I then answer the NOI questions referencing the ideas above.
I am going to be posting the whole of my Response in a series of posts and linking them all from there.
I began with one earlier last week which is focused on “trust” both as an emergent property of the overall system AND as the current name of technology and policy/legal frameworks for identity creation.
Links to NSTIC Response Posts:
[Read more…] about NSTIC Response by Identity Woman
This is my talk presented to the Digital Privacy Forum produced by Media Bistro, January 20th, 2011 about Personal Data Ecosystem and the emerging consortium in the space.
Thanks for inviting me here to speak with you today.
The purpose of my talk is to share a new possibility for the future regarding users’ personal data that most have not yet explored. It sits between the two extremes of a familiar spectrum.
On one end, “Do not track” using technology and a legal mandate to prevent any data collection.
On the other end, “Business as usual” leaving the door open for ever more “innovative” pervasive and intrusive data collection and cross referencing.
There is a third possibility that aligns with peoples’ privacy needs as well as offering enormous business opportunities.
A nascent but growing industry of personal data storage services is emerging. These strive to allow individuals to collect their own personal data to manage it and then give permissioned access to their digital footprint to the business and services they choose—businesses they trust to provide better customization, more relevant search results, and real value for the user from their data.
With other leading industry thinkers, I have come to believe that there is more money to be made in an ecosystem that allows users to determine which businesses have access to what data,and under what terms and conditions, than there is under present more diffused, scattershot, and unethical collection systems. Today I will articulate the broad outlines of this emerging “personal data ecosystem” and talk about developments in the industry.
Those of you who know me will find it unusual for me to have such a keen focus on making money on user data and emerging business models.
I am, after all, known as the “Identity Woman – Saving the World with User-Centric Identity”. Since first learning about issues around identity technologies online in 2003, I have been an end user advocate and industry catalyst.
[Read more…] about Personal Data Ecosystem talk at Digital Privacy Forum, Jan 20th, 2011 in NYC
This is cross posted on my Fast Company Expert Blog with the same title.
I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce. I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding. In the process of doing so, it interacts with 100,000’s of people and does many of those interactions online. Many of those people are based at institutions of higher learning. These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions they are affiliated with. NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems. In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.
The NIH doesn’t want to use a cookie and doesn’t want to know who you are. They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don’t have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn’t link users of the same account across government websites (see my earlier post on Fast Company). They proactively DID NOT want to know who users of their library were.
One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people – to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc. It wants to be able to accept claims issued by third parties about the people applying to be part of studies. It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.
These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee of the Information Security & Identity Management Committee established by the Federal CIO Council). They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.
Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for login and interact with it online. We as those account holders would like to do this – it would be more convenient for us – but we want to know that ONLY we can get access to our records, that that they won’t show our record to someone else.
So let’s think about how one might be able to solve this problem.
One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from a end-user perspective and very expensive for the agencies.
Another option is that the government issues one digital ID card to everyone ,and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.
So how to solve this challenge – how to let citizens login to government sites that contain sensitive personal information – whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.
Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
What does a private sector service provider use case look like in this ecosystem?
When we open accounts, they are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. They know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.
The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring. All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.
What does is a public service provider look like in this ecosystem?
The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should in this emerging ecosystem be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business with in the private sector.
There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words “National” “Identity” and “Cyberspace” being in the title of the strategy document but instead to actually talk to the the agencies to to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.
I am optimistic that forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help diverse identity ecosystem come into being one that reduce costs (for governments and the private sector) along with increasing trust and overall help to make the internet a better place.[Read more…] about Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.
Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governence Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.
This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.
[Read more…] about Thoughts on the National Strategy for Trusted Identities in Cyberspace
Today the United States Government with digital identity industry leaders announced the development of a pilot project with NIH and related agencies using two of the open identity technology standards OpenID and Information Cards.
This is, as a friend said to me, a “jump the shark moment” – these technologies are moving out from their technologists technology cave into mainstream adoption by government agencies. We are seeing the convergence of several trends transform the way citizens participate in and communicate with government:
The Obama administration open government memorandum called for transparency participation, collaboration and federal agencies have begun to embrace Web 2.0 technologies like blogs, surveys, social networks, and videocasts.
Today there are over 500 government websites and about 1/3 of them require a user name and password. Users need to be able to register and save information and preferences on government websites the same way they do today with their favorite consumer sites, but without revealing any personally identifiable information to the government.
The challenge is that supporting this kind of citizen interaction with government via the web means that identity needs to be solved. On the one hand you can’t just ask citizens to get a new user-name and password for all the websites across dozens of agencies that they log in to. On the other you also can’t have one universal ID that the government issues to you and works across all government sites. Citizens need a way to interact with their government pseudonymously & in the future in verified ways.
So how will these technologies work?
Those already familiar with OpenID know that typically when users login with it they give their own URL – www.openIDprovider.com/username. (see this slideshare of mine if you want to see OpenID 101) There is a little known part of the OpenID protocol called directed identity – that is a user gives the name of their identity provider – Yahoo!, Google, MSN etc – but not their specific identifier. The are re-directed to their IdP and in choosing to create a directed identity they get an identifier that is unique to the site they are logging into. It will be used by them again and again for that site but is not correlatable across different websites / government agencies. The good news is it is like having a different user-name across all these sites but since the user is using the same IdP with different identifiers (unlinked publicly) but connected to the same account they just have to remember one password.
Information Cards are the new kids on the identity block in a way – this is their first major “coming out party” – I am enthusiastic bout their potential. It requires a client-side tool called a selector that stores the user’s “digital cards”. Cards can be created by the end user OR third parties like an employer, financial institution, or school can also issue them.
In essence, this initiative will help transform government websites from basic “brochureware” into interactive resources, saving individuals time and increasing their direct involvement in governmental decision making. OpenID and Information Card technologies make such interactive access simple and safe. For example, in the coming months the NIH intends to use OpenID and Information Cards to support a number of services including customized library searches, access to training resources, registration for conferences, and use of medical research wikis, all with strong privacy protections.
Dr. Jack Jones, NIH CIO and Acting Director, CIT, notes, “As a world leader in science and research, NIH is pleased to participate in this next step for promoting collaboration among Assurance Level 1 applications. Initially, the NIH Single Sign-on service will accept credentials as part of an “Open For Testing” phase, with full production expected within the next several weeks. At that time, OpenID credentials will join those currently in use from InCommon, the higher education identity management federation, as external credentials trusted by NIH.” In digital identity systems, certification programs that enable a site — such as a government agency — to trust the identity, security, and privacy assurances from an identity provider are called trust frameworks. The OIDF and ICF have worked closely with the federal government to meet the security, privacy, and reliability requirements set forth by the ICAM Trust Framework Adoption Process (TFAP), published on the IDManagement.gov website. By adopting OpenID and Information Card technologies, government agencies can cost effectively serve their constituencies in a more personalized and user friendly way.
“It’s good to see government taking a leadership role in moving identity technology forward. It’s also good to see government working with experts from private sector and especially with the Information Card Foundation and the OpenID Foundation because identity is not a technical phenomenon — it’s a social phenomenon. And technological support for identity requires the participation of a broad community and of representatives of government who define the legal framework within which identity will operate,” said Bob Blakley, Vice President and Research Director, Identity and Privacy Strategies, Burton Group. “Today’s announcement supplies the most important missing ingredient of the open identity infrastructure, mainly the trust framework. Without a trust framework it’s impossible to know whether a received identity is reliable.”
Under the OIDF and ICF’s open trust frameworks, any organization that meets the technical and operational requirements of the framework will be able to apply for certification as an identity provider (IdP). These IdPs can then supply authentication credentials on behalf of their users. For some activities these credentials will enable the user to be completely anonymous; for others they may require personal information such as name, email address, age, gender, and so on. Open trust frameworks enable citizens to choose the identity technology, identity provider, and credential with which they are most comfortable, while enabling government websites to accept and trust these credentials. This approach leads to better innovation and lower costs for both government and citizens.
The government is looking to leverage industry based credentials that citizens already have to provide a scalable model for identity assurance across a broad range of citizen and business needs – doing this requires a trust framework to assess the trustworthiness of the electronic credentials; see Trust Framework Provider Adoption Process (TFPAP). A Trust Framework Provider is an organization that defines or adopts an online identity trust model involving one or more identity schemes, has it approved by a government or community such as ICAM, and certifies identity providers as compliant with that model. The OIDF and ICF will jointly serve as a TFP operating an Open Trust Framework as defined in their joint white paper, Open Trust Frameworks for Open Government.
Both the OpenID and Information Card Foundation have been working very hard on this for many months – last night I was fortunate to their boards at a history first ever joint dinner.
There are two women in particular though who have driven this forward: Judith Spencer of the Federal Identity, Credential, and Access Management Committee on the government side and Mary Ruddy of Meristic Inc on the industry side. Both of them will be speaking about the project at the Gov 2.0 Summit on Thursday.
Personally this announcement shows how far things have come since I facilitated the first Internet Identity Workshop in 2005 with 75 idealistic identity technologies talking about big ideas for use-centric identity. I am really looking forward to discussing these developments at the forthcoming 9th Internet Identity Workshop in November.
I am really happy to let you all know about this forth coming OASIS ID-Trust Identity Management 2009 event September 29-30.
The theme of the event will be “Transparent Government: Risk, Rewards, and Repercussions.”
The U.S. National Institute of Standards and Technology (NIST) will be hosting it in Gainthersburg, Maryland.
In the why attend the reference part of a directive by Barack Obama to the National Security Council and Homeland Security Council.
“to defend our information and communications infrastructure, strengthen public/private partnerships, invest in cutting edge research and development and to begin a national campaign to promote cyber-security awareness and digital literacy.” The U.S. federal government aims to accomplish all of this while becoming increasingly open and transparent.
The program is now available – and looks quite good.
There is a discount available until August 31. There are special registration proceedures for non-US citizens.
Yesterday the Government hosted a workshop in DC: Open Government Identity Management Solutions Privacy Workshop.
The OpenID Foundation and the Information Card Foundation are working with the U.S. General Services Administration to create open trust frameworks for their respective communities.
Drummond Reed and Don Tibeau announced their paper Open Trust Frameworks for Open Government.
Quiet and intense work has been going on since just before the last IIW on all this, so it is great to see it begin to see the light of day.
The OpenID Foundation had a wonderful new redesign that Chris Messina announced. This page really made me smile: Get an OpenID – Surprise! You may already have an OpenID.
Axel did a Wordle of it:
“The nation’s Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.
This is from the Wired coverage:
By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.
“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”
Basically it means we shouldn’t be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN’s. I wonder if they can figure out mine? I received my as an adult when I was attending college in California.
I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster,”.
Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.
Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.
Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.
Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.
According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.
I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven’t mentioned it.