Focus turns to privacy in second NSTIC workshop


The first of four guiding principles in the National Strategy for Trusted Identities in Cyberspace (.pdf) calls for identity solutions to be privacy-enhancing and voluntary. Representatives from government, industry and consumer advocacy groups met for an NSTIC workshop June 27 and 28 at the Massachusetts Institute of Technology Media Lab in Cambridge, Mass., to discuss how those privacy objectives will mesh with the implementation of an identity ecosystem framework.

"Developing clear policies will only be the first step to achieving enhanced privacy protections within the Identity Ecosystem. Participating service providers need to implement the policies in ways that provide a good user experience and enable individuals to realize meaningful benefit from those policies," says a workshop document (.pdf) published by the National Institute of Standards and Technology, which hosted the event.  

During his opening address, Jeremy Grant, senior executive advisor for identity management at NIST, emphasized the importance of fair information practice principles, or FIPPs, in the privacy conversation.

"The envisioned Identity Ecosystem will be grounded in a holistic implementation of the FIPPs in order to provide multi‐faceted privacy protections," says the NSTIC document. "Moreover, a FIPPs-based approach will promote the creation and adoption of privacy-enhancing technical standards," it adds.

But "the FIPPs don't judge uses," notes a slide presentation (.pdf) from Seth Schoen, staff technologist at the Electronic Frontier Foundation. In other words, ID providers, relying parties and end users may have different notions of what information some entity needs.

"What incentives will IDPs and RPs really have to align their information collection and ID demands with end users' preferences?" asked Schoen in slides from his workshop presentation. 

User preferences are sometimes unclear, as well. Many end users don't have effective tools to manage their identity, said Kaliya Hamlin, executive director of the Personal Identity Ecosystem Consortium, during her presentation. According to NSTIC, an identity ecosystem "will require new business models [for] each of the service provider roles." Hamlin's question is: "What about the individual's (the subject's) business model?"

"People are the only ethical integrators of their own diverse data streams...we need business and market models for business agents that work on the users' behalf," said Hamlin, according to her slide presentation (.pdf).

Open discussions followed the presentation in breakout sessions focused on usability/user experience issues and the role of privacy-enhancing technologies in implementing privacy protections, along with related challenges, according to NIST.

The event followed the first NSTIC workshop, which focused on governance, June 9 and 10 in Washington, D.C. During the first event, NIST posted a Notice of Inquiry (.pdf) seeking comment on the requirements of, and possible models for, an NSTIC steering group. Comments on the NOI are due on or before July 22, 2011.

For more:
- see the presentations from the second NSTIC workshop
- see slides 22-27 of Grant's presentation (.pdf) for more on FIPPs
