NSTIC will require privacy legislation, say groups

Two civil liberties groups say the online identity ecosystem envisioned by the National Strategy for Trusted Identities in Cyberspace will require legislation to ensure that private sector companies aren't tempted to monetize participant data.

NSTIC envisions the creation of two types of intermediaries that together would verify the identity and eligibility of an Internet user wishing to conduct a secure transaction, such as accessing sensitive information. Identity providers would provide a credential, such as a downloadable certificate, verifying that a person is who he says he is, while attribute providers would store characteristic information about that individual, such as age, for use when accessing age-appropriate online sites.

In comments submitted July 22 to the National Institute of Standards and Technology, the Electronic Privacy Information Center and the Liberty Coalition say there is an "unmistakable need" to guarantee that the intermediaries would be governed by Fair Information Practices. The best way to ensure that, the organizations say, is through legislation, since without it "companies are likely to conceal rather than correct problems."

Fair Information Practices include principles such as giving consumers choices on how their personal information may be used and an awareness of any potential recipients of their data.

"Lucrative incentives to monetize personal information are a constant threat to privacy, particularly in an industry where information is highly valuable and consolidated, and alternative business models have not yet been established," the comments state.  

In a footnote, EPIC states that legislation often needs a title that resolves into a memorable acronym in order to gain attention. It offers a number of possible names, such as the Encouraging Privacy or Identities in Cyberspace Act, or EPIC Act.

For more:
- download the EPIC and Liberty Coalition comments from the EPIC website (.pdf)
