NSTIC

NSTIC is the National Strategy for Trusted Identities in Cyberspace, "a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions." The government wants a way for people to be able to sign in to government sites without using government-issued identities.

White Paper: What Could Kill NSTIC? A friendly threat assessment

I shouted “Death to NSTIC!” and my session filled up. This was at the Spring 2011 Internet Identity Workshop and the National Strategy for Trusted Identity in Cyberspace program office was getting its act together, meeting the identerati in Mountain View, California. We took over a room and a whiteboard and imagined what could keep NSTIC’s vision from coming true. The dozen folks in the room were diverse. We were from startups and big companies, governments and NGOs. We were tech geeks, policy wonks, and executive suits. We dredged up failures we’ve known, obvious challenges and barriers unique to the notion of an “identity ecosystem.”

Death to NSTIC!

18 months later I did it again, with a different group, at the Fall 2012 IIW. Again, a whiteboard full of threats.

"Death To NSTIC" session at IIW15

I sat down in December and correlated the two sets of findings. PDEC is putting this out as a whitepaper, full of the details. Read on Scribd or download the pdf. I have a presentation version on Slideshare or you can download the deck as a pdf too.  

Two threats stood out. First, a user experience failure could destroy user adoption, ruin trust in the ecosystem, and twist user behavior counterproductively. Second, the ecosystem’s success depends on being strong in four areas (technology, economy, policy, and culture) and in having each of those areas balance the others. An imbalance could rip the ecosystem apart. 

Something stayed constant between the two sessions: performance anxiety. Execution risk was the overarching concern. Few attempts at something this complex ever go live, let alone thrive. 

Something changed between the two sessions, however. Where the first had many outside threats, the second session focused on internal risks. Less we-may-be-tackled-by-opponents and more we-may-fumble-without-interference. [Sorry for the US football metaphor.] Speculating, it may be that people had shown up to the program, light bureaucracy was being worked out, and it had all become more real.

It’s important to get digital identity right. It affects everyone, every business, every institution.

To that end, NSTIC’s Identity Ecosystem plenary (the people and companies that make up the ecosystem) is meeting this week in Phoenix, and PDEC’s Kaliya Hamlin is there to speak for our startups as part of her “Personal Data World Tour,” taking her from Arizona to D.C., to Austria (conference), to London (seminar), and to Manhattan (seminar). Starting now, Kaliya is running to represent all small businesses and entrepreneurs on the IESG’s management council. Sign up to vote for her by 14 February.

What do you think could kill NSTIC? 


PDEC Whitepaper – What Could Kill NSTIC 2013 by evanwolf on Scribd

Could the Fiscal Cliff Kill NSTIC?


Cuts are coming to US federal government spending in the new year. Cuts will come by cleaver if a “fiscal cliff avoiding” budget is passed or with a chainsaw if Congress and the President fall over the “cliff.”

High hopes fly for an international identity system that works across industries, technologies, governments, and regulatory schemes and still manages to be user centric. In the United States this is driven by a program initiated by the National Strategy for Trusted Identities in Cyberspace through the National Institute of Standards and Technology (NIST).

Direct effects. Nobody knows if this will directly affect NIST and the NIST staff managing the NSTIC project. Could the stream of Department of Commerce funding for NSTIC innovation grants dry up, and will existing projects be halted? Will NIST’s funding for the Identity Ecosystem’s Secretariat, which coördinates and supports the work of the IE, be sustained or cut? In a trillion dollar budget, today’s spending on NSTIC is a rounding error.

Indirect effects. We don’t know how cuts in federal spending will affect the program indirectly as participating businesses and NGOs lose government contracts, experience greater risk, or enjoy new opportunities.

eGovernment as customer. Will the largest government agencies stay in the game? Constituent-facing services would be among the first implementers of these open, user-centric identity frameworks. Having huge customers as “anchor tenants” provides strong incentives for the private sector to invest and make the identity ecosystem work. Will spending cuts affecting these major clients throughout government interfere with their projects’ continuity? Will key personnel assigned to identity ecosystem governance, design, and engineering stay engaged? Stay employed?

Lots of unknowns.

And no strategy to respond to these risks from the Identity Ecosystem Steering Group. Yet.

NSTIC Governance Workshop, March 15

Kaliya will be attending:

Thursday, March 15, 2012

Main Auditorium, U.S. Department of Commerce – Herbert C. Hoover Building, 1401 Constitution Avenue NW, Washington, DC

Since the creation of the Internet, there have always been difficult questions surrounding privacy, security and trust. How do we know with whom we are interacting? How do we know they are trustworthy? How do we balance the desires for anonymity and personal privacy with the need to secure our information and transactions? In an effort to address these questions, President Obama signed the National Strategy for Trusted Identities in Cyberspace (NSTIC or “Strategy”).

The U.S. Department of Commerce and the National Institute of Standards and Technology (NIST) will host a workshop with thought leaders from government and industry to discuss aspects of the Identity Ecosystem governance structure called for in the NSTIC.

This workshop will review and take questions on NIST’s February 2012 paper, Recommendations for Establishing an Identity Ecosystem Governance Structure, and on specific issues concerning the establishment of that governance structure.

Consumer Data Privacy in a Networked World was released by the White House.

The Consumer Privacy Bill of Rights provides a baseline of clear protections for consumers and greater certainty for businesses. The rights are:

  • Individual Control:  Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.
  • Transparency:  Consumers have a right to easily understandable information about privacy and security practices.
  • Respect for Context:  Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security:  Consumers have a right to secure and responsible handling of personal data.
  • Access and Accuracy:  Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.
  • Focused Collection:  Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability:  Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

PDEC presents at NSTIC Privacy Workshop

Kaliya Hamlin, Executive Director of PDEC, presented at the two-day NSTIC (National Strategy for Trusted Identities in Cyberspace) Privacy Workshop, June 27-28th in Boston at MIT’s Media Lab. Agenda Here. A focus of her talk was the PDEC Startup Circle and market-based solutions for individual privacy.

Update from Identity Associates:

I had the opportunity to attend much of the two day NSTIC Privacy Workshop held in Cambridge Massachusetts this week.   I haven’t been following this NIST-backed effort as closely as I probably should have, so the workshop in Cambridge was a perfect opportunity to catch up with NSTIC, at least through the lens of privacy.

A few observations:

  • Once again, Identity Woman, aka Kaliya Hamlin, seems to be two steps ahead.  Will the Personal Data Ecosystem Consortium trump traditional standards processes by leveraging the entrepreneurial energy of competing startups?  Running code FTW?

NSTIC Privacy Workshop

June 27, 2011 – Boston
Kaliya Hamlin was invited by NIST to present at the NSTIC Privacy Workshop (PDF) on the panel Privacy-Enhancing Technologies, Usability and the End User Experience. The moderator was Dazza Greenwood, eCitizen Foundation, and the panelists included: Jeffrey Friedberg, Chief Trust Architect, Microsoft; Ken Mortenson, Chief Privacy Officer, CVS Caremark; John Clippinger, The Law Lab at Harvard; Seth Schoen, Staff Technologist, Electronic Frontier Foundation (EFF); and Dawn Jutla, Professor, Saint Mary’s University, Halifax. You can see Kaliya Hamlin’s slides here.

NSTIC Governance Workshop

June 8-9, 2011 – Washington, DC
Kaliya Hamlin attended the NSTIC Governance Workshop, hosted to consider how the Identity Ecosystem should be governed and raised the issue that perhaps “Trust Framework” was not the best name to describe the joint technology & policy frameworks being developed to support the sharing of personally identifiable information and personal data online. Jeremy Grant, the head of the program office, asked her if she had a better name.

Privacy, Identity and Innovation

May 19-20, 2011, Santa Clara
Many startups focused on personal data were at this event, and we had the first PDEC Startup Circle gathering on the evening prior to the event. Attendees included Shane Green of Personal, Joe Andrieu of Switchbook, and Tara Hunt of Buyosphere. Kaliya Hamlin participated in a Roundtable Discussion, Implementing an Identity Ecosystem, with Declan McCullagh of CNET; Eric Sachs, Product Manager at Google; Ari Schwartz, Senior Internet Policy Advisor for the NIST Information Technology Laboratory; Don Thibeau, Executive Director of the OpenID Foundation; and Peter Watkins, Executive Director in the Office of the CIO with the Government of British Columbia. Video and podcast are linked from this page; also see http://pii2011.com/.

PDEC at IIW: An NSTIC Project Risk Analysis

At last week’s Internet Identity Workshop in Mountain View, California, I led a brainstorming session to identify risks to the success of the new National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “EN-stick”). The strategy is to encourage many non-government organizations to provide digital identity and personal data services in a way that meets the needs of individuals, identity providers (“yes, this person is who she claims to be”), attribute providers (“she is registered at our school”), and those who rely on digital identity. What could go wrong with a project like this? What can be done to avoid these threats and risks? To mitigate them when they show up? Meeting notes…

Risks

Lack of adoption. NSTIC relies on the private sector to invest in and build identity infrastructure. There’s a real chance that this could happen slowly or unevenly. We’ve seen great technologies wither when they don’t reach critical mass.

Impatience for learning curve. We learn by doing and we learn more from problems and failures. NSTIC as a whole could be unfairly discredited after some projects or products fail for technical or business reasons. 

Usability failures. Great products fail on even minor user experience defects. We know very little about what great user experience looks like for this next generation of personal data control.

Interop failures. Systems that should work together in theory may not in practice. The causes range from technical philosophy, ego, fuzzy specs, and culture gaps to regulatory differences and local optimization.

Overscope. We’ve all seen protocols that work at first, become burdened as new features pile on, and lose their clarity and momentum as a result.

Phishing and Malware ($). We know that bad actors will follow the money, as they have from email to search to social media. Stakeholders could lose faith and abandon trust frameworks.

Perversion of principles ($). NSTIC lists core principles. Those principles will be eroded, if not attacked, unless monitored and defended.

Overpromising (by Tech to Policy). Silicon Valley has a tendency to tell Washington that technology offers silver bullets to huge problems.

Dystopian fear. Maybe your government really is out to get you, but dark overwhelming fears could slow or stop the project.

Waiting for winners. One strategy for risk is to wait for a handful of leaders to emerge before joining. This stifles investment, experimentation, and deep learning. The ecosystem needs pioneers and early adopters before winners can emerge.

Regulatory blocks. National and local laws and regulations may interfere with the ability of the ecosystem to grow. Privacy laws, liability, and antitrust rules could stall engineering, investment and adoption.

Uncertainty over liability. However the ecosystem works out liability, uncertainty about the resolution threatens investment.

Short attention span. This is not a weekend project. Will the ecosystem persist until it becomes mainstream?

Hype cycle. Many technologies don’t survive the hype cycle’s peak of inflated expectations or the trough of disillusionment.

Chicken vs. Egg. The system needs governance, startups, large corporate and government users, and the public to buy in. Nobody wants to jump in first.

Prevention and Mitigation Actions

Highlight small successes. We should celebrate small, incremental successes more than big-bang moments. Don’t oversell or overpromise.

Industry Marketing and PR. The ecosystem needs its own media and voice to respond to concerns, to put forth a common vision, to reach out to newbies and decision makers, to evangelize the benefits of the approach.

Share community UX experience. We could plan and pool knowledge and experiments as a community of practice. Where a Google might not be able to try different login UIs, since variation would be perceived as phishing, smaller companies can experiment and share results, leading to convergence and adoption.

Cultivate Engineering Focus. Keeping designers and engineers focused on current release cycles helps a developer community avoid feature creep and intriguing digressions.

Foster Interop Testing. Other industries develop standards for testing interop, hold interop workshops and set up backchannels for feedback. We just need a convening body to coordinate tests.

Formulate, publish and update a Clear/Graded Roadmap. Short term plans paired with long term visions: plans to reach specific business and technology milestones, and long term visions for where those protocols and practices should go. Clearly communicated and widely agreed upon, so the industry avoids forking, surprises, and hype.

Industry association outreach. The NSTIC strategy depends on achieving a critical mass of adoption within various communities. Many are represented by industry associations or professional organizations. Outreach services could provide education, evangelism, engagement and help with rough spots in adoption.

Recruit legacy identity authentication communities. NSTIC is not the first attempt to solve these problems. A look at NIST SP 800-63 shows existing identity and security standards have communities of their own, including tens of thousands of implementers. Outreach can smooth the way for education and adoption.

Security Council. It’s not too early to start a security conversation within the NSTIC ecosystem. At a minimum, we could start a working group to prepare for the first wave of phishing and identity theft.

Government Affairs. Governments are huge stakeholders in NSTIC. Not just US federal government agencies but US state and local governments. There is every reason to expect this program to be transnational so governments around the world are also stakeholders. They will want to understand the policy implications of the rapidly changing technologies, and the effect rules, regulations, directives and laws will have on the ecosystem. Effective communication and advocacy on behalf of the industry, especially for the many small startups and the interests of individuals who lack a voice, could keep government perspectives and actions cordial and supportive.

OIX Risk Wiki. OIX has an active security thread on its wiki.

Risk, Response, Community and PDEC

So this brings to mind three roles for PDEC, the Personal Data Ecosystem Consortium: Communicate, Convene, and Community.

Many of these responses involve marketing communication functions on behalf of the community’s stakeholders. As listed above, industry marketing and public relations, government affairs, highlighting small accomplishments, publishing a roadmap, are the kinds of things a consortium can do well. Speakers bureau, anyone?

Similarly, bringing people together to talk and work is another role for PDEC. We can serve some of our outreach goals by inviting people and organizations to join in projects and conversations. For example we could invite identity providers and relying parties to interop workshops. We might host security roundtables and mailing lists.

Last, today’s identity ecosystem doesn’t have a real voice for individuals, a way for people to talk about this topic. PDEC might offer community services to help people talk to each other, with the industry, and with other stakeholders.

The “Death to NSTIC!” motto, all in fun, reminds us bad things happen and preparedness is part of planning.

I want to thank the IIW folks who crowded into room E for their work, as reported here. I also want to thank the Identity Commons for creating an environment where IIW and PDEC can emerge.