From IVP Wiki
Revision as of 13:13, 27 June 2011 by Bill Densmore (Q&A session)



National Strategy for Trusted Identities in Cyberspace

Privacy Workshop

June 27-28, 2011 / MIT Media Lab / Boston, Mass.

By Bill Densmore

Hash tags: #nstic.mit #nstic

SPEAKER: Keynote and host -- Sandy Pentland, MIT Media Lab

Keynote speaker Alex “Sandy” Pentland, former head of the Media Lab. He is a pioneer of the mobile social web:

“Personal data is the new oil of the internet and the new currency of the digital world.” Meglena Kuneva, European Consumer Commissioner.

Telcoms have to collect personal data to make money. “They see this as their way forward. …. Most large media companies see this as their route back to profitability.”

In two years there will be 200 million medical devices on and inside people, according to an executive at Qualcomm.

“All the private data about people coming through one channel . . . that’s the real point of pain here . . . do not be distracted by Facebook or Google.”

SPEAKER: Jeremy Grant: Personal data: The emergence of a new asset class

“The only people you can trust with this data, are the people themselves. People have to have ownership of their data,” he says. So how do you promote ownership of personal data by the people themselves? Key is to think of data as valuable.

“Companies are willing to do this, because if they give you a copy of your data . . . you have the ability to use it in whatever value-producing way you choose.”

  • Privacy-enhancing and voluntary -- user choice of providers
  • Secure and resilient
  • Interoperable
  • Cost-effective and easy to use

What problems are sought to be solved?

  • User names and passwords are broken
  • Identity-theft costs are rising – 11.7M victims, $17.3B cost over two years
  • Cybercrime is also on the rise
  • Goal: By Jan. 1, 2016 – an identity ecosystem that is interoperable.

Grant says government wants to lead a private sector effort but will not develop an infrastructure itself – rather will collaborate and use private solutions. He quotes President Obama as saying the idea is to not force anyone to give up the anonymity they enjoy on the web if they wish to be anonymous.

Grant: “Government will participate in this group … but it does not mean we will lead this effort.” Government wants to advocate for and protect individuals. A June 8 notice of inquiry is due July 22, focused on steering group structure, initiation, representation of stakeholders and international considerations.

They hope to get ideas, lessons and input from stakeholders. Submissions are part of the public record and there will be a public report with recommendations for addressing, at a minimum, questions raised on the four key issues.

Grant: A few words about privacy

  • Enhancement of privacy a guiding principle
  • Minimum information required to be shared is the idea
  • Preserve positive privacy benefits of offline transactions, mitigate bad aspects

A key objective: Develop improved privacy-protection mechanisms

The executive branch will work with private sector to make sure that identity providers:

  • Limit collection and retention of data, provide notice, minimize data aggregation and linkages across transactions, allow easy deletion by end-user, accuracy standards, allow transfers, accountability about how information is actually used, and provide effective redress mechanisms.

SPEAKER: Naomi Lefkovitz, White House

Lefkovitz is on the national security staff of the executive office of the president.

“I do want to spend a few minutes talking about why NSTIC puts such an emphasis on privacy.”

Obama has placed emphasis on cybersecurity. It is possible to have privacy and secure identities, she believes. The danger is that we could arrive at a system with unprecedented tracking without control by individuals. If not careful: “We will have set in motion this very thing.” Without being proactive and building privacy protections in at the early stages, the result could easily be an uncontrolled evolution of such unprecedented tracking.

  • What do privacy protections mean? What will be its impact on business? Privacy is a subjective term and concept.

NSTIC is not implemented in a vacuum. A recognition that we need a comprehensive and integrated approach toward privacy. What NSTIC is calling for is consistent with a larger movement around privacy.

“The administration through NSTIC feels it is possible to have both privacy and more secure online transactions. But it is not inevitable . . . the U.S. government is committed to working with all the stakeholders . . . to making this possible.”

Q&A session

A person from PayPal wants to know how much is known about the extent to which the national office will “certify” an identity provider as accredited for government purposes. ANSWER: Nothing specific.

Karen Sollins, MIT: Concern that for it to work, businesses have to understand how to make money in it. That is a huge tension in this space. Until we get a better idea of that it is very hard to talk about governance … why are people going to want to go into it. Why are Google and Facebook, who are already providing their own models … what is going to bring them into the fold?

Consumers do ease of use: What are you going to do proactively on site you don’t collect information on? Nothing prevents Google from taking and keeping information. Right now that information is not collected by the federal government. How do we make sure it is not collected by anyone else, either . . . How are you going to ensure the same level of non-collection?

Steve Carmody, Brown University, and part of InCommon, a private education federation. There are already trust fabrics and policies for sharing of attributes. NIST is focused on the consumer side. Has there been discussion about accommodating those two different environments?

A: NSTIC not sure if it will be a single framework or many different trust frameworks which are interconnected. That’s something the steering group will tackle.

Jeff, W3C: What is the strategy for harmonizing globally?

Jamie Clark, OASIS: What about hooks toward anonymity? Are we assuming the anonymity is woven through privacy as a special case? Sometimes private information needed is zero?

A: Middle ground – There might only need to be an assurance that you can buy something, but all they need to know is that you can pay.

Karen Sollins, MIT: Re internationalism, there are many countries with significantly different models of what privacy and identity mean, and who owns data.

A: Agrees that concepts are different around the world. May have to go in baby steps before getting to harmonization. Won’t solve overnight.

Sollins: “My instinct is if we start in our own little vacuum and say we will figure it out later – that won’t work.”

A: That’s why one of the four questions is specifically on international questions: We don’t have all the answers now. He says a number of nations who issued national identity cards have been in touch with Grant thinking the NSTIC model might be cooler and better.