National Strategy for Trusted Identities in Cyberspace
June 27-28, 2011 / MIT Media Lab / Boston, Mass.
By Bill Densmore
Hash tags: #nstic.mit #nstic
BREAKOUT SESSION: 1:30 p.m.
Led by Kellie Cosgrove Riley (Federal Trade Commission division of privacy and identification).
BREAKOUT GROUP ONE
(missed the first few minutes of this)
Some debate about whether the best practice is out-of-band consent (not real time) or in-band consent (real time).
Who actually owns and controls the data – the individual or are the consumers of the data presenting an agreement which allows them to do everything that is not prohibited?
Early adopters: Individuals at a corporation or consumers?
Where there are multiple identities for an individual, there need to be firewalls between them so they can’t be correlated. Also possibly a rule that the identity provider doesn’t know where a credential is used, so that it cannot be correlated.
He mentored Southeast Michigan Health Information Exchange
Oracle said state and local units of government have strong financial incentive to adopt FICAM due to budgetary processes.
What is a required element of the frameworks? A trust framework was advocated for. Included in that would be auditing. There was a discussion about robust work being done by CPAs. SASA audits still have subjectivity. Consumer feedback or complaints are important.
Extensive discussion about technical solutions: in a portal technology environment, controls can be set in place so that individuals who misuse the system can be automatically cut off. The portal is one extreme, the trust framework the other – the neighborhood watch where you have audit control. In portal technology you have a monopoly, total control over the data.
What if entities are too big to fail or too big to be booted from the system? What if an entity that is too big to fail does get booted? Need for a dispute resolution system. Several people suggested the Visa Payment Network. Visa is a payment resolution system that happens to move money, he says.
Is self-regulation in a trust framework sufficient? Some people advocated for the need for disinterested oversight on top of the need for self-regulation. He noted to the group that the US Postal Service and inspector unit have been part of NSTIC and have the ambition to provide some of that enforcement.
A whole discussion about whether bad actors can be tackled by the private sector alone, or whether there is a need for government enforcement. Inside or outside of NSTIC?
Maybe we need to separate out security (outside actors breaking in) from privacy (actors in the system violating the rules, but with no criminal intent).
BREAKOUT GROUP TWO
Wanted to avoid a system where there was one top-down entity blessing everything.
- Attributes for doing ID
- Attributes for doing underlying application
- Attributes for user preferences
Can we trust the relying party to only ask for what they need?
Liability – how do we evaluate the chain of trust?
Understanding the nature of enforcement.
Should a relying party have true freedom in deciding which identity provider to accept within a given trust framework?
BREAKOUT GROUP THREE
The question of scope dominated the discussion: who is governed, what use cases are covered – a vast domain. Does NSTIC cover all privacy issues or just those related to identity? How can we limit attribute collection to just that required for authentication?
Establishing what the identity attributes are is a core task.
A lot of entities have a policy that they will do whatever they want with user data.
Many identities want an email address as part of giving access. They should ask for it and explain why they want it.
- Market driven
- U.S. government-organized steering committee
- Adjudicatory model