[WG-P3] Liaisons with KI WG's
Susan Landau
susan.landau at privacyink.org
Fri Oct 8 13:33:50 EDT 2010
Thanks Joni for the clarity. Yes, I agree with you that this
distinction between cultural and work is exactly the right one (my
feeling is that if P3 is to provide value to KI, it needs to be a work
group).
Susan
On 10/8/10 1:19 PM, Joni Brennan wrote:
>
>
> Thank you for your always insightful input. The root of your comments
> I think can be summed up in this question. Should Privacy Framework
> and tangible deliverables be broken into its own WG leaving the P3WG
> as more of a Discussion Group or should P3 carry Privacy Framework
> with the many interesting questions you raise being addressed in
> another Discussion Group.
>
> I think we have 2 tracks of approach Discussion or Work. Some members
> may prefer Discussion and others Work. It's up to P3 to decide which
> they prefer to do - be a Discussion Group or a Work Group. Do others
> see this as a key 'cultural' decision for P3 to think about?
>
> Thanks
>
> On Fri, Oct 8, 2010 at 10:07 AM, Bob Pinheiro <kantara at bobpinheiro.com> wrote:
>
> As Chair of the Kantara Consumer Identity WG, I'd just like to
> state some privacy and public policy issues of interest to CIWG,
> and get some reaction from P3WG members as to whether there is
> expertise and interest in P3WG to address these. The kinds of
> issues raised below go far beyond "building privacy into trust
> frameworks", so it would be understandable if it turns out that
> P3WG is not the appropriate forum to address these.
>
> CIWG advocates the voluntary use of high assurance identity
> credentials by consumers when establishing high value
> relationships or accounts with service providers. The purpose is
> to help reduce the incidence of identity fraud by enabling service
> providers to have a way to know, with high assurance, the
> identities of those individuals with whom it establishes those
> relationships. There is a flip side to this: consumers who go
> through the trouble of obtaining high assurance identity
> credentials should also have a "high assurance" that service
> providers will not establish a high value relationship or account
> with a fraudster who uses the consumer's "stolen identity" to
> establish that relationship.
>
> We define a high value relationship or service as one in which
> "substantial" harm can befall a consumer if an imposter is able to
> establish this relationship using the consumer's stolen
> "identity"; in other words, if the fraudster presents the
> consumer's personally identifiable information or other bogus
> credentials to the service provider, and the service provider
> accepts this information or credential as "proof" of the
> fraudster's identity. High value services would include
> financial services such as online banking, credit card and other
> payment accounts, and moving money out of online financial
> accounts. Emerging services such as electronic health records and
> personal data services would also be included.
>
> In addition to the various usability, technical, and economic
> issues that need to be addressed in order for this goal to be
> realized, there are also a number of public policy and privacy
> issues that come to mind:
>
> * What role, if any, should governments have in establishing
> incentives or regulations that would encourage the
> deployment and use of identity services that could be used
> by consumers as well as high value service providers to
> prevent or reduce identity fraud?
>
> * Should there be any standardization or guidelines to define
> the kinds of harms that consumers can suffer in order to
> designate an online service as "high value", if incentives
> or regulations are promulgated for the use of high assurance
> identity credentials with high value services?
>
> * What kind of incentives should be established in order to
> encourage high value service providers to participate in an
> identity infrastructure that would help reduce identity
> fraud? [Simply suggesting that such participation would
> reduce the service provider's fraud losses does not seem to
> be sufficient]
>
> * What kinds of incentives should be established in order to
> encourage consumers to voluntarily obtain high value
> identity credentials?
>
> * If it is assumed that participation by service providers and
> consumers in such an identity infrastructure is completely
> voluntary, can a participating consumer still be protected
> from the harm of identity theft if a fraudster uses the
> consumer's "identity" at a non-participating service
> provider? Should there be any liability on the part of the
> service provider if identity theft occurs due to the service
> provider's non-participation?
>
> * Once a relationship or account is established, would it be
> necessary for the service provider to require high assurance
> identity credentials (and corresponding identity assertions
> from identity providers) for ongoing access to the protected
> resource or service? Would it not be sufficient to simply
> bind a strong authentication token (such as a PKI private
> key or one-time password) to the account/resource, and
> require that ongoing access require that the person seeking
> access demonstrate possession and control of the token?
>
> * Assuming that the use of high assurance identity credentials
> by consumers becomes widespread in conjunction with high
> value services, how can their use be discouraged in low
> value services? [The assumption is that it would be
> undesirable to create an identity infrastructure whereby
> knowledge of a person's identity would be required for
> almost all internet interactions].
>
>
> Again, my purpose is not to seek answers to these issues right
> now, but only to put these questions out on the table and ask
> whether these are the kinds of issues that P3WG has the expertise
> and interest in addressing. Of course, P3WG can have much
> value if it can help to "build privacy" into identity frameworks
> and other Kantara products. But since the topic of liaising with
> other WGs has come up for discussion, I wanted to put this forward
> as an example of public policy and privacy issues that are of
> interest to CIWG.
>
> Thanks
>
> Bob
>
> ---------------------------
> Bob Pinheiro
> Chair, Consumer Identity WG
> 908-654-1939
> kantara at bobpinheiro.com
> www.bobpinheiro.com
>
>
>
> On 10/8/2010 9:48 AM, Anna Slomovic wrote:
>> Mark,
>>
>> As I read your note, I realized that it is not clear to me what P3WG is about. Is it a group that builds privacy into all Kantara efforts, trust framework, etc., or is it basically a marketing group directed toward the privacy community? I am one of the "boots on the ground" privacy people, although I have a PhD in Public Policy and have done policy work for governments and private sector organizations in the US and Europe. I want to make sure that if someone builds a system that is certified by Kantara, this system will include privacy protections. My biggest concern with annual briefings and analyses done in isolation from other groups is that P3WG will either have no impact on what is being created and made available to companies that will be asking for Kantara certification or that the annual review will raise issues at a much later stage in the development cycle than would be useful.
>>
>> I think P3 needs to have greater involvement with the development of the Kantara identity assurance framework, both to influence that work and to align Kantara's public policy positions with what is actually being built. I thought the Privacy Framework was a good start, but it cannot stand alone. It needs to become part of the identity assurance framework and part of the certification requirements for a Kantara certification.
>>
>> Anna
>>
>>
>> Anna Slomovic
>> Chief Privacy Officer
>> Anakam, an Equifax company
>> 1010 N. Glebe Rd.
>> Suite 500
>> Arlington, VA 22201
>>
>> P: 703.888.4620
>> F: 703.243.7576
>>
>> -----Original Message-----
>> From: wg-p3-bounces at kantarainitiative.org On Behalf Of Mark Lizar
>> Sent: Friday, October 08, 2010 8:33 AM
>> To: Kantara P3WG
>> Cc: Anna Ticktin
>> Subject: [WG-P3] Liaisons with KI WG's
>>
>>
>> As liaising with other WG is a charter item of the P3 this issue has
>> been brought up numerous times. From what I have gathered the P3 WG
>> has a focus that is less about analysing the privacy impact of various
>> WG's, but more in understanding, advertising, and developing privacy
>> and public policy around existing KI efforts.
>>
>> In the last meeting we discussed various approaches to liaising with
>> other WG's these included:
>>
>> - Having WG present to the P3
>> - Having P3 members regularly attend other WG's
>> - Auditing other WG's privacy impact
>>
>> It was mentioned in the previous WG call that we need a more formal
>> process and approach to liaising with other WG's. It was also
>> mentioned that we are invited to presentations which currently are
>> arranged with the LC and that Trent would present a consolidated
>> approach to the LC for P3 if we were to present one.
>>
>> One approach may be to provide/develop a yearly KI WG privacy and
>> public policy impact survey that we could consolidate and cross
>> reference. As a multi-stakeholder approach to Public Policy is a
>> cornerstone work item that has been delivered to the P3 in the form of
>> the Rosetta Stone document by Robin Wilton, that we evolve this work,
>> and strive for a multi-stakeholder approach in KI privacy and public
>> policy.
>>
>> I propose that we add to this list the option of asking (through the
>> Leadership council) working groups to provide the P3 with privacy
>> impact of their technologies and with the support of Kantara staff we
>> as P3 discuss the impact of these in Kantara and in the P3 work
>> group. Putting us in a position where some analysis can be
>> conducted of how various KI efforts work together for the purposes of
>> Privacy and Public Policy.
>>
>> Perhaps we could combine the three suggestions above, by asking WG to
>> deliver a finished Survey, have P3 members regularly attend other
>> WG's, and on occasion ask other WG's to present their efforts and
>> discuss the impact WG's are having on Privacy and Public Policy in
>> Identity Management?
>>
>> I suggest that we discuss this further at the Paris F2F and further
>> evolve our approach. Perhaps with a discussion of a budget allocation
>> of $2000, to deliver a survey and produce a report. (depending on the
>> scope of the effort). An additional idea would be to ask for a small
>> budget or KI staff time to help lead a Kantara-wide discussion of
>> Public Privacy Policy, with an aim to produce Public
>> Policy (through a multi-stakeholder approach) that Kantara as a whole
>> can support. This could be supplemented by regular announcements to
>> our list (by Kantara Staff) when WG's are presenting their work to the
>> LC.
>>
>> Best Regards,
>>
>> Mark Lizar
>>
>>
>>
>> _______________________________________________
>> WG-P3 mailing list
>> WG-P3 at kantarainitiative.org <mailto:WG-P3 at kantarainitiative.org>
>> http://kantarainitiative.org/mailman/listinfo/wg-p3
>>
>
> --
> Joni Brennan
> IEEE-ISTO
> Kantara Initiative | Managing Director
> voice:+1 732-226-4223
> email: joni @ ieee-isto.org <http://ieee-isto.org>
> gtalk: jonibrennan
> skype: upon request
>
> Join the conversation on the community@ list -
> http://kantarainitiative.org/mailman/listinfo/community