[WG-P3] Disruptive NSTIC Critique

Mark Lizar mark at smartspecies.com
Sun Feb 12 06:13:53 EST 2012


Hi Malcolm,


On 10 Feb 2012, at 15:32, Malcolm Crompton wrote:

> Mark – apologies for my long absence from this debate, too.
>
> I agree that this perspective must be introduced into Kantara  
> thinking.
>
> However, I don’t think that Convention 108 will be the right  
> starting point.  In effect, the only folk pressing for its wider  
> adoption are the Council of Europe itself and some advocacy groups.   
> The 1980 OECD guidelines are a much less controversial starting point.

I agree, there is clear sense in the advocacy of the OECD Privacy
Guidelines, they are based on FIPs, they provide the foundation for
EU laws, and they provide a low friction starting point to start
discussing the harmonising of privacy guidelines internationally.
(Anyone know why this hasn't happened already?).

>
> That said, the introduction of people from the advocacy / community  
> sector into the Kantara processes is the key rather than reference  
> to particular documentation.

Hmm.. Interesting thought! It would be interesting to know more of  
what you are thinking on this topic.   With NSTIC providing pilots it  
is an excellent opportunity to think about how a community IdP could  
be composed from a standards and privacy perspective.  A common sense  
approach would indicate that NSTIC requires an IdP that is legal and
privacy assessed.

>
> Our company has just completed a first report for a Department of  
> the Australian Government on starting a process to consider  
> developing the frameworks for a National Trusted Identities  
> Framework in Australia.  I am currently in London & have had some  
> informal discussion with folk involved in the UK Cabinet Office  
> initiative & will be in Washington DC in the week beginning 6 March  
> when I hope to meet with folk involved in the NSTIC.  Government  
> leadership seems to be an essential ingredient, but precisely what  
> it should be is very varied!

Sounds exciting.  From the latest NSTIC documentation the project is
to start with an International Co-Ordination Work Group, an Access and
Usability WG and a Security WG.  I would be interested to hear who
will lead these three WGs.

It seems that the underlying theme of economic development should be
the focus of any community driven IdP and perhaps a pilot proposition  
should be framed with the Department of Commerce in mind as an audience.

>
> If anybody from P3WG Kantara is in DC at that time, I would be  
> pleased to catch up with them.
>
> Regards
>
> Malcolm Crompton
>
> Managing Director
> Information Integrity Solutions Pty Ltd
> ABN 78 107 611 898
>
> T:  +61 407 014 450
>
> MCrompton at iispartners.com
> www.iispartners.com
>
>
>
> From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Mark Lizar
> Sent: 09 February 2012 07:27
> To: Kantara P3WG
> Subject: Re: [WG-P3] Disruptive NSTIC Critique
>
> I agree,
>
> The loss of anonymity at the hands of commercial interests is a
> grave concern and is already happening on a large scale with  
> Facebook connect and the like.
>
> This leads me to think that a community identity provider is sorely  
> needed, in which controls, not completely driven by profit, are  
> driven in part by the people with values that reflect the privacy  
> and trust needs of community and the individual.  But it seems that  
> without the profit of a commercial IdP this is hard if not  
> impossible to achieve on scale.   This leads me to believe that it  
> would take an effort like NSTIC to put something of this nature in  
> place. Although NSTIC, as you point out, would not be enough on its  
> own, and legally, the US will need the legal conventions to support  
> a community IdP effort domestically and internationally in driving  
> controls that protect privacy, provide security and create a true  
> platform for trust.  At this time a task that seems daunting  
> considering the fractured nature of privacy politics in the US.   
> Perhaps something along the lines of the "Convention 108," the  
> International Privacy Convention? (Which EPIC is again calling for
> the US to ratify).
>
> - M
>
> On 8 Feb 2012, at 01:54, Anna Slomovic/Equifax wrote:
>
>
> Mark,
>
> Thank you for sending out this link. The loss of anonymity is,  
> indeed, a great worry. The fact that NSTIC is voluntary at the  
> outset doesn't mean that it will remain so in any practical way.  
> There is nothing in the law that requires that the anonymous option  
> remain available, so at least in the US, it is very easy to envision  
> a situation when an ID is required because a business says it is-- 
> and businesses will because they will benefit. Airlines embraced ID  
> requirements as "security requirements" long before 9/11/2001  
> because this prevented resale of cheap tickets or tickets obtained  
> with frequent flier miles. Some concert and theater venues now  
> require ID for the same reason. Having an ID and, therefore,  
> information about someone's history and behavior is a marketer's  
> dream.
>
> I don't think this is paranoia, either.
>
> Anna
>
> Anna Slomovic
> Chief Privacy Officer
> Equifax
> 1010 N. Glebe Road, Suite 500
> Arlington, VA 22205
> O: 703.888.4620
> C: 703.254.9656
>
> From: wg-p3-bounces at kantarainitiative.org [mailto:wg-p3-bounces at kantarainitiative.org] On Behalf Of Mark Lizar
> Sent: Tuesday, February 07, 2012 8:30 PM
> To: Kantara P3WG
> Subject: [WG-P3] Disruptive NSTIC Critique
>
> Hi All,
>
> Some good points in this critique of the NSTIC effort that is worth
> bringing to the attention of P3 members.
>
> Has anyone seen this article?   Google-NSTIC-Leading-the-March-to-Digital-Totalitarianism.
> I think it is worth sharing as it is very critical of the NSTIC,
> elaborating some different privacy and trust risk viewpoints, which
> we have yet to discuss in P3.
>
> Some points brought up in this article may be useful to discuss more
> broadly.   This article, along with other issues relating to  
> developing an identity ecosystem, has led me to think that a  
> community based identity provider is a missing element in developing  
> a trustworthy ecosystem.   (Something in between a government and a  
> corporate identity provider)
>
> Has anyone else had thoughts along these lines?
>
> - Mark
>
>
>
>
>
> This message contains information from Equifax Inc. which may be  
> confidential and privileged. If you are not an intended recipient,  
> please refrain from any disclosure, copying, distribution or use of  
> this information and note that such actions are prohibited. If you  
> have received this transmission in error, please notify by e-mail postmaster at equifax.com.
> _______________________________________________
> WG-P3 mailing list
> WG-P3 at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-p3
