[Wg-p3] Prep For Privacy Workshop in Washington DC - August 10

Susan Landau Susan.Landau at sun.com
Tue Aug 4 07:04:29 PDT 2009

On 08/04/09 09:47, J. Trent Adams wrote:
> Susan -
>> I believe OpenID is getting center stage because it is greatly beloved
>> by the blogging community, some of whom have now moved into positions
>> in the White House.  I know this sounds trite, but what you have is a
>> transition from a non online WH to an active online community.  But
>> most of the lawyers who have moved into cyber-related positions in the
>> WH do not come from industry, but from policy areas, and don't fully
>> get the technical issues, including the security and privacy aspects
>> raised.
> If true, this is a troubling situation for our policy-makers.  I applaud
> their movement as being in a generally positive direction, however I'm
> concerned about the presumption of details.  Specifically, I'm troubled
> by a full sprint toward something that could begin to bake technologies
> into the solution space which have unintended consequences.
Usual problem in DC (probably other governments also, but I can only say 
this for sure about DC).  I discovered ten days ago that the White House 
had been talking about using OpenID for electronic health care until 
someone put them straight about the security issues. I am not saying 
these people are fools --- they are not --- but sometimes they don't 
know what questions to ask.  I think that is the issue here. The 
technical people at NIST, who do the levels of assurance, know the 
technical issues, but they are not policy people and they steer clear of 
policy questions --- sometimes not advising the White House or Congress 
when they should.
> Beyond this event, do you know if there are other avenues for public
> input on the plan?  If not, what about direct lines of communication we
> could use to share our opinions?
I don't fully know. I'd use this meeting to develop contacts; I am not 
sure who at the White House is running things.  OMB is certainly 
involved somewhere.  Buttonhole the policy folks at the meeting and ask 
them what problem they are solving.  Listen carefully and ask probing 
questions; don't assume they know the technical aspects.  (Apologies if 
I am saying something obvious). Be careful and precise in claims.  Offer 
to come down and explain.  You win most points if you stay to the 
technical and avoid pushing particular solutions --- even when it is 
understood you have a particular position you're in favor of.

There's also stuff to point to in writing.  Eve Maler and Drummond Reed 
wrote a nice piece comparing OpenID, SAML, and CardSpace a year ago in 
IEEE Security and Privacy; bring that along and share it, and point to 
it for people.  (There's also a useful egovernment use case paper in the 
same issue --- March/April 2008 --- that features a SAML implementation 
in New Zealand (disclaimer: I was co-editor for the special issue).)  
Handing stuff in writing is good; the policy wonks will look it over 
some and it will help coalesce their thoughts.

I imagine there will be press at the meeting.  Getting the person from 
Federal Computer Week to understand the issues is useful.  If there is a 
place for submitting written comments, that is also useful, as the 
written record must be paid attention to.

Sorry if I am stating the obvious. 


More information about the Wg-p3 mailing list