[Wg-p3] Prep For Privacy Workshop in Washington DC - August 10
Susan.Landau at sun.com
Tue Aug 4 07:04:29 PDT 2009
On 08/04/09 09:47, J. Trent Adams wrote:
> Susan -
>
>> I believe OpenID is getting center stage because it is greatly beloved
>> by the blogging community, some of whom have now moved into positions
>> in the White House. I know this sounds trite, but what you have is a
>> transition from a non online WH to an active online community. But
>> most of the lawyers who have moved into cyber-related positions in the
>> WH do not come from industry, but from policy areas, and don't fully
>> get the technical issues, including the security and privacy aspects
>
> If true, this is a troubling situation for our policy-makers. I applaud
> their movement as being in a generally positive direction, however I'm
> concerned about the presumption of details. Specifically, I'm troubled
> by a full sprint toward something that could begin to bake technologies
> into the solution space which have unintended consequences.

Usual problem in DC (probably other governments also, but I can only say
this for sure about DC). I discovered ten days ago that the White House
had been talking about using OpenID for electronic health care until
someone put them straight about the security issues. I am not saying
these people are fools --- they are not --- but sometimes they don't
know what questions to ask. I think that is the issue here. The
technical people at NIST, who do the levels of assurance, know the
technical issues, but they are not policy people and they steer clear of
policy questions --- sometimes not advising the White House or Congress
when they should.

> Beyond this event, do you know if there are other avenues for public
> input on the plan? If not, what about direct lines of communication we
> could use to share our opinions?

I don't fully know. I'd use this meeting to develop contacts; I am not
sure who at the White House is running things. OMB is certainly
involved somewhere. Buttonhole the policy folks at the meeting and ask
them what problem they are solving. Listen carefully and ask probing
questions; don't assume they know the technical aspects. (Apologies if
I am saying something obvious). Be careful and precise in claims. Offer
to come down and explain. You win most points if you stay to the
technical and avoid pushing particular solutions --- even when it is
understood you have a particular position you're in favor of.

There's also stuff to point to in writing. Eve Maler and Drummond Reed
wrote a nice piece comparing OpenID, SAML, and CardSpace a year ago in
IEEE Security and Privacy; bring that along and share it, and point to
it for people. (There's also a useful egovernment use case paper in the
same issue --- March/April 2008 --- that features a SAML implementation
in New Zealand (disclaimer: I was co-editor for the special issue).)
Handing stuff in writing is good; the policy wonks will look it over
some and it will help coalesce their thoughts.

I imagine there will be press at the meeting. Getting the person from
Federal Computer Week to understand the issues is useful. If there is a
place for submitting written comments, that is also useful, as the
written record must be paid attention to.

Sorry if I am stating the obvious.