[Wg-p3] For those attending Monday's ICAM workshop

Robin Wilton futureidentity at fastmail.fm
Fri Aug 7 10:02:07 PDT 2009


Brett asked me to have a crack at finding some 'framing'
questions which could help Monday's discussion result in the
information which would be most useful to us.

The 'framing' question I would suggest is this:

- is there sufficient clarity of purpose, yet, to lead to a
strategy and an implementation which meet long-term goals of
service delivery, security and privacy?

That question can then be broken down into three further layers:
policy/purpose, strategy, implementation. These three layers are
not chosen at random; they are based on the model we derived from
the Liberty Alliance Privacy Summit Program, and there is a fourth
layer - the Technology layer. Through the Privacy Summits, we
observed two things:

1 - that the Technology layer is often the starting point for
discussions about identity and privacy, and often the layer in
which the discussion gets bogged down;

2 - that discussions which start at the Technology layer in the
hope of reaching some goal at the Policy layer almost inevitably
fail on the way there, or get there but miss the intended goal.

We concluded that it is vital to be able to position the
Technology-related contributions appropriately, but to keep an
equally attentive mind on the way in which they must fit into the
broader picture of implementation, strategic and policy issues.

I would therefore be very cautious of any approach which says
"here are a handful of technology options; taking those as a
starting point, how close can we get to policy objective x?".
An approach based on explicit policy aims and strategic
direction, which considers the broad range of implementation
factors, is far more likely to result in an accurate and
properly-qualified technology selection, which in turn will play
its role in achieving the policy aims.

These are some of the kinds of question which might emerge,
concerning the other three layers:

  * it's clear that the new administration has a very different
    approach from its predecessor in this area. To what extent
    does that affect the assumptions and ground rules which
    formed the basis for previous policies, and how far have
    those basic assumptions been re-visited? For instance, the
    current discussion is based around the use of existing,
    commercial-sector credentials for access to public-sector
    services. Do/should the different liability cultures in those
    two sectors give rise to any changes in the 'ground rules'?
  * if the goal is to provide access to public services while
    protecting the personal data of service requesters/citizens,
    are anonymous and/or pseudonymous access also envisaged? Even
    pseudonymous or anonymous access is not necessarily
    privacy-neutral; for example, if supposedly anonymous
    transactions can be correlated, the end user may be
    identifiable whether or not they have had to provide an

  * A key part of the strategy is to map public sector service
    applications onto 'required levels of assurance' and then to
    map LoAs onto the technologies capable of implementing them.
    Has the classification of public sector applications been
    reviewed recently to see if it is still valid?
  * A single public sector application may have the potential to
    do 'slight' or 'moderate' harm to an individual in the event
    of a privacy breach, but the same application, if the user's
    actions can be correlated with access to other services, may
    have the potential to do much greater harm. Has the risk
    model been reviewed to assess the potential increase in harm
    which may arise out of more 'correlatable' access to
  * A policy objective of improved privacy outcomes for citizens
    generally translates into better means for citizens to
    exercise consent and control over the use of their personal
    information by third parties. To what extent does the
    strategy expect to achieve this by technical means, and to
    what extent by other means (such as contracts, charters,
    statements of rights/entitlements etc.)?

  * Have previous assumptions about viable/non-viable technology
    options been revisited in the light of the new policy
    approach? For example, if, say, PKI had previously been ruled
    out, does that assumption still stand? Do new technical
    factors, such as increased network bandwidth and/or mobile
    access, necessitate a review of the basic assumptions?
  * Does the inclusion of commercial identity providers introduce
    new requirements/costs, for example in the area of regulatory
    compliance? For instance, are there new costs to do with
    auditability, accountability and redress, which will now fall
    to commercial organisations who had not had to bear them

There are bound to be other questions, as well as other
categories of question, which come up on Monday, but this 4-layer
framework for multi-stakeholder discussions has served us very
well up to now, and I hope you will find it helpful for the


Robin Wilton

Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance

+44 (0)705 005 2931
Structured consulting on digital identity, privacy and public policy
Future Identity is a limited company number 6777002, registered in England & Wales
