[Wg-p3] For those attending Monday's ICAM workshop
futureidentity at fastmail.fm
Fri Aug 7 10:02:07 PDT 2009
Brett asked me to have a crack at finding some 'framing'
questions which could help Monday's discussion result in the
information which would be most useful to us.
The 'framing' question I would suggest is this:
- is there sufficient clarity of purpose, yet, to lead to a
strategy and an implementation which meet long-term goals of
service delivery, security and privacy?
That question can then be broken down into three further layers:
policy/purpose, strategy, implementation. These three layers are
not chosen at random; they are based on the model we derived from
the Liberty Alliance Privacy Summit Program, and there is a fourth
layer - the Technology layer. Through the Privacy Summits, we
observed two things:
1 - that the Technology layer is often the starting point for
discussions about identity and privacy, and often the layer in
which the discussion gets bogged down;
2 - that discussions which start at the Technology layer in the
hope of reaching some goal at the Policy layer almost inevitably
fail on the way there, or get there but miss the intended goal.
We concluded that it is vital to be able to position the
Technology-related contributions appropriately, but to keep an
equally attentive mind on the way in which they must fit into the
broader picture of implementation, strategic and policy issues.
I would therefore be very cautious of any approach which says
"here are a handful of technology options; taking those as a
starting point, how close can we get to policy objective x ?".
An approach based on explicit policy aims and strategic
direction, which considers the broad range of implementation
factors, is far more likely to result in an accurate and
properly-qualified technology selection, which in turn will play
its role in achieving the policy aims.
These are some of the kinds of question which might emerge,
concerning the other three layers:
* it's clear that the new administration has a very different
approach from its predecessor in this area. To what extent
does that affect the assumptions and ground rules which
formed the basis for previous policies, and how far have
those basic assumptions been re-visited? For instance, the
current discussion is based around the use of existing,
commercial-sector credentials for access to public-sector
services. Do/should the different liability cultures in those
two sectors give rise to any changes in the 'ground rules'?
* if the goal is to provide access to public services while
protecting the personal data of service requesters/citizens,
are anonymous and/or pseudonymous access also envisaged? Even
pseudonymous or anonymous access is not necessarily
privacy-neutral; for example, if supposedly anonymous
transactions can be correlated, the end user may be
identifiable whether or not they have had to provide an
* A key part of the strategy is to map public sector service
applications onto 'required levels of assurance' and then to
map LoAs onto the technologies capable of implementing them.
Has the classification of public sector applications been
reviewed recently to see if it is still valid?
* A single public sector application may have the potential to
do 'slight' or 'moderate' harm to an individual in the event
of a privacy breach, but the same application, if the user's
actions can be correlated with access to other services, may
have the potential to do much greater harm. Has the risk
model been reviewed to assess the potential increase in harm
which may arise out of more 'correlatable' access to
* A policy objective of improved privacy outcomes for citizens
generally translates into better means for citizens to
exercise consent and control over the use of their personal
information by third parties. To what extent does the
strategy expect to achieve this by technical means, and to
what extent by other means (such as contracts, charters,
statements of rights/entitlements etc.)?
* Have previous assumptions about viable/non-viable technology
options been revisited in the light of the new policy
approach? For example, if, say, PKI had previously been ruled
out, does that assumption still stand? Do new technical
factors, such as increased network bandwidth and/or mobile
access, necessitate a review of the basic assumptions?
* Does the inclusion of commercial identity providers introduce
new requirements/costs, for example in the area of regulatory
compliance? For instance, are there new costs to do with
auditability, accountability and redress, which will now fall
to commercial organisations who had not had to bear them
There are bound to be other questions, as well as other
categories of question, which come up on Monday, but this 4-layer
framework for multi-stakeholder discussions has served us very
well up to now, and I hope you will find it helpful for the
Director, Future Identity
Director of Privacy and Public Policy, Liberty Alliance
+44 (0)705 005 2931
Structured consulting on digital identity, privacy and public policy
Future Identity is a limited company number 6777002, registered in England & Wales