[Wg-p3] Preparation for USG Privacy Workshop (Aug 10th)

j stollman stollman.j at gmail.com
Tue Aug 11 08:24:56 PDT 2009


There was a critical item that drove the meeting that was never spoken.
Vivek Kundra, the new Federal CIO is adamant about the use of OpenID.  He
brought it into consideration and he has forced it down the throats of the
ICAM group.  As peons, they are marching to his drum.

On the spoken side, Susan's line of questions established the tone for the

Following the conference I sent a note to Mary Ruddy, a private sector
identity advocate who is helping lead ICAM's integration with industry.  In
my note, I summarized my concerns about the meeting.  My comments to her

   1. I view the privacy issues of government access by the citizenry as a
   systems problem.  While I understand and agree with the need to "start
   somewhere" and to start with the easy victories first, I don't think that
   pilots should begin until all of the system-wide issues have been fully
   considered.  I believe that the issues of usability have not been thoroughly
   2. One of the biggest concerns I have with usability is the need for the
   government to act *in loco parentis* to help ensure that users of the
   system don't expose themselves to privacy issues through their own actions.
   While a site like Facebook may take a Buyer Beware attitude, the government
   needs to go a step further to prevent harm to its subjects as a result of
   users' ignorance of the privacy and security exposure that they will face.
   3. The Government has many well thought-out regulations regarding
   security and privacy, but these apply to the government; they do not provide
   guidance to the external users of Government systems.  Looking at security
   and privacy from the user perspective, the Government will not only need to
   be able to provide instructions to users on how to use Government sites
   (many of which may be obvious), but it will also need to provide policy
   guidance to users.  For example, it would be my recommendation that users be
   told to create an anonymous ID for accessing government web sites at Level 1
   and not use this ID for other purposes.  As per the profile, correlation of
   government sites will then be limited to information held only by the
   Identity Provider and because the ID will not be used with other
   non-Government sites, there will be no opportunity to correlate usage with
   4. After consideration of usability, it may turn out to be a small
   issue.  It may be determined that we can live with the problem of having to
   retrain users.
   5. This consideration should consist of at least two concerns:  (1) user
   training and retraining and (2) scope creep.
   6. The user training and retraining concern is whether it will be
   difficult for non-computer-savvy users to understand and implement the
   end-user policy guidance for Level 1 and then learn and apply new guidance
   for other levels.  This could be tested using live people.  Such testing may
   already have been done by some of the large commercial sites (Google,
   Facebook, Yahoo, AOL, AARP, etc.) and may be available, without having to
   run new studies.
   7. The scope creep concern is that agencies will begin adding
   capabilities to their LoA 1 sites which start their migration to higher
   levels of assurance.  I believe it was Naomi Lefkovitz from the Federal
   Trade Commission who suggested that this is already a widespread practice
   in Federal agencies.  This practice can be measured and needs to be measured
   before LoA 1 can be isolated from the systems problem.
   8. If either of these concerns turns out to be valid, then I would
   recommend adding another vetting constraint to your technology screen
   mechanism:  technologies must be readily extensible to higher levels of
   assurance.  Should this be the case, OpenID would not make the cut.
   9. Another problem I had with the session in general yesterday is that I
   had the sense that the Level 1 acceptance of OpenID, SAML, and Information
   Cards was a *fait accompli*.  In the session itself, there did not seem
   to be any resistance to OpenID and SAML.  But there was a lot of concern
   about OpenID.
   10. I also recognize that OpenID is being pushed from the very top.  But
   the reason it is being pushed is based on a fallacious argument:  that the
   Government should use OpenID because it is already ubiquitous. But OpenID
   2.0 is not ubiquitous.  In fact, the director of the OpenID Foundation
   admits to not having a clue how many OpenID 2.0 users there are.  What is
   ubiquitous is OpenID 1.0 which everyone agrees does not meet the
   Government's standards.  I have no axes to grind against OpenID or Don
   Thibeau (whose integrity and honesty I highly respect).  But in my gut, I do
   not believe that OpenID warrants consideration until the issues noted in 6
   and 7 above have been fully considered.


On Tue, Aug 11, 2009 at 9:43 AM, J. Trent Adams <jtrentadams at gmail.com> wrote:

> Susan -
> Excellent summary.  And great questions yesterday.
> All -
> To provide additional flavor to Susan's comments about usability, it was
> brought up many times throughout the day.  I would classify some of the
> issues as what could be called a contract with the users (i.e. setting
> their expectations and how to meet them).  While Judy and Chris tried to
> reinforce the focus on LOA 1, many saw a disconnect between the
> usability requirements of this pilot and what might come next with a
> higher ROI.
> Of note on this point, Judy made an interesting comment toward the end
> that I'm not sure is accurate (AFAIK).  She said that Don Thibeau had
> mentioned to her that while OpenID can't move beyond LOA 1 today, there
> are people in the OpenID community working on ways to address this soon.
> Also, Don was asked how much usability testing has taken place on
> OpenID.  While he did say that he assumes Google and Yahoo have done
> extensive testing on their own, he decided not to mention the report
> that came out earlier this year illustrating how OpenID integration
> decreases conversion rates.  His response was primarily that the pilot
> should be rolled out and be adjusted according to reactions.
> Significant questions were also raised about privacy relating to
> unintended self-exposure and masquerading.  Both issues were noted by
> Chris Louden as he said they were issues that hadn't been previously
> explored.
> In the end, none of the topics raised appeared to indicate the GSA/ICAM
> would slow down the pilot program to address them.
> It was also very interesting that in response to questions, Brett
> mentioned that Kantara has three groups working on or planning to work
> on the following issues that were brought up:
>  1. Usability
>  2. Certification
>  3. Privacy Assurance
>  4. Legal & Litigation
> It was clear to me that Kantara was the only represented group in the
> room positioned to deal across the board with the issues at the center
> of the discussion.  It might make sense to reach out to the attendees
> and invite them to participate in these activities.
> Finally, it might not be known to the group, but Kantara submitted its
> Trust Framework Process proposal to the GSA/ICAM on Friday.  So far,
> it's the only application they have received.
> - Trent
> Susan Landau wrote:
> > On 08/11/09 07:48, Georgia Marsh wrote:
> >> How was the meeting?
> >>
> > Divisive.  Here's my trip report.  Thanks for the info on US
> > government SAML uses; that came up indirectly during the meeting but
> > things were sufficiently heated that I dropped that in favor of asking
> > some other, somewhat pointed, questions.  But thanks much for your
> > help.  It was good to have that information in my back pocket if needed.
> >
> > Best,
> >
> > Susan
> >
> > Judy Spencer, who is the co-chair of the Identity Management and
> > Access Management SC (special committee? signon committee?), ran the
> > meeting.  She sought to focus only on Level of Assurance 1, a decision
> > that was objected to by many in the audience.
> >
> > Most of the attendees appeared to be members of the federal government
> > and contractors.  There were very few privacy advocates in the room:
> > one from EPIC, a junior person from CDT, no one from EFF.  I suspect
> > this was due to too short notice (and in EFF's case, too expensive a
> > plane flight from west coast).
> >
> > The morning was taken up with presentations by the various folks.
> > First Chris Louden of Protiviti, a federal contractor working on this
> > initiative gave an overview, and made the point that for efficiency's
> > sake, the government wanted to leverage work in the private sector.
> > There had already been SAML profiles.  But OpenID had lots of traction
> > and so the government was going to leverage that for Level of
> > Assurance 1, where the government wanted to be able to identify the
> > same user each time the same user turned up but without any need to
> > tie identity to a particular person (so as to enable returning
> > customized webpages, send updates to the user if an email had been
> > supplied, etc.). Chris went through the privacy requirements for level
> > 1, which included unlinkability of the user between different sites
> > (something satisfied by OpenID 2.0 but not OpenID 1.0).
> >
> > This was followed by a panel: Bob Morgan on InCommon, Don Thibeau and
> > Drummond Reed doing a tag team on OpenID and InfoCard Foundations and
> > Brett on Kantara.  The meeting was originally supposed to be on
> > OpenID, InfoCard, and privacy issues but had broadened.  Don and
> > Drummond spoke about OpenID 2.0 fulfilling the pseudonymity needs
> > prescribed by the federal profiles and that OpenID had billions of
> > users. They did not mention that it was OpenID 1.0 that had the large
> > installed user base.
> > At this point, I asked some questions.  I asked about the number of
> > OpenID 2.0 users; this was not answered.  I asked about liability and
> > didn't get an answer. Nonetheless it was useful to plant these issues
> > for later discussion.
> >
> > The afternoon session was devoted to privacy and identity and that was
> > the time for Q&A. Here I asked about extensibility, pointing out that
> > in security you architect for the whole solution, then cut back as
> > needed (and not the other way around) and that we will need
> > identifiers for health care with much higher levels of assurance.
> > Chris Louden of Protiviti said that they understand the issue and
> > they've got that covered.  At this point, various of the audience
> > picked up the issue of extensibility strongly.
> >
> > Someone from MITRE spoke about the progress with level of assurance 3
> > and 4 and how this was a step backwards.
> >
> > Don Schmidt of Microsoft said, "billions of burgers sold has nothing
> > to do with reality."
> >
> > Jeff Stollman said that usability needs say that other levels
> > influence level 1.0.  "You can't talk about level 1.0 separately from
> > higher levels when you talk about usability"; you are making a huge
> > mistake by using OpenID for level 1.0 when you can't do OpenID for
> > higher levels. The audience resonated with this.
> >
> > Tony Nadlin (sp?) said "Why are you going the industry route?
> > Liability issues have not been addressed?  What is your emergency
> > response initiative?  What is your liability initiative?"
> >
> > Judy Spencer:  "For level 1, OpenID is absolutely appropriate.  We
> > want to enable technologies for people to use and OpenID is perfectly
> > acceptable at level 1.0."
> >
> > Don Schmidt: Using OpenID is a really bad idea (this is a
> > paraphrase).  You're teaching people the wrong message about security.
> > "If this is successful and if there's a disconnect between this and
> > higher levels [because OpenID is not extensible for higher levels], in
> > the end we haven't done a good thing."  I was surprised to see
> > Microsoft speaking that way, but Schmidt was quite emphatic.
> >
> > I would say that by the end of the meeting, there was a great deal of
> > dubiousness in the room concerning using OpenID even at level of
> > assurance 1.  The agencies will have to implement, of course.  But the
> > people there were clearly aware --- if they hadn't been earlier ---
> > of the problems with OpenID.
> >
> > ***********************************************************
> > Susan Landau                     phone: 413-259-2018
> > Distinguished Engineer           fax: 413-253-2156
> >
> >        Sun Microsystems Laboratories
> >        MS UBUR02-311
> >        35 Network Drive
> >        Burlington MA 01803-0902
> >        http://research.sun.com/people/slandau
> >
> >        susan.landau at sun.com
> > ************************************************************
> >
> >
> >
> > _______________________________________________
> > Wg-p3 mailing list
> > Wg-p3 at kantarainitiative.org
> >
> > http://kantarainitiative.org/mailman/listinfo/wg-p3_kantarainitiative.org
> --
> J. Trent Adams
> =jtrentadams
> Profile: http://www.mediaslate.org/jtrentadams/
> LinkedIN: http://www.linkedin.com/in/jtrentadams
> Twitter: http://twitter.com/jtrentadams

Jeff Stollman
stollman.j at gmail.com
1 202.683.8699