
National Strategy for Trusted Identities in Cyberspace (NSTIC)

Top News

  • NIST Proposes Governance Structure for Internet Identity: The National Institute of Standards and Technology has released a report detailing the governance structure for the White House’s National Strategy for Trusted Identities in Cyberspace. EPIC, joined by the Liberty Coalition, submitted comments on the original proposal, emphasizing the need for transparency and balanced representation. NIST adopted many of EPIC’s suggestions, including the establishment of a Privacy Coordination Committee. However, the final document ignored EPIC’s recommendation that legislation be enacted to safeguard privacy. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Feb. 10, 2012)
  • EPIC, Liberty Coalition Submit Comments on Governance for Internet Identities: EPIC, joined by the Liberty Coalition, has submitted comments to the National Institute for Standards and Technology (NIST) on governance topics associated with the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC’s comments called for a structure that would "include[e] protection of consumer information and implementation of strong privacy practices." EPIC further asked for legislation that will protect sensitive personal information in the Identity Ecosystem. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Jul. 22, 2011)
  • House Examines White House Cybersecurity Proposal: The House of Representatives has held two hearings on the White House legislative plan for cybersecurity. The House Oversight and House Judiciary Committees questioned government officials and members of private industry on the proposal. Committee members showed particular interest in provisions that pre-empted stronger state laws and those that offered immunity to private industry for complying with government requests for information on data breaches. Rep. Watt (D-NC) asked how the proposal was unlike the controversial telecom immunity contained in the Patriot Act. The White House proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC has called for cybersecurity legislation that strengthens security standards, requires encryption, promotes agency accountability, and safeguards personal data and privacy. For more information, see EPIC: Cybersecurity and Privacy and EPIC: National Strategy for Trusted Identities in Cyberspace. (May. 26, 2011)
  • White House Releases Plan for Internet Identities: The White House has published the National Strategy for Trusted Identities in Cyberspace (NSTIC), which provides guidance for an Internet identity system to be designed and built by the private sector. The plan comes nearly two years after the White House first released its Cyberspace Policy Review, which set forth a national plan for Internet identities. In 2010, the White House released the draft NSTIC, and accepted public comments via an online forum. EPIC responded with comments that emphasized the need for strong privacy safeguards for Internet users. "The President endorsed 'Privacy Enhancing Technologies' for online credentials. That is historic," said EPIC Executive Director Marc Rotenberg today. "But online identity is a complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real. The US will need to do more to protect online privacy." In a press release, the White House emphasized that NSTIC should be privacy-enhancing and voluntary, interoperable, and cost-effective. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Apr. 15, 2011)
  • EPIC, Joined by 13 Organizations, Sends Statement on NSTIC: EPIC, joined by the American Library Association, Liberty Coalition, Bill of Rights Defense Committee, and the Center for Media and Democracy, among others, sent a statement to the Department of Homeland Security responding to the Administration's call for comments regarding its draft policy, National Strategy for Trusted Identities in Cyberspace: Creating Options for Enhanced Online Security and Privacy (NSTIC). The coalition's comments press the Administration for a clearer definition of the problems that the policy intends to solve. The coalition further advocates for the maintenance of a free and open Internet that protects the creative content of users, assures privacy, and creates accountability and oversight of government activity, especially as it relates to law enforcement and surveillance. For more, see EPIC's Cybersecurity and Privacy. (Oct. 1, 2010)
  • EPIC Urges Federal Trade Commission to Strengthen Children's Privacy Rule: EPIC filed comments urging the Federal Trade Commission to improve the Children's Online Privacy Protection Act Rule. The rule is the principal federal protection for children's privacy, and limits how companies may collect and disclose children's personal information. "The need for the COPPA Rule has become increasingly urgent in light of new business practices and recent technological developments, such as social networking sites and mobile devices," EPIC wrote. "Existing provisions need to be strengthened and new provisions need to be added." In April, EPIC testified before Congress concerning children's privacy. For more, see EPIC: COPPA and EPIC: FTC. (Jul. 9, 2010)
  • EPIC Urges Congress to Extend Children's Privacy Law to Teenagers and Social Network Services, Says Current Law Has Failed to Keep Up with New Business Practices: EPIC President Marc Rotenberg testified today before the Senate Commerce Committee. He said that "COPPA did not anticipate the immersive online experience that a social network service would provide or the extensive data collection of both the trivial and the intimate information that children would share with friends." Mr. Rotenberg also pointed to the FTC's failure to enforce children's privacy rights despite clear-cut violations of the federal law. EPIC recommended updates that would expand COPPA protections to teens and clarify the law's application to mobile and social network services. EPIC's press release can be found here. For more, see EPIC: COPPA. (Apr. 28, 2010)
  • Worker Biometric ID Under Consideration in US: Senators Charles Schumer and Lindsey Graham have proposed a new national identity card. The Senators would require that "all U.S. citizens and legal immigrants who want jobs" obtain a "high-tech, fraud-proof Social Security card" with a unique biometric identifier. The card, they say, would not contain private information, medical information, or tracking techniques, and the biometric identifiers would not be stored in a government database. EPIC has testified in Congress and commented to federal agencies on the privacy and security risks associated with national identification systems and biometric identifiers. For more information, see EPIC: National ID and the REAL ID Act, EPIC: Biometric Identifiers, and the Privacy Coalition’s Campaign Against REAL ID. (Mar. 24, 2010)

Background

History

In 1999, Microsoft announced plans to use its Passport service to authenticate subscribers in online transactions with affiliate companies. In July, 2001, EPIC filed a complaint with the Federal Trade Commission (updated and re-filed in August 2001), alleging that Microsoft Passport violated the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.

Microsoft Passport was the first large-scale use of an "Internet credential" system to authenticate a user's identity. Passport was a cookie-based service that allowed users to use a single, core log-in to verify identity without requiring the user to sign up for a new account with each service they wanted to use. EPIC's complaint pointed out that Microsoft encouraged its users to sign up for the service and represented that the service protected privacy and complied with the Children's Online Privacy Protection Act (COPPA). However, in reality Passport was facilitating the tracking and monitoring of its users by signing up all Microsoft Hotmail users for the service without the availability of an opt-out, not allowing individuals to delete their accounts, sharing user e-mail addresses with third parties by default, and neglecting key provisions of COPPA.

Based on EPIC's complaint, the FTC took action and negotiated a Consent Order that broadly required Microsoft to build in protections for the use of personal information, including e-mail addresses, persistent identifiers in cookies, and embedded identifiers, for any and all authentication systems that Microsoft offered, presently or in the future. In addition, for a period of 20 years (until 2022) Microsoft is required to fully disclose all information collection and use practices, develop a comprehensive security program and obtain third-party review of it, and maintain all Passport marketing materials for FTC review.

Modern Digital Identities

Since Passport, numerous "digital identity" credentialing services have emerged. In 2005, OpenID (initially referred to as Yadis) was developed as an open-source credential service, at first only for comments on LiveJournal and its affiliates. It expanded quickly and is perhaps the most prevalent service offered today, employed by websites like Google, Yahoo, and PayPal. Another popular identity service emerged in 2008, when Facebook launched Facebook Connect and enabled users to "share their information with the third party websites and applications they choose." Any of Facebook's 600 million users can use their Facebook log-in information to connect to different networks, such as Pandora, both around the Internet and on mobile apps. As of 2011, other identity services included Kantara, OASIS, and CardSpace.

Despite the growing prevalence of identity services, privacy problems remain, particularly when users are coerced into using a service by market pressure or when an identity service allows users to be tracked in order to predict or control their behavior. The biggest risk is what can happen if an open identity is phished or compromised. Under the traditional system, a compromised password exposes only the single account to which it is attached. If a hacker or other individual finds a way to access a user's credential, however, they will be able to wreak havoc on a much wider scale.

Emergence of NSTIC

In August 2004, President George W. Bush issued a Homeland Security Presidential Directive requiring all federal employees to be issued a single identity card that would allow them access to buildings and websites and would monitor security clearances on restricted documents. This program was expanded in September 2008, when the White House Chief Information Officers Council created the Federal Information Security & Identity Management Committee (ISIMC) and the Identity, Credential and Access Management (ICAM) subcommittee. Among many other missions, ICAM was tasked with the development of an identity program for government employees.

On May 29, 2009, the White House published the Cyberspace Policy Review. The Review set forth an objective for a national plan for a public secure Internet identification program:

"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."

Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a screenshot.)

EPIC responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:

  • A complete enumeration of the sources of the problems identified in the draft
  • A clear plan for privacy protection
  • A strategy for the protection of private communications by fair information practices
  • The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
  • The assurance that Internet users can continue to create, control, and own web content.

EPIC also emphasized the importance of applying Fair Information Practices to all personally identifiable information that is collected, retained or used, and recommended an explicit statutory provision that would apply protections in the Federal Privacy Act to all credential-related information.

On January 7, 2011, White House Cybersecurity Coordinator Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.

As described by Secretary Locke in his announcement, the new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974.) The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.

The National Strategy for Trusted Identities in Cyberspace

The White House's National Strategy for Trusted Identities in Cyberspace was released on April 15, 2011 during a formal event at the U.S. Chamber of Commerce. The Strategy is housed at the National Institute for Standards and Technology (NIST) within the Department of Commerce, where a new Program Office has been created. The Program Office is currently headed by Jeremy Grant, former co-chair of the Identity Management Committee at TechAmerica.

As an aspirational document, the NSTIC makes many promising statements. Among these is an often-repeated promise to "enhance" privacy and security in online transactions. Much like the preceding draft document, the NSTIC emphasizes the role of the private sector as the "primary developer, implementer, owner, and operator of the Identity Ecosystem."

The NSTIC identifies four parties that will contribute to transactions under the Identity Ecosystem:

  • An individual or non-person entity is the party seeking to engage in an online transaction and the owner of the credential at issue in the transaction.
  • An identity provider (IDP) "is responsible for establishing, maintaining, and securing the digital identity associated" with an individual or non-person entity, including "revoking, suspending, and restoring the subject's digital identity if necessary."
  • An attribute provider (AP) "is responsible for the processes associated with establishing and maintaining identity attributes [...] including validating, updating, and revoking the attribute claim."
  • A relying party (RP) is the party with which the individual or non-person entity wishes to transact. "Within the Identity Ecosystem, the relying party selects and trusts the identity and attribute providers of their choice, based on the risk of credential types and identity media."

In addition, the document calls for the incorporation of clear rules and guidelines based on eight best practices, which the document defines in an Appendix. Though these practices are to "address not only the circumstances under which a service provider or relying party may share information but also the kinds of information that they may collect and how that information is used," the NSTIC does not mandate the practices to be implemented as they are defined within it:

  • Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
  • Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
  • Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
  • Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
  • Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
  • Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
  • Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
  • Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

The final major call in the NSTIC is for a "trustmark scheme" for parties within the Identity Ecosystem, provided for by one or more private-sector accreditation authorities, and policed by a public-private steering group, to ensure "minimum requirements of the Identity Ecosystem Framework" are met. The trustmark is to represent the application of a single privacy and service framework to all entities who bear it.

Implementation of the NSTIC

Following the release of the NSTIC, the government has sponsored a series of Workshops aimed at brainstorming solutions and confronting problems with the NSTIC implementation. The first Workshop focused on issues with Governance and was held in Washington, D.C. on June 9-10, 2011. After the Workshop, a Notice of Inquiry was issued on "Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace." The deadline for the NOI is July 22, 2011.

The second Workshop was held on June 27-28, 2011 at MIT in Cambridge, Massachusetts to examine Privacy in the NSTIC. A third Workshop focused on technology solutions has not yet been scheduled, but is expected to be held in the California Bay Area in September, 2011.
