National Strategy for Trusted Identities in Cyberspace (NSTIC)
- NIST Proposes Governance Structure for Internet Identity: The National Institute of Standards and Technology has released a report detailing the governance structure for the White House’s National Strategy for Trusted Identities in Cyberspace. EPIC, joined by the Liberty Coalition, submitted comments on the original proposal, emphasizing the need for transparency and balanced representation. NIST adopted many of EPIC’s suggestions, including the establishment of a Privacy Coordination Committee. However, the final document ignored EPIC’s recommendation that legislation be enacted to safeguard privacy. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Feb. 10, 2012)
- EPIC, Liberty Coalition Submit Comments on Governance for Internet Identities: EPIC, joined by the Liberty Coalition, has submitted comments to the National Institute for Standards and Technology (NIST) on governance topics associated with the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC proposal is part of a series of initiatives driven by the 2009 Cyberspace Policy Review. EPIC’s comments called for a structure that would "include[e] protection of consumer information and implementation of strong privacy practices." EPIC further asked for legislation that will protect sensitive personal information in the Identity Ecosystem. For more information, see EPIC: National Strategy for Trusted Identities in Cyberspace. (Jul. 22, 2011) More top news »
In 1999, Microsoft announced plans to use its Passport service to authenticate subscribers in online transactions with affiliate companies. In July, 2001, EPIC filed a complaint with the Federal Trade Commission (updated and re-filed in August 2001), alleging that Microsoft Passport violated the Federal Trade Commission Act, which prohibits unfair or deceptive trade practices.
Microsoft Passport was the first large-scale use of an "Internet credential" system to authenticate a user's identity. Passport was a cookie-based service that allowed users to use a single, core log-in to verify identity without requiring the user to sign up for a new account with each service they wanted to use. EPIC's complaint pointed out that Microsoft encouraged its users to sign up for the service and represented that the service protected privacy and complied with the Children's Online Privacy Protection Act (COPPA). However, in reality Passport was facilitating the tracking and monitoring of its users by signing up all Microsoft Hotmail users for the service without the availability of an opt-out, not allowing individuals to delete their accounts, sharing user e-mail addresses with third parties by default, and neglecting key provisions of COPPA.
Based on EPIC's complaint, the FTC took action and negotiated a Consent Order that broadly required Microsoft to build in protections for the use of personal information, including e-mail addresses, persistent identifiers in cookies, and embedded identifiers, for any and all authentication systems that Microsoft offered, presently or in the future. In addition, for a period of 20 years (until 2022) Microsoft is required to fully disclose all information collection and use practices, develop a comprehensive security program and obtain third-party review of it, and maintain all Passport marketing materials for FTC review.
Modern Digital Identities
Since Passport, numerous "digital identity" credentialing services have emerged. In 2005, OpenID was developed (initially referred to as Yadis), as an open-source Credential service, at first only for comments on LiveJournal and its affiliates, though it expanded quickly, and is perhaps the most prevalent service offered today, employed by websites like Google, Yahoo, and Paypal. Another popular identity service emerged in 2008, when Facebook launched Facebook Connect and enabled users to "share their information with the third party websites and applications they choose." Any of Facebook's 600 million users can use their Facebook log-in information to connect to different of networks, such as Pandora, both around the Internet and on mobile apps. As of 2011, other identity services included Kantara, OASIS, and CardSpace.
Despite their growing prevalence, privacy problems with identity services remain, particularly when users are coerced into using a service by market pressure or when an identity service allows users to be tracked in order to predict or control their behavior. The biggest risk is what can happen if an open identity is phished or compromised. Unlike the traditional system, where a compromised password will only expose the single account to which it is attached, if a hacker or other individual finds a way to access a user's credential, they will be able to wreck havoc on a much wider scale.
Emergence of NSTIC
In August, 2004, President George W. Bush issued a Homeland Security Presidential Directive, requiring all federal employees to be issued a single identity card that would allow them access to buildings, websites, and would monitor security clearances on restricted documents. This program was expanded in September 2008, when the White House Chief Information Officers Council created the Federal Information Security & Identity Management Committee (ISIMC) and the Identity, Credential and Access Management (ICAM) subcommittee. Among many other missions, ICAM was tasked with the development of an identity program for government employees.
On May 29, 2009, the White House published the Cyberspace Policy Review. The Review set forth an objective for a national plan for a public secure Internet identification program:
"The Federal government - in collaboration with industry and the civil liberties and privacy communities - should build a cyber security-based identity management vision and strategy for the Nation that considers an array of approaches, including privacy-enhancing technologies. The Federal government must interact with citizens through a myriad of information, services and benefit programs and thus has no interest in the protection of the public's private information as well."
Based on the White House's recommendations, an inter-agency writing team developed and released a Draft plan of the National Strategy for Trusted Identities in Cyberspace (NSTIC) in June 2010. NSTIC is seen as an acceleration and expansion of the initiatives developed by ICAM to the public domain. The Draft identified what it called the Identity Ecosystem - "a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value." The Draft was published on IdeaScale, and was open for the public to submit comments. (The page has since been removed, though MSNBC has maintained a screenshot.)
EPIC Responded to the Draft NSTIC with a formal statement on the unique challenges the proposal presented for the continued protection of privacy and consumer rights. EPIC emphasized the need for:
- A complete enumeration of the sources of the problems identified in the draft
- A clear plan for privacy protection
- A strategy for the protection of private communications by fair information practices
- The assignment of responsibility of government agencies to oversee authorities, courts, and credential users regarding constitutional rights
- The assurance that Internet users can continue to create, control, and own web content.
On January 7, 2011, White House Cybersecurity Coordinator, Howard Schmidt and Commerce Secretary Gary Locke appeared at an event at Stanford University in California. In his speech, Locke detailed many potential threats on the Internet, claiming that the "cyber threat" was "one of the most serious economic and national security challenges we face as a nation." In order to lead the government's efforts on digital identity, Locke announced the creation of a National Program Office at the Department of Commerce, housed under the National Institute for Standards and Technology (NIST), that would be responsible for a digital identity framework.
As described by Secretary Locke in his announcement: The new Program Office would spearhead the development of NSTIC, though implementation would be outsourced to the private market, eliminating the need for a single overseer or a central database. (However, because the federal government will not be maintaining the databases of information, they will not be subject to the protections provided in the Federal Privacy Act of 1974). The digital identity program is also designed to be entirely voluntary to users. In addition to private industry, the General Services Administration and the Department of Homeland Security were also slated to assist with development of the new programs.
The National Strategy for Trusted Identities in Cyberspace
The White House's National Strategy for Trusted Identities in Cyberspace was released on April 15, 2011 during a formal event at the U.S. Chamber of Commerce. The Strategy is housed at the National Institute for Standards and Technology (NIST) within the Department of Commerce, where a new Program Office has been created. The Program Office is currently headed by Jeremy Grant, former co-chair of the Identity Management Committee at TechAmerica.
As an aspirational document, the NSTIC makes many promising statements. Among these is a often repeated promise to "enhance" privacy and security in online transactions. Much like the preceding draft document, the NSTIC emphasizes the role of the private sector as the "primary developer, implementer, owner, and operator of the Identity Ecosystem."
The NSTIC identifies four parties that will contribute to transactions under the Identity Ecosystem:
|An individual or non-person entity is the party seeking to engage in an online transaction and the owner of the credential at issue in the transaction.|
|An identity provider (IDP) "is responsible for establishing, maintaining, and securing the digital identity associated" with an individual or non-person entity, including "revoking, suspending, and restoring the subject's digital identity if necessary."|
|An attribute provider (AP) "is responsible for the processes associated with establishing and maintaining identity attributes [...] including validating, updating, and revoking the attribute claim.|
|A relying party (RP) is the party with which the individual or non-person entity wishes to transact. "Within the Identity Ecosystem, the relying party selects and trusts the identity and attribute providers of their choice, based on the risk of credential types and identity media."|
In addition, the document calls for the incorporation of clear rules and guidelines based on eight best practices, which the document defines in an Appendix. Though these practices are to "address not only the circumstances under which a service provider or relying party may share information but also the kinds of information that they may collect and how that information is used," the NSTIC does not mandate the practices to be implemented as they are defined within it:
- Transparency: Organizations should be transparent and notify individuals regarding collection, use, dissemination, and maintenance of personally identifiable information (PII).
- Individual Participation: Organizations should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.
- Purpose Specification: Organizations should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
- Data Minimization: Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
- Use Limitation: Organizations should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.
- Data Quality and Integrity: Organizations should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
- Security: Organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
- Accountability and Auditing: Organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
The final major call in the NSTIC is for a "trustmark scheme" for parties within the Identity Ecosystem, provided for by one or more private-sector accreditation authorities, and policed by a public-private steering group, to ensure "minimum requirements of the Identity Ecosystem Framework" are met. The trustmark is to represent the application of a single privacy and service framework to all entities who bear it.
Implementation of the NSTIC
Following the release of the NSTIC, the government has sponsored a series of Workshops, aimed at brainstorming solutions and confronting problems with the NSTIC implementation. The first Workshop as focused on issues with Governance and was held in Washington, D.C. on June 9-10, 2011. After the Workshop, a Notice of Inquiry was issued on "Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace." The deadline for the NOI is July 22, 2011.
The second Workshop was held on June 27-28, 2011 at MIT in Cambridge, Massachusetts to examine Privacy in the NSTIC. A third Workshop focused on technology solutions has not yet been scheduled, but is expected to be held in the California Bay Area in September, 2011.
- NSTIC Program Office: National Strategy for Trusted Identities in Cyberspace
- NSTIC Program Office: Recommendation for Establishing an Identity Ecosystem Governance Structure
- NSTIC Program Office: Homepage
- NSTIC Program Office: Notice of Inquiry on "Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace"
- EPIC: National Identity
- EPIC: NSTIC Statement: Creating Options for Enhanced Online Security and Privacy
- EPIC and Liberty Coalition: Comments on "Models for a Governance Structure for the National Strategy for Trusted Identities in Cyberspace"
- EPIC: Sign Out of Passport
- EPIC: Microsoft Passport Investigation Docket
- DHS: Draft National Strategy for Trusted Identities in Cyberspace
- The White House Blog: A National Program Office for Enhancing Online Trust and Privacy
- White House: Fact Sheet for Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure
- White House: Press Release and Fact Sheet for National Strategy for Trusted Identities in Cyberspace
- NSTIC.US: A Coalition Fostering Open Dialog on the National Strategy for Trusted Identities in Cyberspace
- NIST: NSTIC Animated Video
- Department of Commerce: Remarks at Cybersecurity Event with White House Cybersecurity Coordinator Howard Schmidt, Stanford, California (Commerce Secretary Gary Locke)
- Department of Commerce: Working with the Private-Sector to Enhance Cybersecurity
- Department of Commerce: The Commerce Department's Latest Privacy Initiative on Data Privacy Day
- European Commission Joint Research Centre Institute for Prospective Technological Studies: "The State of the Electronic Identity Market: Technology, Infrastructure, Services, and Policies"
- Identity Finder: "NSTIC's Effect on Privacy"
- American Bar Association: Federated Identity Management Legal Task Force
- InformationWeek: Bypassing The Password, Part 2: Trusted Identities (April 21, 2015)
- CBS News: This My Be the Answer to Cybersecurity, or Not (May 27, 2014)
- RT: Government starts testing online ID program (April 29, 2014)
- ZDNet: NSTIC doc outlines transition to privately led ID effort (February 8, 2012)
- Fierce Government IT: NSTIC will require privacy legislation, say groups (July 28, 2011)
- Fierce Government IT: Focus Turns to Privacy in Second NSTIC Workshop (July 7, 2011)
- Popular Science: Point/Counterpoint: Internet IDs Are a Terrible Idea (June 28, 2011)
- Popular Science: Point/Counterpoint: We Need a System of Internet IDs (June 28, 2011)
- Cisco Blog: Establishing Trust in the NSTIC (June 15, 2011)
- O'Reilly Radar: A Manhattan Project for Online Identity (May 4, 2011)
- Tech News World: White House Gets the Ball Rolling on Single Credential Online ID System (May 3, 2011)
- Miller-McCune: The Government Internet ID Proposal’s Pros and Cons (April 19, 2011)
- Auction Bytes: PayPal on Board with White House 'Trusted Identity' Initiative (April 19, 2011)
- The Falcon's View: Identity Crisis: The Delusion of NSTIC (April 18, 2011)
- CNET: Obama moves forward with Internet ID plan (April 15, 2011)
- NPR News Blog: White House Proposes A Universal Credential For Web (April 15, 2011)
- Information Week: White Houses Issues Online Trusted Identities Plan (April 15, 2011)
- Internet Evolution: Why an Internet 'Driver's License' Won't Work (February 8, 2011)
- Bloomberg Business Week: Say Goodbye to All Those Passwords (January 27, 2011)
- Network World: NSTIC and the Feds HUA Problem (January 14, 2011)
- The New American: Obama Plans for Federal Internet "Identity Ecosystem" (January 12, 2011)
- Aaron Titus: NSTIC at a Crossroads (January 11, 2011)
- SecureID News: NSTIC's Evolution and the Identity Community at Work (January 11, 2011)
- InfoSecurity: US Government Sets Up Office to Oversee Online Trusted Identities Program (January 10, 2011)
- International Business Times: Proposed Online ID System Raises Privacy Concerns (January 10, 2011)
- Fast Company: National! Identity! Cyberspace! Why We Shouldn't Freak Out About NSTIC (January 10, 2011)
- Techi: Why Obama's National ID Solution is a Really, REALLY Bad Idea (January 10, 2011)
- Information Week: Commerce Department to Head Web Identity Initiative (January 10, 2011)
- The Hill: Locke Announces New Office to Secure Online Transactions (January 9, 2011)
- Bloomberg Business Week: Internet Identity System Said Readied by Obama Administration (January 7, 2011)
- PC World: White House Officials Push Online Trusted IDs (January 7, 2011)
- Wired: Obama's Solution for Online ID? Let Silicon Valley Take the Lead (January 7, 2011)
- eWeek: Trusted Identity Plans Require Proper Balance in Private, Public Partnerships (January 7, 2011)
- Gov20.govfresh: National Strategy for Trusted Identities in Cyberspace Highlights Key Online Privacy, Security Challenges/ (January 7, 2011)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,