How can we retain privacy when doing business online?

I recently spoke at a 2-day event hosted by NIST that addressed privacy and identity management as part of the NSTIC; the NSTIC represents the most far-reaching set of goals and objectives to date around promoting secure, efficient online commerce through strong online identities, as blogged in this space previously.

The workshop was held at the Massachusetts Institute of Technology’s Media Lab, and attended by over 100 privacy, identity, technology, commercial and government experts, and was actually the second such event in a 3-week span.  The first workshop addressed issues around how governance should best be accomplished in a national strategy that depends critically on privacy sector leadership and close industry-government collaboration – you can read about the governance workshop and its proceeding; in addition, NIST had a notice of inquiry on Governance out for comment by July 22.

NSTIC Program Manager Jeremy Grant opened the privacy workshop with a general overview of the issue.  This was followed by a perspective from White House staffer  Naomi Lefkovitz, who presented a view on why the White House believes privacy to be key in the implementation of NSTIC, as part of the broader Administration focus on consumer privacy through policy papers recently issued for comment by the Department of Commerce and Federal Trade Commission. She focused on the import placed on the Fair Information Privacy Principles (FIPPs) as part of the NSTIC itself; the FIPPs are still available.

The first day focused on turning the FIPPs into operational practice, assessing questions that included:

• How can the FIPPs be translated from general principles into workable rules and guidelines specific to the NSTIC Identity Ecosystem? 
• How do different needs in different industries impact on the ability to generate workable rules and guidelines with regard to privacy practices?
• Should there be different privacy requirements or standards for credentials for different industries of different risk levels 

An active discussion of these issues followed.  Among key points made by workshop participants:

• NSTIC should establish a “baseline of good behavior” consistent with the FIPS, and allow variation above the baseline for different industries
• Allow for differences based on  industry – health care likely needs a different approach than financial services, though both need to follow a set of common rules
• Don’t try to solve all problems with one solution – use an incremental approach and build on that
• Avoid making one company or one solution the answer
• Start by connecting with the customer of a transaction – design the system to make it easy for users to use it and control their own data
• Any process should include audit and enforcement

Day 2 focused on technologies that could enhance privacy in identity management.  Among the topics discussed were approaches to protecting identity through cryptography, including Microsoft’s U-Prove  and IBM’s Identity Mixer.  The session emphasized that any identity technology should build privacy into the design framework, rather be addressed after the fact.  Once technologies are identified, NSTIC envisions that an Identity Ecosystem Framework steering group – expected to be established later this year – will act as a clearinghouse and disseminator for numerous technical approaches consistent with NSTIC, rather than endorsing one solution.

More information on the privacy workshop can be found by reading a number of presentations made there.  And for those who would rather see the movie, the conference was streamed live and the link may still be up.