Friday, July 01, 2011

NSTIC Privacy Workshop

I had the opportunity to attend much of the two day NSTIC Privacy Workshop held in Cambridge Massachusetts this week.   I haven't been following this NIST-backed effort as closely as I probably should have, so the workshop in Cambridge was a perfect opportunity to catch up with NSTIC, at least through the lens of privacy.

A few observations:
  • The people involved are experienced and sharp.   The process seems inclusive, which bodes well.  The meeting was well run.
  • There was some deja-vu for me based on some PKI experiences in working groups I participated in over 10 years ago in the financial sector.  Identity, authentication, authorization, attributes, etc...  all being discussed in similar ways.   Its dangerous to look too closely at that past experience, though, because use cases, technology, and the environment are so substantially evolved from that time frame.
  • More than one speaker noted the compelling issues on the horizon regarding mobility, location based services, "big data" mining and related advances, noting this may rapidly outstrip the worries we have about current ad-network dominated problems.
  • Once again, Identity Woman, aka Kaliya Hamlin, seems to be two steps ahead.  Will the Personal Data Ecosystem Consortium trump traditional standards processes by leveraging the entrepreneurial energy of competing startups?  Running code FTW? 
  • So what do I worry about?  I'd love for the vision and zeal of the privacy advocates to win the day, but I'm not sure that is feasible.  Maybe we need to  ensure that NSTIC allows privacy-enhancing approaches to be first-class citizens in any adopted standard, and a true market will emerge whereby citizens and consumers have the right and ability to chose to use privacy-enhancing solution.  And let the NSTIC infrastructure itself not leak privacy.  A bad scenario, in my opinion, would be for the NSTIC process to be co-opted by the biggest firms, and NSTIC results in a legal, regulatory, and operational framework that in practice serves to meet the widest dreams of the greediest internet  marketers at the expense of meaningful citizen privacy.

National Strategy for Trusted Identities in Cyberspace (NSTIC): http://www.nist.gov/nstic/

epic.org has a great overview paper on NSTIC here: http://epic.org/privacy/nstic.html

personal data ecosystem consortium: http://personaldataecosystem.org/



No comments: