Archive for the ‘NSTIC’ Category
Ray Campbell hits the ball out of the park again with his awesome suggestion in his blog: we need a HIPAA-like regime for the privacy of personal data. As a mental exercise, Ray has gone through the HIPAA document and replaced “individually identifiable health information” with “individually identifiable personal information”. The red-lined doc can also be found on his site.
At the heart of his proposal is the notion of shifting the thought paradigm from the person as the absolute owner of his/her personal data to one where the person is seeking the right to know who has his/her personal data, how they obtained it, what they are doing with it and to whom they have sold the data (the 4 questions).
Following on from Ray’s post and from Professor Sandy Pentland’s view on the New Deal on Data, I believe there should be a new market in the digital economy where individuals can meet directly with buyers of their personal data, and where individuals can opt-in to make more data about themselves available to these buyers. Cut out the middleman — the big data corporations that are not contributing to the efficiency of free markets.
People ask me all the time about the vision of the IDESG. The following provides a very useful summary (from the original NPO document):
“Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”
Identity Solutions will be:
- Privacy-enhancing and voluntary
- Secure and resilient
- Cost-effective and easy to use
Today at the 3rd Plenary of the IDESG, the Chair of the IDESG (Bob Blakley) presented a high-level vision slide of what the IDESG should be working on. It's a very good slide for the purposes of uniting the work of the IDESG. Each industry area (or stakeholder group) would end up with its own Trust Framework Provider that covers IdPs in that space, and users and RPs.
Aaron Titus writes an interesting piece based on his analysis of the recent proposal from Trent Adams (PayPal) to modify the NSTIC governance rules. The abolition of the NSTIC Privacy Standing Committee may have an unforeseen impact on the acceptance of the whole NSTIC Identity Ecosystem idea, notably from the privacy front.
During the last decade — starting from the Liberty vs Passport kerfuffle — we have seen a number of proposals for components of an “identity infrastructure” for the Internet. All in all, there has been little adoption (by consumers) of these technologies for high-value transactions due IMHO to the lack of privacy-preserving features.
So far I have yet to see a sustainable business model for identities which is focused on the “individual” (i.e. individual-centric) and which preserves his/her personal data. All the agreements and EULAs that we click “yes” to seem to be tilted in favor of the provider. If a provider “loses” my personal information (including credit-card information), there is really little incentive (positive or negative) to get them to recover my data. The individual suffers all the losses. Little wonder there is no buy-in from the consumer.
Today NSTIC started its 2-day Ecosystem Steering Group meeting in Chicago. Never thought that dialing in all day would be so tiring. Glad that the group (of about 300 people, half in-person and half virtual) got over the initial confusion about voting for the candidates and dealing with proposed changes to the Charter and By Laws.