The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
Coining a new phrase for a more secure virtual world, known as the Identity Ecosystem, NSTIC seeks to improve upon the passwords currently used to log in online, with the broader aim to reduce identity theft and online theft; reduce inefficiencies in online transactions; and provide new online services currently thought of as too risky for e-commerce. While the Identity Ecosystem has not yet been built and there are currently no Identity Ecosystem credentials available at this time, some private-sector identity providers do exist. NSTIC envisions individuals choosing their own Identity Ecosystem credentials from a variety of service providers (both public and private) and using any of these trusted online credentials to log in to their banks, e-mail accounts, or social networking sites, without having to remember multiple passwords. In addition, the Identity Ecosystem would seek to enhance individuals’ privacy by reducing the amount of information they must disclose to authenticate their identity.
Participation in the Identity Ecosystem would be voluntary—users will be able to choose whether to obtain Identity Ecosystem credentials; further, private-sector organizations, rather than the government, will build and operate the Identity Ecosystem. And in response to more broad civil liberties concerns, the NSTIC requires that the Identity Ecosystem be based on the Fair Information Practice Principles (FIPPS)—a set of eight key principles drawn from the 1974 Privacy Act—to ensure that individuals can trust that their personal information is handled safely.
There’s a problem in the notion of “coining a new phrase … the Identity Ecosystem”, for this is not a new idea that needs ‘coining’ at all. Used in relation to NSTIC — which is an elaborate IT architecture — “ecosystem” is a bit of a stretch, more marketing than ecology.
There are true business ecosystems, in which different sectors and communities of interest have bred their own peculiar conventions, rules, contracts, regulations etc. for managing risk. It’s possible and valuable (within limits) to describe “identities” being provided for people acting in these different contexts, but the word is suggestive of a magic property that can be taken out of one context and used in another.
Digital identities are context dependent. We all know that, but many have underestimated the strength of the dependence. NSTIC is based on an optimism that we can change context and still preserve some re-usable ‘core’ identity. This ‘interoperability’ has only been demonstrated to date in near-trivial use cases like logging onto blog sites with unverified OpenIDs or Twitter handles.
Digital identities are far more strongly context dependent than people seem to realise.
If NSTIC is an ecosystem, it is artificial. As such it may be as fragile as an exotic botanic garden or tropical aquarium, and in need of constant care and attention to save it from collapse.