Thursday, October 18, 2012

Open Source Identity Ecosystem: We Have an App for That



Background

The United States population is one of the most open, information-centric demographics in the world. Tens of millions of people voluntarily expose the most intimate details of their lives through the pervasive world of social networking. More than 88% of consumers have made purchases online, spending more than 142 billion dollars in 2010, with a 14% increase continuing to trend upwards through the 2nd quarter of 2011 (comScore, Inc., 2011). Within a few years this trend will represent hundreds of billions of dollars of transactions conducted with the barest of security protections. The bulk of these transactions can be characterized as the modern equivalent of giving your checking account number, routing number, and driver’s license information to a 16-year-old supermarket customer service worker in return for a check cashing card. An FTC-sponsored survey estimated that the annual total loss to businesses due to ID theft approached $50 billion, with the total annual cost of identity theft to victims at $5 billion (H CMTE on Ways and Means, 2012). This means more than a third of annual gross cyber revenue is lost to business or, more likely, the losses are passed to the consumers. Yet those same hordes of consumers who willingly play this financial Russian roulette on a regular basis are also the vocal detractors of government-sponsored identity systems. The paradox of an individual who will surrender his or her credit card, credit history, and identity to a faceless cyber organization but balk at providing a government-issued social security number to either a state or federal government program is astounding.
The fundamental issue is one of trust: not trusted identity but trusted government. Public trust is at an all-time low according to the Pew Research Center. Nearly eighty percent of Americans do not trust their own government. In fact, the only time since 1975 that government trust broke 50% was in the months following 9/11 (Thompson, 2010). To summarize, eighty-eight percent of Americans trust the internet with their identity and their hard-earned money, while eighty percent of Americans distrust their government. Given this situation, it is not surprising that government-sponsored identity trust models have struggled to get off the ground unless they are elevated by significant amounts of funding. The solution to this dilemma may be to turn the identity / trust dichotomy upside down. The US government would be more effective as the behind-the-scenes partner, allowing a certain level of trust as the relying party and allowing a measured participation by its own trusted identity systems. Building on this foundation, the ever-growing worlds of social networking, application [app] stores, and the real-time personal gratification that comes from instant access to information become the propagators of the assured identity. In this scenario it is likely that the nation will trend in the direction of the NSTIC Identity Ecosystem vision. This is an alternative delivery mechanism for an important concept, but one easily digested by the American public. It is unlikely the average individual has ever discussed the President’s Cyberspace Policy Review, and very likely they have never heard of it.

A two part concept

The first part of the concept focuses on the development of a unique cyber identity infrastructure. The infrastructure must include development of new protocols and policy at multiple trust levels, designed around the needs of relying parties with day-to-day contact with the “citizenry end user” and mindful of that end user’s privacy requirements. Infrastructure development would be preceded by a survey and public comment phase administered by a stakeholders’ steering committee supported by a number of institutions of higher education and private industry. By design the infrastructure must also be flexible, scalable and adaptable. The infrastructure would account for and allow use by the existing federal identity programs at the user level. In addition, the proposed infrastructure supports a new and unique cloud-based identity program built around the user’s ability to define dynamically the rules surrounding use and reuse of their Personal Information (PI) and have those rules bound to, and travel with, the digital identity. The infrastructure must be agnostic to token type yet driven by use-case-influenced levels of trust. Most importantly, the final infrastructure would be open source. APIs and SDKs resulting from the project would be offered free of charge, allowing both the well-financed and the under-financed to have equal access to program participation. Commercialized, this concept would establish an open source identity ecosystem community that is ultimately self-supporting and free of the strictures of reliance on government funding and the profit-driven pressures of the private sector. This approach allows for maximum interoperability and cost effectiveness.
The concept of a policy and protocol infrastructure supported by an Identity Ecosystem open source community is both unique and thought-provoking in its conception. Without an initial financial jumpstart from a forward-looking organization, as well as expert oversight and guidance, it is unlikely such a concept would ever get off the ground.
While the establishment of the infrastructure would be a worthy goal, it is actually the stepping stone to part two of the concept, which is the outward-facing ambassador to the American public. Part two is the feeder program for an Identity Ecosystem App store. Academic, commercial, and governmental partners would identify, at minimum, a single use case for which the trusted identities, either as a product of the new infrastructure or those created through existing programs, can be leveraged to the benefit of their constituency, the average citizen. Each partner would use the previously published APIs and SDKs to develop an “App” which would be both practically tested and added to the code base for use by future application developers. Again, in the spirit of the open source community model, the application will be made available to other relying parties with similar needs. Leveraging a diverse project team, the solutions could span healthcare, government, commercial, academic, financial as well as physical and logical access needs. The combination of the two concept segments would offer both users and relying parties a choice in level of trust, affordability, convenience, ease of use, security and confidence, while demonstrating and encouraging unparalleled innovation from a national or even worldwide open source community (which should continue exponential growth even during the unfunded years).
The combination of the two concept segments would address the issue of commonly accepted technical standards by developing a baseline “living” standard.  The standard would be put to the test through the development of multiple applications addressing diverse relying party requirements.    Interoperability would be assured by offering a free set of development and compliance testing tools and peer review of code supported by the community as a whole. 
If the concept were commercialized, academic partners would examine the liability and economic issues in context, allowing for direct or indirect influence on the “living” standard during the course of the project.
Addressing privacy concerns is paramount, consistent with the issues identified earlier in this essay. One of the primary conceptual methods that would be examined in this project is to maintain the anonymity of the user by focusing on the end use attributes or privileges assigned to the non-repudiable identity rather than asserting the individual characteristics of the person. Using the driver’s license as a simplistic example, it is not necessary to provide address, date of birth, unique identifier or even name when challenged, so long as the identity is trusted by the querying system and a check can be made against the privilege.
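The driver’s license check described above can be sketched as a signed assertion that carries only a pseudonym, a privilege list and an expiry. This is an added example, not code from the proposed project; the token layout, field names and key are assumptions, and HMAC stands in here for the asymmetric signature a real issuer would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). With HMAC the verifier could also mint
# tokens, so a real issuer would sign with a private key instead.
ISSUER_KEY = b"constructed-demo-key"

def b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_assertion(pseudonym, privileges, expires_at, key=ISSUER_KEY):
    """Issuer: sign claims that hold privileges only (no name, DOB, address)."""
    claims = {"sub": pseudonym, "priv": sorted(privileges), "exp": expires_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return b64(body) + "." + b64(hmac.new(key, body, hashlib.sha256).digest())

def check_privilege(token, required, now, key=ISSUER_KEY):
    """Relying party: trust the issuer's signature, then test the privilege."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or invalid base64
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(body)  # parsed only after the signature verifies
    if now >= claims["exp"]:
        return False, "expired"
    if required not in claims["priv"]:
        return False, "privilege not held"
    return True, "ok"

def disclosed_fields(token):
    """Everything the relying party learns about the holder."""
    return sorted(json.loads(base64.urlsafe_b64decode(token.split(".")[0])))

if __name__ == "__main__":
    # Constructed sample: pseudonym and privilege names are hypothetical.
    token = issue_assertion("anon-7f3a", ["drive:class-C"], expires_at=2000)
    print(check_privilege(token, "drive:class-C", now=1000))
    print(disclosed_fields(token))
```

A pseudonym reused across relying parties is still linkable, so issuing a different one per relying party is a natural refinement of this sketch.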
Any solution must be capable of integrating the PIV and PIV-I credentials currently deployed.  However, rather than focus simply on the expected uses of these strong authentication credentials, emphasis would be placed on the alternative use of the credentials by integrating acceptance of the credential by the project developed software.

Works Cited

comScore, Inc. (2011, August 8). comScore Reports $37.5 Billion in Q2 2011 U.S. Retail E-Commerce Spending, Up 14 Percent vs. Year Ago. Retrieved March 1, 2012, from comScore, Press & Events : http://www.comscore.com/Press_Events/Press_Releases/2011/8/comScore_Reports_37.5_Billion_in_Q2_2011_U.S._Retail_E-Commerce_Spending
H CMTE on Ways and Means. (2012, February 29). Committee on Ways and Means Facts and Figures: Identity Theft. Retrieved March 2, 2012, from Committee on Ways and Means: http://waysandmeans.house.gov/media/pdf/ss/factsfigures.pdf
Thompson, D. (2010, April 19). 80 Percent of Americans Don't Trust the Government. Here's Why. Retrieved March 1, 2012, from The Atlantic Business Archive: http://www.theatlantic.com/business/archive/2010/04/80-percent-of-americans-dont-trust-the-government-heres-why/39148/