Background
The United States population is one of the most open,
information-centric demographics in the world.
Tens of millions of people voluntarily expose the most intimate details
of their lives through the pervasive world of social networking. More than 88% of consumers have made
purchases online, spending more than 142 billion dollars in 2010, with a 14%
increase continuing to trend upwards through the 2nd quarter of 2011 (comScore, Inc., 2011). Within a few
years this trend will represent hundreds of billions of dollars of transactions
conducted with the barest of security protections. The bulk of these transactions can be
characterized as the modern equivalent of giving your checking account number,
routing number, and driver’s license information to a 16-year-old supermarket
customer service worker in return for a check cashing card. An FTC-sponsored survey estimated that the
annual total loss to businesses due to ID theft approached $50 billion with the
total annual cost of identity theft to victims at $5 billion (H CMTE on Ways and Means, 2012). This means more than a third of annual gross
cyber revenue is lost to business or, more likely, the losses are passed to the
consumers. Yet those same hordes of
consumers who willingly play this financial Russian roulette on a regular basis
are the doppelgänger vocal detractors of government sponsored identity
systems. The paradox of an individual
who will surrender his or her credit card, credit history, and identity to a
faceless cyber organization but balk at providing their government-issued
social security numbers to either a state or federal government program is
astounding.
The fundamental issue is one of trust - not trusted
identity but trusted government. Public
trust is at an all-time low according to the Pew Research Center. Nearly eighty percent of Americans do not
trust their own government. In fact, the
only time since 1975 that government trust broke 50% was in the months
following 9/11 (Thompson, 2010). To summarize, eighty-eight percent of
Americans trust the internet with their identity and their hard earned money
while eighty percent of Americans distrust their government. Given this situation, it is not surprising
that government sponsored identity trust models have struggled to get off the
ground unless they are thus elevated by significant amounts of funding. The solution to this dilemma may be to turn
the identity / trust dichotomy upside down.
The US government would be more effective as the behind-the-scenes
partner by allowing a certain level of trust as the relying party and allowing
a measured participation by its own trusted identity systems. Building
on this foundation, the ever-growing worlds of social networking, application [app]
stores, and the real-time personal gratification that comes from instant access
to information become the propagator of the assured identity. In this scenario it is likely that the nation
will trend in the direction of the NSTIC Identity Ecosystem vision. This is an alternative delivery mechanism of an
important concept, but one easily digested by the American public. It is unlikely the average individual has
ever discussed the President’s Cyberspace Policy Review and very likely they
have never heard of it.
A two-part concept
The first part of the concept focuses on the
development of a unique cyber identity infrastructure. The infrastructure must include development
of new protocols and policy at multiple trust levels designed around the needs
of relying parties with day-to-day contact with the “citizenry end user”
mindful of that end user’s privacy requirements. Infrastructure development would be preceded
by a survey and public comment phase administered by a stakeholders’ steering
committee supported by a number of institutions of higher education and private
industry. By design the infrastructure must
also be flexible, scalable and adaptable.
The infrastructure would account for and allow
use by the existing federal identity programs at the user level. In addition, the proposed infrastructure
supports a new and unique cloud based identity program built around the user’s
ability to define dynamically the rules surrounding use and reuse of their
Personal Information (PI) and have those bound to, and travel with the digital
identity. The
infrastructure must be agnostic to token type yet driven by use case influenced
levels of trust. Most importantly, the
final infrastructure would be open source.
APIs and SDKs resulting from the project would be offered free of
charge, allowing for both the well-financed and under-financed to have equal
access to program participation. Commercialized, this concept would establish an
open source identity ecosystem community that is ultimately self-supporting and
free of the strictures of reliance on government funding and the profit-driven
pressures of the private sector. This approach allows for maximum
interoperability and cost effectiveness.
The concept of an Identity Ecosystem open source
community supported policy and protocol infrastructure is both unique and
thought provoking in its conception.
Without an initial financial jumpstart from a forward-looking
organization, as well as expert oversight and guidance, it is unlikely such a
concept would ever get off the ground.
While the establishment of the infrastructure would be
a worthy goal, it is actually the stepping stone to part two of the concept,
which is the outward facing ambassador to the American public. Part two is the feeder program for an
Identity Ecosystem App store. Academic,
commercial, and governmental partners would identify, at minimum, a single use
case for which the trusted identities, either as a product of the new
infrastructure or those created through existing programs, can be leveraged to
the benefit of their constituency, the average citizen. Each partner would use the previously
published APIs and SDKs to develop an “App” which would be both practically
tested and added to the code base for use by future application
developers. Again, in the spirit of the
open source community model, the application will be made available to other
relying parties with similar needs. Leveraging
a diverse project team, the solutions could span healthcare, government,
commercial, academic, financial as well as physical and logical access
needs. The combination of the two concept
segments would proffer a new ability to offer both users and relying parties
choice in level of trust, affordability, convenience, ease of use, security and
confidence while demonstrating and encouraging unparalleled innovation from a
national or even worldwide open source community (which should continue exponential
growth even during the unfunded years).
The combination of the two concept segments would
address the issue of commonly accepted technical standards by developing a
baseline “living” standard. The standard
would be put to the test through the development of multiple applications
addressing diverse relying party requirements.
Interoperability would be
assured by offering a free set of development and compliance testing tools and
peer review of code supported by the community as a whole.
If the concept were commercialized, academic partners would
examine the liability and economic issues in context, allowing for direct or
indirect influence of the “living” standard during the course of the project.
Addressing privacy concerns is paramount so as to be
consistent with addressing the issues identified earlier in this essay. One of the primary conceptual methods that
would be examined in this project is to maintain the anonymity of the user by
focusing on the end-use attributes or privileges assigned to the non-repudiable
identity rather than asserting the individual characteristics of the
person. Using the driver’s license as a
simplistic example, it is not necessary to provide address, date of birth,
unique identifier or even name when challenged so long as the identity is
trusted by the querying system and a check can be made against the
privilege.
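The driver's license check described above, together with the user-defined use rules that travel with the identity, can be sketched as follows. This is an added example, not code from the essay or from any NSTIC project; all names are hypothetical, and an HMAC under a key shared by issuer and relying party stands in for the issuer's signature (a deployment would use an asymmetric signature so that relying parties cannot mint assertions).

```python
import base64, hashlib, hmac, json, secrets

# Assumption: one key shared by issuer and relying party (stand-in for a signature).
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample record; it never leaves the issuer.
RECORD = {"name": "Pat Example", "dob": "1980-01-01",
          "address": "1 Sample St", "license_class": "C"}

def _mac(body: bytes, key: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def issue_assertion(record, purposes, now, ttl=300, key=ISSUER_KEY):
    """Issuer: release only the privilege, a pseudonym and the holder's use rules."""
    claims = {"sub": secrets.token_hex(8),        # fresh pseudonym per assertion
              "privilege": "drive:" + record["license_class"],
              "purposes": sorted(purposes),       # user-defined use/reuse rules
              "exp": now + ttl}                   # short lifetime limits replay
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body, key).decode()

def check_privilege(token, required, purpose, now, key=ISSUER_KEY):
    """Relying party: True only if the assertion is authentic, unexpired,
    grants the required privilege, and the holder allowed this purpose."""
    try:
        b64, tag = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return False                              # malformed token
    if not hmac.compare_digest(tag.encode(), _mac(body, key)):
        return False                              # forged or altered
    claims = json.loads(body)
    return (claims["exp"] > now and claims["privilege"] == required
            and purpose in claims["purposes"])

def disclosed_fields(token):
    """Field names the relying party can read from the assertion."""
    return set(json.loads(base64.urlsafe_b64decode(token.split(".")[0])))
```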
Any solution must be capable of integrating the PIV and
PIV-I credentials currently deployed.
However, rather than focus simply on the expected uses of these strong
authentication credentials, emphasis would be placed on the alternative use of the
credentials by integrating acceptance of the credential by the project
developed software.
Works Cited
comScore, Inc. (2011, August 8). comScore Reports
$37.5 Billion in Q2 2011 U.S. Retail E-Commerce Spending, Up 14 Percent vs.
Year Ago. Retrieved March 1, 2012, from comScore, Press & Events : http://www.comscore.com/Press_Events/Press_Releases/2011/8/comScore_Reports_37.5_Billion_in_Q2_2011_U.S._Retail_E-Commerce_Spending
H CMTE on Ways and Means. (2012, February 29). Committee
on Ways and Means Facts and Figures: Identity Theft. Retrieved March 2,
2012, from Committee on Ways and Means:
http://waysandmeans.house.gov/media/pdf/ss/factsfigures.pdf
Thompson, D. (2010, April 19). 80 Percent of
Americans Don't Trust the Government. Here's Why. Retrieved March 1, 2012,
from The Atlantic Business Archive:
http://www.theatlantic.com/business/archive/2010/04/80-percent-of-americans-dont-trust-the-government-heres-why/39148/