autotelic, autistic, assonance-hole©.

A conversation about NSTIC with Jim Fenton of Cisco

I had a very interesting email waiting for me this morning from Jim Fenton of Cisco. First, let me say that I was both very humbled and really quite pleased to think that my thoughts garner consideration and respect from a “known and well reputed” member of the technology stratosphere; and, lest someone ask me to wipe my nose, let me also say that I’m not fooling myself in relation to my general ability to affect or impact things. I’m just a regular gal, no different than anyone else excepting that I may have some degree of skill at stringing letters together. Important note:  I am assuming that Jim is speaking as an individual, offering his personal opinion, and specifically not a representative of Cisco; I suggest that you consider this as true, too.

Anyway… the email was in response to my recent post entitled “NSTIC, you and me, (and Google?)”; Jim wanted to ensure that I understood that Google doesn’t speak for the NSTIC, but that he shared my concerns for the rapidity with which companies like Google seem to be swarming this little bandwagon for identity service online.

I’ve asked Jim for his permission to use his words verbatim and in context, but have not yet received it. Until I do, I will paraphrase his comments (italicized) in-line with my own actual reply as delivered by email. If I should receive his permission, I’ll edit to replace the paraphrasing.

As stated above, Jim opened by pointing out that Messina probably doesn’t represent the NSTIC and that he, too, thought there is a lot of self-serving interjection from corporations happening in relation to their efforts, to which I responded:

I would agree that Messina doesn’t represent them en totale, but I think it would be naive to think he does not represent a particularly strong element within the group that truly believes/thinks the notion of what will essentially be “online id” is wise. I’ll get into my concerns about this on the general level later in this reply.

Jim further pointed out that NSTIC’s primary thrust was to support our ability to choose our own identity provider. He further commented that while no one knows how many there may be, or how to encourage diversity in providers, it is hoped that folks like the EFF, ACLU, etc. will become providers to offer privacy options “to those for whom this is a priority”.  He also mentioned a concern regarding the “voluntary” (his emphasis)
nature of the NSTIC effort and pointed out that, while likely not an issue initially, any significant adoption/dependence could result in an outcome of mandatory use. My response:

Precisely; I find it bordering on disingenuous that the “optional” line is being so strongly stressed as no one (particularly the government) who devotes genuine consideration of the long-view can possibly deny that dependence and mandate will be functionally inevitable.

When I consider how Google in particular is maintaining many of their users simply through weight of popularity and entrenchment of services, the reality of how simple it will be for this to become mandatory AND for it to do so without actual government backing (which accords the related legal protections and recourse) frankly, is frightening to me.

As I’m sure you are aware, “being directed by…” is NOT the same as “being accountable and responsible for…” and it disturbs me to see government deliberately seeking to avoid accountability and responsibility when it would actually benefit the consumer (particularly in availing themselves of remedy) for them to assume both. Also, that it is already clear that any conflict in this future arena will not find consumer protections but, instead, will languish in the courts (when they can effectively be brought for consideration at all).

Of course I understand that there is no way for government (i.e., the commerce department) to present themselves as accountable or responsible for a “online id” without there being an immediate outcry of “too much government involvement in commerce”… which leads me to my point – this NSTIC effort effects the same result without any of the remedies AND it puts corporations into place as the buffer and protection against any fallout. There simply is no context by which such a thing is beneficial, helpful, or even efficient for the consumer.

I do not find it sufficient to have providers who support and protect privacy “as an option” amongst a larger pool of providers. The conflicts that such a dichotomy cannot help but raise over time make the entire system ultimately untenable to my mind. Further, I do not find it obvious or even supportable that an “identity provider” is necessary except to the extent that, obviously, identity theft and fraud are odious (but obvious and ongoing) threats to commerce in general.

Which raises the next assertion/contention/objection: This effort as it stands is operating on logical fallacies, to wit, the slippery slope and perfectionist fallacies.

Slippery Slope: It is not logically valid to assume that another layer of identity service will effectively reduce or eliminate fraud or impersonation in electronic commerce. The Counter: This effort not only introduces an entirely new layer of complexity that can (and will!) be exploited; additionally, that any such effort creates another layer of information which must be analyzed and then, demonstrated to prove intrusions (to a legal standard of proof, mind you).

Perfectionist: It is not logically valid to assume that the solution of an identity service is the only means by which to combat fraud and impersonation. The Counter: As you and I are both aware, there are existing technologies readily available that offer significant ability to raise the bar of security that have not been fully implemented or even explored as solutions.

Instead, we now have government and corporate interest being reactively hurried in a way that usurps (or takes advantage of, depending upon your perspective) consumer and customer choice and seeks to both co-opt and control elements of their property (identity). The worst part? This is happening under the guise of consumer protection when, in reality (as demonstrated by reviewing the information), this effort would be far more accurately depicted as protecting revenue generating transactions and the systems that support them; particularly the validation of purchaser identity to reduce charge-back and fraud costs.

Succinctly, it seems the summation of consideration toward protecting the consumer/customer is “That’s nice… when we can manage it”… a distinctly ancillary thing.

Google’s efforts in particular are distressing to me as they seem to clearly indicate that they intend to drive adoption of this in ways very little different from how they have driven adoption of Google+… and with about as much understanding or tolerance for the diversity of need (or interest) in the world. It is not difficult to reasonably conclude that this will be the mindset of any such provider, or that adoption will be driven through the “usual” methods of generating fear, uncertainty, and doubt about the consumer/customer’s ability to protect themself. Frankly, I find that possibility quite unethical, at best, and bordering on the fraudulent at worst.

And if, as I suspect, Google’s mentality is in fact the “most popular” as well as the “most supported” within the auspices of NSTIC, I do not see how it is reasonable to conclude that consumer/customer choice, interests, or rights are being considered at all except to the extent they must to ensure acceptance and adoption (I mean, come on, this group didn’t get together to figure out how to protect consumer rights, they came together to figure out how to protect online revenue; that difference in motivation makes profound difference in orientation as well as in outcomes).

Jim also expressed concern about Google’s posture and pronouncements on NSTIC and shared with me that he ponders if Google+ will go the way of their “Wave” produce… a failed experiment/effort. He shared that he has been rather underwhelmed with Google+, saying he does “not find it especially compelling”. He admits that he too, thinks they want to be THE identity provider, but such a goal is (in his opinion) counter to MSTIC model as well as being precisely how Microsoft failed in pursuit of “Passport”. To which I replied:

What concerns me is how many people stay with them even when they are (a) concerned or (b) unhappy. It doesn’t exactly help my sense of alarm that most people will happily do nothing but complain until there’s nothing left for them to actually DO that can affect change at all.

While I focus on Google, I am well aware there are many companies active in the NSTIC effort. I am also aware that no one invited or is more than passively considering the perspective of groups like EFF, EPIC, and the ACLU in drafting policy or standard. Additionally, there remain a number of gaps (as outlined in the ACLU’s “dotrights” campaign) that are not being addressed legally or by the NSTIC’s effort at all. Defusing input over “the public” does tend to ensure that pointed requests such as would be provided by these groups is defrayed, wouldn’t you say?  As for me, I watch this tacit exclusion, so quietly effected, and find it the most disquieting and disturbing thing of all as a consumer.

As the old axiom goes, “The road to hell is paved with good intentions.” While there is no doubt in my mind that the NSTIC means well, it’s ultimate goal is not CONSUMER safety, it is COMMERCE and REVENUE safety and frankly, the refusal to keep the consumers primary and in the forefront of consideration automatically disqualifies the effort for me; it fails to address the fundamental reality that ALL commerce and revenue depends upon the trust and protection of those who engage in them and it seems to act as if ignoring this reality can bring anything other than a new and more odious manner of fraud and impersonation into being.

Mind you, I’m not spending any time on the OTHER matters (e.g., expression and speech overall; how the right to self-select identity outside of legal engagements allows for expression and speech, how this effort will both chill and repress such rights as “official id” becomes ascendant, etc.), but they are definitely there. That they too, are being largely ignored and swept under the rug of smoother commerce is easily as disturbing to me.