Conversation continues; I’ve resorted to using our initials to keep things in context. Content indented and in blue are my previous comments that Jim is responding to…
On 8/31/2011 2:40 PM, Jim Fenton wrote:
On 08/31/2011 07:29 AM, B.L. Nadri wrote:
When I consider how Google in particular is maintaining many of their users simply through weight of popularity and entrenchment of services, the reality of how simple it will be for this to become mandatory AND for it to do so without actual government backing (which accords the related legal protections and recourse) frankly, is frightening to me.
As I’m sure you are aware, “being directed by…” is NOT the same as “being accountable and responsible for…” and it disturbs me to see government deliberately seeking to avoid accountability and responsibility when it would actually benefit the consumer (particularly in availing themselves of remedy) for them to assume both. Also, that it is already clear that any conflict in this future arena will not find consumer protections but, instead, will languish in the courts (when they can effectively be brought for consideration at all).
JF: I don’t follow this…how is the Government attempting to avoid accountability and responsibility?
BLN: By setting corporations between themselves and the consumer, by “directing” but not holding any direct responsibility (nor offering any clear recourse) to the consumer for instances of abuse, failure, etc; by enabling and empowering corporations without equally enabling and empowering consumers, frankly.
In fact, it feels very much like the same “Don’t like it, don’t use it/leave.” posture of Google lately… you might imagine how that comes across.
I don’t know about you, but being able to call upon the FCC/FTC and know they will investigate, respond, and act when appropriate on my behalf certainly trumps being stuck in a situation where my only option is to haul GIANT CORPORATION X into court and hope I have the funds and wherewithal to effectively seek redress.
I see nothing in the NSTIC information thus far that speaks to these aspects of consumer rights or how issue resolution would proceed. That is a concern and, in my opinion, a real oversight. I dislike intensely the notion that my right of redress and legal recourse may be getting co-opted out from under me in this process.
JF: The Government is walking a fine line here: On one hand, they function like a really big business. I once spoke with a gentleman from the Department of Education who said they have 50 million student loan accounts to manage, and would like people to be able to manage them online. It would be a huge efficiency if the Government didn’t have to enroll and manage credentials for each of them. On the other hand, there are real civil liberties concerns in the US if the Government were to try to manage an identity system for use by others.
BLN: I think this certainly speaks to the point; if the government is so aware that there is a real impact to civil liberties should THEY attempt this, why on earth should/would anyone think there could be LESS impact if corporations undertake it (particularly at the government’s behest)? Succinctly – this is a known issue for civil liberties and, to date, there are many options other than the current track of NSTIC and government to attempt redress; why such a blatantly authoritarian approach when you and I both know that less threatening (i.e., less intrusive, chilling, etc) possibilities exist?
JF: One thing I have found is that the answer to the question of who should operate an identity system is very culture-dependent. I work with a guy from Finland, who after we had been discussing this for quite a while, asked, “Why doesn’t the Government just operate the identity system?” We have big concerns about National ID Cards, but seemingly everyone is happy with them in Finland. It comes down to a question of who you trust, and different cultures and individuals trust different things. That’s why I’m happy that the principle of choice has so much emphasis in the NSTIC.
BLN: Frankly, there are a number of issues in this mix and what works for one doesn’t at all work for the others. If the government wanted to extend my social security card as a token of online identification, I’d respond by saying, “It already works as that.”
At the moment, they are saying, “You need another token of online identification?” So my response is simply, “Why?”
(Of course, I remember, my social security number has all manner of protections associated with it, all of which save it from the kind of tracking and exchange that seems to be behind the NSTIC effort. So here is the point at which distrust and suspicion kick in for me…. because I WANT those protections and avenues of recourse.)
A question I asked that no one seems to want to answer remains, “Why, exactly, do I *need* an identity service online?”
I hear, read, and see plenty of reasons why companies and government want very much for me to have one, but I have not yet seen a single reason that serves me, the consumer, beyond “convenience”.
Frankly, that one’s a bit lop-sided for what I potentially give up to “gain” it (there’s no guarantee it actually would be more convenient and, of course, no way to gracefully exit should it prove not to be). That’s a concern.
I do not find it sufficient to have providers who support and protect privacy “as an option” amongst a larger pool of providers. The conflicts that such a dichotomy cannot help but raise over time make the entire system ultimately untenable to my mind.
JF: I don’t see the problem. People have different priorities and different privacy needs. Some people would trust only the ACLU; others wouldn’t trust the ACLU at all.
Further, I do not find it obvious or even supportable that an “identity provider” is necessary except to the extent that, obviously, identity theft and fraud are odious (but obvious and ongoing) threats to commerce in general. Which raises the next assertion / contention / objection: This effort as it stands is operating on logical fallacies, to wit, the slippery slope and perfectionist fallacies.
JF: The identity provider fulfills an important privacy function by asserting different identifiers to different relying parties so that they can’t easily aggregate information on people (a principle known as Directed Identity). I made an effort to answer this question for someone else a few months ago at http://blogs.cisco.com/security/identity-intermediaries-and-the-nstic/
BLN: I do not see any function they might fulfill that I could not (and do not already) fulfill myself (as above stated). It is also worth noting that, were appropriate opt-in and opt-out mandates and consumer privacy/related protections a la the “dotrights” campaign in place, this (tracking and aggregation) wouldn’t even be an issue, which makes this seem more than a little like taking a sledgehammer to a fly or using that lack to push a decidedly more intrusive agenda.
I think we may wind up agreeing to disagree here; I just do not see how identity service works better to redress matters for consumers than appropriate legislation. Of course, I realize that the interests of the NSTIC and corporations at large are pretty much stacked against the consumer’s rights overall… but that just underscores the point and the concern.
The worst part? This is happening under the guise of consumer protection when, in reality (as demonstrated by reviewing the information), this effort would be far more accurately depicted as protecting revenue generating transactions and the systems that support them; particularly the validation of purchaser identity to reduce charge-back and fraud costs.
JF: I don’t see reductions in chargebacks and fraud as being counter to consumer protection.
BLN: Of course not, but when corporate interests conflict with consumer choice and privacy, particularly in activities and efforts like NSTIC or government, you know as well as I do that without the weight/support of law, the consumer loses.
My point is that the focus is NOT protecting consumer choice and privacy except to the extent that it protects corporations from fraud and liability. My point is that there ARE divergent interests at stake and my concern is that consumer interests simply are not being considered as they should be, AND that it is highly unlikely they will be until/unless folks like the EFF, EPIC, and the ACLU are equal partners in the discussion rather than relegated to submit comments and hope for them getting attention (let alone find adoption).
Case in point – I haven’t heard a peep from anyone in relation to EPICPrivacy’s submission and there are highly relevant items in that submission which do not seem to be finding attention or traction with NSTIC.
While I focus on Google, I am well aware there are many companies active in the NSTIC effort. I am also aware that no one invited or is more than passively considering the perspective of groups like EFF, EPIC, and the ACLU in drafting policy or standard. Additionally, there remain a number of gaps (as outlined in the ACLU’s “dotrights” campaign) that are not being addressed legally or by the NSTIC’s effort at all. Diffusing input over “the public” does tend to ensure that pointed requests such as would be provided by these groups are defrayed, wouldn’t you say? As for me, I watch this tacit exclusion, so quietly effected, and find it the most disquieting and disturbing thing of all as a consumer.
JF: I don’t know all the organizations that are involved, but I note that Jay Stanley of ACLU spoke on a panel at the NSTIC Governance Workshop in June and that someone from CDT spoke at the January event at Stanford.
BLN: I don’t mean to sound snarky, but “speaking at” is not the same as “being included in the decisions of” and that is precisely the difference I’m pointing at and finding so disturbing.
JF: I don’t know if this works for you, but the next NSTIC workshop is scheduled for one day of the Internet Identity Workshop in Mountain View, California in mid-October. It’s an opportunity to interact with the NSTIC people and the identity community more generally. More information at: http://www.nist.gov/nstic/upcoming-workshops.html
BLN: I wish I could; life and schedule don’t permit. But I can and do track this pretty tightly. The things that result from all this activity will have considerable impact on both how and if the Internet remains a healthy, viable venue for consumer activity, choice, and privacy.
JF: P.S. You may quote this message.
BLN: Thanks for the explicit permission, Jim.