As promised in my previous post, I’m going to tell you about how the National Strategy for Trusted Identities in Cyberspace (NSTIC) (pdf) envisions an Identity Ecosystem that is more protective of your personal privacy. Today, a vast amount of information about you is collected as you surf the Internet and conduct transactions. How organizations handle that information can vary greatly, and more often than not, it’s difficult to understand how your privacy will (or won’t) be protected.
To bring clarity and transparency to these practices, NSTIC seeks to establish clear privacy rules based upon the Fair Information Practice Principles (FIPPs) (pdf) that address the responsibilities of all participants in the Identity Ecosystem. The privacy rules must cover not only the circumstances under which participants may share information, but also the kinds of information they may collect and how it is managed and used. In particular, the rules must ensure that websites do not ask for more identification than they need. Of course, if you want to disclose more of your information to a website in return for services that you value, you will still be able to do so—but these protections will set the baseline behavior of Identity Ecosystem participants.
Yet we need more than just strong policies to achieve better privacy. We have an opportunity to design privacy directly into the fabric of the Identity Ecosystem. In fact, there are innovative technologies that will do just that. Consider this: in the physical world, people who show a driver’s license to prove their age also reveal their name, address, height, eye color, and other unnecessary information. Online, however, you could have a credential that uses a privacy-enhancing technology that would not reveal any extraneous information. For example, perhaps a teenager wants to participate in a chat room that is intended for adolescents between the ages of thirteen and fifteen. The teenager can use her Identity Ecosystem credential to prove that she is in that age range without revealing her date of birth or her real name. That way the teenager can be comfortable in her anonymity, and her parents can trust that the other participants are in her age range.
Identity Ecosystem credentials can also keep your credential provider from tracking all of the websites you surf, or log into. And unlike your driver’s license, which has a single identifying number on it, these privacy-enhancing technologies can enable you to log in with a different identifier for each website. That way, no one can create a centralized database that tracks all of your activities online through the use of your credential.
There is much work to be done to achieve the privacy-enhancing vision of NSTIC, and all stakeholders – from the private sector to privacy advocates – need to join together, but I am confident that having a system that provides more consumers with the convenience and confidence to conduct their business online, will be worth every bit of the effort.
Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President.