How do Different Technologies Align with the 4 NSTIC Guiding Principles (W4C)

Session Topic: NSTIC Privacy

Convener: Jeremy Grant

Notes-taker(s): Iana Bohmer

Tags for the session - technology discussed/ideas considered: 

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

This was an open discussion on privacy. Below are the comments that were made during the session from participants:
 * There is the appearance that the Federal Government may be pushing privacy policies on IDPs that go beyond the law. However, the issue is that there are no laws yet in this area so there is the chicken-egg problem. The expectation is that privacy policies would emerge, and possibly be enacted into law, as a result of the orderly development of the Identity Ecosystem.
 * It would be very important that IDPs would have appropriate incentives to implement privacy safeguards.
 * On the user side, success will depend on mitigating users’ suspicions of conducting transactions in cyberspace and how their identities will be used.
 * Jeremy introduced the concept of having an established set of privacy defaults and how are these defaults explained to the users, as an example of increased transparency within the identity ecosystem.
 * The Federal Government has not made any decisions on the privacy model. A key concept of NSTIC is transparency with respect to privacy practices.
 * Individuals may have the right to exchange information with a default to ensure that requirements will be the minimum necessary to conduct any given transaction.
 * Depending on how the model is built, it may limit the IDPs ability to participate, because they may not have all the information/attributes on an individual to conduct the transaction.
 * Recommendations that are in the NSTIC strategy weren’t developed in a vacuum. And currently there is a lot of discussion on the Hill regarding privacy.
 * NSTIC is a policy experiment. While it is a document with the president’s signature, it isn’t a law.
 * NSTIC lays out a vision that would build on FICAM, but it would still be based on private sector.
 * Participation in the Identity Ecosystem is a choice that every company will make regarding participation because participation is voluntary.
 * The Government’s goal and reason for its involvement is to allow cooperation in solving these problems rather than have laws/regulations come down with a hammer.
 * Common thread in NOI responses is that government should serve as the privacy advocate for individuals.
 * Potential tradeoff between user privacy and business utility needs to be researched. Need to put forth the business case for private sector stakeholders.
 * There are many organizations, not just individuals, who care about privacy protections because they serve these individuals as their customers.
 * The user needs to be able to trust in the identity ecosystem. One idea is to have the IDP act as the main party that the individual trusts. The IDP could take the role of sanitizing the data to suit the customer desires based on the transaction type. Individuals will weigh the value of the service based on what privacy safeguards are provided.
 * It will be important to clearly define levels of privacy and be able to implement then with privacy-enhancing technologies. But several commented that the Government can’t make the bar too high right at the beginning.
 * Several participants made the comment of how traditionally NIST has not be open to discussing privacy enhancing technologies, that it seems as though there has been more interest in privacy from the private sector than from the Government.