Uniqueness in the Eye of the NSTIC
Posted by 
Share this Post
Uniqueness isn't always as clear as a fingerprint
The White House released a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) on June 25th via the Whitehouse blog.
As I read through the strategy I kept thinking about a recent post from my colleague Marty Moseley, Uniqueness is in the Eye of the Beholder. The crux of Marty's post is there is not one right view of Marty as an Intuit customer but the view of Marty depends on who is asking the question - whether it is marketing, finance or the privacy officer.
The NSTIC is a strategy-level document and it is largely describing a high level plan for implementation of an Identity Ecosystem that is based on user-centric identity concepts. User-centric identity isn't new; the concepts are several years old but this document represents the government taking it to new level.
The NSTIC doesn't address uniqueness in the way Marty does. Granted they are somewhat different problems - one is identity matching the other is authentication - but I submit not addressing uniqueness is an oversight in NSTIC.
Proponents of user-centric identity (I will admit that I am one) would say the uniqueness comes when a person who is managing their über credential provides only the information necessary to complete the transaction. The commonly used example would include only my age, not my birth date, name, or address; then a trusted third party validates my age. Things are rarely that simple.
First I look at this from a breadth perspective. Marty uses an example as an Intuit customer: depending on who within Intuit is asking, there will be different, unique views of Marty.
Extend NSTIC to all the places you interact, multiplied by the number of views of you they might have. Whether I am interacting with government services or commercial services, the list becomes daunting.
Is it practical and reasonable to assume that there can be only one representation of me that meets the requirements of everyone I interact with and still remain unique enough to meet their needs and my privacy concerns?
Second, from a depth perspective, let's look at it just from the point of view of interacting with government.
Joe Citizen will have a unique view of himself as a tax payer to the IRS and as a citizen with the SSA. He may have a unique view of himself to the ATF as a Federal Firearm License holder, and perhaps a unique view to the FAA with a pilot's license.
Those are distinct and unique views of Joe Citizen to the government and each of these views has quite a lot of information records about Joe (i.e., a lot of data) that make up these views. Beyond the somewhat simplistic authentication examples, how will the depth of these views of Joe Citizen be treated in the identity ecosystem?
This is a complex area and the NSTIC is a draft strategy-level document. I suspect that as the strategy is refined, use cases are defined, and roles in the ecosystem are filled, we'll come across this topic again. In the meantime, kudos to the government for taking on a tough challenge.
7 Responses »
Trackbacks
- Tweets that mention Uniqueness in the Eye of the NSTIC | Mastering Data Management -- Topsy.com
- Did They Put a Man on the Moon? « Liliendahl on Data Quality
Leave a Response
Entries(RSS)
Good post, Jeffrey.
I am also a proponent of user-centric identity.
In his excellent book Pull
, David Siegel discussed the concept of The Personal Data Locker
, which would be your secure online account that stores all of your personal information, where it would be managed by who truly owns it—you.
You would grant permission to access the relevant aspects of your personal information to the vendors and other service providers with which you conduct business.
In most cases, the only personal information released will be your unique identifier (e.g., your OpenID or i-name—Please Note: these are only examples).
I definitely agree with you that this is a complex area and a tough challenge, but I also share your kudos to the NSTIC for starting to tackle it.
Best Regards,
Jim
As a strategy document, the NSTIC is long on ideals and intentions and somewhat short on details, but implementing mechanisms that help limit the amount of personal information disclosed for any given transaction to the minimum necessary to identify, authenticate, and authorize the user is an explicit guiding principle in the document ("Identity Solutions will be Privacy Enhancing and Voluntary for the Public" pp. 9-10) which aims to provide exactly the sort of uniqueness that user-centric identity proponents are seeking. The draft Strategy even uses a version of the "commonly used example" you mention in your post - noting that when a driver's license is presented to show proof of age, other personal information beyond what is necessary is disclosed to the party inspecting the license.
Hey Jeff -
Great post! Thanks for keeping us up to date!
The thing that bugs me in these discussions is that for law-abiding citizens the problem is difficult enough to manage. As you so well stated, the sheer number of permutations of how I choose to identify myself to myriad vendors, agencies, companies, social networks, etc. is daunting. And, do we put all this control into the hands of the individual (they can choose how to identify themselves, even though it might not work w/ a particular vendor)?
The corner cases that really bug me are those where someone intentionally uses different sets of PII to mislead or hide who they really are (not actually using their name or any variant but a made-up name, or a fake postal address, another person's phone, email addr, etc.) - even for valid and legal purposes. The one that really bugs is where someone steals someone else's identity to spoof them or cause them harm.
Those things wreak havoc on software that attempt to dump all PII for a person into the same bucket for comparison. It's possible for someone to pollute the PII on someone w/ so much flack that a software package sees no clear delineation between two different people, b/c the "bad guy" wants to blur the line and actually "mooch" off the identity of the victim.
Keep us thinking w/ another great post ok?
cheers, and well done!
Jeffrey, I think a have mentioned this a few times also on the Initiate blog before – but here I go again. Whether you like it or not, seen from a pure data quality point of view a national ID used for all citizen roles makes so many things much easier. We know this from 50 years of experience in Scandinavia.
I am currently involved in a data management program in Denmark. The client is within public transit.
For some intended uses you don’t have to know the precise identity of a passenger. For some other intended uses you must know the identity. The latter cases at my client include giving discounts based on age and transport need like when attending educational activity. Also when fighting fraud it helps knowing the identity. So the data governance policy (and a business rule) is that customers for most products must provide a national identification number.
Like it or not: Having the ID makes a lot of things easier. Uniqueness isn’t a big challenge like in many other master data programs. It is also a straight forward process when you like to enrich your data. An example here is accurately geocoding where your customer live, which is rather essential when you provide transportation services.
Henrik,
I see your point that it is so much easier to let the government take control with one silo. I believe though, others need to have a special ground to negotiate thier identities being digital and or physical.
What if we could use MyTransitiD.com to manage our transportation identity, and MyTravelID.com to manage your travel identity or MyCitizenID.com to .... But for your case MyNationalID.com could be that portal for all nations with preinstalled national ID schemas to interelationship those controlled identities.
Identities are like folders, you name them and forget them and search through them when you need to select one to act on. I wonder how your nations will adapt to the next generation user centric identity management portals.
Sometimes simple is just simple and just because a governent is the first to pave a path, does not mean you cannot stop at the light and make your own path.
At the end of the day, it should be a personal selection of who you select as your online and offline identity sponsors.
Food for thought.