IDESG Newsletter #17
Table of Contents
Happy Data Privacy Day!
Today is International Data Privacy Day: a perfect day to reflect on the progress that IDESG has made in the last year and highlight our vision of work for the year to come.
The most significant organizational development has been the legal incorporation of the group as a not-for-profit corporation in the Commonwealth of Virginia - an important step to putting the organization on a sound footing as an independent, self-funded and sustained body - and its affirmation of core building blocks in its long-term strategy.
IDESG addresses an increasingly important international priority: removing the barriers to trusted interactions online and navigating a new identity-enabled online world. IDESG believes that this can only be done successfully when citizens, businesses and government act together - and the organization is structured explicitly to meet that challenge.
We have a vision of a world where people trust the security and privacy of online identification; and the exchange and use of personal data. Our mission is thus to promote secure, user-friendly ways to give individuals and organizations confidence in those online interactions.
Our unique value comes from integrating cross-sector industry leadership with individual privacy perspectives and public policy. This independent, collaborative partnership enhances choice, protects civil liberties and stimulates innovation.
Our priorities continue to reflect these challenges and objectives. In particular, in 2014, we intend to deliver a first framework of policies, recommended standards, processes and models that together will help shape the online identity ecosystem. In our efforts to develop a tangible "trustmark" that reflects this framework, we must not forget the central roles played by privacy and usability.
In order to achieve this priority objective, the organization itself needs to further develop and mature. Outreach and membership growth will be key to this as will some streamlining of our internal processes while preserving the unique multi-stakeholder and multidisciplinary nature of the body.
The diversity of our membership - and their active and thoughtful engagement in our work - remains our greatest strength and provides valuable opportunities to spread the word and the work into all areas of society, government, business, education, and services. There is a growing awareness both of the core messages of our work and - importantly - that those core messages are increasingly relevant and critical, as we have seen over the last six months in particular. The value of contributions from IDESG and its members are already being felt in areas as diverse as health care and defense.
As in any organization, we also rely on our leaders. There are a couple of vacancies in committee leadership posts and organization-wide elections will shortly be underway for the Plenary officers and the entire Management Council in accordance with our rules. Do not hesitate to put your name forward and help make a difference at a critical time for privacy, security and trust in our increasingly connected and online world.
Peter F Brown
President and Board Chair, IDESG Inc.
7th Plenary Recap: IDESG Holds 1st Plenary Meeting as an Incorporated Non-Profit Organization
History was made a few weeks ago as the Identity Ecosystem Steering Group (IDESG) held its first plenary as a newly incorporated independent entity: IDESG, Inc. Georgia Tech Research Institute (GTRI) pulled out all the stops to make attendees feel warm and welcome during the unseasonably cold week. Together, GTRI along with meeting sponsorsAuthentify and LexisNexis provided top-notch catering of all meals and snack breaks to attendees. Highlights of the meeting included: a keynote from Andy Ozment, Senior Director for Cybersecurity for the White House; a special report from the Trust Framework and Trustmark (TFTM) Committee on an Identity Ecosystem Iterim Concept; an Overview of the UK's Identity Assurance Program presented over the phone by David Rennie of the UK Digital Service Cabinet Office; and presentations from the newly selected 2013 NSTIC Pilots.
Although the meeting officially started at 1:00 p.m. on Tuesday, January 14, the Management Council held a meeting at GTRI that morning. In lieu of an IDESG Orientation Session, an orientation PDF document was prepared for new participants in the IDESG.
Day 1 - Tuesday, January 14
On Tuesday morning, a focused TFTM working session was held on their "Requirements Mapping and Analysis Paper."
Welcome - Bob McGrath, GTRI Director
At 1:00, Bob McGrath, the Director of GTRI gave a warm welcome. He thanked members for their contributions and noted he was "impressed with the constituents in your community consisting of technology companies, commercial business, legal and policy sectors, privacy advocates, and government, all working together to define and evolve the future Identity Ecosystem."
Welcome - Bob Blakley, Plenary Chair
Bob Blakley, Plenary Chair, officially opened the meeting to an audience of in-person and remote attendees. He briefly noted what has already been accomplished by the IDESG so far:
Blakley concluded by noting that the IDESG is at a crucial transition point right now. Incorporation is complete, nominations for the next round of officers is underway, and the work item list is established. There is a lot of very important work to be done in 2014.
Speaker Introduction - Jeremy Grant
Jeremy Grant, NSTIC NPO Director, then introduced keynote speaker Andy Ozment. He is the Senior Director for Cybersecurity at the White House and one of two deputies to the Cybersecurity Coordinator. At the White House, Andy leads a team to develop national policy and coordinate federal cybersecurity efforts in the areas of critical infrastructure protection, legislative proposals, executive branch security, privacy and civil liberties, information sharing, and incident response. In a previous stint at the White House,Andy led the effort to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Keynote - Dr. Andy Ozment
Ozment said as one involved in the drafting of the NSTIC it is "amazing to see how far we have come. Some of you are frustrated that we aren't moving faster, but it's important to highlight that this is a very tough set of problems...that's why we're all here." He also mentioned that at the White House, they are focused on four significant risks to the nation: 1) attacks against critical infrastructure, 2) traditional espionage, 3) cyber-enabled economic espionage, and 4) threats to the freedom, openness, and interoperability of the internet. The White House is focusing on five priorities to address these risks: 1) improve incident response, 2) security, 3) engage internationally, 4) shape the future, and 5) protect critical infrastructure. The IDESG is an "opportunity to get something right in cybersecurity. That being said, every day that we don't have a framework is another day our adversaries move ahead." He said the IDESG is "tackling one of the most pressing issues that we face online today. You all know that. You live it every day in your lives as consumers. You see it every day in the newspapers and read about another breach where authentication was involved." Ozment closed with a challenge to the IDESG to keep its foot on the gas, he urged members to "maintain a sense of urgency to see the Identity Ecosystem Framework to fruition and life."
Afternoon Committee Breakout Sessions
That afternoon, the Healthcare Committee, TFTM Committee, and the Taxonomy Ad Hoc Group each met in breakout rooms also set up for remote participation. The TFTM Meeting was led by David Temoshok who discussed an Interim Trust Mark/Listing Approach Paper. The paper will define 2-4 existing/potential approaches to Trustmark/Listing Services and the legal, administrative, and operational implications for each. More details found at: https://www.idecosystem.org/wiki/TFTM_01-06. Download TFTM Meeting Presentation.
NSTIC NPO Update - Jeremy Grant, NSTIC NPO Director
Jeremy Grant, NSTIC NPO Director, congratulated the IDESG on a successful 6th Plenary Meeting that quickly transitioned to a virtual event in light of the government shut down. "Turning what could have been a real disaster into a terrific and productive three days...all without our involvement at all..was encouraging and I viewed it as a sure sign that the IDESG has become a privately led organization." Grant also mentioned the exciting milestone of being incorporated as a 501 (c)(3) last fall and what an important step it is to have already started engaging in plans to raise funds on its own. Grant then discussed four main items:
Management Council and Board of Directors Update - Peter Brown, Management Council Chair
Peter Brown, Management Council Chair, gave an update on recent Management Council and Board of Directors tasks. A lot of time has been spent looking at initial governance issues and fiduciary responsibilities of the new organizational structure. The board had its first meeting to elect corporate officers. Peter Brown was elected as President and Chair of the Board, Kay Chopard Cohen was elected as Corporate Secretary, and Kim Little was elected as Corporate Treasurer. Brown said that the core issues of incorporation, transitioning to a self-sustaining organization, membership fees, and strategic planning are all responsibilities of the board and have been "marked by extensive consultation with the plenary." One question that has come up is whether the IDESG needs both a Management Council and a Board of Directors. Brown said that they need to look at the issue and will need to "come back to the plenary with some specific suggestions." He also mentioned that the Management Council and Board need to think about how they can "engage with and across the committees in helping to drive the work forward," and how they can link the work of the committees together, support committee leaders, and help them understand their function so they don't get too caught up in processes. Brown closed by mentioning the need to look at the potential risk of having no continuity among the Management Council from one year to the next. Every organization needs some continuity, so the issue may call for a rule change.
During a November online planning meeting a straw proposal for an IDESG membership fee schedule was discussed. After the meeting, the Management Council and Board received many comments during the two week comment period. After reviewing the comments, the decision was made to find a better approach since the proposed schedule was not supported. In the short term, NIST will provide a funding opportunity to help cover interim operational costs.
Some of the input received included:
Review of Strategic Planning Process: this past summer, outside consultants drew together the input from the plenary membership from a variety of meetings and comment periods. Following the comment period after the last Plenary, working drafts of the mission statement, vision, and value propositions were finalized.
Chopard Cohen closed by stating that the three next steps for 2014 are 1) develop a messaging and communications framework, 2) fully develop our value propositions, and 3) review organizational alignment with the strategic priorities.
New Direction for IDESG Inc. Communications and Outreach Effort - Jim Barnett, Communications Subcommittee Chair - Download Presentation
Day 1 was concluded by a Chairs Meeting and Debrief.
Day 2 - Wednesday, January 15
TFTM Committee Report - Download Presentation
Day 2 began with brief presentations by the "Birds of a Feather" Lunch Session leaders describing their proposed sessions. Next the TFTM Committee Chair, Jack Suess, and Vice Chair, Andrew Hughes presented a Committee Report on a Committee-developed approach paper for an Interim Identity Ecosystem. The presentation covered the generalized approach of the committee, its work plan, deliverables, progress to date, and plans for the next quarter. This overview included the ID Ecosystem Concept, a decision-making matrix, and IDESG choices and priority setting.
An Overview of 2014 Plans for the UK Identity Assurance Program - David Rennie, Identity Assurance Programme, Government Digital Service, Cabinet Office
In his talk, Rennie explained that the UK Identity Assurance Program focuses on coordinating across various government departments, for example the pension and tax collecting departments, the health sector, etc. They are pursuing a policy called "Digital by Default." This came about after a report showed that what is required is not small and incremental change, but a revolutionary approach in the way the public center things about digital, "revolution, not evolution." Rennie said, "we have to think about designing all public services from the ground upwards to be digital first." The goal is to have 600,000 digital identities registered with government services. They are being as transparent as possible with the program and everything is published at http://www.gov.uk. They have formed the Identity Steering Group (IDSG) and also have government funded projects that are similar to the NSTIC Pilots.
Birds of a Feather Sessions & Committee Breakout Sessions
During the lunch hour, Naomi Lefkovitz gave a presentation on FCCX. In another breakout room there was a session titled "Discussion of NSTIC Appropriate Concepts for Anonymity and Pseudonymity." Immediately afterwards the Healthcare Committee and the International Coordination Committee held meetings and there was a Joint Functional Model, Security, and TFTM Meeting. After a break, the Privacy Coordination Committee held an open session, the Standards Committee held a meeting focused on the Standards Adoption Process, and a Joint TFTM and Security meeting held a deeper discussion on the Identity Ecosystem concept presented earlier in the day.
The day concluded with a chairs meeting and debrief.
Day 3 - Thursday, January 16
Thursday began with the much anticipated presentations from the new 2013 NSTIC Pilots. Jeremy Grant, NSTIC NPO Director, served as moderator. Please click the links below to access video recordings and download the presentation files.
Privacy Coordination Committee - Stuart Shapiro. During their breakout session, the Privacy Coordination Committee ratified version 1.5 of the Privacy Evaluation Methodology. In this version they added a middle group workflow so rather than only having the option of blessing a work product or running a full blown evaluation on it, they now have the option of sending comments to the originating committee and giving them a chance to make changes. They are working to review the first edition of the Taxonomy work and trying to finalize comments on the current crop of use cases. The use cases are not going through the formal review process, instead the committee is trying to identify privacy issues that pertain to the scenarios described in the use cases. The Privacy Coordination Committee is now turning their focus to the "Proactive Privacy Guidance Document", previously titled "Prviacy Articulation Document."
International Committee - Don Thibeau. The International Committee built an inventory of "things in the world similar to NSTIC." They drafted it knowing it would be an evolving document. At the same time, others in the community also compiled similar kinds of lists. This year the committee began bridge building with a variety of international organizations. One of the committee's goals is to be the vehicle by which global partners learn what the IDESG is doing and also bring back conversations from these partners to inform what the IDESG does.
Security, Taxonomy, and Functional Model reports - Adam Madlin -
Healthcare Committee - Tom Sullivan. The Healthcare Committee used their first breakout to have a presentation from one of the older NSTIC pilot projects, the American Association of Motor Vehicle Administrators (AAMVA). Sullivan said he "appreciates the growing emphasis in the IDESG on the healthcare problems and some of the solutions that are being offered." Sullivan discussed in-depth the one use case the committee has sent to the Privacy Committee titled "Health IT Record Location Service." In its breakout session, the committee discussed the Prescription Drug Monitoring Program (PDMP). Each state has one of these programs. Although they are run by each state, the Office of the National Coordinator has a weekly webinar about what each state is doing. The committee sees its role as making sure that the parties involved understand what the NSTIC is and understand what different parts of the government are doing so that silos within narrow agencies are avoided.
Standards: Standards Adoption Process meeting - Ann Racuya-Robbins - Download Presentation
Standards: Use Case Ad Hoc Group - Scott Shorter - Download Presentation
TFTM Committee - Jack Suess. During the next three months the Committee plans to provide an updated version of the Interim Report presented earlier in the plenary. The first release is planned for February 3. Suess said, "You will see the product continue to be refined." He invited those with comments, suggestions, or changes to attend the TFTM Committee Meetings on Wednesdays at 1:00pm ET. The committee had good conversations during the week about how to begin integrating the work of the NSTIC pilots and other committees into the document.
Communications Subcommittee - Jim Sheire. If any IDESG members would like to engage and help out with external communication, media relations, traditional media, and other forms of communications, contact Jim Barnett. It is important to find communications professionals from the member organizations to supplement the IDESG's current capabilities.
Human Trust Experience - Ann Racuya-Robbins - Download Presentation
Anonymity and Pseudonymity Meeting - Bob Blakley. During lunch, this Birds of a Feather Session focused largely on which types of transactions could be performed anonymously and under what sets of terms and conditions. They also discussed interference and leakage of information as well as what it means for identification to be voluntary.
Mark Your Calendars!
Symantec - Mountain View, CA
IDESG 9th Plenary Meeting - June 25-27, 2014
NIST - Gaithersburg, MD
Additional information is forthcoming and will be posted to www.idecosystem.org.
The Call for Nominations is Open Until February 1, 2014
Election of At-Large Positions (Ballot 1) will commence on February 13, 2014 at 8:00 AM (ET) and conclude on February 19, 2014 at 8:00 PM (ET).
Election of Stakeholder Category Delegates (Ballot 2) will commence on March 19, 2014 at 8:00 AM (ET) and conclude on March 24, 2014 at 8:00 PM (ET).
Please see the following links for more information:
If you have any questions about the elections, please firstname.lastname@example.org.
ATTENTION COMMITTEES! Update the entire IDESG on your progress in the next newsletter by emailing email@example.com.