On NSTIC and the Personal Data Economy


Posted by Neil Wilson on 1/6/12 4:23 AM

The National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative launched last year has been an interesting topic to follow. If you’re not familiar with the initiative, then I recommend checking out this article by Alex Howard from O’Reilly: “A Manhattan Project for online identity”. It succinctly sums up the vision and challenges of the initiative from multiple perspectives. Anytime you mix together the words “National”, “Trusted”, and “Identities”, alarm bells sound off for those keeping tabs on the reach of the U.S. Government into the private sector. For this reason alone, this initiative has garnered considerable attention. While this is clearly not a call for a nationalized online ID system for the U.S. – as was the most prominent fear expressed by naysayers – it does, nonetheless, raise concerns about the effects that the acceleration of the status quo in federated identity might have on individual privacy.

This argument is laid out well in the whitepaper produced by Identity Finder. The basic premise is that while NSTIC does a good job of outlining a strategy for developing a “national framework of independent and interoperable federated identity systems”, it falls short of spelling out specific policy (national legislation) that will ensure the privacy preserving principles that it lists as one of the guiding principles. In the status quo, federated systems are already in widespread use and the collection and monetization of personal data is already a multi-billion dollar industry. Most of the transactions involving this data today are occurring behind the scenes, primarily for the benefit of better marketing. As the argument goes, if NSTIC is successful, then we’ll simply see more of what we have today, as well as transactions based on new business models enabled by a wider reaching, more standardized ecosystem – and therefore less privacy for the individual. While I agree with the premise outlined in the paper, solving the regulatory problem is far beyond the scope of NSTIC. And to be fair to the authors, I’m not suggesting that they place the burden squarely on the shoulders of NSTIC. The reality is that we may have a “fail faster” proposition, and the further adoption of federated identity systems under the current status quo might be the catalyst for that change. Unfortunately, the stakes are high. As a result of these negative forces on privacy, an entirely new industry is being born to put the individual back into the flow of the transactions involving their personal data. Although I don’t really like the name given to the movement by Forrester – Personal Identity Management – their report on this topic does a good job of describing the driving forces that are at play. One might consider this to be the free markets response to the privacy concerns that are driving the calls for regulation. As is the case in most situations, it will take a little bit of both (market innovation and a regulatory framework) to resolve this one. Also, it should be stated that this problem is viewed and addressed differently across international boundaries. But beyond the real privacy concerns, which again are pre-existing conditions, the benefits that a comprehensive strategy of this caliber at the national level could bring are immense.

There is no doubt that personal (identity) data is valuable. Whether it is leveraged as a means to execute a business transaction, as is this case when we leverage a username, password, and profile data to purchase a book from an online retailer, or it is the subject of the transaction, there is value in this data. For further reading on this topic, checkout the report published by the World Economic Forum (image on the left) – “Personal Data: The Emergence of a New Asset Class.” The question “Is Personal Data the New Currency” was recently posed by David Zak on one of the blogs hosted on the Technology Review.

I agree with David’s assessment that there is a bit of hyperbole at play here, but let’s not let that take away from the fact that new markets are being formulated around this currency. A sizeable market exists today and the changes that are taking place as result of the work being done by NSTIC, the Personal Data Ecosystem, Open Identity Exchange, and countless others, will open the doors to new markets for this data.

As a technology vendor that is building products to help companies participate in this new marketplace, we are both excited by the growth opportunities it presents and humbled by the technical and policy challenges that must be overcome to ensure that personal data is capable of flowing in these transactions in a secure, privacy-enhancing manner. We started down this path by building a customer data platform (or Identity Cloud as defined by the post) that is designed to help service providers (Telcos, Cloud Service Providers, and Enterprises) unify their customer’s personal (identity) data and make that data readily available to applications or services they offer in a real-time fashion. Data accessibility in this context is primarily about Internet-facing applications accessing this data from behind the firewall. As we move forward as a company, we are investing in solutions that will help to make this data accessible to third-party providers and applications outside of the firewall leveraging many of the technology standards for this purpose that exist today. That is what is at the heart of the new Identity Ecosystem being proposed by NSTIC and the broader market. Needless to say, it’s an exciting time to be in the Identity Ecosystem.

Topics: Data Management , Privacy and Preference Management