In Obama Administration’s People-Powered Digital Security Initiative, There’s Lots of Security, Fewer People
BY Sarah Lai Stirland | Thursday, March 27 2014
President Obama in 2011 launched an ambitious initiative to rid our digital world of passwords and replace them with new systems with which to identify ourselves. The goal was to make our digital accounts and transactions less hackable and prone to fraud.
As Bob Blakley, Citigroup’s director of security innovation, put it: “[The National Strategy for Trusted Identities in Cyberspace] is a unique opportunity; it’s the first time a government has offered to accept identity credentials of the citizen’s choice, rather than to impose credentials on the citizens.”
Blakley has been chairing the meetings of the “Identity Ecosystem Steering Group” (IDESG), the non-profit citizen-private sector body that is responsible for making recommendations pertaining to the legal policies, technical standards, and protocols of the new so-called identity ecosystem.
But three years into this supposedly citizen-powered process, Kaliya Hamlin, one of the group’s own management council members, and a privacy activist and conference organizer, is charging that the effort is less diverse and inclusive of the citizenry than it should be, and instead is being overtaken by the executives in the digital-security industry. Hamlin says that the group has not done the necessary legwork to seek out the range of input needed to create a set of authentication choices that would fairly accommodate everyone.
“This group does not currently have any member organizations who explicitly represent women, people of color, LGBTQ, persons with disabilities, immigrants or youth members,” she wrote in an e-mail she is circulating online. She has also aired her concerns with the leadership of IDESG, she said in an interview, but has received no substantive response.
“There is a danger that without the input of regular people (and organizations that represent them) we could end up with a very restrictive digital identity system,” she explained in a write-up on her concerns that she’s distributing to allies via e-mail. “Just as pre-civil rights voting rules limited the rights of African Americans, Latinos and the poor to fully participate at the polls, this digital identity system could restrict everyone’s ability to participate in everyday activities online.”
The group is scheduled to meet in person April 1-3 at Symantec in Mountain View. Hamlin wants a more diverse group of people to participate, and is using this meeting as an opportunity to spread the word to the more technically-minded residents of the Bay Area to start paying attention and get involved. Membership and participation in the IDESG is open to anyone.
There’s no one agreed-upon system to replace passwords. The goal of IDESG and its sub-committees is to come to cross-industry, standardized understandings of basic concepts, policies, terminology, protocols and security processes so that organizations in both the private and public sector can work effectively together to authenticate individuals engaging in critical transactions. The committee will then make recommendations to the administration based on this work.
Hamlin’s point is that those who are sometimes at the margins of society, and their interests, should be more involved in the creation of such a technical infrastructure since software code can often have the same force of effect as legal code.
To be sure, the American Civil Liberties Union, the Electronic Frontier Foundation and the Electronic Privacy Information Center are listed as members of IDESG, and staffers from those organizations have participated in some of the meetings. But even the EFF’s Senior Staff Attorney Lee Tien acknowledges his own and his colleagues’ limitations.
“It seems quite reasonable to say, well, they ought to be looking at how this [initiative] could affect them. We think about those issues, but it would be good to have a broader base of people rather than us self-appointed guardians of Truth, Justice and The American Way,” he said in an interview.
A coalition of civil and human rights groups, including the NAACP, the National Council of La Raza and 12 others, recently issued a statement generally setting forth their vision of civil rights in the era of big data.
That statement articulated five principles of fairness that should be ensured in our information-driven society. Of particular relevance in this context: the principle of allowing individuals to exert more control over who holds their personal information, and what those entities do with it.
Yet there’s a conundrum facing these groups. They don’t have the time, resources or expertise to participate, Tien said. They’re too busy dealing with more immediate concerns, rather than with projects that appear much more abstract to them.
“Sometimes, the only reason I can function [in dealing with these issues] is that I have a staff technologist helping me,” he said.
Jim Barnett, a senior strategic advisor at the AARP, and a board member at the IDESG, acknowledges Hamlin’s point. But he says that the job of explaining what the IDESG does, and why it’s important that these groups should come to represent their members at meetings, is just another to-do item.
The group welcomes their participation, but over the past year “it became clear that the value of IDESG was not immediately clear to legacy membership and advocacy organizations and why they should be part of this, and we’re working on that,” he said.
“The way you identify yourself is going to be so different five years from now,” he said. “We need to have many consumer organizations watching what’s going on, to make sure that their members are protected to transact generally on the Internet in a way that they can be confident.”