There was a Fast Company story a couple of years ago about the emergence of a “Sharing Economy,” and the necessity of trust:
Almost all of them require profiles for both parties and feature a community ratings system.
But these ratings would carry far more weight if they traveled with you across the web… Startups like TrustCloud would like to become the portable reputation system for the web. The company is building an algorithm to collect (if you choose to opt in) your online “data exhaust” — the trail you leave as you engage with others on Facebook, LinkedIn, Twitter, commentary-filled sites like TripAdvisor, and beyond — and calculate your reliability, consistency, and responsiveness.
Emergent By Design has also discussed Facebook developing into an arbiter of trust on the Internet:
Every time you upload a photo, make a comment, add a friend, click a link, or make a purchase, that data is being harvested to create a map and a simulation of you. This is tremendously valuable information, and Facebook gets that…
If the trend continues where logging in via your Facebook profile is the simple method for verification, some speculate this could lead to Facebook evolving to being an actual utility for identity…After all, if people are willing to trust sensitive data to Facebook, companies could use that info to offer better rates on car or health insurance, or help you secure a loan, via the platform. While this could seem convenient for the average user, it does carry serious implications in terms of how governments will respond.
How will governments respond?
The US government responded this past week with the National Strategy for Trusted Identities in Cyberspace (NSTIC): “Enhancing Online Choice, Efficiency, Security, and Privacy.”*
The “Identity Ecosystem NSTIC”
In an effort to develop trust and promote security the US government wants to help foster and develop “The Identity Ecosystem.” An online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices.
The Identity Ecosystem has four principles:
- Identity solutions will be privacy-enhancing and voluntary
- Identity solutions will be secure and resilient
- Identity solutions will be interoperable
- Identity solutions will be cost-effective and easy to use
This system will not be created or managed by the US Government but rather be guided and shaped by the government through the development of standards, interoperability, and the like.
Goals and Benchmarks of the Identity Ecosystem
Proponents of the Identity Ecosystem will note that participation is not mandatory and that it is an opt-in program, however, if you dig deeper into the (NSTIC) it’s goals are clearly laid out:
Even more telling are the benchmarks established to determine whether or not the system is a success:
Interim Benchmarks (3-5 years)
- There exists a growing marketplace of both trustmarked, private-sector identity providers at different levels of assurance and private-sector relying parties that accept trustmarked credentials at different levels of assurance. This relying party population is not confined to just one or two sectors.
- The number of enrolled identities in the Identity Ecosystem is growing at a significant rate, and the number of authentication transactions in the Identity Ecosystem is growing at least at the same rate.
Longer-term Benchmarks (10 years)
- A majority of relying parties are choosing to be part of the Identity Ecosystem.
- A majority of U S Internet users regularly engage in transactions verified through the Identity Ecosystem.
- A majority of online transactions are happening within the Identity Ecosystem.
So in ten years, the US Government envisions that the majority of Internet users will be using a online identity system whose underlying structure has been developed in conjunction with the Department of Commerce and the Department of Homeland Security.
And while participation is voluntary at the moment, what about in ten years when the majority of Internet users are participants in the system as the US government imagines? Will Amazon or a bank refuse to do business with users who don’t participate in the programs?
There is also no clear guide as to how US courts will approach the issue. Just last week, the Texas Supreme Court held that identities of anonymous bloggers should not be disclosed. What happens when the Identity Ecosystem is prevalent?
The Identity Ecosystem and Electronic Discovery
Here is a depiction of the Identity Ecosystem from NSTIC:
A case comes across your desk involving any type of online transaction or communications, litigation ensues, and you proceed with discovery. Who has what information?
Bits and pieces of individuals’s identities are going to be strewn about dozens of systems. Where are all these systems located? These systems will not exclusively be in one state or even country. Who do you subpoena in the above illustration and how?
If a dispute arises in the United States, and relevant data is stored in Ireland and India – whose law applies? In this Information Ecosystem a dispute over a transaction at Starbucks could involve multi-national electronic discovery.
The companies that provide Identity Ecosystem services as well as companies that participate in the system will need clear policies and procedures in dealing with any litigation that may arise within the system.
The Future of Online Identities
Despite any reluctance citizens may have about the Identity Ecosystem – it is coming one way or the other. The Internet has existed in a sort of “wild west” vacuum of control and authority for a long period of time but it is probably coming to an end. The Internet has become too important and vital to business and government to allow it to continue to march forward without firmly establishing a method of uniquely and accurately identifying users online.
Business wants it. Governments want it. Even citizens want it.
People want to know that they are secure in dealing with their bank, purchasing a book on their Kindle, or swiping a Smart Card (or phone) at a vending machine. And while the NSTIC certainly discusses anonymity…it’s hard to envision it actually existing in the Identity Ecosystem.
But if the Internet has shown itself to be one thing, it would be that it is resilient and adaptive in the face of change and threats to it’s structure. I can imagine a black market economy developing on darknets such as Freenet for users who truly want to protect their identity online.
Regardless, change is coming to the Internet. The question is if people are ready, or even aware of it? I’ll leave you with this video presentation of the NSTIC (which oddly feels as though it was prepared by Aperture Laboratories):
You can help this process along by buying my book. Amazon is really good at tracking you.