Happy Data Privacy Day! According to a recent survey of young Americans by Harvard’s Institute of Politics, 65% of respondents said they were “very concerned” about technology companies collecting digital information from their phone or computer. While it’s only January, that level of concern suggests privacy will continue to have a place in the national conversation throughout 2016.
The first NSTIC Guiding Principles is that solutions will be privacy-enhancing and voluntary, and today we would like to take the opportunity to talk about some of the things we are doing to help organizations be better stewards of individuals’ data. The reality is that when it comes to building infrastructure like the Identity Ecosystem, there are only so many things individuals can do when the infrastructure itself creates privacy risks. Thus, the organizations that are a part of the Identity Ecosystem also need to take steps to identify and address privacy risks in the systems they build.
One of the ways NIST is working to promote a privacy-enhancing identity ecosystem is by funding new, innovative solutions in the identity space. In working with pilots over the past several years, we have learned about a few key challenges in online identity. Although our pilots and the broader marketplace have made great progress toward the NSTIC vision, there’s still much room for improvement in privacy. Take our Galois pilot, for example. They are working to develop a personal data store that will enable a user to be in control of what data they are sharing and to whom—enabling consented online transactions with the user’s information squarely in their own control.
In the National Cybersecurity Center of Excellence, we’re working on a building block to develop privacy-enhancing identity federation solutions. The goal of this effort is to develop a solution, using commercially available products, that protects individual transactions and personal data from being exposed to participants in the federation. Once complete, we will release a cybersecurity practice guide that details the integration steps we completed so that other organizations can learn from our efforts, or even better, repeat our integration with limited complexity.
Beyond technical research, we are continuing to support the work of the Identity Ecosystem Steering Group, who released last year their first version of the Identity Ecosystem Framework (IDEF). The IDEF’s privacy requirements provide a baseline for describing the organizational and engineering practices of organizations who take individuals’ privacy seriously. Through this work and with the help of other organizations working in this space, we hope to support the development of standards for the technical underpinnings of what individuals can expect from privacy protections online.
It’s just a matter of time: as technology continues to evolve and as people demand better privacy protections, new technological advances will emerge—and organizations will find innovative ways to deliver services with improved management of privacy risk. We see the great things that are possible and we continue – through research, pilots, and partnerships – to set our expectations high. We are celebrating Data Privacy Day today—but we aspire to an identity ecosystem that is truly privacy-enhancing all 365 days a year.