Analysis: Three privacy initiatives from the Office of Management and Budget

The U.S. government has a new take on federated identity, storage and social networks.

Last Friday was a scramble for government security personnel and
independent privacy advocates, and should also have stood out to
anyone concerned with the growth of online commerce, civic action, and
social networking. The U.S. government’s Office of Management and
Budget, which is the locus of President Obama’s drive toward transparency and open government, popped out three major
initiatives that combine to potentially change the landscape for
online identity and privacy, not only within government but across the
Internet.

In this post I’ll summarize the impacts of all three documents, as
well as the next steps that I see as necessary in these areas. The
documents (all distributed as PDFs, which is not the easiest format
from which to draw commentary) are:

These documents are not long, but the complexity of the policy areas
they address ensures that no blog could cover everything of importance,
nor could a single commentator like me provide a well-rounded view.
I’ll focus on the changes they make to policies that are known to
require change, with a “job well done” pat on the back. In
highlighting gaps and omissions, I’ll deliberately swim around the
shoals that others have loudly pointed to already, focusing instead on
problems that I believe deserve more attention.

I’ll also assume a good deal of background on the part of the reader,
figuring that if you’ve taken the time to read this post you have
absorbed the key issues in the privacy debates over the past few
decades, or can easily pick them up by rounding up the usual suspects:
the Electronic Privacy Information Center, Privacy International, the
Electronic Frontier Foundation’s privacy page, the Center for
Democracy and Technology, etc. (If anybody knows well-researched sites
that adopt the opposite philosophy, “Shop till you drop, post your
videos to America’s Favorite Bloopers, and forget about privacy,”
please let me know.)

Why social networks don’t protect privacy

I thought it useful to start with this fundamental dilemma because it
helps put other privacy efforts into context. Facebook, LinkedIn,
MySpace, and other such sites are not going to protect your privacy in
any foreseeable scenario.

The problem is not the evil temptations of advertising. Yes, the sites
would like to get to know you better and classify you into finer and
finer grids to improve the flow of advertising dollars, but take the
monetary incentive away and social networks would still reveal your
personal information. That’s what makes social networking worthwhile.

Long before the Internet, people had private forums offline and online
to share ideas and socialize. The limitation of such forums — which
still exist on Yahoo! Groups, Google Groups, and other places — is that
they don’t benefit from the power of the small world effect. They
don’t exploit any more than one degree of separation.

The genius of social networking is precisely the “Friends of Friends”
feature that privacy advocates decry. If you like dogs and you note on
Facebook that your friend Sue has joined the Lunchtime Dog Walkers
Club, you benefit in two ways: you’ve just learned of something you
and Sue have in common, and you may consider joining the Lunchtime Dog
Walkers Club yourself.

The whole reason to join social networks is to meet a friend of a
friend who cares just as much about the Special Olympics as you do, or
to find out that three of your friends attended the local rhythm ‘n
blues bash you missed. If I know that you’re following me on Twitter,
I have the option of following you. So if you don’t want to learn
about these things — or let other people know what you do — stick to
Yahoo! Groups.

Now we can better assess the challenges facing the Senior Agency
Official for Privacy at each agency who, according to the Guidance for
Agency Use of Third-Party Websites and Applications, must “examine the
third party’s privacy policy to evaluate the risks” and convey them to
members of the public in a privacy impact assessment. Jane may sign up
for an agency social network in order to keep up discreetly with
changes in laws and regulations affecting an embarrassing lapse in her
past, but no one may realize that all her friends will see a “Jane has
joined the Initiative to Freeze Sex Offender Records Group!” message.

And suppose that the agency can suppress the message when Jane joins,
but that anybody who runs a search on the social network for “Sex
Offender” turns up the names of everyone who joined the group.

I’m guessing the memorandum will be helpful. It contains some
common-sense orders that every agency can follow, such as making sure
that every interaction it has with the public can be carried out in
alternative settings besides the social network, and letting the
public know whether it gives the social network any personally
identifiable information (PII). Once again, though, the notion of PII
is slippery. Researchers have demonstrated that the URLs and
query strings generated when you navigate a social network contain
lots of PII, so this might be associated with the activities you engage
in with the government agency even though the agency is totally
passive.
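As an added illustration (written for this post, not code from the memorandum or any agency), the Go program below shows the mechanism by which that association happens and how an agency could audit for it. When a visitor clicks from a social network page to an agency site, the browser’s Referer header carries the social network’s URL, query string included, into the agency’s own web-server log. The program scans constructed access-log lines for Referer query parameters that identify the visitor, either by parameter name or because the value is an email address. The log lines, host names and the list of parameter names treated as identifying are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Constructed access-log lines in combined format (the Referer is the quoted
// field after status and size). Hosts and identifiers are invented for this example.
const sampleLog = `203.0.113.5 - - [25/Jun/2010:09:14:02 -0400] "GET /regs/update HTTP/1.1" 200 5120 "https://social.example/group/freeze-records?member=jane.doe@example.org&uid=48211" "Mozilla/5.0"
203.0.113.9 - - [25/Jun/2010:09:15:40 -0400] "GET /regs/update HTTP/1.1" 200 5120 "https://social.example/profile.php?id=48211&ref=group_feed" "Mozilla/5.0"
198.51.100.7 - - [25/Jun/2010:09:16:11 -0400] "GET /regs/update HTTP/1.1" 200 5120 "https://search.example/?q=agency+regulations" "Mozilla/5.0"
198.51.100.8 - - [25/Jun/2010:09:17:30 -0400] "GET /regs/update HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`

// identifyingKeys is an assumed list of query-parameter names that typically
// carry a user identifier; a real audit would tune it to the sites involved.
var identifyingKeys = map[string]bool{
	"uid": true, "id": true, "user": true, "member": true, "email": true, "profile": true,
}

var emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)

// Leak records one log line whose Referer query string identifies the visitor.
type Leak struct {
	Client  string   // client IP from the log line
	Referer string   // full Referer URL as received
	Params  []string // offending query parameters as key=value, sorted
}

// refererOf extracts the client address and Referer from a combined-format line.
// Splitting on the double quote yields: [prefix, request, status/size, referer, " ", agent, ""].
func refererOf(line string) (client, referer string, ok bool) {
	parts := strings.Split(line, `"`)
	if len(parts) < 6 || parts[3] == "-" {
		return "", "", false
	}
	return strings.Fields(parts[0])[0], parts[3], true
}

// FindLeaks returns one Leak per log line whose Referer carries identifying
// parameters, either by parameter name or because the value looks like an email.
func FindLeaks(text string) []Leak {
	var leaks []Leak
	for _, line := range strings.Split(text, "\n") {
		client, ref, ok := refererOf(line)
		if !ok {
			continue
		}
		u, err := url.Parse(ref)
		if err != nil {
			continue
		}
		var hits []string
		for key, vals := range u.Query() {
			for _, v := range vals {
				if identifyingKeys[strings.ToLower(key)] || emailRe.MatchString(v) {
					hits = append(hits, key+"="+v)
				}
			}
		}
		if len(hits) > 0 {
			sort.Strings(hits)
			leaks = append(leaks, Leak{Client: client, Referer: ref, Params: hits})
		}
	}
	return leaks
}

func main() {
	for _, l := range FindLeaks(sampleLog) {
		fmt.Printf("%s arrived from %s\n  identifying parameters: %s\n",
			l.Client, l.Referer, strings.Join(l.Params, ", "))
	}
}
```

On the constructed input the first two lines are flagged (a member email plus a numeric user id, then a profile id) while the search-engine referral and the line with no Referer are not. Current browsers send only the origin in cross-site Referer headers by default, but the same audit applies to identifiers that reach the agency by other routes, for example embedded in a link path or a redirect URL.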

The authors of the memo seemed to have in mind tacitly that the Senior
Agency Official for Privacy has only limited access to the workings of
the social networks, because they instructed the agency to tell the
public what the agency itself does with information (for instance,
“any PII that is likely to become available to the agency through
public use of the third-party website or application”) but not what
the third-party website does with information.

I also noticed one more sign of timidity in the memo on third-party
sites: “the agency should monitor any changes to the third party’s
privacy policy and periodically reassess the risks.” Why not declare
that any social networking site used by government must promise to
notify users of changes affecting privacy, preferably 30 days in
advance, and even put up a draft of the new policy for public comment
as the government itself does?

My sense is that the chief advantage of putting government agencies on
popular social network sites is to look cool, or perhaps more
charitably, to “be present” when the public seeks information. Because
fans of social networks call up their pages several times a day to
check everything from friends’ clothing choices to the press releases
of the professional associations they’ve joined, how nice to offer
updates on government policies that interest them in the same place.

But a true social networking orientation that makes, say, the
Environmental Protection Agency a full participant in the waves of
commentary on a social network would be so daunting that it’s not even
clear what the result would look like. (“Returned my old motor oil to
the dealer for disposal.” “EPA likes this.”)

Possibly, agencies could gain efficiencies by using third-party
applications on social networks — and last Friday’s memorandum explicitly
allowed that — but I can’t see how the agency could accurately assess
the privacy risks of the applications.

In short, I don’t think serious public policy will be made on the same
sites where people rate their favorite salsa brands. Instead, the
social networking strategy will be a transitional contact mechanism
that will fall by the wayside when agencies can offer rich interactive
forums on their own. And that’s where the draft strategy on identities
picks up where the memorandum on third-party sites leaves off.

A certificate-backed OpenID system

The vision presented in the identity strategy draft could easily take
decades to realize. The goal, roughly speaking, is to improve on the
welter of means currently employed to validate websites and web users,
and to give the public enough confidence to make them comfortable
conducting increasing amounts of business and civic affairs over the
Internet. The principles are recognizably the ones behind OpenID, whose
champions have been in protracted discussions with the OMB and other
agencies working on identity.

Currently, the average web user relies on browser validation of
certificates — or blasts right past it, given how many web
administrators fail to maintain their certificates — while the server
requires either password authentication or OpenID to authenticate a
user. When OpenID is enabled, the server delegates user authentication
to a set of trusted sites (AOL, Google, etc.) where users create their
IDs.

The strategy document extends certificates to user authentication. In
a scenario presented by the draft to warm us toward the strategy, a
woman retrieves hospital test results from her cell phone. Both the
hospital and the cell phone offer PKI certificates and the hospital,
in addition, “obtained an Extended Validation Certificate for its
website to enable individuals to indicate that the website has not
been spoofed.” That last dance turn is a little hard to follow. The
draft doesn’t offer such details as who can give a hospital an
Extended Validation Certificate, or how it can protect against
malicious Unicode-encoded domain names, man-in-the-middle attacks, or
garden-variety breaches of web security.

I can understand the strategy’s reliance on PKI as the only social
structure available to back up assertions of identity. But this is the
wobbly leg of the table that holds up the OMB proposal. The document
should recognize the flaws of PKI, notably (but not limited to):

  • The difficulty of revoking a certificate.
  • Lapses by certificate authorities that let unauthorized people
    masquerade as legitimate sites.
  • The lack of due care by browser manufacturers in approving certificate
    authorities for inclusion in browsers.
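To make the first of those flaws concrete, here is an added example in Go (written for this post, not code from the OMB draft or any named project) that builds a throwaway CA with the standard library, issues a certificate for a hypothetical hospital results site, revokes it in a CA-signed CRL, and then validates it the way a client would. A client that only builds the chain and matches the host name accepts the revoked certificate; only a client that also fetches and checks the CRL, and treats a stale CRL as a failure, rejects it. All names, serial numbers and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// leafHost is a hypothetical hospital results site; the CA, certificate and CRL
// are built in memory for this example and belong to no real authority.
const leafHost = "results.hospital.example"

// ToyPKI holds the trusted root plus the DER-encoded leaf certificate and CRL.
type ToyPKI struct {
	CACert  *x509.Certificate
	LeafDER []byte
	CRLDER  []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI creates the root CA, issues the leaf certificate and publishes a
// CA-signed CRL that lists the leaf's serial number when revokeLeaf is true.
func BuildPKI(revokeLeaf bool) *ToyPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Hospital Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign lets the CA sign its CRL
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: leafHost}, DNSNames: []string{leafHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))
	// NextUpdate is the moment after which a client must treat this CRL as stale.
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leafTmpl.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))
	return &ToyPKI{CACert: caCert, LeafDER: leafDER, CRLDER: crlDER}
}

// VerifyLeaf validates as a client does: chain to the trusted root and host-name
// match first, then the CRL only if checkRevocation is set. A client that skips
// that last step accepts a certificate the CA has already revoked.
func VerifyLeaf(p *ToyPKI, host string, checkRevocation bool) error {
	leaf, err := x509.ParseCertificate(p.LeafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil || !checkRevocation {
		return err // chain or name failed, or the caller skipped revocation checking
	}
	crl, err := x509.ParseRevocationList(p.CRLDER)
	if err != nil {
		return err
	}
	// Trust the CRL only if the CA signed it and it is still current; a stale or
	// unavailable CRL must fail closed rather than count as "not revoked".
	if err = crl.CheckSignatureFrom(p.CACert); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL is stale since %s; revocation status unknown", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := BuildPKI(true) // the CA has revoked the hospital's certificate
	fmt.Println("chain and name only:", VerifyLeaf(p, leafHost, false))
	fmt.Println("with CRL check:     ", VerifyLeaf(p, leafHost, true))
}
```

The first call returns no error even though the CA has revoked the certificate; the second rejects it. The same fail-open gap appears with OCSP whenever a client “soft-fails” on an unreachable responder, which is why revocation leads the list of weaknesses above.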

I don’t need to go into detail, because plenty of warnings about PKI
have been issued by Bruce Schneier and
others. A more tightly managed PKI system may emerge from the OMB
initiative and may mitigate the risks that have surfaced — but only if
we acknowledge and face those risks. We should do so before we migrate
more and more of our social infrastructure to certificates, a scenario
I laid out in a short story, “Validators.”

(Update, 10 PM: encouraged by a friend, I submitted a comment about certificate authorities
to the draft’s comment site.)

Why the OMB is taking on identity and privacy now

As mentioned earlier, the OMB has invested a lot of time and engaged
in a huge amount of consultation in the development of its identity
strategy. The result is breath-taking in its scope of proposed
activity: setting standards, encouraging private companies to use the
resulting technologies (and even providing financial incentives to do
so), educating the public to their benefits, setting an example by
deploying the technologies across the federal government, and working
with other government bodies across the country and internationally.

Why expend all this sweat on a program that was being promoted by
various technorati and social networking sites up to now? The
government needs a comprehensive identity framework, clearly, and one
can make a strong argument that the identity framework needs the
government, too.

The government needs an identity framework to achieve a goal that
administrations and congress folk have expressed over many decades: to
bring intense consultation and debate about government activity beyond
the Beltway. The enormous participation that the administration
witnessed around such issues as the spending of stimulus money,
reported on Recovery.gov,
showed that they can no longer depend on cabbing their insiders to a
meeting in the Senate Office Building on a Monday morning at nine.
They also need the local activist who can’t afford a plane trip to DC
and has just four hours a week to spend on his concern.

Health care, the administration’s most controversial undertaking and
its area of biggest accomplishment, cries out for an identity system
so that doctors can make referrals, exchange records, and report
quality measures. The demands of a modern health care system on data
exchange were recently laid out in two interviews on this site, one
with Brian Behlendorf and another with Arien Malec, and that
dependency extends to securely identifying health care providers. A
PKI-backed, OpenID-like identity system drives the promise of better
and cheaper health care.

But why not leave things to the tech community and the market? There
are several roles for government:

  • No computer technology is perfectly secure, so potential malefactors
    have to be convinced that they will suffer retribution from strong
    legal enforcement. Improving laws regarding identity and privacy
    will facilitate the adoption of useful technologies. At the same
    time, laws and regulations become unenforceable and are widely
    scorned if the technology does not support them.

  • Mistakes will happen, so one of the most useful roles for government
    might be to lay out rules for liability, as mentioned in the draft.

  • Although fundamental standards are coming along nicely in the tech
    community, government support might be needed as standards touch
    more directly on the social impacts of identity systems. The large
    sites in the tech space don’t have the interests of ordinary users
    at heart — just look at all the controversies that Google and
    Facebook get themselves into regularly. Other industries (notably
    health care) also have a lot tied up in legacy practices and
    business models that could distort the implementation of identity
    checking unless the government plays a neutral role.

  • The government can lay out a model of graduated risk to guide people
    to choosing the right level of security. Some types of transactions
    can depend on an ID you get by providing an email address. Others
    might require you to provide a credit card. And some may require you
    to visit a notary. A formal hierarchy of risk can assure us we’re
    getting the security we need without going overboard.

With so much at stake, the OMB is actually acting with considerable
restraint. This doesn’t come across to the hypersensitive
super-individualists whose most paranoid fears have been stoked by
right-wing cynics, and who post their high-strung dissents to the
comment site without bothering to actually read the draft. I’m sure
this blog will not totally escape their distracting impracticalities
either.

The OMB is not making a power grab for the Internet identity
infrastructure. On the other hand, they are asking those who have
responsibility for the infrastructure to join together and adopt more
stringent rules. The formality of the system the OMB is proposing,
with risk models, standards, and a bigger role for certificate
authorities (not to forget Extended Validation Certificates!) belies
the document’s snuggly metaphor of an Identity Ecosystem.

Identity’s relationship to security also puts the new initiative fully
in line with recent efforts to create a national cyber-security
strategy. The OMB’s collaborative approach has nothing in common with
the command-and-control mentality of Sections 248, 249, and 250 in the
Protecting Cyberspace bill just passed by a Senate committee. But
during the current debate over that bill, we can’t lose sight of the
larger context. The bill is just the response by one group of
lawmakers to a general drumbeat of concern over the need for
governments to be prepared for threats to a software stack that has
taken on some roles of a public utility.

Cookies and other fuzzy identifiers

Just as the identity system in the OMB draft — should they succeed in
pulling it off — will replace the need for using social networking
sites, its rigorous combination of identity and privacy protection
will also replace the mushy combination that now exists with cookies
and other information collected by websites. But current web practice
demands the use of this information to let visitors stay signed in and
customize their experience. The information also helps sites track
user behavior so they can improve the sites (to discover, for
instance, that a key document isn’t being read because people can’t
find it).

So the second of Friday’s documents, Guidance for Online Use of Web
Measurement and Customization Technologies (PDF), is actually the most
successful and clearly applicable, in my opinion. It lays out fairly
simple rules about collecting information only for the purposes just
mentioned, anonymizing it, and disposing of it quickly.

Agencies are specifically prohibited from sharing the user data with
other agencies, an important constraint in an age where we’ve learned
of the intelligence agencies mining so much communication. (On the
other hand, my impression from other situations is that laws and
regulations always manage to create exceptions for law enforcement
that eviscerate the promises that personal information is safe from
snooping.)

A certain amount of fuzziness remains, an inevitability in a complex
world. Agencies have varying uses for data and varying relationships
with their visitors, so the memorandum leaves wiggle room and simply
requires the posting of the resulting policies. In theory, visitors
will have to check each site’s policy to find out what the
site is doing with cookies and other PII. In practice, I think the
wiggle room is minimal and that the guidelines are relatively
inviolate, offering visitors a more pleasant experience without
compromising their privacy.

What’s left? I’m still interested in the issues I raised a year ago
about the relation of identity and anonymity to citizen participation
in government. Sometimes people need to relinquish anonymity in order
to be credible. The infrastructure that the OMB is talking about can
provide a range of levels of identification.
