Andy Oram

Analysis: Three privacy initiatives from the Office of Management and Budget

The U.S. government has a new take on federated identity, storage and social networks.

by @praxagora | +Andy Oram | 28 June 2010

Last Friday was a scramble for government security personnel and independent privacy advocates, and should also have stood out to anyone concerned with the growth of online commerce, civic action, and social networking. The U.S. government's Office of Management and Budget, which is the locus of President Obama's drive toward transparency and open government, popped out three major initiatives that combine to potentially change the landscape for online identity and privacy, not only within government but across the Internet.

In this blog I'll summarize the impacts of all three documents, as well as the next steps that I see as necessary in these areas. The documents (all distributed as PDFs, which is not the easiest format on which to gather commentary) are:

  • Guidance for Agency Use of Third-Party Websites and Applications
  • Guidance for Online Use of Web Measurement and Customization Technologies
  • the draft strategy on identities, which is open for public comment

These documents are not long, but the complexity of the policy areas they address ensures that no blog could cover everything of importance, nor could a single commentator like me provide a well-rounded view. I'll focus on the changes they make to policies that are known to require change, with a "job well done" pat on the back. In highlighting gaps and omissions, I'll deliberately steer around the shoals that others have loudly pointed to already, focusing instead on problems that I believe deserve more attention.

I'll also assume a good deal of background on the part of the reader, figuring that if you've taken the time to read this post you have absorbed the key issues in the privacy debates over the past few decades, or can easily pick them up by rounding up the usual suspects: Electronic Privacy Information Center, Privacy International, Electronic Frontier Foundation's privacy page, the Center for Democracy and Technology, etc. (If anybody knows well-researched sites that adopt the opposite philosophy, "Shop till you drop, post your videos to America's Favorite Bloopers, and forget about privacy," please let me know.)

Why social networks don't protect privacy

I thought it useful to start with this fundamental dilemma because it helps put other privacy efforts into context. Facebook, LinkedIn, MySpace, and other such sites are not going to protect your privacy in any foreseeable scenario.

The problem is not the evil temptations of advertising. Yes, the sites would like to get to know you better and classify you into finer and finer grids to improve the flow of advertising dollars, but take the monetary incentive away and social networks would still reveal your personal information. That's what makes social networking worthwhile.

Long before the Internet, people had private forums offline and online to share ideas and socialize. The limitation of such forums -- which still exist on Yahoo! Groups, Google Groups, and other places -- is that they don't benefit from the power of the small world effect. They don't exploit any more than one degree of separation.

The genius of social networking is precisely the "Friends of Friends" feature that privacy advocates decry. If you like dogs and you note on Facebook that your friend Sue has joined the Lunchtime Dog Walkers Club, you benefit in two ways: you've just learned of something you and Sue have in common, and you may consider joining the Lunchtime Dog Walkers Club yourself.

The whole reason to join social networks is to meet a friend of a friend who cares just as much about the Special Olympics as you do, or to find out that three of your friends attended the local rhythm 'n blues bash you missed. If I know that you're following me on Twitter, I have the option of following you. So if you don't want to learn about these things -- or let other people know what you do -- stick to Yahoo! Groups.

Now we can better assess the challenges facing the Senior Agency Official for Privacy at each agency, who, according to the Guidance for Agency Use of Third-Party Websites and Applications, must "examine the third party's privacy policy to evaluate the risks" and convey them to members of the public in a privacy impact assessment. Jane may sign up for an agency social network in order to keep up discreetly with changes in laws and regulations affecting an embarrassing lapse in her past, but no one may realize that all her friends will see a "Jane has joined the Initiative to Freeze Sex Offender Records Group!" message.

And suppose that the agency can suppress the message when Jane joins, but that anybody who runs a search on the social network for "Sex Offender" turns up the names of everyone who joined the group.

I'm guessing the memorandum will be helpful. It contains some common-sense orders that every agency can follow, such as making sure that every interaction it has with the public can be carried out in alternative settings besides the social network, and letting the public know whether it gives the social network any personally identifiable information (PII). Once again, though, the notion of PII is slippery. Researchers have demonstrated that the URLs and query strings generated when you navigate a social network contain lots of PII, and the browser sends that URL along in the Referer header when you click through to an agency page, so your identity on the social network can end up associated with your dealings with the agency even though the agency itself is totally passive.
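One way to see that leakage in practice, as an added example that is not part of the original post or of any agency's tooling: a script that scans an agency web server's access log (in the common Apache/nginx "combined" format) for Referer URLs whose query strings carry user identifiers from a third-party site. The log lines, the host names and the list of parameter names are constructed for illustration.

```python
"""Find user identifiers that a third-party site hands to an agency through the
browser's Referer header.  Added example; the log lines and the parameter-name
list are constructed for illustration, not taken from any real agency or site."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Query-parameter names that commonly carry an account handle or numeric user id
# on social-network pages (assumed list; tune it to the sites an agency uses).
PII_PARAMS = {"id", "uid", "user", "user_id", "profile", "screen_name", "email"}

# Constructed sample: two visits arrive from social-network pages, two do not.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jun/2010:09:14:02 -0400] "GET /regulations/update.html HTTP/1.1" 200 5120 "http://social.example/groups/12345?uid=7781234&ref=feed" "Mozilla/5.0"
203.0.113.8 - - [28/Jun/2010:09:15:11 -0400] "GET /regulations/update.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [28/Jun/2010:09:16:40 -0400] "GET /contact HTTP/1.1" 200 880 "http://social.example/profile.php?id=9900112&v=wall" "Mozilla/5.0"
198.51.100.3 - - [28/Jun/2010:09:17:05 -0400] "GET /contact HTTP/1.1" 200 880 "http://search.example/?q=agency+contact" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_identifiers(referer):
    """Return {param: value} for referer query parameters that name a user."""
    if referer in ("", "-"):
        return {}
    return {k: v for k, v in parse_qsl(urlsplit(referer).query)
            if k.lower() in PII_PARAMS}


def scan_log(text):
    """Return (client_ip, requested_path, referer_host, leaked_params) for every
    hit whose Referer carried a user identifier into the agency's own log."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        leaked = leaked_identifiers(rec["referer"])
        if not leaked:
            continue
        method_path = rec["request"].split(" ")
        path = method_path[1] if len(method_path) > 1 else rec["request"]
        findings.append((rec["ip"], path, urlsplit(rec["referer"]).hostname, leaked))
    return findings


if __name__ == "__main__":
    for ip, path, host, leaked in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: Referer from {host} carried {leaked}")
```

The point for the privacy impact assessment is that the identifiers end up in the agency's own logs without the agency asking for them. An agency that does not want them can stop logging the Referer query string, or strip it at ingestion, and say so in the assessment.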

The authors of the memo seem to have tacitly assumed that the Senior Agency Official for Privacy has only limited access to the workings of the social networks, because they instructed the agency to tell the public what the agency itself does with information (for instance, "any PII that is likely to become available to the agency through public use of the third-party website or application") but not what the third-party website does with information.

I also noticed one more sign of timidity in the memo on third-party sites: "the agency should monitor any changes to the third party's privacy policy and periodically reassess the risks." Why not declare that any social networking site used by government must promise to notify users of changes affecting privacy, preferably 30 days in advance, and even put up a draft of the new policy for public comment as the government itself does?

My sense is that the chief advantage of putting government agencies on popular social network sites is to look cool, or perhaps more charitably, to "be present" when the public seeks information. Because fans of social networks call up their pages several times a day to check everything from friends' clothing choices to the press releases of the professional associations they've joined, how nice to offer updates on government policies that interest them in the same place.

But a true social networking orientation that makes, say, the Environmental Protection Agency a full participant in the waves of commentary on a social network would be so daunting that it's not even clear what the result would look like. ("Returned my old motor oil to the dealer for disposal." "EPA likes this.")

Possibly, agencies could gain efficiencies by using third-party applications on social networks -- and last Friday's memorandum explicitly allowed that -- but I can't see how the agency could accurately assess the privacy risks of the applications.

In short, I don't think serious public policy will be made on the same sites where people rate their favorite salsa brands. Instead, the social networking strategy will be a transitional contact mechanism that will fall by the wayside when agencies can offer rich interactive forums on their own. And that's where the draft strategy on identities picks up where the memorandum on third-party sites leaves off.

A certificate-backed OpenID system

The vision presented in the identity strategy draft could easily take decades to realize. The goal, roughly speaking, is to improve on the welter of means currently employed to validate websites and web users, and to give the public enough confidence to make them comfortable conducting increasing amounts of business and civic affairs over the Internet. The principles are recognizably the ones behind OpenID, whose champions have been in protracted discussions with the OMB and other agencies working on identity.

Currently, the average web user relies on the browser's validation of the server's certificate -- or clicks right past the warning, given how many web administrators fail to keep their certificates valid -- while the server authenticates the user with either a password or OpenID. When OpenID is enabled, the server delegates user authentication to a set of trusted identity providers (AOL, Google, etc.) where users create their IDs.

The strategy document extends certificates to user authentication. In a scenario presented by the draft to warm us toward the strategy, a woman retrieves hospital test results from her cell phone. Both the hospital and the cell phone present PKI certificates, and the hospital, in addition, "obtained an Extended Validation Certificate for its website to enable individuals to indicate that the website has not been spoofed." That last dance turn is a little hard to follow. The draft doesn't offer such details as who can give a hospital an Extended Validation Certificate, and how it can protect against look-alike Unicode (internationalized) domain names, man-in-the-middle attacks, or garden-variety breaches of web security.
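A certificate, extended validation or not, only vouches for the name the user thinks she typed, so a look-alike internationalized domain name defeats the badge before PKI even enters the picture. The following is an added example of the kind of check a browser or an agency gateway needs for that case; it is not from the OMB draft. It decodes punycode (xn--) labels with Python's standard idna codec, flags any label that mixes scripts, and reduces the name to an ASCII "skeleton" using a small, illustrative table of Cyrillic and Greek look-alikes (the full Unicode confusables list is much longer). The host names are constructed.

```python
"""Check whether a hostname's Unicode form mixes scripts within a label or is a
look-alike of an ASCII name.  Added example; the confusables table is a small
illustrative subset and the names used below are constructed."""
import unicodedata

# Non-Latin letters that render like ASCII letters (illustrative, not exhaustive).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u03bf": "o",  # Greek small omicron
}


def to_unicode(host):
    """Return the Unicode form of a hostname given either as Unicode or as ASCII
    with punycode (xn--) labels."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not a valid IDNA name; analyse as given


def script_of(ch):
    """Unicode script family of a letter ('LATIN', 'CYRILLIC', ...); None for
    digits and hyphens, which are allowed in any label."""
    if ch.isdigit() or ch == "-":
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyse(host):
    """Describe how a name could mislead a user reading the address bar."""
    uni = to_unicode(host).lower()
    labels = uni.split(".")
    # A single label mixing scripts (Latin 'p' next to Cyrillic 'а') is the
    # classic homograph pattern; mixing across labels is far less suspect.
    mixed = any(len({s for s in map(script_of, label) if s}) > 1 for label in labels)
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in uni)
    return {
        "unicode": uni,
        "mixed_script_label": mixed,
        "skeleton": skeleton,
        # True when swapping confusables yields a plain ASCII name different from
        # the one shown: the user reads 'paypal.com' and gets a stranger.
        "looks_like_ascii_name": skeleton != uni and skeleton.isascii(),
    }


if __name__ == "__main__":
    for name in ("paypal.com", "p\u0430ypal.com", "\u0440\u0430yp\u0430l.com"):
        print(name.encode("idna").decode("ascii"), analyse(name))
```

Whole-script spoofs (every letter Cyrillic, so no label is mixed) pass the first test and are caught only by the skeleton comparison against a list of names the user is known to trust, which is why browsers combine both checks rather than relying on either alone.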

I can understand the strategy's reliance on PKI as the only social structure available to back up assertions of identity. But this is the wobbly leg of the table that holds up the OMB proposal. The document should recognize the flaws of PKI, notably (but not limited to):

  • The difficulty of revoking a certificate (revocation lists and OCSP responses are checked late or not at all, and browsers generally fail open when they cannot fetch them).
  • Lapses by certificate authorities that let unauthorized people masquerade as legitimate sites.
  • The lack of due care by browser manufacturers in approving certificate authorities for inclusion in browsers.

I don't need to go into detail, because plenty of warnings about PKI have been issued by Bruce Schneier and others. A more tightly managed PKI system may emerge from the OMB initiative and may mitigate the risks that have surfaced -- but only if we acknowledge and face those risks. We should do so before we migrate more and more of our social infrastructure to certificates, a scenario I laid out in a short story, "Validators."

(Update, 10 PM: encouraged by a friend, I submitted a comment about certificate authorities to the draft's comment site.)

Why the OMB is taking on identity and privacy now

As mentioned earlier, the OMB has invested a lot of time and engaged in a huge amount of consultation in the development of its identity strategy. The result is breathtaking in its scope of proposed activity: setting standards, encouraging private companies to use the resulting technologies (and even providing financial incentives to do so), educating the public about their benefits, setting an example by deploying the technologies across the federal government, and working with other government bodies across the country and internationally.

Why expend all this sweat on a program that was being promoted by various technorati and social networking sites up to now? The government needs a comprehensive identity framework, clearly, and one can make a strong argument that the identity framework needs the government, too.

The government needs an identity framework to achieve a goal that administrations and members of Congress have expressed over many decades: to bring intense consultation and debate about government activity beyond the Beltway. The enormous participation that the administration witnessed around such issues as the spending of stimulus money, reported on Recovery.gov, showed that they can no longer depend on cabbing their insiders to a meeting in the Senate Office Building on a Monday morning at nine. They also need the local activist who can't afford a plane trip to DC and has just four hours a week to spend on his concern.

Health care, the administration's most controversial undertaking and its area of biggest accomplishment, cries out for an identity system so that doctors can make referrals, exchange records, and report quality measures. The demands of a modern health care system on data exchange were recently laid out in two interviews on this site, one with Brian Behlendorf and another with Arien Malec, and that dependency extends to securely identifying health care providers. A PKI-backed, OpenID-like identity system underpins the promise of better and cheaper health care.

But why not leave things to the tech community and the market? There are several roles for government:

  • No computer technology is perfectly secure, so potential malefactors have to be convinced that they will suffer retribution from strong legal enforcement. Improving laws regarding identity and privacy will facilitate the adoption of useful technologies. At the same time, laws and regulations become unenforceable and are widely scorned if the technology does not support them.
  • Mistakes will happen, so one of the most useful roles for government might be to lay out rules for liability, as mentioned in the draft.
  • Although fundamental standards are coming along nicely in the tech community, government support might be needed as standards touch more directly on the social impacts of identity systems. The large sites in the tech space don't have the interests of ordinary users at heart -- just look at all the controversies that Google and Facebook get themselves into regularly. Other industries (notably health care) also have a lot tied up in legacy practices and business models that could distort the implementation of identity checking unless the government plays a neutral role.
  • The government can lay out a model of graduated risk to guide people in choosing the right level of security. Some types of transactions can depend on an ID you get by providing an email address. Others might require you to provide a credit card. And some may require you to visit a notary. A formal hierarchy of risk can assure us we're getting the security we need without going overboard.

With so much at stake, the OMB is actually acting with considerable restraint. This doesn't come across to the hypersensitive super-individualists whose most paranoid fears have been stoked by right-wing cynics, and who post their high-strung dissents to the comment site without bothering to actually read the draft. I'm sure this blog will not totally escape their distracting impracticalities either.

The OMB is not making a power grab for the Internet identity infrastructure. On the other hand, they are asking those who have responsibility for the infrastructure to join together and adopt more stringent rules. The formality of the system the OMB is proposing, with risk models, standards, and a bigger role for certificate authorities (not to forget Extended Validation Certificates!) belies the document's snuggly metaphor of an Identity Ecosystem.

Identity's relationship to security also puts the new initiative fully in line with recent efforts to create a national cyber-security strategy. The OMB's collaborative approach has nothing in common with the command-and-control mentality of Sections 248, 249, and 250 in the Protecting Cyberspace bill just passed by a Senate committee. But during the current debate over that bill, we can't lose sight of the larger context. The bill is just the response by one group of lawmakers to a general drumbeat of concern over the need for governments to be prepared for threats to a software stack that has taken on some roles of a public utility.

Cookies and other fuzzy identifiers

Just as the identity system in the OMB draft -- should the OMB succeed in pulling it off -- will replace the need to use social networking sites, its rigorous combination of identity and privacy protection will also replace the mushy combination that now exists with cookies and other information collected by websites. But current web practice demands the use of this information to let visitors stay signed in and customize their experience. The information also helps sites track user behavior so they can improve the sites (to discover, for instance, that a key document isn't being read because people can't find it).

So the second of Friday's documents, Guidance for Online Use of Web Measurement and Customization Technologies (PDF), is actually the most successful and clearly applicable in my opinion. It lays out fairly simple rules about collecting information only for the purposes just mentioned, anonymizing it, and disposing of it quickly.

Agencies are specifically prohibited from sharing the user data with other agencies, an important constraint in an age where we've learned of the intelligence agencies mining so much communication. (On the other hand, my impression from other situations is that laws and regulations always manage to create exceptions for law enforcement that eviscerate the promises that personal information is safe from snooping.)

A certain amount of fuzziness remains, an inevitability in a complex world. Agencies have varying uses for data and varying relationships with their visitors, so the memorandum leaves wiggle room and simply requires the posting of the resulting policies. In theory, visitors will have to check each site's policy to find out what the site is doing with cookies and other PII. In practice, I think the wiggle room is minimal and that the guidelines are relatively inviolate, offering visitors a more pleasant experience without compromising their privacy.
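One concrete way to honor the three rules of the measurement memorandum (collect only for measurement, anonymize, dispose quickly), as an added example that is not the memorandum's or any agency's code: client addresses are truncated to a network prefix, the session cookie is replaced by an HMAC under a random key that changes every day, and both the records and the keys are purged after a retention window. The seven-day window and the sample visits are assumptions; the class name and method names are hypothetical.

```python
"""Pseudonymize web-measurement records so an agency can count visits without
keeping a durable identifier.  Added example, not the OMB's or any agency's
code; the retention period and the sample visits are assumptions."""
import hashlib
import hmac
import ipaddress
import os
from datetime import date, timedelta

RETENTION_DAYS = 7  # assumed policy value; the memorandum leaves it to each agency


class MeasurementStore:
    def __init__(self, retention_days=RETENTION_DAYS):
        self.retention = timedelta(days=retention_days)
        self._keys = {}    # day -> random HMAC key; deleted with that day's records
        self.records = []  # (day, truncated_ip, visitor_token, path)

    def _key_for(self, day):
        # A fresh random key per day: the same cookie maps to an unlinkable token
        # tomorrow, and once the key is purged nobody can regenerate or confirm
        # a token from a cookie value, not even the agency.
        return self._keys.setdefault(day, os.urandom(32))

    @staticmethod
    def truncate_ip(addr):
        """Keep only the /24 (IPv4) or /48 (IPv6) prefix: enough for coarse
        geography and bot detection, not enough to single out a subscriber."""
        ip = ipaddress.ip_address(addr)
        prefix = 24 if ip.version == 4 else 48
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

    def record(self, day, client_ip, session_cookie, path):
        """Store one page view; returns the pseudonymous visitor token."""
        token = hmac.new(self._key_for(day), session_cookie.encode(),
                         hashlib.sha256).hexdigest()[:16]
        self.records.append((day, self.truncate_ip(client_ip), token, path))
        return token

    def unique_visitors(self, day, path):
        """Distinct visitor tokens for a path on one day, the kind of measurement
        the memorandum permits."""
        return len({r[2] for r in self.records if r[0] == day and r[3] == path})

    def purge(self, today):
        """Drop records and keys older than the retention window; returns records kept."""
        cutoff = today - self.retention
        self.records = [r for r in self.records if r[0] >= cutoff]
        for day in [d for d in self._keys if d < cutoff]:
            del self._keys[day]
        return len(self.records)


if __name__ == "__main__":
    store = MeasurementStore()
    d = date(2010, 6, 28)
    for ip, cookie, path in [("203.0.113.77", "sess-A", "/faq"),
                             ("203.0.113.78", "sess-A", "/faq"),
                             ("198.51.100.9", "sess-B", "/faq")]:
        store.record(d, ip, cookie, path)
    print(store.unique_visitors(d, "/faq"), store.records)
    print(store.purge(d + timedelta(days=8)))
```

Hashing the cookie with a fixed secret would not be enough: a stable pseudonym is still a persistent identifier, and anyone holding the secret could test whether a given cookie produced a given token. Rotating the key daily and discarding it with the day's records is what turns "we keep a hash" into "we keep nothing that can be linked back".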

What's left? I'm still interested in the issues I raised a year ago about the relation of identity and anonymity to citizen participation in government. Sometimes people need to relinquish anonymity in order to be credible. The infrastructure that the OMB is talking about can provide a range of levels of identification.

Comments: 1

opit [29 June 2010 08:40 PM]

Here's an 'online culture' story that seems to hold promise for friction.
http://www.pcworld.com/article/198272/Social_Networking.html?tk=rss_news