P3WG Meeting Minutes 2011-06-16

Attendees:

Richard Wilsher
Hedy Kirkby (Gov't of Canada)
Mark Lizar
Tom Smedinghoff
Susan Landau
Peter Capek
Rich Furr
Aaron Titus
Trent Adams
Gershon Janssen

Guests:
Jane Galloway (Gov't of Canada)
Rainer Hoerbe

Staff:
Joni Brennan
Anna Ticktin

Minutes:

1. Roll Call - (Quorum Reached)

2. P3 Announcements

  • The PAF has been suspended while its work is further scoped around the Privacy Assessment Criteria.
  • Elections have been suspended as Mark will continue as secretary. Jeff may be more actively engaged again this fall.

3. NSTIC Governance / NOI — Joni

  • Last Thursday and Friday Kantara Initiative participated in the NSTIC Governance workshop panel, which discussed real-world examples of governance models that could serve as models for the governance of the NSTIC initiatives. The Day 1 video is posted here: http://www.nist.gov/itl/nstic-workshop-june2011.cfm. The summaries of the breakout sessions will be posted soon as well.

Day 1 Talks and Panels included:

  • Opening speeches by Jeremy Grant and Howard Schmidt, which focused on the sorely outdated use of user ID and password alone as a means of authentication. The theme was the need to create a trusted identity ecosystem, developed out of a public/private partnership, which would uphold privacy principles as one of its core values.
  • A real-world case panel which included Joni Brennan of Kantara Initiative and representatives from NACHA, SmartGrid and NIST, moderated by Don Thibeau of OIX.
  • An essential elements of governance panel which included Tom Smedinghoff of the ABA, Dazza Greenwood of eCitizen and a representative of the American Civil Liberties Union (ACLU), moderated by Jeremy Grant.

Day 1 and Day 2 breakout sessions were focused on 3 areas:

  1. Steering Committee Initiation
  2. Stakeholders
  3. Governance Models
  • Each breakout session was moderated, used the questions listed in the NOI document, and notes were taken which were presented at the conclusion of the event on Friday. The breakout sessions took the tone of brainstorms and simply acted as a forum for informal and early feedback, with some ideas for next steps suggested. Two issues seemed apparent:
    • The scope of the steering committee did not seem entirely clear and needs refinement, so that a clear path can be taken either toward a new organization or toward initiating the steering committee under an existing organization.
    • There were questions around the liability of such a steering committee. For example, would this committee be legally responsible should organizations determine that the NSTIC program has violated some type of rights and responsibilities (such as a failure to uphold end-user privacy)?
  • The next step is for Kantara to craft a response to the NOI. On yesterday's IAWG call we discussed a path toward IAWG-specific feedback. The Leadership Council is now discussing the creation of an NSTIC Discussion Group which would serve as the central body for NSTIC-related activities and discussions. Please stay tuned for progress on the formation of the NSTIC DG, but don't let the group's formation distract from your personal review of the NOI questions.
  • Additionally, there will be an NSTIC privacy workshop held in Cambridge, Mass. (see further details below). The Kantara Privacy WG will discuss the next workshop in its meeting today to identify who from the Kantara Privacy community may attend and what the P3 strategy and input will include.

Notes of importance:

  • An ACLU representative stated a seemingly thinly veiled threat, something to the effect of privacy folks "having a 'pass' for 12 years", but no longer! This raises important issues of NSTIC privacy education and inclusion to which P3 may want to consider contributing.
  • Susan mentioned: in terms of explaining privacy in terms of NSTIC, there is a need for education and discussion. There are many different levels of assurance, and different levels of privacy are needed in different contexts.
  • New book from Susan, called "Economic Puzzles in Federated Identity". There are economic pressures in terms of law, and from different stakeholders, which drive privacy economically.
  • A second workshop has been announced, focused on privacy issues in NSTIC, on Monday June 27 and Tuesday June 28. The event will take place at the MIT Media Lab in Cambridge, Massachusetts. Details (including a link to online registration) are at: http://www.nist.gov/itl/nstic-privacy-workshop.cfm.
  • The registration fee for this workshop will be only $20, a notable discount from the fee for the first governance workshop. A draft agenda will be posted shortly.
  • Rich Furr and Susan Landau will be in attendance.

4. Liaison Activities

  • Tom Smedinghoff: Liaison Report on the NSTIC Workshop
    • Tom explains that there was confusion around which aspects of governance the meeting and comments are focused on. This meeting and the comments are about setting up the governance of the steering group, not so much a trust framework, although there was confusion and overlap between the two main aspects of governance that were brought up: the governance of NSTIC as a whole, and the NSTIC governance committee.
    • Tom presented on what a trust framework is from the ABA perspective, and mentioned that it is important to understand what the group is building when creating the steering structure within NSTIC.
  • ABA Report: Tom chairs the ABA Identity Management Legal Task Force.
  • Identity Management Conference next week in Chicago with the aerospace industry.
  • The ABA is not submitting comments on the NSTIC NOI (it may get involved with an informal response).
  • ABA goal: to produce a draft report (working title "Building the Legal Framework for Online Identity Management"). Its focus is to identify and examine the legal issues related to IdM, and to evaluate possible legal structures for IdM systems.
  • The ABA is holding a joint meeting with TSCP on June 22-23, 2011 (see attached email). However, that meeting will not address the ABA report directly. The draft report is expected in mid-July, with a follow-up meeting (August/September) in Washington for comments, which P3 is invited to provide.

5. Topics on the List (Open Invitation for Topics in Privacy and Public Policy)

(Drummond Reed was unable to join the call, so his talk was tabled and we moved on to discussing the P3 NSTIC response.)

  • Emerging areas of identity-based trust frameworks and assurance metrics.
  • Two types of trust: institutional trust (a.k.a. identity assurance) and social trust (governance).
  • Does this require multiple types of trust assurance metrics? How does trust assurance affect privacy?

6. Brainstorm for NSTIC NOI responses from P3:

Tom:

  • How will privacy interests be represented by the steering group?
  • And how will privacy decisions be made by the steering committee?

Susan:

  • Who will represent Gov't interests to protect privacy?

Mark & Aaron:

  • What will the international aspects be?
  • The US gov't must first develop its national strategy, then look to international directions.
  • We could leverage international work efforts and technical solutions to inform our thinking, so as not to waste time reinventing the wheel.

Question:

  • How is privacy going to be represented on the steering committee?
  • What is the authority structure and organisation of the steering committee? Will it include org structures?
  • Hedy: Are there any synergies in effect between privacy and the private sector other than what this initiative is pushing?
  • Any efforts connecting the dots between legislation and NSTIC?
  • Mentioned that a very strong privacy framework helps a lot as a backdrop, which is comfortable for the Canadian identity management industry.

Question:

  • Aaron: What do we see the authority of this governing body to be? Does it have the authority to define, bless or veto something? How will we unilaterally accept all the work coming from this body with respect to acceptance and approval of its process?
  • Richard: While the government pushes industry to drive its work, to what extent will the gov't be a stakeholder? Will it have a golden vote?

Points Raised for NSTIC NOI Input

  • There are various structures that the governance committee can explore. Aaron mentions educational, legal and industry representation on the governance steering committee.
  • Tom brings up a different structure that can be organised by issue (privacy/security). Another approach is to organise by type of expertise (policy/legal). Various types of representation need to be brought in.
  • Many participants are not even thinking about this today. It needs to be organised with future participants in mind.
  • The issue of liability was raised.
  • Presumption that a corporate entity would be needed to accommodate the needs of NSTIC operations, which would have potential for liability.
  • Tom notes that authority will come from within the structure, from the participants, indicating that the governance committee needs to be representative.
  • What stake will the government take in the steering of this corporate body?
  • Kantara has a good model of governance to draw upon for the response.
  • A Kantara response may include representing international standards in privacy. Suggestions were made that the steering committee will need to represent the standards community according to particular areas of governance. Assessment criteria and process will be needed for each of these areas, FICAM being one of them.

Issues

  • Organise by issue or by type of expertise.

  • ACTION: Joni will draft a charter to quickly spin up a discussion group as a forum to complete, compile and compose the Kantara response to the NOI. Members from all work groups will be invited to join the collaborative effort.

7. AOB

  • Motion to approve the minutes of 11 Jan and 05 May 2011.
  • Motion to approve the minutes as captured on 11 Jan and 05 May, moved by Mark, seconded by Gershon. No further discussion or objection. Minutes are approved.
  • The issue of the ITAC presentation was raised.
  • P3 will convene a call next week to further discuss NSTIC and to address an RFP / reduced scope for the PAF / PAC (Privacy Assessment Criteria).

ADJOURNED