The Open Identity Exchange, The US National Strategy For Trusted Identity in Cyberspace and Today’s Identity Ecosystem

In the 16 months since it was incorporated as a not-for-profit organization, the Open Identity Exchange (OIX) has been gathering expertise and building tools to support the development of a new kind of trust framework. Open Identity Trust Frameworks serve the needs of all stakeholder groups in emerging identity ecosystem data/identity systems across the Internet.

OIX was initially established in response to a call from the US CIO for the commercial sector to enable the development of open technology and policy standards for government-to-citizen online identity applications. That role has evolved as the cost savings and market growth potential of standardized, multiparty legal structures, called “Trust Frameworks,” in online identity applications have become increasingly evident.

As awareness of the value proposition of trust frameworks has spread from endorsements like that of the US National Strategy for Trusted Identity in Cyberspace (NSTIC), so too has interest in the business, legal and technical requirements of operating open identity trust frameworks at internet scale. The many workgroups that have formed in and outside of the OIX come from different industries with similar goals, i.e., to enjoy the benefits of more reliable, predictable and interoperable online data and identity management structures.

Just as technical standard setting can save costs, help develop markets, and aid market adoption, so too can efforts directed at standardizing the legal terms and linked contracts that are documented and transparent in open trust frameworks. OIX continues to support the US GSA FICAM and other US government needs as originally intended, but now also supports commercial and consumer use cases in B2B and B2C, and in C2C applications.

The first annual meeting of OIX members is taking place around the time of the first of the three workshops associated with the implementation of the US NSTIC. OIX programs and tools can help support the rulemaking activity that is at the heart of the identity ecosystem contemplated by NSTIC. Trust Framework development is a form of rules development, since trust frameworks set forth the rules that are intended to govern the online identity ecosystem.

It is particularly relevant that the first NSTIC workshop is focused on governance. The rulemaking processes described below outline a sort of “assisted self governance” through which OIX maintains the programs and tools to help trust communities develop trust frameworks. In each trust framework, trust communities establish rules to govern those aspects of data rights and identity technology protocols that are of particular interest and importance to them.

OIX programs support a form of rulemaking that relies heavily on market mechanisms for the identification of best practices that can be considered for elevation to “standards” in a more formal manner. One goal of OIX is to manifest standard setting in the legal “rules” to complement standards for technology tools.

OIX rulemaking activities and resources can help the NSTIC to achieve many of its goals. OIX was designed to foster and support rulemaking using market infrastructure to enhance the ability of systems to keep pace with changing market needs. The identity ecosystem will be supported by standards and rules that are more detailed at the “local” level and increasingly generalized at higher levels, culminating in the very general “principle-based” rules of the US national identity ecosystem, and ultimately the more general set of international, internet-scale rules associated with national strategies such as the US NSTIC.

NSTIC promotes policy-making that is inclusive, comprehensive, transparent, accessible, and responsive to stakeholder needs, even as those needs evolve and change. This material explores policy development issues from a process perspective. NSTIC notes “the private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem.” The level of public-private coordination needed requires structured processes for market operation, rulemaking and enforcement. OIX was set up to address market operation and rulemaking processes.

Complementary enforcement processes to maintain system integrity are best configured after the market operation and rulemaking processes are developed, so that enforcement structures and strategies can best support market function.

OIX is designed to reduce friction associated with the interface between current internet practice and the requirements of national and industry identity systems. That “friction” is partially absorbed through the OIX working groups that divide governance between “information exchange operation decision making” (which resides in the OIX board), and “Trust Framework development decision making” (which resides in the working group participants).

While OIX helps to enable the establishment of market-based standards, the ultimate decision authority on standards remains within the Trust Communities that draft their Trust Frameworks (only the decisions on market operations rest with OIX). The nature of the Trust Frameworks composed by trust communities, whether broad national principles or narrower context-specific rules, ultimately defines the data/identity market characteristics for each of them. OIX programs and tools merely promote their normalization and interoperability with other trust frameworks.

OIX working groups draft their own governance documents, IP policies, etc. They can invite participation of all stakeholder groups, and they can craft Trust Framework materials of any scope desired (including those intended for national domestic application such as the US Identity Ecosystem). By becoming part of the OIX working group community, there is greater access to OIX tools, the advisory board, and the market itself.

OIX tracks the advancement of a trust framework initiative through five policy stages. These come in the form of an empirical analysis of the five stages of rulemaking in public/private partnerships from policy sciences literature. The five stages are: agenda setting (discussion of issues), problem identification (focusing on relevant variables), decision (define future action items), implementation (focus on deployment), and evaluation (assessment of implementation and new agenda setting cycle).

I. Stage 1 – Agenda Setting

Agenda setting is where groups raise issues in related areas and identify and explore potential connections and conflicts with other groups.

Successful agenda setting requires a hybrid of public and private processes occurring across multiple groups. For efficiency and to enable stakeholder participation, the rulemaking processes of different groups should be loosely coupled into separate but coordinated efforts. OIX working groups can access legal analysis and tools to optimize cooperation and consultation among groups. A substantial part of the discussion (such as that around issues of “security,” “privacy,” and “liability”) is being engaged in as part of the “agenda setting” process.

Rulemaking in a public/private partnership (“PPP”), such as that contemplated in NSTIC, can offer greater flexibility and informality in rulemaking than the formal processes associated with public law. In a PPP situation, there can be agreed-upon aspects of system legal development that can be worked on in either the private or the public sphere to match the context and different stakeholder group needs. OIX working groups create their own governance structure, IPR policies and other arrangements to suit their work.

The “agenda setting” stage offers an opportunity for broad participation in the rule-making process. A market that cultivates broad participation at the “agenda setting” phase is more likely to enjoy broad adoption at the “implementation” stage. OIX enables broad participation with online tools to provide efficient pathways to discerning the needs and preferences of various groups involved in trust framework development and deployment.

II. Stage 2 – Problem Identification

Problem identification is the stage where issues raised during “agenda setting” are narrowed to those that lend themselves to the crafting of rules and solutions for the next “Stage 3 – Decision.”

The second stage exercise of “problem identification” can be thought of as the specification of issue/problem “signals” from the “noise” of agenda setting. Moving issues from “agenda setting” to “problem identification” is repeated for each issue to enable progress. The timing and characterization of issues will be different for different issues and will be ongoing as long as there continue to be issues that are considered to remain unaddressed.

The improvement of the “signal to noise” ratio does not suggest that items be ignored, only that they be developed to the point that one or more parties decides to expend the energy to chaperone the issues into existing or new problem identification “slots.” OIX working groups allow the separation of issues/discussions into groups and subgroups as needed to foster efficient, transparent and participatory. Each OIX working group determines its own work plan at its own pace. Some issues will take longer to develop than others, but all are important.

Traditional rulemaking in this area would likely result in jurisdictional silos, i.e., across countries and their legal subdivisions, raising compliance costs for data/identity service providers and other stakeholders across multiple jurisdictions without addressing security, privacy or liability concerns. A broadly participatory rulemaking governance structure can leverage various initiatives and allow policy coordination across jurisdictions, especially with regard to data/identity services, which play an increasingly important role in many industries. Multiple party participation is desirable for diversity and adoption, and it also plays a critical role in commercial viability.

Trust Frameworks (whether broad comprehensive national and industry frameworks, or narrower stakeholder-specific rules) are, at base, multiple, integrated contracts that establish mutually dependent duties among stakeholders. For stakeholders’ rights to be meaningful, stakeholder duties must be enforceable. It is inefficient to base trust framework duties, at internet scale, solely or even primarily on monetary consideration. Instead, comprehensive trust frameworks are the cheapest to build, since more parties’ contractual promises to perform duties in accordance with a given standard of care are available as the “currency” to pay to other participants in a comprehensive trust framework. Structuring more comprehensive trust frameworks allows trust framework-based data/identity infrastructure to “scale” with more modest resource investment.

III. Stage 3 – Decision making

Decision making involves the selection of stage 2 “problems” to address and the making of decisions and new rules of how to deal with them. “Problems” that make the leap to the “decision making” stage come in all “shapes and sizes.” Some will involve minor, administrative issues, while others may be considered more significant and substantive.

Each “problem” identified at stage 2 will command different resource and attention needs at this new stage 3. Properly managed, this mechanism can yield responsive, resilient and broadly adoptable rules that address all stakeholder needs in a balanced way. The OIX working group structure makes it easier to compare how others handle various issues. The sharing of solutions across trust frameworks is a step toward best practices and ultimately legal standards that improve interoperability across jurisdictions and industries. One area in which NSTIC seeks to guide decision making is through FIPPs-based legislation.

The Department of Commerce Green Paper suggests an updated set of FIPPs is a necessary starting point. FIPPs-based legislation has been introduced in Congress in several bills. A well-structured PPP arrangement could coordinate the variety of perspectives and approaches to the question of FIPPs standardization, leading to appropriately updated, balanced, broadly adoptable, resilient, commercially-viable FIPPs-based rules.

IV. Stage 4 – Implementation

During stage 4, “implementation,” the focus shifts from rulemaking development to deploying systems that implement those rules. This stage is very different from earlier stages. It involves such additional considerations as administrative and operational challenges of deployment, running audit and enforcement processes, and issues arising from applying incentives and penalties to coax system-consistent participation.

PPPs enable standardization of legal rules to help support standardization of technology tools. If private parties are involved in rule setting, they can help to better configure new rules to be more readily adopted and integrated with existing data practices. This will help to defray the educational and other deployment costs that plague efforts to comply with government-only rulemaking. A PPP can encourage membership by implementing “privacy by design” concepts, such as by structuring data/identity rules to have built-in incentives that encourage other entities to adopt PPP-derived rules.

For those system challenges that don’t lend themselves to contract-based solutions, industry can work with relevant governmental entities to rely on the capacity and expertise of public sector enforcement capabilities. That latter approach, i.e., private rulemaking and public-assisted enforcement, is consistent with the FTC Staff Proposal (Dec. 2010), but that proposal only covers enforcement to benefit individual U.S. stakeholders in their roles as consumers. It does not cover other necessary enforcement in favor of other stakeholder roles (such as individuals engaged in business activity, individual civil rights issues, enforcement for any other legal entities (such as businesses as relying parties or data handlers), or the interests of non-U.S. persons). Even though it is limited in scope, FTC enforcement is an example of the type of arrangements that can provide cost savings for stakeholders in data/identity systems.

V. Stage 5 – Evaluation

During the evaluation stage there is assessment and reporting of prior actions and the initiation of corrective actions. This is the stage at which a PPP structure offers unique advantages. Governmental rulemaking in the form of legislation or regulation does not typically anticipate being subject to near-term dynamic alteration based on effectiveness reviews.

The feedback from the “evaluation” phase sets up a “virtuous cycle” of continuous improvement of best practices that can be standardized to the benefit of all stakeholders. Private rulemaking evaluations are atypical because they are infrequently bothered with during process planning. The OIX metadata listing service is intended to make market-relevant information on both Tools and Rules widely available, subject to review, critique and adoption in an active, transparent market.

Where PPP processes based on open-standard, open-information mechanisms are engaged in, the evaluation steps can be more formalized, making possible better evaluation and process improvement, with the anticipation that private involvement makes corrective changes easier.