White House releases Consumer Privacy Bill of Rights

After years of wrangling about online privacy in Washington, the White House has unveiled a Consumer Privacy Bill of Rights. A coalition of Internet giants, including Google, Yahoo, Microsoft, and AOL, has committed to adopt “Do Not Track technology” in most Web browsers by the end of 2012.

These companies, which deliver almost 90 percent of online behavioral advertisements, have agreed not to track consumers who choose to opt out of online tracking using the Do Not Track mechanism, which will likely manifest as a button or browser plug-in. All companies that have made this commitment will be subject to FTC enforcement.

“American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” said President Obama in a prepared statement. “As the Internet evolves, consumer trust is essential for the continued growth of the digital economy. That’s why an online privacy Bill of Rights is so important. For businesses to succeed online, consumers must feel secure. By following this blueprint, companies, consumer advocates and policymakers can help protect consumers and ensure the Internet remains a platform for innovation and economic growth.”

The announcement coincided with the release of a long awaited white paper: Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. (Embedded below.)

The Center for Democracy & Technology (CDT) welcomed the Administration’s unveiling of this “Consumer Privacy Bill of Rights,” calling the industry’s announcement that it will respect “Do Not Track” settings in Web browsers “a positive step for consumer privacy.”

“The Administration’s call for a comprehensive privacy bill of rights comes at a pivotal time when there is a tremendous concern among consumers about their personal information,” said CDT President Leslie Harris in a prepared statement. “While we believe legislation will likely be necessary to achieve these protections, we support the White Paper’s call for the development of consensus rules on emerging privacy issues to be worked out by industry, civil society, and regulators.”

“For five years CDT has pushed for the development of a reliable ‘Do Not Track’ mechanism; today’s Digital Advertising Alliance announcement is an important step toward making ‘Do Not Track’ a reality for consumers,” said CDT’s Director of Consumer Privacy Justin Brookman in a prepared statement. “The industry deserves credit for this commitment, though the details of exactly what ‘Do Not Track’ means still need to be worked out,” Brookman said. “CDT will continue to work through the W3C standards setting process to develop strong and workable ‘Do Not Track’ guidelines.”

As Edward Wyatt reported at the New York Times, however, implementation of these online privacy guidelines won’t be just a matter of adding some lines of code:

Much remains to be done before consumers can click on a button in their Web browser to set their privacy standards. Congress will probably have to write legislation governing the collection and use of personal data, officials said, something that is unlikely to occur this year. And the companies that make browsers — Google, Microsoft, Apple and others — will have to agree to the new standards.

There will be a press conference tomorrow, streamed live from the White House. (Much more to come on this story tomorrow, though given that I’ll be traveling, you’ll be reading it elsewhere.)

A Consumer Privacy Bill of Rights

· Individual Control: Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.

· Transparency: Consumers have a right to easily understandable information about privacy and security practices.

· Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

· Security: Consumers have a right to secure and responsible handling of personal data.

· Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

· Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

· Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

White House Privacy White Paper

This story has been updated as more statements and news stories came online.

Dyson at the eG8: You don’t need to be from the Internet to believe in liberty or free speech

At the eG8, 20th century ideas clashed with the 21st century economy. The inaugural eG8 forum, held in Paris before the G-8 summit of global leaders, showed that online innovation and freedom of expression still need strong defenders. As Nancy Scola reported at techPresident, at the eG8, civil society groups restaked their claim to the ‘Net.

Several attendees, many of whom had traveled from the United States, strongly questioned whether the Internet should be regulated in the ways that Sarkozy implied. The “value of internet is not just efficiency but also transparency,” tweeted Esther Dyson, “a much better regulator than government could ever be.”

I spoke further with Dyson in an interview embedded below. What matters about the eG8 “is that you have a lot of people being exposed to one another and you have a lot of government people being exposed to people they don’t normally listen to,” said Dyson. “As usual, it’s not what happens up on stage, or what happens on the video: it’s what happens on the tweets, in the personal interactions, in the dinner afterwards, and in the back hall of the meeting. And that – that was positive. The world doesn’t change overnight, mostly.”

She spoke to the concerns of civil society about eG8 recommendations: “It is sort of justified. Some of them were precanned. I actually sat down with my guy after doing my panel and changed them. I don’t think that happened with all of them. But again, the community is aroused: it’s going to make its points around this.”

Dyson also emphasized the universality of some of these concerns and what’s at stake. “You don’t need to be ‘from the Internet’ to believe in liberty or free speech.”

How are startups helping the global transparency movement? “They’re providing tools to make the data meaningful,” said Dyson. “They’re providing tools for people to share the information. They’re providing the communication tools, again, that allow everything from Wikileaks to people communicating with reporters. Tools like your phone, connected to the Internet, so that you can record interviews not just with me but with all of the other people you talk to, upload them, people can share them, people can comment on them. That’s all technology.”

Dyson shared other thoughts on the eG8 and Internet freedom, including how entrepreneurs are changing the world through their work. Dyson also shared an insight that transcends technology:

“Even when you have a revolution, what makes the revolution work is what changes in people’s minds, and that’s what’s going on here,” said Dyson.

“The world is changing. People in government are not special. They should be as transparent as everybody else. People deserve privacy. Officials, governments, institutions, they all should be transparent. That’s new thinking, and it was being heard.”

Google reaches agreement with FTC on Buzz privacy concerns

Google has agreed to an independent review of its privacy procedures once every two years and to ask its users to give “affirmative consent” before it changes how it shares their personal information. The agreement raises the bar for the way that companies handle user privacy in the digital age.

Alma Whitten, director of privacy, product and engineering, announced that Google had reached the agreement with the United States Federal Trade Commission in an update on Buzz posted to Google’s official blog this morning.

“The terms of this agreement are strong medicine for Google and will have a far-reaching effect on how industry develops and implements new technologies and services that make personal information public,” said Leslie Harris, president of the Center for Democracy and Technology.  “We expect industry to quickly adopt the new requirement for opt-in consent before launching any new service that will publicly disclose personal information,” Harris said.

In a statement posted to FTC.gov, the FTC charged deceptive privacy practices in Google’s rollout of its Buzz social network. (Emphasis is mine):

The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States.

“When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.”

The FTC turned to Twitter for a live Q&A with the Web. Here’s a recap of the conversation:

In her post, Whitten highlighted the tools Google has already built at the intersection of its products, government expectations and user privacy:

For example, Google Dashboard lets you view the data that’s stored in your Google Account and manage your privacy settings for different services. With our Ads Preferences Manager, you can see and edit the data Google uses to tailor ads on our partner websites—or opt out of them entirely. And the Data Liberation Front makes it easy to move your data in and out of Google products. We also recently improved our internal privacy and security procedures.

Looking back at SXSWi and a “Social Networking Bills of Rights”

Posts and thoughts on the 2011 South by Southwest Interactive Festival are still making their way out of my hard drive. On the first day of the conference, I moderated a panel on a “Social Network Users’ Bill of Rights” that has continued to receive attention in the press in the days since the festival, including at MSNBC, Mainstreet.com, and PC World, focusing on the responsibility of data stewardship. At MemeBurn.com, Alistair Fairweather highlighted a key question for the technology industry to consider in the months ahead: “Why is user data always vested within the networks themselves? Why don’t we host our own data as independent “nodes”, and then allow networks access to it?”

Good questions, and ones that a few startups I talked to at the festival are working hard to answer. Stay tuned. For now, Jon Pincus captured the online conversation about the panel using Storify, below.

Daniel Weitzner is the new White House deputy CTO for Internet policy

Image by Elon University via Flickr

There’s a new deputy chief technology officer in the White House Office of Science and Technology Policy: Danny Weitzner. He’ll be taking over the policy portfolio that Andrew McLaughlin held. The appointment appears to have been reported first by Julia Angwin in her story on a proposed bill for an online privacy bill of rights drafted by Senator John McCain (R-AZ) and Senator John Kerry (D-MA). Rick Weiss, director of communications at OSTP confirmed the appointment and said that they anticipate that Weitzner will start work “very soon.”

With the appointment, the OSTP staff has three deputy CTOs again working under federal CTO Aneesh Chopra: Chris Vein for innovation, Weitzner for Internet policy and Scott Deutchman for telecommunications policy.

Weitzner has a deep and interesting background when it comes to Internet policy. He was serving as associate administrator for policy at the United States Commerce Department’s National Telecommunications and Information Administration (NTIA), the principal adviser to the President on telecommunications and information policy. Prior to joining the Obama administration, Weitzner created the MIT CSAIL Decentralized Information Group and was policy director for the World Wide Web Consortium (W3C). Here’s his bio from his time there:

Daniel Weitzner is Policy Director of the World Wide Web Consortium’s Technology and Society activities. As such, he is responsible for development of technology standards that enable the web to address social, legal, and public policy concerns such as privacy, free speech, security, protection of minors, authentication, intellectual property and identification. Weitzner holds an appointment as Principal Research Scientist at MIT’s Computer Science and Artificial Intelligence Laboratory, co-directs MIT’s Decentralized Information Group with Tim Berners-Lee, and teaches Internet public policy at MIT.

As one of the leading figures in the Internet public policy community, he was the first to advocate user control technologies such as content filtering and rating to protect children and avoid government censorship of the Internet. These arguments played a critical role in the 1997 US Supreme Court case, Reno v. ACLU, awarding the highest free speech protections to the Internet. He successfully advocated for adoption of amendments to the Electronic Communications Privacy Act creating new privacy protections for online transactional information such as Web site access logs.

Before joining the W3C, Mr. Weitzner was co-founder and Deputy Director of the Center for Democracy and Technology, a leading Internet civil liberties organization in Washington, DC. He was also Deputy Policy Director of the Electronic Frontier Foundation. He serves on the Boards of Directors of the Center for Democracy and Technology, the Software Freedom Law Center, the Web Science Research Initiative, and the Internet Education Foundation.

His publications on technical and public policy aspects of the Internet have appeared in the Yale Law Review, Science magazine, Communications of the ACM, Computerworld, Wired Magazine, and The Whole Earth Review. He is also a commentator for NPR’s Marketplace Radio.

Mr. Weitzner has a degree in law from Buffalo Law School, and a B.A. in Philosophy from Swarthmore College.

As Angwin reported, Weitzner pushed for creation of the Commerce Department’s new privacy office while he was at NTIA. In his new role, he’s likely to be working closely with the FTC, Congress and that new privacy office at Commerce, which, according to Angwin, is likely to be run by Jules Polonetsky, currently head of the Future of Privacy Forum.

Weitzner’s appointment is good news for those who believe that ECPA reform matters and for advocates of free speech online. Given the recent role of the Internet as a platform for collective action, that support is worth acknowledging.

For those interested, Weitzner can be found on Twitter at @djweitzner. While he has not sent out a tweet since last November, his link to open government in the United Kingdom last July bodes well for his support for open data and Gov 2.0: “Proposed Government Data Transparency principles from UK gov’t via Shadbolt & Berners-Lee http://bit.ly/b1WyYs #opendata #gov20.”


Congress faces challenges in identifying constituents using social media

Citizens are becoming more influential through social networks and influencing their peers. Research from the Pew Research Center’s Internet & American Life Project suggests that government 2.0 is an important trend, with respect to our understanding of what it means to be a citizen and how our actions influence those of our fellow citizens. The role of the Internet as a platform for collective action is growing, but the authorities that control the levers of power offline still matter immensely.

Today, Politico reported that social media isn’t so hot on the Hill. Or, as FierceGovernmentIT.com reported, “Congress is using social media to talk, not listen.” Both media outlets were reporting on survey results conducted by the Congressional Management Foundation on perceptions of citizen advocacy by Congressional staffers.

A better headline, however, might have been “Twitter isn’t so hot on the hill with lawmakers,” given myriad challenges around identifying constituents online, automated campaigns and what Representative Culberson (R-TX) described as a “lot of trolls on Twitter.” (It’s even worse on YouTube, Congressman.) The question posed at the end of the Politico article — “Are lawmakers putting too much time — or staff resources — into social media?” is followed with Pew stats on *Twitter* use and penetration, not Facebook.

The complaints from numerous anonymous Congressional staffers about the time it takes to maintain social media are likely honest and parallel the experiences of higher-paid contemporaries in private industry, academia, media, fashion and the nonprofit worlds. Managing multiple social media presences can, indeed, be a pain in the a–. And it takes resources, in terms of time, that may be scarcer than ever. That said, social media is now part of the lexicon of Congressional staff trusted with constituent communications. If a Representative or Senator is speaking anywhere in DC, there’s an increasingly good chance that snippets of it may be tweeted, unusual pictures will be tagged on Facebook and that any gaffes will be up on YouTube later.

Doing more than trying to fit the 20th century model of broadcasting to these platforms requires time, expertise and commitment, along with a thick skin. Opening up these new online channels for Congressional communications created challenges, to be sure, but then so did adding the telegraph, radio, television, fax machines, cellphones and email. It’s not hard to find past news reports of Senators resisting the addition of dial phones to the Hill.

Every new communications technology has had an impact on Congress. In 2011, Twitter, Facebook and YouTube each come with new wrinkles. YouTube and Twitter can work in concert to share video instantly with the world. At the same time, on the Hill, automated campaigns using social media have followed the path of the email and fax deluges before them. Carefully edited videos can trim key context from statements, or audio from broadcasts. The risks and rewards of Web 2.0 that pertain to federal and state agencies also pertain to Congress.

Take, for instance, Facebook, which is generally tied to the real identities of citizens. Engaging with citizens carries with it identity and privacy issues for constituents. That’s the rub, and it won’t come out easily. Look at how San Francisco integrated city services with 311 and Facebook for an example of how government can mitigate and address some of those issues. The National Strategy for Trusted Identities in Cyberspace might address some of the challenges as well.

In the meantime, Congressional staffers and citizens alike can hope that new, improved architectures for participatory democracy online come along soon to upgrade the status quo in Washington.

2011 Trends: National Strategy for Trusted Identities in Cyberspace highlights key online privacy, security challenges

Blackberrys, cell phones and communications devices are tagged with post-its during a briefing on Afghanistan and Pakistan in the Cabinet Room of the White House, March 26, 2009. (Official White House Photo by Pete Souza)

The upcoming release of the final version of the White House “National Strategy for Trusted Identities in Cyberspace” highlights three key trends that face the world in 2011: online identity, privacy and security. Governments need ways to empower citizens to identify themselves online to realize both aspirational goals for citizen-to-government interaction and secure basic interactions for commercial purposes.

Earlier today, Stanford hosted an event where U.S. Commerce Secretary Gary Locke and White House cybersecurity coordinator Howard Schmidt talked about the Obama administration’s efforts to improve online security and privacy at the Stanford Institute for Economic Policy Research (SIEPR). Here’s the NSTIC fact sheet the administration posted last year.

“As we look at the innovation engine that drives many of the things we’re doing, what does it mean to sit there as we’ve come together today,” asked Schmidt, “bringing these things together to overcome some of these risks associated with the technology we’ve deployed over the past 20 some odd years?”

The administration took public feedback on the document at NSTIC IdeaScale, which is now closed. (For a screenshot, see the story on IdeaScale on MSNBC.com.) “Every day at the end of the day, I would go back and read some of those comments,” said Schmidt today. “Some of them quite honestly were pretty silly. Others were very insightful and gave us some good thoughts about how can we do this right? How can we create a document that really does those things the secretary mentioned, such as privacy enhancing but also giving us better trust?”

Schmidt took to the White House blog again today to announce a “National Program Office for Enhancing Online Trust and Privacy.”

Today, at Stanford University, Commerce Secretary Gary Locke and I were pleased to announce that the Commerce Department will host a National Program Office (NPO) in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC). As I’ve written previously, the NSTIC fulfills one of the action items in the Cyberspace Policy Review (pdf) and is a key building block in our efforts to secure cyberspace.

This holiday season, consumers spent a record $30.81 billion in online retail spending, an increase of 13 percent over the same period the previous year.  This striking growth outshines even the notable 3.3-5.5 percent overall increase in holiday spending this past year.  While clearly a positive sign for our economy, losses from online fraud and identity theft eat away at these gains, not to mention the harm that identity crime causes directly to millions of victims.  We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the “keys to the kingdom.”

We need a cyber world that enables people to validate their identities securely, but with minimal disclosure of information when they’re doing sensitive transactions (like banking) – and lets them stay anonymous when they’re not (like blogging). We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials. For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge. In this world, we can cut losses from fraud and identity theft, as well as cut costs for businesses and government by reducing inefficient identification procedures. We can put in-person services online without security trade-offs, thereby providing greater convenience for everyone.

This is the world envisioned in the NSTIC.  We call it the Identity Ecosystem.  We will be working to finalize the NSTIC in the coming months, but that is only the beginning of the process. I’m excited to be working with Secretary Locke. The Commerce Department is perfectly suited to work with the private sector to implement the NSTIC. In addition, there are other departments and agencies with strategic roles to play as well. Above all though, we look to the leadership of the private sector. Therein lies the key to success. Now is the time to move forward with our shared vision of a better, more secure cyberspace.

Why NSTIC Matters

The policy that the United States government makes towards the Internet has the potential to affect every person online in 2011, as advocates know, so how this is carried out bears close watching. The Center for Democracy and Technology filed key comments on NSTIC last year, including a key issue: “We alerted the Commerce Department to our concern about NSTIC’s current focus on the use of government credentials for private transactions: A pervasive government-run online authentication scheme is incompatible with fundamental American values,” wrote Heather West regarding the cybersecurity policy proposal.

The issue is at once simple and enormously complex, as Jim Dempsey from the Center for Democracy and Technology highlighted today. Government needs a better online identity infrastructure to improve IT security, online privacy, and support ecommerce but can’t create it itself, said Dempsey, outlining the key tension present. Dempsey advocated for a solution for online identity that lies within a broader trust framework and that is codified within a baseline federal consumer privacy law.

Some of the answers to the immense challenge of securing online privacy and identity won’t be technical or legislative at all. They lie in improving the digital literacy of online citizens. That very human reality was highlighted after the massive Gawker database breach last year, when the number of weak passwords used online became clear. Schmidt highlighted the root cause of password reuse today:

The reason most people do that is because we have to worry about remembering so many different passwords and then there’s so many layers of complexity that we have to worry about, and we have different time frames. We replace them every 30 days, 60 days, 90 days and it becomes really cumbersome. And a recent survey found that 46% of the people surveyed have never changed their passwords and 71% use the same password over and over and over again, from reading an online blog to doing sensitive financial transactions.

Other answers may be founded in creating online trust frameworks, which were a key initiative in 2010 for the federal government. Multifactor authentication, where more than one form of identity is used in a transaction, will be part of that vision. Schmidt described, loosely, what that might look like.

I go to a store. I go to a grocery store in some cases. I do some level of proofing, whatever I want to wind up doing, whether it’s the lowest level or the highest level to get an online identity stored on a token. A digital identity. Whether it’s on a USB drive or whether it’s on a smart card, I have the ability to do something beyond what I’m doing now. I go to log-in to these accounts. I use the USB device, I use a smart card. I use a one time password on my mobile device that no longer puts me in a position where I’ve been in the past where I can wind up making one small mistake and paying for it for years. But then I also get the log-in to my web mail account. That credential is passed on as well. So I have the ability to do these things seamlessly without all the baggage and overhead that goes with it. But then here comes the true test – this web mail – this phishing e-mail – comes in, and working together between the token and my digital identity and the browser, it stops me from doing things that are going to be harmful. And I had the ability to control that. I have the ability to set this up. And then it keeps me from becoming a victim of fraud.

That combination of physical tokens that interface with commercial and communications infrastructure to authenticate a consumer or online user is one vision of an identity ecosystem. Given the commercial needs of the moment, it should not be a surprise that the Department of Commerce is a key player. Secretary Locke offered perspective on the challenges that face the nation in 2011. [Full unedited transcript]

Let’s flash forward to today to 2011. Nowadays the world does an estimated $10 trillion of business online. Nearly every transaction you can think of is being done over the Internet. Consumers paying their utility bills, even from smartphones. People downloading music, movies and books online. Companies from the smallest local store to bed and breakfasts, to multinational corporations, ordering goods, paying vendors, selling to customers, all around the world. All over the Internet. E-commerce sales for the third quarter of 2010 were estimated at over $41 billion, up almost 14% over last year. And early reports indicate that the recent holiday buying season saw similar growth with year over year sales up by over 13%.

But despite these ongoing successes, the reality is that the Internet still faces something of a trust issue. And it will not reach its full potential until users and consumers feel more secure than they do today when they go online. The threats on the Internet seem to be proliferating just as fast as the opportunities. Data breaches, malware, ID theft and spam are just some of the most commonly known invasions of a user’s privacy and security. And people are worried about their personal information going out and parents, like me, are worried about unwarranted sexually explicit material coming in before their children. And the landscape is getting more complex as dedicated hackers undertake persistent targeted attacks and develop ever more sophisticated frauds.

The approach that Locke outlined will apparently be housed within the Department of Commerce, a choice that is likely relevant to the scale and growth of e-commerce online:

The end game of course, is to create an identity ecosystem where individuals and organizations can complete online transactions with greater confidence, putting greater trust in the online identities of each other, and greater trust in the infrastructure that the transactions run over. Let’s be clear, we’re not talking about a national ID card. We’re talking about a government controlled system. But what we are talking about is enhancing online security and privacy, and reducing, and perhaps even eliminating, the need to memorize a dozen passwords through the creation and use of more trusted digital identities. To accomplish this, we’re going to need your help. And we need the private sector’s expertise and involvement in designing, building and implementing this identity ecosystem. To succeed we’ll also need a national program office at the Department of Commerce focused on implementing our trusted identities strategy.

For more context, look back to Schmidt’s introduction of the NSTIC at the WhiteHouse.gov blog last year:

Cyberspace has become an indispensable component of everyday life for all Americans. We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure. It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth. Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much — has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC). This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

This is all wonky stuff that may seem a bit dry to some readers, but it’s important. The intertwined issues of identity, security and online privacy are increasingly relevant to every citizen as more commerce, education, communication and elements of everyday life move onto the Internet and mobile infrastructure. This strategy is central to how the United States government will work with industry, nonprofits, citizens and other states to improve the status quo. On that count, Bob Gourley, CTO of Crucial Point, commented extensively on the NSTIC at CTOVision.

It won’t be easy. Supporting the creation of identity infrastructure and improvements to online privacy in the private sector has the potential to make the Internet more secure and convenient for users and consumers but could have unintended consequences if not carefully pursued. There’s a lot at stake. As the Stanford event organizers highlighted, “e-commerce worldwide is estimated at $10 trillion of business online annually.”

Wired’s Ryan Singel highlighted a key issue for the White House plan for online identity, perhaps even the fundamental one in today’s online identity landscape: Facebook.

Philip Kaplan, the outspoken founder of Blippy, AdBrite and Fucked Company, added a Silicon Valley developer voice to event’s panel, arguing that any system has to be simple to implement, so that developers working in their living room making a website can concentrate on building new features, not worrying about security.

The closest thing to that currently is Facebook Connect, which lets you use your Facebook credentials to log you in around the net and on mobile apps.

“I can put in one line of JavaScript and I have a login system,” Kaplan said. “But that doesn’t I’m not going to pay my taxes using Facebook Connect.”

Which is another way of saying it might be as dangerous for a single company to be the world’s online ID vault as it would for the government to handle that task.

And right now, with Facebook at 600 million users and $50 billion in valuation, that future seems much more likely than a standards-based, interoperative system built by geeks at the behest of the feds.

Whether an online trust framework can be a viable alternative to Facebook’s play to be the identity provider online is a first-order question, and one that deserves examination. Kudos to Singel for putting the event in that context.

Weekend Reading: The most recent version of the NSTIC follows. Look for more reporting, either here or at another outlet, once the final version is released.

National Strategy for Trusted Identities in Cyberspace

U.S. House to hold online privacy hearings on “Do-Not-Track” legislation

Yesterday, the FTC online privacy report endorsed a “do not track” mechanism for Web browsers. This morning, the Subcommittee on Commerce, Trade and Consumer Protection in the United States House of Representatives will hold a hearing on “Do-Not-Track” legislation. The hearing will “examine the feasibility of establishing a mechanism that provides Internet users a simple and universal method to opt-out from having their online activity tracked by data-gathering firms (a.k.a. a ‘Do Not Track List’).”

A livestream of the hearing is available, along with testimony:

The subcommittee has posted a memo that sets the stage for the hearing, which is embedded below. Notably, the document heavily references the Wall Street Journal’s excellent “What Do They Know?” series on digital privacy.

In the Internet age, each keystroke or click of a mouse can betray the most mundane or even sensitive details of our lives, and those details are being collected and packaged into profiles by a data-gathering industry with an increasing hunger for information that can be sold and used to target consumers based on their tastes, needs, and even perceived desirability. Many Americans don’t know that the details of their online lives are being gobbled up and used in this way, much less how to stop it in the event that such collection offends their expectations of privacy.

This summer, the Wall Street Journal began reporting about the online gathering of information about Internet users in an ongoing investigative series called “What They Know.” For its first piece, the Journal uncovered the extent to which Internet users’ activity is being tracked. The Journal found that visiting the top 50 most popular websites in the U.S. resulted in the placement on a single test computer of 2,224 files by 131 companies that track Internet users’ activity across the Internet. In addition, not only is tracking of Internet users pervasive, but it has become more invasive through the use by some in the tracking industry of more sophisticated technologies that can keep tabs on an Internet user’s activity on a website (rather than collecting just the fact that the website was visited) and some can even re-spawn themselves if an Internet user tries to delete them.
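The memo’s figures (files placed, companies placing them, trackers that follow a user from site to site) are the output of a measurement, and the core of that measurement is deciding which cookies are third-party and which third parties recur across sites. The script below is an added illustration of that audit, not the Journal’s method or code. It works over a constructed list of cookie observations (page visited, cookie host, cookie name) rather than a live browser profile, and it approximates a registrable domain as the last two DNS labels, which is wrong for public suffixes such as co.uk; a real audit would consult the Public Suffix List. All host names in the sample are constructed.

```python
"""Audit which third parties set cookies during a browsing session.

Added illustration, not the Journal's or the subcommittee's code. Input is a
constructed list of observations, one per cookie set. Registrable domains are
approximated as the last two labels (assumption; use the Public Suffix List
in a real audit).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class CookieObservation(NamedTuple):
    page_host: str    # host of the page the user visited
    cookie_host: str  # host the cookie was set for (its Domain attribute)
    name: str         # cookie name


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_third_party(o: CookieObservation) -> bool:
    """A cookie is third-party when its domain differs from the page's."""
    return registrable_domain(o.cookie_host) != registrable_domain(o.page_host)


def third_party_trackers(obs: List[CookieObservation]) -> Dict[str, Set[str]]:
    """Map each third-party domain to the first-party sites it set cookies on."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        if is_third_party(o):
            seen[registrable_domain(o.cookie_host)].add(registrable_domain(o.page_host))
    return dict(seen)


def summarize(obs: List[CookieObservation]) -> dict:
    """Counts in the same shape as the memo's figures: third-party files,
    distinct third-party companies, and which of them recur across sites."""
    trackers = third_party_trackers(obs)
    return {
        "third_party_files": sum(1 for o in obs if is_third_party(o)),
        "third_party_companies": len(trackers),
        "cross_site_trackers": sorted(t for t, sites in trackers.items() if len(sites) > 1),
    }


# Constructed sample session: three first-party sites, two tracking domains.
SAMPLE = [
    CookieObservation("www.news-example.com", "www.news-example.com", "sid"),
    CookieObservation("www.news-example.com", "ads.tracker-a.example", "uid"),
    CookieObservation("www.news-example.com", "pixel.tracker-b.example", "id"),
    CookieObservation("shop.example.net", "shop.example.net", "cart"),
    CookieObservation("shop.example.net", "cdn.tracker-a.example", "uid"),
    CookieObservation("forum.example.org", "ads.tracker-a.example", "uid"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The cross-site list is the interesting output for a privacy review: a domain that sets the same cookie name on several unrelated first-party sites is in a position to link those visits into one profile, which is exactly the behaviour a Do Not Track preference is meant to switch off.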

If you haven’t read the series, take some time over the weekend or holiday. And if you’re interested in what the federal government is considering in the context of digital privacy, tune in to the livestream and follow the #DNTrack hashtag on Twitter for the live backchannel.

DNTrack House Briefing memo.12.01

FTC online privacy report endorses “Do-Not-Track” mechanism for Web browsers

The Federal Trade Commission released an online privacy report today that will reshape how companies, consumers and businesses interact on the Internet. The agency will take questions from reporters at 1 PM EST and from the public on Twitter in its first Twitter chat at 3 PM EST. The recommendation that “companies should adopt a ‘privacy by design’ approach by building privacy protections into their everyday business practices” is a key direction to every startup or Global 1000 corporation that comes under the FTC’s purview as the nation’s top consumer protection regulator.

The new FTC privacy report proposes a framework that would “balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services,” according to the agency’s statement, and recommends the implementation of a “Do Not Track” mechanism, which the agency describes as “a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities.”
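The report describes Do Not Track as a persistent browser setting, but leaves open how a site learns of it and what a site that honours it must change. The example below is an added illustration of the server side of that contract; it is not code from the FTC report or from any browser vendor. It assumes the preference reaches the server as an HTTP request header named DNT with the value 1 (opt out) or 0 (consent), absent when no preference is expressed; that header name and those values are an assumption, not something the report specifies. The response object, cookie values and log are constructed stand-ins for a real web framework.

```python
"""Server-side handling of a browser "Do Not Track" preference.

Added illustration, not code from the FTC report or any project it names.
Assumption: the preference arrives as a request header "DNT: 1" (opt out),
"DNT: 0" (consent) or no header (no preference expressed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: a body plus Set-Cookie values."""
    body: str
    set_cookies: List[str] = field(default_factory=list)


def tracking_preference(headers: Dict[str, str]) -> Optional[bool]:
    """True if the user opted out of tracking, False if they consented,
    None if no preference was expressed (header absent or malformed).
    Header names are matched case-insensitively, as HTTP requires."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None  # malformed value: treat as no preference, not as consent
    return None


def build_response(headers: Dict[str, str], tracking_log: List[str]) -> Response:
    """Serve a page. The behavioural-advertising cookie is set and the visit is
    recorded for profiling only when the user has NOT opted out.

    The session cookie is still set either way: the preference is about
    tracking, not about all state a site keeps for the user."""
    opted_out = tracking_preference(headers) is True
    resp = Response(body="<html>hello</html>")
    resp.set_cookies.append("session=abc123; HttpOnly; Secure")  # constructed value
    if not opted_out:
        resp.set_cookies.append("ad_profile=xyz789; Max-Age=31536000")  # constructed
        tracking_log.append(f"profile visit from {headers.get('User-Agent', '?')}")
    return resp


if __name__ == "__main__":
    log: List[str] = []
    print(build_response({"DNT": "1", "User-Agent": "example/1.0"}, log), log)
    print(build_response({"User-Agent": "example/1.0"}, log), log)
```

Two design choices matter for a practitioner reviewing an implementation like this. First, the default when the header is missing or malformed is "no preference", and the code treats only an explicit 1 as an opt-out, so a site that wants a privacy-by-design posture should decide deliberately what "no preference" means rather than letting it fall through to tracking. Second, the tracking decision is made once in one place and both side effects (the profiling cookie and the log entry) hang off it, which is what makes the behaviour auditable.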

“Technological and business ingenuity have spawned a whole new online culture and vocabulary – email, IMs, apps and blogs – that consumers have come to expect and enjoy. The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice. We believe that’s what most Americans want as well,” said FTC Chairman Jon Leibowitz.

The report states that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.” The framework outlined in the report is designed to reduce the burdens on consumers and businesses.

“This proposal is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines,” according to the report, which is titled, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”

“Self-regulation has not kept pace with technology,” said David Vladeck, director of the FTC’s Consumer Protection Bureau, speaking this morning about the proposed online privacy rules. “We have to simplify consumer choice and ‘do not track’ will achieve that goal,” he said. “I don’t think that under the FTC authority we could unilaterally mandate ‘do not track.’”

One of the nation’s top technology policy advocates approved. “The FTC report hits all the right notes. It sets out a modern and forward looking framework for privacy protection that moves beyond a narrow focus on notice and choice toward a full set of fair information practices and accountability measures,” said Center for Democracy and Technology president Leslie Harris. “The FTC has provided the blueprint. Now it is time for Congress and industry to follow suit.”

“We are very pleased to see the FTC exerting strong leadership on privacy,” said CDT Privacy Project Director Justin Brookman. “This report should bolster efforts to enact a privacy bill next Congress. Its recommendations are consistent with what is being discussed on the Hill.”

In a novel move, the FTC tweeted out “key points” from the report, embedded below, using @FTCGov.

“FTC proposes new framework 2 guide policymakers & industry as they develop legislation & other solutions. Self-regulation on privacy has been too slow. Important privacy choices should be presented in relevant context, not buried in privacy policy. Baseline protections of FTC’s proposed framework include reasonable security & accuracy, confidence that data collected or kept only 4 legitimate needs & privacy considered at every stage of product development. Privacy notices should be clearer, shorter & more standardized to better understand privacy practices & promote accountability. Consumers should have reasonable access to data upon request. Commission supports a more uniform mechanism for behavioral advertising: a so-called “Do Not Track”. Do Not Track could signal consumer’s choices about being tracked & receiving targeted ads.”

Below are the prepared remarks of the FTC chairman, followed by a liveblog of the press call. Audio of the FTC online privacy press call is available as an MP3.

FTC Chairman Privacy Report Remarks

FTC Online Privacy Report