The NSTIC (National Strategies for Trusted Identities in Cyberspace) the online Identity verification program, no longer a theory or a possible probability, the NSTIC is here readied and in go mode. So now what?
Those who follow me, read me, or conference with me, already know what these five letters mean, but just in case let’s review the NSTIC, what it means and then where we are now.
A Little Background
Simply put, the NSTIC stands for the National Strategies for Trusted Identities in Cyberspace. It is a program that is federally overseen, but privately run with identity verification (online) in mind.
What does this mean? NSTIC was designed to eliminate the password “issue” by replacing passwords with a “trust” verification system where websites will know you are who say you are by utilizing credentials from a third party Identity Provider.
So How Does it Work?
The Identity Ecosystem as the NSTIC is commonly referred to consists of the following actors: The User (or Me), the Relying Party (RP) and the Identity Provider (IdP) who exchange bite size digital verification and identification credentials to say you are you.
So let’s take the case of a site with an age requirement, like Pandora. Pandora requires that I, the user, be 13 to use the site. However, in that process it does not need to know my actual birthday if “someone else” it trusts can say I am over 13. This is where the “trust” process or “Identity Ecosystem” begins its work.
So the process works like this: Me the User goes to Pandora.com. Pandora asks “me” are you 13? Instead of me giving a birthdate as I would today, my Identity Provider, who holds that piece of verified data about me and is also trusted by Pandora says, “Hello Pandora! Yes, this is Kristine and yes she is over 13. You can let her in.” Pandora trusts my Identity Provider (IdP) and I am allowed site access. Woot! Awesome right?
This is a Good Thing, Right?
Well advocates will explain to you this is all much better for you the user, because there:
- Are no passwords for you to remember.
- Is no detailed data to exchange (i.e., Pandora knows I'm over 13, but not when I was born.
- Is only one access point which makes your information easier to protect.
Ecosystem advocates tell us we're afforded a safer Internet, with more privacy and enhanced anonymity. Well, that's what advocates say.
What critics say is you have entered Wonderland and all that appears to be true is in actuality a trip through the looking glass. Where one door is less safe than many (one access point vs. multiple log-ins), your privacy is held by back from who you interact with but not by who contains it, and there is no such thing as anonymity in a well tracked world, at most it can be pseudoanonymous as your IdP knows what you do – and who is watching them?
Cool! No More Passwords!
No more passwords is the main selling point of the NSTIC program to the User (Me), so it takes a lot of reading and dissecting of documents to understand what is not being stated and what words like “privacy” and “anonymity” mean in the identity ecosystem and then why in the world they matter to a search engine marketer, beyond the personal that is.
Illusion of Privacy in the NSTIC
So a year has come and gone in the NSTIC and the issue of privacy seems to still be at the forefront. What is the issue? Well the advocates will tell you "see it gives you MORE privacy!" Because you don’t have to give these websites you interact with any information, your IdP will vouch for your name, address, age, social security, credit card and anything else that your IdP holds in their “verified identity” account of you. Then all you do is pass over a “credential” that gives over limited amounts of data from the IdP to the RP (third party website).
Sounds great right? Well except if we think about it.
If we have an IdP or even several of these, we no longer have many websites that we might only transact with on a limited basis or for limited purposes. So say, I am a daily Amazon.com User. Amazon.com still only has very limited data about me that most websites currently have about me. They have my name, address and payment method. This information isn't contained in one bucket anywhere. It is spread across competing enterprises in many buckets.
Not with an IdP, all your verified data is kept there, whether needed or not because there is a larger requirement here. Now the IdP has to verify you are who you say you are, verify your credentials, become your trusted verification source.
Now it is not just name, address and payment data, but that you are you and you can be verified as you. So your privacy isn't really private. In addition, the only laws that govern this data collection are Fair Information Practice Principles (FIPPs) which can be signed away with a TOS and a click of a button.
So your IdP can hold all this data on you and where you go with your data, who you interact with, but there are no laws that govern what the IdP does with this data except the weakest of those which can be clicked away with a TOS button.
Anonymity Tracked - Is It Ever Anonymous?
The other claim to fame for the NSTIC, the big sale, is that you will be anonymous to the sites you visit. That you will be Jane Doe, but the IdP can verify you without you having to give away more than the most limited amounts of data.
But again we have the same issues as in privacy, that which is tracked is not private or anonymous and there are no laws that can prevent an IdP from doing what they would want with your information. In fact, PayPal has already tried to eliminate the current privacy board, in favor of a weakened set of guiding principles.
Security! One Strong Door
Finally there is security, the one strong door theory. However, with every major entity including the CIA and the FBI having their data compromised I think I will take the many unconnected weak doors, rather than the one large strong one. Why? Because there is no such thing as a door strong enough to keep all those who want in, out.
NSTIC - No Longer a Possibility, but a Reality
Last year, the NSTIC was a theoretical concept. Sure Google, PayPal and Equifax were federally credentialed Identity Providers (IdPs) and there were governing bodies, massive government involvement and private firms all chomping at the proverbial bit. However, it was still theoretical. The idea was it would be, could be implemented at some time in the not too far off future. This is no longer the case.
As for this fall Centers for Medicare and Medicaid (CMS) as well as The Office of Management and Budget (OMB) were all looking to move to the NSTIC Identity Ecosystem.
“The Centers for Medicare and Medicaid Services wants to move away from providing credentials and instead leverage the National Strategy for Trusted Identities in Cyberspace, or NSTIC, according to CMS Chief Information Officer Tony Trenkle”
But it’s not only the Federal Government; there were six NSTIC pilot programs approved all in a variety of verticals including ecommerce, health, education, even the Virginia Department of Motor Vehicles.
These pilot programs are meant to explore differing implementations of the NSTIC and how they work, then report back to the NSTIC program office on their successes (or lack thereof) to better sculpt the real world applications of the program when it is implemented on a wider scale.
OK so Why Does a Search Marketer Care?
So you are probably wondering ok, how are you going to tie all this in with G+ and Eric Schmidt?
One of the most important components of the NSTIC program is that it be voluntary. In fact it MUST be voluntary; no one can be forced to sign-up for it. Of course voluntary is an illusion if all your government services wind up using it, but let’s say it is purely voluntary and private how do you get people to sign-up for the NSTIC ?
As a company if you want to become part of the Identity Ecosystem you get federally certified as one of the Identity Providers.
G+ the “social network” is part of the company just recently quoted saying, “G+ is Google and Google is G+”. So if “G+ is Google and Google is G+” and if Google is a Federally Certified Identity Provider then maybe the purposes behind G+ is what Eric Schmidt said it was, i.e. G+ is not a Social Network, but an identity service and Google is now ready to be an IdP to over 300 million Users when the NSTIC system is fully rolled out.
So where else can we see evidence of the Identity Ecosystem at play at Google?
One of the more notable places you can find direct similarities between the NSTIC system and Google is in the Google patent applications. Especially if you read the patents on Authorship and Content which states;
“Verifying identity of the user by verifying credentials of the user; and upon verifying the identity of the user, creating an author badge for the content posted online by the user, wherein the author badge includes a badge identifier; transmitting the author badge to the client computer”
Identity of author is verified through authorship credentials passed from user to third party. Sound familiar?
In fact, in stories between SEOs there is anecdotal evidence that some author’s content cannot rank or index and that author has been marked. Read the patents and you can see this is not only possible, but the patents discuss it.
In addition, the author is verified through their online reputation, social network, education, known experience and other “trust” factors which can be ported not only to the author, but “ from one online publisher to another.”
Remember Eric Schmidt mentioning people needing multiple identities in a lifetime, the NSTIC and a review of the author patents starts to make those “crazy Schmidtisms” seem suddenly like rational proclamations.
Where Else do we see the Identity Ecosystem at Play?
How many of you know about your Google Dashboard?
Google Dashboard is the place Google has for you to check all the information Google stores on you. If you have never been, you might find this particularly eye opening, possibly frightening depending on how may of Google’s shiny-free services you use.
Noticeably removed from the dashboard now is a link to a bit if data where Google showed you the social connections they tracked you by. Yes, they showed you who you knew, how you knew them and by what online service they found that information. Now this went by things such as Twitter and losing the Twitter firehose could be why the link to this data no longer exists, but it is interesting that it is no longer present.
So what else is in the dashboard?
Google now includes a section in dashboard about your Online Reputation, what you can find on Google about you, how to manage it and how to fix it if broken. So as SEO/Ms we all call this Reputation Management, yet in this new broader context of Google as IdP, reputation far extends past whether or not a bad link appears about you on page one.
What Else is Google Doing?
We don’t want to give the impression there are no other IdPs in your life. There are many ready to come online, readying their certifications, asking for their credentials; but right now I can only speak the very few that have actually received their credentials: Google, Equifax and PayPal. However, know that this is only the beginning.
Just the Beginning
A year ago the NSTIC was a maybe program that could be, and might be entering your life. This is no longer the case.
The NSTIC is now readied; it is implemented for certain services readied alongside other methods under the older Federated ID Program for Federal Services such as Medicaid and Medicare. It is a proverbial ball descending downhill with your online Identity in its path. The question now is not if, or when, but in what form and how it will come to pass.
The NSTIC will offer itself up as private, anonymous, even secure. However, it cannot be any of those things, by sheer nature of its construction.
However, and even more insidious is the application of this Identity Ecosystem to the Search Paradigm. Bad actors in the search space may find themselves unable to work without creating new Identity. Crazy? Maybe.
Go read your Google Dashboard and see all the data that can be associated with you as an individual, a marketer, an author, a person and now attach that to Google as your IdP, G+ as your IdP log-in who also doles out your credentials to everyone you transact with online.
Are you getting the picture? No tinfoil hats here because this is all real and the data is all here.
The question just becomes, how far does it go once implemented, once you need to use your IdP to transact and that IdP also houses/scans your email, knows where you were this morning (phone), who you talked to in chat/email/sms/voice, what analytics accounts you work on, what Adwords you manage etc. etc. all in an effort to say you are who you say you are online.
Personally, give me a password. Better a few messy digits then the potential for digital totalitarianism, because done wrong and in the current state, without IdP Governance? An old phrase comes to mind, “Absolute Power Corrupts, Absolutely.”
Author's Note: I strongly encourage you to view the resources below, follow the links to the previous stories, and seek the information out. In order to understand Google going forward you must understand Google as identity provider, not just Google as search engine. Identity is already in play and can only continue to grow in importance and significance.
- Launch of NSTIC at US Chamber of Commerce Meeting (long but important)
- The NSTIC Program
- NSTIC Governance
- NSTIC Call of Pilot Program Proposals
- Privacy Update and Analysis of Proposed Paypal Amendments
- NSTIC promotional video (2011) Older Video - Not true about provider does not know
Optimising Digital Marketing Campaigns with Search, Social and Analytics
At SES London (9-11 Feb) you'll get an overview of the latest tools, tips, and tactics in Paid, Owned, Earned, Integrated Media and Business Intelligence to streamline your marketing campaigns in 2015. Register by 31 October to take advantage of Early Bird Rates.