Spring2014movemag web image Page 2 Image 0003

May 2014

Turning the Privacy Model on its Head

Jeremy Grant from NIST shares his unique perspective on driver privacy. 


Jeremy Grant, Senior Executive Advisor for Identity Management, National Strategy for Trusted Identities in Cyberspace, National Institute of Standards and Technology

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a White House initiative that looks to raise the level of trust online by addressing three issues:

1. Passwords. The humble password is creating major security problems for all of us. According to the 2013 Data Breach Investigations Report, a global study conducted by Verizon, 76 percent of network intrusions in 2012 exploited weak or stolen credentials, primarily passwords. NSTIC calls for the country to get away from passwords and move toward more secure and resilient solutions for authentication.

2. The question of identity online. A little over 20 years ago, a famous cartoon in The New Yorker depicted a dog sitting at a computer with the adage “On the Internet, nobody knows you’re a dog.” Twenty years later not much has changed. Sometimes you want to be anonymous online, but sometimes you have a need to prove you really are you. Many public and private sector services are not available online today because service providers don’t have an easy way to know that people are who they say they are. NSTIC calls for consumers to be able—when they so choose—to more easily prove their true identity online.

3. Privacy. At a time when the amount of data on all of us is increasing—and with it, the risk of this data being stolen or misused is growing—how do we give people the ability to prove they are who they say they are in a way that enhances privacy instead of introducing more risk? By designing privacy from the ground up into the “identity ecosystem,” we are working to turn the way that people think of privacy and security on its head. We’re creating a “user-centric” ecosystem that puts the user in control.

While there are currently laws in place—like the Driver Privacy Protection Act—that restrict data sharing, we’re looking at changing that model [within the existing laws] to one in which people can personally manage their data, choose to share it with others and have control over where it goes. For example, a NSTIC pilot that AAMVA is leading in Virginia, called the Cross Sector Digital Identity Initiative (CSDII), is allowing citizens to ask the DMV to assert certain validated attributes about themselves on their behalf to online service providers, enabling those providers to provide secure, privacy-enhancing online access to sensitive information like medical records.

DMVs are in a unique position. All jurisdictions are doing “identity proofing” when people come in person to apply for a driver’s license, validating key attributes about applicants. DMVs clearly have restrictions on sharing that information, but why does that preclude citizens from asking the DMV to assert this information on their behalf when they need to convince an online service provider that they really are who they claim to be? By putting citizens in charge of these requests, we turn the old model on its head.

Of course, when sharing that private data electronically, we are using privacy enhancing encryption to ensure maximum security and maximum privacy, which are both very important in that environment. We architected this program to build in privacy from the start.

With CSDII, Virginia has been a real pioneer in rethinking what is possible when it comes to what DMVs can do in the identity space. Historically, DMVs have had a limited view here, focusing on providing credentials to people so they can operate motor vehicles. If DMVs are willing to embrace the fact that they are in the identity business, they have a tremendous opportunity to provide user-centric identity services to citizens that help them do business online in a way that enhances security and privacy—and help service providers, including state governments, offer a number of new types of transactions online.