Issues and Options for IDESG Incorporation

September 26, 2013

As a founding member of the Identity Ecosystem Steering Group, MIT's delegates have contributed to the design of governance as well as technical and substantive policy making for this NSTIC initiative.  Today, the IDESG is considering how and when to incorporate in order to formalize the organization.

This page will include views and resources relevant to the discussion on legal entity formation and transition plans for the IDESG.  Among the topics under consideration:

1. The current proposal does not adequately respect the careful balance of individual and business interests proposed by NSTIC and reflected in the IDESG Rules of Association.  

a) Discussion:

The asserted approach and purpose for the IDESG was to construct a balanced, fair and therefore legitimate and suitable organization to establish an acceptable new deal on identity and break through the barriers preventing an economy- and society-wide bargain for national scale identity services.  The barriers to a government, banking, user-centered, social-networking or narrow stakeholder group successfully proposing and leading a wide-scale solution can be transcended by the multi-stakeholder model of the current RoA.  This is worth preserving, and is in fact the seminal purpose that fundraising, staff and other resources are supposed to be gathered to achieve.

By contrast, in the way currently proposed, the formation of a child corporation explicitly focused upon advancing the business interests of business members of the IDESG is unbalanced and appears to funnel government money and the support of Secretariat and IDESG resources to one of the constituencies of the Plenary at the direct expense of the interests of non-business members.  Remarkably, the constituency in the best position to advocate, lobby and organize for its own interests is the one being exclusively subsidized and then enshrined in a perpetual power position by the proposed plan.

Of course, the interests of business are extremely important, and insufficient focus upon and resources for business interests would be just as fatal to development of a nationally acceptable approach to identity as unbalanced overemphasis would be.  The organizing question to anchor this transition is: "How will the IDESG support and reflect the national strategy imperative that 'Individuals are the first priority' of NSTIC while also ensuring adequate resource priority to other stakeholders?" (see: http://www.nstic.us/?page_id=112#sec6list1item1)

The corporate capabilities must both i) advocate individual interests in privacy, identity-related civil liberties, meaningful rights to give or withhold consent and personal data ownership as well as ii) business interests in profit making, private property, self regulation and power aggregation.  It is very important to avoid unraveling the legitimate and validly articulated system for a balanced deliberative body reflected in the current IDESG.  It is necessary to pass forward to the next entity such a system, with its legitimacy and validity intact, if the next entity is going to successfully steer policy and standards for identity in a manner that can credibly form part of the basis for a new nationally acceptable approach to identity and personal data and that can earn the trust and reliance of all stakeholders sustainably over a long period of time.

b) Recommendation

The proposed incorporation plan should either:
i) Omit the 501c6 trade association at this time, at least in the way currently proposed, or
ii) Maintain the trade association but also include another corresponding not-for-profit, LLC, coop or Benefit Corporation with the purpose of serving the interests of individuals as the first priority of NSTIC and the IDESG, promoting user-experience and engagement, stakeholder outreach and involvement, advocacy for privacy, identity-related civil liberties, legal and marketplace interests, usability and quality of life enhancing identity services and other key interests of individuals.

2. The Current Process and Proposal do Not Adequately Support Openness, Participation and Transparency.

a) Discussion:

Evidently the process leading up to proposal of bylaws and articles and a transition plan has not respected or reflected the IDESG commitment to openness, participation and transparency.  These expectations should be honored going forward, such that any member individually, in groups and acting in the aggregate through the Plenary will have meaningful access to the development of a full transition plan, including development of revised proposed membership dues, drafting of replacement membership agreements, approach to asset transfer of IP and other things of value contributed to or accumulated by the IDESG during the current phase and other matters pertaining to transition planning.  Furthermore, these principles are absent as governing rules enshrined in the articles and/or bylaws.  These omissions are significant oversights and should be corrected.

b) Recommendation:

The conduct, processes and activities of the proposed corporation and also the Management Council and others involved in driving the transition process to formation and migration to legal entity status must explicitly ensure openness, opportunity for IDESG member participation and transparency.  Specifically, the IDESG leadership should describe a transition plan that reflects these needs and does not repeat the mistake of failing to share key draft legal entity proposal documents with those who have been asking and with the Plenary at large with time to socialize the content, propose alternatives and only then come to decision.

3. The proposed purposes of the corporations do not appear to sufficiently reflect the existing and intended purposes of the IDESG.  

a) Discussion of Current Proposed Language

i) Current Proposed 501c3 "parent" corporation:

* Articles

According to the proposed Articles, the purpose of the 501c3 "parent" corporation is as follows:

"Specifically, the Corporation is organized to improve security and privacy on the Internet by supporting the Identity Ecosystem Framework as defined in the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC). The Identity Ecosystem envisioned in the NSTIC is an online environment that will enable people to validate their identities securely, but with minimized disclosure of personal information when they are conducting transactions."

* Bylaws:

According to the draft bylaws, the purpose is as follows:

"the Corporation is organized to govern and administer the Identity Ecosystem Framework as further detailed and described in the organization’s Rules of Association as now existing or later amended."

b) Recommendation:

It is recommended that the purposes of the Articles and the Bylaws be revised with legal language focused on realization of the Identity Ecosystem Framework as per NSTIC and the RoA.  Optionally, if more context is necessary or desirable, then reference to all four of the guiding principles in their entirety would be appropriate to add (as opposed to calling out some of the principles or some of the facets of one of the principles).

c) Further Analysis

i) Half the Guiding Principles is Insufficient Scope of Purpose

The proposed draft chooses to focus on "security and privacy" as the scope of focus for achieving the Identity Ecosystem Framework.  Beyond "security and privacy" the Identity Ecosystem Framework is also intended to accord with and to accomplish the other two guiding principles.  

ii) Focus on Disclosure of Personal Information for Identity Validation is Insufficient Scope of Purpose

The current proposed language focuses on having individuals "validate their identities securely, but with minimized disclosure of personal information when they are conducting transactions" but these are incomplete and lead to anomalous results if used to define and constrain the legal purposes of the corporation according to the plain meaning of the words and sentences as they currently exist.  

By definition, "minimized" personal information disclosure still includes some amount, quantity, or degree of personal information disclosure.  Unfortunately, this choice of wording focusing on "validated" identity based on "disclosure of personal information"  ignores, mistakes or intentionally excludes the need to include within the scope of purpose important requirements for also preserving anonymity and use of pseudonyms.  

Ignored or rejected by the current draft formulation of purpose is the axiomatic promise that NSTIC intends to "protect individuals’ capacity to engage anonymously in cyberspace. Universal adoption of the FIPPs in the envisioned Identity Ecosystem will enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified — while providing robust privacy protections that promote usability and trust."   See: http://184.106.209.158/?page_id=112#sec3para6

The current language, stressing certain selected aspects while leaving others out, puts the focus on minimized disclosure of personal data, but some systems that can and will be certified as enabling anonymity and pseudonyms are intended to disclose no personal data by design and by lawful, valid agreement of the participants in transactions using such methods.  The open personal data stores demonstrated and discussed by Professor Sandy Pentland at the IDESG Plenary this July are excellent examples of existing methods for enabling zero personal information leakage by design.  Similarly, the solutions of IDESG member company WWPass demonstrate commercially available and industry grade security that preserves anonymity and use of pseudonyms by design.  The purpose of creating a national identity system that presumes sharing of personal data underemphasizes or omits the voluntary nature of the intended facets and the envisioned ecosystem of providers and solutions that allow for no personal data to be shared even while offerings like OpenID Connect based services are used effectively by individuals and governments or corporations, such as the innovative technical solutions being developed at the MIT Kerberos and Internet Trust consortium.

The decision to change the scope and purpose of the IDESG with respect to these matters should be directly discussed and agreed and not accomplished by mistaken or intentional drafting of legal documents alone.  The "privacy" and "identity-related civil liberties" arising from NSTIC and instantiated in the IDESG through our common agreement, committee scopes and the Rules of Association should not and need not be rendered apparently out of scope of the corporate purposes.  By revising the language as recommended to evenly and at a high level refer to the IEF and NSTIC, none of the (hopefully unintended) skew of scope and purpose results.