What NIST Is Hoping To Get Out Of Its Privacy Grant Program
By Sam Pfeifle
Last week, the U.S. National Institute of Standards and Technology (NIST) released news of some $7 million in grant money headed toward five start-ups, all with a privacy or cybersecurity bent. The money is meant to support the National Strategy for Trusted Identities in Cyberspace (NSTIC), which envisions an “Identity Ecosystem” that allows for a cyber-commerce experience that is as safe as the brick-and-mortar commerce experience, with movement beyond the simple username-password operation.
The firms receiving the grant money could all contribute in some way to an idea of an online marketplace that is more safe and trustworthy for the average consumer, with emphasis placed on “privacy, convenience, efficiency, ease-of-use, security, confidence, innovation and choice.”
NIST wants to “help make things happen that might not otherwise be happening in the market,” said Naomi Lefkovitz, who is senior privacy advisory at NIST and a member of the NSTIC team, which is part of the Information Technology Lab. The hope is that the funds will jumpstart this Identity Ecosystem with companies that are paying attention to the Fair Information Practice Principles (FIPPs,) and NIST team members like Lefkovitz will monitor the pilot projects along the way to make sure the companies can do what they’re trying to do without compromising privacy.
This is the second year of grants, she said, and “One thing that we found is that these pilots are a really excellent resource for raising up issues that we weren’t aware of, particularly around the privacy engineering area.”
For example, Lefkovitz said, “We might learn that, well, they had all the best intentions for making sure they only took data points that were necessary to the transaction, but then they discovered that the way the software was working, that they’re pulling all of (a consumer’s data), and so the pilot principle has to make a decision: Either get rid of these attributes to comply with the data minimization or don’t make the transaction. It wasn’t that they didn’t want to do it; it’s more that the software wasn’t allowing it. That’s very valuable information to know. Now we—meaning we as a society—have a problem that we need to fix. We need to address the issue if we want to be true to these kinds of principles.
“We learn a lot about the way that technology can make it difficult to implement privacy polices and where we need to fix things.”
Because the resultant fix is part of the NIST grant program, that gained knowledge can be shared throughout the Identity Ecosystem.
“We’re looking to see that they’re honoring the FIPPs and implementing the FIPPs,” Lefkovitz said, “and to the extent that they said that they’re going to use either a policy or technical measures to do that, then that’s what we’re looking for, to see how they’re doing that.”
Opportunities To Participate
In fact, the NSTIC program has more opportunities for information sharing, and they’re looking for help.
The Identity Ecosystem Steering Group (IDESG) has just celebrated its first anniversary and will convene its next plenary session in January. Comprising industry groups, consumer groups, consultants—a total of roughly 300 members—the IDESG is definitely on the lookout for more privacy pros, Lefkovitz said.
Trusted Federal Systems won the grant to be the convener and forum for the group, which is meant to operate outside of government control but with NIST support. Like many bodies throughout the world, they’re looking at standards and best practices for privacy and cybersecurity, and there’s a separate privacy committee “whose function is to manage and promote alignment with the privacy guiding principles,” Lefkovitz said. They’ve already created a privacy evaluation methodology, and that’s been helpful in identifying privacy risks in the pilot program. Next up is developing requirements for what might constitute a trust mark for privacy.
Currently, there are about 40 members of the privacy committee, but Lefkovitz said it’s a little light on CPOs, so she’s eager for more help from that quarter. To get involved, drop her an e-mail or visit the IDESG web site.
Like the work of many other multi-stakeholder groups, any output from the IDESG will be strictly voluntary for adoption. “The strategy,” said Lefkovitz, “was that the government would be a facilitator, but it was on the privacy sector to lead and implement.”
The result thus far, she said, has been a group “where professionals can share information and learn best practices. Really, this is less an organization about general compliance and laws and more about focusing on implementation and privacy engineering.”