Forthcoming Identity Trust Strategies, Frameworks Should Use FIPP, Speakers Say.
As the Federal Trade Commission, the Department of Commerce and other agencies develop the National Strategy for Trusted Identities in Cyberspace (NSTIC) and other frameworks for keeping customer information and privacy secure online, the Department of Homeland Security’s Fair Information Practice Principles (FIPP) should be a major component, speakers said Friday at the Online Trust & Cybersecurity Forum at Georgetown University. The strategy isn’t a government solution, “it’s about enabling individuals to do things in a more secure fashion,” said Mike Garcia, a Homeland Security strategist on cybersecurity. Industries have different regulations, and the strategy aims to “bring all those into the same fold” and “into something that’s interoperable in which we can bridge those gaps of siloed sectors,” he said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The strategy will be user-centric because “individuals are not standing on the sidelines” while their information is exchanged, said Naomi Lefkovitz, an FTC attorney. Consumers should have a central role in which they “can easily and intuitively select and manage their credentials for both low- and high-assurance transactions."
The creators of the strategy plan to fully adopt fair information practices principles, Lefkovitz said. Incorporating the principles can help achieve a system “where we can interact anonymously and as a trusted identity while maintaining our privacy,” she said. Privacy “should revolve around FIPP” from Homeland Security, which transparency, purpose specification, use limitation and data minimization, said the Center for Democracy & Technology. Data minimization can mean telling a company to “take only what you need” and “then get rid of the data when you no longer want to use it,” said Justin Brookman, CDT senior fellow. The FTC should strengthen its version of FIPP, he added. The commission “should have a more robust framework for pushing U.S. policy forward.” Without new privacy legislation, the FTC should be more aggressive in pursuing privacy violations, Brookman added.
The FTC’s coming privacy framework proposal won’t give recommendations on legislation but instead present “what privacy really should look like,” FTC Associate Director Maneesha Mithal said. It’s being drafted with the idea that “consumers shouldn’t have to choose data security or accuracy.” A company “should build in certain protections at the outset and they should have processes in place,” like conducting privacy reviews before launching new products and services, she said. Consumer choice should be simplified and privacy notices should be put in a form “that is easily digestible,” Mithal said.
A report from the Commerce Department will try to “articulate a way to have it both ways,” said Marc Berejka, a senior adviser to the department for technology policy. It will try to offer “a subtle approach to increasing best practices in the privacy space,” without erecting regulations “that become an impediment to innovation.”