Individuals and organizations have different requirements for trusted identity validation

A closer look at the structure of the administration’s newly released National Strategy for Trusted Identities in
Cyberspace (NSTIC) makes clear that while the “identity ecosystem” envisioned in the Strategy offers anticipated benefits for both individual citizens and government and commercial entities, the nature of those benefits are very different, and these differences reflect different implied requirements for trust in online interactions. When the parties to an online transaction are an individual and an organizational entity, “trust” means something different for an organizational entity as the truster and an individual as trustee than it does for an individual as truster and organizational entity as trustee. These differences in the basis by which each party considers the other to be trustworthy (or at least trustworthy enough to conduct a transaction or other interaction) derive from the distinct interests each party has in the relationship, the information each needs to develop trust in the other, the risk each party faces by deciding to act on that trust.

This simple analysis adopts a definition of trust as a willingness to take risk (the risk in this case comes from one party making themselves vulnerable to the actions of another based on the expectation that the other party will behave in the way desired by the trusting party), following Mayer, Davis, and Schoorman (1995) and many other scholars (Johnson-George & Swap, 1982; Luhmann; 1988; Gambetta, 1988). Context is also essential, where trust is a three-part concept, involving a truster, a trustee, and a purpose or scope to which the relationship applies — party A trusts party B to do X (Baier, 1986; Hardin, 1993).

The primary benefits for an individual participant in the identity ecosystem are the reduction in the number of separate online credentials (such as usernames and passwords) that must be created, maintained, and recalled when needed, and greater control over personal information disclosure, resulting in enhanced privacy by limiting the information disclosed in any given interaction to the specific set of attributes the product or service providing entity requires. In theory, the governance plan for the identity ecosystem could also give individuals more confidence (via the “trustmark” issued to accredited entities) that they are interacting with the actual entities they intend, but in general this assurance will be limited to the identity of the entity, and the extent to which that entity can be trusted by the individual may depend as much or more on prior experience, existing relationship dynamics, or knowledge developed out-of-band. To the extent that the organizational entities are service providers such as government agencies, financial institutions, health care providers, or e-commerce businesses, individuals may be seeking little more information than identity verification and, perhaps, privacy policies, terms of service, or other assertions about how their personal information will be handled.

In contrast, the sorts of organizational entities most likely to participate in the identity ecosystem are likely to be most concerned with verifying the identity of individuals requesting services or engaging in online transactions, as user authentication (with appropriate identity proofing) is often all that is required to make authorization decisions. Representative government scenarios fitting this description would include enrollment in entitlement programs and receipt of benefits associated with those programs; submission of legally required information such as tax returns; renewal of personal or business licenses; or provision of services or products offered to citizens — anything from campsite reservations in federal parks to Treasury bills. In terms of authorization decisions — such as whether the individual identified and authenticated in a transaction is actually eligible to receive the information or product or service being offered by the government — depending on the nature of the transaction the entity may request a set of information (attributes) as part of the request that can be used to authorize the transaction, or may cross-reference the identity information presented by the requested with additional attributes maintained by the organization itself or by a third party. For example, when a U.S. citizen enrolls in Medicare, the government requests the individual’s social security number as part of the application process, and then validates the SSN with the Social Security Administration, not only to make sure the number itself is valid, but also to retrieve attributes such as the individual’s date of birth and citizenship, both of which are needed to determine eligibility for Medicare, to validate the information submitted by the applicant.

For commercial service providers, proof of identity is also commonly a sufficient basis to complete a transaction, whether that transaction involves access to information about an individual such as an insurance explanation of benefits or the purchase of a product from an online e-commerce site. Note that in the case of e-commerce, the vendor is typically concerned with authenticating customers only insofar as is necessary to make the vendor reasonable confident that the payment commitment from the customer is valid and not fraudulent. An e-commerce vendor rarely makes any independent assessment of the trustworthiness of a customer, instead relying on third parties such as credit card issuers to validate the attributes asserted by the customer. The reasoning here is simple — the e-commerce vendor’s primary interest is being paid for the products or services it provides, so the claims it requires from customers in order to complete a transaction are those associated with verifying that payment will be received. Where the direction of the information flow is reversed — that is, when individuals are providing personal information to organizational entities, whether in public or private sector contexts — there may be a greater need to establish the trustworthiness of the vendor, at least in terms of what safeguards, policies, and commitments the entity has in place relating to securing and protecting the privacy of information disclosed to them. To engender the sort of trust needed to support these types of interactions, the standards by which entities are accredited under the NSTIC framework will need to include information that allows individuals to make a determination of the entities’ trustworthiness, especially for entities with which the individuals have no prior relationship. This may be somewhat easier to achieve in the public sector context, since in many cases there is only one agency or organization able (or authorized) to provide the product or service in question. In contexts where information sharing or disclosure is an anticipated outcome — such as health care — individuals can and should require a higher threshold for the trustworthiness of organizations to which they provide information.

References:

Baier, A. (1986). Trust and antitrust. Ethics, 96(2), 231-260.

Gambetta, D. (1988). Can we trust trust? In D. Gambetta (Ed.), Trust: Making and breaking cooperative relations (pp. 213-237). Oxford, England: Basil Blackwell.

Hardin, R. (1993). The street-level epistemology of trust. Politics & Society, 21(4), 505-529.

Johnson-George, C., & Swap, W. C. (1982). Measurement of specific interpersonal trust: Construction and validation of a scale to assess trust in a specific other. Journal of Personality and Social Psychology, 43(6), 1306-1317.

Luhmann, N. (1988). Familiarity, confidence, trust: Problems and alternatives. In D. Gambetta (Ed.), Trust: Making and breaking cooperative relations (pp. 94-107). Oxford, England: Basil Blackwell.

Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of organizational trust. The Academy of Management Review, 20(3), 709-734.