Privacy and Identity: The Next Frontier for the CIOs
Over the last decade Chief Information Officers (CIOs) have been preoccupied with issues of service management, cost containment, governance and decision-making. Security emerged recently as a topic of strategic interest, and many articles have been written about the imperative for CIOs to provide thought leadership on this topic. As important as these issues are, and as much as any central IT organization has to master them, CIOs need to move beyond them and get a seat at the table on the other important technology issues closely related to security: privacy and identity. That requires us to move beyond the more reactive service provider role to a proactive policy and strategy role.
Prior to the computer revolution, many of us would have considered tracking and reporting on someone’s behavior Orwellian. If someone followed you with a pencil and a notepad and tracked what you did, it would have been considered intrusive. Today computers quietly and unassumingly automate the tedious work of following someone and allow people to glean insight about individuals or groups of individuals from their online behavior.
There are compelling cases for tracking, such as searching for missing students by analyzing network logs for connections of their wireless devices and looking at log-in information. There are institutional risk management reasons, such as deploying various content filtering software to analyze traffic and search for sensitive information. There are data analytics algorithms to aid prediction of student success and more. Yet each of these cases has a boundary that requires careful consideration and knowledge.
The fact that we can follow someone does not mean that we should. But at the same time, a queasy feeling should not deter us from preparing for future capabilities that may be acceptable, even expected, as society evolves. In each of these cases there is the capability of the technology, and there is the work of mapping it to what is right for the institution, the community and its culture at this time. CIOs need to step out of the role of the technology provider with focus on service level agreements and help shape institutional policy and its ongoing evolution.
It will become imperative for CIOs to speak on behalf of the institutional role in protecting privacy. This institutional role will need to be balanced with the desire, expectation and increasingly the actual technical ability of all of us to have an individual choice about what is revealed about us. Social media pioneered the ability for people to be selective about who gets to see their information, but the need for monetization of free services has eclipsed the original goals. More and more institutions will need to embrace individual choice and set the context for that choice.
Over time CIOs will need to become as knowledgeable about this complex topic as they currently are about the security topic. This will mean following the emerging work on individual privacy enablement such as the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative. The good news is that our consortia such as Internet2 (and its subsidiary, InCommon Federation) continue to lead in this space and coordinate with their international counterparts. The Internet2 Trust and Identity in Higher Education (TIER) effort is currently working on how to better involve CIOs in a space that has historically been too esoteric, and how to better advise CIOs so they can inform the best path for the campuses they represent.
We are rapidly moving from a place where institutions provisioned “identities” (accounts) to provide access to resources to a society where individuals have their own online identities that persist from one institution to another. As anyone who has ever moved between institutions and continued an active collaboration on a project will attest, having your access tied to an employer rather than your work on a specific project is not easy. Yet the very concept of a persistent identity is still quite revolutionary. Most campuses correctly seek to cut your access as soon as you leave in order to protect the security of campus systems. This leaves researchers and other national collaborators in an odd quandary: use a personal account from the get-go (in effect severing the institution from these collaborations) or realize that migrating access will be a multi-month effort to move credentials.
Sometimes you get lucky like I did going from the University of Chicago to Rice University. Both schools have effective Identity Management (IdM) teams that use federated identity tools that allow the release of attributes to research and education services (also known as InCommon R&S), making this easier. Also, all of my resources were part of InCommon Federation. However, had I gone to an institution that does not allow the attribute release and does not have an effective substitute, the only option might have been OpenID or the new service that InCommon will provide provisionally called “IdP of Last Resort.”
Emerging efforts such as Trust and Identity in Higher Education and Research (TIER) aim at providing tools to help manage some of these complex issues. TIER encompasses not only the substantial community investment in web single sign-on tools (Shibboleth), group management tools (Grouper) and identity registry work, but also identity federation work under InCommon Federation. About 50 CIOs across the country are involved in spearheading and shaping the effort, with Internet2 managing its delivery.
As time progresses, we as CIOs will increasingly have to navigate institutional needs to manage access to institutional resources, researchers’ needs to have persistent sets of credentials that allow them to continue their work across institutions, and individual desires to have a say about what is revealed about them on their behalf. CIOs will have to negotiate a complex space between historic institutional control-based approaches (“We create and own your online identity”) and individual-empowering methods (“You own your online identity and we enhance it by managing access, privileges and rights”).