A group called the Open Identity Exchange officially launched this week to support government guidelines for online privacy and security and undergo certification to assure compliance. Founding members include Google, Equifax, PayPal and Verizon, among others.
According to OIX chairman Dan Thibeau, the organisation was created to show support by the private sector for standards from the US government's Identity, Credential and Access Management (ICAM) Subcommittee of the Information Security and Identity Management Committee established in September 2008 by the Federal CIO Council. ICAM, co-chaired by the General Services Administration and the Department of Defence, is composed of chief privacy officers within the federal government who have agreed on a set of privacy and security policies and technologies related to online interactions with citizens.
The federal government's CIO Vivek Kundra "reached out to private industry on this," Thibeau says, noting Kundra encouraged the formation of OIX as a way to get online service providers on board with the federal government's vision for privacy and security of information related to individuals' email and web interactions.
Thibeau says federal civilian agencies, in particular, want to be able to expand electronic exchanges with citizens under the ICAM-envisioned authentication framework. The initial focus of the OIX effort is related to the simplest, and acknowledged lowest, level of assurance that pertains to privacy issues in interactions such as OpenID-based email that citizens might use with federal agencies.
The privacy issue at stake is that federal agencies, when interacting with citizens online, do not want email or web usage information about individuals to be sold to a third party, nor should that email information be used to advertise to the person, Thibeau says. The membership of the OIX formally agrees to those restrictions, what Thibeau calls "rules and tools", and in addition, OIX members agree to undergo an audit to ensure compliance.
Exact aspects of that are still in review, but OIX anticipates it will publish a list of accredited auditors for this purpose, and it will be up to the OIX members to pay for this process.