Getting users into identity governance

May 2, 2012

The Internet Identity Workshop, founded around the notion of “user-centric” Internet identity, is being held this week in Mountain View, CA. However, the discussion over how users might actually influence Internet identity governance shifted east this week with the release by the Department of Commerce’s National Program Office (NPO) of a “discussion draft” of Identity Ecosystem Steering Group (IESG) By-laws. The IESG is a governance structure proposed by the DoC as part of the USG’s National Strategy for Trusted Identities in Cyberspace. The draft By-laws follow the DoC’s Governance Recommendations for the IESG released in March. According to the NPO,

Unlike the previous document – which represented the government’s formal recommendations – these draft By-laws are simply that, a draft. They were produced by our office solely to catalyze discussions among NSTIC stakeholders and, we hope, accelerate the work of the Identity Ecosystem Steering Group when it formally convenes in the months ahead.

One can only speculate about where some of the ideas for the draft by-laws actually came from. A dozen proposals to provide the Secretariat function for the IESG were recently submitted by organizations which might want to influence how it governs. (Disclosure: an organization with which I’m affiliated participated in developing one proposal.) Others have also indicated their interest in shaping the IESG. For example, the Open Identity Exchange, which is an association for Internet identity industry players (e.g., AT&T, Google, PayPal, Verizon, Experian, etc.), indicated its Advisory Board would produce a set of draft governing documents for the community to vet. It released comments today which raise many good questions pertaining to the IESG’s actual purpose, how it functions, and its corporate structure.

For those not following the development of NSTIC closely, the DoC proposed an IESG structure largely consistent with earlier comments submitted by Open Identity Exchange and others. These comments suggested a structure similar to another industry effort, the Smart Grid Interoperability Panel. In the IESG, a multistakeholder Membership participates in a Plenary Body with various Standing Committees and Working Groups. The Plenary makes specific “policy and standards” recommendations either by consensus or voting to a Management Council, which provides organizational oversight and ratifies recommendations. Leadership of the Plenary is derived from the Membership, while the Management Council is elected by the Membership from a slate of candidates provided by a Nominating Committee. The by-laws attempt to flesh out this structure with some details about roles, participation and decision making in a consensus driven, multistakeholder governance institution. While the draft represents a helpful first attempt, there are some fundamental issues with which the community still needs to grapple. In this post, I’ll tackle one issue – revolving around public involvement.

The NSTIC promotes a vision of multistakeholder identity governance incorporating academia, industry, standards organizations, government and civil society. While “multistakeholderism” is in vogue with the USG for describing Internet governance institutions, it is critical to understand the political science behind it. For instance, the practical and organizational challenges associated with reflecting the interests of large numbers of people with small stakes in an outcome are well known from collective action and institutional theory (Olson 1965; Ostrom and Ostrom 1975). The logic of collective action will hold true for the IESG. Average users, who compose civil society and whose stake in identity governance is small, are unlikely to have a strong enough incentive to devote the time it takes to become regularly involved in a complex, multi-tiered governance structure. On the other hand, more concentrated interests, like businesses and governments, stand to benefit substantially from Internet identity governance, and therefore will devote the resources to participate and influence outcomes.

As it stands, the IESG’s governing documents do not really confront this problem and perhaps make it worse. While 14 different stakeholder groups are identified (including one for “unaffiliated individuals”), two classes of membership are proposed: observing (non-voting) and participating (voting). The bar for being a participating voting member is having your attendance recorded at meetings (either in-person or virtually). However, even that bar may be too high for average users. There is a risk that average users will be disenfranchised.

One answer is direct election by users of some or all of the Management Council. Elections provide a low-cost way for users to exercise input. One thing going in IESG’s favor is that “users” are clearly defined – they are individuals who use the trusted online identities governed by the IESG. This makes implementing an election relatively straightforward for the Secretariat and helps ensure that those setting policy and standards in the IESG remain attuned to the public interest. In this regard, it makes debate over one issue identified in Open Identity Exchange’s recent comments – corporate structure – incredibly important. Whatever structure is chosen must support a Membership that includes enfranchised users.

Another, less obvious answer is not to focus so much on participation. Rather, the governing documents should ensure there are strong forms of accountability in place. This makes theoretical as well as practical sense, and has been observed in other Internet governance institutions like ICANN (Internet Governance Project 2009). A lightweight governance structure like the proposed IESG cannot expend substantial resources on “outreach” efforts to increase participation. Instead, robust accountability mechanisms incorporated into the governing documents can be exercised when decisions are taken that are contrary to the public interest. Examples might include an independent review process to challenge specific decisions taken by the Management Council or, in more serious cases, recall mechanisms for the Management Council or Nominating Committee.

Needless to say, such answers might be less than palatable to organizations not used to multistakeholder Internet governance.

