The IT Law Wiki


The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities.


The Identity Ecosystem enables:


Ecosystem components[]

The Identity Ecosystem is composed of three layers:

  • Execution layer – conducts transactions in accordance with the rules of the Identity Ecosystem.
  • Management layer – applies and enforces the rules for participants in the Identity Ecosystem.
  • Governance layer – Establishes the rules required to function within the Identity Ecosystem.

The layers of the Identity Ecosystem identify the participants, policies, processes, and technologies required to provide trusted identification, authentication, and authorization across diverse transaction types.

Listed below are the various participants in the Identity Ecosystem. It is important to note that a single organization need not fill each discrete role; rather, it is possible that an organization provides services that cross multiple roles.

Privacy protection and voluntary participation[]

Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other personally identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity. The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques. Finally, participation in the Identity Ecosystem should be voluntary for both organizations and individuals.

Identity solutions should preserve the positive privacy benefits of offline transactions, while mitigating some of the negative privacy aspects. The eight Fair Information Practice Principles (FIPPs) — Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing — are the widely accepted framework for evaluating and mitigating privacy impacts.

Universal and integrated adoption of the FIPPs in the Identity Ecosystem should enable individuals to understand and make meaningful choices about the use of their personal information in cyberspace. Adoption of the FIPPs should also ensure that organizations limit data collection, only use and distribute personal information that is relevant and necessary, maintain appropriate safeguards on that information, and are responsive and accountable to individuals’ privacy expectations. Fully integrating all of the FIPPs into the Identity Ecosystem will be the key to achieving trusted identities in cyberspace that are truly privacy-enhancing.


Another pillar of the Identity Ecosystem is interoperability. The Identity Ecosystem leverages strong and interoperable technologies and processes to enable the appropriate level of trust across participants. Interoperability supports identity portability and enables service providers within the Identity Ecosystem to accept a variety of credential and identification media types. The Identity Ecosystem does not rely on the government to be the sole identity provider. Instead, interoperability enables a variety of public and private sector identity providers to participate in the Identity Ecosystem.


Interoperability and privacy protection combine to create a user-centric Identity Ecosystem. User-centricity will allow individuals to select the interoperable credential appropriate for the transaction. Through the creation and adoption of privacy-enhancing policies and standards, individuals will have the ability to transmit no more than the amount of information necessary for the transaction, unless they choose otherwise.

In addition, such standards will inhibit the linking of an individual’s transactions and credential use by service providers. Individuals will have more confidence that they exchange information with the appropriate parties, securely transmit that information, and have the information protected in accordance with privacy best practices.


See also[]