scope:

The Trusted Information Exchange (TIE) document is a functional description of the service. Later work will provide detailed system interaction and flows. This document:

1. Defines the purpose of the TIE;

2. Describes service enablers required for implementation;

3. Highlights the source of the rules to be included; and

4. Identifies gaps that must be closed for implementation.

Much existing work has already been completed on this topic. These components will be identified and included as appropriate. Specific examples and references are included in the Informative and Normative References.

Purpose

Cloud and Web Services use significantly more personal information than the PSTN. Frequently, this information is shared across providers and there can be unintended consequences when the 3^rd party stores and then repurposes the information. In many cases, this information becomes more valuable as it is collected from multiple sources and correlated (e.g., your address book to your friend's address book). Limited industry and government privacy rules exist in the sharing and management of this information, and some start-up companies and major web players are already exploiting the raw and correlated end user information for commercial purposes.

The scope of this problem has become public with cases such as Path.com. This is illustrated in Figure 1: Current Environment. With Path.com, user address book access was requested for legitimate purposes, but the scope and use of the information accessed greatly exceeded the intended purpose. Complete user address books were downloaded and kept for an extended period of time without the knowledge or consent of the user. This inventory of address books was then correlated to generate insights into the social networks of the users.

Cloud service providers must find the right balance between enabling the delivery of new services and protecting users' privacy in the process. Building blocks such as video, VoLTE, VoIP, and WebRTC are integrated into aggregated services such as telepresence and social networks. There is also an emerging set of information-rich services associated with M2M and cloud such as eHealth, telematics, and logistics. In these heterogeneous services, service providers must do more than achieve protocol interoperability. They must achieve interoperability of the service experience. This requires sharing more user information, but the information must be shared in a protected way.

This document was created at the request of the ATIS Board of Directors to illustrate an achievable solution that builds on existing industry work to strike the balance between usability and privacy. The ATIS Board wanted to take a leadership position by proposing a trusted information exchange with strong controls before the federal government intervenes due to privacy and security concerns. The solution identifies existing mechanisms developed, or in progress, in the industry for applicability to this problem. The end goal is to deliver information exchange services that are useful to the service provider while providing the attribute owner (e.g., user) a transparent and understandable consent mechanism.