The Obama administration has come up with a proposal for both improving and simplifying identity protection for consumers using the Internet, computers, and mobile devices. The plan would greatly reduce the need for consumers to use and remember multiple passwords or fill out separate privacy forms for multiple online accounts.
The administration’s National Strategy for Trusted Identities in Cyberspace (NSTIC) seeks to better protect consumers from fraud and identity theft, enhance individual privacy, and foster economic growth by enabling industry both to move more business online and to create innovative services.
“By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation. That’s why this initiative is so important for our economy,” said President Barack Obama when the administration rolled out the plan last month. The final NSTIC plan was released after taking public comment on the proposal.
The concept of the NSTIC is simple. Consumers who want to participate in the program will be able to obtain a single credential — such as a unique piece of software on a smartphone, a smart card, or a token that generates a one-time digital password. Instead of having to remember dozens of passwords, the consumer can use the single credential to log into any website, with more security than passwords alone provide. Consumers will be able to use their credential to prove their identity when they’re carrying out sensitive transactions, like banking, and can stay anonymous when they are not.
Among several illustrations provided by the White House were these examples:
Consumer transactions: A consumer tired of memorizing dozens of password and username combinations to conduct personal online business opts instead to get a smart card from an Internet service provider. The consumer inserts the card into a personal computer. With just clicks of a mouse, the user is able to securely move between an online bank account, a mortgage company, and a doctor. At the same sitting, the consumer can move on to sending an authenticated email to a friend and remotely check an office calendar via a workplace intranet.
Small business platform: Without making large investments in technology, a small business owner wants customers to know he can provide the same safety and privacy for online transactions as larger companies. He installs standard software and agrees to follow the program’s “Identity Ecosystem” privacy and security requirements, earning a “trustmark” logo for his website. To reduce fraud, he needs to know that his customers’ credit cards or other payment mechanisms are valid and where to ship his merchandise. Several different ID providers can issue credentials that validate this information. Customers can now use his website without having to share extra personal information or even set up accounts with the small business. This saves customers time, increases their privacy and confidence, and saves the operator money.
Private Sector Role
A key element of the program is the use of a consumer “credential” to facilitate transactions. Under the proposal, a consumer would, in essence, volunteer to register with a private sector identity provider, such as a bank or a telecom services company, which would securely hold personal information such as a Social Security number and other personal data, much of it of a demographic nature.
The identity provider would then issue a credential that could be used during an online transaction. The credential would serve to vouch for the consumer’s identity and financial ability to conclude the transaction. However, the process would not result in disclosure of the consumer’s actual personal identity. In essence, the process provides consumer verification without identification. In some circumstances, consumers could choose to release identification as well.
“A major positive factor in this initiative is the administration’s commitment to using privacy enhancing technologies in online applications,” John Verdi, senior counsel at the Electronic Privacy Information Center (EPIC), told the E-Commerce Times. “The advantage of the administration’s proposal is that it provides for protection of a person’s identity while creating a credential that can be used for transactions.”
While the concept is simple in concept for the consumer, implementation will be a challenge. The administration concedes that it would take a minimum of three years to launch an effective program and close to 10 years to achieve a totally mature system.
According to the plan, the private sector would be responsible for implementation, while the federal government would provide support and coordination services.
“The policy calls for a plurality of competing providers of identity services, rather than for a single government-run identity service. We strongly support this aspect of the plan because it provides the benefits of competition and the incentive for innovation,” Mark MacCarthy, vice president for public policy at the Software and Information Industry Association (SIIA), told the E-Commerce Times.
“The NSTIC report also properly identifies the range of issues that need to be resolved before these identity services can flourish. But it doesn’t just leave it at that — it creates a process of workshops where industry, government, civil society and academics can discuss these issues and come to a consensus on how to address them,” he said.
“SIIA has advocated for a strong private sector role, and we believe the policy strikes the right balance. It provides for a leading role by private sector suppliers of identity services, but reserves the option of making changes in law and policy to remove obstacles that might prevent the full development of these services,” MacCarthy added.
One element that needs fine tuning, noted MacCarthy, is the issue of allocating liability when something goes wrong in the provision of identity services.
“The proposal does not fully address this problem, though I expect it will be fleshed out in the coming workshops,” he said.
The Obama administration plans to put substantial resources into supporting the initiative. The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) will have a key role in administering the NSTIC National Program Office. The administration has requested US$24.5 million in the pending 2012 budget for the program, with $7-million allocated for the program office and $17.5 million for multiple NSTIC pilot projects.
“In the meantime, we are ramping up activities this year to prepare for full implementation of the NPO and jumpstarting NSTIC implementation activities,” Jeremy Grant, senior executive advisor for identity management at NIST, told the E-Commerce Times.
NIST has appointed Grant to lead the initiative. “Our immediate priority is to fully engage partners to realize and implement the NSTIC vision. We are currently focused on extensive outreach to stakeholders in both the public and private sectors,” he said. Three stakeholder workshops are planned for later this year.
Big Brother Issue
The question of government involvement in any sort of identity system usually raises the question of an overly intrusive government presence. The NSTIC program is designed to limit the role of government in the process.
“From every conversation I’ve had with the White House team, they’re simply trying to set the voluntary ground rules of an identity ecosystem that will allow the creation of a safer online experience, without a heavy handed ‘big brother’ approach,” Michael Barrett, PayPal’s chief information security officer, said on the company’s official blog site.
“We intend to directly support the NSTIC, which we expect will result in many new benefits to our customers, perhaps the most immediate benefit being the use of PayPal and eBay identities within the e-government context. We think this will help all of our customers,” Barrett said, “and we look forward to seeing the development of the NSTIC and the emerging identity ecosystem.”