NIST: National ID is not part of 'identity ecosystem'

New website explains plans for Trusted Identities strategy and counters fears over ID requirements

A new website has been created by the National Institute of Standards and Technology to explain plans for a National Strategy for Trusted Identities in Cyberspace and to help quell fears that the government is creating a national Internet ID to track online activities.

“NSTIC does not advocate for a required form of identification,” the site’s FAQ says. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity). . . . This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”

Launching of the site follows last week’s announcement that a national program office for the national strategy will be set up in the Commerce Department. That office has not yet been formally established, but William Barker, chief of the NIST IT Laboratory’s Computer Security Division, has been named acting program manager.


Related coverage:

Internet ID system challenge: Balance security and privacy


Commerce Secretary Gary Locke announced the office Friday during a symposium at the Stanford Institute for Economic Policy Research, at which public- and private-sector officials discussed the need for a trusted system to support online transactions. The program office will:

  • Promote private sector involvement.
  • Build consensus on the necessary legal and policy frameworks to enhance privacy, free expression, and open markets.
  • Work with industry to identify new standards or collaboration that might be needed;
  • Support and coordinate interagency collaboration.
  • Assess progress in meeting the goals, objectives, and milestones of the strategy.
  • Promote pilot projects and other implementations.

NSTIC is part of broader effort to improve the nation’s cybersecurity posture and to help ensure the security of the growing online economic sector. During the symposium, White House Cybersecurity Coordinator Howard Schmidt sited $30.8 billion in online spending during the 2010 holiday season, a 13 percent increase over the previous year.

A draft strategy was released in July and the final version is expected to be released within a few months. The strategy does not define the technology to be used, but sets out four guiding principles:

  • The identity solutions must be secure and resilient.
  • They must be interoperable.
  • They will be voluntary.
  • They must cost-effective and user-friendly.

“We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are,” Schmidt wrote in a blog posting about NSTIC last week. “Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the ‘keys to the kingdom.’”

Because the identity ecosystem being envisioned would be voluntary and competitive, the cooperation of the private sector will be essential. Companies are expected to develop the credentials needed for the ecosystem, as well as the trust framework that would make them interoperable.

A major challenge in implementing NSTIC will be enabling technology in a way that is scalable and manageable both for end users and organizations. Schemes also must be easily adaptable to transactions requiring different levels of security and assurance. The requirements are to limit the amount of information used in a transaction to only that which is needed to secure that particular transaction, and to retain no more information than is necessary and for no longer than is necessary to ensure the privacy of the user.

There is some public concern that NSTIC is intended to be or will evolve into a national ID, at least for online identities, that could be used to track online activities. Locke addressed that concern in announcing the national program office.

“We are not talking about a national identity card,” he said. “We are not talking about a government system.”

NIST is taking pains on the website to assure that the proposed identity ecosystem would not be a national ID system. “The U.S. government will not mandate that people obtain an Identity Ecosystem credential,” the FAQ says.



About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Mar 11, 2011

Your papers, please, and remember, Big Brother IS watching!

Thu, Jan 20, 2011 Greg Reston

Look, I am no fan of the Obama administration, but NSTIC is actually a very good idea and one that would not allow the government to track online activities. In fact, it would be a system much much better than the current "cookie" based system that allows private companies to track you on the internet (see Wall Street Journal articles on "What Do They Know". There's an excellent whitepaper that Microsoft published on the concept years ago and many govt systems are already using this. http://msdn.microsoft.com/en-us/library/ms996422.aspx In fact, much of the technology to do this is already baked into Windows and Linux (not sure about Macs, but probably easy enough). Doing this is just another step in the development of the internet and that has turned out alright despite being a govt project.

Tue, Jan 18, 2011 Michael Rose

Only a noob gamer among internet users is under the slightest illusion that Govt is setting up this spynet for the benefit of We The People. It is a polite fiction (actually a downright LIE) that the People voted any Government type in to represent US. Government types are paid by the Federal Reserve and they obey FedRes demands without asking the stupid questions we mere mortals type Bernanke's avaricious Banksters want power, ca$h and full control of the WikiLeaking Internet. Watch your cyber back: don't give them your contact ID. We

Mon, Jan 17, 2011

The SSN was never supposed to be used as a source of identity either.

Thu, Jan 13, 2011

I don't see why we need this. In a few years ID theft will be so pervasive, we'll get used to it. Dealing with the charges and bad credit a few times a year will be the norm, and people won't really think anything negative about it anymore. Corporations will start taking care of it for us, and we'll be safe from the predatory government.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above