Internet ID system challenge: Balance security and privacy

Commerce to lead national strategy for identity management, but private sector must build it

A national program management office will be set up in the Commerce Department to oversee development and implementation of a secure “identity ecosystem” that will be outlined in a National Strategy for Trusted Identities in Cyberspace, the Obama administration announced Friday.

Commerce Secretary Gary Locke made the announcement during a symposium at the Stanford Institute for Economic Policy Research at which the groundwork was laid for the public- and private-sector partnership that will be needed for the initiative.

Locke said there were an estimated $41 billion worth of online consumer transactions in the third quarter of 2010, up 14 percent from the previous year. But despite its growing importance to the national economy, “the Internet still faces something of a trust issue,” he said. Online fraud and crime are growing, and identity management schemes to protect privacy and secure online transactions often are unwieldy and inadequate.


Related stories:

National strategy for identity management nearly done

ID management's weakness: Few want to use it


The administration is addressing this issue in the National Strategy, the final version of which will be released “in the coming months,” Locke said. The strategy will outline a system for online identity management that will be voluntary, competitive and diverse.

But the government faces trust issues of its own, said James Dempsey, the Center for Democracy and Technology’s vice president for public policy.

“The government cannot create that identity infrastructure,” Dempsey said at the symposium. “If it tried to, it wouldn’t be trusted.”

Government and industry officials and privacy advocates agreed that while government leadership is needed for creating a trusted identity ecosystem to support online activities, it will be the private sector that must develop and adopt it.

The online world has been recognized by the Obama administration as critical to U.S. security and economic well-being, and the National Strategy for Trusted Identities in Cyberspace is part of a broader effort to improve the nation’s cybersecurity posture. A draft strategy released in June, calls for an interoperable, voluntary scheme for identity verification that enhances both the security and privacy of online transactions. The strategy does not define the technology to be used but sets out four guiding principles:

  • The identity solutions must be secure and resilient.
  • They must be interoperable.
  • They will be voluntary.
  • They must be cost-effective and user-friendly.

The first action called for in the draft was to “designate a federal agency to lead the public-/private-sector efforts,” which was done with the announcement that Commerce would house the program management office.

Although the strategy is not likely to specify what the forms of trusted identity will be, Locke was clear about what it would not be.

“We are not talking about a national identity card,” he said. “We are not talking about a government system.”

The identity ecosystem most likely would be built on existing technologies that include digital certificates, tokens and other identity schemes such as passwords, coupled with a trust framework that would allow sharing of credentials across domains.

The challenge will be in implementing the technology in a way that is scalable and manageable both for end users and organizations. Schemes also must be easily adaptable to transactions requiring different levels of security and assurance. The requirements are to limit the amount of information used in a transaction to only that which is needed to secure that particular transaction and to retain no more information than is necessary and for no longer than is necessary to ensure the privacy of the user.

No single set of credentials or form factor will be required or would be adequate in themselves, said White House Cybersecurity Coordinator Howard Schmidt. Users would be able to choose which, if any, forms of ID to use for an online activity. Secure, interoperable ID is not the final answer to online security, Schmidt said.

“This is not a panacea; this is one small piece of everything we’re looking at,” he said.

Schmidt emphasized that the private sector must lead implementation of the strategy but that the private sector has acknowledged the need for government leadership because of the lack of security in the current online environment.

“We’ve created an environment in which there is a low risk and high reward for criminals” and for terrorists, said Dave DeWalt, CEO of McAfee. “We’ve seen an exponential increase in malware and the amount of crime.”

Although he warned against government regulation of consumer identity, Dempsey said one area in which congressional action would help is passage of a federal consumer privacy bill that would establish baseline protections, such as those in the European Community.

“That has to be part of the picture,” he said. “It should be addressed legislatively.”

 

Reader Comments

Wed, Jan 12, 2011 WOR

Hey steve -- Quite funny, "required to carry the card", when there is no such physical object! Or, um, pathetic if you were being serious there...

Wed, Jan 12, 2011 steve los angeles

PREDICTIONS: * Over the next few years, they will promote the Internet ID as a "good thing" that will benefit society and reduce "terrorism". * They will start small ("it's only for credit card processing") and then start spreading like a disease so slowly that the changes to the bill go unnoticed. * The government branch will be among the first required to carry the card. Then they will slowly fade in the executive branch, the business class, schools and then everyone else. * They will put pressure on business to update their websites to require Internet ID's. * European students will fight the bill more than the Americans who will all be brainwashed into wanting their own slavery so bad that they will pay for it. ("MOM, CAN I HAVE $50 FOR AN INTERNET ID?") * The Internet ID will not be free. Your yearly subscriptions will cover all the governments costs of spamming and mass advertising campaigns as well as maintenance and storage of your personal data.

Tue, Jan 11, 2011 Brock Meeks

Let's get this over right away: The Obama Administration is not planning to create a government ID for the Internet. And let's get this straight too, CDT's Jim Dempsey IS NOT criticizing the government's plan. Just the opposite; it always helps to actually use a quote in context, but that's NOT what happened with Dempsey's quote in the story above. Dempsey and CDT have a public record of supporting the Administration for promoting improvements in online identity without creating a centralized or government-managed system. Here's the whole scoop: http://www.cdt.org/blogs/jim-dempsey/new-urban-myth-internet-id-scare Brock Meeks, CDT Dir. of Communications

Tue, Jan 11, 2011 WOR

I'm trying to figure out what some of the commentators are quacking about, but they've lost me. I have to conclude they're perhaps just talk-radio followers.

Tue, Jan 11, 2011 Jeffrey A. Williams

NSTIC is not full-proof and never will be. Most important is securitng the actual data and than the networks and doing those two things does not require a Internet ID as being considered. Without privacy there is no security on any network. PKI is great as far as it goes and/or can go, but it has it's own security and particularly privacy holes as well.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above