Thursday, April 21, 2011

White House unveils strategy for online ID credentials

By Kent Hoover, ACBJ Washington Bureau Chief

The White House released its strategy for developing an “identity ecosystem” on the Internet, where individuals could use a single credential to prove who they are instead of remembering multiple passwords.

The National Strategy for Trusted Identities in Cyberspace promises to make Internet transactions more convenient and secure. Services that are now too sensitive to be conducted online – such as signing mortgage documents – could move to the Internet. Consumers could choose from a variety of innovative identity credentialing services. Small businesses could avoid the cost of building their own log-in systems for e-commerce.

That’s the vision, anyway. Some privacy advocates, however, fear that online identity credentials could increase identity theft if they aren’t implemented with strong enough privacy protections.

Under the strategy, the National Institutes of Standards and Technology will work with the private sector and consumer advocates to develop standards for voluntary online identity credentials. Companies that meet those standards would then offer a variety of accredited identity credential options to Internet users — a smart card, a unique piece of software on a smart phone or a token that generates a one-time digital password, for example. Users could then use this credential to conduct transactions on any website.
Internet users who are just browsing or posting comments online could remain anonymous.

The government’s role in developing online identity credentials will primarily be that of facilitator. NIST will hold three workshops, beginning in June, on issues such as standards for identity credentials, how the accreditation process for these credentials should work and privacy safeguards. It also will launch pilot programs to test some of the concepts developed by a steering group that will be led by the private sector.

“Working together, innovators, industry, consumer advocates and the government can develop standards so that the marketplace can provide more secure online credentials – while protecting privacy – for consumers who want them,” said Commerce Secretary Gary Locke.

He expects this effort “will jump-start a range of private-sector initiatives to enhance the security of online transactions.”

Wave Systems Corp., a data protection company based in Lee, welcomed the initiative. Its solutions use security capabilities already built in computer hardware.

“More than 400 million PCs today have built-in hardware security called a Trusted Platform Module, which serves as a secure vault to hold digital credentials,” said Wave Systems CEO Steven Sprague. “Instead of having to remember dozens of passwords, users can log into their device and their device logs them into their online accounts.”
 

Such a system would require strong privacy protections to guard against identity theft, according to Identity Finder, an identity protection and data loss prevention company based in New York City.

“We all have Social Security cards, and it took decades to realize that we shouldn’t carry them in our wallets,” said Aaron Titus, Identity Finder’s chief privacy officer. “Now we will have a much more powerful identity credential that lets us carry it in our wallets, phones, laptops, tablets and other computing devices.”

“The stakes are high, and if implemented improperly, an unregulated identity ecosystem could have a devastating impact on individual privacy,” Titus said.

Privacy advocates were pleased that the credentials system will be voluntary. Plus, since credentials will be provided by a variety of sources, there will be no single, centralized database of personal information.

“Having a single issuer of identities creates unacceptable privacy and civil liberties issues,” Locke said.

“There’s no doubt the vision is right,” said Leslie Harris, president and CEO for the Center for Democracy and Technology.

The question is whether the private sector will step up and do what’s necessary to make sure consumer privacy continues to be protected. Since technology will continue to evolve, the government will have to stay involved with the industry-led credentialing process, said Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University and a former senior staff engineer at Sun Microsystems.

Harris said government officials should bring a spray bottle and catnip to these meetings.

“It’s going to require a level of cat herding and staying on it for the government,” she said.