US Government Calls For Identity Ecosystem

The Obama administration has outlined plans for a private sector-led identity system intended to reduce fraud

The Obama Administration is committed to reducing Internet fraud by developing a comprehensive, national online identity strategy, United State Commerce Secretary Gary Locke said on 7 January. Cyber-security and digital identity was a “national top priority” issue, said Locke.

Locke was joined by Howard Schmidt, the White House Cybersecurity coordinator, at the Stanford Institute for Economic Policy Research at Stanford University, where they outlined the framework for an “identity ecosystem” which will allow people to complete online transactions with confidence that their personal information was safe.

Trust issues

“We are not talking about a national ID card. We are not talking about a government-controlled system,” Locke said.

Despite the fact that over $10 trillion (£6.4tn) worth of business conducted online annually, which includes more than just e-commerce transactions, the “Internet still faces something of a trust issue”, because people are worried about what information is going out and who has access to it, said Locke.

The administration wants to “foster an identity ecosystem where individuals can use interoperable credentials to authenticate themselves online”, said Locke

Administration officials are currently working on the guidelines, called the National Strategy for Trusted Identities in Cyberspace, and will be releasing it in the next few months, said Locke. A draft version of the proposal was publicly circulated in late June 2010 and comments invited. While some of the comments were “quite silly”, others were “very insightful” and “gave us some good thoughts about how can we do this right?” said Schmidt.

Locke emphasised the goal was to enhance online security and privacy through “trusted digital identities”. The ecosystem may even “eliminate the need to memorise a dozen passwords”, he said.

The identity ecosystem will centre on four main buckets, said Schmidt. First and foremost, this must be strictly voluntary, he said. “I don’t have to get a credential if I don’t want to,” he said. If a user establishes identity credentials, but decides not to use it for a particular transaction, that should be possible too. Creating a digital identity ecosystem does not mean taking away anonymity and pseudonimity on the Internet, he said.

Security

The second bucket focused on security. The ecosystem will work only if the consumers are confident and trust that the information is secure, said Schmidt.

Third, the system has to interoperable. One, company controlling everyone’s identity information is dangerous and does not inspire confidence, said Schmidt. Identity should not be a single point of failure where attackers target one place to compromise everyone. Thus it’s critical there are a number of solutions and mechanisms from a variety of companies, he said. With choice, interoperability is critical, because otherwise users are left with credentials that are accepted only some of the time.

Schmidt said he wanted a “potential future of one in which multi-factor authentication is sort of the norm of doing business”. Instead of relying on fixed passwords, that people either re-use across multiple sites or have weak ones to begin with, he wants to see several mechanisms, all of which can protect a person from fraud, he said.

Finally, the system must be cost-effective and easy to use. It must be easy for the general user to obtain credentials to identify themselves, and also affordable for various businesses to implement the type of security that would accept the secured credentials, said Schmidt.

While the initial efforts have come from the White House, there needs to be private sector involvement from the companies who “made the Internet what it is today”, before this system could become reality, said Locke. “The solutions allowing us to actually achieve that goal are very likely to emanate from your firms,” he told his Stanford University audience.

Private sector leadership

There’s no chance that “a centralised database will emerge”, and “we need the private sector to lead the implementation of this”, said Schmidt.

The Commerce Department was the “absolute perfect spot” in the federal government to coordinate the online identity effort, because it would address how consumers interact with businesses online, said Schmidt. The news is expected to please privacy and civil liberties groups who had been nervous at the prospect of the National Security Agency or the Department of Homeland Security spearheading the effort.

Both Locke and Schmidt warned that the identity ecosystem was “not a panacea” and will not fix all security problems. Vulnerabilities will still need to be fixed, and people will still need to be careful, but it would be “one small piece we need to pull together”, said Locke.

“The greater the trust, the more often people will rely on the Internet for more sophisiticated applications and services,” Locke said.