The Obama administration's release of the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) was greeted on Friday with caution by privacy advocates who see it as a well-intentioned effort that is still years away from fruition.
The strategy, first announced last June, is designed to foster better technologies, standards and policies for online authentication. The goal of NSTIC is to enable an identity ecosystem in which individuals and organizations are able to conduct online transactions with far more assurance and security than they are currently able to.
When fully implemented, the new identity infrastructure will allow Internet users the option of obtaining trusted online identity credentials from a range of private service providers and from government entities.
Instead of maintaining separate usernames and passwords for each website, Internet users would be able to use a single set of identity credentials to gain access to services on multiple sites.
For example, a user would be able to use a digital credential obtained from his ISP, bank or university to securely access services at multiple other sites without having to first register at each one or having to divulge personal information to them.
Such a model is expected to be far more convenient and privacy-friendly than current online authentication mechanisms.
NSTIC calls on the National Institute for Science and Technology to develop standards and technology policies for the new identity infrastructure, but it leaves the actual development and deployment of the technology to the private sector. Internet users will be free to decide for themselves whether they want to use NSTIC credentials for online transactions.
Andy Ozment, White House director for cybersecurity policy, and Howard Schmidt, President Obama's cybersecurity coordinator, touted NSTIC as a groundbreaking effort on Friday.
Commerce Secretary Gary Locke described NSTIC as another example of the U.S. government helping to enable and support private innovation at a critical juncture.
"Usernames and passwords are no longer good enough" for protecting against identity theft and online fraud, Locke said. For the Internet to achieve its full potential, it's vital for the government and the private sector to work collaboratively to develop a new, secure and more privacy-friendly identity ecosystem, he said.
"We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords," Locke said.
Privacy advocates, however, see the effort as well-meaning but fraught with uncertainties.
For one thing, the kind of identity infrastructure envisioned by NSTIC is still several years away at least, said Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology. "The strategy at this point is just a vision for the future," Brauer-Rieke said. "There is still a lot of work that has to happen."
The idea behind NSTIC is good but what's going to be vital is the kind of governance structure that is put in place around it, he said. NSTIC envisions a scenario in which a relatively small number of entities will provide the identity credentials used by millions of Internet users to access Web services.
Proper rules governing the use of such information are going to be vital to ensure that providers of identity credentials and those consuming them do not misuse the data, he said. "If the rules aren't written properly, it could result in privacy harm," Brauer-Rieke said.
Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, said that a lot of what is going on right now is at a very high and abstract level. "It's not perfectly clear how this is going forward," he said.
In general, though, one major concern with the identity system as proposed is that it could cut down on user privacy as opposed to enhancing it, Tien said. "To some extent, when you make it easier for people to provide ID, you make it easier for people to ask for it," he said.
Care needs to be taken to ensure that a situation is not created where users are asked to provide identities for scenarios where none is required now, he said. Without proper care, an identity credential of the sort envisioned under NSTIC will actually enable more tracking by credential providers and others than is possible today, Tien said.
The real question that will need to be answered going forward is, "How much identity will I need to show to use the Internet, to send email, to browse or to use Google?" Tien said. "In a trusted identity ecosystem, we would be required to have an identity for more and more of what we do on the Web, or we won't be allowed to do certain things."
Comprehensive privacy legislation will be needed to protect against the misuse of identity credentials by those who provide them, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "Online identity is a complex problem, and the risk of 'cyber-identity theft' with consolidated identity systems is very real," Rotenberg said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed.