FRAMINGHAM, 18 APRIL 2011 - The Obama Administration's release of the final version of the National Strategy for Trusted Identities in Cyberspace (NSTIC) was greeted on Friday with caution by privacy advocates who see it as a well-intentioned effort that is still years away from fruition.
The strategy, first announced last June, is designed to foster better technologies, standards and policies for online authentication. The goal of NSTIC is to enable an identity ecosystem in which individuals and organizations are able to conduct online transactions with far more assurance and security than they are able to currently.
When fully implemented, the new identity infrastructure will allow Internet users the option of obtaining trusted online identity credentials from a range of private service providers, and government entities.
Instead of maintaining separate usernames and passwords for each website, Internet users would be able to use a single set of identity credentials to gain access to services on multiple sites.
For example, a user would be able to use a digital credential obtained from their ISP or bank or university, to securely access services at multiple other sites, without having to first register at each one or having to divulge personal information to them.
Such a model is expected to be far more convenient and privacy friendly than current online authentication mechanisms.
The NSTIC calls on the National Institute for Science and Technology (NIST) to develop standards and technology polices for the new identity infrastructure. But it leaves it to the private sector to do the actual development, deployment and use of the technology. Internet users will be free to decide for themselves if they want to use NSTIC credentials for online transactions.
Andy Ozment, White House Director for Cybersecurity Policy and Howard Schmidt, President Obama's cyber-security coordinator, touted the NSTIC as a ground breaking effort on Friday.
Commerce Secretary Gary Locke described NSTIC as another example of the U.S. government helping enable and support private innovation at a critical juncture.
"Usernames and passwords are no longer good enough," for protecting against identity theft and online fraud, Locke said. For the Internet to achieve its full potential, it's vital for the government and the private sector to work collaboratively to develop a new, secure and more privacy friendly identity ecosystem, he said.
"We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords," Locke said.
Privacy advocates meanwhile see the effort as a well meaning one that is fraught with many uncertainties, however.
For one thing, the kind of identity infrastructure envisioned by NSTIC is still several years away at least, said Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology. "The strategy at this point is just a vision for the future," Brauer-Rieke said. "There is still a lot of work that has to happen."
The idea behind NSTIC is good but what's going to be vital is the kind of governance structure that is put in place around it, he said. NSTIC envisions a scenario in which a relatively small number of entities will provide the identity credentials used by millions of Internet users to access Web services.
Proper rules for governing the use of such information is going to be vital to ensure that providers of identity credentials and those consuming it, do not misuse the data, he said. "If the rules aren't written properly, it could result in privacy harm," Brauer-Rieke said.
Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said that a lot of what is going on right now is at a very high and abstract level. "It's not perfectly clear how this is going forward," he said.
In general, though, one major concern with the identity system as proposed is that it could cut down on user privacy as opposed to enhancing it, Tien said. "To some extent, when you make it easier for people to provide ID you make it easier for people to ask for it," he said.
Care needs to be taken to ensure that a situation is not created where users are asked to provide identities for situations were none is required now, he said. Without proper care, an identity credential of the sort envisioned under NSTIC will actually enable more tracking by credential providers and others than is possible today, he said.
The real question that will need to be answered going forward is, "How much identity will I need to show to use the Internet, to send email, to browse or to use Google ?" he said. "In a trusted identity ecosystem, we would be required to have an identity for more and more of what we do on the Web, or we won't be allowed to do certain things," Tien said.
Comprehensive privacy legislation will be needed to protect against the misuse of identity credentials by those who provide them, said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC). "Online identity is complex problem and the risk of 'cyber-identity theft' with consolidated identity systems is very real," Rotenberg said.
Sign up for Computerworld eNewsletters.