Government plan for consolidated online ID unveiled

Published 20 April 2011

Last Friday President Obama unveiled a plan to establish federal standards to create consolidated secure online passwords; the ultimate goal of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to create a more secure environment for online transactions where users only have to register once and can use a common password for multiple sites; NSTIC lays out the industry standards and technology policies around the new authentication methods but leaves the development and deployment of the technology entirely in the hands of the private sector to avoid the establishment of a government-led national ID; privacy advocates worry that it could create an environment where authentication is increasingly required.

Last Friday President Obama unveiled a plan to establish federal standards to create consolidated secure online passwords.

The final version of the plan, which was originally announced last June and is dubbed the National Strategy for Trusted Identities in Cyberspace (NSTIC), seeks to create a more secure environment for online transactions where users only have to register once and can use a common password for multiple sites.

Under NSTIC users would no longer have to maintain separate logins and passwords for various websites and would have the option to merge all of their accounts under a single password.

This single login and password would be obtained from an Internet service provider, bank, or university that would store a user’s information, rather than having to register at multiple sites and have personal data on several servers.

Speaking at the rollout of the president’s new plan, Commerce Secretary Gary Locke said, “The fact is that the ‘old’ password and user-name combination we often use to verify people is no longer good enough. It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft.”

He added that the Internet still has a “‘trust’ issue” and cannot “reach its full potential – commercial or otherwise – until users and consumers feel more secure than they do today when they go online.”

Locke described NSTIC as a joint effort between the government and the private sector that leverages the strengths of both.

“This strategy will leverage the power and imagination of entrepreneurs in the private sector to find uniquely American solutions,” Locke said.

NSTIC lays out the industry standards and technology policies around the new authentication methods but leaves the development and deployment of the technology entirely in the hands of the private sector.

Easing concerns over privacy, Locke said that NSTIC is not the same as a national identity and that President Obama’s plan specifically seeks to avoid relying on a government-led initiative.

Instead, “we expect the private sector to lead the way in fulfilling the goals of NSTIC,” he said.

“Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it.”

But privacy advocates were not swayed by these arguments.

Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, worries that the proposed identity system will create an environment where authentication will be increasingly needed.

“To some extent, when you make it easier for people to provide ID, you make it easier for people to ask for it,” Tien said.

Tien cautioned that the new identity system should not require users to provide authentication where none is currently required.

According to Tien, in moving forward the key question is “How much identity will I need to show to use the Internet, to send email, to browse or to use Google?”

“In a trusted identity ecosystem, we would be required to have an identity for more and more of what we do on the Web, or we won’t be allowed to do certain things,” he argued.

Privacy advocates will likely not have to worry for quite some time as the technology to actually create consolidated IDs is still years away.

Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, says, “The strategy at this point is just a vision for the future. There is still a lot of work that has to happen.”

In the meantime, Marc Rotenberg, the executive director of the Electronic Privacy Information Center, says that comprehensive legislation to protect against the mishandling of identity credentials must be passed.

“Online identity is a complex problem, and the risk of ‘cyber-identity theft’ with consolidated identity systems is very real,” he said.