The Obama administration wants the tech industry to take the lead in creating a trusted online identity ecosystem.
Talk of private and public partnerships for Internet security is a common
refrain, and the calls were heard yet again Jan. 7 when federal officials
announced plans for a new office within the U.S. Department of Commerce to
coordinate federal efforts to support the creation of a trusted
online identity ecosystem.
Taking the concept of trusted identities from discussion to reality, many
say, requires striking the proper balance between the private and
public sectors, and the government wants the tech industry to take the
lead.
"The president's goal is to foster an identity ecosystem where Internet users can use
strong, interoperable credentials from public and private sector providers to
authenticate themselves online for a whole host of transactions," U.S.
Commerce Secretary Gary Locke told an audience at a forum at the
Stanford Institute for Economic Policy Research at Stanford
University.
"The solutions allowing us to actually achieve that goal are very
likely to emanate from your firms, and the players and the organizations here
in Silicon Valley," he added.
James Dempsey, vice president for public policy at the Center for Democracy
and Technology, agreed the Obama administration's National Strategy for Trusted
Identities in Cyberspace (NSTIC) initiative needs to be led by the private
sector.
"The problem here on some level is the government needs an identity
ecosystem or identity infrastructure ... but the government cannot create that
identity infrastructure because if it tried to, it wouldn't be trusted,"
he said at the forum.
The ecosystem should be voluntary, diverse (meaning there should be more
than one identity provider) and based on the concept of levels of assurance
ranging from anonymous to the highly verified for transactions that require that,
Dempsey said. It should also be just one part of the security puzzle, which
also needs to include baseline legislation on consumer privacy, he added.
Away from the forum, Forrester Research analyst Chenxi Wang said the need to
address security issues on the Web should not drive the initiative in a direction that
compromises privacy or liberty.
"I think if the government tries to initiate a national identity
directory effort, it will fail miserably because people will not trust it. ... This
system will have to be based on open competition," she said. "I can
see Google being one of the suppliers of this national identity. I can even see
Salesforce playing a role.
"This will also have to be standards-based so private directories can
hook into the national repository if they wish," she added. "The
government will have a regulator role to play here - they can set restrictions on
how the identity information can be used, and also act as a facilitator for
international identity negotiations."
Ultimately, she said, if the infrastructure behind the initiative is built,
it will emerge as a virtual infrastructure with open standards-based
implementation that is hosted by various parties and monitored by industry
watchdog groups.
But while some feel the tech industry should take the lead, Gartner analyst
Avivah Litan offered a contrary opinion.
"The federal government is the most natural issuer of identities in a
federated identity scheme," she told eWEEK. "After all, they already
issue our [Social Security numbers]. It's too bad they haven't figured out
how to issue electronic identity credentials.
"In the meantime, what can we expect? Facebook is already a major
identity provider, and many e-commerce sites already rely on those Facebook
identities," Litan continued. "Granted, these are for seemingly
low-risk transactions, so that a bank or government agency disbursing benefits
would never be able to rely on it as an example for high-risk
transactions. But over time, I think we can expect Facebook, Google and
mobile commerce companies like Bling Nation to eventually figure out a business
model where they can back user identities and their high-level transactions as
long as they can make money at it - and as long as they get significant user
adoption."