The Obama Administration announced plans to develop an internet identity ecosystem that officials claim will reduce fraud and identity theft while streamlining online transactions.
The Obama Administration is committed to reducing Internet
fraud by developing a comprehensive, national online identity strategy, United
States Commerce Secretary Gary Locke said on Jan. 7. Cyber-security and digital
identity was a "national top priority" issue, said Locke.
Locke was joined by Howard Schmidt, the White House
Cybersecurity coordinator, at the Stanford Institute for Economic Policy
Research at Stanford University, where they outlined the framework for an
"identity ecosystem" which will allow people to complete online transactions
with confidence that their personal information was safe.
"We are not talking about a national ID card. We are not
talking about a government-controlled system," Locke said.
Despite the fact that over $10 trillion worth of business
is conducted online annually, which includes more than just e-commerce
transactions, the "Internet still faces something of a trust issue," because
people are worried about what information is going out and who has access to
it, said Locke.
The administration wants to "foster an identity ecosystem
where individuals can use interoperable credentials to authenticate themselves
online," said Locke.
Administration officials are currently working on the
guidelines, called the National Strategy for Trusted Identities in Cyberspace,
and will be releasing it in the next few months, said Locke. A draft version
was publicly circulated in late June 2010 and comments were invited.
While some of the comments were "quite silly," others were "very insightful"
and "gave us some good thoughts about how can we do this right?" said Schmidt.
Locke emphasized the goal was to enhance online security and
privacy through "trusted digital identities." The ecosystem may even "eliminate
the need to memorize a dozen passwords," he said.
The identity ecosystem will center on four main buckets,
said Schmidt. First and foremost, this must be strictly voluntary, he
said. "I don't have to get a credential if I don't want to," he said. If a
user establishes identity credentials, but decides not to use them for a
particular transaction, that should be possible too. Creating a digital
identity ecosystem does not mean taking away anonymity and pseudonymity on
the Internet, he said.
The second bucket focused on security. The ecosystem will
work only if the consumers are confident and trust that the information is
secure, said Schmidt.
Third, the system has to be interoperable. One company controlling
everyone's identity information is dangerous and does not inspire confidence,
said Schmidt. Identity should not be a single point of failure where attackers
target one place to compromise everyone. Thus it's critical there are a number
of solutions and mechanisms from a variety of companies, he said. With choice,
interoperability is critical, because otherwise users are left with credentials
that are accepted only some of the time.
Schmidt said he wanted a "potential future of one in which
multi-factor authentication is sort of the norm of doing business." Instead of
relying on fixed passwords, which people either re-use across multiple sites or
make weak to begin with, he wants to see several mechanisms, all of which
can protect a person from fraud, he said.
Finally, the system must be cost-effective and easy to use.
It must be easy for the general user to obtain credentials to identify
themselves, and also affordable for various businesses to implement the type of
security that would accept the secured credentials, said Schmidt.
While the initial efforts have come from the White House,
there needs to be private sector involvement from the companies who "made the
Internet what it is today," before this system could become reality, said
Locke. "The solutions allowing us to actually achieve that goal are very likely
to emanate from your firms," he told his Stanford University audience.
There's no chance that "a centralized database will
emerge," and "we need the private sector to lead the implementation
of this," said Schmidt.
The Commerce Department was the "absolute perfect spot" in
the federal government to coordinate the online identity effort, because it
would address how consumers interact with businesses online, said Schmidt. The
news is expected to please privacy and civil liberties groups who had been
nervous at the prospect of the National Security Agency or the Department of
Homeland Security spearheading the effort.
Both Locke and Schmidt warned that the identity ecosystem
was "not a panacea" and will not fix all security problems. Vulnerabilities
will still need to be fixed, and people will still need to be careful, but it
would be "one small piece we need to pull together," said Locke.
"The greater the
trust, the more often people will rely on the Internet for more sophisticated
applications and services," Locke said.