Last Friday, the U.S. government unveiled its National Strategy for Trusted Identities in Cyberspace, a blueprint for the private-industry development of voluntary tools that would authenticate and consolidate your identity online. We need such a thing, the government says — in a pamphlet titled, well, "Why We Need It" — because our proliferating online passwords are inconvenient and insecure, and because last year 8.1 million adults in the U.S. suffered identity theft or fraud, at a cost of $37 billion.
The idea seems like one mandated by the moment. Increasingly, important commerce, banking and government services have migrated online, demanding ever more accounts and passwords and logins to remember.
But Amie Stepanovich, national security counsel for the Electronic Privacy Information Center in Washington, explains that this proposal has actually been years in the making. And the history of its development suggests the concept is equal parts promising and risky — a reality hardly captured in the government's enthusiastic 45-page rollout, complete with "Envision it!" sidebar scenarios.
Stepanovich dates the idea back to early last decade when private companies first began designing "Internet credential" systems to verify users' identities in online transactions. In 2004, the government launched such a system for federal employees, who today carry microchip-embedded ID cards that grant access to both buildings and websites while recognizing individual security clearance levels.
That system seemed a logical efficiency (and federal employees, after all, have a different relationship to the government than the rest of us do). But the following year, Congress passed legislation, the REAL ID Act, mandating elements of a national ID card for the rest of us.
"In that [government employee] capacity there really wasn't a huge privacy concern," Stepanovich said. "And then it started growing, this need to authenticate everybody."
In 2009, the government released a Cyberspace Policy Review first proposing the objective of a national plan for online identification — what sounded like a national ID card for the Internet — and concerns grew.
"That's what a lot of people feared — that the government was going to take REAL ID and put it on the Internet and be able to track everybody's Internet activity," Stepanovich said.
That is not what's contained in the NSTIC proposal, to the relief of privacy advocacy groups.
"I think that they learned a lesson with REAL ID that people are not receptive to a centralized government database," Stepanovich said. "The history, all the way back to the 1930s with Social Security numbers, has been that people reject the idea of a national identity number."
The NSTIC sidesteps that, in part, by deferring to private industry to develop the "identity ecosystem." But the idea, as it is roughly outlined in the government's proposal, still comes with a lot of unsettling complications.
The government has set out principles — chief among them "choice, efficiency, security and privacy" — more than mechanics. But the basic idea is that you could have your offline identity verified online by a company of your choosing. That company would then provide you with a single credential that you could present (when you don't want to be anonymous online) to Amazon, or VA.gov, instead of having to re-establish that you are who you say you are with every online transaction.
The device carrying your credential — a flash drive, a cellphone, a smart card of some kind — would authenticate itself, rather than referring Amazon to the company that vouches for you. Amazon would know the buyer was secure, and the credential would know it was communicating with a bookseller, but the authentication provider would never learn that you just bought Bob Woodward's new book. In this way, the parties involved would never freely communicate with each other, and so would never create precisely the web of information that you probably don't want anyone — private company or government agency — to track.
The first problem with this idea is obvious: If you consolidate all of your passwords in one place, that actually makes your identity even easier to steal. And if you're carrying that identity around on a pocket-sized device, you're about as likely to lose it as you are your wallet — now with added disastrous consequences.
The alternative to a self-authenticating physical credential would be some kind of authentication via the cloud. But that has problems, too. Inside the cloud, it would be more difficult to erect blinders between the ID provider, you and the sites you want to access or the products you want to buy.
"It cuts both ways," Stepanovich said of the benefits and pitfalls of an authentication device. "It's more secure. Because there's no database of everything you're doing, they're not going to be able to track you. But in the end, you're carrying around your entire identity. Imagine losing your cellphone if in the future your Visa card were on your cellphone."
Because of this, she doesn't expect anyone in the future will truly use just one credential. Maybe you'll have a high-security ID for banking (on a thumb drive), a medium-security one for e-commerce (on your keychain), and a low-security one for social networking (in your wallet). Three access points is still probably fewer than you use today, although Stepanovich's vision does dampen the government's suggestion that NSTIC would give you one magic key to the whole Internet.
Privacy advocates also worry about whether the program would truly be voluntary and how long it could stay that way. It's easy to imagine an online world where authentication becomes practically mandatory, if not legally so. Advocates can point to the mission creep of the Social Security number as an example.
"It's not enough to say they won't be mandatory — you affirmatively have to say that they are voluntary," Stepanovich said. "People need to be given a choice. If I want to use my credential to say I am who I am, that's great. But if I want to keep 10,000 passwords, if I want to keep everything separate, I should be given that opportunity. I shouldn't be excluded from activities on the Internet simply because I don't want my data aggregated."
We also don't want to exclude demographics that will be slow adopters of this technology, Stepanovich adds, or to discourage foreign companies from doing business with U.S. online platforms that require authentication.
The last problem with NSTIC is the murkiest. Nowhere in the government's 45-page proposal is the Department of Homeland Security mentioned, but that agency has been involved throughout the idea's history, dating back to its lead in developing the federal employee ID card system. The public face of the proposal, instead, has been Commerce Secretary Gary Locke, and the National Institute of Standards and Technology, within Commerce, is set now to lead the plan forward.
Homeland Security's involvement, though, sends up yellow flags.
"We don't really know what their role with NSTIC is," Stepanovich said. "We know they were a partner in developing the strategy, and supposedly they have transitioned their role to NIST to implement it. I think, though, that we have to be aware as consumers of this program that if DHS continues to be involved, there are definitely concerns that are going to come with that."
If the system works as the government's proposal says it should, there wouldn't be much opportunity for Homeland Security to track your compartmentalized online information anyway. But there's no denying that the government is currently pursuing two policies in cyberspace that now seem at odds with each other. On the one hand, it wants to make your online identity so secure and private — even more so than in the real world — that it swears even the government can't track you. But on the other, federal law enforcement agencies are actively pursuing expanded powers to wiretap online communications.
In an ideal universe, where all of these concerns could be resolved, an online identity system could be a good idea. The question is whether we can guarantee those conditions.
"That's where the legislation is going to have to come in," Stepanovich said. "An agency regulating itself and what it can do is not going to be enough here. We're going to have to have legislation that there are certain protections that come with this program, and we're going to have to make sure that those are implemented and that there are strict consequences if those are not complied with, either by private industry or by government.
"If it comes out that there is a back door, if some of this technology has been developed in a way that government can access the information, I think the government needs to be held accountable for that."