Experts: Government trusted Internet identities a long way off

The National Strategy for Trusted Identities in Cyberspace aims to set the benefits, overall strategy, goals and objectives of the government’s plan to improve how users (and even devices) are authenticated onto the Internet. The plan, so far, calls for very limited government involvement in the development of the identity infrastructure. As it stands today, the government’s role will be essentially promoting leadership, encouraging speed of deployment, and the use of certain identity solutions.

Cybersecurity Coordinator and Special Assistant to the President Howard A. Schmidt said the initiative is necessary to help fight online fraud and identity theft. “We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the “keys to the kingdom,” he wrote.

Few would argue the need for improved Internet identities and authentication. But the devil, if there is one, would reside in the details of the plan. The initial version of the plan was published last summer. Late last week, Commerce Secretary Gary Locke and Schmidt announced the Commerce Department will host a National Program Office (NPO) in support of the National Strategy.

Federal Data Security Law: ‘Careful What You Wish For’

While many would expect civil liberties groups and privacy groups to be wary of any government identity plans, that doesn’t appear to be happening with what has been put out for consideration this time. As Jim Dempsey, vice president for public policy at the Center for Democracy & Technology said at a Stanford University event held last week, “The government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader cybersecurity problem as well as, as one of the foundations of eCommerce, but the government cannot create that identity infrastructure, because if it tried to, it wouldn’t be trusted.”

Dempsey said in a blog post: “And here’s the good news: The Administration agrees. The Administration is not trying to create the identity infrastructure for the Internet. The Administration plan supports anonymity. The only centralization that was discussed by the Administration was the centralization of identity policy-making in the Department of Commerce.”

While Locke and Schmidt made it clear the plan doesn’t call for a national ID card, nor even a government controlled system, they didn’t provide many details about what such an identity ecosystem would actually look like.

Will smart cards be issued to Internet users? Will users be given software certificates to help authenticate who they are? Will biometrics play a role? Who will issue the credentials? Banks? Internet Service Providers?

The answer is “possibly” as the government is, so far, only working to encourage the adoption of technologies by private industry. And that, analysts say, means anything concrete coming from this plan is years away.

“It’s not clear to me how the government can influence identity much further than where things are today already,” said Scott Crawford, research director at Enterprise Management Associates. “They can say something is a good idea, such as by getting behind a standard,” he said. “But how are they going to create an ecosystem of identity providers? That can happen only if they become an identity provider for the Internet themselves, otherwise they can’t do much more than provide moral support.”