Have you lost your password recently, or had someone try to steal it through a “phishing” attempt? Maybe you’ve been hacked, or had someone pretend to be you online. Even if you haven’t suffered from actual identity theft or hacking, it’s something we all probably worry about as we live more and more of our lives online. But trying to maintain a secure online identity across hundreds of services is a daunting task, so the federal government wants to help. It says it doesn’t want to take over managing your identity though, or give you some kind of federal digital ID card. Instead, it plans to try to get the private sector to create a set of standards that allow an open “identity ecosystem” to form.
To that end, the Obama administration introduced its long-awaited National Strategy on Trusted Identity in Cyberspace on Friday, a document that has been in the works for over a year and is part of the government’s Cyberspace Policy Review plan. Those involved in shepherding the strategy — including Commerce Secretary Gary Locke, who introduced it during a live event followed by a panel discussion — took pains to point out that this effort will be led by industry, and that it isn’t some kind of Big Brother-ish system that everyone will be forced to use.
Secretary Locke said, “the old password and user-name combination we often use to verify people is no longer good enough” because it leaves too many consumers and businesses vulnerable to ID and data theft, since many people can’t remember their passwords or have too many to keep track of and wind up losing them. So the strategy — which involves the Commerce Department and the Department of Homeland Security, as well as other parts of the government — is designed to create an identity “ecosystem” that the administration hopes will jump-start private sector initiatives to create what Locke called “a uniquely American solution” to the problem of verifying identity online.
The ability to verify identity is the “endoskeleton of our online lives,” said Jane Lute, deputy secretary of the Department of Homeland Security, in a speech following Secretary Locke. She added that “the goal here is confidence, not centralized control.” A copy of the strategy is available here (PDF link).
In a prepared statement, President Obama said the Internet “has transformed how we communicate and do business, opening up markets, and connecting our society as never before. But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year.” According to a recent survey by Javelin Strategy and Research quoted by the Commerce Department, over 8 million U.S. adults were the victims of identity theft or fraud in 2010, with total costs of $37 billion.
While other countries have chosen to rely on government-led initiatives to essentially create national ID cards, Locke said “we don’t think that’s a good model, despite what you might have read on blogs frequented by the conspiracy theory set,” and that having a single issuer of identities “creates unacceptable privacy and civil liberties issues.” Instead, the Commerce Secretary said that the private sector would lead the way, with the government providing the framework for developing standards that everyone can agree on. The strategy is being supported by companies including Verisign, Microsoft and PayPal, the latter of which wrote a blog post about its support of the strategy.
Dr. Andy Ozment, White House Director for Cybersecurity Policy, said on a conference call prior to the announcement of the strategy that it’s designed to do four things:
- protect consumers’ privacy on the Internet
- protect them against identity theft and fraud
- foster economic growth by moving more businesses online, and
- create a platform for innovative services online
Ozment said the plan is to create a “marketplace” with businesses and agencies of different kinds, all of whom are trusted identity providers. Users could obtain identity credentials from anyone who met certain standards, he said: “[I]t could be something on my USB drive, it could be a smart card, or maybe a one-time password generator.”
The administration said it plans to have several workshops with industry and other interested parties to discuss how the plan will be rolled out and what kind of governance model it will involve — whether it’s run by the private sector alone, or whether it involves a hybrid private-public model. The next step is to run public pilot projects in 2012, but one of the officials involved said it “could take three to five years for the private-led steering group to settle on the standards.”
As with most such government-led initiatives, one of the big questions is whether the private sector will want to adopt this strategy, and what role the government will play in setting the standards that eventually emerge (former Twitter CEO Evan Williams wrote a blog post recently about the difficulties of dealing with digital identity). Locke and Ozment both made it clear that participating in the strategy is “completely voluntary” both for consumers and for businesses, and that all the Obama administration wants to do is help facilitate the efforts to agree on standards, and give its blessing to some kind of “trust mark” system for identifying who is participating in the system and who isn’t.
The risk, of course, is that companies and agencies that are already enforcing strong privacy and identity-management principles — and those who are trying to build market share as identity intermediaries, as Facebook and LinkedIn are — will join the effort, while those who are making millions by doing the opposite will continue to ignore it.