The US government will coordinate private sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama's administration.
The National Institute of Standards and Technology (NIST) will work with private companies to drive development and adoption of trusted ID technologies, White House officials said. The National Strategy for Trusted Identities in Cyberspace (NSTIC), released by the Department of Commerce on Friday, aims to protect the privacy and security of Internet users by encouraging a broad online authentication market in the US.
"The fact is that the old password and username combination we often use to verify people is no longer good enough," Commerce Secretary Gary Locke said at an NSTIC release event hosted by the US Chamber of Commerce. "It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft."
Because of online fraud, many people don't trust the Internet, Locke added. "It will not reach its full potential, commercial or otherwise, until users and consumers feel more secure than they do today when they go online," he said.
About 8.1 million US residents were victims of ID theft in 2010, Locke said. The cost to business is high: a company with 500 employees spends about $110,000 a year managing employee IDs, according to the Department of Commerce.
The trusted ID technologies described in NSTIC would allow online users to dump passwords in favour of credentials that can be used on multiple websites. The Obama administration hopes that multiple trusted ID technologies will emerge, officials said. Consumer participation in trusted ID technologies will be voluntary, they added.
NIST will host three workshops starting in June to focus on problems with development and adoption of online ID authentication technologies, Obama administration officials said. Businesses, consumer groups, privacy advocates and other interested members of the public will be invited, they said.
The plan aims for several trusted ID pilot projects to be launched in 2012, and the administration hopes to see a robust trusted ID market in the US in three to five years, officials said.
The White House released a draft version of NSTIC in June. The new version more explicitly emphasises that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.
After the draft release, some critics raised privacy concerns about NSTIC, suggesting it is the administration's effort to create a national ID. The emphasis on private sector leadership should debunk that argument, Locke said.
"Other countries have chosen to rely on government-led initiatives to essentially create national ID cards," he said. "We don't think that's a good model, despite what you might have read on blogs frequented by the conspiracy theory set. Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it."
Privacy advocate Susan Landau, a fellow at Harvard University, praised the new version of NSTIC, saying it will allow Internet users to remain anonymous for many online transactions. The plan calls for online businesses to collect the minimal amount of information necessary from credential providers in order to process the transaction, administration officials said.
"NSTIC certainly sets out the right vision here," added Leslie Harris, president and CEO of the Center for Democracy and Technology (CDT), a privacy advocacy group. "It gives consumers more control and more choice about their online identities. It makes it clear that it's voluntary."
Representatives of several vendors, including Google and Paypal, praised the effort. Several vendors demonstrated trusted ID technologies at the event, with Northrop Grumman, Microsoft and other partners demonstrating a cloud-based credential system for mobile devices.