Internet ID system challenge: Balance security and privacy

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

The Commerce Department will oversee development and implementation of a secure “identity ecosystem” that will be outlined in the National Strategy for Trusted Identities in Cyberspace, but the private sector must build it.

A national program management office will be set up in the Commerce Department to oversee development and implementation of a secure “identity ecosystem” that will be outlined in a National Strategy for Trusted Identities in Cyberspace, the Obama administration announced Friday.

Commerce Secretary Gary Locke made the announcement during a symposium at the Stanford Institute for Economic Policy Research at which the groundwork was laid for the public- and private-sector partnership that will be needed for the initiative.

Locke said there were an estimated $41 billion worth of online consumer transactions in the third quarter of 2010, up 14 percent from the previous year. But despite its growing importance to the national economy, “the Internet still faces something of a trust issue,” he said. Online fraud and crime are growing, and identity management schemes to protect privacy and secure online transactions often are unwieldy and inadequate.

Related stories:

National strategy for identity management nearly done

ID management's weakness: Few want to use it

The administration is addressing this issue in the National Strategy, the final version of which will be released “in the coming months,” Locke said. The strategy will outline a system for online identity management that will be voluntary, competitive and diverse.

But the government faces trust issues of its own, said James Dempsey, the Center for Democracy and Technology’s vice president for public policy.

“The government cannot create that identity infrastructure,” Dempsey said at the symposium. “If it tried to, it wouldn’t be trusted.”

Government and industry officials and privacy advocates agreed that while government leadership is needed for creating a trusted identity ecosystem to support online activities, it will be the private sector that must develop and adopt it.

The online world has been recognized by the Obama administration as critical to U.S. security and economic well-being, and the National Strategy for Trusted Identities in Cyberspace is part of a broader effort to improve the nation’s cybersecurity posture. A draft strategy released in June, calls for an interoperable, voluntary scheme for identity verification that enhances both the security and privacy of online transactions. The strategy does not define the technology to be used but sets out four guiding principles:

  • The identity solutions must be secure and resilient.
  • They must be interoperable.
  • They will be voluntary.
  • They must be cost-effective and user-friendly.

The first action called for in the draft was to “designate a federal agency to lead the public-/private-sector efforts,” which was done with the announcement that Commerce would house the program management office.

Although the strategy is not likely to specify what the forms of trusted identity will be, Locke was clear about what it would not be.

“We are not talking about a national identity card,” he said. “We are not talking about a government system.”

The identity ecosystem most likely would be built on existing technologies that include digital certificates, tokens and other identity schemes such as passwords, coupled with a trust framework that would allow sharing of credentials across domains.

The challenge will be in implementing the technology in a way that is scalable and manageable both for end users and organizations. Schemes also must be easily adaptable to transactions requiring different levels of security and assurance. The requirements are to limit the amount of information used in a transaction to only that which is needed to secure that particular transaction and to retain no more information than is necessary and for no longer than is necessary to ensure the privacy of the user.

No single set of credentials or form factor will be required or would be adequate in themselves, said White House Cybersecurity Coordinator Howard Schmidt. Users would be able to choose which, if any, forms of ID to use for an online activity. Secure, interoperable ID is not the final answer to online security, Schmidt said.

“This is not a panacea; this is one small piece of everything we’re looking at,” he said.

Schmidt emphasized that the private sector must lead implementation of the strategy but that the private sector has acknowledged the need for government leadership because of the lack of security in the current online environment.

“We’ve created an environment in which there is a low risk and high reward for criminals” and for terrorists, said Dave DeWalt, CEO of McAfee. “We’ve seen an exponential increase in malware and the amount of crime.”

Although he warned against government regulation of consumer identity, Dempsey said one area in which congressional action would help is passage of a federal consumer privacy bill that would establish baseline protections, such as those in the European Community.

“That has to be part of the picture,” he said. “It should be addressed legislatively.”

 

NEXT STORY: The first Patch Tuesday of the year? Surprisingly light.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.