Obama moves forward with Internet ID plan

CNET News | April 15, 2011
By Declan McCullagh

The Obama administration said today that it's moving ahead with a plan for broad adoption of Internet IDs despite concerns about identity centralization, and hopes to fund pilot projects next year.

At an event hosted by the U.S. Chamber of Commerce in Washington, D.C., administration officials downplayed privacy and civil liberties concerns about their proposal, which they said would be led by the private sector and not be required for Americans who use the Internet.

There's "no reliable way to verify identity online" at the moment, Commerce Secretary Gary Locke said, citing the rising tide of security threats including malware and identity theft that have grown increasingly prevalent over the last few years. "Passwords just won't cut it here."

A 55-page document (PDF) released by the White House today adds a few more details to the proposal, which still remains mostly hazy and inchoate.

It offers examples of what the White House views as an "identity ecosystem," including obtaining a digital ID from an Internet service provider that could be used to view your personal health information, or obtaining an ID linked to your cell phone that would let you log into IRS.gov to view payments and file taxes. The idea is to have multiple identity providers that are part of the same system.

Administration officials plan to convene a series of workshops between June and September of this year that would bring together companies and advocacy groups and move closer to an actual specification for what's being called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

Left unsaid was that the series of workshops, which will be open to the public, will give the proposal's backers a chance to downplay concerns that it could become the virtual equivalent of a national ID card.

During his speech, Locke lashed out at the "conspiracy theory set" who have criticized the proposal. A column in NetworkWorld.com, for instance, called NSTIC a "great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness."

"A top-down strategy for online identity is unlikely to work," Jim Harper, director of information studies at the Cato Institute, said today. "People will not participate in a government-corporate identity project that deviates from their demand for control of identity information, which is an essential part of privacy protection, autonomy, and liberty."

The Commerce Department's National Telecommunications and Information Administration created a YouTube video to reassure Americans that "there is no central database tracking your actions." An FAQ repeats the message. It's enlisted allies to spread the message, including the Center for Democracy and Technology's Leslie Harris, who wrote in a post on commerce.gov that NSTIC is "not a national ID," but instead represents "a call for leadership and innovation from private companies."

One intriguing feature of today's description of NSTIC released by the White House is that it appears to build on a joint Microsoft-IBM project called Attribute-Based Credentials. (See CNET's previous coverage.)

The idea is to use encryption technology to let people disclose less about themselves--ideally, the minimum necessary to complete a transaction. The NSTIC document gives the example of someone filling a medical prescription online: "The pharmacy is not told (his) birth date or the reason for the prescription. The technology also filters information so that the attribute providers---the authoritative sources of the age and prescription information---do not know what pharmacy (is being used)."

The idea of using encryption technology to protect privacy in this way isn't exactly new. The legendary cryptographer David Chaum, the father of digital cash who's now building secure electronic voting systems, developed some of these ideas in the late 1980s. Dutch cryptographer Stefan Brands more fully developed the concept of limited disclosure digital certificates; Microsoft bought his company in 2008, and released the U-Prove specification last year along with a promise not to file patent lawsuits over its use.

On the other hand, it would be more convenient for law enforcement (not to mention intelligence agencies) if a more traditional, centralized system were used.

Sen. Barbara Mikulski, a Maryland Democrat who also spoke today at the Chamber event, seemed to veer a bit off-message--and instead of touting anonymity, she stressed the importance of aiding law enforcement.

Protecting civil liberties is important, Mikulski said. "But the first civil liberty is to be able to have a job, lead a life, and be able to buy what you want in the way we now buy it, which is through credit cards."

"We're going to support the FBI," said Mikulski, who heads the Senate subcommittee that oversees the FBI's funding. "We're going to support the growth of the FBI."

The Obama administration's record on digital identification and authentication is mixed.

During the 2008 presidential campaign, President Obama told CNET that "I do not support the Real ID program." But after being elected, Obama has not called for its repeal and his administration said last month that it's working "very closely with the states to assist with implementation."

Another cautionary note comes from a previous public-private partnership that also sought to improve identity-related authentication. The largest company participating in the TSA's registered traveler identification program, Verified Identity Pass' CLEAR, shut down in 2009. Its assets were sold to the highest bidder.

Another concern: Although the White House is describing the NSTIC plan as "voluntary," federal agencies could begin to require it for IRS e-filing, applying for Social Security or veterans' benefits, renewing passports online, requesting federal licenses (including ham radio and pilot's licenses), and so on. Then obtaining one of these ID would become all but mandatory for most Americans.

"For end-users, online identification has become increasingly cumbersome and complex," says Marc Rotenberg, president of the Electronic Privacy Information Center. "But it remains unclear whether the White House proposal will solve this problem or create new problems. There is the real risk that consolidated identity schemes will lead to 'hyper' identity theft."