And confusion and split opinions were certainly what we heard in the flood of comments following the post. We took your concerns, questions and comments to the U.S. Commerce Department, the federal agency authorized to oversee the administration’s efforts in this area, for an in-depth interview with Ari Schwartz, senior advisor for Internet policy at the department.
Social Times: What exactly is an “Identity Ecosystem?”
AS: The Identity Ecosystem is a cyber world that improves upon the passwords currently used to log in online. It will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they’re doing sensitive transactions (like banking or accessing health records) and lets them stay anonymous when they’re not (like blogging). The Identity Ecosystem will enhance individuals’ privacy by minimizing the information they must disclose to authenticate themselves.
Social Times: How does an Identity Ecosystem credential differ from a national ID?
AS: An Identity Ecosystem credential would allow individuals to choose among multiple identity providers – both private and public – and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge. Moreover, people can continue to communicate anonymously online. This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed. The government will not mandate that people obtain an Identity Ecosystem credential, but individuals who choose to participate would enjoy more privacy, greater convenience – since they would no longer have to keep track of dozens of usernames and passwords – and more security from fraud and identity theft.
Social Times: Consumers are constantly told to vary and diversify their passwords to protect themselves online. How will having a single password enhance their security?
AS: The National Strategy for Trusted Identities in Cyberspace (NSTIC), a key building block in the national effort to secure cyberspace, requires that the Identity Ecosystem be founded upon the Fair Information Practice Principles (FIPPs) to ensure that people will be able to trust that their personal data are handled fairly and transparently. For instance, the Identity Ecosystem can increase levels of online privacy by minimizing the sharing of identifiable information to only what is necessary. In the physical world, when people show identification to prove their age, they also reveal all of the other information on the ID. In the envisioned online Identity Ecosystem, however, a digital credential could prove age without revealing any other information.
In addition, a FIPPs-based approach will promote the creation and adoption of privacy-enhancing technologies. Such technologies will inhibit the linkage of credential use among multiple service providers, thereby preventing those providers from developing a complete picture of an individual’s activities online. Authentication methods may include smart cards, USB devices or other technologies to verify identity that would provide stronger security than passwords alone.
Social Times: Will your average Internet user, say Jane Doe in Smalltown, USA, who uses the Internet mainly for social networking and some shopping need a credential?
AS: No. The U.S. government will not require that people obtain an Identity Ecosystem credential. However, individuals who choose to participate would enjoy more privacy, greater convenience – since they would no longer have to keep track of dozens of usernames and passwords – and more security from fraud and identity theft. Similarly, online service providers who opt in will be able to reduce inefficiencies and fraud losses because they can better trust that participating consumers are who they say they are. This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.
Social Times: Why should private companies run the program?
AS: The successful implementation of the Identity Ecosystem depends on the leadership of the private sector to develop new authentication technologies and on the establishment of the National Program Office to help coordinate federal efforts and convene stakeholders for the development of consensus standards for interoperability.
Private-sector organizations – who will represent the majority of service providers – have the incentives as well as the market experience that are necessary to build, promote, operate and maintain the Identity Ecosystem. The private sector – with the support of the public sector – has the capacity to build a trustworthy, privacy-enhancing cyberspace with more convenience than what exists online today.
Social Times: What role, if any, will the government, specifically the U.S. Commerce Department, play in overseeing the program on a day-to-day basis?
AS: The National Program Office will coordinate the federal activities needed to implement NSTIC and is to be established within the Department of Commerce once it is formally funded. The Office will serve as the point of contact to bring the public and private sectors together to meet this challenge. As the federal coordinator, the National Program Office will collaborate with other federal partners on the implementation of NSTIC. The principal role of the U.S. government is to facilitate and catalyze the private sector’s efforts and to protect individuals by ensuring that the Identity Ecosystem meets the guiding principles laid out in NSTIC.
Social Times: What is the timeline for implementing NSTIC?
AS: The administration intends to release the final National Strategy in the early part of 2011. Once it is released and the National Program Office is formally funded and established, the timeline for federal activities related to NSTIC can be developed with input from all stakeholders.
Social Times: Will the public have any additional opportunities to view and/or comment on the NSTIC once it’s released?
AS: A draft of NSTIC was released for public comment in June and July of 2010. The administration is incorporating the feedback it received from that public comment period into its final strategy. There will be additional opportunities for the public to comment on and participate in the implementation of the strategy.
Social Times: What are the best resources to learn more about and stay up-to-date on the Identity Ecosystem and the NSTIC?
AS: Regular updates about NSTIC will be posted on www.nist.gov/NSTIC, which is hosted by the U.S. Department of Commerce. On the website, you can also find FAQs, video, and other resources.