White House releases trusted Internet ID plan

The Obama administration wants to help drive forward the trusted ID market in the U.S.

The U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama's administration.

The National Institute of Standards and Technology (NIST) will work with private companies to drive development and adoption of trusted ID technologies, White House officials said. The National Strategy for Trusted Identities in Cyberspace (NSTIC), released by the Department of Commerce on Friday, aims to protect the privacy and security of Internet users by encouraging a broad online authentication market in the U.S.

"The fact is that the old password and username combination we often use to verify people is no longer good enough," Commerce Secretary Gary Locke said at an NSTIC release event hosted by the U.S. Chamber of Commerce. "It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft."

Because of online fraud, many people don't trust the Internet, Locke added. "It will not reach its full potential -- commercial or otherwise -- until users and consumers feel more secure than they do today when they go online," he said.

About 8.1 million U.S. residents were victims of ID theft in 2010, Locke said. The cost to business is high: a company with 500 employees spends about US$110,000 a year managing employee IDs, according to the Department of Commerce.

The trusted ID technologies described in NSTIC would allow online users to dump passwords in favor of credentials that can be used on multiple websites. The Obama administration hopes that multiple trusted ID technologies will emerge, officials said.

Consumer participation in trusted ID technologies will be voluntary, they added.

NIST will host three workshops starting in June to focus on problems with development and adoption of online ID authentication technologies, Obama administration officials said. Businesses, consumer groups, privacy advocates and other interested members of the public will be invited, they said.

The plan aims for several trusted ID pilot projects to be launched in 2012, and the administration hopes to see a robust trusted ID market in the U.S. in three to five years, officials said.

The White House released a draft version of NSTIC in June. The new version more explicitly emphasizes that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.

After the draft release, some critics raised privacy concerns about NSTIC, suggesting it is the administration's effort to create a national ID. The emphasis on private sector leadership should debunk that argument, Locke said.

"Other countries have chosen to rely on government-led initiatives to essentially create national ID cards," he said. "We don't think that's a good model, despite what you might have read on blogs frequented by the conspiracy theory set. Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it."

Privacy advocate Susan Landau, a fellow at Harvard University, praised the new version of NSTIC, saying it will allow Internet users to remain anonymous for many online transactions. The plan calls for online businesses to collect the minimal amount of information necessary from credential providers in order to process the transaction, administration officials said.

"NSTIC certainly sets out the right vision here," added Leslie Harris, president and CEO of the Center for Democracy and Technology (CDT), a privacy advocacy group. "It gives consumers more control and more choice about their online identities. It makes it clear that it's voluntary."

Representatives of several vendors, including Google and PayPal, praised the effort. Several vendors demonstrated trusted ID technologies at the event, with Northrop Grumman, Microsoft and other partners demonstrating a cloud-based credential system for mobile devices.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.



A Nonymous


Yes this will totally work because everyone on the internet is American right?

It is an international wide area network, you cannot enforce this and no one will trust America to do this right without spying.



Ah yes, I see what they did there. We're going to increase your privacy by having the government give you a "voluntary" internet ID card. There couldn't possibly be any ulterior motives, could there?

Notice how this same plan keeps getting reintroduced in different ways, with different PR campaigns. It's the same thing: Internet ID. Gary Locke is simply talking out of his abdominal orifice. This is 2011. Making online purchases isn't exactly something that makes people skeptical, like it did back in the late 1990s. More crap we don't need, and didn't ask for, sold to us as if it's a great service to humanity. I'll trust my passwords, thank you very much. I'm not convinced that the government has any interest in protecting my security. I'd be much more concerned about government hacking into my online affairs than some schmo hacker somewhere.

Once the system is implemented and various sites migrate to it, it then becomes mandatory. By that time Barry boy will be sipping martinis in the Bahamas laughing about the con jobs he pulled off while in office.

Fred the Grumbler


ID theft on the Internet happens predominantly because of unsecured Windows PCs that leak credentials to fraudsters. Adding layers of authentication makes no difference. Today's Windows Trojans even redirect sessions authenticated with SecurID fobs.

The only "benefit" I can see is that all law-abiding US consumers will have to be authenticated, which will be the end of free speech on the Internet. I fully expect Google et al. to jump on the bandwagon, because identifying all Internet activity will be a boon for advertisers.



We're from the government and we're here to help you--NOT. If the feds want to release some encryption technology good, be like NASA, sell the technology and get the heck out of the way. To have the government in charge of trust is like giving the keys to the convicts.



This smacks of public health care "It's just a public option" - which is quickly becoming the only option.
The reality is that no one is more concerned about my privacy than me. While industry strides can be taken to increase public awareness and comfort with certain technologies, as soon as it goes over to government, liberty demands the defeat of these controls. Should this be accepted, it will be a demeaning trade of considerable freedom for marginal good. This time and money would be better spent promoting the advantages in available technology and process to allow private industry (both commercial and individual) to ensure privacy in regards to the people that decide on their own to divulge their information.



With the administration currently in office (or any administration, for that matter, but especially this one), I would be a fool to trust them. The government has no business pushing this effort. If it is a good idea, let the private sector do it. We've all seen this movie before, and we know how it ends - and it ain't pretty.
