Trusted IDs face fearful response

Proposed 'identity ecosystem' has plenty of pros and cons

The level of fear, uncertainty and doubt (FUD) that has always been a factor in online business has taken a turn for the worse — courtesy of the federal government, no less.

In late June, the Obama administration released a draft strategy for creating a system aimed at protecting individuals against identity theft, Internet scams and other malicious activity, whether someone is buying a book or downloading an electronic health record.

The gist of the proposal is simple: Develop a process for providing individuals with secure personal identifiers, such as digital certificates or smart cards, which they can use when conducting online transactions.

“The problem, as depicted in Peter Steiner’s legendary 1993 'New Yorker' cartoon, is that on the Internet nobody knows you’re a dog,” writes John Markoff for the New York Times. “And thus the enduring conundrum over who can be trusted in cyberspace.”

At present, many businesses issue personal identifiers, such as passwords or personal ID number codes, to online customers. But the administration envisions a trusted identity ecosystem in which all participating organizations agree to recognize the identifiers issued by one another. Participation would be voluntary for organizations and individuals, but the administration is betting that the prospect of convenient, secure online transactions would be a big draw.

However, the FUD factor might temper that optimism.

Some people fear that the system would improve security at the expense of privacy, with the secure identifier making it easier to monitor an individual’s online activity.

The Obama administration “must tread carefully, as efforts to create identity cards, personal certificates or other systems of identifiers raise privacy worries and fears of Big Brother tracking its citizens online,” writes Lolita Baldor for the Associated Press.

Then again, some people are uncertain that the plan would even improve security.

The Homeland Security Department set up an online forum to gather feedback from the public. One reader thought the government’s approach made the prospect of identity theft even more frightening than it already was.

“A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure,” the community member wrote. “Once that identity has been compromised — which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain — an individual's entire life will be open for hijacking.”

Gartner Vice President John Pescatore said he believes the strategy is simply off point. Rather than trying to construct a federal identity ecosystem, as others have attempted in the past, “the government would be much better off focusing on the root of identity theft and cyber crime problems: reusable passwords,” he writes in a post on the Gartner blog network.

Ultimately, some security experts doubt that a truly secure system is possible without creating the online equivalent of a government-issued, mandatory driver’s license — the worst nightmare of privacy advocates.

According to this camp, the “’voluntary ecosystem’ envisioned by Mr. Schmidt would still leave much of the Internet vulnerable,” Markoff writes. “They argue that all Internet users should be forced to register and identify themselves, in the same way that drivers must be licensed to drive on public roads.”

Finally, there are those for whom the FUD factor is beyond all reckoning. Andrew S., commenting on the DHS forum, dismissed the administration’s strategy as pointless given the state of security on the Internet.

“There is no such thing as ‘trusted identity’ as long as 25 percent of all computers running Windows are infected with malware that lets other people remotely control their computers,” he writes.

 

About the Author

Connect with the FCW staff on Twitter @FCWnow.

The 2015 Federal 100

Meet 100 women and men who are doing great things in federal IT.

Featured

  • Shutterstock image (by venimo): e-learning concept image, digital content and online webinar icons.

    Can MOOCs make the grade for federal training?

    Massive open online courses can offer specialized IT instruction on a flexible schedule and on the cheap. That may not always mesh with government's preference for structure and certification, however.

  • Shutterstock image (by edel): graduation cap and diploma.

    Cybersecurity: 6 schools with the right stuff

    The federal government craves more cybersecurity professionals. These six schools are helping meet that demand.

  • Rick Holgate

    Holgate to depart ATF

    Former ACT president will take a job with Gartner, follow his spouse to Vienna, Austria.

  • Are VA techies slacking off on Yammer?

    A new IG report cites security and productivity concerns associated with employees' use of the popular online collaboration tool.

  • Shutterstock image: digital fingerprint, cyber crime.

    Exclusive: The OPM breach details you haven't seen

    An official timeline of the Office of Personnel Management breach obtained by FCW pinpoints the hackers’ calibrated extraction of data, and the government's step-by-step response.

  • Stephen Warren

    Deputy CIO Warren exits VA

    The onetime acting CIO at Veterans Affairs will be taking over CIO duties at the Office of the Comptroller of the Currency.

  • Shutterstock image: monitoring factors of healthcare.

    DOD awards massive health records contract

    Leidos, Accenture and Cerner pull off an unexpected win of the multi-billion-dollar Defense Healthcare Management System Modernization contract, beating out the presumptive health-records leader.

  • Sweating the OPM data breach -- Illustration by Dragutin Cvijanovic

    Sweating the stolen data

    Millions of background-check records were compromised, OPM now says. Here's the jaw-dropping range of personal data that was exposed.

  • FCW magazine

    Let's talk about Alliant 2

    The General Services Administration is going to great lengths to gather feedback on its IT services GWAC. Will it make for a better acquisition vehicle?

Reader comments

Wed, Jul 14, 2010 Bob

Having read the Strategy throughout, there is no mention of any centralized entity that stores your identity. This is mostly a Private Sector Infrastructure that is decentralized. Tyranny is in the imagination of those who probably have not read nor participated in the discussion or the solution in any thoughtful way. It is good to challenge the ideas so that those who do participate and are concerned about our Freedoms work diligently to protect them!

Fri, Jul 9, 2010

If a single, centralized entity stores your identity for all transactions, that entity has the power to prevent you from completing any transaction. That's not FUD, it' tyranny.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above