Trusted IDs face fearful response

The level of fear, uncertainty and doubt (FUD) that has always been a factor in online business has taken a turn for the worse — courtesy of the federal government, no less.

In late June, the Obama administration released a draft strategy for creating a system aimed at protecting individuals against identity theft, Internet scams and other malicious activity, whether someone is buying a book or downloading an electronic health record.

The gist of the proposal is simple: Develop a process for providing individuals with secure personal identifiers, such as digital certificates or smart cards, which they can use when conducting online transactions.

“The problem, as depicted in Peter Steiner’s legendary 1993 'New Yorker' cartoon, is that on the Internet nobody knows you’re a dog,” writes John Markoff for the New York Times. “And thus the enduring conundrum over who can be trusted in cyberspace.”

At present, many businesses issue personal identifiers, such as passwords or personal ID number codes, to online customers. But the administration envisions a trusted identity ecosystem in which all participating organizations agree to recognize the identifiers issued by one another. Participation would be voluntary for organizations and individuals, but the administration is betting that the prospect of convenient, secure online transactions would be a big draw.

However, the FUD factor might temper that optimism.

Some people fear that the system would improve security at the expense of privacy, with the secure identifier making it easier to monitor an individual’s online activity.

The Obama administration “must tread carefully, as efforts to create identity cards, personal certificates or other systems of identifiers raise privacy worries and fears of Big Brother tracking its citizens online,” writes Lolita Baldor for the Associated Press.

Then again, some people are uncertain that the plan would even improve security.

The Homeland Security Department set up an online forum to gather feedback from the public. One reader thought the government’s approach made the prospect of identity theft even more frightening than it already was.

“A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure,” the community member wrote. “Once that identity has been compromised — which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain — an individual's entire life will be open for hijacking.”

Gartner Vice President John Pescatore said he believes the strategy is simply off point. Rather than trying to construct a federal identity ecosystem, as others have attempted in the past, “the government would be much better off focusing on the root of identity theft and cyber crime problems: reusable passwords,” he writes in a post on the Gartner blog network.

Ultimately, some security experts doubt that a truly secure system is possible without creating the online equivalent of a government-issued, mandatory driver’s license — the worst nightmare of privacy advocates.

According to this camp, the “’voluntary ecosystem’ envisioned by Mr. Schmidt would still leave much of the Internet vulnerable,” Markoff writes. “They argue that all Internet users should be forced to register and identify themselves, in the same way that drivers must be licensed to drive on public roads.”

Finally, there are those for whom the FUD factor is beyond all reckoning. Andrew S., commenting on the DHS forum, dismissed the administration’s strategy as pointless given the state of security on the Internet.

“There is no such thing as ‘trusted identity’ as long as 25 percent of all computers running Windows are infected with malware that lets other people remotely control their computers,” he writes.