Senior Executive Advisor for Identity Management
National Institute of Standards and Technology
1. Why now? Why is the National Strategy for Trusted IDs in Cyberspace needed?
Cyber crime is growing and has become more organized and sophisticated. As we increasingly perform high-value transactions online such as mortgage applications, buying stocks, or reviewing health care information, our vulnerability to theft, fraud, and privacy violations increases proportionately.
Sixty years ago, before the invention of the credit card, people simply accepted the danger inherent in carrying cash with them to make a large payment. Today we accept the dangers of using easy-to-break passwords and providing personal information to dozens of different Web sites as the cost of doing business on the Internet. But we don't have to.
The technologies exist now to make online transactions more secure, private, and more convenient. NSTIC offers a vision of the future where the private sector, civil societies, and the public sector collaborate to create the standards and policies needed for interoperable trusted credentials that would dramatically reduce ID theft and fraud online. In addition, by acting now and creating a more trusted environment for online transactions, we will ensure that the Internet continues to support innovation and the creation of new jobs.
2. Is NSTIC a plan to introduce a national ID card or an internet driver's license? Do I have to get one?
No. The government will not require that you get a trusted ID. If you want to get one, you will be able to choose among multiple identity providers — both private and public — and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge. Even if you do choose to get a credential from an ID provider, you would still be able to surf the Web, write a blog, visit chat rooms, or do other things online anonymously or under a pseudonym. The new Identity Ecosystem is meant for sensitive transactions — banking, shopping, accessing health records, etc. It is designed to protect your privacy by helping online providers verify your identity before accepting or providing sensitive information to you. It is also intended to help you verify that the Web sites you use are legitimate and not fake sites designed to steal your credit card or other personal information.
3. Will the government run the Identity Ecosystem?
No. The Identity Ecosystem will be created and run primarily by the private sector. Leadership by the private sector is critical to the success of the proposed strategy. Private companies have the incentives as well as the market experience to build, promote, and operate the Identity Ecosystem. While some government agencies, such as those that provide health care or other benefits may provide trusted IDs directly, the majority of service providers will be private-sector organizations. Federal, state, and local government agencies are also expected to accept trusted credentials provided by these private-sector organizations.
4. Why should the government be involved at all?
The role of the federal government is to facilitate and help jump start the private sector's efforts by convening workshops and bringing together the many different stakeholders important for establishing the Identity Ecosystem. The government will also protect individuals by ensuring that the Identity Ecosystem meets these four guiding principles: (1) privacy-enhancing and voluntary, (2) secure and resilient, (3) interoperable, and (4) cost-effective and easy to use. Lastly, the government can help drive the market by accepting Identity Ecosystem credentials for its online services.
5. How will implementation of NSTIC enhance privacy and support civil liberties?
NSTIC requires that service providers abide by the Fair Information Practice Principles (FIPPs) to ensure that people will be able to trust that their personal data are handled fairly, that they are informed about how their data will be used, have meaningful choices, and that checks and balances are in place to hold providers accountable for following a standard set of best practices. As is made clear in the subsequent White House report "Consumer Data Privacy in A Networked World" these FIPPs are completely consistent with the Consumer Privacy Bill of Rights (see Appendix B).
For example, service providers would be required to collect and share the minimum amount of information necessary for authentication. In the physical world, when people show a driver's license to prove their age, they also reveal all of the other information on the license. In the Identity Ecosystem, your credential could be used to prove you were a minimum age to allow a purchase without revealing your birth date or other information.
In addition, an approach grounded in recognized privacy principles will promote the creation and adoption of privacy-enhancing technologies. Such technologies will inhibit the linkage of credential use information among multiple service providers, thereby preventing those providers from developing a complete picture of an individual's activities online. Equally important, the Identity Ecosystem allows you to continue to use the Internet anonymously, which supports civil liberties like free speech and freedom of association.
6. Where can I get a trusted credential? Is the Identity Ecosystem built yet?
While some private and public identity providers do exist, the Identity Ecosystem, the system of technical and policy standards described by NSTIC, is not established yet. The purpose of NSTIC is to encourage public and private efforts to build upon current services in ways that enhance privacy, security, and convenience, but it will likely be some years before the full promise of the Identity Ecosystem is in place.
7. Won't having a single password and credential be less secure and private than having many usernames and passwords?
No. Like the bank card and PIN you use to obtain money from an ATM, having a password and a credential in physical form such as a cell phone, token, or smart card is much more secure than passwords alone. In addition, you may choose to have multiple credentials from different identity providers. However, even a single Identity Ecosystem credential is privacy-enhancing, because it can send different types of information to different service providers. For example, you could use your credential to log in to your online magazine subscription as "Jane457," because the magazine doesn't need to know your real name. But if you want to access your medical records, the same credential could prove that you are truly "Jane Smith."
NSTIC does not specify exactly how the technology behind credentials should verify identity; that should be left up to the private sector. However, past experience has shown that "multi-factor authentication" is much more secure than passwords alone. For example, a bank could issue you both a physical device, such as a key fob (something you have), combined with a short PIN number (something you know) to access your accounts. This two-factor method would make it much more difficult for thieves to break into your accounts. Your cell phone could also carry a digital certificate (something you have) that requires a password (something you know).
The key is that you can have multiple trusted identity credentials, and even if you lose the physical device, a cyber criminal still can't assume your identity without your PIN or password. Having even a few PIN numbers or passwords - should you choose to use multiple credentials - would be much more convenient than the dozens of passwords most people are forced to remember now. Also, should a credential be lost, you can more easily notify all necessary parties to secure accounts through the credential provider, rather than having to notify each individually. The ID provider would then discontinue that credential and issue you a new one, helping to minimize the likelihood of unauthorized activity.
No solution, of course, is a magic fix for all possible cybersecurity risks, and NSTIC does not claim to have answers to all threats associated with online transactions. It is, however, a major step forward in making the growing number of online transactions more convenient, more secure and more private.
8. Should I get a credential if I don't use the Internet very much?
Even if you don't use the Internet for lots of high-value transactions you will probably still benefit from having a trusted ID. Having a credential makes it easier to shop without having to open multiple accounts and it makes it harder for identity thieves to hack into your social networking accounts to get your personal information. Just as you probably routinely lock your car when you leave it in the parking lot, you should have a "lock and key" for your identity, even if you don't need to use it on the Internet very often.
9. Who will make sure that companies follow the rules?
One of the first actions for the National Program Office once it is established will be to convene a workshop for companies, privacy advocates, and other stakeholders to develop a steering group for the Identity Ecosystem. This group would administer the process for developing the technical standards and policies needed for the Identity Ecosystem. A community of members with similar goals and perspectives — known as a trust framework — can hold its members accountable to follow specific standards and policies. An accreditation authority would assure that individual service providers adhered to accepted Identity Ecosystem practices. Those who violate the rules would lose their trustmark status. Furthermore, the role of the government in the Identity Ecosystem is to ensure that individuals are protected from serious harm.
10. Will new laws be needed to create the Identity Ecosystem?
New ways of conducting business in the marketplace sometimes create uncertainty. If the marketplace does not respond in a timely way to that uncertainty with ways to ensure that privacy is protected and limits on liability are described then changes to current federal laws may be necessary.