Senior Executive Advisor for Identity Management
National Institute of Standards and Technology
A critical element of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is to substantially improve the privacy of online transactions and support civil liberties like freedom of speech and freedom of association.
Right now the Internet is not a very private place. Passwords are the main form of account protection. But cyber criminals can use simple tool kits that break them or can trick people into giving up their passwords with phishing emails and spoofed websites. Additional security features usually require consumers to share all kinds of personal information like home towns, favorite books, and pet names.
There's a better way to put people in more control of their personal information and protect their online accounts.
Some media organizations and bloggers have reported inaccurately that NSTIC would require that a government ID be used on the Internet or that NSTIC aims to track people's activities online.
In a blog posting, Jim Dempsey, a respected privacy advocate and Vice President for Public Policy at the Center for Democracy & Technology, responded to these incorrect reports:
"The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities (note the plural) for online commerce, in a system that allows individuals to have multiple identities and to engage in online activity anonymously and pseudonymously.
And let's get this straight too: I have not been criticizing the government's plan. Just the opposite: I have been praising the Administration for promoting improvements in online identity that would address concerns about identity theft, online fraud and cybersecurity without creating a centralized or government-managed system."
Here's how the identity ecosystem envisioned by NSTIC will improve privacy:
Standards: Developed through a multi-stakeholder process, all Identity Ecosystem service providers would follow privacy best practices based on recognized privacy principles when issuing or relying on identity credentials. NSTIC requires that service providers abide by the Fair Information Practice Principles (FIPPs), and as is made clear in the subsequent White House report "Consumer Data Privacy in A Networked World" these FIPPs are completely consistent with the Consumer Privacy Bill of Rights (see Appendix B).
Key Principles: In brief, the principles say that personally identifiable information (PII) must be:
Individual control: NSTIC will maintain anonymity on the Internet, and even provide it in ways that are not currently possible. For example, if a teenager wanted to socialize online with other teenagers, an Identity Ecosystem credential could provide proof of age without disclosing an actual birth date, or even a name. People will still be able to surf the web without credentials as they do today. Participation is voluntary. No one has to get a "trusted ID" or credential.
Limited data access: Trusted IDs only reveal necessary personal information. For example, if an individual wanted to access her online magazine subscription, her credential could log her in with an anonymous user ID like Jane457, because the magazine doesn't need to know her real name. But if she wanted to access her medical records, the credential would prove that she is truly "Jane Smith." Thus, banks, online stores, and other organizations would rely on the credential to verify individual identities, without having to collect extra PII.
De-centralized: NSTIC envisions many different ID providers and multiple credentials that use technologies that inhibit the linking of people's online activities together. No centralized databases tracking credential use will emerge. In addition, digital credentials can limit the need for any one organization to aggregate information because they can combine identifying information from different sources. For example, a doctor who needs to access an electronic health record could use a credential that proves that her identity was validated by her cell phone provider and her medical license was validated by her state medical board. In this way, neither the cell phone provider nor the medical board has a complete set of information about the doctor.
Fewer PII Targets: Finally, thousands of organizations large and small that currently collect personal information from individuals to conduct transactions will no longer need to store this data, dramatically reducing the number of opportunities for ID thieves and other cyber criminals to find data security weak points.
Implementing NSTIC and developing privacy best practices for the Identity Ecosystem requires the participation of all stakeholders. Stay informed- Sign up to receive email alerts about upcoming NSTIC news, workshops, and other events.