Trust But Verify

The Obama administration wants to partner with the e-commerce industry to make sure citizens are who they say they are online. But it's not clicking yet.

Imagine visiting any government website for the first time and immediately accessing services without having to register. Think of it as an online express lane akin to the airport security gates that allow prescreened travelers to whiz through without taking off their shoes and belts. And imagine the money that agencies providing these accounts could save by eliminating duplicative ID verification systems. Federal officials are pushing to turn this fantasy into online reality.

The Obama administration has handed the private sector a blueprint for building a network similar to the credit card payment system for secure online transactions. But this network would exchange online identities, the currency of the 21st century. The National Strategy for Trusted Identities in Cyberspace has the support of businesses and even wary public interest groups. But protecting online transactions worldwide is expected to take years of negotiations among Internet companies, governments and individuals "Portions of an identity ecosystem exist today, but it's not quite unified in a way that NSTIC envisions it," says Jeremy Grant, who heads the effort as a senior executive adviser at the National Institute of Standards and Technology.

The framework for "federated identity management" should solve several Internet problems by allowing any site to rely on third parties for issuing and verifying a person's digital credentials. Currently, Internet users must create a new account for every service they want to access online, requiring that they deposit personal information all over the place. Sites must shoulder the costs of setting up and maintaining their own independent ID validation systems, and visitors must remember multiple passwords to interact with each agency or business.

Another hitch is that sites often ask for more personal information than is necessary simply to send users alerts or to save Web page settings. Fraudsters, who can easily crib passwords or hack into customer databases, then can steal that information to commit identity theft. As a famous canine cartoon in The New Yorker summed it up nearly two decades ago: "On the Internet, nobody knows you're a dog." Because there's still no way to substantiate who you are online, sensitive transactions like the issuance of Social Security cards are restricted to costly agency field offices.

By outsourcing credentialing operations to trusted third parties, agencies and companies are likely to cut costs and boost customer service, federal officials say. The combination of stronger ID confirmation and privacy restrictions also can "put individuals more in control of their data," Grant adds.

But there is no credentialing industry yet. Firms interested in creating a marketplace have hit a number of obstacles that Grant says government can help overcome. For one, there aren't sufficient compatibility standards- an area where NIST can help. And policy issues like liability and privacy are unclear-another area where government can assist.

A Little Push

Many say government is suited to become an early adopter, with its gigantic user base and critical need to provide citizens, such as Federal Student Aid applicants, with secure online services. ID theft-including breaches of Internal Revenue Service and Veterans Affairs Department databases-costs the average victim 130 hours and $631 to recover, according to the Commerce Department. Citizens will start asking, " 'Why can't I have the same credential to log into VA and the IRS and FSA?' " Grant says. "If agencies can stop building what's essentially the same credentialing system, you should be able to save money."

With the exception of the National Institutes of Health, government has been slow to embrace nongovernment sign-on services. As with transitioning to the cloud-renting space from a third-party's data center online-agencies contend that allowing outside credentials requires giving up control. Instead departments concoct their own duplicative ID systems.

Agencies perhaps just need a little push-or shove.

The White House in mid-October said agencies must accept certified commercial credentials when launching or upgrading their websites. Administration officials say they won't rule out the option of choking off funding for agencies that don't comply, and those that neglect to transition during site overhauls must submit a plan for future adoption.

ID providers certified to verify usernames and passwords for the government include Google, Equifax, PayPal, Symantec and Wave Systems. Under the new policy, an agency would embed, say, a PayPal button on its home page that would allow users to log in to access secure information. A successful sign-on would then instantly open the agency's site. NIH, so far, is the only federal agency that allows visitors to log in this way.

For agencies that want a higher level of verification, such as smart card authentication or in-person enrollment, the policy calls for outside credentials only "where appropriate and as resources permit." Currently, no ID management vendors are certified to provide those credentials, according to federal officials.

In releasing the memo, federal cybersecurity czar Howard Schmidt wrote on the White House blog that other agencies besides NIH need to start trusting outside ID validators.

"A citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has-a university-issued credential for example-across sites hosted by the departments of Veterans Affairs, Education and Treasury," he wrote. "Doing so allows the federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts. Moreover, by using accredited identity providers, federal agencies see to it that Americans' information is treated with privacy and security online."

Risk and Rewards

NIH estimates it will save about $3 million between 2011 and 2015 without the burden of managing IDs across 50 systems. Visitors now register with existing credentials to cull information from multiple research databases. Federal officials say the government could slash ID management costs by up to 80 percent if all agencies subscribed to a shared credentialing service. Each agency would pay for the authentication service based on licensing costs, its user base and numbers of servers hosting the agency's site.

NIST has prescribed four categories of ID trustworthiness. Level 1 requires a visitor to enter a username and password on Google, for example, to access low-risk information such as personalized news feeds. Google verifies that the person's password and username exist, but there is no proof of identity required. A mother and son, for instance, can share the same account. Level 4 requires a visitor to scan a smart card containing personal information and biometric fingerprints to, say, wire $1 million. The individual must prove his or her identity in person to obtain credentials.

The cost of software and services for accepting basic identity credentials runs from zero to well under $1 million, says J. Brent Williams, chief technology officer of Anakam, Equifax's identity proofing product line. Prices for obtaining higher levels of assurance range from $5 million to $10 million because the effort involves enrolling users' unique traits, verifying those traits for each transaction and storing that identity information securely. Equifax is applying to become a certified Level 2 and Level 3 provider for the government, he says.

Some identity management experts, however, say that adoption in the federal government will be a challenge. There's a desire to accept third-party IDs, says Mike Ozburn, a Booz Allen Hamilton principal who consults on federal identity safeguards, but tight budgets stymie new initiatives. That said, a great innovation like the iPhone can gain traction across the marketplace rather quickly, he adds. An ID provider could develop an easy-to-use service that e-commerce sites and consumers find irresistible, which in turn could put pressure on agencies to adapt. "The fact that they don't have a budget* for NIST right now doesn't mean the industry isn't moving forward," Ozburn says. "The same people that government would call citizens, businesses call customers."

The health care industry and banks, for instance, are eager to access sensitive patient records and financial statements on the go, through mobile ID services, government and business executives say. Jim Williams, a 30-year veteran of the federal government who served as acting administrator of the General Services Administration under President George W. Bush, says the private sector has to pursue an ID eco-system collaboratively, but much faster.

Central to security is the ability to cancel credentials networkwide if IDs are compromised, says Williams, now an executive at Daon, a firm that provides identification verification software. "You've got to be able to revoke quickly. If somebody does hack into it, à la Sony, and steals your identity and passwords, what you're worried about is somebody being able to steal your biometrics," adds Williams, who also served as director of U.S. Visitor and Immigrant Status Indicator Technology, the Homeland Security Department's biometric identification program.

Supporters of the concept have raised concerns that disseminating personal information through fewer channels could increase the extent of damages if one ID is exposed. A hacker who steals a trusted credential could essentially have a master key to the victim's bank accounts, health records and other critical information. Grant says relying on one ID provider is no more risky than using the same password for all accounts, which is common among Internet users nowadays. Web surfers have the option of using multiple credentials, multiple ID providers-or no IDs at all, he adds.

Think of having one digital credential for paying taxes and banking and a separate one, maybe "pinkpony55," for posting anonymous comments in online forums, including ones hosted by government agencies, says Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology. "What we hope we don't see is requirements for a credential with my legal name," he cautions.

Forcing Americans to register for credentials under their real names veers into the territory of a national ID or online driver's license, which civil liberties groups like CDT detest.

Signing Everyone Up

Brauer-Rieke expects the plan will not become a national ID because the credentials aren't mandatory and the White House envisions the private sector leading the effort. The term "identity ecosystem" implies multiple identity providers, rather than a state-owned system, he adds. And the strategy takes into account privacy by asking all participants to abide by "fair information practice principles," or universal codes of conduct for protecting personal information on websites.

But it remains to be seen whether the entire information superhighway will take to the idea, Brauer-Rieke notes. The tools to accomplish the goal already exist but not the cooperation, he explains. "I can't use my Facebook login to go to Bank of America," he says. "I can't use my Twitter login to go to Amazon. The problem is not in the technology that is available. The problem is getting consensus and standards out there to make it work." Grant says Facebook Connect has been "one of the biggest federated identity success stories to date," adding he would love to see Facebook apply for certification like some of its competitors. Facebook declined to comment for this story.

Other civil liberties activists, while not yet concerned about the current approach, dispute the notion that industry is in charge. "If the folks doing NSTIC succeed in their goal of creating an identity ecosystem, it's not the national ID that I oppose," says Jim Harper, director of information policy at the Cato Institute. But he does object to the Commerce Department running the effort. "Industry-led initiatives are not run by the government," he says. One worry is the government could decide to cut waste by requiring everyone to file taxes online using a credential tied to their driver's license, he says.

Even if the administration carries out the plan as is, the next president could change the rules, Harper notes. "If the government is the lead actor in this ecosystem, well, the government's going to end up calling the shots," he says. "And when we have a bad day, if heaven forbid there's some kind of terrorist attack, watch the government turn on a dime and drop the idea of an open ID system."

In Grant's view, however, the ID plan is basically no different than other government strategies that assist industry. "The U.S. government has an agricultural strategy, but that does not mean we are growing crops and raising cattle," he says. "The only thing the Commerce Department is running is a process to convene stakeholders and to facilitate collaboration among them."

Grant notes that the U.S. Chamber of Commerce and the Commerce Department jointly announced the strategy at the Chamber's headquarters in April. "There's a reason that bastions of free-market capitalism like the U.S. Chamber of Commerce have endorsed NSTIC," he says. "It's because they understand that the government needs to play some role here in removing barriers to private firms in the space, so that the marketplace can thrive."

*Editor's note: This article went to press before Congress passed the National Institute of Standards and Technology's budget for fiscal 2012.