Internet passwords would be passé under an Obama administration plan to replace the cumbersome process of logging into websites with new technologies that can quickly and securely confirm cyberspace identities. Banks, health care providers, retailers, and other organizations that normally require visitors to provide user names and passwords to reach their accounts could grant access instantly using a variety of technologies, ranging from software applications to smart cards inserted into computers or mobile phones.
For anyone who has forgotten a password or simply can’t keep track of his or her growing list of online handles, the idea of E-ZPass-like technology for the Internet may sound appealing.
But there are some big catches that could prevent the so-called trusted online identities initiative from ever getting beyond the drawing board. Obstacles include determining the federal government’s role in spurring and overseeing this “identity ecosystem” and whether proponents can deliver on their promises of enhanced online privacy and security.
Overcoming the worries that Washington might play a Big Brother role could be a significant problem. With Republicans in Congress already complaining about too much government control of the Internet, this plan may reinforce the view that the administration is heavy-handed on technology policy.
The stakes are enormous for Americans who are increasingly turning to the Web to make purchases and to socialize. “The world does an estimated $10 trillion of business online,” Commerce Secretary Gary Locke said at an April 15 announcement of the government-led initiative. “Nearly every transaction you can think of is being done over the Internet.”
The White House noted in an accompanying statement that identity theft and online fraud cost the U.S. economy billions of dollars annually. For the millions of consumers whose identities are stolen each year, average out-of-pocket costs are $631, the statement said.
In an interview with National Journal, Jeremy Grant, senior adviser of identity management at the National Institute of Standards and Technology, a federal agency playing a key role in the initiative, said that accomplishing the administration’s goals would be “a hard thing to do.” There’s much work to be done, he explained, to craft standards for the technologies that will emerge and rules governing consumers and issuers of security credentials.
“If it was an easy thing to have done, it probably would have happened already, or it would have happened on its own,” he said. “If you implement this the wrong way and don’t build in privacy principles from the start, then there’s absolutely risks.”
For one, although Grant insists that the administration won’t take advantage of the technology to secretly monitor online activity, he acknowledged that law enforcement might be able to do so under its existing legal authority.
Among the innovations on the horizon are hardware devices and software applications containing “digital certificates” that would authenticate online identities. A password would still be required to activate the device or software. Technologies that offer quick and secure access to various websites, such as onetime password generators (which provide fresh passwords with short life spans), are available now, but none can be used as widely as the ones being contemplated, experts said.
Consumer participation would be voluntary, and retailers could induce Internet-savvy Americans to take the plunge by offering discounts or opportunities to collect frequent-flier miles.
Having one gateway serve as the key to unlocking every website seems, on the surface, riskier than having a mix of passwords for different sites. That’s because a thief would need but a single password to steal all aspects of someone’s personal information.
To address such concerns, identity devices that are lost or stolen could be deactivated remotely. Users also might be required to provide voice or facial recognition—by speaking into a microphone or photographing themselves with a smart phone or webcam—for verification.
Despite the administration’s efforts to spur a marketplace featuring an array of technologies and certified vendors, it wants the private sector to lead the way. But to get that involvement, Grant said, the government “has to play the role” of convening the stakeholders and facilitating the process.
Conspiracy theorists are already filling the blogosphere with assertions that the White House’s real goal is to create a national identification-card system. That view is based on the fact that in Estonia and other European countries where this technology has been launched, it is tied to government-issued IDs. Addressing that concern, Locke said: “Having a single issuer of identities creates unacceptable privacy and civil-liberties issues.”
Nevertheless, questions remain about Washington’s level of involvement. Daniel Castro, a senior analyst at the Information Technology & Innovation Foundation, a nonpartisan think tank, said that the government could end up playing a larger role than anticipated if the private sector stumbles. “It remains to be seen whether it makes sense for industry to step up and do it,” he said.
It could take three to five years for the identity marketplace to materialize. The next milestones are public workshops beginning in June and securing the $24.5 million for the initiative that the White House has included in its proposed budget for the NIST in fiscal 2012.
The location of the April 15 announcement—the U.S. Chamber of Commerce—underscored the high level of industry interest. Online retailers see increased potential for revenue, while tech companies see opportunities to manufacture identity-related products.
One possible downside for consumers could be the ease with which they would be able to frequent online retailers (possibly without entering credit card data)—all courtesy of their trusted identities. Castro points out that, once again, technology could come to the rescue. This time, consumers could download apps that track their purchases and remind them how much—or little—money is left in their checking accounts.
This article appears in the April 23, 2011, edition of National Journal.