Uncle Sam Wants You to Have an Online ID
By Jay Bavisi, co-founder of the EC-Council
Published July 02, 2010
As our daily interactions and transactions have become increasingly “wired,” we have yet to see any truly comprehensive attempts at securing online identities. Our complex system of usernames and passwords is astoundingly outdated and increasingly prone to security breaches and theft. Yet, so far it has been mostly up to the individual to protect himself against various forms of identity fraud—with larger corporations taking relatively little responsibility.
But this could change in a big way. Right now the federal government is proposing a new system being referred to as the “Identity Ecosystem”—which was highlighted in the recently-released draft paper, “National Strategy for Trusted Identities in Cyberspace” [NSTIC].
The Identity Ecosystem would allow Americans to choose to obtain a single authenticated ID for online transactions. Like a passport, this single ID could travel with them online and be used to access everything from e-mail, to online health records and banking information. Furthermore, the Identity Ecosystem would only reveal the least amount of information necessary for each transaction.
To highlight the potential consumer benefits of such a system, the White House’s proposal uses the example of an individual filling a prescription online. Under the “smart ID card,” the pharmacy would only receive proof that the individual is over 18 and that the prescription is valid. No other information, such as birth date or the reason for the prescription, would be disclosed.
Right now the only online ID management options available to consumers are tools like OpenID and Microsoft’s U-Prove. While these systems work across a variety of popular platforms such as Google, Yahoo and Blogger, they are best used for cases of low-assurance clearance (i.e., personal e-mail and social networking sites). So-called “high-assurance” sites, like banking and health services, aren’t set up to support wide-access systems; they present too much of a liability.
What’s important to note is that membership in the smart ID program would be voluntary—both for consumers and companies. Individuals who wanted to become members might apply for a smart identity card through their state government. Because the program is voluntary, the government is stressing the importance of consumer confidence, education and usability.
It’s easy to see why consumers would benefit from an easy-to-use, secure and universal system. What’s harder to understand is the overall impact on e-commerce. This program could eliminate the biggest obstacle to the e-commerce industry: fear of identity theft and fraud, which could literally lead to billions of dollars in new online spending. It could also jumpstart health e-commerce, a market that has yet to take off because of serious privacy and security risks.
But the costs associated with implementing such a system would likely be enormous. The NSTIC has anticipated some pushback and will be offering businesses incentives such as tax credits/breaks, insurance, grants and loans for early adoption. However, the question is: Are these incentives enough?
Although the NSTIC proposal is somewhat vague on this issue, the government will have to be prepared to work with the hardware industry in order to ensure that smart-card readers, scanners, etc. are integrated with standard systems. Obviously, consumers who adopt such a system with their existing hardware will need to somehow upgrade their systems. It will certainly require a lot of negotiations within the industry, as the government may run into disputes over patent ownership between companies with conflicting interests. In order to integrate the system into existing sites, companies will need to pour money and resources into writing code to integrate an ecosystem with existing Web assets. And it is paramount to their task that Web developers avoid security blunders in the process.
Consider how long it has taken us to get this far, and it’s easy to see how challenging it will be to teach common users how to successfully utilize an ecosystem that controls all of their online authentication with various “user-controlled” settings. Should this system be implemented, consumers must be prepared for a “new” experience and accept that convenience over security can no longer be their daily mantra. Implementing such a comprehensive system will be tough—and requires widespread and fairly immediate support. The government must be able to win over consumers and businesses at the same time—or the Identity Ecosystem is likely to become a chicken-egg problem—with consumers unwilling to join a program that businesses aren’t a part of, and vice versa.
Furthermore, many modern services are complex. Take for instance online health: this would require the collaboration of doctors, hospitals, insurance providers, pharmacies and individuals.
The bottom line here is that the White House’s proposal depends on businesses voluntarily agreeing to turn the current e-commerce system upside down, incur massive new costs and collaborate with competitors – a dim possibility, to say the least.
Although the White House should be applauded for this idea, it is doubtful that such a voluntary approach is likely to win over the big companies who will end up footing the bill or passing it on to consumers.
The private industry has been trying to enact this type of online assurance model for some time now, and with little success. It is far more likely that the White House will have to work with Congress to legislate this type of a reform.
Jay Bavisi is president and co-founder of the International Council of E-Commerce Consultants (EC-Council), a global organization that researches, consults and provides training on issues of e-commerce and cybersecurity. Jay is a regularly featured speaker at e-commerce and cybersecurity conferences in the U.S., Asia, Europe and the Middle East.