Lock and key

Government begins testing 'Internet driver's license'

Shares

At a time when Americans are more reticent to trust the government with their online information than ever before, officials are finally moving forward with plans for a universal online ID.

The White House has been toying with this idea for several years. The project was first floated in 2011, then described by the New York Times as a "driver's license for the Internet."

Now a pilot program is underway in two states, testing the so-called "National Strategy for Trusted Identities in Cyberspace." If successful, it could quickly expand to other states and government agencies, but privacy advocates and security experts are sounding the alarm about Americans putting all their cyber eggs in one basket and asking the government to carry it.

The NSTIC pilot program begins this month in Michigan and Pennsylvania. The Obama administration's hope is to replace the tedious and fragmented system of passwords people use to access government resources online with a stream-lined and universal Web ID based on next-generation authentication protocol.

The goal is to make government services more convenient and secure. Despite Americans' ability to shop and pay taxes online, many government agencies still insist on doing things the old fashioned way. In many states, you're still required to spend hours in line at the DMV in order to show a clerk your birth certificate and a piece of mail to verify your identity. In other cases, you have to physically drop off or mail in license plates to transfer ownership of a vehicle. It's not that agencies necessarily prefer doing it this way, but many still find password security too flimsy.

But if the government could find a way to replicate the security of a birth certificate or a driver's license online, more agencies might be willing to migrate their services to the Web. The National Institute of Standards and Technology has awarded $2.4 million collectively to Michigan and Pennsylvania and charged them with the task of figuring out which existing online authentication tools would be most useful in this task.

"Most of what we are looking at are commercial software and services," said Jeremy Grant, NIST’s senior executive advisor for identity management.

No doubt, identity verification is a real problem government agencies face in adapting their services to 21st century technology. But this approach is raising a number of red flags among privacy advocates. It's not helped by the fact that the government is still dealing with the blowback from Edward Snowden's National Security Agency leaks and the troubled rollout of Healthcare.gov.

"Probably the biggest conceptual problem is that the draft NSTIC seems to place unquestioning faith in authentication—a system of proving one's identity—as an approach to solving Internet security problems," writes Lee Tien and Seth Schoen of the Electronic Frontier Foundation. "Even leaving aside the civil liberties risks of pervasive online authentication, computer security experts question this emphasis."

Although the online mish-mash of passwords and logins maintained by the average American is messy, the EFF and others argue there is an inherent danger to a single unified credential. It would create a large and attractive prize for hackers. This concern is magnified when one considers the potential for the creation of an "interoperable authentication protocol" that works across all websites, not just government ones. Motherboard writes that the success of the Michigan and Pennsylvania pilot programs could pave the way for universal credential covering everything from your Facebook profile to your health insurance provider.

The EFF also raises considerable concerns about privacy and anonymity online:

The draft NSTIC 'envisions' that a blogger will use 'a smart identity card from her home state' to 'authenticate herself for . . . [a]nonymously posting blog entries.' (p. 4) But how is her blog anonymous when it’s directly associated with a state-issued ID card? [...]

Indeed, the draft NSTIC barely recognizes the value of anonymous speech, whether in public postings or private email, or anonymous browsing via systems like Tor. Nor does it address issues about re-identification, e.g. the ability to take different sets of de-identified data and link them so as to re-identify individuals.

Also of concern is the government's plan to outsource the job of storing these online IDs to a third party company. In theory, this could give a company like Google or Verizon a powerful tool for accessing user data and trusting them not to misuse it for their own gain.

Whether or not this vision of the future comes to pass rides on the success or failure of Michigan and Pennsylvania's programs. It's impossible to tell anything at this point, other than it will be a challenge. Pennsylvania's Chief Informations Security Officer, Erik Avakian, told GCN that his state's current identification procedures are "kind of kludgy," with each agency maintaining its own database. He said unifying and simplifying millions of online credentials will be a difficult process.

“What NIST is asking us to do is pretty complex if you don’t have some things already in place,” Avakian said.

Photo by Brenda Clark/Flickr (CC BY 2.0)