The National Strategy for Trusted Identities in Cyberspace (NSTIC) is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure – such as routers and servers.
Summarizing the key points from the NSTIC:
- In a nutshell, NSTIC is a way to give every American citizen a unique online identity.
- Thus, a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log in to her online bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords.
- The NSTIC envisions a cyber world – the Identity Ecosystem – that improves upon the passwords currently used to log in online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services.
- The NSTIC’s Identity Ecosystem is a vibrant marketplace that provides people with choices among multiple identity providers – both private and public – and choices among multiple credentials.
Predictably, this has a lot of advantages but also raises some concerns. For instance, the Center for Democracy and Technology suggests that a pervasive government-run online authentication scheme is incompatible with fundamental American values.
The policy that the United States government makes towards the Internet has the potential to affect every person online in 2011, as advocates know, so how this is carried out bears close watching. The Center for Democracy and Technology filed key comments on NSTIC last year, including a key issue: “We alerted the Commerce Department to our concern about NSTIC’s current focus on the use of government credentials for private transactions: A pervasive government-run online authentication scheme is incompatible with fundamental American values,” wrote Heather West regarding the cybersecurity policy proposal.
The issue is at once simple and enormously complex, as Jim Dempsey from the Center for Democracy and Technology highlighted today. Government needs a better online identity infrastructure to improve IT security, online privacy, and support ecommerce but can’t create it itself, said Dempsey, outlining the key tension present. Dempsey advocated for a solution for online identity that lies within a broader trust framework and that is codified within a baseline federal consumer privacy law.
Predictably, the smart card industry agrees and also seeks a central role in the NSTIC scheme.
The SCA adds that the highest priority should be defining the identity ecosystem for the most trusted digital transactions based on an identity medium, since this part of the ecosystem can have the greatest positive impact on identity, security and privacy and it is also the least developed commercially and therefore needs the greatest attention and leadership.
The alliance also suggests using smart card technology to carry PKI credentials, biometrics and other security features to create a portable identity medium and provide a secure environment that is independent from the PC, thereby side-stepping hacker threats.
The impact of NSTIC will be potentially global because:
- It will provide a validation for National ID schemes (as the NSTIC is essentially a national ID scheme).
- Technology providers and developers, many of which are still in the US, will work towards it.
- Critically, unlike in other countries pursuing national ID schemes, such as India, NSTIC is driven by the Department of Commerce, but the motivation is security.
The question is: Will we see a national online ID standard per country, or is there a role for a cross-national online ID standard created by an agnostic body like the W3C or other bodies?
The danger is: We are potentially fragmenting the online world through national boundaries, since the USA is not the only country pursuing this agenda (think Chinese online identity, Indian online identity, European online identity, etc.). Fragmenting the online world through national boundaries is not a good idea in my view.
