Thursday, February 3, 2011

Let’s establish a verifiable identity standard – even if we have to ask the government to do it

Some of the Obama administration initiatives of the past two years are well known, and some remain controversial. But one that has gotten too little attention is called “The National Strategy for Trusted Identities in Cyberspace.” (Of course it’s abbreviated, so let’s call it NSTIC.) The strategy aims to establish what it calls an “identity ecosystem” where all parties can interact in a trusted environment, where “authoritative sources establish and authenticate their digital identities.” The strategy recognizes that certain web activities require the option of anonymity (blog postings, for example), while others (like online banking) can only succeed if the identities of both parties (yours and your bank’s) are known and validated.

The NSTIC recognizes two important principles: privacy protection and interoperability. Partnership with the business sector is pivotal and the proposal cannot succeed without it. Although the plan recognizes the likelihood of new legislation to support the strategy, this appears to be secondary to the goal of establishing standards and technologies that all parties can use to validate identities online. You may be thinking ‘big government’ and more bureaucracy etc. – but the proposal is short on government and long on business. I think legislating a technical standard is impractical if not impossible; protocols only succeed if they work, if parties on all sides benefit and no better alternative is available. I think the NSTIC planners recognize that, so they’re seeking to build a voluntary consensus, rather than to drum up votes on Capitol Hill.

Spend some time looking at the original draft of the proposal and I think you’ll be impressed that this time our government got it right. The persuasive arguments are well thought-out and address the real issues; they’re not written by clueless technocrats.

Yet already there is dissent. “Obama’s Internet Plan Sounds an Awful Lot Like a National Internet ID” reads a post last month on ReadWriteWeb. The author, Curt Hopkins, states his opposition to having “one ‘verified’ ID, which would be known by the government, and a set of large corporations.” He goes on to say that “given the periodic outbreak of government and corporate shenanigans, we fail to see the benefit of such a system.”

Well, I can, Mr. Hopkins. Given the shenanigans of much shadier and scarier characters on the net, I’m putting my money on the government and the corporations. With oversight and transparency, I’d trust a government-sponsored program of identity verification, knowing as I do the risks of no verification program at all. The fear of a big-brotherish national ID system goes back a century – to a day before the internet. On this issue, we need to update our thinking.

Our online world today requires that we identify ourselves accurately and trustfully. I want my bank, for example, to recognize me when I come calling, and to boot out anyone who claims to be me but can’t stand up under electronic scrutiny. And I want a way to guarantee that my bank is my bank, and not some spoofed web site or man-in-the-middle imposter.

I think it’s time that better standards of identity protection emerge, to replace the patchwork quilt of non-interoperable systems and incompatible one-offs. I already have four pages of login names and passwords – and yes, they’re written down: who can remember them all? I’m glad to see the government take the lead. Someone has to.

As in life, everything in technology is a tradeoff. I think the light hand of government regulation, coupled with business consensus, will be a better alternative than the risky online world that we all inhabit today. What do you think?
