Proposed Online ID System Raises Privacy Concerns

The Obama administration is proposing what it calls the National Strategy for Trusted Identities in Cyberspace (NSTIC), an initiative aimed at establishing technologies to identify people and enhance privacy. The idea is to improve the ability to identify individuals as well as authenticate who they are, as a way of protecting people from identity theft and businesses from fraud.

Ari Schwartz, senior internet policy advisor at the Department of Commerce, said the idea is not to create a unique internet ID, or any kind of national identification system. Rather, it's to set up a set of credentials that could be used on many sites, avoiding the problem of giving a lot of personal information repeatedly and making oneself vulnerable. At the same time it should protect privacy. While it is still in the early stages, Schwartz said there are encryption technologies that allow for separating a transaction history from the identifying information that could be helpful.  

Privacy advocates are concerned that in trying to close some vulnerabilities, new ones could get opened up, but the current system isn't a great success. What we have certainly doesn't work very well at all, said Jim Dempsey, vice president for public policy at the Center for Democracy and Technology. Properly implemented, the ID ecosystem the Commerce Department is proposing could improve both privacy and security, he said.

The key, however, is proper implementation. Ellie Coney, associate director of the Electronic Privacy Information Center, said such a system could make consumers more vulnerable. Once someone stole an identity and was authenticated, they would have even easier access to many different part of the victim's life.

One of the strengths of the proposed system, said both Schwartz and Dempsey, is that it is led by the private sector, which avoids many of the issues that would arise were it a government-led initiative. A government program is a non-starter, said Dempsey.

But just because the private sector is leading doesn't mean there won't be problems. Another issue is the security of the ID information itself. Coney noted that when the Department of Homeland Security tried implementing the Trusted Traveler program to speed border crossings, one of the vendors -- CLEAR, owned by Verified Identity Pass Inc. -- was suspended by the TSA after an incident in 2008 in which a laptop with 33,000 individuals' personal information was lost -- and then found again. The data included names, addresses, phone numbers, birth dates, drivers' license, green card, and passport information.

Leaving aside the issue of employees, when the company went into bankruptcy (it eventually emerged and is offering its services again) the information could have been considered an asset by creditors and sold, Coney adds.

Dempsey said agreed that implementation is important, and added that any identification system requires a robust privacy law in order to work well. Such a law has to have provisions for notifying people what information others have about them, access to the information and the right to consent to the reuse and redistribution of that information. It should also have a system for restitution when there are errors.

Current U.S. law has nothing like that now, he said. There are privacy laws that cover certain sectors, such as banking, telecommunications, medical information and credit ratings. But there is no comprehensive privacy law that gives consumers the rights necessary under one set of rules.