On Friday, the Obama Administration unveiled the final draft of its ambitious National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to develop new and more secure systems for identity authentication online, creating new “Identity Ecosystem.” Secretary of Commerce Gary Locke as well as other officials unveiled the NSTIC (pronounced “en-stick”), which is signed by President Obama, at an event at the U.S. Chamber of Commerce.
As the NSTIC explains, on the Internet as it exists today, individuals must maintain numerous passwords for different websites which they use. This imposes risks and burdens on consumers and businesses alike. Moreover, the NSTIC describes how the absence of highly reliable authentication methods has hindered the ability of high-risk sectors like health and finance to migrate their services online.
To remedy these deficiencies, the NSTIC envisions a new online “Identity Ecosystem” involving four basic parties:
- A “subject” is the basic participant whose information is authenticated. A subject can be an individual or an organization. It also can be hardware or software that must be authenticated.
- “Identity providers” establish, maintain, transmit, and secure the subject’s digital information.
- “Attribute providers” validate “attribute claims” made by subjects and stored in identity providers. For instance, an attribute provider might verify that someone is above a certain age or that an electronic device is entitled to access a private network.
- “Relying parties” are individuals or businesses to which subjects choose to transmit attribute information.
The NSTIC envisions that a single individual might use multiple identity providers and might maintain different “levels” of identity – for instance, the individual might choose to be pseudonymous in some contexts but choose in others to reveal more genuine personal information.
The NSTIC emphasizes that participation is voluntary and that identity storage and authentication functions will normally be performed privately. However, it suggests several steps the government may take to promote the development of the Identity Ecosystem:
- Develop privacy principles for the Identity Ecosystem, either via executive agencies or legislation. The NSTIC identifies Fair Information Practice Principles (FIPPs) as the basis of its privacy vision (example of a set of FIPPs).
- Facilitate the development of risk models and technical standards.
- Establish clear accountability and remediation processes, including establishing liability rules in the event of fraud or breach.
- Lead by example by having federal agencies act as early adopters of Identity Ecosystem-based approaches.
- Encourage interoperability through information sharing and pilot programs.
- Promote public confidence in the Identity Ecosystem.
We will continue to monitor as the Administration prepares to take the next steps to foster its envisioned Identity Ecosystem.