White House’s ‘Identity Ecosystem’ spurs suspicion of national ID registry

6 May, 2014 03:40

The US government is reportedly considering a so-called “Identity Ecosystem” that, while promising to save time and money, has already riled privacy advocates worried about the government having too much biometric information at its disposal.

The National Institute of Standards and Technology awarded $2.4 million in grants to two states ($1.3 million to Michigan and $1.1 million to Pennsylvania) to help them launch pilot programs aimed at testing “new online technologies to improve access to government services and the delivery of federal assistance programs to reduce fraud.”

While the programs differ in minor ways, each is essentially trying to help citizens who rely on public assistance but are overwhelmed by the application process.

In Michigan, for instance, many people often have their benefits delayed because of a small mistake in enrollment or registration. Pennsylvania residents often find themselves in the same unfortunate situation, sometimes because they need to verify their identity multiple times, both in person and through paperwork.

Private companies already use a variety of more efficient approaches to correctly identify customers – most often with usernames and passwords.

“The complexity of this approach is a burden to individuals, and it encourages behavior – like the reuse of passwords – that makes online fraud and identity theft easier,” the White House report announcing the initiative stated.

“At the same time, online businesses are faced with ever-increasing costs for managing customer accounts, the consequences of online fraud, and the loss of business that results from individuals’ unwillingness to create yet another account. Moreover, both businesses and governments are unable to offer many services online, because they cannot effectively identify the individuals with whom they interact,” the report reads.

To avoid the same fate, the Identity Ecosystem promises privacy protections, convenience, efficiency, security, and choice, among other confidence-boosting measures.

A Michigan aid recipient would need to appear in person to verify their identity before being given a “trusted credential” via a smart card, cell phone application, or a similarly connected option. The credential is endorsed by the federal government and no longer requires users to employ passwords or usernames. The federal credential is advertised as completely voluntary, and does not need to be used for all online activity.

“For example, the Identity Ecosystem will allow a consumer to provide her age during a transaction without also providing her birth date, name, address, or other identifying data,” the announcement said.

The pilot programs have earned early praise for applying the simple, if flawed, system favored by the private sector to government verification. Avivah Litan, a Gartner security analyst, told Venture Beat that the effort will be a refreshing change for residents tired of waiting in line for hours.

“It’s easy to tell you this is a terrible idea and it’s the end of the world,” she said. “But it’s nice to see someone finally trying to implement this idea,” which “has been around since the ‘90s, but the main reason no one’s done it is because no one stepped up to the plate.”

Others, perhaps not surprisingly after the National Security Agency leaks, are far less enthused. Civil libertarians have been quick to note the potential for abuse, citing the Taiwanese government’s plan to give citizens smart cards to implement a similar system while failing to adequately protect all of that data from hackers.

The Electronic Frontier Foundation (EFF) admitted the strategy is a reasonable solution to a growing problem, but noted that the National Institute of Standards and Technology did not mention how drastically the plan could go off course.

“The draft NSTIC now calls for pervasive, authenticated digital IDs and makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online,” the EFF said.

“And while the draft NSTIC ‘does not advocate for the establishment of a national identification card,’ it’s far from clear that it won’t take us dangerously far down that road. Because the draft NSTIC is vague about many basic points, the White House must proceed with caution and avoid rushing past the tricks that lay ahead.”

Like the failed Taiwanese idea, the EFF warned about the potential implications that a national online ID could have, especially the privacy risks that would exist if multiple ID cards are linked together under a single credential.

“Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond,” the digital rights group noted.

“Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad obscenity law; it takes little imagination to believe states would require NSTIC implementation individuals to be able to access content somehow deemed to be ‘objectionable.’”