White House Plan for Web Identity Ecosystem a Tough Sell So Far
Update: Read more on this from our conversation with Google Open Web Advocate and OpenID Board member, Chris Messina.
Original Article: The White House is working on a "National Strategy for Trusted Identities in Cyberspace" in which it has placed the Commerce Department in charge of an "Identity Ecosystem". In a nutshell, the program is about giving consumers IDs they can use to log in across sites all over the web, which they can rely on as being secure, and not have to worry about remembering countless passwords (and thereby not having to use the same password over and over again on different sites, which is incredibly helpful to cyber criminals).
Would you rather have a single web ID than use multiple passwords? Comment here.
Of course the announcement of this strategy has already drawn plenty of skepticism, backlash, and general controversy. For example, many are skeptical that government can succeed where technology giants like Microsoft or Google have not. As some have pointed out, the company that’s probably come the closest and has the best chance of accomplishing becoming online users’ universal ID would be Facebook, given not only its enormous amount of users, but its integration into a large portion of the web through Facebook log-in. Add mobile and the rest of the world outside of the U.S. to the mix, and Facebook does have a very widespread and portable reach. Of course not everyone trusts Facebook to be their universal ID, with many very concerned with how the company treats privacy issues.
Much of the criticism of the White House’s efforts has been over the vagueness of the strategy, and of course many simply don’t want the government involved in this.
Here is the explanation of the strategy from Howard A. Schmidt, the Cybersecurity Coordinator and Special Assistant to President Obama (from WhiteHouse.gov):
This holiday season, consumers spent a record $30.81 billion in online retail spending, an increase of 13 percent over the same period the previous year. This striking growth outshines even the notable 3.3-5.5 percent overall increase in holiday spending this past year. While clearly a positive sign for our economy, losses from online fraud and identity theft eat away at these gains, not to mention the harm that identity crime causes directly to millions of victims. We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the "keys to the kingdom."
We need a cyber world that enables people to validate their identities securely, but with minimal disclosure of information when they’re doing sensitive transactions (like banking) – and lets them stay anonymous when they’re not (like blogging). We need a vibrant marketplace that provides people with choices among multiple accredited identity providers – both private and public – and choices among multiple credentials. For example, imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. Such a marketplace will ensure that no single credential or centralized database can emerge. In this world, we can cut losses from fraud and identity theft, as well as cut costs for businesses and government by reducing inefficient identification procedures. We can put in-person services online without security trade-offs, thereby providing greater convenience for everyone.
"We are not talking about a national ID card," U.S. Commerce Secretary Gary Locke is quoted as saying at the event where the plan was announced. "We are not talking about a government-controlled system."
That’s not enough to curb the criticism, however. For example, Pascal-Emmanuel Gobry at Silicon Alley Insider says, "The big security/IT companies with the right Washington connections to get this gig don’t reassure us any more than the government does." Gobry does also suggest that having the Commerce Department, as opposed to the Department of Homeland Security run the program feels a little less "big-brotherish."
As far as I can tell, there’s nothing here indicating that people will be required to use IDs from this program. It will be interesting to see how it is adopted around the web. Will people trust this system more than they trust Facebook? Of course there are other options like OpenID, at least for the sites that support them.