As a way to combat online identity theft in the age of digital shoplifting, the White House has developed a plan dubbed the National Strategy for Trusted Identities in Cyberspace, or NSTIC. "Today, we take another major step; this one to ensure that the Internet's security features keep up with the many different types of online transactions people now engage in," Commerce Secretary Gary Locke said at the unveiling last week.
For the typical consumer, the plan means a partial consolidation of Internet logins, a kind of "Facebook Connect" for online shopping, with the government's stamp of approval. Another part of the plan lays the groundwork for hand-held authentication devices.
People in the near future could verify their online identity through a cell phone or keychain. "Today, we have lots and lots of usernames and passwords and, generally speaking, people have pretty bad habits," Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, said. "They don't use good passwords. They use repeat passwords for the same username across the Internet."
Of course, too few passwords can also present a problem. "On the flip side of the scale, if you have one username and password, that's also a bad security situation," Brauer-Rieke said.
So policy makers will aim for a balanced approach, emphasizing the need for multiple login providers as a way to combat identity theft. Improved security could encourage consumers and financial services companies to adopt mobile payments through smartphones.
Proponents of the system emphasize that the program would be voluntary. Industry and government want to avoid the appearance of a mandatory national online identity program.
"This is not a government-mandated, national I.D. program," said Leslie Harris, president of the Center for Democracy and Technology, a group that specializes in digital privacy issues. "In fact, it's not an identity 'program' at all."
Despite supporters' fears of a backlash, civil liberties groups are tentatively behind the plan. "So the administration has done all the right things and said all the right things," ACLU legislative council Chris Calabrese said.
"They've been concerned about privacy. They've been concerned about collecting the right amount of information and not creating a centralized repository of everyone's Web-surfing habits. That's a very good thing."
Still, while watchdogs have reserved judgment, Calabrese says he'll monitor the plan as details emerge. "Unfortunately, as the system gets built, it's possible that those protections could be eroded, that other national security concerns could intercede or that simply the way the system is built, either by business or third parties, could allow for the collection of a great deal of information about all of us when we move around online," he said.
Secretary Locke and others emphasize the importance of private-sector involvement but allow for government input.
Steven Sprague, CEO of Wave Systems, which manufactures security chips for the computer industry, said, "I think that industry has done a huge amount of work by itself but there are pieces that are sticking points; things like liability, interoperability ... making sure that our privacy is properly protected are all things that require oversight. You could almost use adult supervision and the government can provide a very good role with that."