Online Identity Theft Prompts Security Guidelines From White House

Consumers' online shopping habits might be in for a change.

April 21, 2011 -- As a way to combat online identity theft in the age of digital shoplifting, the White House has developed a plan dubbed the National Strategy for Trusted Identities in Cyberspace, or NSTIC. "Today, we take another major step; this one to ensure that the Internet's security features keep up with the many different types of online transactions people now engage in," Commerce Secretary Gary Locke said at the unveiling last week.

For the typical consumer, the plan means a partial consolidation of Internet logins, a kind of "Facebook Connect" for online shopping, with the government's stamp of approval. Another part of the plan lays the groundwork for hand-held authentication devices.

People in the near future could verify their online identity through a cell phone or keychain. "Today, we have lots and lots of usernames and passwords and, generally speaking, people have pretty bad habits," Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, said. "They don't use good passwords. They use repeat passwords for the same username across the Internet."

Of course, too few passwords can also present a problem. "On the flip side of the scale, if you have one username and password, that's also a bad security situation," Brauer-Rieke said.

So policy makers will aim for a balanced approach, emphasizing the need for multiple login providers as a way to combat identity theft. Improved security could encourage consumers and financial services companies to adopt mobile payments through smartphones.

Proponents of the system emphasize that the program would be voluntary. Industry and government want to avoid the appearance of a mandatory national online identity program.

"This is not a government-mandated, national I.D. program," said Leslie Harris, president of the Center for Democracy and Technology, a group that specializes in digital privacy issues. "In fact, it's not an identity 'program' at all."

Combating Online Identity Theft

Despite supporters' fears of a backlash, civil liberties groups are tentatively behind the plan. "So the administration has done all the right things and said all the right things," ACLU legislative council Chris Calabrese said.

"They've been concerned about privacy. They've been concerned about collecting the right amount of information and not creating a centralized repository of everyone's Web-surfing habits. That's a very good thing."

Still, while watchdogs have reserved judgment, Calabrese says he'll monitor the plan as details emerge. "Unfortunately, as the system gets built, it's possible that those protections could be eroded, that other national security concerns could intercede or that simply the way the system is built, either by business or third parties, could allow for the collection of a great deal of information about all of us when we move around online," he said.

Secretary Locke and others emphasize the importance of private-sector involvement but allow for government input.

Steven Sprague, CEO of Wave Systems, which manufactures security chips for the computer industry, said, "I think that industry has done a huge amount of work by itself but there are pieces that are sticking points; things like liability, interoperability ... making sure that our privacy is properly protected are all things that require oversight. You could almost use adult supervision and the government can provide a very good role with that."

And cyber security has serious economic implications. The average cost of a stolen identity is $631 per person, according to an industry survey cited by the Commerce Department.

Economic losses will often lead to questions of legal liability. Plans laid out for the new security standards would also help to clarify who bears responsibilities for what in the event of a cyber theft.

Although the plan is still in its early planning stages, administration officials have acknowledged privately that the road ahead is difficult. Any new cyber security plan has unforeseen challenges.

Congress has held hearings on cyber security in recent months, leading up to a possible Senate bill. And while participants are undecided on how to tackle the cyber threat, the one thing on which they seem to agree is that cyber security is a pressing issue and a real challenge.

A recent Senate judiciary hearing on cyber crime featured testimony from security experts with warnings about password security. In his testimony, Stewart Baker, a former assistant secretary for policy for the Department of Homeland Security, said password security is not the end all and be all, pointing to the recent security breach at the cyber security firm RSA, a company that makes authentication hardware, as a reason why password authentication is not always bulletproof.