Internet users are pushing back against the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, a government-led online identification system currently in the pilot phase. Much of the furor centers on the possibility, stoked by all-too-frequent revelations of surveillance by the National Security Agency, that NSTIC pushes toward a single-ID system that would enable the U.S. government to track its citizens online.
In reality, NSTIC software prohibits tracking. The program's aim is to create a standard for high-security internet identity, initially for users of the government's digital services. In an era of lax attitudes to online privacy and serious security vulnerabilities like the Heartbleed bug, could such an online ID system be the sensible next step? Or is the NSTIC setting the United States more firmly on the path to becoming a Big Brother state?
What is NSTIC?
NSTIC is a federated ID system in which third-party companies verify an account for use in other services. In this case, several companies chosen by the government create high-security accounts initially for use in digital government services such as voter registration or driver's license applications.
The secure ID could eventually be used at other sites around the Internet. Given that NSTIC is funded by the Department of Commerce and was originally devised to reduce fraud in online transactions, it isn't a leap to imagine that e-tailers might be the next to offer log-ins using an NSTIC credential.
The NSTIC ID is opt-in, meaning that signing up is optional for now. However, the government will encourage all new users of its digital services to create an NSTIC-aligned ID, offering a standalone government account as a last resort.
How does it work?
NSTIC depends on a government-engineered software infrastructure called the Federal Cloud Credential Exchange (FCCX). Identity-providing companies structure their IDs to work with this system.
NSTIC IDs will provide Level 3 security credentials, a step above the Level 2 ID security provided by the strict authentication processes currently used by U.S. banks. These high-security IDs include multifactor authentication requiring more data than a single password. According to Jeremy Grant, senior executive advisor for identity management at NSTIC, the recently wrapped NSTIC pilots tested the use of smartphones to add GPS tags and fingerprints.
The onus is on the third-party company to verify that the creator of the account is actually who they say they are, saving the government the costs of verifying all its digital users. The third-party identity provider charges the government a small fee every time one of its IDs is used. So far, mobile phone carrier Verizon and security software company Symantec have been accredited to create these high-security IDs.
According to the 2014 Verizon Data Breach Investigations Report, two out of three data breaches exploit weak or stolen passwords. Using a high-security, NSTIC-verified ID could avert such breaches as well as save users the trouble of remembering (or forgetting) dozens of passwords.
There could also be a privacy boon in using an ID system like NSTIC, which uses cryptographic technology so that only the bare minimum of data is exchanged in authentication at a particular site. “Though your identity is verified and a transaction is binding, the authenticator [such as Verizon] does not actually know who you are, in the same way as Facebook or Google does,” says Lee Tien, senior staff attorney at the Electronic Frontier Foundation.
Using other ID solutions such as Facebook, Google or even driver's license details to log into other services puts a lot of unnecessary data up for grabs for hackers, trackers or simply the third-party service, including birthdates, email addresses, photos and likes and +1s. “By using a digital signature with a service that confirms only that the signature is indeed attached to a real person, privacy can be improved,” Tien says.
“Not all of the technology we need [for perfect cryptology] is as mature as we'd like – and even if it was, it doesn't mean the companies that are implementing it will do it well,” Tien says. Multifactor authentication involving smartphones may still be a security risk because smartphones remain notoriously hackable. So identity theft and data breaches may still be problems, whether through human error or exploitation by ID thieves.
Then there's the worry that data about who we are and what we do could land in the virtual grasp of a government known to have spied on its citizens or commercial companies whose primary concern isn't our privacy but the profit we may help them turn.
Tien is cautiously optimistic about Uncle Sam's intentions. “The NSTIC system is voluntary, run by private companies rather than the government itself, and most importantly, it is decentralized, so that individuals will be able to choose between different providers,” he says.
Tracking theoretically won't be possible due to double-blind software architecture. “Say you're using your Verizon ID to log into the Department of Veteran Affairs; Verizon will only be able to log that you're connected to the FCCX and at something government-related,” Grant says. “On the other side, the Department of Veteran Affairs doesn't know what you use to log in, only that it is a certified solution.”
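A simplified model of the double-blind arrangement described above, added here as an illustration; it is not FCCX code, and the class names, the HMAC-derived pseudonym and the sample identities are assumptions.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Hypothetical credential provider; logs only what it is told."""
    def __init__(self, name, loa):
        self.name, self.loa, self.log = name, loa, []

    def authenticate(self, subject, audience):
        self.log.append({"sub": subject, "audience": audience})
        return {"sub": subject, "loa": self.loa}


class RelyingParty:
    """Hypothetical agency service; logs the assertion it receives."""
    def __init__(self, name):
        self.name, self.log = name, []

    def accept(self, assertion):
        self.log.append(assertion)
        return assertion["sub"]


class Broker:
    """Hypothetical hub sitting between providers and agencies."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # pseudonym key stays in the broker

    def _pseudonym(self, idp_name, subject, rp_name):
        # One stable identifier per (provider, user, agency); unlinkable across agencies.
        msg = "\x1f".join((idp_name, subject, rp_name)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def login(self, idp, subject, rp):
        # The provider is asked to authenticate for the broker; the agency is not named.
        result = idp.authenticate(subject, audience="broker")
        # The agency receives a pseudonym and assurance level, not the provider's name.
        return rp.accept({"sub": self._pseudonym(idp.name, result["sub"], rp.name),
                          "loa": result["loa"], "issuer": "broker"})


def demo():
    # Constructed sample identities and services.
    idp = IdentityProvider("idp-a", loa=3)
    rp1, rp2 = RelyingParty("agency-one"), RelyingParty("agency-two")
    broker = Broker()
    ids = [broker.login(idp, "alice@idp-a", rp) for rp in (rp1, rp2, rp1)]
    return idp, rp1, rp2, ids
```

In this model the broker is the one component that handles both the provider's identifier and the destination, so the property holds only as long as the broker does not retain that mapping.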
What happens to your data?
“We are not creating new databases,” says Grant. No single company (or the government) would hold a base of user info and web trail, and users can create different NSTIC-approved IDs for different services without necessarily having them linked.
Even so, it is possible that the identity providers would be able to use whatever data you submit for verification to build demographic profiles for research and marketing. If and how data can be used is one of the issues being discussed by the IESG, a policy group for the NSTIC framework composed mostly of private companies, security and identity experts and lawyers.
“The direction of the IESG indicates that the companies should not be able to use your data for anything besides verification,” Tien says. “But it's a large group, with many private companies whose interest will lie on the commercial possibilities.”
Finally, one of the biggest issues for the NSTIC will be accountability. Who would be liable in the event of data hacks or identity thefts? Grant says the aim is to create a regulation framework similar to those in the financial sector. For example, a Visa credit card comes with the Visa guarantee; in the event of fraud, Visa offers protection to some extent. How such a guarantee would work with NSTIC is still to be announced.
To NSTIC or not
Internet users are already using Facebook and Google to log in to dozens of different sites, indicating a strong need for a single (or at most, a few) IDs for the myriad facets of their online lives. At the same time, most Americans do little to ensure their own online privacy.
“If the NSTIC is done right, it could be really good,” says Tien. “We see a lot of good faith that the government is trying to avoid it being a giant government vacuum cleaner of information.”
Getting NSTIC wrong, however, could devastate privacy as well as trust in the government and escalate costs associated with online fraud.
NSTIC will enter a third round of pilot testing in September 2014. Several further years of testing are expected before consumers get the chance to look at giving NSTIC a try.