How "Trusted IDs" Could Revolutionize Privacy
In between the latest viral videos, most of us use our computers and our Internet connections to attend to business. Be it finances, online banking, shopping, or important communications, in the last decade or so computers and the Internet have become the backbone for individuals, businesses, government and all of society. With our heightened reliance on technology in recent years, it’s understandable that this same useful technology has become a medium through which people are taken advantage of and scammed online, leading to practices such as identity theft, which leave the victim with nothing short of a headache. However, new progress is being made in Washington, DC to alleviate this shortcoming of the Internet and ultimately make it a safer place for all of us to conduct business.
Announced in July of last year, the National Strategy for Trusted Identities in Cyberspace would put a number of measures in place to make it easier for online retailers, financial websites, and other content providers – as well as the users of said services – to conduct their operations as efficiently and securely as possible. While this concept has only been in the drafting stages for a matter of months now, a visit by White House officials to Stanford University seems to indicate that the White House privacy revolution is in full swing and that we may be seeing the results of it in the near future.
One of the biggest things that the National Strategy for Trusted Identities in Cyberspace (NSTIC) would do is change how we log in and authenticate to online services. As you’re surely aware, present-day login procedures require the use of usernames and passwords. And despite the abundance of information online regarding how to create strong passwords and even how password authentication works, the fact of the matter is that password-based logins are simply not secure. Why? Simply put, passwords are nothing more than “secret” and “protected” strings of text that people are oftentimes not careful enough with and that can often be cracked. To combat this issue, the NSTIC would make it easier for websites and their users to implement “privacy-enhancing credential[s]” such as smart cards, mobile phone certificates, and multi-factor authentication tokens. In layman’s terms, the NSTIC would make it easier for users to authenticate themselves with a physical medium, so that anyone without the medium would be far less likely to gain access to an account. By taking advantage of these technologies, users would not only reap the benefits of more secure authentication methods, but in many cases would also be able to do away with the hassle of creating, managing, and remembering secure passwords.
One of the other advantages of the NSTIC would be that users could control, better and more simply, exactly what information they give to sites and organizations. This would help to allay privacy concerns on the part of end-users, as sites would be unable to gain access to information that wasn’t explicitly granted for them to see. On top of all this, users would be able to put more trust in the sites they logged into simply because the information would be secure, thus eliminating issues such as fake login pages, rogue websites, etc.
While some users may be worried about government involvement with the NSTIC, Gary Locke of the Commerce Department has stated that the project is not aimed at being a “national ID card” and will not be a “government-controlled system”, but rather a push to create opt-in “trusted ID” technologies that end-users could take advantage of only if they wanted to. Howard Schmidt, the White House cybersecurity coordinator, was also quick to point out that users would be able to choose which – if any – sites they wanted to use the trusted ID system with, and that there would be “a range of trusted ID providers and a range of credentials available”, meaning that users would be able to control who managed their security.
Even though the NSTIC has the potential to revolutionize Internet security and privacy as we know it, the unwillingness of end-users to change their routines and practices will likely be one of its biggest downfalls. OpenID was the last major “revolution” in online authentication and was supposed to accomplish a lot of the same tasks by creating a “handshake” authentication method between users and websites. However, OpenID was a miserable failure and never really took off amongst end-users. While the NSTIC appears to be a larger-scale and more thought-out concept, the fact remains that there are always going to be users who are unwilling to adapt to changes, and a potential fear of the government’s involvement on the part of some users definitely isn’t going to help.
At the end of the day, only time will tell if NSTIC will be a success and if users will take advantage of it. I am extremely anxious to see which sites opt to be “early adopters”, and how the project will fare with the overall public. What are your thoughts? Let us know in the comments!