online id verification plan carries risks. (nyt)

Benjamin bbrewer at littledystopia.net
Sat Sep 17 16:55:58 PDT 2011


http://www.nytimes.com/2011/09/18/business/online-id-verification-plan-carries-risks.html

Call It Your Online Driver's License
By NATASHA SINGER
Published: September 17, 2011
WHO'S afraid of Internet fraud?

Consumers who still pay bills via snail mail. Hospitals leery of
making treatment records available online to their patients. Some
state motor vehicle registries that require car owners to appear in
person, or to mail back license plates, in order to transfer vehicle
ownership.

But the White House is out to fight cyberphobia with an initiative
intended to bolster confidence in e-commerce.

The plan, called the National Strategy for Trusted Identities in
Cyberspace and introduced earlier this year, encourages the
private-sector development and public adoption of online user
authentication systems. Think of it as a driver's license for the
Internet. The idea is that if people have a simple, easy way to prove
who they are online with more than a flimsy password, they'll
naturally do more business on the Web. And companies and government
agencies, like Social Security or the I.R.S., could offer those
consumers faster, more secure online services without having to come
up with their own individual vetting systems.

"What if states had a better way to authenticate your identity online,
so that you didn't have to make a trip to the D.M.V.?" says Jeremy
Grant, the senior executive adviser for identity management at the
National Institute of Standards and Technology, the agency overseeing
the initiative.

But authentication proponents and privacy advocates disagree about
whether Internet IDs would actually heighten consumer protection, or
end up increasing consumer exposure to online surveillance and
identity theft.

If the plan works, consumers who opt in might soon be able to choose
among trusted third parties (such as banks, technology companies or
cellphone service providers) that could verify certain personal
information about them and issue them secure credentials to use in
online transactions.

Industry experts expect that each authentication technology would rely
on at least two different ID confirmation methods. Those might include
embedding an encryption chip in people's phones, issuing smart cards
or using one-time passwords or biometric identifiers like fingerprints
to confirm substantial transactions. Banks already use two-factor
authentication, confirming people's identities when they open accounts
and then issuing depositors with A.T.M. cards, says Kaliya Hamlin, an
online identity expert known by the name of her Web site, Identity Woman.

The system would allow Internet users to use the same secure
credential on many Web sites, says Mr. Grant, and it might increase
privacy. In practical terms, for example, people could have their
identity authenticator automatically confirm that they are old enough
to sign up for Pandora on their own, without having to share their
year of birth with the music site.

The Open Identity Exchange, a group of companies including AT&T,
Google, Paypal, Symantec and Verizon, is helping to develop
certification standards for online identity authentication; it
believes that industry can address privacy issues through
self-regulation. The government has pledged to be an early adopter of
the cyber IDs.

But privacy advocates say that in the absence of stringent safeguards,
widespread identity verification online could actually make consumers
more vulnerable. If people start entrusting their most sensitive
information to a few third-party verifiers and use the ID credentials
for a variety of transactions, these advocates say, authentication
companies would become honey pots for hackers.

"Look at it this way: You can have one key that opens every lock for
everything you might need online in your daily life," says Lillie
Coney, the associate director of the Electronic Privacy Information
Center in Washington. "Or, would you rather have a key ring that would
allow you to open some things but not others?"

Even leading industry experts foresee challenges in instituting
across-the-board privacy protections for consumers and companies.

For example, people may not want the banks they might use as their
authenticators to know which government sites they visit, says Kim
Cameron, whose title is distinguished engineer at Microsoft, a leading
player in identity technology. Banks, meanwhile, may not want their
rivals to have access to data profiles about their clients. But both
situations could arise if identity authenticators assigned each user
with an individual name, number, e-mail address or code, allowing
companies to follow people around the Web and amass detailed profiles
on their transactions.

"The whole thing is fraught with the potential for doing things
wrong," Mr. Cameron says.

But next-generation software could solve part of the problem by
allowing authentication systems to verify certain claims about a
person, like age or citizenship, without needing to know their
identities. Microsoft bought one brand of user-blind software, called
U-Prove, in 2008 and has made it available as an open-source platform
for developers.

Google, meanwhile, already has a free system, called the "Google
Identity Toolkit," for Web site operators who want to shift users from
passwords to third-party authentication. It's the kind of platform
that makes Google poised to become a major player in identity
authentication.

But privacy advocates like Lee Tien, a senior staff lawyer at the
Electronic Frontier Foundation, a digital rights group, say the
government would need new privacy laws or regulations to prohibit
identity verifiers from selling user data or sharing it with law
enforcement officials without a warrant. And what would happen if,
say, people lost devices containing their ID chips or smart cards?

"It took us decades to realize that we shouldn't carry our Social
Security cards around in our wallets," says Aaron Titus, the chief
privacy officer at Identity Finder, a company that helps users locate
and quarantine personal information on their computers.

Carrying around cyber IDs seems even riskier than Social Security
cards, Mr. Titus says, because they could let people complete even
bigger transactions, like buying a house online. "What happens when
you leave your phone at a bar?" he asks. "Could someone take it and
use it to commit a form of hyper identity theft?"

For the government's part, Mr. Grant acknowledges that no system is
invulnerable. But better online identity authentication would
certainly improve the current situation, in which many people use the
same one or two passwords for a dozen or more of their e-mail, e-tail,
online banking and social network accounts, he says.

Mr. Grant likens that kind of weak security to flimsy locks on
bathroom doors.

"If we can get everyone to use a strong deadbolt instead of a flimsy
bathroom door lock," he says, "you significantly improve the kind of
security we have."

But not if the keys can be compromised.

A version of this article appeared in print on September 18, 2011, on
page BU4 of the New York edition with the headline: Call It Your
Online Driver's License.

More information about the cypherpunks-legacy mailing list