http://www.nytimes.com/2011/09/18/business/online-id-verification-plan-carries-risks.html

September 17, 2011

Call It Your Online Driver's License

By NATASHA SINGER

WHO'S afraid of Internet fraud?

Consumers who still pay bills via snail mail. Hospitals leery of making treatment records available online to their patients. Some state motor vehicle registries that require car owners to appear in person -- or to mail back license plates -- in order to transfer vehicle ownership.

But the White House is out to fight cyberphobia with an initiative intended to bolster confidence in e-commerce.

The plan, called the National Strategy for Trusted Identities in Cyberspace and introduced earlier this year, encourages the private-sector development and public adoption of online user authentication systems. Think of it as a driver's license for the Internet. The idea is that if people have a simple, easy way to prove who they are online with more than a flimsy password, they'll naturally do more business on the Web. And companies and government agencies, like Social Security or the I.R.S., could offer those consumers faster, more secure online services without having to come up with their own individual vetting systems.

"What if states had a better way to authenticate your identity online, so that you didn't have to make a trip to the D.M.V.?" says Jeremy Grant, the senior executive adviser for identity management at the National Institute of Standards and Technology, the agency overseeing the initiative.

But authentication proponents and privacy advocates disagree about whether Internet IDs would actually heighten consumer protection -- or end up increasing consumer exposure to online surveillance and identity theft.

If the plan works, consumers who opt in might soon be able to choose among trusted third parties -- such as banks, technology companies or cellphone service providers -- that could verify certain personal information about them and issue them secure credentials to use in online transactions.

Industry experts expect that each authentication technology would rely on at least two different ID confirmation methods. Those might include embedding an encryption chip in people's phones, issuing smart cards or using one-time passwords or biometric identifiers like fingerprints to confirm substantial transactions. Banks already use two-factor authentication, confirming people's identities when they open accounts and then issuing depositors with A.T.M. cards, says Kaliya Hamlin, an online identity expert known by the name of her Web site, Identity Woman.

The system would allow Internet users to use the same secure credential on many Web sites, says Mr. Grant, and it might increase privacy. In practical terms, for example, people could have their identity authenticator automatically confirm that they are old enough to sign up for Pandora on their own, without having to share their year of birth with the music site.

The Open Identity Exchange, a group of companies including AT&T, Google, PayPal, Symantec and Verizon, is helping to develop certification standards for online identity authentication; it believes that industry can address privacy issues through self-regulation. The government has pledged to be an early adopter of the cyber IDs.

But privacy advocates say that in the absence of stringent safeguards, widespread identity verification online could actually make consumers more vulnerable. If people start entrusting their most sensitive information to a few third-party verifiers and use the ID credentials for a variety of transactions, these advocates say, authentication companies would become honey pots for hackers.

"Look at it this way: You can have one key that opens every lock for everything you might need online in your daily life," says Lillie Coney, the associate director of the Electronic Privacy Information Center in Washington. "Or, would you rather have a key ring that would allow you to open some things but not others?"

Even leading industry experts foresee challenges in instituting across-the-board privacy protections for consumers and companies.

For example, people may not want the banks they might use as their authenticators to know which government sites they visit, says Kim Cameron, whose title is distinguished engineer at Microsoft, a leading player in identity technology. Banks, meanwhile, may not want their rivals to have access to data profiles about their clients. But both situations could arise if identity authenticators assigned each user an individual name, number, e-mail address or code, allowing companies to follow people around the Web and amass detailed profiles on their transactions.

"The whole thing is fraught with the potential for doing things wrong," Mr. Cameron says.

But next-generation software could solve part of the problem by allowing authentication systems to verify certain claims about a person, like age or citizenship, without needing to know their identities. Microsoft bought one brand of user-blind software, called U-Prove, in 2008 and has made it available as an open-source platform for developers.

Google, meanwhile, already has a free system, called the "Google Identity Toolkit," for Web site operators who want to shift users from passwords to third-party authentication. It's the kind of platform that makes Google poised to become a major player in identity authentication.

But privacy advocates like Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation, a digital rights group, say the government would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant. And what would happen if, say, people lost devices containing their ID chips or smart cards?

"It took us decades to realize that we shouldn't carry our Social Security cards around in our wallets," says Aaron Titus, the chief privacy officer at Identity Finder, a company that helps users locate and quarantine personal information on their computers.

Carrying around cyber IDs seems even riskier than Social Security cards, Mr. Titus says, because they could let people complete even bigger transactions, like buying a house online. "What happens when you leave your phone at a bar?" he asks. "Could someone take it and use it to commit a form of hyper identity theft?"

For the government's part, Mr. Grant acknowledges that no system is invulnerable. But better online identity authentication would certainly improve the current situation -- in which many people use the same one or two passwords for a dozen or more of their e-mail, e-tail, online banking and social network accounts, he says.

Mr. Grant likens that kind of weak security to flimsy locks on bathroom doors.

"If we can get everyone to use a strong deadbolt instead of a flimsy bathroom door lock," he says, "you significantly improve the kind of security we have."

But not if the keys can be compromised.