The White House released the National Strategy for Trusted Identities in Cyberspace (.pdf) April 15, a government-coordinated effort to create a digital "identity ecosystem," executed by the private sector.

"The old password and user-name combination we often use to verify people is no longer good enough. It leaves too many consumers, government agencies and businesses vulnerable to ID and data theft," said Commerce Secretary Gary Locke during the strategy launch event at his department in Washington, D.C. April 15.

"This is why the Internet still faces something of a trust issue. And it will not reach its full potential--commercial or otherwise--until users and consumers feel more secure than they do today when they go online," he added.

The 52-page document provides broad principles to guide industry in the creation of voluntary identity credentials. Such credentials, federal officials said, would remedy the insecurity and inconvenience of passwords and allow individuals to prove their online identity for certain transactions, such as banking and healthcare transactions.

"By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation," President Obama said in a statement.

Eventually, the strategy aims to allow Internet users to get trusted credentials, issued by private-sector identity providers, which could take the form of a secure application on a cell phone, a smart card or another device. Such technologies would, ideally, prevent the surveillance of credentials and could be remotely wiped and reprogrammed, according to the strategy. Officials expect pilots of the technology to begin in fiscal 2012.

According to the strategy document, in five years the NSTIC national program office, within the Commerce Department, should be able to measure participation, compatibility, credential options and public-sector use. The program office should also develop "trust marks," an icon displayed by companies that meet NSTIC rules. In ten years, according to the strategy document, all standards and technologies should be in place and broadly adopted by organizations engaging in e-commerce.

Starting in June, NSTIC implementation workshops will be held around the country and coordinated by the National Institute of Standards and Technology. The third and final workshop will be in September. "These workshops will put an expedited focus on operating standards and consensus rules," said an Obama administration official, who spoke to reporters on background.

It's too early to determine the role of regulation and legislation for NSTIC and "we'll tackle that as it comes," said the administration official. He said a strong self-regulatory role will likely emerge in the marketplace, as different sectors have different oversight mechanisms.

But some critics say that without clear regulation, procedural safeguards and mandatory standards, NSTIC could do more harm than good, ushering in an era of "hyper-identity theft."

In an April 15 whitepaper published by Identity Finder, report authors charge that NSTIC must be revised in order to avoid the creation of a false sense of control, privacy and security among users. NSTIC should better safeguard against the covert collection of users' personal information and the creation of new markets that commoditize human identity, said the report.

"We hope that the Identity Community, which has spent years developing privacy-enhancing protocols, will demand that NSTIC require those best practices as a matter of policy," advised authors.

For more:
- see the NSTIC document (.pdf)
- see the Identity Finder whitepaper, "NSTIC's Effect on Privacy" (.pdf)
- watch this NSTIC explanatory video, from NIST
- see the Commerce fact sheet (.pdf)
- see testimonials compiled by Commerce, "What others are saying about NSTIC" (.pdf)

Related Articles:
White House, Commerce prepare for trusted identities in cyberspace
White House releases draft authenticated Internet identity plan
Schmidt outlines goals for cyber policymaking
White House preparing national Internet identity authentication plan