The White House's draft plan to create trusted identities in cyberspace has met with skepticism if not outright hostility in some electronic security and privacy quarters.

One month ago, the White House released its "National Strategy for Trusted Identities in Cyberspace [1]" (.pdf) laying out its vision for a voluntary "Identity Ecosystem" that could foster trusted online transactions while promoting privacy. According to the strategy, "[t]he Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities."

According to the strategy's introduction, trusted identity credentials provided by private and public organizations could help eliminate the growing problem of identity theft and other types of fraud and data theft online. The draft cites complaint numbers from the Internet Crime Complaint Center that indicate cybercrime continues to increase and costs its victims $560 million in 2009. The strategy also reports 10 million Americans annually become victims of identity theft and can spend up to 130 hours reclaiming their identity.

The White House believes the strategy could help fight these online ills.  "What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities," Howard Schmidt, cybersecurity coordinator and special assistant to the president, posted on the White House blog [2].

Beyond security, trusted identities would make life easier for netizens, the White House said.  "No longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services," wrote Schmidt.

Another advantage of the ecosystem, the report added, is individuals would be able to control how much information is used during a transaction. If a Web site requires confirmation that an individual is18 for a purchase, the Identity Ecosystem would allow the customer to share only the necessary data without revealing unnecessary information, such as name, address, and even birth date, according to the draft report.

But for all the convenience, many Web sites and digital privacy advocates are questioning not only the unintended consequences of the strategy, but whether it will deliver its main promise: security.

While the White House stresses that participation would be voluntary, Jon Stokes at Ars Technica's Law and Disorder blog fears mission creep [3], noting the now ubiquitous use of Social Security numbers (SSN) to verify identities. "Given what has happened with the SSN, it's not at all hard to imagine that a voluntary state ID would quickly morph into a mandatory state ID, unless of course you withdraw from the web of modern commerce."

Then there's the issue of whether trusted identities would make it easier for government to track online behavior, even presumably anonymous activity. The Electronic Frontier Foundation, a digital rights organization, takes shots at the strategy's example of an individual using her smart identity card to anonymously post blog entries [4]. "The proposal mistakenly conflates trusting a third party to not reveal your identity with actual anonymity — where third parties don’t know your identity," the EFF argues. "When Thomas Paine anonymously published Common Sense in 1776, he didn’t secretly register with the British Crown."

“George Orwell's ‘Big Brother’ has arrived,” wrote one Federal Computer Week reader after the strategy's release [5]. “Total monitoring of all communication by an all powerful central government.”

Finally there's the question of security. Ars Technica's Stokes finds it hard to believe that one credential used for multiple services is more secure than multiple passwords used for multiple online services, because it creates a single point of failure. "Either it will be possible to steal my credentials and impersonate me throughout the entire ecosystem, or there will have to be some kind of rock-solid biometric component to authentication," writes Stokes.

Readers who want to leave a comment or recommendation to further refine the strategy or simply read the reactions of other interested parties can do so at this Department of Homeland Security site [6].

 ♦ Screen shot of the National Strategy for Trusted Identities in Cyberspace

Thumbnail: