Michigan and Pennsylvania are about to test a national cyber-ID prototype. If the complex system works as planned, it might offer a level of protection against identity theft that has not been generally available at websites.
However, critics worry that the government-proposed, private sector-built scheme could have some serious privacy implications. The worry is that people who use it could be uniquely matched to the bulk of their Web activity, making current concerns about online privacy seem quaint in comparison.
Called the National Strategy for Trusted Identities in Cyberspace (NSTIC), the nearly four-year-old concept focuses on a computer security problem called authentication. Not only do companies, governments and individuals want to keep outsiders from breaking in and grabbing data, but they want to know who is on the other end of a conversation or transaction.
As a New Yorker cartoon pointed out in the early 1990s, "On the Internet, nobody knows you're a dog." But they want to know.
Although passwords and IDs are a long-standing approach to authentication, they have significant limitations. Someone could apply for an ID and password with a faked email address and begin to establish an online identity as someone else. In many cases criminals obtained a person's login information by parlaying a few pieces of personal information into presumed authentication, a process called social engineering.
"The whole idea of NSTIC is to create an environment where we can increase trust online," said Cathy Tilton in an interview with CBS MoneyWatch. She's vice-president of standards and technology for Daon, an authentication technology vendor involved with a separate NSTIC pilot for the U.S. Postal Service.
The concept of NSTIC is a national identity infrastructure and marketplace. Some companies might provide an initial authentication. Others would provide technology so people could prove who they claimed to be, based on the first authentication. Virtually any website could opt in, meaning greater safety online.
There could also be noncommercial reasons to encourage a national form of authentication and identity. "If someone knew they had to have a 'license plate,' would that slow down or perhaps reduce cyberbullying?" said Rabbi Abraham Cooper, associate dean of the Simon Wiesenthal Center.
But many misconceptions surround NSTIC. The most common is that it's a government program. "There's never been an intent for there to be a single ID for government programs," Tilton said.
Another is that privacy hasn't been a concern in the project. Consumers could, in theory, create multiple credentials for different circumstances, so that it would be difficult to piece together a complete background of any one person. And NSTIC has made other efforts to address privacy worries.
However, the plans and intentions still leave room for significant concern, particularly if private companies and the government both wind up using the same system. "Of course, once the government has your ID, it probably means they'll end up mining, at least as well as the private sector is already doing, and we can pretty much post 'rest in peace' on the notion of privacy," said Cooper.
"I'm fairly comfortable with some of what the government has done in the past," said Peter Toren, a former federal prosecutor who's now an attorney with Weisbrod Matteis & Copley. "But I don't think the government has made a strong case as to why they need something like this, what they're trying to accomplish." In the face of massive spying by the National Security Agency, making that case will be important.
NSTIC also faces technical and social issues. Even if people could create multiple identities, most might not. For example, the most common passwords of 2013 were "123456," "password" and "12345678." Many Facebook users don't even understand the implications of their current privacy settings.
Another question is: How secure would the systems would? Although there's an "upside" for government and commercial transactions in convenience and security, said Ann Bartow, a professor at Pace Law School, "there have been disasters with data everywhere."
Assuming that a complex set of technologies would be invulnerable is ignoring the history of computing.
And then there's the question of adoption. Other authentication concepts in the past would have used different interacting vendors. Although they did technically work, people never broadly adopted them. Given that the vendors involved will likely want to be paid for their work, this would be asking consumers to voluntarily embrace spending money on something that few might understand and not all would trust.
Even as pilot programs go into place with the best of intentions, it's unclear whether this concept at its best could solve the security problems Internet users face. Or, in a worst case, if it would become an electronic nightmare.