White House Issues Blueprint for Digital Identity Management and Privacy: Will the Private Sector Build It?

On April 15, 2011 the White House issued the National Strategy for Trusted Identities in Cyberspace. The document responds to the administration's Cyber Policy Review of December 2010, which had identified the establishment of a secure and trusted authentication system as a key component of improving digital security.

The Strategy envisions replacing the current model of digital interactions, in which users maintain multiple passwords and provide varying degrees of personal information to different entities, with a new model based on authenticated "credentials." In this new model, consumers would obtain "credentials" from designated providers, and the "credentials" would in turn be recognized by businesses, government agencies, and other consumers. This shift, the Strategy suggests, will have salutary effects such as enabling more sensitive transactions to occur online, and relieving consumers' burden of entering personal information over and over again.

Ultimately, the Strategy seeks to usher into existence a full-blown "identity ecosystem" in which users are able to select and obtain credentials that provide a level of privacy that is appropriate for a given transaction. For a sensitive transaction involving medical data, for example, a user could obtain and use a "high-assurance" credential, whereas more quotidian tasks like purchasing clothes online might be accomplished with a more easily obtainable "low-assurance" credential. These credentials would be offered by private sector companies in competition with one another, and would be accepted by businesses and government agencies as a means of identifying or validating the user.

The document itself is somewhat abstract, and pronouncements such as "the identity ecosystem must be grounded in the holistic adoption of the FIPPS" may be obscure for the uninitiated.
Helpfully, though, the Strategy conveys its basic idea via a series of descriptions of various means by which the proposed "credentials" might be obtained and used. For example:

A consumer obtains a digital credential from her ISP. The credential is stored on a smart card. She inserts the smart card into her computer; obtains digital cash from her bank; buys a sweater at an online retailer without opening an account; signs documents to refinance a mortgage; and reads a note left by her doctor in her personal health record. These tasks are accomplished "in just minutes." (see page 7)

A teenager wants to enter an online chat room that is for users from age 12-17. He gets permission from his parents to obtain a digital credential from his school. His school provides the credential and acts as an "attribute provider," validating that he is of the correct age but not providing other information such as his name or birth date. (see page 11)

These and other examples indicate how the proposed system would work, and suggest the benefits that could accrue from a successful marriage of online privacy and security. Still, the Strategy acknowledges that many challenges remain, including obstacles related to incentives, security, technology, and institutional capacity.

Incentives: The Strategy emphasizes that participation must be both voluntary and "market-driven." However, if no companies accept "credentials" there will be no incentive for users to obtain them or for anyone to provide them, and conversely if no users obtain credentials, there will be no incentive for companies to accept them (i.e., there is a two-sided market problem).

Institutional Capacity: The Strategy envisions that entities such as ISPs and schools will issue credentials and perform authentication functions. It is unclear whether such entities (particularly schools) are suited for these tasks.

Security: If the credentials themselves are compromised or stolen, then the same trustworthiness that makes them useful will render them all the more destructive. Thus the success of the Strategy rests on the ability of the credential-providers to keep credentials secure and to provide a prompt and effective means of revoking them if they are compromised.

Technology: The Strategy notes that some social networking sites currently provide a stripped-down version of identification. (For example, when a user logs in to Facebook and can then be identified by other sites, Facebook is providing authentication and/or credentials for the user.) This capability, which is similar to a "low assurance" credential in the parlance of the Strategy, highlights the need to ensure that the Strategy stays abreast of changes in the digital environment.

Recognizing the existence of these and other challenges, and to help implement the Strategy, the Secretary of Commerce will establish an interagency National Program Office, which will be charged with coordinating the process of implementation by the private sector with government input. At this time, then, the Strategy is perhaps most notable for its firm embrace of the idea that privacy can and should exist online, and that this can be achieved without sacrificing the benefits that can accrue from digital interactions.

Ron Lee, Nancy Perkins, George Langendorf
