(CNN) -- My neighbor recently discovered a four-digit passcode that unlocks the front doors
to our apartment building. He shared the code with me, as well as with his
girlfriend, buddies and a few other neighbors. I shared it with some people,
and so did others. Within a few weeks, the building's security system was
buzzing constantly for people who didn't actually have one of the dozen or so
physical keys given to tenants.
My apartment building's security is not all that different
from the password-protected login system that forms a chain-link fence around
Facebook, Google, iTunes or any other Internet service. Passwords are often
shared among family, friends and spouses, and people typically use the same
passwords for everything. Many experts say passwords are cybersecurity's weak
link. To minimize identity theft, the Obama administration is urging Internet
companies to agree upon and adopt a standard, reliable identity-verification
system that people can use for any website. Each person would choose one
company, perhaps their e-mail service provider, to handle credentials for
sensitive personal or financial information on other sites.
In this hypothetical digital world, someone could buy books
on Amazon.com using a Google account, while another person could sign up for a
social network using a PayPal account. Because the U.S. government is involved,
Americans might be able to download their tax forms by signing into, say, their
Microsoft accounts.
President Obama introduced the initiative in spring 2011,
and development of the technology seems to be moving at the speed of
Washington, not Silicon Valley. Almost a year later, there's no consensus among
Web companies and government about what exactly this should look like and when
we should expect to see it.
Some websites have already embraced an idea similar to what
is being proposed, without the government giving them a push. For example,
users of TripIt, a travel organizer from Concur Technologies, can log in using
their Facebook, Google or Yahoo accounts. But this typically involves small
utilities piggybacking on the networks of larger companies. The biggest
Internet players, such as Amazon, Apple, Facebook and Google, do not play well
with each other.
Instead, Facebook and Google boast about how quickly they
are convincing users to volunteer their personal information in setting up
profiles. Apple regularly mentions how many credit cards its iTunes service has
on file -- at last count, more than 225 million. People involved in the
government initiative said the major players have informally expressed
interest. But a Google spokesman declined to make executives available for
comment for this story. A Facebook spokesman declined to comment and a PayPal
spokeswoman didn't respond to a request for comment.
These companies may view their respective platforms as a
competitive advantage, said Don Thibeau, the executive chairman for the OpenID
Foundation. His organization has been trying to provide a sort of universal
login system that includes Google and Yahoo, but some users find the system's
row of tiny buttons confusing. OpenID will launch a simplified, single-button
alternative called Connect in the next few months, Thibeau said.
Thibeau said he believes technology companies may eventually
realize the limits of their identity silos. Similar to how people can now send
text messages to friends on different cellular networks, or how a Mac user can
open a Microsoft Word file, Internet login systems should one day standardize,
he said.
"This notion of standards, as boring as it is, is
really the plumbing of the Internet economy," Thibeau said. "It turns
out that you can only go so far with business and Internet services until you
come up with standards. Standards build markets. Standards help the pie grow
bigger."
Internet giants have not been eager to unite on their own.
For various reasons, having the government involved either provides the best possibility
for bringing rivals together or will poison the well, according to people
involved. Companies and citizens alike can sometimes have an allergic reaction
to government intervention, especially when privacy is involved.
When President Obama announced last year that he was handing
over the keys for an online identity initiative to the U.S. Commerce
Department, talk of an "online driver's license" ensued. Observers
say that's not an apt analogy because the identity system, as proposed, wouldn't
be required for using the Web, nor would it be issued by the government. But
the idea of a government-controlled database spooked many people.
What Obama's proposal describes is a series of security
problems on the Internet, such as insecure passwords and people handing over
sensitive data to dozens of companies, as well as some vague suggestions for
how to solve them.
"It's not a piece of legislation," said Aaron
Brauer-Rieke, a fellow at the Center for Democracy and Technology, an Internet
privacy group in Washington. "Instead, it's the federal government saying
here is our vision of how to improve identity on the Internet."
A year ago, Jeremy Grant inherited the project. He is a
senior executive for the Commerce Department's National Institute of Standards
and Technology, and he is playing government liaison to tech companies and
privacy advocates as part of the National Strategy for Trusted Identities in
Cyberspace, or NSTIC.
The government's prospective standard for online identity is
not expected to result in a law, as long as companies can come to an agreement
among themselves. The system could be regulated by the Federal Trade
Commission, said people involved in the planning.
"The way that Washington tends to effect change is to
either pass a law or to pass a regulation to make something happen," Grant
said. "NSTIC is a bit of a policy experiment."
After failed government experiments, the United States has
observed that an online ID has to be driven by companies, not countries, and
has to keep Internet anonymity intact, Grant said. "We could, on paper,
come up with what would be the perfect mousetrap, and no one would want to buy
it," Grant said. "The federal government doesn't care if you're a dog
[online] or not. Anonymity and pseudonymity have always been hallmarks of the
Internet."
Bidding will begin this month on NSTIC pilot programs that
should launch in the summer to demonstrate what an online identity framework
could look like, Grant said. The government will carefully determine what
safeguards will be implemented in the identification process and the
punishments for violators, he said. Some sites could begin launching NSTIC
login options in about two years, he said.
Others were not so optimistic.
Persuading every major Internet company and then every Web
user to sign up will be a massive undertaking, said Brauer-Rieke, from the
Center for Democracy and Technology. "The work of herding cats is just
beginning," he said.
Because this is such an unusual policy experiment, the
government cannot point to a similar program in the past that has been
successful, said Thibeau, who is also the chairman of the Open Identity
Exchange, which counts AT&T, Google, PayPal and Verizon among its members.
Also, other countries may object to an initiative led by the United States, he
said.
What this system will look like remains undefined. People
may have to type in a temporary password received via text message, answer quiz
questions or identify friends in photographs, according to people involved in
the initiative. NSTIC could even require a hardware dongle that users plug into
their computers, though that's unlikely as people increasingly move to mobile
devices that don't have standard inputs, they said.
Just about everyone involved is in agreement that today's
model of people picking their own passwords will not survive much longer. "The
greatest threat to security and the greatest threat to privacy are
passwords," Thibeau said. "Passwords are really yesterday's
news."
SOURCE LINK: CNN.COM