Government Needs to Incentivize, Not Own, Online ID
Last week, the White House released a draft strategy to make the Internet more secure. CDT has been part of this effort to develop an identity management strategy for the United States, part of the cybersecurity strategy suggested in the cybersecurity policy review released earlier this year. The Strategy focuses on ways to establish and maintain trusted digital identities, a key aspect of improving the security of online transactions. The Strategy recognizes that strong online identity is not a panacea for the cybercrime that ails us - but it is a piece of the puzzle in making the Internet a safer place for innovative services and exchanges.
The government doesn't have a very strong history in centralized identity - Social Security numbers and REAL ID are a few examples. Luckily, there seems to be an acknowledgement that the government should not "own" the identity ecosystem, but that it should help develop best practices and standards for reputable players in the identity ecosystem. The government can provide incentives for industry and the public to adopt digital identity, but should not require it. Including policies that protect consumers and ensure that privacy and security protections are built in from the outset is key to consumer trust and large-scale adoption.
Discussion of the ways to create trust using standards and binding agreements among all players in the ecosystem is vital to this process, but the Strategy does not address the kinds of trust-creation that will be necessary before the Identity Ecosystem takes off. The Strategy is largely ephemeral - disappointingly, these concrete protections are not included. Many of the important aspects that would allow an Identity Ecosystem as envisioned in the Strategy to become a reality have been left out.
Luckily, DHS and the White House have asked us - and you - for input on the Strategy, via an online voting forum, before it is finalized. They'll be taking feedback until July 19th, but half the fun will be the discussion and voting on the forum. If you want to see our suggestions, you can view CDT's participation and let us know what you think of our ideas.
We are largely concerned with the implementation of the Governance Layer - the part of the ecosystem that allows unaffiliated entities to trust each other and governs how players in the space are required to act, including how they treat user data. We're hoping that the Strategy can be the basis for a widely accepted set of standards and agreements for identity online, so that the ecosystem can move forward and innovate. What are you hoping to see in the next version of the Strategy?