Is the US government-backed NSTIC online ID a good thing?


Technical editors independently review the products. To help support our mission, we may earn affiliate commissions from the links on this page.

Netizens are opposing the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, a government-led online identification system currently in a pilot phase. Much of the furor revolves around the possibility, fueled by too-frequent revelations of surveillance by the National Security Agency, that NSTIC is pushing for a unique identification system that would allow the US government to track its citizens online.

In fact, the NSTIC software prohibits tracking. The goal of the program is to create a high-security Internet identity standard, initially for users of government digital services. In an age of lax attitudes towards online privacy and deep security exploits like the Heartbleed virus, could such an online ID system be the next sensible step? Or does the NSTIC put the United States more firmly on the path to becoming a Big Brother state?

What is NSTIC?

NSTIC is a federated identification system in which third-party companies verify an account for use in other services. In this case, several companies chosen by the government create highly secure accounts initially intended for use in digital government services such as voter registration or driver’s license applications.

The secure ID could possibly be used on other sites on the Internet. Given that the NSTIC is funded by the Department of Commerce and was originally designed to reduce fraud in online transactions, it’s not hard to imagine that e-tailers could be next in line to offer connections using an NSTIC identifier.

The NSTIC ID is opt-in, meaning registration is still optional at this time. However, the government will encourage all new users of its digital services to create an NSTIC-aligned ID, offering a stand-alone government account as a last resort.

How it works?

NSTIC relies on a government-designed software infrastructure called the Federal Cloud Credential Exchange (FCCX). Companies providing identities structure their credentials to work with this system.

NSTIC credentials will provide Level 3 security credentials, a step above the Level 2 identification security provided by the strict authentication processes currently used by US banks. These highly secure credentials include multi-factor authentication requiring more data than a single password. According to Jeremy Grant, Senior Executive Advisor for Identity Management at NSTIC, recently completed NSTIC pilots tested the use of smartphones to add GPS tags and fingerprints.

It is the third-party company’s responsibility to verify that the account creator is who they claim to be, saving the government the cost of verifying all of its digital users. The third-party identity provider charges the government a small fee each time one of its credentials is used. So far, mobile carrier Verizon and security software company Symantec have been accredited to create these high-security credentials.

A private sector-led Identity Ecosystem Steering Group is tasked with identifying privacy, security and anonymity issues to create a set of rules to govern the market.

Potential upsides

According to the Verizon Data Breach Investigations 2014 report, two out of three data breaches exploit weak or stolen passwords. Using a highly secure, NSTIC-verified ID could prevent such breaches and prevent users from remembering (or forgetting) dozens of passwords.

Using an identification system like NSTIC, which uses cryptology technology so that only the bare minimum of data is exchanged when authenticating to a particular site, could also be a boon to privacy. “Although your identity is verified and a transaction is binding, the authenticator [such as Verizon] doesn’t actually know who you are, the same way Facebook or Google do,” says Lee Tien, senior attorney at the Electronic Frontier Foundation.

Using other credentials such as Facebook, Google or even driving license details to log in to other services puts a lot of unnecessary data within the reach of hackers, trackers or just the third party service, including birthdates, email addresses, photos and likes and +1s. “By using a digital signature with a service that only confirms that the signature is indeed attached to a real person, privacy can be improved,” Tien says.

Disadvantages of data

“We don’t need all the technology [for perfect cryptology] is as mature as we’d like – and even if it was, that doesn’t mean the companies implementing it will do well,” Tien says. Multi-factor authentication involving smartphones can still pose a security risk, as smartphones remain notoriously hackable. So identity theft and data breaches can still be problems, whether due to human error or exploitation by identity thieves.

Then there is the fear that data about who we are and what we do could land in the virtual grip of a government known to spy on its citizens or corporations whose primary concern is not our lives. private but the profit we can help them make.

Tien is cautiously optimistic about Uncle Sam’s intentions. providers,” he says.

Tracking will theoretically not be possible due to the double-blind software architecture. “Let’s say you use your Verizon ID to log into the Department of Veterans Affairs; Verizon won’t be able to log that you’re logged into the FCCX and anything government-related,” Grant says. “On the other hand, the Department of Veterans Affairs doesn’t know what you’re using to log in, only that it’s a certified solution.”

What happens to your data?

“We’re not creating new databases,” Grant says. No company (or government) would own a user information base and web track, and users can create different NSTIC-approved IDs for different services without necessarily linking them.

Even then, identity providers may be able to use any data you submit for verification to create demographic profiles for research and marketing purposes. If and how the data can be used is one of the questions discussed by the IESG, a policy group for the NSTIC framework composed mainly of private companies, security and identity experts and lawyers.

“The IESG leadership indicates that companies should not be able to use your data for any purpose other than verification,” Tien says. “But it is a large group, with many private companies whose interest will lie in the commercial possibilities.”

Finally, one of the biggest issues for NSTIC will be accountability. Who would be responsible in the event of data piracy or identity theft? Grant says the goal is to create a regulatory framework similar to those in the financial sector. For example, a Visa credit card comes with the Visa guarantee; in the event of fraud, Visa offers some protection. How such a guarantee would work with NSTIC has yet to be announced.

To NSTIC or not

Internet users already use Facebook and Google to log in to dozens of different sites, indicating a strong need for a single (or at most a few) identifiers for the many facets of their online lives. At the same time, most Americans do little to ensure their own privacy online.

“If the NSTIC is done well, it could be really good,” Tien says. “We see a lot of good faith that the government is trying to avoid it becoming a giant government vacuum cleaner of information.”

However, getting the NSTIC wrong could devastate privacy as well as trust in government and increase the costs associated with online fraud.

The NSTIC will enter a third round of pilot testing in September 2014. Several more years of testing are expected before consumers have a chance to consider trying the NSTIC.

[lock on keyboard via Shutterstock]


Comments are closed.