Industry ponders government role in digital identities

In the United States nearly all of the identification forms citizens use on a regular basis – driver’s license, passport, Social Security number – are created and managed by the government. So what role should the government play in formulating and authenticating our online identities?

That question and related ones were the topic of a conference hosted by the Information Technology Association of America (ITAA) and the Center for Strategic and International Studies (CSIS) in Washington D.C. on Monday. Conference organizers and some companies that participated are also undertaking a study to determine if and how the government should be involved in creating online identities and related authentication, said Jim Lewis, CSIS’ director for technology policy. The group hopes to release the study by the end of the year.

There’s a growing need for online identities, such as those managed by Microsoft Corp.’s Passport authentication service, as users look for more secure ways than simple passwords to grant them access to Web services and to make purchases, said Craig Mundie, senior vice-president and chief technology officer of Microsoft. With Passport, users enter their information, which can be just their e-mail address and password or can include information like mailing address and Social Security number, and the service stores the data for them, so they don’t need to re-enter the information every time they visit a new Web site. Microsoft also offers an electronic wallet service that will similarly store users’ credit card information so that it doesn’t need to be keyed again.

Since Microsoft isn’t alone in the authentication market – among others are the Liberty Alliance, a group led by Sun Microsystems Inc. that is working to create standards for authentication systems – it’s important that authentication can happen across different services, said Mundie, referring to these as federated services.

With more of these authentication services emerging, “How many Internet trust brokers will there be?” asked Mundie, adding that the government is bound to get involved, too. “Governments think they’re in the business of managing identities.”

Mundie and Lawrence Lessig, a professor at Stanford Law School, are co-chairs of the study to determine how the government fits in. Among the issues they will examine are the technical, regulatory and economic implications of government involvement, and whether a non-government organization should be established to help maintain digital identities, much like the Internet Corporation for Assigned Names and Numbers deals with Internet addresses. Microsoft is one of the study’s sponsors.

Another panelist questioned whether the government will get heavily involved in digital identities if it doesn’t need to. While the government does indeed manage identification for citizens, it does so for its own purposes – Social Security numbers for tracking contributors, driver’s licenses to verify a driver’s eligibility, and the like – said Dave Nelson, deputy chief information officer with the National Aeronautics and Space Administration (NASA).

“The government is not in the national ID card business; all the credentials (that the government issues) are related to the government,” Nelson said.

There will be other forces besides the government that shape how digital authentication is managed, said another panelist. In the wake of the Enron Corp. debacle, in which the energy company hid liabilities that contributed to its downfall, shareholders will begin recognizing mismanaged authentication systems as operational risks, said Catherine Allen, CEO of Bits, the technology organization within the Financial Services Roundtable, a public policy group for the financial services industry. This is particularly true for financial services companies, as letting sensitive data fall into the wrong hands can spell disaster for a company.

“Managing authentication will be scrutinized by shareholders as a risk factor,” Allen said.