When China passed a new law two weeks ago requiring people to give their real names when signing up for Internet and phone service, it raised alarms over the surveillance implications for the world’s largest population of Web users.
It also highlighted what may be an uncomfortable reality for U.S. netizens: a national digital ID, which essentially is what China is proposing, isn’t entirely a foreign concept.
The U.S. is also slowly moving to a system where online personas are inextricably linked to real-world identities, an idea with huge privacy and security implications.
The tactics and enforcement mechanisms being explored in China and the U.S. are worlds apart, but the central idea is similar: knowing someone’s real name improves accountability online. That’s a double-edged sword, though, depending on who’s doing the accounting.
The White House’s National Strategy for Trusted Identities in Cyberspace, or NSTIC, is leading the government’s efforts in this area.
In September, the NSTIC awarded more than $9 million to five ambitious pilot projects that could have deep ramifications for the future of online commerce. They are developing technologies that will allow people to use online credentials — say, a PayPal or Gmail username and password — to obtain government services online, such as accessing health care records, getting driver’s licenses or paying taxes.
Some of the biggest names in business and technology are involved, including Microsoft, AT&T and LexisNexis. Their partners include Virginia’s Department of Motor Vehicles, the American Association of Retired Persons and various medical organizations.
Last month, NSTIC also announced the awarding of another contract, to the U.S. Postal Service, to build a cloud-based service to allow all federal agencies to accept approved third-party credentials for online services.
National digital IDs issued by the government are the “political third rail” in the U.S., and previous incarnations in the 1990s failed, according to John Pescatore, a computer security expert at Gartner. But now, many people are accustomed to using one log-in, such as a Facebook account, to access multiple sites, he said. NSTIC’s approach of deploying small, targeted projects to incorporate government sites into that web is a wise approach to test a controversial idea, he said.
“What NSTIC is doing is it’s sprinkling projects around at different levels,” Pescatore said. “Hedging your bets and trying across many different communities is much more likely to succeed than a top-down approach.”
Taken together, the efforts highlight the contrasting approaches by the U.S. and China.
Encouraging people to use log-ins for services they’ve voluntarily signed up for to access government services they may need only infrequently is one thing. But mandating that individuals give their real name before going online in the first place is quite another, and it’s a requirement that’s difficult to enforce even in China.
But it’s going to be hard to shake the obvious risks of consolidating our digital lives even further than we already have.
“Getting away from usernames and passwords is probably a good thing,” said Richard Bejtlich, chief security officer for Mandiant, an Alexandria, Va.-based computer security firm that investigates data breaches. “But I personally don’t like the idea of an uber-credential that could log into everything, because if that one thing falls, I could lose everything.”