Government starts testing online ID program

State officials in Michigan and Pennsylvania have been awarded roughly $2.4 million in federal funds to test an online ID system that’s been called a “driver's license for the internet," and it could soon exist from coast to coast.

The "National Strategy for Trusted Identities in Cyberspace” program has been in development for years, but it’s about to finally be rolled-out to a degree in two locales in order to see if using government-certified IDs on the web is something worth considering on a much larger scale.

“The goal is to put to bed once and for all our current ineffective and tedious system of using passwords for online authentication, which itself was a cure for the even more ineffective and tedious process of walking into a brick-and-mortar building and presenting a human being with two forms of paper identification,” reporter Meghan Neal wrote for VICE’s Motherboard website on Tuesday this week.

In theory, the program would also help curb a major problem rampant within both the worldwide web and the federal government: abuse. The United States government loses billions of dollars a year due to fraud, Neal reported, and the White House thinks that number could be drastically cut if a new system was implemented to authenticate the people that use government programs and websites alike.

“What if states had a better way to authenticate your identity online, so that you didn’t have to make a trip to the DMV?” Jeremy Grant, the senior executive adviser for identity management at NIST, told the New York Times in 2011.

To see if there may be success on a national level, the NIST has awarded Michigan and Pennsylvania hefty grants to fund programs that would implement a “trusted identity” system as sought by Washington. Earlier this month, the GCN tech website reported that Michigan received $1.3 million to pilot an automated system that validates identities online in order to replace the in-person proofing system currently in place for those looking to apply for state benefits, and Pennsylvania was offered $1.1 million to develop a similar program that stretches across multiple state offices.

According to GCN’s William Jackson, Pennsylvania’s pilot program combines “both automated identity proofing with federated use of credentials so that the same token can be accepted for multiple programs without duplicating effort and personal data across departments.”

“The Commonwealth of Pennsylvania pilot will offer residents the opportunity to obtain a secure, privacy-enhancing credential to conduct online transactions with a number of participating agencies including the departments of Public Welfare and Health,” NIST said when they awarded the grant to the Keystone State. “Citizens will be able to register just once to access a variety of services, eliminating the need to create multiple accounts and to validate their identity multiple times.”

In Michigan, “[t]he program will aim to help eliminate barriers citizens face in accessing benefits and services by streamlining the applications process, while also reducing fraud and improper payments,” the NIST explained.

A database of identities in Pennsylvania already maintained by the state’s Department of Public Welfare, Jackson reported, containing millions upon millions of names. That agency’s chief information security officer said that the NIST’s vision is pretty complex, however, and would allow other offices across the state to access that information in order to authenticate people using government services in other sectors.

Privacy advocates predictably don’t see these systems as being all that good. In 2010, the Electronic Frontier Foundation called the program a “pervasive” one that “would pose to privacy and free speech online” by putting so much sensitive, personal information into the hands of Uncle Sam.

“The whole thing is fraught with the potential for doing things wrong,” Microsoft engineer Kim Cameron told the New York Times when they reported on the program in 2011. In that same article, Electronic Privacy Information Center associate director Lillie Coney suggested that implementing such a system simply puts too much at stake.

“Look at it this way: You can have one key that opens every lock for everything you might need online in your daily life,” Coney said. “Or, would you rather have a key ring that would allow you to open some things but not others?”

Just this week, Neal at Motherboard warned of the consequences such a scenario could give way to: “Then there's the problem of putting all your security eggs in one vulnerable basket. If a hacker gets their hands on your cyber ID, they have the keys to everything,” she wrote.

According to GCN’s Jackson, the two pilot programs about to be rolled out “will help to determine the effectiveness of these tools with an eye toward getting them widely adopted.” The NIST is expected in September to award new grants valued at roughly $2 million to the winners of this year’s pilot program funding.