Amplify’d from www.wired.com

Obama’s Solution for Online ID? Let Silicon Valley Take the Lead

By Ryan Singel

To help solve the modern nightmare of trying to control your online identity and keep track your passwords, the government came to Silicon Valley Friday and said it was here to help. But rather than propose a big government initiative, Secretary of Commerce Gary Locke and the White House cyber czar Howard Schmidt made clear the feds want the private sector to take the lead. “Just to be clear: We’re not talking about a national ID card,” Secretary Locke said in a speech at Stanford University. “We are not talking about a government-controlled system, but we are talking about enhancing online security and reducing the need to remember a dozen passwords.” Schmidt described government’s role as being more like an organizer. “This will help us turn up the online economic engine, so online e-commerce is not shaken by the fraudsters that are out there,” he said. Even more telling is that the effort is being lodged in the Department of Commerce, not in Homeland Security or the NSA. When Schmidt first announced that the government wanted to do something to make it safer and easier to identify yourself online to businesses and bureaucracies last summer, it looked to many as if the government was trying to create some sort of federal internet driver’s license. What exactly is the problem? In short, internet users have too many passwords and logins, there’s no easy way to prove to any website that you are who you say you are, leading many people to use and re-use weak passwords. The government’s proposed solution is what the administration calls a “trusted-identity ecosystem.” The idea is to create an environment with a wide choice of trusted-identity providers that individuals can use to log in to a wide range of websites, including ones that handle sensitive data, using a single login. Many internet users are already familiar with this approach, thanks to initiatives by Facebook, Twitter, Google, Yahoo and others. If you use Google as your online identity provider to log into another company’s site, for example, you are sent to a Google page when you encounter a page that shows you a Google login screen. You log in through Google, Google vouches for you to the other website, and passes along a little, some or none of the info in your profile — but doesn’t pass along your password. What the government wants however, is something even more flexible and more secure, so when you buy something on an new site, you don’t have to create a new account and you can rely on the identity provider that you choose. Or if, you are logging into a service that is particularly sensitive, you have methods beyond simply creating a password to protect your account (a process known as two-factor authentication, which consumers might have run into in online banking). One can also imagine having an identity provider that enables you to tie your home address, e-mail address and mobile phone number together so you could securely log in to the Social Security Administration and request a new Social Security card. The government would be able to mail the card to your house, with strong assurance you actually live at that address. And while the U.S. government might like to use such a system, privacy advocates say the government has no business trying to create the system. “The government can’t build this,” said James Dempsey, the head of the west coast office of the Center for Democracy and Technology who spoke on a panel at Friday’s event. “They don’t have the technology and they don’t have the trust.” Philip Kaplan, the outspoken founder of Blippy, AdBrite and Fucked Company, added a Silicon Valley developer voice to the event’s panel, arguing that any system has to be simple to implement, so that developers working in their living room making a website can concentrate on building new features, not worrying about security. The closest thing to that currently is Facebook Connect, which lets you use your Facebook credentials to log you in around the net and on mobile apps. “I can put in one line of JavaScript and I have a login system,” Kaplan said. “But I’m not going to pay my taxes using Facebook Connect.” Which is another way of saying it might be as dangerous for a single company to be the world’s online ID vault as it would for the government to handle that task. And right now, with Facebook at 600 million users and $50 billion in valuation, that future seems much more likely than a standards-based, interoperative system built by geeks at the behest of the feds. Photo: A fine example of what not to do with your password, and what passwords not to have. Reidrac/Flickr See Also: Facebook Connect Is Now Generally Available. Let the Identity Wars Begin Singel-Minded: How Facebook Could Beat Google to Win the Net Use OpenID – Wired How-To Wiki White House Cyber Czar: ‘There Is No Cyberwar’ Strong Online Privacy Rules Are Key to Economy: Commerce Department Facebook’s Gone Rogue; It’s Time for an Open Alternative Read more at www.wired.com

 

See this Amp at http://amplify.com/u/bkydb