Whom Do You Trust?

Not long ago the Clinton administration proposed that every man, woman and child in the United States should have a health-care ID. Criticism was predictable, swift and sure. Even those who routinely use a grocery store discount card to get special savings at the checkout line worried that a national identification card would threaten individual privacy. "What’s next," asked the shortstop on my softball team, "a national passport for traveling around the country?" Well, not quite -- what’s next is a digital ID for every citizen.

In July, Congress considered new legislation creating a national infrastructure for authenticating people’s identity when they shop online or send forms across the Internet. This isn’t just some crazy, pie-in-the-sky, legislator-gone-berserk story. In the last session alone, Congress examined five digital authentication bills.

The idea behind the bills is simple: Put more forms and services online and then establish systems to accept digital certificates as proof of users’ identities. The government could potentially establish an infrastructure that would allow citizens and businesses to do routine government business online. The savings to both the government and the individual could be enormous.

Digital certificates and digital signatures are the foundation for this revolution. When I want to file my tax forms electronically, I use a "private key" to attach my virtual signature to the digital file. This signature includes the information needed for the IRS to retrieve my corresponding digital certificate from a trusted third party. The digital certificate confirms my name, address and other personal information.

The presence of digital certificates and signatures will greatly enhance the security of Internet electronic commerce and legal transactions. That may be enough to jump-start electronic commerce in the notoriously conservative public sector.

However, just as in the case of a national health-care ID, the prospect of a national digital certificate program raises some challenges. Privacy advocates are concerned that a government-led digital certificate program could lead to a fearsome government information program in which everything you do and every online step you take is tied together in a massive government database. Others argue that a more substantial risk is identity fraud. If someone has stolen your private key, will you be liable for the messages, requests or filings that person makes with it? And who is responsible when a third-party certificate authority unwittingly issues a certificate to an impostor?

These are crucial issues for Internet application developers, but what’s missing in the debate is a discussion of the impact of trust on the deployment of digital certificates. When a state agency prepares an application allowing you to renew your driver’s license on the Internet, the agency needs a way to ensure that you are who you claim to be. Today these applications rely on primitive identification techniques such as forcing you to enter a series of digits mailed to you on a postcard, or asking for the last name of a distant relative. It’s not surprising that many states are examining what it would take to give their citizens and regulated entities a digital certificate.

The world is already adrift in an ocean of username and password pairs. Does this mean that we will simply be exchanging one body of identifiers for a newer, more secure set? Maybe not. What if the government could find a way so that multiple agencies at multiple levels of the government could all rely on a single digital identifier? Whether I apply for unemployment compensation in Nebraska, ask for a Riverside Park reservation in St. Louis or apply to the Federal Aviation Administration to become a pilot, I should be able to provide access to my single, authentic digital certificate, and everyone will be assured of my true identity. After all, every one of these organizations accepts my driver’s license as proof of my identity in the physical world; it’s natural to expect them to honor a single identifier on the Internet.

Natural, but naive.

It turns out that if one government agency doesn’t trust another, it’s likely to issue its own certificates or accept a certificate from a trusted third party that has a different standard of authentication. If the campsite reservation system has a fairly liberal policy toward authentication, it may accept certificates that were simply e-mailed to the user. On the other hand, an application that provides access to AIDS patient information might require certificates that have extremely stringent authentication controls. The result is a menagerie of certificates, issued by different organizations for many purposes, under a variety of circumstances. Mix in the certificates issued by the private sector, and users may find they have a tidal wave of new IDs to manage.

As with health-care IDs, Congress is drifting slowly toward a national digital certificate strategy. We can only hope that the drifts don’t pile too high.

Mark McFadden is a consultant and is communications director for the Commercial Internet eXchange (Washington). Contact him at mcfadden@cix.org.