Government scientists ask for comments on online privacy ‘cookbook’
Jeremy Grant, former NSTIC head, is now managing director at The Chertoff Group.
Government scientists are seeking public comment on a technical white paper they’ve drawn up to help the private sector ensure that more secure logins for online accounts are also more private.
“Privacy-Enhanced Identity Brokers” was published this week by the National Institute of Standards and Technology as part of its work on the National Strategy for Trusted Identities in Cyberspace, or NSTIC. The comment period is open until Dec. 18.
When NSTIC was launched in 2011, it was designed to address the huge problem of online identity authentication — proving who you are on the Web. NSTIC aimed to get past the password, but not through mandates and regulation. Rather, it was designed to create the elements for secure online identities and let the private sector implement them — a concept known as the “Secure ID Ecosystem.”
“It called for the private sector to take the lead,” NSTIC’s former head Jeremy Grant told FedScoop. “The idea is to make it possible for any consumer to go online and obtain a privacy enhancing secure ID which they can take into the marketplace” to shop and interact with government on the Web.
But there are significant technical challenges, he explained. “It’s one thing to say, ‘we’re going to enhance privacy.’ To architect that into a system … is another thing entirely.”
The white paper seeks to provide a “specific technical building block” to overcome one of those challenges for firms that want to take advantage of the Secure ID Ecosystem that NSTIC is trying to stimulate, he said.
The white paper is a draft of what will eventually become one of the “tools and rules” NSTIC provides for the private sector to help it become players in that ecosystem, added Grant, now managing director at The Chertoff Group.
“The idea is to finish up with a cookbook of standards and practices” for the private sector, he said
One element of the Secure ID Ecosystem means allowing online customers to use another trusted party’s credentials to login online. For example, logging into an online retailer with your social media or email account. “In effect,” states the NIST announcement about the white paper, the social media or other third-party is “vouching” to the retailer that you are who you say you are.
“Allowing third-party credentials saves businesses time and resources in managing identities. For users, the benefit comes from not having yet another username and password to manage and remember,” the statement reads — and, though it doesn’t note this, from not having to turn over all your personal information to another company that might get hacked.
But for many small companies, the announcement says, the burden of managing their relationships with a growing number of these credential providers can become too large. Instead, they turn to identity brokers — businesses that “manage multiple third-party credentialing options on their behalf.”
Such a system, while ensuring greater security, also creates privacy risks. “There is also a concern that these connections meant to improve security can create opportunities for increased tracking of users,” says the announcement.
These risks are especially severe, added Grant, when ID brokers are used to login to sensitive sites, like health care or tax agencies.
“What you want to avoid is a situation where someone logs on using such a service to say the IRS website, and then starts to see advertising targeted at them for tax services … That is not privacy enhancing,” he said.
The ideal third-party credentialing system, said Grant, is “double-blind”: The credential provider doesn’t have any record of which sites the credential’s been used at, and the sites don’t know any more of the information about the credential holder that the provider has than they need to complete whatever transactions the holder is performing.
When brokers get involved, Grant added, “ideally, you want to blind the broker as well,” so that they do not have records of which sites have been visited, by whim and using which credential. “It requires a complicated architecture,” Grant said, adding that there were some forms of “zero knowledge” encryption that could be used.
“This is a very hard problem that commercial concerns have been wrestling with,” he said. “It’s exciting to see NIST continue to provide such a valuable service in partnership with the private sector … a blueprint that many firms can embrace.”
