As our use of the Internet grows globally, a trusted cyberspace identity strategy is necessary to make sure we can consistently and easily safeguard and validate our online identities. Identity theft awareness and identity protection education aimed at Internet users are increasingly important and are required by various laws. In the US alone, there are more than 10 million identity theft victims annually according to official records. In fact, identity theft is now the dominant cause of financial crimes. The increase in criminal identity theft cases, whether to snoop for private information or to commit fraud, can be attributed to many factors, including the economy, lack of consumer awareness of risks and best practices, identity obesity, and lack of sufficient and effective controls to counter identity theft threats.
When we consider identity obesity risks, we cannot refer only to consumers' overconsumption of online services or lack of identity protection knowledge while ignoring business practices. For their part, businesses force consumers to share excessive amounts of private information as part of commercial transactions. Some knowingly ignore data security requirements, primarily to save costs; others remain unaware of how important private data security is to their customers and of the need to address information security as well as identification, authentication and authorization when providing access to customer information. In many cases both consumers and businesses unnecessarily collect, share and retain private information, which makes them identity obese and in need of a serious identity diet, one that can only be applied with proper education followed by appropriate identity protection practices. Interestingly enough, although businesses have long recognized the need to train employees, consumer education has recently been recognized as an important component of an effective identity theft prevention program and has become mandatory under identity theft prevention laws such as the Red Flags Rule.
We now collectively realize the risks posed by the lack of a trusted cyberspace identity strategy, which is why the White House has envisioned the National Strategy for Trusted Identities in Cyberspace (NSTIC). Operating under the jurisdiction of the Department of Commerce and accountable to the President through the Secretary of Commerce, it aims not only to address the password dilemma of logging into multiple social and commercial online accounts, but also to ensure identity privacy, security and resiliency; interoperability of policies, processes and technologies; and cost effectiveness and ease of use.
National Strategy for Trusted Identities in Cyberspace
The trusted cyberspace identity strategy's vision is to have individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation. The realization of this vision is the user-centric "Identity Ecosystem" described in this Strategy. It is an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices.
The Identity Ecosystem is designed to increase the following:
• Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
• Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
• Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
• Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
• Security, by making it more difficult for criminals to compromise online transactions;
• Confidence that digital identities are adequately protected, thereby promoting the use of online services;
• Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence; and
• Choice, as service providers offer individuals different yet interoperable identity credentials.
There are three areas we should mention with regard to the trusted cyberspace identity initiative: privacy laws; consumer awareness of the risks and of best identity protection practices; and a single sign-on process.
First, there are too many redundant, incomplete, and distributed privacy and security laws at the Federal and State levels. While the government is addressing this particular area, it must focus on the existing laws and think about their consolidation and completeness. Although the redundancy of the laws is less of a concern, their completeness must be addressed, which brings me to my next point.
Second, consumer awareness and education regarding identity theft risks and best identity protection practices are not consistently applied or emphasized in many of the current laws. Companies which collect their customers' non-public information in exchange for other identity components such as credit cards must provide their customers with some type of identity theft awareness education to reduce their fraud costs.
And lastly, the existence of an excessive number of online accounts, IDs and passwords increases identity theft risks. Related accounts, such as financial accounts from the same institution, have a lot to gain from single sign-on and a strong identification and authentication mechanism. A good example is the Google strategy of linking its user accounts and using the same access mechanism for them.