Success of government “identity ecosystem” depends on trust in government

It’s not without some irony that some of the most stringent early objections to the administration’s recently released draft National Strategy for Trusted Identities in Cyberspace (NSTIC) focus on the extent to which the government itself can be trusted to hold a central repository of identity information on citizens. Quite distinct from the standards by which individuals and organizational entities determine the trustworthiness of others to whom they disclose personal information, to realize the purported benefits from a system that promises to obviate the need for individual users to keep track of many passwords and versions of digital identities online, people have to be willing to cede the maintenance of those digital identities to the government (or whatever entity might operate the “identity ecosystem” on the government’s behalf). Part of the point of using any user-centric system of claims-based identity management is affording users the ability to disclose only the minimum information necessary for a given purpose such as completing a specific transaction, increasing privacy protections and placing control over disclosure in the hands of users.

To make such a system work, it is important not only that the entities relying on claims information provided to them are able to specify exactly what assertions they need, but also that the assertions, when provide to the entities, are valid and in some way certified or augmented with information about the issuer of the claim (especially where the issuer provide the claim is not the user that is the subject of the claim). An entity can only rely on claims presented to it if those claims are credible, a problem the NSTIC intends to address through the use of an accreditation process by which claims issuers would be designated as trustworthy (although the details for the basis of such a determination are not part of the draft Strategy document). It seems most likely that some government authority will serve as the root of trust in the identity ecosystem, which if true would mean the integrity (and ultimate success) of the whole concept depends on the government being seen as trustworthy. This assumption may prove more problematic than the Strategy implies, given the relatively low and declining levels of trust citizens report having in government in general (cf. Hardin (2006), Putnam (2000), among others), although perceptions vary quite a bit with respect to specific agencies or institutions.

References:

Hardin, R. (2006). Trust. Cambridge, England: Polity Press.

Putnam, R.D. (2000). Bowling Alone. New York, NY: Simon & Schuster.