The National Institute of Standards and Technology (NIST), a federal agency within the Department of Commerce, has launched a web site detailing President Obama’s proposed National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC, initially released for public comment in June 2010, was developed in response to the Obama Administration’s 2009 Cyberspace Policy Review, which called for the creation of a “cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
Coining a new phrase for a more secure virtual world, the Identity Ecosystem, NSTIC seeks to improve upon the passwords currently used to log in online, with the broader aims of reducing identity theft and online theft; reducing inefficiencies in online transactions; and providing new online services currently thought of as too risky for e-commerce. While the Identity Ecosystem has not yet been built and no Identity Ecosystem credentials are currently available, some private-sector identity providers do exist. NSTIC envisions individuals choosing their own Identity Ecosystem credentials from a variety of service providers (both public and private) and using any of these trusted online credentials to log in to their banks, e-mail accounts, or social networking sites, without having to remember multiple passwords. In addition, the Identity Ecosystem would seek to enhance individuals’ privacy by reducing the amount of information they must disclose to authenticate their identity.
Participation in the Identity Ecosystem would be voluntary—users will be able to choose whether to obtain Identity Ecosystem credentials; further, private-sector organizations, rather than the government, will build and operate the Identity Ecosystem. And in response to broader civil liberties concerns, the NSTIC requires that the Identity Ecosystem be based on the Fair Information Practice Principles (FIPPs)—a set of eight key principles drawn from the 1974 Privacy Act—to ensure that individuals can trust that their personal information is handled safely.