Understanding the proposed US Internet ID system

Since the United States Department of Commerce announced the creation of a National Program Office (NPO) last week, to be responsible for coordinating activities related to the National Strategy for Trusted Identities in Cyberspace (NSTIC), questions have been swirling in the media as to how the system will work and be used.

The White House actually released a draft of their plan back in June, and in it they’ve outlined a real-life situation where the proposed “Identity Ecosystem” would come into play.

Understanding the proposed US Internet ID system

The scene begins with a woman who would like to request the results of her husband’s last blood test from a recent hospital visit. If you’ve ever had to request information from a medical provider, you know that the Health Insurance Portability and Accountability Act (HIPAA) of 1996 makes getting this information, even for a family member, a difficult task and one that is nearly impossible to accomplish electronically.

These are the types of consumer transactions the federal government is attempting to make electronically secure, and the NSTIC draft explains how they plan to do so:

“[A woman] would like to know the results of [her husband’s] last blood test using a hospital website. The hospital requires that any such requests be authenticated using a strong credential.  In addition, the hospital requires patient approval prior to releasing personal medical information to individuals.  The woman has the confidence to perform this transaction online using her cell phone because all parties involved are using a trustmark, which signifies that they adhere to the Identity Ecosystem Framework… For a transaction of this level of risk, the hospital requires the individual to authenticate using a strong credential. The woman has a Public Key Infrastructure (PKI) certificate issued by her cell phone carrier.  The certificate is stored on her cell phone and associated to her verified identity. The cell phone contains a Trusted Platform Module (TPM) that is used to authenticate the cell phone. The woman plugs her cell phone into her computer via USB cable to conduct the authentication. The hospital validates the authenticity of the credential, the digital identity and the cell phone. Next, the hospital obtains validation sourced from the husband’s primary care clinic that he has approved that his wife can have access to his records.  Using the clinic’s assertion as proof of approval, the hospital then allows the wife to view the test results.”

After reading this, I began thinking about how nice it would be to not have to provide signed paper documents for transactions like medical records requests, and how it could greatly improve upon the systems physician’s offices currently have in place to fulfill such requests.

But should a private sector agency be responsible for creating such a system rather than the federal government? And how can the government build up the trust that would be necessary to convince Americans to participate in such a system?

These are the hot debates currently being waged on the topic, and it will likely take a number of months to see if government officials can be successful in growing support for their online identification process. However, whether it is under public or private oversight, the online world is definitely ready for a strong authentication process that would make online transactions of such a personal nature possible.