Government, Industry Seek To Protect Online Identity as New Technologies Emerge
As technology pushes forward, policymakers and technology professionals must understand and tackle the risks to online consumer trust and find better ways to protect identities, panelists said Tuesday during an event at the Brookings Institution. Issues in coordination, encryption and the different layers of network systems are challenges in the effort, they said.
"Identity online sometimes plays out in a different way than in the physical space,” said Ed Felten, the FTC’s chief technologist. “Online there are more shades of identity.” The challenge in addressing issues like phishing, spam and theft is “we have many different actors at different layers of the system,” said Allan Friedman, a governance-studies fellow at Brookings. A coordination problem exists between the online services, the vectors of the attack, like a local network, “the Web services that are responsible for authenticating the user and the users themselves,” Friedman said.
An expected wave of new consumer electronics will increase risks to online identity, said Patrick Crowley, associate professor of engineering at Washington University in St. Louis. “The risks and the dangers of the future are far greater than they are today.” Consumer electronics will all be Internet-enabled, he said. It’s “an unusual coupling between your digital identity and consumer electronics,” he added.
Innovation is valuable and difficult to get right, Crowley said. Regulation and heavy requirements “can unintentionally hinder that delicate process.” Coordination and standards are key in driving down costs, Friedman said. “That’s a role the government can play.”
The government doesn’t intend to impose detailed rules in advance, Felten said. However, “there is a role for government to act when a company has been inappropriately careless,” he said. Last month, the FTC released a preliminary report offering recommendations to companies on how to protect consumer information (WID Dec 2 p1). In comments about the draft, some technology companies have shown support for a Do Not Track mechanism, he said. “We may see support from browser vendors.” Some companies reported concerns about “the impact of Do Not Track on the online advertising ecosystem,” he said. “I think some are driven by a misinterpretation of what the FTC is talking about.”
The commission’s “Red Flags” rules apply only to financial institutions and creditors and “do not currently apply to a large set of online services,” Brookings said in a report released during the discussion. Yet Facebook, Google and other top targets of phishing attacks in 2010 aren’t financial services websites, the report said. “We should have these services perhaps be under a similar regulation,” either voluntarily or by mandate, Friedman said. However, if companies have sophisticated tracking models, then they should have “a fairly sophisticated model for monitoring fraud,” he said.
Opinions varied on the effect of encryption in improving online trust and identity protection. Encryption both helps and hinders networks, Crowley said. It can prevent intrusion prevention systems from looking at the bits of an Internet package, like Gmail, he said. “It can help secure the authentication step, but also obscure the perspective that administrators have in keeping networks safe.” More use of encryption “can provide a measurable benefit to the end user,” Felten said. As people start connecting more devices from more places, there’ll be more encryption, he said. But “it won’t be at odds with intrusion detection software,” he said.
A goal of the National Strategy for Trusted Identities in Cyberspace is to “authenticate that this is the same person who was here before” even without knowing who it is, Felten said. “We’re likely to get beyond passwords as a primary identifier,” he added.