US unveils plan to make online transactions safer

In the murky world of the internet, how do you ever really know who you're talking to, who you're buying from or if your bank can actually tell it's you when you log in to pay a bill?

Amid growing instances of identity theft, bank account breaches and sophisticated internet scams, the US government is looking for ways to make those transactions in cyberspace more secure.

But officials must tread carefully, as efforts to create identity cards, personal certificates or other systems of identifiers raise privacy worries and fears of Big Brother tracking its citizens online.

In a draft plan released on Saturday, the White House laid out an argument for a yet-undeveloped, voluntary identification system and set up a website to gather input from experts and everyday Internet users on how it should be structured.

The website almost immediately started getting votes, snipes and suggestions, underscoring the incendiary nature of any discussion of internet regulation or formal structure.

"The technology that has brought many benefits to our society and has empowered us to do so much has also empowered those who are driven to cause harm," said White House cyber co-ordinator Howard Schmidt in a blog posting outlining the need for better security online.

The plan, he said, envisions a future in which people would be able to get a secure identifier - such as a smart identity card or a digital certificate - from a variety of service providers. Customers could then use the card or identifier to prove who they are as they make their online transactions.

"Digital authentication has been the holy grail of internet security policy since the early '90s," said James Lewis, cyber security expert and senior fellow at the Washington-based Center for Strategic and International Studies.

This latest effort, he said, has a better chance of succeeding than previous tries, "but we need to see how much opposition it runs into and whether people will actually use it even if it gets deployed."

Ari Schwartz, vice president at the Centre for Democracy and Technology, said the unfettered openness of the Internet was what allowed it to grow and prosper but it also created security gaps that need to be addressed.

However, any move to improve identity systems raised many concerns.

"The whole thing is very difficult to do and privacy is one of the more difficult pieces of it," said Schwartz, adding that the system has to balance efforts to maintain privacy while still finding out enough about someone to ensure his identity.

The government, he said, was correct to try to plan ways to move toward better security, rather than letting it just happen with no co-ordination.

But cyber security experts also argued that the technologies for creating such identifiers already existed and were used in different ways by businesses, particularly banks.

"The vision they put forth is already realised and commercially available," said Roger Thornton, a cyber security expert and chief technology officer for California-based Fortify Software.

He noted that banks already use sophisticated fingerprinting processes to identify a customer who signs in. The system knew if a customer was using a different computer and would often require additional identification if that computer had not been used for the banking website before.

But many companies did not bother with the more expensive or complex identification systems.

So, said Thornton, "the opportunity is there to make things more interoperable and more uniform."

The draft plan is part of an administration effort to promote cyber security both within the government and among society as a whole. Lawmakers have introduced a number of Bills aimed at furthering those goals, and the White House plan was met with initial support from one of the authors of Senate computer security legislation

Add a Comment