Guest Host: Rebecca Roberts

The goal of the National Strategy for Trusted Identities in Cyberspace: to mobilize public & private sectors to work together to enhance online security and privacy, while reducing or eliminating the need to memorize multiple passwords for use on the Internet by creating a system of trusted digital identities. Some hail it as ‘long overdue.’ Others say it is over-reaching, and a utopian view of intervention in the Internet age that could do more harm than good.

Guests

  • Ari Schwartz, Senior Internet Policy Advisor, Information Technology Laboratory, National Institute of Standards and Technology

Transcript

  • 12:06:41

    MS. REBECCA ROBERTS: From WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your community with the world. I'm Rebecca Roberts sitting in for Kojo. Coming up this hour, the online world can make a lot of things easy. It makes it possible for us to manage our bank accounts, purchase concert tickets, poke our best friends on Facebook, all in just a few keystrokes, but this flood of online transactions is making for an epic logistical challenge. By some estimates, small businesses spend an average of $100,000 a year just to manage the passwords on their computer networks. One federal agency with 44,000 employees recently discovered that it was responsible for 700,000 different user accounts.

  • 12:07:31

    MS. REBECCA ROBERTS: The Obama administration is floating a proposal to make online transactions more secure by creating a new identity ecosystem. That's a trustworthy system where the public and private sectors would work to create interoperable security credentials for a variety of services. Joining us to explore why the administration feels that a national system for trusted online identification is necessary is Ari Schwartz. He's a senior Internet policy adviser at the Information Technology Laboratory for the National Institute of Standards and Technology. Welcome to "The Kojo Nnamdi Show."

  • 12:08:02

    MR. ARI SCHWARTZ: Thank you for having me, Rebecca.

  • 12:08:03

    ROBERTS: And you can join us by calling 800-433-8850. E-mail us, kojo@wamu.org. Or you can get in touch with us through Facebook or by sending us a tweet to @kojoshow. So, Ari Schwartz, when you say things like identity ecosystem, you can, you know, hear radios clicking off all over the greater Washington metropolitan area. So please explain for us in lay terms what this proposal is about and why it's necessary.

  • 12:08:32

    SCHWARTZ: This is a problem that everybody that uses the Internet knows about today, which is that passwords are fundamentally broken. We have -- if you just think about the way that people use passwords today, they tend to have one or two passwords, usually things that are just very...

  • 12:08:47

    ROBERTS: One that's just plain, and one that's alphanumeric, depending on what the site requires, yeah.

  • 12:08:51

    SCHWARTZ: That's usually the case, right? And usually, they're tied together. And we've seen even in some of the recent hacks where whole lists of passwords have come out that the most common ones have been one, two, three, four, five, six or password or, you know, very, very common things that everyone, a lot of people use just to try and put something in very quickly. That simply doesn't work in terms of protecting security or protecting privacy. Now -- then, the other thing that people do is that they write down, write their password everywhere if they have more complicated passwords or they sometimes, like we are in the government, forced to have really complicated -- a number of different really complicated passwords.

  • 12:09:35

    SCHWARTZ: People will start writing them down, and I've recently actually seen a book that someone publishes, you know, to create so you -- to give you, you know, places to write them down. Again, terrible for security, terrible for privacy, and we think that there's been a lot of discussion in the technical world going back years to try and come up with ways to make this better, but we're at a breaking point now where just so many people use the Internet for so many different things, and we can't put new more advanced services online because people don't trust the services that become available. The question is, can we build something that's interoperable that works together so people can use these across different kinds of services that is easy to use, right?

  • 12:10:20

    SCHWARTZ: That's one of the harder things. That is private. That privacy is being protected and voluntary in that way too so to address a lot of those concerns, and it's secure, really addresses all four of those main guiding principles. And we kind of put out a vision to do that with -- in the -- from the administration. The key is that this has to be something that's done by industry. A lot of other countries have looked at the same problem and said, we need to put out -- we either need -- they either have a national ID currently. They want to make their national ID work in the space, someone to put out an Internet ID, which turns out to be extremely expensive as well as privacy -- raises a lot of privacy concerns.

  • 12:11:02

    SCHWARTZ: And also is -- does it really mesh with the idea that one of the main goals here is to build further innovation for the future. How do we build a platform for innovation that can work and build new services on top of it, really it has to be the private sector that is building those new services that has to build to be able to build that platform. So we're trying to work with the private sector to be able to do that, get their ideas. They've been extremely supportive so far of the -- of this -- of the idea here of an identity ecosystem of moving this project forward, and we think that we can -- we have engaged them, and we will continue to engage them to create something that can work across -- well, those can take it -- this isn't something where you're going to be able to sign up today for...

  • 12:11:46

    ROBERTS: Right.

  • 12:11:46

    SCHWARTZ: ...an identity tomorrow, right? This is -- we're talking about five years out, three to five years out where we'll start to see it in five to 10 years. Where you start to have the kind of whole broader system built. We do start to see a little bit now of these -- of better practices in this space. Google now has a one-time password that they have out there for you to sign on the system so you could use your cell phone as a second -- something separate from a password along with the passwords so it's not just the password. If you lose your password, you can feel that you have another line of protection in place. Another important thing is this isn't going to solve every security issue on the Internet.

  • 12:12:27

    SCHWARTZ: I think people have been looking around for the silver bullet for privacy and security issues on the Internet and hoping that will come -- one will come along some day. This is going to be a lot of work. It's still not going to solve every issue. We still need to do all the other things out there to protect against phishing, to protect against different kinds of hacking attacks and protect privacy in law and in practices better.

  • 12:12:54

    ROBERTS: Well, also it seems that some of those priorities are slightly at cross purposes. Certainly, security, privacy, ease of use don't always follow the same path. So at some point, you're going to have to balance those, right? I mean, the reason that people write down their passwords other than just stupidity (laugh) is that, you know, if you work for a system that encourages you to change it and make it alphanumeric and have a symbol in it every three weeks to increase security, you can't possibly remember what you just changed it to because that's where security has trumped ease of use. If you're making it all easy to use and you made it all your middle name, then it's not particularly secure. How do you balance on a national level taking into all of these different uses, all of these different levels of tech savviness those competing interests?

  • 12:13:41

    SCHWARTZ: That's -- I think, well, that's one of the key questions we have out there. We have -- what we've started to see and the reason I raised this point about the one-time password is we start to see phone apps, right? Where -- so you have -- you may have a weak password on one side or a password that you use all over the place on one side, but then, you get a phone app where it gives you a new one-time password every 30 seconds, right, that's refreshing, and it's based on a cryptographic code. Now, that could be broken as well, right? And that's not alone a solution, but the more -- the fact, when you -- now, that you have these two factors in place and the username, or if we -- if it's a more secure transaction, something else on top of it, something, you know, maybe a USB chip or using some other means of encryption to get onto -- to tie this together.

  • 12:14:25

    SCHWARTZ: That's going to be harder to break, and that's the key. Can we come up with something that's usable in the way that people regularly use a phone app today, might be slightly less usable than the password password, right? People typing one...

  • 12:14:37

    ROBERTS: Right, right.

  • 12:14:37

    SCHWARTZ: ...two, three, four, five, six over typing those types of things into the computer, but it is better than what we have today, and that's what we're talking about. Can we improve the current system from what we have today, make some progress in the space, make something that's usable, it's interoperable, but make it so that it -- we can make it more usable for users by the fact that you'll only have to have a few of these, right? You don't need to have -- know -- have the same password everywhere that you -- different passwords everywhere that you go with different logins that are accessed differently, that each need to be secured individually.

  • 12:15:10

    ROBERTS: So why isn't this a national ID?

  • 12:15:13

    SCHWARTZ: It's not a national ID. First of all, because, again, it's being run by the private sector. There's no -- it's not a requirement that anyone have one. It's not a requirement. In fact, we're purposely saying that it's voluntary, right? This is -- that the idea is that the government will not require that it's used, not require that it's created in that way. So what we're doing is convening the private sector to help bring all the parties that you would need to do this together, not to build a database, not to build a national system in that way, but to build a kind of the -- a system that works for the Internet, an international set of standards that work together in order that this information can flow but everyone can have a relationship with people that they trust in the private sector in order to make this work and then have that protected by privacy rules as well.

  • 12:16:00

    ROBERTS: So why does the federal government have a role at all?

  • 12:16:03

    SCHWARTZ: Because this has been tried several times by the private sector and even the government has been involved in a couple of cases as well but not on this kind of scale where the president has signed a strategy to move this forward where there's -- we're talking about putting money into -- from the federal budget into pilot projects to make this work to have it organized in that way from NIST, the National Institute of Standards and Technology, really trying to motivate people the way that we have other kinds of large-scale projects like health IT and other kinds of issues where you need the private sector to work together, and it can't just be the Internet community has to be all of this -- everybody that uses the Internet, including all the e-retailers out there and the brick-and-mortar people that use these kinds of credentials today as well to buy into this system. And it's still a test whether we can do that, but we think that we're on the path to getting it right.

  • 12:16:52

    ROBERTS: My guest is Ari Schwartz from the National Institute of Standards and Technology, and you can join us at 800-433-8850. How do you manage your online security? Are you someone who uses the same password for everything? Do you have your own tricks of how -- what makes you feel more secure in your transactions online? 800-433-8850. Or send us e-mail, kojo@wamu.org. We have an e-mail from Colin who says, "An easy-to-use technique for individuals is to use an encrypted file with passwords. I paste my passwords from the file after opening the file with a key. I sense that this is a safe individual solution since it defeats keyloggers and defeats hackers getting hold of the encrypted file, but is it really safe?" Do you have an answer for Colin?

  • 12:17:34

    SCHWARTZ: Well, it's certainly better than what most people do in terms of writing them down, but the fact that you open it and then that gets stored in memory as well by the fact that -- when after it gets open et cetera, you have to be pretty careful about how you end up treating that file if you're going to do that. Now, some computers, you know, Apple has a whole encryption -- encrypted system that they put in place. Others have key management systems that they put in place where their file is encrypted and passwords are stored to try and do that for people. So in some ways, those systems are better protected today as a kind of halfway alternative, but still again, none of this is perfect where we don't have a solution in the space which is part of the reason that we feel it's necessary to sit down with industry and say we need to have better solutions in the space. And again, it's an international problem. It's not just a problem in the U.S.

  • 12:18:21

    ROBERTS: Well, you said that sort of the time has come because there's a breaking point. Is that because of just the sheer volume of online interaction? Is it because more sensitive transactions are coming online like health records? Is it because the processes that we have in place aren't working? All of the above?

  • 12:18:41

    SCHWARTZ: It's all of the above, and I think that's why you're hearing more private sector voices come together and say we really need this. And if -- I mean, if we go to the website that we put together around this at NIST, you'll see there are a detail -- a long, long list of these private sector companies and of trade associations, big-name companies that really want to see this in place today because they understand what it is. And I think also, I mean, we've talked about the downsides of privacy here, but we also heard from privacy advocates who say, look, the system is not working -- this current system is not working for privacy either. The goal is, can we improve privacy from where we are today?

  • 12:19:15

    SCHWARTZ: And we think that that's possible today because we have better privacy enhancing techniques than we have in the past in the space, better kinds of controls in the space that use encryption to protect privacy in the space. We need to start using those to move past where we are today on privacy as well. So the -- all this kind of -- this confluence coming together at the same time has really pushed us to say, now is the time for the government to convene and take advantage of this, with the private sector taking the lead, right? So we can bring all these people together that have done -- started work on their own and kind of bring those together to become more interoperable.

  • 12:19:49

    ROBERTS: Let's take a call from Brian in Alexandria. Brian, welcome to "The Kojo Nnamdi Show."

  • 12:19:53

    BRIAN: Thank you for taking my call. I just want to take issue with a couple of little comments you make. I just have a small business. I have one computer here at my office. I do my work online. I've tried to -- for years, when dealing with this password issue, I use -- I'm one of these people that, just like you were commenting about, uses pretty much the same password for everything I possibly can. And I've done that by design to both make it easier and make it more efficient for myself. I don't do any online banking.

  • 12:20:23

    BRIAN: I don't have any really secure files on my computer. I don't really see what the problem is for someone like me that I keep hearing referred to as stupid, that people do this and sort of derogatory remarks about people who work like that. Tell me what the problem is for someone like me. Again, I have -- I just do my work on my computer. You know, why is that an issue? Again, I'd -- I do have...

  • 12:20:45

    SCHWARTZ: Brian, I mean...

  • 12:20:46

    BRIAN: ...a booklet where I've put them for the few where I've had to come up with something where a site has insisted that I have a new -- a miracle thing and a symbol or something in it. I've come up with two or three that I just use over and over and over again. And I have written them down in a book for even those to make sure I remember them. But it's worked fine for me.

  • 12:21:02

    ROBERTS: All right, Brian. Let's give Ari Schwartz a chance to answer. Yeah.

  • 12:21:05

    SCHWARTZ: Again, I don't think that -- Brian, I don't think that what you're saying is stupid at all. In fact, I think that it is completely logical, what you said, all right? That is the way that people deal with this because that is what you have to do today in order to engage online, right? You have to either have a series of passwords that you write down or you have to have a single password that you use over and over again. Those are the two coping mechanisms that we have of today's system. Now what you said that's really interesting there is you said you won't bank online, you won't do more advanced transactions.

  • 12:21:35

    BRIAN: No. It's that I don't. It's not I won't. I just haven't.

  • 12:21:37

    SCHWARTZ: Okay. You -- but -- so -- but I'm saying, if you felt as though you could trust it more, if you have -- if there was a system in place to say you could trust it more, if it would save you money, if it would make the banks more money, right? So everyone wins from that -- this new scenario, right? Wouldn't that be a better world that we would have...

  • 12:21:57

    BRIAN: I don't understand why you say everyone wins if I bank online. I don't understand that. Why is that…

  • 12:22:01

    SCHWARTZ: Because the transaction cost, right, of sending -- of banking through ATMs, of having the paper involved, of the check world, et cetera, money can be saved through the -- using less transaction cost for you, being able to spend less time on banking and for the bank themselves, right? And that's not to say that everyone should go bank online immediately. What I'm saying is can we build new kinds of transactions, banking being the one that you raised, but new kinds of services helps...

  • 12:22:29

    BRIAN: My not banking online had nothing to do with passwords or...

  • 12:22:32

    ROBERTS: Well, what -- Brian, let me ask you this. What -- why -- when you say that you limit the transactions that you use online, is that just because you prefer to do it another way or do you have security concerns?

  • 12:22:43

    BRIAN: No. It had nothing to do with security concerns. It was that I prefer to do it the other way. I mean, I certainly -- I shop online. I do things online. I do a variety of things online. I'm just not a super computer user in the sense that I've got, you know, like so many things. Maybe it's in age difference or a cultural difference. I just don't do everything from ordering pizza to getting everything else online. I do my banking. I still go by my bank. I mean, it's on my way home when I come -- when I need to deposit checks or do any of my transactions.

  • 12:23:13

    BRIAN: I just haven't thought it was necessary to go do the set up and do all, what I consider, the hassle to switch everything over to being online. Quite frankly, from my very pretty straightforward banking needs, banking the way I've been doing them seems fine. I hear people that do all of their financial transactions online, and that's great for them. I just -- I've thought about it. I've talked to people who do it that way and thought it seems more of a hassle than it is the way that I'm doing it now.

  • 12:23:38

    SCHWARTZ: And...

  • 12:23:39

    BRIAN: And so it had nothing to do with security or passwords or anything. It was just a -- I don't wanna -- to bother of setting all that up and doing...

  • 12:23:46

    ROBERTS: Right.

  • 12:23:47

    BRIAN: ...what seems more complicated than the way I'm doing it.

  • 12:23:48

    SCHWARTZ: And again, that's why one of the main rules here that we're looking at, one of the main guiding principles, is this is this can be voluntary because -- for people like you who might not see benefit from this. But as more and more people do use more and more services online, and more and more services are created that will save people time and money and save businesses time and money, people are gonna want to use them. We're seeing that already. I mean, it's hard to dispute that people do want to use online services.

  • 12:24:14

    SCHWARTZ: The question is, can we get more of them online by creating a more secure process? For someone like you, Brian, that might not be most compelling need to go -- come and get one, but you may find that there are services later on that come around because this exist that will want -- will drive you to that, that it may -- you may want to do that. So that's really the main point here. But I think -- I mean, you're basically -- by saying you only have one password and you write them down, that's the way you do it and you don't think it's dumb, I completely agree with you. That's the only choice you have today.

  • 12:24:43

    ROBERTS: We are talking about another choice, a possibility of building a trustworthy system where the public and private sectors work together to create some kind of interoperable security credentials for a variety of online services. My guest is Ari Schwartz with the National Institute of Standards and Technology. We are going to take a quick break, but we will take your calls at 800-433-8850 and your emails, kojo@wamu.org, when we come back. I'm Rebecca Roberts, sitting in for Kojo Nnamdi.

  • 12:27:01

    ROBERTS: Our guest is Ari Schwartz, the senior Internet policy adviser at the Information Technology Laboratory, National Institute of Standards and Technology. And we are talking about a new proposal from the Obama administration to make online transactions more secure by creating a new identity ecosystem. You can join us by calling 800-433-8850 or email us, kojo@wamu.org. You can also get in touch with us through our Facebook page or by sending us a tweet to @kojoshow.

  • 12:27:28

    ROBERTS: We have an e-mail from Jerry in Cleveland Park who says, "I'm a cyclist. I used to be a big Lance Armstrong fan so I made most of my passwords somehow related to Lance and the things he stands for. That was before I decided he was a cheat and a liar. Needless to say, I had to change all of my passwords. (laugh) Haven't come up with a theme that helps me remember them yet." We have another email from Ellen. She says, "Where does cloud computing fit in to this plan?" Ari Schwartz, you have an answer for Ellen?

  • 12:27:56

    SCHWARTZ: That's a good question. You know, as -- it's a perfect example. I've been saying before, talking about innovation and wanting to see new services move online and, certainly, one of the things that at least companies are extremely excited about and certainly -- and the federal government has been excited about, is moving more services to the cloud. That means moving more services to -- not stored on local servers but in -- through ways that people can access them in -- held by other private sector entities and other entities that worry about the security and worry about protection on that -- those services. One thing that's key there is how do they know that you're you when you log in, right?

  • 12:28:39

    SCHWARTZ: And so, that is the -- or as The New Yorker said, many years back in -- nobody knows you're a dog on the Internet, right? So how do they know that you're the dog that's supposed to be the one accessing those services up in the cloud and authentication becomes extremely important in that space. And those companies that give cloud services have to become experts in it. And you could see -- foresee those companies, that's why companies like Google, like Amazon and others have been so -- and PayPal and others have been so keen on looking at this issue of how do you get authentication right and what -- can we use that for other purposes as well because they've spent so much time and effort looking into the security of that authentication and trying to make it work.

  • 12:29:28

    SCHWARTZ: That could be helpful for building this bigger ecosystem, but they have to be able to get it right first. And I think they're still -- we're still moving -- making sure that we're moving in the right direction to make sure that authentication in the cloud is the right kind of authentication.

  • 12:29:41

    ROBERTS: Let's hear from Sheryl in Ellicott City, Md. Sheryl, welcome to "The Kojo Nnamdi Show."

  • 12:29:46

    SHERYL: Thank you for taking my call. I just recently returned from Australia where I lived for four years. And they have something there called BPAY or pay anyone. And it was through the banking system, but it worked and interfaced with everything virtually. We would get a bill from our phone company, our electric company or even some -- where our children were attending school when we had to pay for something like a field trip.

  • 12:30:18

    SHERYL: And I had a BPAY number on there. It was a like a tracking number. And I would just get on my website with my bank and put in that number and just transferred money that easily. And there wasn't really even a password that I had to know there, so people could transfer into my account or I could transfer into anybody else's account as long as I have their number. How would that work with what you're talking about?

  • 12:30:48

    SCHWARTZ: Well, certainly, the banks and PayPal and other kind of payment -- people that do payment systems have been very interested in this project and have been supportive of it if you look on the website. And I think that they would like to try and find something that works that way. I don't know how. I know that there has been a lot of progress made by banks in Australia. I don't know how they do the authentication piece of it, but obviously, they've gotten the usability down to the point where it's so seamless that you have then -- Rebecca raised earlier, one of the main, biggest stumbling blocks that we see now -- I mean, even for passwords now and make passwords better has been usability.

  • 12:31:26

    SCHWARTZ: Can we come to way where we can make payment systems that easy to use, yet still private and secure, right? That is really one of the goals -- long-term goals here for the banks and the payment systems that are involved in this space. They think they can do it, right? The question is -- and again, I think it's not something that's around the corner for the U.S. the way that sounds like it is from what you're describing in Australia.

  • 12:31:48

    ROBERTS: Well, there's also in addition to whether or not the online entity or whatever it is can do it, there's the question of whether or not the public trusts it, which is harder to quantify, not necessarily related to how trustworthy it actually is and varies country to country. You know, in the U.S., we may be completely comfortable letting Google have our information, but less comfortable letting the federal government have our information, which is a moving target and harder to determine where that line is.

  • 12:32:17

    SCHWARTZ: And that's certainly been the case for health IDs, where other countries have trusted in. And the U.S. just decided that we do not wanna have a single health ID because of concerns about how it's gonna be used so.

  • 12:32:25

    ROBERTS: Let's hear from Kit in College Park. Kit, welcome to "The Kojo Nnamdi Show."

  • 12:32:30

    KIT: Hi there. Yeah. So I was calling with a couple of things. The first, which is that to the -- there are previous callers who called and say why do people call it so foolish when I store my ID or my password, the same username and password for every single website. And I just want to say that the reason for that is that every single ones they have that store those credential and somewhat, say, it's better than others when one of those websites falls prey to a hacker or something, that website gets compromised, and your user name and password gets compromised. And if you use the same one everywhere, then sure enough everyone -- all of your accounts are compromised instead of just one.

  • 12:33:06

    KIT: And I guess after a caller questioned, I'm just curious whether or not you've ever heard of the OpenID project. And I know that's not, of course, a perfect project. They have a lot of small flaws in it, but it's certainly a unified system. And I guess I'm just curious whether or not you think they're having a more distributed authentication for some -- is a better system or is it purely going to be something that the government has to rally behind and be the entity that says that everyone has to use this authentication method?

  • 12:33:40

    ROBERTS: Kit, thanks for your call. And I should say that the Open Identity Exchange participated in our previous segment on this issue on March 15 of this year. There's a link at kojoshow.org. Ari Schwartz.

  • 12:33:50

    SCHWARTZ: Thanks. No, that's a good point. I mean, I think, I, kind of, sort of, thought that it was intuitive that that was the issue, but he -- well, what Brian, the last caller, had said was that he doesn't do any sensitive transactions, so then -- I took that to mean why should we be concerned about the potential threat of a hacker breaking in and getting that password because then he can just go and change this without any real loss. Obviously, if you do anything sensitive at all, you do have -- it's a major concern.

  • 12:34:20

    SCHWARTZ: So it is -- I don't -- again, I don't think that it's foolish to do what is basically logical in this space, because that's one of the only coping mechanisms you can have. However, there are real risks out there. I mean, you have to question about how much you can trust systems if that risk is out there. And that's your coping mechanism.

  • 12:34:40

    SCHWARTZ: So I have -- I try and keep, you know, someone give their example of Lance Armstrong, you know, having series of things. I have a kind of series of ways of going about developing passwords, right, and have, you know, five or six going at the same time so -- but it's difficult to keep in your head, right? And I do try and keep in my head and not write it down, but I think that because I'm in the password space, right, I'm different than most people. I'm thinking about that too.

  • 12:35:07

    ROBERTS: Right. You're paying maybe a little more attention with that.

  • 12:35:09

    SCHWARTZ: Yeah, exactly. So, and then on the point about OpenID project, I mean, that is exactly the type of distributed model that we're discussing now where the identity is not kept in a central location. It's kept by different kind of companies. There's just the way of knowing how it's transferred. That was developed for, kind of, very low level kinds of transactions, and so for, you know, comments to blogs and things like that. They are in the process of developing it.

  • 12:35:34

    SCHWARTZ: And the Open Identity Foundation is in process of developing, kind of, techniques to go to higher levels of authentication, which will be important for how this strategy moves forward and the process moves forward here. And my work -- there are also a number of other kinds of groups that are doing similar things.

  • 12:35:52

    ROBERTSMm-hmm.

  • 12:35:53

    SCHWARTZThere's another standard out there called (word?), which is sort of (word?), which is another kind of text standard in this space, and not to lose too many people talking about the standard space but...

  • 12:36:02

    ROBERTSRight. Right. There are not too many that's -- right.

  • 12:36:03

    SCHWARTZI mean, I think, I mean, you -- and that's what -- we kind of try and stay away from that, but I think it's important for people to know that there are a number of them out there. The question is can we move to one kind of similar goal in this space, make it all interoperable. I tend to -- you know, one way to think about this is the way ATM cards work, right? Those of us will remember when they first got their first ATM card in kind of the earliest, early '80s, mid-80's, right? It basically only worked at your bank.

  • 12:36:28

    ROBERTSRight.

  • 12:36:29

    SCHWARTZRight. Then there were these groups that formed, where you get Cirrus and Plus and maybe few other there, right?

  • 12:36:33

    ROBERTSMac, yeah.

  • 12:36:34

    SCHWARTZAnd you had to go to the one -- you'll look on the back of your card and look to machine, they did match up, right? Does that work? And then by the end of the '80s, right, you could get to the -- we were basically at the point where you could use that ATM card anywhere and get cash out anywhere in the world...

  • 12:36:52

    ROBERTSFor a fee.

  • 12:36:53

    SCHWARTZFor a fee, right? And the question is who's gonna pay here? Is it gonna be the company that uses -- that asked to use the ideas? Is it gonna be the consumer? Is it gonna be the ID provider? How are we gonna work out this process to do this? And that's called -- we're calling it the governance model. And also what the liability is for people too. We had to work that out for ATMs and for credit cards in the past as well in a way that consumer -- that work for consumers and work for the companies.

  • 12:37:20

    SCHWARTZSo we think we can do it, but -- and people can see how it might go about developing, like, you might have this kind of process where, right now, we're only working with one company, but then you start to work with, kind of, federations of companies and build that out over time.

  • 12:37:33

    ROBERTSLet's hear from Doug in St. Mary's County, Md. Doug, welcome to "The Kojo Nnamdi Show."

  • 12:37:37

    DOUGYes. Good afternoon. Thank you for having me.

  • 12:37:40

    ROBERTSSure. Go ahead.

  • 12:37:43

    DOUGCould you hear me?

  • 12:37:43

    ROBERTSYeah, we can hear you fine. What's your question?

  • 12:37:46

    DOUGOh, it's not a question. It's just a comment. It just sounds to me like this is just another government ploy to get the foot in the door. They've always wanted to control the Internet. Your guest said a couple of things that struck me. One is the Internet will never be 100 percent secure and, two, the government is gonna -- putting up money for development and research, which tells me they're gonna want some kind of control right there.

  • 12:38:12

    DOUGI do online banking. I do online shopping. I surf the net. I do a lot of things that I leave it up to my financial institution to make their stuff secure so that nobody can hack in. And I'm sure to changing that all the times. So basically, my comment is just that it's just another government gimmick to get the foot in the door to control the Internet.

  • 12:38:35

    ROBERTSDoug, thanks for your call.

  • 12:38:36

    SCHWARTZLet me make this very plain, right? The reason I came into the government was because I strongly believed that there is a right way to do Internet governance, right? And that is to let the private sector lead and to make sure that government's role is protecting consumers and not trying to overreach into control. The government created the Internet, right? The U.S. government created the Internet, handed it to the world through a governance model that allows the private sector to lead in this space.

  • 12:39:09

    SCHWARTZThat is what we're discussing here as well. Take the same kind of process that we did with the Internet to develop -- do some basic research and development, mostly run through the private sector and run by the private sector -- these pieces run by the private sector, and develop a governance model that is decentralized the same way that the Internet is decentralized, have the private sector lead that. You want your bank? You trust your bank? Your bank can run your credential for you. That is the goal.

  • 12:39:35

    SCHWARTZEvery -- almost every other country in the world, not every country in the world, but almost every other country in the world is either developing and saying that they will run this credential, right, that there will be a national ID and they will run it, or that they will give it to one sector, particularly the banks right now, so that the banks in Sweden will run this process, for example, and you will not have a choice as to who you use. You will have to use your bank. That will be your only choice. We are saying that that's not the way it should be. We're saying that it should be only tied to your -- something within your country, right, that you can have international choices here.

  • 12:40:10

    SCHWARTZWe think that the U.S. wins in that kind of situation that innovate -- we are the country that innovates best for the Internet, we are the country that comes up with the best kind of process here for how things are governed in a decentralized way. That's why the Internet works so well today because the U.S. did that for the world, and that's what we wanna do here for authentication as well.

  • 12:40:32

    ROBERTSAnd what happens when the priorities of the government conflict with the priorities of the private sector?

  • 12:40:37

    SCHWARTZWe need a process to adjudicate that. And what we're saying is because this process is gonna be run through a private sector governance body, the government will not always win that -- in that situation. And that's exactly the importance of saying this is a private sector-run process, that the government will not always win. The government will be involved, right, and the government will use these credentials. And if they don't like one, you know, the way that they're -- someone that they have a contract with is working, they can go to someone else and have another contract with them. But that's -- they're just the same as any other player in the space.

  • 12:41:09

    ROBERTSMy guest is Ari Schwartz, senior Internet policy adviser at the Information Technology Laboratory, National Institute of Standards and Technology. We are going to take a quick break, but we will continue talking about online identity security when we come back. I'm Rebecca Roberts. This is "The Kojo Nnamdi Show."

  • 12:43:12

    ROBERTSWelcome back. I'm Rebecca Roberts, sitting in for Kojo Nnamdi. I'm talking to Ari Schwartz, the senior Internet policy adviser at the Information Technology Laboratory, National Institute of Standards and Technology, and you can join us at 800-433-8850 or send us email at kojo@wamu.org. Ari Schwartz, we have an e-mail from Bert who says, "Why are you not mentioning software like RoboForm? This software will securely save all your passwords in one place, allowing you to use just one password to access all your sites. Please mention this to help all the poor people trying to remember all their different passwords. This is also a great way to get around key logger viruses which track your key strokes. I've been using this software for many years and couldn't do without it."

  • 12:43:53

    SCHWARTZThis is the kind of software that I mentioned before. I didn't give names of particular products other than to say that, you know, that some operating systems are now building this into the structure of the operating system. But the idea is that the -- they take your password, it says, do you wanna remember this password? And then they encrypt it. It's also being built into some of the browsers as well. You'll see this at the top come up and say, do you want us to remember your password? And basically, it's using the same kind of software that the person who -- the listener is mentioning. So -- and the idea is that it's storing it essentially and encrypting it.

  • 12:44:29

    SCHWARTZSo there's a lot of benefits to that, which is that it's encrypted on your computer, as he said, you know, you don't necessarily -- there's not -- you don't get caught by key loggers. The -- there are some potential downsides, which is if this -- if something goes wrong, the software gets corrupted in some way, you have to -- some reason you need to go to a different computer, you've completely then lost all access.

  • 12:44:53

    ROBERTSRight.

  • 12:44:53

    SCHWARTZRight. You have to use all the secondary methods in order to get your passwords back. So it's not necessarily of total downside 'cause, again, there are downsides to every one of these things, but people should be aware of that when they sign -- use this kind of system. I actually, I mean, I -- there is some that I use and I think that, you know, a lot of times when you're signing for Wi-Fi networks, this is the kind of system that they use for signing up for Wi-Fi networks using -- filling in the passwords for you so you don't have to remember them. I do that most of the time. So...

  • 12:45:23

    ROBERTSSo for instance, in a browser like Firefox, when it says, do you want Firefox to remember your password and your options are, never, only for the site, or yes, please, or whatever it is. That's what it's doing is encrypting it?

  • 12:45:32

    SCHWARTZYeah. My understanding is it's storing it and encrypting it the way in the same way that RoboForm or other software does that, yeah.

  • 12:45:38

    ROBERTSLet's hear from Moondancer in Takoma Park, Md. Welcome to "The Kojo Nnamdi Show."

  • 12:45:44

    MOONDANCERHi. I can't remember my passwords and I rely on them to give -- ask me my security questions. And for a while, I was given the same, you know, what's your dog's name or something like this. Now I realized that they started giving me a chance to make my own, and I make a different one like who is my commanding officer or where -- who is my favorite movie. And is this secure now?

  • 12:46:11

    SCHWARTZWell, it has a lot of the same problems that passwords do even though it's -- and, in fact, in some ways, it's slightly less secure because the number of options are smaller, right, and there's a lot of key strokes that are involved here again. So there are a number of potentials -- reasons why it's slightly weaker. But, again, it's a way that people cope today, right, is to use the secondary mechanism that they have instead of the password for solving the issue. It just comes down -- it's just another kind of password. And then you'll also hear one technique that companies have done because people have been so bad at the password side.

  • 12:46:47

    SCHWARTZSo, you know, banks I know, for example, well, if you log in from a different computer, they also know what computer you're coming in from, what browser you're using based on a cookie or another kind of techniques to try and figure out whether they know it's definitely you or could be you coming in from somewhere else. Someone in there they'll ask you like a question, either a security challenge question, like the one the caller was just mentioning, or a knowledge question, you know, how much was your last deposit, something like that, or something that only you should be able to know. And so, that's another means people -- that companies have been dealing with it that's similar to that.

  • 12:47:24

    SCHWARTZAgain, it's sort of complicated, right, and they'll have all these different mechanism -- means to do it. What it -- it would be easier if we could have some -- with something that's really usable, something that you have on you, like your cell phone, I like -- I use that as an example because I know so many people do use apps these days, right, and can understand how that could be easier to use. But it could be something else physical, too, like a USB thing that you plug into computers or something like that.

  • 12:47:49

    ROBERTSWell, it's not just a pain for the user, it is presumably a pain for the company, too, if they're having to manage all those different levels of security questions and different user accounts, and people creating new accounts because they can't remember their passwords. I mean, that's got to be a burden from their end as well.

  • 12:48:04

    SCHWARTZI was talking to a large tax -- online tax fulfiller recently during -- right around tax season, and they were telling us that they have the same problem every year, right? People come to them once a year and use their tax software. They don't remember their name -- username and password, so then they end up calling them, and it cost them so much more money than if they would -- could just use a credential that they know that both the user and the tax preparer could know that they could rely on...

  • 12:48:35

    ROBERTSMm-hmm.

  • 12:48:36

    SCHWARTZ...right? And they could go -- they could say, oh, we're willing to use your ISP or we're willing to use your bank as a reference for -- in order to let you sign on for -- in order to collect your information from -- pull up your information from last year, and you feel secure about that and we feel secure about that. They would save a ton of money and the user -- it would be so much easier for the user than having to call up and wait on hold to talk to the tax preparer. That's just one example. I mean, businesses all over America have the same problem.

  • 12:49:05

    ROBERTSYeah. Let's hear from Christopher in College Park. Christopher, welcome to "The Kojo Nnamdi Show."

  • 12:49:10

    CHRISTOPHERYeah. Hey. Hello. Thanks for taking my call. I have two quick questions. So first, you've covered a lot about how, you know, how it's a problem for me to prove who I am. But what I worry about more is how, you know, Citibank, for example, can prove who it is to me. Specifically, recently, a couple of weeks ago, there was, you know, an Iranian hacker who was able to forge some certificates, you know, that would let him impersonate some sites. And, you know, it seems like this whole system of trust, you know, that these security systems that are built on is a little bit shaky.

  • 12:49:45

    CHRISTOPHERAnd targets like that seem a lot more profitable than, you know, my checking account. And secondly, I guess if your guest could offer any technical specifics on what the new system would look like, that would be great. And I'll take my call off the air. Thank you.

  • 12:50:02

    ROBERTSThanks, Christopher. So why don't we take his first part of his question first, about the security side of the agency are interacting with?

  • 12:50:10

    SCHWARTZWell, the -- it's a -- that's a great point, and I think that's something that I personally have stressed when having discussions aimed more at companies as well, that this goes both ways. We have to be able to have authentication. If we have interoperability, that will be easier to do. There are also some standards out there today that, if put in place, would help at least with the email authentication side of this, things like, you know, DKIM and SPF, they're called. So they will help users -- I mean, it will help users understand better who they're dealing with online and whether that can be verified in some way or not. So...

  • 12:50:45

    ROBERTSLet me stop you for a second and go back to the word interoperability...

  • 12:50:47

    SCHWARTZYeah.

  • 12:50:48

    ROBERTS…'cause we've used it a couple of times...

  • 12:50:49

    SCHWARTZYeah.

  • 12:50:49

    ROBERTS...without really defining it. Can you tell us what that means in this context?

  • 12:50:53

    SCHWARTZWell, it's similar to what I was talking about in the ATM system, just to put it in a way that people can understand it. So when we had those kind of different groups of people that would accept your ATM card, different banks that would accept it, your card was interoperable, right, within that -- within those banks. So you could go to a -- the bank next door and use your same card and interoperate it with your bank. You might go to one -- three streets down, and your bank card didn't work there. That was not interoperable.

  • 12:51:20

    SCHWARTZToday, we have a fully interoperable ATM system, where you put in your card basically anywhere you go. Information comes back, and you can get money from that in a secure and trustworthy way. I think that, you know, again, we're not -- we can't solve every problem by having better identity, better authentication. I'm not saying that having -- that this system is gonna perfectly solve all, do authentication issues, but it could help to get us down the right path.

  • 12:51:50

    ROBERTSAnd in terms of what it would actually look like.

  • 12:51:52

    SCHWARTZSo that is what is being figured out now. I mean, we do have some ideas. Again, people raised earlier some of the kinds of standards and specifications that are out there today that exist, that kind of give people -- can give people a vision of what we're talking about. I don't think -- well, I don't wanna bore too many more listeners. I'll just say -- I'll send people to the website, nist.gov/N-S-T-I-C, NSTIC, and that has the strategy which has a vision in it, and people can read that and read the technical pieces of that.

  • 12:52:26

    SCHWARTZIt doesn't go into too much detail. However, we are gonna have a number of workshops coming up that are really gonna go over these issues. We're gonna have one on governance at the beginning of June. That's gonna kinda give a vision of how this private sector governance system will work. And hopefully we'll have private sector leaders really step up at that time and say that they want to become the leadership of this as well. We'll have a privacy workshop at the end of June to discuss some of the technical privacy pieces of this.

  • 12:52:53

    SCHWARTZMicrosoft has written a lot about -- had a lot of research and development on the privacy side of this. There's been other kind of academic papers on that as well that I would refer people to if they wanna see what the vision of the privacy side looks like. And then the more standards technology interoperable side, we're gonna have a workshop on that in more towards the end of the summer in California.

  • 12:53:15

    ROBERTSAnd that website again was nist.gov. NIST is the National Institute of Standards and Technology, and the acronym for this project is NSTIC, N-S-T-I-C?

  • 12:53:24

    SCHWARTZThat's right.

  • 12:53:25

    ROBERTSWe have an email from Aaron, who says, "I'm glad that NSTIC is getting the attention it deserves, and Ari is definitely the right guy to be working on NSTIC. But I wish that the show could have provided a consumer advocate to provide a counterpoint. NSTIC is a utopian document, but success is far from assured. It took us decades to realize that we shouldn't carry our Social Security cards in our wallets. And now we will encourage citizens to carry much more powerful NSTIC credentials in their wallets, cell phones and laptops.

  • 12:53:51

    ROBERTS"NIST should be more upfront with consumers that these potentially powerful identity credentials should be guarded much more carefully than your Social Security card."

  • 12:53:59

    SCHWARTZWell, I definitely appreciate that point of view. I mean, I think we don't have all the answers right now, and I wanna say that very plainly and clearly, and this gives me the opportunity to do that. We need help from people to get better answers than we have today. However, again -- I do think I said earlier on -- it is never going to be 100 percent perfect. And people looking for the magic bullet out there are not going to find it. We're trying to see whether we can make progress from today's system to a future system that better protects privacy and security and usability in a way where consumers don't necessarily have to be told, don't carry this in this way, et cetera, et cetera.

  • 12:54:38

    SCHWARTZWe hope that by the time we get to the interoperability piece, usability is so good that it's something that's more intuitive than that. If we don't get there, it will need that kind of education work along with it.

  • 12:54:48

    ROBERTSI should also mention that consumer advocates were a part of the March 15 show that we did on this issue in a slightly different context, and you can find that link at kojoshow.org. You mentioned at the beginning of the show that this is not tomorrow. This is a couple of years down the line. Obviously, this is a part of commerce that changes pretty quickly. How do you balance trying to figure out standards and goals in a world that might look very different? Who knows what we'll do online five years from now?

  • 12:55:18

    SCHWARTZWell, the -- you know, it's weird because different places have different kinds of kind of timelines at the way that they look at these things. I remember talking back to some of the chip manufacturers about how they look at things. You know, they have to look years out in advance to try and figure out how they are gonna go about building secure chips and security in their chips, et cetera. In this space, we are working with social networks who are changing, you know, on a monthly basis, at light speed.

  • 12:55:46

    SCHWARTZYou're working with -- and search engines are kind of -- they do that as well. The Cloud people are still standing up their product. Some of them are changing very quickly like that. Some of them are at a slower pace. The banks work at a slower pace now. So we have lots of different paces out there, and that's really what kind of makes this hard. So what we're trying to do is put out the vision -- as the last person who wrote in said -- to show where we think things should go and help people can -- and help the private sector can help build into their plans and the right places in their plans, how this can work for them in a way that is interoperable that -- and where they can lead.

  • 12:56:22

    SCHWARTZAnd then we can try and build that together, build a governance model that works. It worked -- again, it worked for building the Internet in the first place and for getting the private sector to lead in that space. We think that it can work here as well.

  • 12:56:32

    ROBERTSAlthough, say, 10, 15 years ago, when the private sector was booming on the Internet, there was a sort of famous and probably well-founded mistrust between the Beltway and Silicon Valley. There was a feeling that Washington didn't get the speed that they were constantly writing in statutory things that were anachronistic, and that Silicon Valley didn't understand that there -- they should be regulated in any way whatsoever and were cowboys. Has that divide been bridged now?

  • 12:57:02

    SCHWARTZNo, no. We're still in that same problem. But the difference now, I think, is that -- I mean, in this kind of space, what we're trying to say is, we don't think -- we think that the private sector can develop this and can address these issues. We may need to have policies that protect consumers in this space, down the road, that are more than we do today. We said that we actually do need them for privacy. The Commerce Department has said that pretty clearly. And as we move forward, we hope that we can work with the private sector and with Silicon Valley and other places to get this right in a way that is built into the technology, as much as we can get from technology, and then we can address the policy concerns outside of that.

  • 12:57:45

    ROBERTSAnd just one more time, if people wanna find out more, the website, nist.gov.

  • 12:57:49

    SCHWARTZN-S-T-I-C.

  • 12:57:53

    ROBERTSAri Schwartz, thank you so much.

  • 12:57:54

    SCHWARTZThanks.

  • 12:57:55

    ROBERTSAri Schwartz is the senior Internet policy advisor, Information Technology Laboratory at NIST, the National Institute of Standards and Technology. I'm Rebecca Roberts, sitting in on "The Kojo Nnamdi Show." Thanks for listening.
