The White House has announced a new initiative aimed at bringing the federal government into the online identity space in a major way. Via a post on the White House blog, the administration has announced the National Strategy for Trusted Identities in Cyberspace (NSTIC).

The blog post has a link to a new Department of Homeland Security-hosted site for the initiative, which has already been seeded with suggestions that can be ranked via Reddit-style voting. The site also contains a link to an initial draft [PDF] of the strategy, and DHS is encouraging interested parties to submit comments on the draft.

The basic idea behind the proposal is the creation of a trusted "Identity Ecosystem," where users, businesses, and the government can voluntarily carry out transactions secure in the knowledge that everyone is who they say they are, and where users don't have to give up any more information than is necessary to complete a transaction.

Or, as the draft document puts it, it's "an online environment where individuals, organizations, services, and devices can trust one another through proper identification and authentication."

The draft takes pains to steer clear of any notion that this will be a form of a federally mandated national ID card—the voluntary nature of participation in the ecosystem is stressed repeatedly throughout. It's also the case that the plan envisions multiple private-sector ID providers, each of which can issue credentials to users (or institutions, or devices, or any other entity that needs an ID) and all of which are linked at the highest level via a federated service that's managed by the government.

The idea here is that if I get my credentials from, say, Google, and you get yours from Facebook, we should both be able to use those same credentials to buy from Amazon. As long as you've been validated by one of the approved ID providers, you should be able to move about the ecosystem freely.

The notion that users should have control over how much information is revealed in a transaction plays a big role in the document. The example that the DHS draft proposal gives is a movie theater ticket clerk, who looks at a driver's license to see if a ticket buyer is old enough to purchase a ticket to an R-rated movie. The license contains the necessary birthdate information, but it also has a lot of other info that the ticket clerk doesn't need access to, like a home address and license number. The Identity Ecosystem would let users give up only the info that is required by the other party in the transaction, and nothing more.

The draft document has a number of small inset boxes under the repeated heading "Envision It!" (!), where hypothetical scenarios enabled by the plan are described. For instance, the first one reads:

An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including:

Credit card purchases,

Online banking,

Accessing electronic health care records,

Securely accessing her personal laptop computer,

Anonymously posting blog entries, and

Logging onto Internet e-mail services using a pseudonym.

Few privacy advocates are likely to get excited when envisioning the above scenario, despite the voluntary nature of participation. These identity services are often subject to serious "mission creep"—just think about the number of mandatory uses that every corner of the public and private sectors have found for the Social Security Number, a number that is, on paper at least, merely a way to track payments and benefits for a very specific government program.

Given what has happened with the SSN, it's not at all hard to imagine that a voluntary state ID would quickly morph into a mandatory state ID, unless of course you withdraw from the web of modern commerce.

Along with the potential privacy concerns that such an ID might raise (more on this topic, below), there's also the possibility that a single sign-on for multiple services will make our identities less secure. Either it will be possible to steal my credentials and impersonate me throughout the entire ecosystem, or there will have to be some kind of rock-solid biometric component to authentication.

Anonymous blog posting?

Perhaps ironically, the proposal expects that people will use the Identity Ecosystem to post to blogs anonymously; in this respect the draft's authors are clearly cognizant of the free speech implications of online anonymity. Such anonymous posting would work because there's a third party between the anonymous user and the blog provider who can vouch that the user is legit, and can perhaps even transmit payment for blog hosting and related services on behalf of the user.

The problem, of course, is that for people who are serious about online anonymity, the only kind that counts is when nobody knows who's behind the blog post or the Wikileaks upload. Given the fact that every single US-based service provider, from telcos to wireless carriers to Google and Amazon, will give you up to the authorities when they come knocking, the only thing the NSTIC approach changes is the number of addresses to which the subpoena or national security letter is mailed. Instead of contacting only your ISP to track you down, the government will also have to contact your ID provider in order to get your full identity.

But while no government-backed identification system could ever be expected to provide users with strong anonymity of the kind that will protect you from the government itself, more limited degrees of anonymity are still useful. While you'd want to stay far away from any products of NSTIC if you're anonymously posting videos of the police to your blog, if your aim is to anonymously blog about something like living with HIV, then NSTIC will probably work.