NSTIC as a National ID


Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID

How NSTIC Might be Like a National ID

NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.

If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.

Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.

Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.

NSTIC is voluntary for the private sector and private citizens.

If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.

NSTIC credentials are not yet required to access government benefits.

Access to electronic government services may one day require an NSTIC credential.

NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.

NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.

Identity and Transaction Information is not stored in a single, centralized government database.

Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.

An NSTIC credential is designed for online transactions only.

With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

  1. #1 by rybolov on April 26, 2011 - 4:04 pm

    Hi Aaron, good post. Really NSTIC is the Government seeing a trend in what the market is doing (Google Authenticator, Microsoft Passport, and FaceBook Connect being good examples) and trying to establish standards so that these de-facto market leaders can be at least halfway compatible with each other and with the websites that use them for authentication.

    NSTIC would keep the government from collecting “low-value” PII from citizens such as email addresses and (?possibly reused?) passwords just to comment on a proposed bill or a service that the government is providing. By giving citizens a choice of identity providers and tools to select which persona they are representing to a website, it gives the citizens better ways to manage how they are identified on that website and its affiliates and to more effectively manage what data is collected by a website owner.

    All things considered, it would be fairly easy to imagine people (NPOs or privacy activist organizations) building privacy-focused identity providers that do not share information with any other 3rd party.

  2. #2 by Nate on December 3, 2011 - 1:08 am

    Such a great article you have,commonly national is useful to any government and private sector . Mainly national id which may be imposed by the government through NSTIC

(will not be published)