The US National Identity strategy: Ask the People

I have just received a note from FIPR on the US Department of Homeland Security consultation on a “National Strategy for Trusted Identities in Cyberspace”. This is a long overdue approach to the problem of persuading average Americans that they should trust those who wish to link them to electronic identities and digital footprints. Meanwhile the cancellation of ID cards has removed but one fallen tree from the jungle of ID initiatives in the UK. Will the current moratorium and review lead to a cull of those which are not fit for purpose and a sharing of those which are? If so, how will that process take place, under what governance?

The work of the Information Society Alliance sub-group on Identity Governance has recently acquired a new importance. It seems to be the only group currently bringing players together across department and agency boundaries, let alone public and private sector boundaries – other than at the technical level.

The problem is to focus minds away from the comfort zone of designing perfect systems for a world that will never exist and onto the identification of those that already work, deliver business benefit and are respected and trusted (including by voters). The quicker we can do this, the quicker we can begin moving essential applications off those systems that do not command trust and thus reap the benefits of better service and reduced fraud. That has to be done on positive cash flow, because there is no funding other than from the savings from switching off that which is not essential.

The good news is that we are dealing with bright people. Once that task is spelt out, they understand and respond.  The bad news is how little they know of what others are actually doing – as opposed to describing on the conference circuit.

I therefore did not know whether to laugh or cry when I read the note from FIPR:


National Strategy for Trusted Identities in Cyberspace

US Department of Homeland Security

How does it work?

• Users submit their ideas.

• Our community discusses and votes for ideas.

• The best ideas bubble up to the top.

The Nation faces sophisticated threats against the sensitive and confidential data of our citizens, industries and government. The Nation’s dependence on online transactions significantly increases the potential losses (financial and non-financial) associated with identity theft, fraud, intellectual property leakage, and privacy breach. Securing identities in transactions and creating a trusted online environment has become a critical national priority, and the President’s Cyberspace Policy Review called for development of a strategy to address this issue.

This draft strategy, referred to as the National Strategy for Trusted Identities in Cyberspace, focuses on the protection of the identity of each party to an online transaction and the identity of the underlying infrastructure that supports it. This Strategy seeks to improve cyberspace for everyone – individuals, private sector, and governments – who conduct business online.

Public ideas and recommendations to further refine this Strategy are encouraged.


I only know that my mixed reaction would puzzle all those who believe in the self-evident need for us to have a national strategy – just like the Americans. But at least they have begun by appearing to ask the people. Moreover they may still be rich enough to have time to waste – as opposed to taking action on the many quick wins available from replicating good practice and mandating adequate practice.


Join the conversation



You can't suggest anything unless you register with their 'corporate partner' ( You can't vote for the good or against the stupid ideas, without registering. You can't report site bugs without registering. The site is utterly useless.

They probably aren't interested in anything that doesn't mesh with whatever scam they have already decided to push - thus, the non-functional site. One thing I am sure of, we're almost certain to get screwed.

They probably are more interested in stomping on people that don't agree with whatever official line of bullshit they are selling this week - because I know the US government does not care about the welfare of the average US citizen, not even a little bit. When they say they want to help, I know something bad is about to happen - because helping the average person is not one of their objectives.

Comment from Philip Virgo - I found this posting very disturbing.

Does a requirement that comments be attributable mean that a consultation is not genuine or demonstrate that it is? Is it a part of democracy in action or a totalitarian state identifying dissidents in order to put them on file?

Just because you are paranoid does not mean that they are not out to get you.

I would like to think that democracy in the UK is more robust than in the US - if only because we do not elect our head of state and thus give them a "democratic mandate" to do that with which no human should be trusted - provided they can square Congress, Senate and Supreme Court. That in turn raises the question of what democracy really means.

Thank you for the post.

Agreed, our privacy needs to remain intact. That is why I suggested that banks issue personal card readers with PIN Pads (PCI 2.1 certified of course) which enable users to swipe their card and enter their PIN in a secure environment "outside the browser space." Existing cards, existing PINs on existing bank rails in real time with two factor authentication.

If we stop "typing" our sensitive data (usernames, passwords, credit/debit card numbers) into the inherently dangerous browser space, and start swiping so that the data is 3DES DUKPT end-to-end-encrypted, we solve myriad problems. For example, "phishing" would be virtually eliminated because there would be nothing to "phish phor." Even if we were "phooled" by a phishing attack, we wouldn't type anything and they wouldn't be able to decipher the data because it is encrypted at the maghead of the PCI certified device.

It is the same trusted method used to authenticate a consumer at 2:00 AM 2000 miles away from their bank branch when they want $200 cash in real-time. How could it not be trusted to authenticate the online user? Replicate that same trusted process using existing cards, existing PINs and existing bank rails and have customer swipe their card and enter their PIN to login.

For more info on a "low cost" PCI 2.1 Certified PIN Entry Device designed specifically for e-Commerce use, visit or

The plan is to issue a smart identity card anyway, so how is it going to be "read" without a card reader?

In Europe, almost 30% of online banking customers use a card reader to log-in and Kaspersky Labs has called for the mass adoption of peripheral card readers and implied that banks could be huge drivers of this technology.

We don't write our credit/debit card numbers down on a piece of paper and leave it at the retailer's POS, we swipe our cards and enter our PINs. Why should it be any different for the web?

Again, the root of the problem is that we are typing sensitive data into an insecure browser making it easy for the bad guys to steal our credentials via keylogging or infecting our PC with malware. Common sense says "stop typing and start swiping." If someone's going to "swipe" your card data shouldn't it be you instead of the bad guys? I'd love to hear anyone's thoughts...

Plato once said that democracy always leads to tyranny. He's absolutely correct! The 'system' being 'setup' will be used to determine who is 'trusted', and who is not. Those not on the 'trusted' list will be criminalized because they will not be able to access 'trusted' websites to conduct financial transactions. In plain terms those not on the 'trusted' list will not be able to 'buy or sell'!