No plans for Aussie online ID

The Federal Government has said that it doesn't intend to follow a United States plan to impose an online identity for its citizens.
Written by Darren Pauli, Contributor

The Federal Government has said that it doesn't intend to follow a United States plan to impose an online identity for its citizens.

The Obama Administration says that the National Strategy for Trusted Identities in Cyberspace (NSTIC) plan would be a "verified", or trusted, identity that can be used to access participating websites, with the backing of PayPal, Symantec, Verizon and AT&T.

It would go further to verify identity than the federated identity schemes like Facebook Connect and OpenID, because identities would be checked against government-held records, possibly social security numbers.

The administration has pushed the plan as a means to improve online security and reduce the need for users to remember passwords, but is keen to distance its scheme from comparisons to a national identity card.

The Attorney-General's Department, responsible for the lion's share of Australia's online security initiatives, has said that it has no plans currently to implement a similar scheme.

"We understand, however, the importance of online security to the Australian community and we're monitoring best practice from around the world," the department said.

It said bureaucrats had "not specifically" investigated the identity scheme, but said it is "aware of the breadth of options available and the need to take account of privacy, security and accessibility for government services online".

The Obama Administration handed oversight of the sensitive project to the Commerce Department, scrapping a prior consideration to leave it in the hands of the National Security Agency or the Department of Homeland Security.

NSTIC is a component of the government's Cyberspace Policy Review, which called for the creation of an "identity ecosystem".

Cyber tsar Howard Schmidt, US special advisor to President Barack Obama, said in a White House blog that the NSTIC aims to build an environment where "individuals and organisations can complete online transactions with confidence, trusting the identities of each other and the infrastructure that they run on".

"Privacy and security require greater emphasis moving forward and because of this the technology that has brought many benefits to our society has … also empowered those who are driven to cause harm."

The NSTIC will become part of a string of US opt-in plans that use technology to toughen the validity of identities and improve the security of public and private transactions.


Identity schemes, sometimes called online passports, have divided industry pundits.

Securus Global managing director Drazen Drazic said Australians lack the appetite for the US identity scheme, and questioned whether it would improve online security.

"It scares me to think about the impact of this. To throw trust into developers and the implementers," Drazic said. "And what happens if [criminals] nail it and compromise the identity database?"

Asked if consumers would be safer to allow the government to protect a single database than rely on multitudes of online companies to do so, Drazic voiced concerns about what would happen if the government database was hacked.

"With [the identity scheme] all eggs are in one basket. What's the fall back?"

Kaspersky Labs chief Eugene Kaspersky has called for a verifiable online identity — an online passport — like that drafted by the US, because he believes the adoption of the internet by a mass audience went awry.

"The internet was designed not for public use, but for American scientists and the US military. That was just a limited group of people — hundreds, or maybe thousands. Then it was introduced to the public and it was wrong … to introduce it in the same way," Kaspkersky told ZDNet Australia's sister site ZDNet Asia.

"I'd like to change the design of the internet by introducing regulation — internet passports, internet police and international agreements — about following internet standards. And if some countries don't agree with or don't pay attention to the agreement, just cut them off."

Denmark already has a complex federated identity management system in place through the government-funded WAYF (Where Are You From) organisation. It holds some 2 million verified online identities which can be used at more than 50 institutions, including banks, hospitals, schools and public services.

The network also extends into Nordic countries and contains details of some 500,000 Danish school pupils.

WAYF manager David Simonsen, told ZDNet Australia last year that the project goal is to allow users to be identified while limiting the need to distribute personal information.

"A driver licence is way too much information," Simonsen said.

At the time, Denmark banks were meshing electronic identities with the government's citizen log-ins, meaning consumers will be able to access accounts via an identity verified against social security numbers.

It's a surprise

Editorial standards