effectively separating the person's identity from the physical credential.

Verified ID manages the card independently of any government control. The company tapped Lockheed Martin Corp. to manage the technology and information systems that support the card.

"You get all the security without the surveillance," Harper explained of the Clear program. "Those kinds of things are really the direction we need to go - where you have a variety of credentialing systems that are competitive so that you get cost control, convenience and competition over privacy. You get actual privacy."

By creating a market for credentialing, Harper said, consumers get a choice in the matter, adding that before rolling out the Clear Card, Verified ID conducted focus group meetings to ask consumers what they wanted from such a card and what would make them want to pay the $99.95 annual fee.

Consumers expressed cost, convenience and privacy as their chief concerns about the Clear Card, Harper said, and Verified ID designed its systems with those three issues in mind - in stark contrast to the way the Real ID Act creates a de facto national identity-card system.

"[A mass identification system] is as likely to distract you from the real problem as to help you find the real problem," Harper said. "None of this is easy to fix, so easy sort of broad brushstrokes like IDing everybody are probably going to be wrong."

Harper predicts Real ID will fail, though that failure may take some time to play out.

"Once it fails, we'll go back and start again on something else," he said. "Hopefully there will be better information on what we can do, and that's where some of the emerging digital-identity management systems coming out of the private sector will help to educate the next round of government identity policy."

 

Red Flags
Personal identity frameworks (PIFs) serve as evolutionary building blocks that help facilitate easy registration and single sign-on for a variety of online transactions, though predominantly in low-risk contexts, explained Gregg Kreizman, a research director at Gartner.

"We all interact, increasingly online, in a variety of contexts, such as government to citizen, government to business, business to consumer or business to business, and in different verticals within these broad categories, such as education, health, finance or social networks," he said.

Each context has its own risk profile, and therefore each will have different expectations and requirements for ensuring individuals are who they claim to be.

Government will play a role in private-sector initiatives, such as Microsoft's CardSpace - by supplying information that would appear in PIFs - but involving government in the creation of PIFs will not solve the ID problem, he said.

PIFs are predominantly about the end-user experience.

"If I use CardSpace as my identity selector, I will have a common user interface to access multiple services in different contexts," Kreizman explained. "However, I will still need to have different identity providers - government, health care, finance - depending on context and associated risk profile."

Government is an appropriate source of identity proofing in some contexts, Kreizman said, though telecommunications companies may be an appropriate source in another context and credit bureaus in yet another.

PIFs provide convenience and a promise of privacy protection, Kreizman said, because they give service providers a way to request identity attribute data for registration and give users a way to allow or deny access to that data.

"However, PIFs by themselves provide no guarantees that service or identity providers will protect that data from breaches or nefarious uses," he cautioned. "So, who do you want to be your identity

Shane Peterson  |  Associate Editor