The plans of the General Services Administration’s digital tiger team, 18F, to build a single online sign-in interface through which Americans can log on to digital government services are over-reaching, duplicative and out of sync with administration policy, according to critics.
Defenders of 18F’s ID play charge that the criticism is driven by self-interested sour grapes and the agency says the new approach is “incorporating innovations in the identity space over the last five years” since the administration’s National Strategy for Trusted Identity in Cyberspace, or NSTIC, was first published.
At stake is the administration’s legacy on online identity policy, a topic on which it sought to get ahead of the curve, by securing Americans’ online identity against cyber thieves and fraudsters.
“They’re trying to crowd out the private sector,” said Blake Hall of the 18F government hackers’ ambitious plan to build out from scratch a single sign-on for .gov — a doorway to federal government services that citizens can use which will validate their identity once, then allow them to visit a range of sites without having to sign on anew each time.
Hall is founder and CEO of ID.me, a veteran-owned small business that has spent years building technology which will pass government muster as secure enough for a citizen sign-on portal.
ID.me is one of the pilots given seed money under NSTIC, which envisaged a so-called ID ecosystem — private sector companies competing with each other to offer a trusted login as a service for consumers who could log in once, then securely use a variety of commercial and government services online.
NSTIC was the Obama administration’s attempt to get ahead of the cybercrime curve by securing Americans’ online identity and making it possible — even on the internet — to know whether or not you really are a dog.
In a blog post this week, and then in an interview with FedScoop, Hall charged that 18F’s vision is out of line with NSTIC, which aimed at “a federated system, where government will set standards and as identity providers [like ID.me] get accredited and certified against those standards, citizens will have choice as to who their identity provider is when they log in to a federal website.
“And because they have choice, that will breed competition,” for instance favoring those who have the highest security standards, above the floor set by government certification requirements, said Hall.
Crucial to the NSTIC vision was the idea of the federal government as an “early adopter” of the ID ecosystem.
But Connect.gov, the GSA portal designed as a doorway that could be unlocked by ecosystem ID providers, was widely panned for its poor user experience. ID.me, Verizon and other companies were accredited as identity providers for Connect.gov.
Connect.gov “did not have the necessary usability to be successful,” the GSA told FedScoop in a lengthy emailed statement.
But, Hall charges, “instead of having a conversation with all the stakeholders” about what might have gone wrong with Connect.gov, 18F had adopted the attitude of “scrap everything including the president’s strategy and we’re going to build it ourselves.”
The GSA statement says that the new 18F login platform “will greatly improve usability to allow widespread adoption,” which eluded Connect.gov.
In line with the NSTIC vision, the 18F ID platform will be “both privacy enhancing and voluntary,” the statement says, insisting that the new platform will give “users a choice to login directly using a government login,” or a third party ID provider.
“Metrics and data will be key to getting this right and those metrics will allow us to evolve and iterate as we learn more from our users,” says the GSA statement.
“Based on our integration of other identity providers, we are also making our system interoperable, another key guiding principle of NSTIC.”
But Hall is not the only one with doubts about the 18F approach.
In the days after 18F announced their ID plans — in a blog post, rather than through any more formal policy process — a number of ID policy experts expressed skepticism, although Hall was probably the most outspoken.
The former head of NSTIC, Jeremy Grant, tweeted without comment the famous Peanuts cartoon, where Lucy pulls the football away from Charlie Brown as he is about to kick it, and tagged the picture with the agency and the ID.me handles. The picture was retweeted by Andrew Nash, a former RSA engineer with an identity security consulting practice, with the hashtags #NSTIC and #et_tu_Lucy.
Grant, now with the Chertoff Group, declined comment for this article.
At issue in the high-stakes row is the first-ever project of the GSA’s new Technology Transformation Service, into which 18F has been merged, part of an effort to ensure that the 18F tiger team, conceived by the tech entrepreneurs brought in to rescue healthcare.gov, survives through the transition to the next administration.
“We believe that we can deliver outstanding security, usability, and privacy to hundreds of millions of users by building this central platform now,” concludes the GSA statement.
Contact the reporter on this story via email at Shaun.Waterman@FedScoop.com, or follow him on Twitter @WatermanReports.