Prove you're not a dog

Being anonymous online is easy. This is a boon for the noble, such as dissidents and whistle-blowers, and also for the ignoble, among them scammers, creeps, pests and terrorists.

For the boringly respectable Web user, and for those needing to identify him or her, it is hard to prove you are who you say you are.

Governments rightly want to fix this. Proper online IDs would curb fraud, keep young people off sites meant for adults, boost e-commerce -- especially across borders -- and cut the cost of public administration by putting government services online.

They also would make life easier for everybody. Instead of having to remember lots of different logins and passwords, you would need only a few. Your credentials could authenticate your identity, nationality, age, address or whatever else was required, without having to hand over the actual data. You could call on your identity provider to prove to a social-networking site that you are 13 or older, for example.

Such a system would enhance safety by reducing the risk of people entrusting personal information to many sites, some of them poorly protected. Providing a photocopy of a physical document such as a passport hands over a great deal of information, and may do so irretrievably. An online system supplies or verifies only the data requested, and thus does so more securely.

In places ranging from well-run Nordic countries such as Estonia and Finland to big, poor ones such as India, governments have set up schemes that often work well. This is not the only way to do it, though. An alternative is to allow private firms to compete to provide secure digital identities, and for the state to rely on them for its online dealings with its citizens.

Many people entrust their bank or insurance provider with more confidential details than they do their government. Banks commonly issue card-readers or key generators to customers, or require transactions to be validated using codes sent via text message. Properly run, these are secure enough for dealings with the state authorities too. Mobile-telephone operators and supermarkets are also used to running big databases securely -- indeed, their business depends on it.

A system enabling companies to offer online IDs secure enough for states to trust is already in the making. The British government is paying private providers to handle user verification on its Web sites. America is corralling hundreds of companies around common standards and supporting pilot projects. Canada and some Nordic countries already accept bank credentials in dealings with state agencies.

Some people feel queasy about any electronic-ID system, public or private, and they may be especially dubious about private ones.

Skepticism about the morality of banks may make people unwilling to hand them control of their identities. They note the weakness of the social networks and email providers which are the current providers of informal electronic passports. Hackers recently stole 250,000 passwords from Twitter. Its login credentials, like those for Facebook and Google, often can be used on other sites.

At present, though, these providers offer only convenience, not authentication. Their main interest is not security, but mining users' data for marketing. If they or any other private provider wanted to offer IDs secure enough for state agencies to use, they would have to create far more rigorous systems.

Using the private sector has many advantages. Many people prefer it, since they already willingly hand over so much information to companies. They also may feel that the state already knows too much about them. Moreover, private-sector IT projects tend to be better-run, and more innovative, than public-sector ones. Commercial ID expertise would save the government from spending money on developing its own ID checks. Also, customers can withdraw data from private providers that prove easy to penetrate, whereas they cannot flee state databases that spring leaks.

As a big potential customer and a guarantor of its citizens' security, the state has a role in ID provision. It should set standards and lay down clear rules about who pays when things go wrong. It should not monopolize the business, however. There should be more than one way of proving you're not a dog.

Republished from the Winnipeg Free Press print edition February 11, 2013 A11