Transactions, being able to sign a mortgage, where these transactions are online because the risk model is such that they are not available. The third thing the strategy looks to do is do this any way that enhances privacy through privacy enhancing technologies that are out there that we can get people more confidence in transactions online and know that the data is what is provided and not additional information. What is the budget . 24 and 5 million. We have gotten half of that. We have spent the bulk of it on private pilot programs to test ideas and technologies to take the ideas in the strategy and test them in the marketplace. Some goes to research and supporting other efforts as well. What is the work that you do with private organizations . Strategy, with the what the strategy actually prescribes is a solution, with the president dubbed a marketplace where all of us can solutionsm identity when we go online. This has to be driven by the private sector. Tackle theried to conundrum by issuing national id cards. That is something we dont want to do for a variety of reasons. They havent worked particularly well in terms of driving Great Success in all but a handful of countries. There was a recognition when the white house was putting this together before its release that if the administration tried to ,rescribe a particular solution the government would fail. This is not something the government is particularly good at doing, anticipating what is going to work in the marketplace. That are a recognition too many entrepreneurs coming up with great new ways to manage online identity and authentication that the worst thing we could do to get in their way. What the strategy calls for is the private sector to act in partnership with the government to develop a set of solution so that all of us with computers can choose a marketplace something we can use every possible go online. We have been really blessed to have support for this initiative from across the spectrum. One of the initiatives we have helped launch has been the creation of an Organization Called identity ecosystem steering group. It is focused on how to create a framework of standards and rules that would enable a credential to be used by your doctors office, and then at your bank, and then buying something online. We dont have those foundations of rules to enable solutions to login. Their copious they are focusing on creating that. Leadership positions representatives from firms as ,iverse as citigroup, oracle neiman marcus. Lexisnexis. As well as advocates like the aarp, a bunch of other interested individuals. It has been a really motley. Roup of people coming together they all actually agree that the signed ist president worth engaging in even though they bring different perspectives to the project. Onjoining our discussions privacy online is in. Peterson with the washington post. Thank you for having me. Mentioned the strategy was in 201133 years ago is a long time for tech. How has it changed during that time . A number of good ways the for the most part it is actually starting to evolve and align with the strategy. One of the things the white house did good, they put together, they put draft suffer, to the public. They throughout draft to get their feedback as to the things were going. What we have seen is some pretty Good Progress so far in terms of the marketplace evolving to look more like what was envisioned in this document. On the standard side we have seen the emergence of new standards like open id connect and specifications enabling stronger authentication in a way that protects privacy in the marketplace. We have seen some firms like facebook who have had a Login Service start to evolve their solutions to give users choice and what data they share about themselves. It used to by default transmit a lot of information about you. ,hey announced in april because they are starting to allow either anonymous logins or the ability to start choosing what particular attributes are shared. We have seen a burst of free multi factor often applications from firms that all this do business with online, like google, facebook, twitter. There are solutions out there beyond the password you can lose and used to protect themselves. Im a bit of a geek on this topic as you can imagine having this job. But the idea that consumers are going to manage sit Different Solutions let alone 30 of them, we need to get to a Framework Solutions that is easy for the consumer to protect themselves online. What are the options for the average consumer . It is a woman to have these many passwords. Even the logins across the web will be used differently by different sites. What ddb benefits are of moving towards these logins . Betterbenefits are convenience of privacy protection. I have a lot of conversation of people who find out what i do. Everybody says the same thing, can you kill the password . I have too many of them. My security is awful. If we can get away from the password, which is an outdated that alone will move people towards stronger means of authentication. In terms of what the credential would look like, there are different ways you can actually figure out who somebody is online. A lot of what the strategy looks for is a market is where creators have choice. To describe at a high level the attributes of what these look like. They have to be secure and easytouse. Let that then be a guidepost to develop solutions around it. Looking at the pilots we have, some are looking at smartphone based apps. Used in lieu of a password to log in a different sides. Others are testing biometrics, fingerprints, voice recognition. Not to say these are going to be the solution or solutions everybody, but they are the things were testing. Others are looking at a onetime password that may be called to your phone to make sure you really are the person who you claim to being as opposed to somebody impersonating you because they have stolen your password and are trying to log into one of your sites you access. When you look back at what happened to target last year how would some of the solutions you have been talking about affect consumers in that case . Target is a good question. I dont have a say too much about it. I dont a lot of personal knowledge about what happened other than the press alerts suggested that way the attack was executed was a vendor who they did business with who had access to the system was able to login with only a password. Once that was stolen they then were able to do other things within that companys network. That is one area where if you authentication, there is always ways to get around systems, but if you can raise the bar beyond just a password, which is easy to exploit, and make it harder to get into systems, you do quite a bit to improve your Cyber Security posture. It is a different story on the consumer side. Most of the fraud that happened because they were able to project malware into pointofsale. I dont know if there is any thing that will address that issue. Their efforts going on within industry to move away from magnetic strip cards. I actually like to go back to a point you touched on with biometrics. Do you think it is possible that passwords have have unique benefits over biometrics . One of the things i get concerned about is that your password gets breached, you can change it. If somebody gets a hold of your identifier markers, that is hard for you to change about yourself. They are not secrets. This is something that our folks talk about all the time. A password is a secret. It is still a secret. If it is compromised you can change it. Biometrics are not. The our perspective, using biometric alone, it depends on the application. One of the questions you have to ask yourself, what are you trying to protect . You understand that it is easier to start figuring out what are the technologies to be using . Biometrics, a lot from what we have seen, the devil is in the details of how you deploy it. If you are using it as one factor layered on top of another factor, that may be the thing that is easiest for the consumer, they have some really good applications. On the other hand, because they are not secrets, you may not want to use it biometric. A lot the strategy is choice. Ne certainly find there is a oogie factor or people who do not like using their face. People would not like a biometric solution and would use something else. There are people who would love the idea of using biometrics. Latestalready seeing the versions of smartphones coming up with fingerprint sensors. Some people like it and are using it to login. Others on. Ecosystem an identity or biometrics are just one of the technologies that is how we will see the market moving forward. Whats going back to another point you made about how you Pilot Project to explore what may or may not work for my how do you see that evolving . , we havee have learned learned from the pilots that have succeeded and those who have struggled. When we first launched the pilots, it was two years ago last month and there were questions we had about what you hope to get out of these. One of the comments had people at the time, both of the successes and the failures. One of the reasons we put such emphasis on Pilot Projects is aspirational document where would like to see the marketplace evolve. The best way to get from the strategy, which dwells into hypothetical issues, is to do Pilot Projects that throw different ideas against the wall and see what works the best. I think what we have seen is that this is hard. They hope is in the government is involved in the market has been trying to solve this conundrum for years and has not succeeded. There have been different barriers. Most of them arent technology related. They have been focused on the business rules. If somebody happens to compromise it and i lost it happens, who is liable . These are rules that have never been worked out. What we have seen from the pilots is most of them have bundled together business rules associated with the model. Contract language that addresses the issues i talked about. Also saying what the online retailers are, and we are seeing good successes, one later this month, the health systems. The largest Healthcare Network in northern virginia. They have to think about 2 million patients under care. They will launch a pilot leveraging strong credentials to help virginians get access to Electronic Medical records. They have been real interested in making it available online. Passwords alone dont cut it. Youre not going to want to put that information online. Theyve launched a ownership with the state of virginia enabling virginians who already have a virginia drivers license , think about what you do when you get a drivers license, yet to prove who you say you are in person, allowing virginians to ask the dmv to assert attributes about themselves so that they confidence that the person is who they claim to be. That wasnother Company Started by veterans who recently returned from iraq and were focusing on issues, simple use case for starters, how hard it is to get discounts. A lot of businesses want to enter 20 off. Differentto give offers to them. When you separate from the military you dont get an id card. Ddd it includes personal information about you. Found, if im going to a Sporting Goods store im not going to want to give this to them. They started the company focused veterans. Ing they have started signing of different commercial providers who are interested in leveraging them to validate this one thing if they are a veteran. A fascinating company. The founders came to us, they brought in the strategy the president signed. This is a great document. Through a great document. The right pilot they have recently become certified as an identity provider for the federal government. The easiest way to describe it is they took their existing solutions and build an stronger authentication and identity proofing. What that means now is through the first phase of the pilot is a veteran can use the same credential to login at an online retailer and get 10 off shopping, and then go to buy kiss, the band. They wanted to help sell tickets to veterans. They could log and by kiss tickets. Then they can go to department of Veterans Affairs and login and get information about their health benefits. Wes is the kind of solution are certain to see take hold in the marketplace. It is one reason the pilots have been so important to the success of the program. And they arek viable in the marketplace. How does the paypal model fit . Paintball is one of the companies we have been working with. Paypal had an executive who was the first chairman of sharing group. They have been very interested from the start. Paypal obviously has done quite a bit in payments. I dont want to spend too much time talking about one particular company other than to say a lot on my commerce figuring out who people are can be important. I think if theres an analogy i as easy as it is for paypal to pay online, a laudable we are looking for are the creation of firms like that you can use for login. A company like paypal, it has to have high security. They are protecting a lot of information. I say you should ask paypal while they have been participating. I think the reaction we have gotten almost unanimously is that this is something no one company can solve on their own. They can try to. They have fraud solutions. They have different identity projects. There is no framework to use them interoperable he. Interoperably. Their customers through a burden some process time for drives consumers away. Over half of customers will basically abandoned the site if they are asked to create another user name or password. So, a lot of what were looking to do is how to reduce friction and online commerce. How do you make it easier to do the things you want to do online without having to go through this whole challenge every time of who are you . I dont trust you. Can you who you claim to be. Consumers hate it. Most companies will tell you they spend a lot on it and dont necessarily do it very well. One thing we continually have heard from Companies Across the board is there is value in this for us if customers can come to our site, and login without anyway that they think their security is being enhanced. Im not sure if you saw this but there was interesting stuff that came out of microsoft researchers who suggested users should actually reuse passwords on low value sites. Because if reads up it frees for more space important service. What do you think about that . Paper. L that in lieu of having this by the marketplace which we are working to create, its not going to be here next month. It was decent advice. If youre managing 25 different passwords might only have five or 10 that are protecting valuable assets and the rest may be throwaway accounts. The concern is that we tend to see in the marketplace that consumers is password reuse. It will use the same strong password at a site that isnt particularly well protected. This is when you read stories of 1. 2 billion passwords being stolen by hackers overseas, there is a reason theyre going after them. Aty can actually use them different accounts to try and login until he can and do something. I would say for consumers that are out there in lieu of having a better solution, it is good to figure out which of the most valuable and make sure those are secured with the unique password. All of these things are bandaids over a bigger problem. I would argue that a time that when we see studies that show more than three quarters of never Network Intrusions are isntasswords, a bandaid necessarily the approach that is going to get us too far. This is why we are focused on trying to drive the marketplace forward with things that can replace it altogether. What i will say if anybody is watching this, there are solutions you can use to protect yourself today. I mentioned the big firms that we do go online with, google, twitter, microsoft are offering multifactor authentication solutions. Google has an app called authenticate it. It gives you a second layer of authentication to make sure someone overseas this and has grabbed your account information they are trying to login from romania, a flag will come up that this is a machine that has never been login and will prompt and for the second factor. It is a great way to start to protect yourself without going through real hassles and it is available today. The things you listed make their money off of Data Collection and targeting advertising. What would you say to people who are more concerned with the privacy aspects of the data not beindustry, who may as comfortable using those services because of the business. It is the state of the market today. But we are trying to do is get to something better. All the Solutions Must be privacy enhancing. We dont want to be enabling new Identity Solutions that will enable firms to being vacuuming up more data about people than today. Builtin privacy from the start, putting in rules and trying to code those rules into technology we think we can really start to move the ball forward. What were finding is in the , there arent a lot of Great Solutions that offer both security and privacy. They had to do the same thing they did everyplace else, look at the tradeoff. From my perspective, i value the fact there are free tools out there that go beyond passwords. This is about choice. We will get there in a few years. In the meantime, look at what is out there. I would like to back to a question ago when he mentioned it 1. 2 billion passwords. There was a report that came out about a treasure trove of emails and passwords. I was interested to see that you actually brought that up on your dr. Ant notes blog with a evil quote from austin powers. Talk about how whether or not that approach where you are trying to do news folks and bring a popculture has been effective in engaging the public in this . We use our blog to explain what were trying to do. Viewers are finding from this conversation, it is complicated. One of the points we are making million og, 1. 2 big number. Is a it is a stunningly large number. Provided an effective mechanism to drive home the point that when youre seeing numbers of passwords that are being stolen and compromised at this level, it should home drive home the point that we have a problem. Bandaids to the solution. A few months ago the news came out about the heart bleed above. Everyone was told to change your passwords. Three months later the news comes out that there was this treasure trove of passwords discovered from hackers overseas. Everybody is given the same advice. Perfects being the combination of horrible usability. We need to get to something better. People are going to call in sick. We cant keep electing people to do the same thing. We need to get away from the solution. Passwords are a solution. It is something better. Whether or not they are the solution, which i think there is a general agreement that probably are not. What will you say people who are concerned that by moving towards these more centralized ids we are putting our eggs in one basket . One isppens if compromised . It is a great question. Wine, theres nothing about the strategy that is trying to push people to a single id. It is about choice. Much as i have five different email accounts and i use one friends medication with , and one for online sales, a third to make it with neighbors on a list service. People can have several different credentials and use them in different places. People have different personas online. The credential you use for something work related may not be what you want to do in your personal life. There are things i dont do on facebook that i do on linkedin. They were nothing to preclude people from getting three different credentials or none at all. We do think the benefits will be compelling by making it more privacy enhancing so that you should next have some of these issues. In terms of a vulnerability, i would argue it is a real threat. It is the same issue we have today. Right now i talk about the password problems and why it is that hackers want to steal billions of them. A password we use more often than you not, it is when people site to buy a dog collar, they put in their email address and their email password. That is when they have problems. Jeremy grant. Trusted identities in cyberspace. Thank you. Cspan, created by americas Cable Companies 35 years ago and brought to you as a Public Service by your local cable or satellite provider. Canadian Prime MinisterStephen Harper announced a measure this week to call for airstrikes against isis in iraq. Speaking to the house of commons, Prime Minister harper said plans did not include boots on the ground. This comes to us courtesy of the Canadian Public Affairs channel. It is 20 minutes. Statement of the Prime Minister. The right honorable Prime Minister. [applause] mr. Speaker, in recent months, the International Community has reacted, with virtually unanimous outrage and alarm at the rise of isil, the socalled Islamic State of iraq and the levant. Isil has established a selfproclaimed caliphate, at present stretching over a vast territory roughly from aleppo to near baghdad, from which it intends to launch a terrorist jihad not merely ag