The U.S. government's approach to secure online identities, with its strong emphasis on privacy, is to be applauded. But the devil is in the details. In this case, the details lie with the private sector, whom the administration intends to rely on to provide solutions.
This gets sticky. Businesses exist to make money. While search is used to target ads, data from social networking sites enables even better targeting. Just look at the financial expectations on Facebook. Social networking sites find a great deal of value in being your identity provider everywhere you visit. Some social networking sites go one step further: they not only authenticate you to a site -- Facebook telling the relying party (such as the New York Times) who you are --- but they also share other demographic information about you, like where else you've been, with the parties to whom they've provided the authentication. Such information sharing is quite valuable to these relying parties. It's part of what has propelled the identity tools to be such strong players. But it means that not only does your identity provider know everything about you, so do the relying parties.
Now the federal government has taken a wise step. Under the Federal Information, Credential, Access Management roadmap (now there's a mouthful!), no identity provider for the federal civilian agencies can share such relying party information or even use it themselves (e.g., to better targets ads). The technical term is activity tracking, and federal rules are that identity providers aren't allowed to track your activity while you're on federal sites. What that means is if a Facebook user uses their Facebook credential to log into IRS to obtain tax information, Facebook can't share the fact that the user went to IRS -- or what information they obtained there -- with any other site. In fact, Facebook can't even add that information to their own user profile. That's terrific for privacy.
But if identity providers are all in the business to make money, why should Facebook -- or any other private company -- be willing to act as an identity provider for federal sites? After all, they can't use the information they've learned (and in the U.S. economics drives all). The answer is a funny thing called user stickiness. Users do what's easy. If Facebook won't serve as an identity provider for a U.S. government website, then the user has to change providers when she wants to access that website. And changing providers in the middle of a session might mean that a user doesn't go back to using their Facebook credential after the transaction. Facebook doesn't want to lose her during the web session. So various identity providers are willing to act as identity providers for U.S. government sites even if the providers can't make use of the information they've learned.
There's a lesson here for other sites, sites that ought to be in the business of protecting your privacy. What articles I read at the Huffington Post or Fox News, what pages I view at the he Mayo Clinic or the American Heart Association, ought to be private between me and those sites. They should not be shared with other relying parties or used by an identity provider for its own purposes. Those sensitive sites, the ones that have important reasons (such as protecting the First Amendment right to read anonymously) should adopt the same rules regarding activity tracking as the federal civilian agencies have done. Because there are still many sites that provide economic value to these identity providers, such a change wouldn't stop identity providers from providing their product across the network. But it sure would make a difference in protecting privacy where it matters.