NNSquad - Network Neutrality Squad
[ NNSquad ] Obama's "Trusted Internet ID" Scheme Announcements: Reading Between the Lines
http://bit.ly/hW9w5y (Google Buzz)

- - -

http://bit.ly/grv6Dr (CBS)

The CBS link just above pretty much illustrates the current media take on the new announcements related to the Obama administration's continuing push for an "Internet Trusted Identity" system (NSTIC).

(Reference: "Internet Freedom Alert: Obama Admin Pushing Ahead Today with Dangerous "Internet Trusted Identity" Scheme" - http://bit.ly/eZug4M [Lauren's Blog])

We will wait with bated breath to see the next version of the draft documents. But already, there are key new statements by Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt that are worthy of deep thought:

"We are not talking about a national ID card," Locke said at the Stanford event. "We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."
-- Gary Locke

You don't reach this level of government service without the skill to choose your words *very* carefully.

Whether the government "controls" the system officially or not, all evidence is that "trusted IDs" for the Net would be irrevocably linked to government-issued IDs or similar government-issued credentials of some sort (driver's license numbers? Social Security numbers?) This entire scheme rests on the ability to link Internet presence/roles with real-world identities. So even if no physical card ever exists, the system as currently understood would very much equate to a national ID card for accessing the Internet.

It is also ironic that Locke waxes poetic on the idea of eliminating multiple passwords. In fact, the ability to have separate roles, accounts, and passwords is crucial to maintaining effective demarcations between your various Internet-related activities -- business, personal, hobby, dead-of-night explorations, and so on.

A single government-linked National Trusted Internet ID might well eliminate a plethora of passwords, but it also eliminates the ability to completely separate your various Internet activities.

While the proposed system will almost certainly claim the ability to limit the specific credentials-related details shared with any given site, the reality is that since all related credentials ultimately are linked back to the same government-issued ID references, the ability to retroactively reassociate activities at all sites accessed by that ID, effectively decimating any pseudo-demarcations between your various Internet roles, would likely be ever present.

(Reference: "Why the New Federal "Trusted Internet Identity" Proposal is Such a Very Bad Idea" - http://bit.ly/9j4X0w [Lauren's Blog]).

And then there are the "What could *possibly* go wrong?" issues.

A unified "trusted" identity could also be a dream come true for identity thieves. A compromised Trusted Internet ID (and you can *count* on the system being compromised -- with virtually 100% certainty based on the past history of these technologies) could provide a one-stop bonanza of access into every aspect of an individual's Internet activities -- that is, increasingly, virtually all areas of their life.

That's going to be much worse in most cases than simply losing a password today -- since the Trusted ID is likely always linked to government IDs, and so to your non-Internet activities as well.

And since we're talking about a "Trusted" ID by definition, this means that refuting fraudulent Internet use of your identity may be very difficult, especially if your associated government-issued IDs have also been compromised as a result.

"I don't have to get a credential if I don't want to," he said. "There's no chance that 'a centralized database will emerge' ..."
-- Howard Schmidt

If you actually believe that the statement above will truly represent ultimate reality regarding this proposal, I'd like to talk to you about buying an old but stately bridge near Brooklyn.

Sure, you don't *have* to get a credential. But then again, you don't *have* to access the Internet either. Just like you don't *have* to get a driver's license -- unless you want to be able to legally drive anywhere.

Sorry, I can't buy the "voluntary" argument. As I noted in the linked references above, once a Trusted ID system for the Internet is rolling, government pressures and liability concerns alone will almost certainly result in potential users being denied access to key Internet services -- certainly for anything relating to financial and government services, and perhaps (as the existing draft has suggested) even for activities as innocuous as entering a comment on a Web site -- unless they obtain Trusted ID credentials.

(As I've also mentioned previously, this introduces some "interesting" aspects for non-U.S. users -- at least until their own governments push through similar ID schemes that would presumably interoperate with the U.S. system -- a boon to the intel folks out at 9800 Savage Road, to be sure.)

No chance of a centralized database? Just for the sake of the argument, let's assume that's true. SO WHAT? All the data goodies will be preserved in various distributed databases nonetheless, all just a subpoena, search warrant, National Security Letter, or often simply a "Please do us a favor quietly!" request away. Whether there's actually any "centralized" database or not per se, is utterly irrelevant.

Finally, we're apparently supposed to be seriously impressed and relieved by the decision to base the Trusted Internet ID program in the Commerce Department instead of (for example) NSA/DoD.

Please excuse my yawn on this score. If you seriously believe that this placement makes any significant iota of difference -- and that the intelligence, DHS, and other DoD guys won't be in this up to their eyeballs, I'd like another chance to talk to you about a possible purchase of that bridge across the East River.

Revised details of the Internet "Trusted ID" NSTIC plan will reportedly be released within a matter of months. Perhaps there will be wondrous revelations that will transform my current very dark view of the proposal into a ringing endorsement. Unfortunately, I very much doubt that this will be the case.

I wish I did not have to be so cynical and concerned about this project. Contrary to some observers, I don't feel that the proponents of this plan are evil or stupid, nor that their motives aren't in large measure essentially laudable.

But a lack of evil and stupidity does not eliminate short-sightedness, foolishness, and priorities run dangerously amok.

The path to Internet-enabled perdition, like the spiritual path to another well-known rhetorical locale very much to be avoided, can be paved with seemingly good intentions nonetheless.

Therein is the trap for us all.

--Lauren--
Lauren Weinstein (lauren@vortex.com)
http://www.vortex.com/lauren
Tel: +1 (818) 225-2800
Co-Founder, PFIR (People For Internet Responsibility): http://www.pfir.org
Founder, NNSquad (Network Neutrality Squad): http://www.nnsquad.org
Founder, GCTIP (Global Coalition for Transparent Internet Performance): http://www.gctip.org
Founder, PRIVACY Forum: http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Google Buzz: http://bit.ly/lauren-buzz