NNSquad - Network Neutrality Squad


[ NNSquad ] Beware the Wolf in Sheep's Clothing: NSTIC "Trusted Identities in Cyberspace" Launched




                    Beware the Wolf in Sheep's Clothing: 
             NSTIC "Trusted Identities in Cyberspace" Launched

                http://lauren.vortex.com/archive/000842.html


Greetings.  I've written a number of times before about the Obama
Administration's NSTIC (National Strategy for Trusted Identities in
Cyberspace) initiative (please see below for links to some relevant
postings and papers).

This program, which visualizes a vast new "identity ecosystem" for
Internet access and usage, linked to government-issued IDs, has been
gestating for some time.

Today the program has been formally launched, with the Department of
Commerce acting as the public-facing "front man" for the project, but
with the deep involvement of the Department of Homeland Security
(DHS).

Because I have already said much about NSTIC previously, and since
there appear to be few (if any) substantive changes between the
preliminary materials (on which I based my earlier analysis) and
today's formal version, I will not here repeat all of my detailed
concerns, and would urge you to follow the links below for additional,
more in-depth information if you are interested -- and you should be
interested.  You should be interested even if you're not in the U.S.,
since the impact of the NSTIC scheme will have global implications on
the international Internet.

Nobody would reasonably assert that the Internet does not have
security and identity issues that create a variety of less than
optimal situations.

However, in a free society, we must always be diligent to avoid
creating even commendably appearing "solutions" that can create far
worse diseases than they were supposedly designed to cure.  When you
drink the Kool-Aid, you don't want to discover afterwards that it was
even inadvertently laced with cyanide.

The biggest lie of NSTIC is that it would actually be "voluntary" -- a
term that its proponents use ad nauseam.

The sort of identity ecosystem envisioned by NSTIC would quickly and
inevitably become mandatory for a vast range of Web sites and
services, and when the system is hacked or otherwise subverted, the
results may well be catastrophic for the individuals or organizations
involved.

So NSTIC's version of "voluntary" would -- I believe over a relatively
brief period of time -- be only as voluntary as having a driver's
license if you want to drive, or subjecting yourself to TSA body x-ray
scans and invasive pat-downs if you want to fly.

In fact, the situation with NSTIC is actually worse than those
examples.  It is possible (however inconvenient) to get through life
without driving or flying in most situations.  But access to services
at Web sites is rapidly becoming a necessary component of everyday
life.

Concerns over liability, age appropriateness, and other factors will
drive Web sites toward requiring the use of NSTIC for access, without
any formal government mandates to do so even being necessary in most
cases.

NSTIC will be an incredibly powerful enabler of censorship and
government tracking.  Sites will be under enormous pressure to "wall
off" materials considered "inappropriate for children" behind
NSTIC-based credential barriers.  And using those credentials to
access sites will by definition create an almost impossible to refute
association to your actual accessing of that data.

No more creating a "throw-away" account if you wish to view something
controversial in any of many respects.  Age verification via such
systems inevitably implies identity verification at one level or
another.

NSTIC proponents tout the distributed nature of NSTIC credentials, and
the ability of consumers to choose among various NSTIC issuing
entities -- there's no central government ID database, they proclaim.

In reality of course, most persons will probably tend to bundle their
NSTIC credentials in some manner, for convenience if nothing else --
who wants to have a wallet full of "smart cards" that have to be
individually used for each different site that you wish to access, if
one SuperSmartCard can rule them all, so to speak?

But even if one chose to keep all services and all NSTIC credentials
completely separate from the user standpoint, it wouldn't make much
difference.  The technologies of data analysis and data re-association
are now so advanced that building a detailed dossier of a user's
Internet activities even from distributed credentialed sources will
likely be straightforward.  The deep involvement of DHS within the
NSTIC ecosystem virtually guarantees that this will be possible and
can be swiftly accomplished, since despite the e-commerce trappings,
it's clear that a key element of the DHS security agenda -- being able
to track what people do on the Internet -- is ultimately a driving
force behind NSTIC.

There's so much more to say, but for now I'll just leave you with two
additional thoughts.

The first is technical.  We know that PCs of all sorts are
fundamentally insecure.  Viruses or other malware that often infect
these systems have essentially total control over all aspects of the
systems' functioning.  They can capture keystrokes and other data,
they can read your screen, they can make it appear that you're
voluntarily accessing particular Web sites -- all without your
knowledge, even while you're sitting there at the machine.

Imagine if you will the ramifications of such malevolent technology
having access to your NSTIC credentials -- perhaps via a currently
inserted smart card linked to your government ID -- and considered by
law to be equivalent to your personal signature, even on extremely
high-value financial transactions.  Just try to refute those
transactions, or the record that claims you must have visited that
nasty site and downloaded those forbidden files -- despite your
protests that you knew nothing about them.  Good luck.

Finally, acceptance of NSTIC requires complete faith not only in the
veracity of the current government, but of all future governments that
could subvert and abuse a widely deployed Internet identity ecosystem.
The structures that we build into the Internet now are likely to be
essentially permanent fixtures for a very long time -- so even if you
have utter trust in the current government at all levels, one must
consider what these powerful tools could do in less trustworthy hands
in the future.

And even the relatively recent history of our government -- both of
Obama, and Bush before him, not to mention Congress -- is hardly
reassuring in these regards.

Users' Internet records have been collected by the government on the
thinnest of pretenses based on "rubber-stamped" court orders or secret
National Security Letters.  The Obama administration (like
administrations before it) is resisting efforts to protect users'
email on remote servers from government snooping without a warrant.

At the same time that ill-advised commercial Internet "do-not-track"
concepts are being promoted by some facets of the government, other
government players are pushing for massive user data retention
regimes, to allow retrospective analysis of your phone calls, email,
and virtually every other aspect of your electronic communications.

Meanwhile, U.S. Immigration and Customs Enforcement (ICE) has shut
down vast numbers of innocent Web sites with banners suggesting that
they were involved in child-abusive pornography, the U.S. government
is attempting to leverage control over the Domain Name System to
dictate the operations of both U.S. and non-U.S. sites, and Congress
is hellbent on the creation of a vast censorship regime that would
micromanage and dictate what links were legal for Google and other
search engines to display (COICA).

NSTIC supporters suggest that it's primarily a private enterprise
initiative.  Don't you believe it.  The federal government is in this
up to their (and our) eyeballs.  NSTIC represents politicians' and
their minions' best hope of "getting effective control" over how
everyone uses the Internet.  It is the means to the end of destroying
the concept of anonymity in general and the ability to criticize and
"whistle-blow" in a truly anonymous nature in particular.  It is a wish
come true for intelligence agencies and government data miners, for
"irrefutable" identity is key to so many of their efforts.

The saddest part is that there are supporters of NSTIC who are
convinced that the problems it solves are more important than the
horrendous risks it brings.  To this extent, their motives may well be
laudable, but I would assert that they have still been seduced by a
technological chimera.

Wrapped in the sheep's clothing of "easier e-commerce" and adorned
with an array of other seemingly shiny baubles, NSTIC is the wolf that
could mutate the Internet from the greatest free speech tool in human
history, into a tyrant's wet dream -- perhaps not immediately, but
ultimately nonetheless.

Consider well the situation.  The wolf is knocking at the door.

--Lauren--
Lauren Weinstein (lauren@vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
Founder:
 - Network Neutrality Squad: http://www.nnsquad.org
 - Global Coalition for Transparent Internet Performance: http://www.gctip.org
 - PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Blog: http://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein 
Google Buzz: http://j.mp/laurenbuzz 
Quora: http://www.quora.com/Lauren-Weinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
 
  - - -

Internet Freedom Alert: Obama Admin Pushing Ahead Today with Dangerous
"Internet Trusted Identity" Scheme: http://j.mp/eZug4M  (Lauren's Blog)

Obama's "Trusted Internet ID" Scheme Announcements: Reading Between
the Lines: http://j.mp/gkA3Rt  (Google Buzz)

Don't Put Your Trust in "Trusted Identities":
http://j.mp/gEloiE  (ACLU)

Comments on the National Strategy for Trusted Identities in Cyberspace:
http://j.mp/eZAlIG  (SMBlog)

NSTIC - National Strategy for Trusted Identities in Cyberspace:
http://www.nist.gov/nstic/  (NIST)