« WikiLeaks: From Whistleblowing to Information Vandalism | Main | iPad Hacked! An LLB PSA for TR CEO Tom Glocer and Other iPad Users »
June 30, 2010
White House, DHS, Proposed National Cyber Identity
Remember Microsoft's Passport? Microsoft's idea was to create a secure online ID that could be used as credentials for a variety of sites: Internet access, banking, shopping, and other services. The reaction was negative, not because it was necessarily a bad idea, but because Microsoft would federate these IDs through its servers. Microsoft, in theory, would know everything about everybody. So that project died, more or less. Microsoft now uses Live ID, or whatever it's called these days, as a way for people to access its services. Other initiatives such as the Liberty Alliance Projectand OpenID grew out of the concept.
Last Friday the White House and the Department of Homeland Security issued the draft proposal called "National Strategy for Trusted Identities in Cyberspace." The document essentially suggests the same type of program, but with the federal government doing the federating for public and private business using these IDs. The program is envisioned as voluntary. Allow me to put on my tin foil hat for a moment and wonder if it was so bad for Microsoft to run such a system, why is it better for the government to do so? Imagine a society where the only way to get social security benefits, pay taxes online, or other vital interaction with the government was via a Trusted Identity? Want to get on a plane, validate your identify first. That would be some "voluntary" adoption by the public. But, I'm getting ahead of myself here. Consider the goals and aims of the project.
From the Executive Summary:
The Identity Ecosystem enables:
- Security, by making it more difficult for adversaries to compromise online transactions;
- Efficiency based on convenience for individuals who may choose to manage fewer passwords or accounts than they do today, and for the private sector, which stands to benefit from a reduction in paper-based and account management processes;
- Ease-of-use by automating identity solutions whenever possible and basing them on technology that is easy to operate with minimal training;
- Confidence that digital identities are adequately protected, thereby increasing the use of the Internet for various types of online transactions;
- Increased privacy for individuals, who rely on their data being handled responsibly and who are routinely informed about those who are collecting their data and the purposes for which it is being used;
- Greater choice, as identity credentials and devices are offered by providers using interoperable platforms; and
- Opportunities for innovation, as service providers develop or expand the services offered online, particularly those services that are inherently higher in risk;
Privacy protection and voluntary participation are pillars of the Identity Ecosystem. The Identity Ecosystem protects anonymous parties by keeping their identity a secret and sharing only the information necessary to complete the transaction. For example, the Identity Ecosystem allows an individual to provide age without releasing birth date, name, address, or other identifying data. At the other end of the spectrum, the Identity Ecosystem supports transactions that require high assurance of a participant’s identity. The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques. Finally, participation in the Identity Ecosystem is voluntary for both organizations and individuals.
One of the examples in the full document is the ability to use the ID to make anonymous blog postings. The question, though, is whether one can truly be anonymous under such a centralized system if it's controlled by the government. Or anyone for that matter. The RIAA and rest of the copyright police would be delighted to exploit such a system. It's not that they shouldn't protect their intellectual property. Their track record shows a regular disregard for investigating claims before bringing suits against individuals. If Google and the rest pass along information requested through a subpoena, how can the government resist?
Then there is the prospect of an individual compromising identification from such a system. Look at the recent controversy when a U.S. Army Intelligence Officer was arrestedfor leaking confidential diplomatic and war related information to Wikileaks. That system was allegedly secure. Could hackers or other interested parties compromise someone who helps run the system? The document seems more concerned with enhancing privacy while using the system rather than maintaining it. Of course, it's still in the draft proposal stage. It's no wonder that these concerns aren't addressed. Nonetheless, anyone who isn't forced to participate in the system would want to know how their vital information isn't protected from third parties.
Congress passed the RealID Act in 2005, which amounted to a national identity cardin all but name only. The states are balking at the prospect of implementing he program, at least due to the costs they have to assume. That program has a lot of sticks associated with it, such as access to certain government services and facilities. The idea of a government managed electronic identity may be the way to accomplish the same goals without the resistance raised against the RealID Act. It may be voluntary in proposal, but the practical implementation may mean a choice that can't be refused. I can turn down Microsoft, but the feds have more power than a software manufacturer.
The White House blog posting is here. The draft document is here. [MG]
June 30, 2010 in Current Affairs, Gov Docs, News, Web Communications | Permalink
