The Macrosite for News, Analysis and Opinion about the Future of the Internet

Hello Federal ID, Goodbye Privacy

Written by Joe Stanganelli
1/19/2011 35 comments

Fellow Americans, brace yourselves; Internet identity cards are on the way.

As part of the Obama Administration's National Strategy for Trusted Identities in Cyberspace, the US government will be implementing a universal "Identity Ecosystem." Government officials are insisting that participation would be completely voluntary. (You know, the way refusing to get a passport or state ID won't make your life harder one bit.)

But the preliminary version of the Strategy, announced in June 2010, ominously specifies that its last step, after "voluntary" participation is implemented, is to "Identify Other Means to Drive Adoption of the Identity Ecosystem across the Nation" (emphasis added).

Oh, well. At least this "voluntary" program is not going to be managed by a big scary law enforcement entity like the DHS or NSA. The Administration recently announced that authority over the Strategy is being given to the very benign, very non-scary Department of Commerce. We can all breathe a collective sigh of relief.

Or can we?

To be fair, the Department of Commerce actually has a decent track record for protecting personally identifiable information (PII). The Department's data stewardship duties primarily come from managing the Census Bureau. DoC officials are lawfully forbidden from releasing PII for 72 years after collection.

In 1953, President Harry S Truman had to be relocated because of White House renovations. The Secret Service requested Census data on the President's soon-to-be neighbors so they could perform background checks. The DoC denied the request.

Similarly, in 1980, FBI agents stormed Census offices with warrants for Census data; they were foiled by a Census worker who refused to relinquish any information to them. Higher-ups at the Census Bureau/DoC got involved, and the FBI was forced to leave empty-handed.

While the Census Bureau does provide already-public information to law enforcement and has released PII to law enforcement during a time period in which it was not illegal to do so, there is no record of the Census Bureau ever illegally releasing PII.

The problem with the Strategy, however, is that the DoC will not be implementing it after all -- the private sector will be, with the DoC's guidance.

Believe it or not, that's bad.

If the DoC were managing the "Identity Ecosystem" from top to bottom, there might be some squawking from civil libertarians and privacy advocates, but there would be little to worry about. As with Census data, there would most likely be strict, comprehensive legal protections in place to prevent the DoC from releasing "Internet Ecosystem" PII to law enforcement agencies.

These legal protections won't exist in a privately implemented program, however. If the FBI or another law enforcement agency wants your private Internet data, they can easily get it with a court order.

So here's what's going on:

The Administration cleverly delegates its Strategy to one of its least offensive, least threatening Departments -- which, in turn, delegates actual implementation to the private sector. The Administration makes a show of doing all this as a matter of trust and good will, encouraging people to voluntarily comply with the program.

Meanwhile, the government tells the private sector, "You're going to use your expertise and credibility to build and implement this to meet our goals and specifications" (perhaps adding, "By the way, here's a bundle of economic incentives").

Then, any time the feds want to find out personal information stored on your identity card, it's as easy as getting a court order -- along with a gag order, so you're never the wiser.

In other words, the feds get to have their cake and eat it, too.

It doesn't matter if they're being purposely or accidentally nefarious. It also doesn't matter whether they call it a "card" or an "Ecosystem" or even "Your One True Login."

What does matter is that if the government has its way -- with private corporations as its accomplices -- then it will become a whole lot easier for them to investigate your online activity.

— Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. He is also a writer and freelance marketing consultant.

EJHarnois
IQ Crew
Monday January 24, 2011 10:07:38 PM
no ratings

Worst-worst case scenario...they hire Blackwater.

Here's hoping for failure!

(Interesting and informative article.  Thanks.)

Joe Stanganelli
Thinkernetter
Monday January 24, 2011 4:46:55 PM
no ratings

Quick update.

I received an e-mail just before the weekend from Ben Stein (no, not that one) -- a representative of the National Institute of Standards and Technology (a branch of the U.S. Department of Commerce).  He wrote to me in reply to this piece about the NSTIC.

I've said what I have to say on the matter, but I thought some of you might appreciate hearing what the Government has to say beyond what has already been published here and elsewhere.

Additionally, according to the NIST website, you can contact nstic@nist.gov for more information (as well as, I presume, to provide your own input) on NSTIC.

Below is the e-mail, posted unedited in its entirety (except, as a matter of respect, I have removed his e-mail signature):

 

***


Dear Mr. Starangelli,

We appreciate your coverage of NSTIC on Internet Evolution. http://www.internetevolution.com/author.asp?section_id=1087&doc_id=203318&.

One point that I'd like to emphasize is one of the government's roles in NSTIC would be to build consensus on legal and policy frameworks, including ways to enhance not only security but also privacy in online transactions. And as you noted, this would be voluntary and opt-in. It would not be a single ID, and not be something from the government. Instead the "ecosystem" would contain multiple identity providers and interoperable digital credentials that are based on agreed-upon standards for security and privacy. A user could choose any of them, or none of them. If people chose to opt into such a solution, they would continue to have the ability to communicate anonymously online, but still have secure authentication for business and sensitive on-line transactions. That's the NSTIC vision.

NSTIC is something that is being developed with input from all sectors of the general public.

Also, we would appreciate it if in future discussions you could point your readers to our NSTIC website with the information we have prepared on it, and we will continue to put more information on it (and my apologies if I missed a link to the site): http://nist.gov/nstic/

Ben

 

Joe Stanganelli
Thinkernetter
Sunday January 23, 2011 1:18:30 PM
no ratings

Hi, dlavie.

Sorry if I misled you; I wasn't making a parallel to driving.  I was making a parallel to the need for that type of ID (perhaps it would have been more precise for me to say "state-issued ID" instead of "Driver's License").

Nobody in the U.S. has to have a driver's license, passport, or other government-issued ID (beyond your birth certificate and social security card), but good luck living day-to-day life without one.

My point in making this parallel was to portray the very real concern that the aim of NSTIC seems to be to make Internet ID "Ecosystems" as prolific as driver's licenses, passports, and the like.

dlavie
IQ Crew
Sunday January 23, 2011 1:07:20 PM
no ratings

The parallels to driving and use of cars are misused.  Driving has never been a right, it has always been a privilege.  Licensing and registration is the price if you want that privilege.  You violate the "rules of the road" and you lose the privilege.

I already have a "smart card" license; it's a passport on a license. Given my location close to the Canadian border, it's a lot easier than trying to remember if I brought my passport.

Participation on the internet, is it a right? That's one to kick around.

At one time some states used to use the driver's SSN as the driver's license #. We know how secure the info at the average Department of Motor Vehicles is.

Dave LaVie

aum007
Thinkernetter
Sunday January 23, 2011 9:53:43 AM
no ratings

Joe,

Looking at Govts' (worldwide) track record of managing these "transformations", it will fail miserably (most probably due to cost overruns). The taxpayer will get tired of footing the bill on another utterly useless exercise in increasing bureaucratic outreach, with no checks and balances whatsoever.

This is the best-case scenario. Worst case? The US turns into a Stalinist police state where anyone voicing any opinion opposed to Govt/bureaucratic interests is first put under surveillance and then silenced decisively.

Not a fun place to be in....

Regards

Ashish.

abdlah
IQ Crew
Saturday January 22, 2011 6:31:51 PM
no ratings

Thanks for the information and analysis. I think you have made a case for the general public to be careful about the consequences of such a system.

Wouldn't the rules of the DoC automatically affect the private companies since the DoC has responsibility for the system?

Let's be vigilant and be informed on this move.

Joe Stanganelli
Thinkernetter
Thursday January 20, 2011 2:25:21 PM
no ratings

 

Alas, I disagree that compulsoriness is a necessary ingredient for a nationwide federal government effort to be deemed a "national" one.

Nonetheless, I would point out that, with the weight of the U.S. Government behind this -- pressuring/coercing the private sector (see the Action Items in the current draft of the NSTIC) -- it's hard to see how the goal here is not a situation in which the use of these "Identity Ecosystems" is not so widespread and standardized that it would be impossible in any practical way to conduct business -- or even communicate -- on the Internet without one of these IDs.  While compliance may not be literally mandatory, it is clear that the goal is that it would be constructively mandatory.

(This is similar to when your landlord can't legally evict you, so he turns off your heat, electricity, and water in the dead of winter.  This is known as "constructive eviction.")

 

 

The 48 Laws of Power is a book of historical case studies (among other things) on those who succeeded (and failed) at the game of power.  It is written by Robert Greene and I highly recommend it.

 

Joe Stanganelli
Thinkernetter
Thursday January 20, 2011 2:19:38 PM
no ratings

"You are implying that the .gov will be the process. That is not what they say. They want to be the facilitator."

I don't really see that implication, Michael.  Nevertheless, I think this line of thought unnecessarily gets into mere semantics ("process" vs. "facilitation").


"I again ask for your solution rather than "dissing" a process that is asking everyone to step forward with ideas to solve a major problem. Maybe you could help."

User education.

As JC and Antonis commented below, better protection of devices is needed also.  I did read your article that you linked to.  I am sorry, genuinely, that you were the victim of credit card fraud.  At the same time, I'm not sure how the implementation of a national SSO ID would have prevented it.  It appears (or so I assume) that the problem was not at your end, but at the merchant's end. 



"Finally, I have to question your mocking the government and a lot of people that just want their computers to work. Think grandparents, parents, and others."

FWIW, neither my parents nor my grandparents would click a link to enhance their manhood or send money to a stranger overseas who says they won $50 million in the United Nations lottery.  Several times a month, I play bridge with a centenarian who can barely see and hear but who is still able to browse the Internet and communicate over e-mail without bumbling into a scam.

In any case, I'm not the first this year to post on IE about Internet stupidity and the need for users to be more intelligent as they venture onto the Web.

(Let me be clear. I don't believe all scam victims are stupid -- but forgive me; I honestly believe that falling for, say, a Nigerian 419 scam, in this day and age, is in and of itself pretty dumb. Which is not to say that I haven't done a lot of dumb things myself.)

smkinoshita
Thinkernetter
Thursday January 20, 2011 2:13:18 PM
no ratings

"Do I have any better ideas beyond education?  No, not at the moment, though I'd be happy to brainstorm with the powers that be if asked."

Actually, education is probably the best idea possible.  Start young, and be upfront.  A little paranoia is justified online. There's no cure for stupid, but then there's nothing anyone can do about stupid.  Stupid happens to just about everyone at some point in a moment of weakness. 

Education helps set standards, too.  A little peer pressure to make one feel stupid about online security ignorance could keep us all a little safer without having to deal with cumbersome types of security just because a handful are idiots.

Michael P. Kassner
Thinkernetter
Thursday January 20, 2011 1:47:32 PM
no ratings

I think most would agree that something on the order of a national ID would have to be mandatory. 

I am interested in the link you gave. Could you give some more details about what the 48 laws of power is? 

The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.