Fellow Americans, brace yourselves; Internet identity cards are on the way.
As part of the Obama Administration's National Strategy for Trusted Identities in Cyberspace, the US government will be implementing a universal "Identity Ecosystem." Government officials are insisting that participation would be completely voluntary. (You know, the way refusing to get a passport or state ID won't make your life harder one bit.)
But the preliminary version of the Strategy, announced in June 2010, ominously specifies that its last step, after "voluntary" participation is implemented, is to "Identify Other Means to Drive Adoption of the Identity Ecosystem across the Nation" (emphasis added).
Oh, well. At least this "voluntary" program is not going to be managed by a big scary law enforcement entity like the DHS or NSA. The Administration recently announced that authority over the Strategy is being given to the very benign, very non-scary Department of Commerce. We can all breathe a collective sigh of relief.
Or can we?
To be fair, the Department of Commerce actually has a decent track record for protecting personally identifiable information (PII). The Department's data stewardship duties primarily come from managing the Census Bureau. DoC officials are lawfully forbidden from releasing PII for 72 years after collection.
In 1953, President Harry S Truman had to be relocated because of White House renovations. The Secret Service requested Census data on the President's soon-to-be neighbors so they could perform background checks. The DoC denied the request.
Similarly, in 1980, FBI agents stormed Census offices with warrants for Census data; they were foiled by a Census worker who refused to relinquish any information to them. Higher-ups at the Census Bureau/DoC got involved, and the FBI was forced to leave empty-handed.
While the Census Bureau does provide already-public information to law enforcement and has released PII to law enforcement during a time period in which it was not illegal to do so, there is no record of the Census Bureau ever illegally releasing PII.
The problem with the Strategy, however, is that the DoC will not be implementing it after all -- the private sector will be, with the DoC's guidance.
Believe it or not, that's bad.
If the DoC were managing the "Identity Ecosystem" from top to bottom, there might be some squawking from civil libertarians and privacy advocates, but there would be little to worry about. As with Census data, there would most likely be strict, comprehensive legal protections in place to prevent the DoC from releasing "Identity Ecosystem" PII to law enforcement agencies.
These legal protections won't exist in a privately implemented program, however. If the FBI or another law enforcement agency wants your private Internet data, they can easily get it with a court order.
So here's what's going on:
The Administration cleverly delegates its Strategy to one of its least offensive, least threatening Departments -- which, in turn, delegates actual implementation to the private sector. The Administration makes a show of doing all this as a matter of trust and good will, encouraging people to voluntarily comply with the program.
Meanwhile, the government tells the private sector, "You're going to use your expertise and credibility to build and implement this to meet our goals and specifications" (perhaps adding, "By the way, here's a bundle of economic incentives").
Then, any time the feds want to find out personal information stored on your identity card, it's as easy as getting a court order -- along with a gag order, so you're never the wiser.
In other words, the feds get to have their cake and eat it, too.
It doesn't matter if they're being purposely or accidentally nefarious. It also doesn't matter whether they call it a "card" or an "Ecosystem" or even "Your One True Login."
What does matter is that if the government has its way -- with private corporations as its accomplices -- then it will become a whole lot easier for them to investigate your online activity.
— Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. He is also a writer and freelance marketing consultant.