If the President Obama’s plans for the Internet are implemented by the federal government, Internet anonymity may soon be a thing of the past. The whole project has been given the typically massaged moniker of “National Strategy for Trusted Identities in Cyberspace” (NSTIC). The development of the strategy is not a sudden, recent development. (In fact, a June 2010 draft of the proposed strategy is available here from the Department of Homeland Security.) But comments last week by Commerce Secretary Gary Locke appear to indicate that the administration may be preparing to implement NSTIC.
The “Executive Summary” of NSTIC is a combination of the obvious (a great deal of trolling and phishing take place on the Internet everyday) and the ominous (the solution is a federal “Identity Ecosystem”). In the words of the Summary:
We use cyberspace to exchange information, buy and sell products and services, and enable many online transactions across a wide range of sectors, both nationally and internationally. As a result, a secure cyberspace is critical to the health of our economy and to the security of our Nation. In particular, the Federal Government must address the recent and alarming rise in online fraud, identity theft, and misuse of information online.
One key step in reducing online fraud and identity theft is to increase the level of trust associated with identities in cyberspace. While this Strategy recognizes the value of anonymity for many online transactions (e.g., blog postings), for other types of transactions (e.g., online banking or accessing electronic health records) it is important that the parties to that transaction have a high degree of trust that they are interacting with known entities. Spoofed websites, stolen passwords, and compromised login accounts are all symptoms of an untrustworthy computing environment. This Strategy seeks to identify ways to raise the level of trust associated with the identities of individuals, organizations, services, and devices involved in certain types of online transactions. The Strategy’s vision is:
Individuals and organizations utilize secure, efficient, easy-to-use, and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.
More specifically, the Strategy defines and promotes an Identity Ecosystem that supports trusted online environments.
The weaknesses of Internet transactions are, for the most point, obvious, and the Strategy neatly summarizes some of the primary problems which plague the public. But the question is whether the proposed solution actually addresses the problem in an effective manner, or whether it is simply the latest attempt to institute a national identification system. In essence, critics of NSTIC see the “Identity Ecosystem” as Real ID 2.0, a second attempt to implement a nationwide system of identification, and thus reject the notion of a government established “Identity Ecosystem.” In the words of Jim Dempsey of the Center for Democracy and Technology: “The government cannot create that identity infrastructure. If I tried to, I wouldn’t be trusted.”
An article by Declan McCullagh for “TechTalk” at CBSNews.com summarizes the announced administration strategy:
President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.
It’s “the absolute perfect spot in the U.S. government” to centralize efforts toward creating an “identity ecosystem” for the Internet, White House Cybersecurity Coordinator Howard Schmidt said.
That news, first reported by CNET, effectively pushes the department to the forefront of the issue, beating out other potential candidates, including the National Security Agency and the Department of Homeland Security. The move also is likely to please privacy and civil-liberties groups that have raised concerns in the past over the dual roles of police and intelligence agencies. …
“We are not talking about a national ID card,” [Commerce Secretary Gary] Locke said at the Stanford event. “We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”
And the system is supposed to be “voluntary”— though one hardly need be a cynic to acknowledge that the government works with a different definition of voluntary than that which is utilized by human beings. If the system is not a “government-controlled system” why is the Commerce Department overseeing its creation?
The “virtues” of a single online “identity” are dubious, at best. Although the current need for a variety of passwords may seem cumbersome, it is not hard to figure out how much more devastating it could be when someone steals your identity under the new “Identity Ecosystem.” Possessing the Internet-equivalent of a “skeleton key” which would allow someone to access another person’s entirely online activity would allow for even more damaging cases of identity theft than have already become commonplace. And if (or when) a nongovernmental and voluntary system fails to deliver, just wait for government to jump in and “solve” the problem.
In fact, the NSTIC draft already promises that the federal government will be intimately involved in the entire process, using its usual “carrot and stick” approach of giving away the people’s money and passing judgment on the proposed security solutions of those who are not “first adopters”:
Widespread adoption of more robust identity solutions will likely not occur without comprehensive incentives. The Federal Government will take steps to evaluate the efficacy of economic incentives to private sector or individuals to spur adoption of strong, interoperable identity solutions. The Federal Government will consider incentive programs such as tax credits/breaks, cybersecurity insurance, grant programs, or loans for first adopters. The Federal Government should also analyze how it can better align identity solution requirements in existing grant programs against the Identity Ecosystem.
After all, federal tax credits/breaks have do so much to improve alternative energies and various sectors of agriculture… right?
Photo: The Internet Corporation for Assigned Names and Numbers (ICANN), headquartered in Marina Del Rey, California