Join in on the Facebook Discussion on this topic.
When it comes to the Internet, the US government usually doesn’t have a clue. That seems to be the case with the recent announcement of the Obama Administration’s plans to develop an internet identity system that officials claim will reduce fraud and identity theft while streamlining online transactions.
Cut to the chase: the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a bad idea. On the surface having something that will increase online transactions and reduce identity theft makes (some) sense. Security is the #1 reason that people avoid online transactions and in an age that is continuously going more and more digital, it would appear prudent to take steps towards improving security.
This step is not a prudent one. It will lead us down the wrong path for several reasons.
How Do You Spell Disaster? S-I-N-G-L-E-P-O-I-N-T
A skeleton key is “a key or similar object capable of opening any lock regardless of make or type.” In its most basic form, this is what the Obama Administration is proposing. Rather than have different passwords and email validations to access the various places we surf, NSTIC will be a single point of entry for online interactions and transactions that consumers and businesses can use to engage.
This should terrify the tech-savvy crowd.
Having a single-point of entry into many websites is already available in several forms, most prominently through Facebook. Many have accepted it because there is only privacy at stake – we aren’t making purchases or attaching financial information to Facebook (even though there is a looming Facebook eCommerce potential, but that’s a different story).
Allowing access to our financial credentials and buying power through a single interface is ludicrous. eCommerce fraud is bad as it is and this solution is only an opportunity to empower the nefarious types to have more access in one tightly-wrapped package called NSTIC.
Stay Out of My Interwebbing Activities
“This is going to cause a huge shift in consumer use of the Internet,” said John Clippinger, co-director of the Law Lab at Harvard’s Berkman Center for Internet and Society in Cambridge, Massachusetts. “There’s going to be a huge bump and a huge increase in the amount and kind of data retailers are going to have.”
Exactly.
There’s a reason that companies such as Google and Paypal support this. It’s an opportunity to centralize and collect the most important asset on the Internet: data. There will be assurances that this piece of data or that piece of data will not be shared, but “sharing” is an ambiguous term. Necessity will kick in.
By necessity, I mean that there will be increasing “needs” by businesses and government agencies to peek in on what we are doing. If you think that this is a false statement, you are naive. It will happen. It will start under the guise of necessary adjustments to the law in the name of “consumer protection” or “homeland security” and will expand from there. I could write an entire piece about why this is the general trend on anything that pertains to our online privacy rights, but suffice to say that when you have a data-collection venue that data will be used by multiple entities regardless of the safeguards put in place up front.
A False Sense of Security
Diligence is often fueled by paranoia. A healthy dose of paranoia goes a long way towards maintaining proper personal online security. NSTIC will erase the paranoia for many and, as intended, bring more people into the online-transaction fold.
When it comes to financial security, anything that makes people trust a service is potentially a bad thing. It is in most people’s nature to relax about a particular subject when we feel secure that we are protected. By stamping it with the US Commerce Department’s seal of approval, many will trust it.
They will trust it too much.
Constant diligence protects millions of Americans from falling victim to online scams and financial security breaches. Anything that puts people too much at ease will be exploited, as is the case with a National Internet ID.
Who Are Smarter? Hackers or The US Government?
The most intelligent aspect of this solution is that they do not plan on having a centralized database. The government will rely on several service providers to house the data in the most secure fashion imaginable.
And yet, I’m still terrified.
The only reason that financial institutions have not been widely hacked for their data in the past is because it is generally worthless. The “buying power” is not there and money transfers are specifically geared to require multiple-points of approval. It would require a very organized and large-scale operation to form a true financial institution hack that could produce results, and those results would likely be short-lived.
This is different.
By its very nature, this is a streamlining initiative. Anything that is made to simplify our actions is open to manipulation. Hackers today who examine the way transactions happen online naturally go towards the easiest point of access which is currently directly through consumers. NSTIC may change that. By “may” I mean there is a chance the government will understand this before launch and add the appropriate safeguards. If they do, they would limit the effectiveness of the product by making it challenging for businesses and consumers to interact.
They “may” do it the secure way, which would make hacking into the service providers worthless. Chances are slim, however, as the goal here is to make things easier for online transactions to take place.
The Big Brother Factor
“We are not talking about a national ID card. We are not talking about a government-controlled system,” United State Commerce Secretary Gary Locke said on Jan. 7.
The first thing that comes to mind (and should come to your mind) when hearing these words is, “Yet.”
This is a very dangerous step towards increasing the power and reach of the government into our pocketbooks. Until the details of the plan are released this is just a conspiracy-theory-laden section of paranoia without substance, but any time the government gets involved with anything pertaining to the Internet, the alarm bells ring in the back of my CPU.
Good, thoughtful points about the very real risks … and yet, the benefits of a secure online identity are real, too, so we need to do something to make that secure identity feasible for all. We already know that most people simply will *not* maintain their security in the current environment, and maintaining (or raising) fear levels will shut more people out of the online world. (And, as a side issue, ponder which people will self-select out and how that discriminatory result affects our cultures both on and off line.)
It feels to me like a common government policing role, and so it comes with the normal government over-reach/misuse risks, and should be constrained by the normal legal protections. (IMO we in the USA need much stronger laws in re privacy protections, but that’s not your subject here, is it?)
It is simply a bad idea.
This initiative, if it somehow comes to fruition, is by its own nature a danger. Claiming that this will somehow increase security for those that already do not care is foolish (read the false sense of security part). All this does is off load blame for wrong doing away from end-users and service providers.
Don”t even think for a minute that the government wouldn’t become culpable for security and access issues in the eyes of the non-tech savvy.
Oh and corporations have a hard enough time with data leaks already. Plus, the government is atrocious in its record of IT projects. For reference, research the Bush administration trying to upgrade its internal e-mail service at the White House or perhaps the current issues regarding the near collapse of the information systems responsible for Social Security.
…and they plan to let people use this type of security on Windows?
JD,
I have a few points of contention to your article. In my mind, the single point of access is not an issue for 90% of internet consumers. I think it’s naive to think that the majority of consumers are using different passwords for all of their financial accounts (bank, PayPal, sites with stored CC#, etc) today. Those people already suffer from a single point of access. As for the tech savvy crowd? So long as the government does not _require_ the use of their internet id system, then it won’t change the way we do things.
Further, while having a single interface to financial data increases the risk of breach, it also increases the accountability of transactions. This, if done correctly, could streamline enforcement actions against hackers/scammers/etc.
Also, I’d have to imagine that in order for an institution (eCommerce site, bank, etc) to connect to the requisite national id API, there would be some vetting process, and a set of standards to which the institution would be held (e.g. levels of encryption, allowable stored user data, security and auditing). As it stands today, fear of lawsuits and bad press is the only thing keeping eCommerce companies “honest”.
Finally, the “big brother” factor already exists. The IRS can demand full disclosure of our financial transactions at any time they please. The credit reporting agencies have access to every one of our account numbers and account histories. Our information is already in the hands of juggernauts like PayPal and Bank of America. I don’t think that “big brother” knowing our username and password provides a significantly higher level of intrusion.
I’d like to close by saying again that my remarks are in regard to the use of the internet by neophytes, and not the tech savvy sort. Those are the people that really do need help securing their identity on the internet. It comes down to this question: Who do you trust more to protect them? A hodge-podge of blindly entrusted corporations, or the US Government. (And no, I’m not happy with either answer).
>When it comes to the Internet, the US government usually doesn’t have a clue.
According to who? With all due respect, for all its incompetencies and bureaucracy, the US Government and its various agencies and contracted efforts have repeatedly lead the world in science in engineering, to include having created the internet to begin with.
You make some legitimate points, but demand for responsible commerce and behavior dictates the need for some authentication mechanisms. This has been predicted as inevitable by computer scientists for decades.
There are plenty of quite legitimate concerns; you’ve cited many. Ultimately I don’t think an ID system need be entirely pervasive – information remains free and anonymous to the extent that certain publishers (anyone, really) choose to publish it that way. In cases where it makes sense to verify an identity (which is already the case to conduct business/commerce), it makes *more* sense from a consumer’s perspective to have one standard that is deemed “as reliable as possible” even if that’s a fallacy (even yet, one unreliable standard is better than a dozen unreliable standards).
The federal government didn’t actually do most of the work to create the Internet. Most of it was done by university and corporate lab researchers working under federal grants. The Department of Defense has always outsourced most of that work to skilled talent outside the federal government because that’s cheaper than running the equivalent of a UC Berkeley, MIT or Bell Labs in house.
More practically, though, the problem here is not engineering, it’s bureaucracy. The federal government does not have the institutional flexibility to operate a system like this. If you want a comparison, look at the Google identity system and Facebook Connect. The federal government doesn’t have the kind of payroll, personnel and property flexibility needed to hire the right minds, let them operate in the environment they need and “just get the job done” with regard to procurement.
If you look at most large federal information systems worked on in the last decade or so, they’re terrible failures compared to the private sector for those reasons.
I knew he was a commie, freaking Obama. But it doesn’t come as a shock as I suspected Obama of being the anti-christ
Sounds like something the anti-christ or his puppet would institute. All kidding aside it sounds worse than what Orwell imagined
Great article… and you nailed it.
This is all about controlling data and information. The U.S Government is realizing that it needs to control all this information, to be able to use it against the people.
We already have Ip addresses that can be tracked via your Internet Provider, you post something online and your IP address gets logged and can be back tracked to your computer. Even if your smart enough to use something as Tor people can find your original IP.
Seriously articles like this are to install fear in stupid computer users.
CNN is basically the Defense Department’s mouthpeice. Notice whenever there is a conflict (like the Georgia/Russia skirmish on 8.8.08) CNN always has the first word.
From your comments, you clearly haven’t read the National Strategy for Trusted Identities in Cyberspace. The US government isn’t proposing a single ID for cyberspace, nor anything like it.
I shouldnt be so shocked that there are comments in here defending this idea. You morons bent over and willingly showed the government where they could stick their throbbing rod on illegal wire-tapping, torture, illegal wars, airport x-rays and now you are going to do it again with this crap. Dont even respond to this comment because I wont be reading it. I am absolutely disgusted with people like you since you make it so easy for them to screw us over. There is not a single thread of legislation that needs to be added to the internet, its fine how it is and if you are stupid enough to get scammed stay away from it. Keep the government away from the internet as much as possible you stupid apes, its the last form of free communication we have and you are busting down the doors trying to give it away!
Bottom line, they know what they’re doing.
Is it a bad idea for us? YES. Great idea for them.
If this guy gets elected for a 2nd term then I will have officially lost all faith in the US populous’ ability to think freely.
Please google the following:
Define:DARPA
I stopped reading because it sounded like partisan drivel. AKA first paragraph.
sign of the apocalypse
I was thinking the same thing – one monetary system
Hahahaha – you get what you pay for. As long as america keeps putting up with stuff like this it will keep happening. Someday, people will wakeup and find they have the government they always wanted – and can’t stand it.
The bottom line is that the government can’t do anything better than the free market. They always take longer, refuse outside input, and spend a fortune building their broken products.
CNN is liberal?
I guess if you call constant stupid shots of you tube, news on something trivial as a animal showing up in a community and annoying one liners is liberal then ok. that being said, they dont realy take sides as i watch them to try and get a balanced view.
I have my issues with CNN, taking a partisan approach is not one of them.
“The Republicans should (hopefully) block any legislation from happening. This is where it is important to remain vigilant in protecting civil rights even in times where it seems that they allow for bad things to happen”
Then the Patriot Act should have been blocked.
Why did none of you Republicans bitch when G.W. Bush tried to implement the National ID system, for everyone, in the real world? The Democrats have blocked the “national ID” since they got in.
This implementation is meant to be for secure online transactions(commerce department), but will fail, just like Microsofts dot Net ID system, or any other online company that has tried a “one ID” system.
The biggest and most telling of these is Social Security ID. Social Security numbers were created for only one reason – to keep track of your contributions and how much you’re owed by Social Security.
Now, you’re required to give it to go to a bank, go to school, get a job, get a credit card, etc. etc.
What will happen is that businesses will say “this is the best way to protect ourselves” and if the majority of people adopt it, they will just refuse to do business with anyone that doesn’t use it. It becomes a slippery slope thing. It is unquestionably better for businesses, as it starts to put others on the hook for their security issues, so they will be clamoring to force all their customers to use it. The more people that do, the easier it will be to justify the decision. The more businesses that do it, the easier it will be for other businesses to do the same. Eventually, no major online retailer will do business without it.
It’s insanely important for people to resist this and to stay away from it. There are countless other reasons to not use it, but resisting it now is even more important as it’s become obvious that most people don’t think of the long-term ramifications of this decision and just say “Hey it makes it easier, and they say it’s safer, so why not?” The masses will gobble it up, and the people who are outliers will be stuck.
im not a high tech computer person, but the more i read out here the more convinced I am that this NSTIC is like a one on one tracking device. how do we resist it?
Weren’t the body scanners at the airports opt-in (e.g. you have the right to refuse?). I could easily see this going the same way…
“Sure you don’t have to have a national ID, but if you want to get on the internet you have to go down to the DMV, show 6 points of identification, obtain your temporary, & disposable passphrase, and then activate the 4 hour e-commerce access in the next 15 minutes…. Or you could opt-in.”
“A fine is a criminal sanction. A civil sanction, by contrast, is called a penalty. The term fine is sometimes used to describe a penalty, but the terms fine and penalty should be kept separate because the consequences are different: nonpayment of a criminal fine can result in incarceration, whereas nonpayment of a civil penalty cannot.”
I think you mean Civil Penalty , and not a Fine.
It’ll be hacked in 30 seconds and then the guberment will just spy on average citizens. FACT
It’s true. The Government already has the capacity to access any and all information about personal computer users. All this would do (and that’s not even for sure) is that accessing that data would become easier.
At the end of the day this is really more for the government to track my illegal activity’s and downloads.
You People dont have clue of what your talking about!! This is a great idea….. If the system is done properly it can resolve alot of problems. Taking into account my company owns the interlectual property for the application the presidents proposing. FYI we at perry security have the software to implement this system without failure.
People do speculate on almost everything that relates to Obama. And now here’s some speculation on the national ID! We all feel bad when government has access to all our info. Now that’s ridiculous.
Yes, thats what we all want to do. Poke in someone’s life. This is what we have done till now. Government is doing nothing but imitating us and giving us our own lessons.
Do I really need to tell that why government does all this? It is for our benefits and to stop any sort of bad things happening all around.
Safety is something we need to install in our lives. Government helps us in this way by scanning everything. It is its basic right.
How much more speculations and how many more news?
The only thing that Mr. Transparency wants is our personal lives to be transparent to the Government…Exactly what he criticized the Bush administration for…Oh, remember the Patriot Act that was so evil and to be abandoned? Well, not only did they keep it, they are going for this, Medical records, and much much more…kiss the “land of the free” farewell…that boat left on 10-1-2001.