Why Obama’s National Internet ID Solution is a Really, REALLY Bad Idea
Join in on the Facebook Discussion on this topic.
When it comes to the Internet, the US government usually doesn’t have a clue. That seems to be the case with the recent announcement of the Obama Administration’s plans to develop an internet identity system that officials claim will reduce fraud and identity theft while streamlining online transactions.
Cut to the chase: the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a bad idea. On the surface having something that will increase online transactions and reduce identity theft makes (some) sense. Security is the #1 reason that people avoid online transactions and in an age that is continuously going more and more digital, it would appear prudent to take steps towards improving security.
This step is not a prudent one. It will lead us down the wrong path for several reasons.
How Do You Spell Disaster? S-I-N-G-L-E-P-O-I-N-T
A skeleton key is “a key or similar object capable of opening any lock regardless of make or type.” In its most basic form, this is what the Obama Administration is proposing. Rather than have different passwords and email validations to access the various places we surf, NSTIC will be a single point of entry for online interactions and transactions that consumers and businesses can use to engage.
This should terrify the tech-savvy crowd.
Having a single-point of entry into many websites is already available in several forms, most prominently through Facebook. Many have accepted it because there is only privacy at stake – we aren’t making purchases or attaching financial information to Facebook (even though there is a looming Facebook eCommerce potential, but that’s a different story).
Allowing access to our financial credentials and buying power through a single interface is ludicrous. eCommerce fraud is bad as it is and this solution is only an opportunity to empower the nefarious types to have more access in one tightly-wrapped package called NSTIC.
Stay Out of My Interwebbing Activities
“This is going to cause a huge shift in consumer use of the Internet,” said John Clippinger, co-director of the Law Lab at Harvard’s Berkman Center for Internet and Society in Cambridge, Massachusetts. “There’s going to be a huge bump and a huge increase in the amount and kind of data retailers are going to have.”
Exactly.
There’s a reason that companies such as Google and Paypal support this. It’s an opportunity to centralize and collect the most important asset on the Internet: data. There will be assurances that this piece of data or that piece of data will not be shared, but “sharing” is an ambiguous term. Necessity will kick in.
By necessity, I mean that there will be increasing “needs” by businesses and government agencies to peek in on what we are doing. If you think that this is a false statement, you are naive. It will happen. It will start under the guise of necessary adjustments to the law in the name of “consumer protection” or “homeland security” and will expand from there. I could write an entire piece about why this is the general trend on anything that pertains to our online privacy rights, but suffice to say that when you have a data-collection venue that data will be used by multiple entities regardless of the safeguards put in place up front.
A False Sense of Security
Diligence is often fueled by paranoia. A healthy dose of paranoia goes a long way towards maintaining proper personal online security. NSTIC will erase the paranoia for many and, as intended, bring more people into the online-transaction fold.
When it comes to financial security, anything that makes people trust a service is potentially a bad thing. It is in most people’s nature to relax about a particular subject when we feel secure that we are protected. By stamping it with the US Commerce Department’s seal of approval, many will trust it.
They will trust it too much.
Constant diligence protects millions of Americans from falling victim to online scams and financial security breaches. Anything that puts people too much at ease will be exploited, as is the case with a National Internet ID.
Who Are Smarter? Hackers or The US Government?
The most intelligent aspect of this solution is that they do not plan on having a centralized database. The government will rely on several service providers to house the data in the most secure fashion imaginable.
And yet, I’m still terrified.
The only reason that financial institutions have not been widely hacked for their data in the past is because it is generally worthless. The “buying power” is not there and money transfers are specifically geared to require multiple-points of approval. It would require a very organized and large-scale operation to form a true financial institution hack that could produce results, and those results would likely be short-lived.
This is different.
By its very nature, this is a streamlining initiative. Anything that is made to simplify our actions is open to manipulation. Hackers today who examine the way transactions happen online naturally go towards the easiest point of access which is currently directly through consumers. NSTIC may change that. By “may” I mean there is a chance the government will understand this before launch and add the appropriate safeguards. If they do, they would limit the effectiveness of the product by making it challenging for businesses and consumers to interact.
They “may” do it the secure way, which would make hacking into the service providers worthless. Chances are slim, however, as the goal here is to make things easier for online transactions to take place.
The Big Brother Factor
“We are not talking about a national ID card. We are not talking about a government-controlled system,” United State Commerce Secretary Gary Locke said on Jan. 7.
The first thing that comes to mind (and should come to your mind) when hearing these words is, “Yet.”
This is a very dangerous step towards increasing the power and reach of the government into our pocketbooks. Until the details of the plan are released this is just a conspiracy-theory-laden section of paranoia without substance, but any time the government gets involved with anything pertaining to the Internet, the alarm bells ring in the back of my CPU.
I knew he was a commie, freaking Obama. But it doesn’t come as a shock as I suspected Obama of being the anti-christ
Sounds like something the anti-christ or his puppet would institute. All kidding aside it sounds worse than what Orwell imagined
>When it comes to the Internet, the US government usually doesn’t have a clue.
According to who? With all due respect, for all its incompetencies and bureaucracy, the US Government and its various agencies and contracted efforts have repeatedly lead the world in science in engineering, to include having created the internet to begin with.
You make some legitimate points, but demand for responsible commerce and behavior dictates the need for some authentication mechanisms. This has been predicted as inevitable by computer scientists for decades.
There are plenty of quite legitimate concerns; you’ve cited many. Ultimately I don’t think an ID system need be entirely pervasive – information remains free and anonymous to the extent that certain publishers (anyone, really) choose to publish it that way. In cases where it makes sense to verify an identity (which is already the case to conduct business/commerce), it makes *more* sense from a consumer’s perspective to have one standard that is deemed “as reliable as possible” even if that’s a fallacy (even yet, one unreliable standard is better than a dozen unreliable standards).
The federal government didn’t actually do most of the work to create the Internet. Most of it was done by university and corporate lab researchers working under federal grants. The Department of Defense has always outsourced most of that work to skilled talent outside the federal government because that’s cheaper than running the equivalent of a UC Berkeley, MIT or Bell Labs in house.
More practically, though, the problem here is not engineering, it’s bureaucracy. The federal government does not have the institutional flexibility to operate a system like this. If you want a comparison, look at the Google identity system and Facebook Connect. The federal government doesn’t have the kind of payroll, personnel and property flexibility needed to hire the right minds, let them operate in the environment they need and “just get the job done” with regard to procurement.
If you look at most large federal information systems worked on in the last decade or so, they’re terrible failures compared to the private sector for those reasons.
JD,
I have a few points of contention to your article. In my mind, the single point of access is not an issue for 90% of internet consumers. I think it’s naive to think that the majority of consumers are using different passwords for all of their financial accounts (bank, PayPal, sites with stored CC#, etc) today. Those people already suffer from a single point of access. As for the tech savvy crowd? So long as the government does not _require_ the use of their internet id system, then it won’t change the way we do things.
Further, while having a single interface to financial data increases the risk of breach, it also increases the accountability of transactions. This, if done correctly, could streamline enforcement actions against hackers/scammers/etc.
Also, I’d have to imagine that in order for an institution (eCommerce site, bank, etc) to connect to the requisite national id API, there would be some vetting process, and a set of standards to which the institution would be held (e.g. levels of encryption, allowable stored user data, security and auditing). As it stands today, fear of lawsuits and bad press is the only thing keeping eCommerce companies “honest”.
Finally, the “big brother” factor already exists. The IRS can demand full disclosure of our financial transactions at any time they please. The credit reporting agencies have access to every one of our account numbers and account histories. Our information is already in the hands of juggernauts like PayPal and Bank of America. I don’t think that “big brother” knowing our username and password provides a significantly higher level of intrusion.
I’d like to close by saying again that my remarks are in regard to the use of the internet by neophytes, and not the tech savvy sort. Those are the people that really do need help securing their identity on the internet. It comes down to this question: Who do you trust more to protect them? A hodge-podge of blindly entrusted corporations, or the US Government. (And no, I’m not happy with either answer).
…and they plan to let people use this type of security on Windows?
Good, thoughtful points about the very real risks … and yet, the benefits of a secure online identity are real, too, so we need to do something to make that secure identity feasible for all. We already know that most people simply will *not* maintain their security in the current environment, and maintaining (or raising) fear levels will shut more people out of the online world. (And, as a side issue, ponder which people will self-select out and how that discriminatory result affects our cultures both on and off line.)
It feels to me like a common government policing role, and so it comes with the normal government over-reach/misuse risks, and should be constrained by the normal legal protections. (IMO we in the USA need much stronger laws in re privacy protections, but that’s not your subject here, is it?)
It is simply a bad idea.
This initiative, if it somehow comes to fruition, is by its own nature a danger. Claiming that this will somehow increase security for those that already do not care is foolish (read the false sense of security part). All this does is off load blame for wrong doing away from end-users and service providers.
Don”t even think for a minute that the government wouldn’t become culpable for security and access issues in the eyes of the non-tech savvy.
Oh and corporations have a hard enough time with data leaks already. Plus, the government is atrocious in its record of IT projects. For reference, research the Bush administration trying to upgrade its internal e-mail service at the White House or perhaps the current issues regarding the near collapse of the information systems responsible for Social Security.