Obama administration officials spoke today about the "National Strategies for Trusted Identities in Cyberspace." The NSTIC ("N-Stick") proposal, which was released in draft form last June, proposes the creation of an online identity "ecosystem," which the report defines as "an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities."
White House Cybersecurity Coordinator Howard A. Schmidt and U.S. Commerce Secretary Gary Locke appeared in Silicon Valley to deliver the message that, as Schmidt put it, "we need the private sector to lead the implementation of this." Locke said that President Obama would be approving a final version of the NSTIC scheme within a few months.
What are we to make of this effort? Several points.
- First, the administration in its draft proposal certainly says all the right things about privacy. Unfortunately, privacy advocates have learned over the years just what that is worth: soothing promises often don't translate into action. The administration's draft talks about the need to limit collection of information "to the minimum information necessary" and "limit retention of data to the period [of time] necessary." Those kinds of policies would need to be rigorously included in this system if it were adopted. But we need to see what is actually proposed — we still don't have enough details.
- Second, protecting privacy and the right to anonymous speech online is paramount. While there are certainly many security problems on the Internet, the world is getting along fine without an online identity "ecosystem," and nothing should be considered that threatens these values. Certainly anything that resembles a national identity system or a "driver's license for the Internet" must be vehemently opposed.
- Third, having an electronic identity system that can assure a person's identity would unquestionably create new possibilities for online transactions that are not now practical, and in some circumstances could help to protect people's privacy. For example, the system could allow the IRS to give you direct online access to your tax returns, which isn't possible now because they can't be sure you are you.
- Fourth, there are amazing new cryptographic/mathematical possibilities that have been invented or discovered in recent years. Techniques have been developed for "unlinkable credentials" that allow individuals to prove things about themselves while protecting their privacy. For example, these techniques allow users to prove they possess some quality, status or right without revealing their identity, in a way that cannot be spoofed. For example, you could prove that you have a library card, or are over 21, or are a resident of Pittsburgh, without revealing your identity.
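As an added illustration (not code from the original post) of the kind of "unlinkable credential" the fourth point describes, the following toy uses a Chaum-style RSA blind signature: an issuer that has checked a user is over 21 signs a value it cannot read, the user unblinds the signature, and a verifier later confirms "over 21" without being able to tie the presentation back to anything the issuer recorded. The hard-coded modulus (two Mersenne primes), the use of SHA-256 and the plain `attribute:nonce` token format are assumptions made for the demo; the key is far too small for real use, and deployed anonymous-credential systems use stronger constructions than this sketch.

```python
"""Toy unlinkable credential via Chaum-style RSA blind signatures (added example).

Assumptions (not from the original post): a small hard-coded RSA key built
from two Mersenne primes, SHA-256 as the message hash, and a token of the
form b"attribute:nonce". Toy parameters only.
"""
import hashlib
import math
import secrets

# Toy issuer key: product of two Mersenne primes (about 234 bits, demo only).
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python >= 3.8)


def h(msg):
    """Hash a token to an integer in the RSA group (toy full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def user_blind(attribute):
    """User side: mint a fresh token and hide its hash behind a random factor r.

    Returns (token, r, blinded). Only `blinded` is sent to the issuer.
    """
    token = f"{attribute}:{secrets.token_hex(16)}".encode()
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (h(token) * pow(r, E, N)) % N
    return token, r, blinded


def issuer_sign_blinded(blinded, user_is_over_21):
    """Issuer side (e.g. a motor-vehicle office): verify the attribute out of band,
    then sign the blinded value. It never sees the token itself."""
    if not user_is_over_21:
        raise PermissionError("attribute not verified; no credential issued")
    return pow(blinded, D, N)


def user_unblind(blind_sig, r):
    """Strip the blinding factor: (h(t) * r^e)^d * r^-1 == h(t)^d mod N."""
    return (blind_sig * pow(r, -1, N)) % N


def verifier_check(token, sig, attribute):
    """Relying party: the token claims `attribute` and carries a valid issuer signature.
    Nothing here identifies the user; only the attribute and the nonce are revealed."""
    claims = token.startswith(f"{attribute}:".encode())
    return claims and pow(sig, E, N) == h(token)


def issue_credential(attribute, issuer_log, user_is_over_21=True):
    """Full issuance run. `issuer_log` records everything the issuer ever saw."""
    token, r, blinded = user_blind(attribute)
    issuer_log.append(blinded)
    sig = user_unblind(issuer_sign_blinded(blinded, user_is_over_21), r)
    return token, sig


def issuer_can_link(issuer_log, token):
    """Could the issuer match a presented token to its records?
    Its log holds only blinded values, which are independent of h(token)."""
    return h(token) in issuer_log


if __name__ == "__main__":
    log = []
    token, sig = issue_credential("over21", log)
    print("verifier accepts:", verifier_check(token, sig, "over21"))
    print("issuer can link presentation to issuance:", issuer_can_link(log, token))
```

The property the post cares about is in the last two functions: the verifier learns only "over 21" plus a signature, and the issuer's own records contain nothing that matches what the verifier sees, so the two events cannot be joined even if the issuer and verifier collude. A forged token, or a token issued for a different attribute, fails `verifier_check`.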
In short, it's possible that if all the stars lined up perfectly, this "online identity ecosystem" could be a good thing.
Unfortunately, there are too many reasons to doubt that all the stars will line up perfectly.
First and foremost, security agendas are likely to take over as this concept gets implemented:
- This proposal has been primarily presented as and discussed in the terms of a security measure, not as an instrument of commerce. That's how it was presented at Stanford today. And of course, the plan was produced by the cybersecurity czar, not the government's chief information officer or chief technology officer or the Department of Commerce. Security agendas are the big driver of this initiative.
- In the cybersecurity space, there has been a lot of talk of creating a "driver's license for the Internet" — a terrible idea that would eviscerate privacy and anonymity online. Indeed some commentators believe that forensics — the ability to trace and figure out what happened after a cyber-attack — is a key understated goal of this initiative. But the ability to figure out who has done something bad after the fact is the same online as it is offline — it can only be assured if everyone is tracked, all of the time, and that is not an acceptable tradeoff in a free society.
- Unfortunately this is an administration that so far has catered to the interests of the national security establishment on issue after issue (for the sad details see our report "Establishing a New Normal"). Despite all the nice talk about protecting privacy, what will remain once the administrative sausage-making is done? If privacy protections conflict with perceived security needs, it is not hard to figure what will win out.
- The White House's draft proposal did not explicitly include "unlinkable credentials" and other rigorous privacy-protecting techniques that are simply a must if this system is to be at all acceptable.
The involvement of the private sector in this non-centralized or "federated" identity scheme is of course preferable to a direct, centralized government-run identity system. That kind of a system would be a non-starter. But we would also have questions about what the private sector will do with this system. The interests and values of large companies tend to push toward stability, security and predictability — not toward the raucous freedom that online privacy and anonymity make possible. Once a standard is in place, will people have to start identifying themselves everywhere online — even when it's totally unnecessary? This has happened all too often in the offline world. It could be driven by the need for legal due diligence (we need to know you're over 18 or we can't market to you and our lawyers say if we don't use this system we could be liable; we need to track you in case you later turn out to be a hacker) and the opportunity to collect reliable personal data for online advertising and other purposes.
The administration is highlighting the fact that this scheme would be "voluntary" — but in a networked world, such voluntariness would quickly become illusory. It's supposedly voluntary to get a credit card or driver's license, but try participating fully in society without one.
A few other key questions:
- Will this be effective? Some security experts such as Columbia's Steve Bellovin have argued that a federated identity system would be of dubious effectiveness in increasing cybersecurity. As he argues, most security problems are a result of hackers taking advantage of buggy code, not authentication problems. In addition, the use of encryption has not stopped attacks; there is plenty of malware already that is abusing strong authentication mechanisms.
- Can the government make this happen? An entire "identity community" has been discussing the problems of online identity and authorization for many years, yet broad adoption of any new mechanisms has not happened, and despite years of condemnation by security experts, the simple username and password remains the authorization and identity mechanism used the vast majority of the time. It's possible that this reality reflects an accurate ongoing cost/benefit calculation in that the vast majority of the time this simple, cheap and easy mechanism fits our needs. In fact, several private-sector efforts to set up federated ID schemes have failed. Problems of collective action are appropriate for government action, but all this does raise the question of whether the government can succeed where the private sector has failed.
- What will it cost? It tends to cost between $75 and $100 to get a well-proofed identity offline such as a passport or driver's license, and much of that cost is handling the paperwork and verifying the "breeder" documents, which might come into play for a secure electronic ID as well, making it expensive.
What would we support? We would support a system that empowers individuals, not large companies and government security agencies. That means a system that does not create records of individuals' activities online, and does not force them to reveal their identity significantly more often than they do now. It would be a system that uses advanced encryption techniques to expand the freedom and possibilities of what individuals can do online — not to track and control them.
Unless the Obama administration comes out with a detailed proposal for an identity scheme that does these things in ways that are hard-wired into the system, and can convince us that its protections won't fall by the wayside at any point, this scheme appears to be a sweeping, utopian intervention in the Internet driven by anti-freedom security agendas that promises to do more harm than good.
Looking far back in time to the Indus Valley civilization we see that they figured out how to create a strong economic benefit from standardization of measurements, and fair trading practices. Around the Magna Carta, the same concepts were applied, but also with the benefit of political rights that furthered the concept of reciprocity and economic growth.
This then is the winning formula. A diverse, virtual and dynamic network of "we the people" forming a more perfect union based on individual choices, without a burden on a limited and divided U.S. government, which can fairly represent our interests, but is not the fundamental chord and chorus of power, freedom and liberty.
NSTIC is a unique opportunity to embed civil liberties into the technological design. I say don't wait for a further announcement to do this integration and react to some unknown. Help build it. Leadership from the privacy and rights community to apply lessons learned regarding immutable rights will provide persistence to what would otherwise be subject to change in a purely commercial approach that might fail economically without support. No national privacy policy? Make it so. A calculated system of mistrust can be made that is operational, and embed what should be limited, and what should not be restrained, so that trust can emerge.
The draft builds on an ongoing and substantial effort out of the Federal CIO Council called Identity, Credential and Access Management (http://www.idmanagement.gov/drilldown.cfm?action=icam), which is a cross-government effort chaired by the CIO. NSTIC is being led by NIST and, in a good decision, lands in the Department of Commerce. If you look at the NSTIC site put up by Commerce you see multiple agencies' badges and all have input. My guess is that this has an equal basis in economics.
> In the cybersecurity space, there has been a lot of talk of creating a "driver's license for the Internet" — a terrible idea that would eviscerate privacy and anonymity online.
Actually, anonymity is a key tool in any security architecture. And most of the lower assurance levels will continue to use identifiers as opposed to identities in much the same way things are done today. Identity is a confusing term, and internet identity is very different from personal identity.
> The White House's draft proposal did not explicitly include "unlinkable credentials"
What did it explicitly include? The idea of unlinkability is well appreciated and well received. There are techniques currently used that are one-way and by nature unlinkable, and nothing in the statements to date indicates a reason to think they will be ruled out.
If we look closely, we'll see that nothing like this has been done before. "Federated Identity" has banks, cell phone companies, universities, government agencies and so on act in the open as "Identity Providers", something these institutions have never done before outside their own closed business contexts.
Under NSTIC, an IdP will have to warrant that the "identities" it issues are good for transactions over which it has no control. To give effect to federated management will require elaborate legislation, new contracts with Id Providers and a re-write of every extant contract with Service Providers.
See http://lockstep.com.au/blog/2011/01/12/take-care-on-nstic
Many people like to say identity management is not a "technology issue". They're both right and wrong. On the one hand, the biggest challenges in NSTIC are certainly not technological; rather, they relate to risk allocation in a weird and wonderful new matrix which changes the legal fundamentals of how we do business.
On the other hand, the pressing problems of digital identity theft and fraud really are straightforward technological problems! Widespread adoption of smartcards and similar personal authentication devices for Internet transactions could wipe out most ID theft overnight.
"One Ring to Rule Them All" sounds terrific and convenient ... unless you lose the One Ring in a deep pool of water or have your hand chopped off during a swordfight while wearing it. Just ask Sauron ...
Ironically, I think that the most-secure arrangement is the one that we have: temporal identities, not all associated with one another and unable to be so-associated. A ring of keys, all different, not one master-key that unlocks everything.
Every sword has two edges. Every benefit is also a weakness. And, every weakness is also a benefit.