Friday, Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard Schmidt spoke at a Stanford Policy Institute conference regarding the development of the US’s proposed National Strategy for Trusted Identities in Cyberspace project. During the conference Schmidt confirmed that the US Commerce Department beat out the National Security Agency and the Department of Homeland Security to administer the initiative.
Schmidt claims that the program will be voluntary and will allow for anonymity; however, the exact format of the program is still in the drafting stages. He was sure to emphasize that he’s not talking about a National ID card. At least, not a mandatory one:
“We are not talking about a national ID card,” Locke said at the Stanford event. “We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”
However, it is clear from previously released documentation that the plan, if it is initiated, is to make moving on the internet as difficult as possible without a Trusted ID.
In May of 2009, when President Obama announced the creation of the White House Cybersecurity Coordinator position that Schmidt now holds, the “Cyberspace Policy Review” was released. The document outlined a ten-point near-term action list, with number ten being:
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.
What that seems to mean is best summed up by io9’s Annalee Newitz:
And here’s where my not-so-wild speculation about Facebook identities comes in. Many companies have turned to Facebook as an “identity management” system (including Gawker Media), allowing people to log into their services using their Facebook identity. The reason is simple: Most people only have one Facebook identity, and they stick with it. There’s a general notion that your Facebook identity is your authentic identity, or at least an identity that you keep over time, and that its characteristics can be traced back to who you are in real life. Therefore, having you log into every web service, from io9 comments to Digg to (possibly in the future) Paypal, is a way of managing your identities. Instead of having a separate identity for each of those services, you have one. Easy to manage, easy to trace.
Why shouldn’t Obama’s cyberczar just cut a deal with Facebook (and maybe a few other social networks like LinkedIn) and turn those profiles into your authentic identities? So you can send mail and buy things using your Facebook ID, and that’s how you’ll be tracked. Hey, you’re already on Facebook right? And you can set your profile to “private.” So it’s easy and “privacy enhancing.” (Never mind how easy it is to get around those privacy settings – pay no attention to that black hat behind the curtain.)
The scenario I’m describing is, in essence, how the Social Security Card became the twentieth century’s identity management system starting in the 1930s. These cards were not originally intended as ID cards, or as a way to authenticate your true identity. They were just a way to manage government assistance to those who needed it. But they became an ID card simply because everyone in the US had been issued one. When the government and businesses needed a way to track people’s identities, it became the easy choice. Showing your social security card meant that you couldn’t just come up with random new names for yourself every time you signed a form or took a job.
Though people in the US now think of the Social Security Card as the “obvious” form of ID, it took years for it to evolve from a simple social assistance card to an “identity management vision.”
This theory is borne out by some of the language in the current draft of the National Strategy for Trusted Identities in Cyberspace proposal:
This Strategy is a call to action that begins with the Federal Government continuing its role as a primary enabler, first adopter and key supporter of the envisioned Identity Ecosystem. The Federal Government must continually collaborate with the private sector, state, local, tribal, and international governments and provide the leadership and incentives necessary to make the Identity Ecosystem a reality. The private sector in turn is crucial to the execution of this Strategy. Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace. National success will require a concerted effort from all parties, as well as joint ownership and accountability for the activities identified.
The key terminology there is: “Individuals will realize the benefits associated with the Identity Ecosystem through the conduct of their daily online transactions in cyberspace.” In short: While it won’t be mandatory, expect to have to do more legwork to do business online. It is very much like using your Facebook account to log into other services on the net. It is simple, quick, convenient, and sometimes even security-enhancing. (My policy of only logging into Gawker sites with Facebook meant that my data was totally safe during the Great Gawker Password Leak of 2010.) The downside is that Facebook is now my point of contact with a lot of parts of the web and I’m still using their problematic service.
More from the proposal:
Voluntary participation is another critical element of this Strategy. Engaging in online transactions should be voluntary to both organizations and individuals. The Federal Government will not require organizations to adopt specific identity solutions or to provide online services, nor require individuals to obtain high-assurance digital credentials if they do not want to engage in high risk online transactions with the government or otherwise. The Identity Ecosystem should encompass a range of transactions from anonymous to high assurance. Thus, the Identity Ecosystem should allow an individual to select the credential he or she deems most appropriate for the transaction, provided the credential meets the risk requirements of the relying party.
So you’d only need Trusted credentials if the places you’re interacting with require them – and, since there’s money in it for them, many private-sector entities will gladly comply. Sure, you can still post here or 4chan or wherever with an anonymous ID, but if you want to do business with iTunes, PayPal, eBay or move goods and services via the net, you’ll need a Trusted ID. You’ll likely see a stratification with social services as well, with TwitterTrusted and FacebookTrusted accounts having their content prioritized over non-Trusted or anonymous users. In addition, on Friday, Google announced it was testing email authentication with its Google Apps business clients. Imagine not being able to send email that would make it past the spam filter if it wasn’t from a GoogleTrusted account.
One thing is clear from reading the supporting documentation: the US Government itself will not be the one managing and implementing this program. The plan is to create guidelines regarding what a Trusted Identity means and how it works and then have that system rolled out and implemented by private-sector partners. In essence, it’s not the government controlling your identity on the internet, it’s the government selling your identity to corporations so they can control it. Which, honestly, I think might be an even more frightening prospect.
There is a lot of information out there on this initiative; I encourage you to check it out for yourselves.
[Grinding: The Grim Facebook Future]
[The Cyberspace Policy Review (pdf)]