Aug 07 2010

Public says “No” to national cyberspace ID proposal

In June, the Department of Homeland Security and the President’s Cybersecurity Coordinator published a proposal and request for comments on a for a “National Strategy for Trusted Identities in Cyberspace” (NSTIC).

It’s hard to belive that such a system implemented from the top down at the behest of DHS and the White House would remain, as its proponents claim it would be, truly “voluntary”.

In practice, it will be required for online interactions with government agencies as well as private compnaies, rendering it “voluntary” the way it’s “voluntary” to show ID to travel: you don’t have have government ID credentials as long as you are prepared to walk (or walk on water or paddle a sea kayak if you want to get between, say, Hawaii and the U.S. mainland).

Although the official public comment period lasted only 30 days, many others have pointed out key problems with the NSIC concept. The NSTIC proposal places no value on anonymity; indeed, it evinces an apparent lack of understanding of what anonymity really means. It takes for granted the need for authentication (if we pay in cash, why does a merchant, much less a common carrier or government agency, need to know anything about us other than that our money isn’t counterfeit?) and confuses a policy that purportedly restricts disclosure  of our identity with actual non-knowledge of our identity.  The former protects us from those who comply with their own policies, while the latter protects us from bad actors as well.  But in reality, many of the threats to our freedom come from those who can’t be counted on not to cross the boundaries of privacy “policy”, including those within governments. Actual anonymity, non-linkability of transactions and identities, and the ability of the system (and our anonymity) to survive capture of the “identity provider” and/or the government by malign interests should be key design criteria, but weren’t even considered.

The question now is what the White House and DHS will do with the response to their request for public comment on the NSTIC draft. In the online forum where the public could submit and vote on feedback and ideas for NSTIC, the single most popular suggestion was an anonymous one (no, we didn’t submit it, and we don’t know who did), “Decentralize further, don’t centralize”:

A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure. Once that identity has been compromised – which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain – an individual’s entire life will be open for hijacking…. This effort will be counterproductive at best and has the potential to cause problems that are orders of magnitude worse than current identity theft issues. And this is before even considering aspects that potentially compromise privacy, anonymous speech, free access to the devices that an individual has purchased, etc.

Instead of attempting to centralize identity, simply ensuring that current best practices are followed would vastly improve online security. Making authentication services responsible for all outcomes of a data theft would be a good first step, as well as outlawing EULA language that forfeits a user’s ability to hold such services responsible for technology failure that result in theft, downtime, and data loss. Providing incentives such as these, combined with increased enforcement, will force corporations large and small to work toward increasing security. There should also be an enforced decoupling of identity data; if one of a user’s accounts is compromised, it should not contain personal identity information like SSNs which would allow another of the user’s accounts to be compromised. Web-based authentication has no need to have access to such information and it should be kept in separate, firewall-divided databases as a matter of law, not just habit.

There was more in this vein from other commenters, such as this on “Multiple roles, multiple identities”:

I play many roles in life. Some associated with my work, some associated with a sports league, others associated with my hobbies. If I can easily get several identities, I can use a different one for each role that I play and the issue of a national identity becomes less of a problem. I don’t have to worry about my employer having a problem with views I have shared as an individual person.

There were also numerous calls for a lengthier public comment period and more explanation of the details of any plan before it is adopted.

We urge the White House and DHS to heed the public comments on the NSTIC draft and scrap this scheme for a single, centralized scheme for de facto mandatory online credentialing and identification.