Browse By

Obama Administration Seeks To Centralize Access To Online Accounts

The first sign that things aren’t right with the draft National Strategy for Trusted Identities in Cyberspace is that it’s being organized through the Department of Homeland Security. Who thought of trying to combine the concepts of “trusted” and “Homeland Security”?

The idea of the NSTIC is that the Internet isn’t trustworthy and secure, and so people need to have a means for engaging in online activities. So, there will be created an Identity Ecosystem which will allow just one login procedure to access a broad number of services ranging from email to bank accounts and health records.

Howard Schmidt, Cybersecurity Coordinator for President Obama, introduced the NSTIC last Friday, writing:

“The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.”

The Department of Homeland Security is accepting comments for the draft version of effort to centralize online information… but there’s a catch: You need to log in and create an account in their system before you can leave a comment.

Here’s the comment I would have left about the proposal, if it weren’t for the requirement to give Homeland Security my email address:

“Remembering different account information is a privilege, not a problem. It’s a security protection to individuals, both from hackers and from government surveillance, to have highly idiosyncratic, decentralized, personally improvised systems of multiple sources upon which online identity is founded.

‘Spoofed web sites’ are not ‘symptoms of an untrustworthy computing environment’. They’re manifestations of freedom of speech and freedom of the press.

It is a profound threat to our liberty to create any system, public or private, that threatens individual control of online identity. Let’s not forget that the government has already been caught grabbing huge online databases of information. If you want to talk about establishing trust, start with a plan to stop these unconstitutional seizures of Americans’ electronic ‘papers’. I worry less about fraud by private hackers than I do about electronic surveillance by Homeland Security.

The proposed system may, strictly speaking, be voluntary, but only in the sense that a driver’s license is voluntary. A driver’s license is now required for access to a huge number of places and services, and isn’t just about driving any more. Please, let’s work on methods to make individually-controlled, multiple and separate online identities more secure.”

4 thoughts on “Obama Administration Seeks To Centralize Access To Online Accounts”

  1. Jim says:

    I bet the government would love it if people had just one password for all their accounts. It would make tracking them oh-so much easier.

  2. Hendrix says:

    Right on. And I might add that from my experience developing programs, people absolutely will not secure their passwords. They will pick dictionary words; they will share them with others at the least excuse; they will reuse them on compromised or untrustworthy web sites (such as Facebook, ). I continue to develop programs “secured” by mere passwords under my boss’s direction, but I have no faith that they are secure. As it is commonly explained in secure systems literature — Access can be restricted by what you know, who you are, or what you have. Passwords and answers to verification questions (“what is your mother’s name?”) that go with them are what you know. Something from the “who you are, or what you have” categories such as finger / eye scan or a physical key would go a long way towards true security. But the devil is truly in the details. How do you make a physical key that can’t be copied, for example? However, if you had something like that the benefit would be that only 1 person could possess it at a time so it should be easier to notice if it has been compromised. Then you get to develop a system to revoke the compromised keys. Oh the joy…

  3. Mike S. says:

    think this might have a chilling effect? good lord.

  4. JASON B says:

    What in the world is going on people? (S.3480) and (S.773), the perfect citizen nonsense and now this whole Jazz about the NSTIC? This is the first time in my life I fear the future. PLEASE KEEP REPORTING ON THIS. The American people are so out of touch its terrifying.

Leave a Reply

Your email address will not be published. Required fields are marked *

Psst... what kind of person doesn't support pacifism?

Fight the Republican beast!