The first sign that things aren’t right with the draft National Strategy for Trusted Identities in Cyberspace is that it’s being organized through the Department of Homeland Security. Who thought of trying to combine the concepts of “trusted” and “Homeland Security”?
The idea of the NSTIC is that the Internet isn’t trustworthy and secure, and so people need to have a means for engaging in online activities. So, there will be created an Identity Ecosystem which will allow just one login procedure to access a broad number of services ranging from email to bank accounts and health records.
Howard Schmidt, Cybersecurity Coordinator for President Obama, introduced the NSTIC last Friday, writing:
“The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.”
The Department of Homeland Security is accepting comments for the draft version of effort to centralize online information… but there’s a catch: You need to log in and create an account in their system before you can leave a comment.
Here’s the comment I would have left about the proposal, if it weren’t for the requirement to give Homeland Security my email address:
“Remembering different account information is a privilege, not a problem. It’s a security protection to individuals, both from hackers and from government surveillance, to have highly idiosyncratic, decentralized, personally improvised systems of multiple sources upon which online identity is founded.
‘Spoofed web sites’ are not ‘symptoms of an untrustworthy computing environment’. They’re manifestations of freedom of speech and freedom of the press.
It is a profound threat to our liberty to create any system, public or private, that threatens individual control of online identity. Let’s not forget that the government has already been caught grabbing huge online databases of information. If you want to talk about establishing trust, start with a plan to stop these unconstitutional seizures of Americans’ electronic ‘papers’. I worry less about fraud by private hackers than I do about electronic surveillance by Homeland Security.
The proposed system may, strictly speaking, be voluntary, but only in the sense that a driver’s license is voluntary. A driver’s license is now required for access to a huge number of places and services, and isn’t just about driving any more. Please, let’s work on methods to make individually-controlled, multiple and separate online identities more secure.”