Tuesday, December 20, 2011

Who do you trust? A year-end evaluation of the White House plan for online identity management

Discussion of a key White House initiative on online identity is now settling into fine tuning. The National Strategy for Trusted Identities in Cyberspace (NSTIC), a big idea launched in January 2011, recently received $16.5 million in US funding. The plan would continue partner development with NGOs and the articulation of standards for an "identity ecosystem" for users online. Two premises behind this ecosystem are that password security is obsolete and that a network of identity authorities is needed to prove who you are online.
Several agencies are engaged in articulating the ecosystem, to name a few: the US Dept. of Commerce, the National Institute of Standards & Technology (NIST), and the US Dept. of Homeland Security. Plans to standardise identity online will be largely left to a NIST-led working group of privacy advocates, Internet businesses, and government authorities who opt in to the US-developed credentialling system. The boundaries of legal jurisdiction and foreign policy over online identity are still being worked out.
One model comes from the Kantara Initiative, an identity-standards consortium with an international board, which has recommended NSTIC solutions for every government system that issues identity products. One instance is online accreditation of the EBT cards that social security recipients use for ATM transactions and e-banking.
Trust & Responsibility
One might naturally look to the most invested stakeholder, the United States government, to assume the lion’s share of the responsibility for the trustworthiness and interoperability of such a monumental effort.  Unfortunately, this is where the responsibilities bead up and roll around into disparate balls of mercurial accountability amid Internet NGOs and government partners. 
Verizon Inc. became the first telecom industry partner to complete Level 3 certification for its mobile platforms. Facebook and Google have been included in systems credentialled for Level 1 use, which amounts to little more than a password. The levels matter: Level 1 asserts nothing about who is behind the account, while Level 3 requires identity proofing and multi-factor authentication before a credential is issued. While these businesses certainly have large user bases, how trustworthy are they with consumer privacy, and why should we trust them as authorities for anything more than a password?
Facebook, one of the most zealous online institutions against anonymity, made a beta concession to take US driver's license information as proof that you are not a dog online. They are also the recent recipients of an FTC consent order requiring regular privacy audits. The penalty for future failures to safeguard consumer data privacy is up to $16,000 per violation. Facebook, whose doors are still open for business, is collecting as much personal information as users will give it. If the government gives Facebook universal accreditation status, all the better for them.
Facebook, Verizon and Google are top-tier industry candidates for OpenID credential adoption. They are also front-and-center players in big-data exchanges with the United States government. Like many digital companies, they also maintain a reputation for folding to invasive government inquiries into user profiles.
A Question of Uniform Identity 
How about the less controversial and more pragmatic government base users, like DoD PX smart card holders, electronic Medicaid files, or inter-agency user verification? FICAM, a separate program authorised in 2009 and meant to be distinct from NSTIC, operates on a conspicuously similar framework for government use only. Some NSTIC critics have cited duplication of effort in applying FICAM's gummy bureaucratic standards to civilian electronic transactions.
Ahh, yet the brilliance of innovation and the longevity of data are a seductive cocktail for the technocrat. How complicated it becomes when you mix in NIST's newly standardised biometrics: DNA, iris scans, facial recognition and footprints. In an AAMVA-foreseeable future, driver's licenses (1) may become a comprehensive identity file containing these items plus a neat integrated circuit for "interoperable" and "mandatory use" by travel administrators.
The most alarming aspect of the NSTIC ecosystem is the creation of a federal online identity authority with a direct path to the US Dept. of Homeland Security. Pre-criminal oversight sweeps of every identifiable person using the Internet in the United States might be left to their broom. It is no longer so far-fetched to speculate that DHS would muddle the escalation of an anonymous online transaction into questionable cybercrime-as-cyberterror.
That's when you might hear the "News at 11" scenario of a Tennessee man detained for uploading pictures of his old band uniform, mistaken for signature gear used by a violent militia. Interviews would feature a confident police authority citing the ability to "absolutely verify beyond a shadow of a doubt who it was that uploaded that uniform."
Until then, there is an eagerly awaited, trustworthy beta online identity credential which will prove you are not a terrorist in 2012. If you're still on the fence, you can always look in on an early adopter of this type of system: China.

Online businesses in China already following this real-name authentication path require a national ID card coupled with a real-name submission to gain admittance to dating websites and microblogging services. Chinese tech analysts report an estimated 60-80% drop in user account activity.

SOURCES: (1) http://bit.ly/vGAycl, pp. 22-23, 111-112
