Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I'm very much in favour of the private sector providing multiple identities into a framework that it used by the public sector and vice versa. I'm in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn't matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that's in the use of pseudonyms, which I think should be the norm rather than the exception.
People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.[From Digital Identity: USTIC]
James Van Dyke, when discussing NSTIC (which seems have become known unofficially as "Obama's Internet Identity System") warned about
Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.[From Obama’s Internet Identity System: Could This Change Everything? - Javelin Strategy & Research Blog]
I don't think the danger is the crazies -- although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman -- but the journalists, politicians, commentators and observers who don't really understand the rather complex topic of digital identity. Or, as "Identity Woman" Kailya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:
I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative[From National! Identity! Cyberspace!: Why we shouldn't freak out about NSTIC. | Fast Company]
She's bang on with this. Here's a couple of typical examples from the blogosphere:
CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.[From Internet Anonymity: Obama Pushes for an American Internet ID]
President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up -- Engadget]
As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with "privacy laws" and the idea that it will require Americans to have an "Internet ID" is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:
The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,[From Internet Identity System Said Readied by Obama Administration - BusinessWeek]
What this means is not that Americans will get an "Internet Driver's License" but that they will be able to log in to their bank, the Veteran's Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.
[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. "I don't have to get a credential, if I don't want to," he said.[From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. - CNET News]
As long as it's a matter of choice, I really don't see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it's up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).
If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they're perfectly entitled to, but I don't understand why they are convinced it will come from the government in general or Obama in particular - there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.
Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It's easy to implement Facebook Login, simply by adding few lines of code to a web server. Once that change is made, the site's users will see a "Connect with Facebook" button. If they're already logged into Facebook (having recently visited the site), they can just click on it and they're in. If they haven't logged in recently, they are prompted for their Facebook user name and password.[From Facebook Wants to Supply Your Internet Driver's License - Technology Review]
Now, at the moment Facebook Connect just uses a password, so it's no more secure than banks or government agencies, but it could move to a 2FA implementation implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn't happened: I can't use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that's another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.
An interesting side benefit for website operators is that Facebook Login provides the site with users' real names (in most cases) and optionally a variety of other information, such as the users' "friends" and "likes."[From Facebook Wants to Supply Your Internet Driver's License - Technology Review]
Which is, of course, why I don't use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by "blinding" the passport to prevent service providers from tracking the identity across web sites Facebook could significantly improve both convenience and privacy for the average users.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]