Discussion Starter · #1 ·
The Obama administration said today that it's moving ahead with a plan for broad adoption of Internet IDs despite concerns about identity centralization, and hopes to fund pilot projects next year.

At an event hosted by the U.S. Chamber of Commerce in Washington, D.C., administration officials downplayed privacy and civil liberties concerns about their proposal, which they said would be led by the private sector and not be required for Americans who use the Internet.

There's "no reliable way to verify identity online" at the moment, Commerce Secretary Gary Locke said, citing the rising tide of security threats including malware and identity theft that have grown increasingly prevalent over the last few years. "Passwords just won't cut it here."

A 55-page document (PDF) released by the White House today adds a few more details to the proposal, which still remains mostly hazy and inchoate.

It offers examples of what the White House views as an "identity ecosystem," including obtaining a digital ID from an Internet service provider that could be used to view your personal health information, or obtaining an ID linked to your cell phone that would let you log into to view payments and file taxes. The idea is to have multiple identity providers that are part of the same system.

Administration officials plan to convene a series of workshops between June and September of this year that would bring together companies and advocacy groups and move closer to an actual specification for what's being called the National Strategy for Trusted Identities in Cyberspace, or NSTIC.

Left unsaid was that the series of workshops, which will be open to the public, will give the proposal's backers a chance to downplay concerns that it could become the virtual equivalent of a national ID card.

During his speech, Locke lashed out at the "conspiracy theory set" who have criticized the proposal. A column in, for instance, called NSTIC a "great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness."

"A top-down strategy for online identity is unlikely to work," Jim Harper, director of information studies at the Cato Institute, said today. "People will not participate in a government-corporate identity project that deviates from their demand for control of identity information, which is an essential part of privacy protection, autonomy, and liberty."

The Commerce Department's National Telecommunications and Information Administration created a YouTube video to reassure Americans that "there is no central database tracking your actions." An FAQ repeats the message. It's enlisted allies to spread the message, including the Center for Democracy and Technology's Leslie Harris, who wrote in a post on that NSTIC is "not a national ID," but instead represents "a call for leadership and innovation from private companies."

One intriguing feature of today's description of NSTIC released by the White House is that it appears to build on a joint Microsoft-IBM project they're calling Attribute-Based Credentials. (See CNET's previous coverage.)

The idea is to use encryption technology to enable people to disclose less about themselves--ideally, the minimum necessary to complete a transaction. The NSTIC document gives the example of someone filling a medical prescription online: "The pharmacy is not told (his) birth date or the reason for the prescription. The technology also filters information so that the attribute providers---the authoritative sources of the age and prescription information---do not know what pharmacy (is being used)."

The idea of using encryption technology to let people disclose less about themselves isn't exactly new. The legendary cryptographer David Chaum, the father of digital cash who's now building secure electronic voting systems, developed some of these ideas in the late 1980s. Dutch cryptographer Stefan Brands more fully developed the concept of limited disclosure digital certificates; Microsoft bought his company in 2008, and released the U-Prove specification last year along with a promise not to file patent lawsuits over its use.

On the other hand, it would be more convenient for law enforcement (not to mention intelligence agencies) if a more traditional, centralized system were used.

Sen. Barbara Mikulski, a Maryland Democrat who also spoke today at the Chamber event, seemed to veer a bit off-message--and instead of touting anonymity, she stressed the importance of aiding law enforcement.

Protecting civil liberties is important, Mikulski said. "But the first civil liberty is to be able to have a job, lead a life, and be able to buy what you want in the way we now buy it, which is through credit cards."

"We're going to support the FBI," said Mikulski, who heads the Senate subcommittee that oversees the FBI's funding. "We're going to support the growth of the FBI."

Another concern: Although the White House is describing the NSTIC plan as "voluntary," federal agencies could begin to require it for IRS e-filing, applying for Social Security or veterans' benefits, renewing passports online, requesting federal licenses (including ham radio and pilot's licenses), and so on. Then obtaining one of these IDs would become all but mandatory for most Americans.

"For end-users, online identification has become increasingly cumbersome and complex," says Marc Rotenberg, president of the Electronic Privacy Information Center. "But it remains unclear whether the White House proposal will solve this problem or create new problems. There is the real risk that consolidated identity schemes will lead to 'hyper' identity theft."

19,914 Posts
During his speech, Locke lashed out at the "conspiracy theory set" who have criticized the proposal. A column in, for instance, called NSTIC a "great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness."
NSTIC and the feds' HUA problem

If you're going to name something and expect its TLA (Three Letter Acronym) to be used then you really need to make it a memorable and "sayable" acronym. Of course, if the acronym has more than three letters, then it would be an ETLA: An Extended Three Letter Acronym.

For example, the Digital Millennium Copyright Act is the "DMCA." Not bad. It's short, to the point, memorable, and it can be pronounced ("dee-em-cee-ay").

On the other hand the Combating Online Infringement and Counterfeits Act is "COICA". Even the act's full name is unmemorable while the acronym is useless to anyone other than a bureaucrat.

Here's a pretty new acronym for you, "NSTIC," which stands for the "National Strategy for Trusted Identities in Cyberspace." How would you pronounce that? "Nus-tick"? "Nostick"? Who knows? Any way you say it, it is totally unmemorable and, perhaps, therein lies its genius; it sounds so opaque and boring, how important could NSTIC be?

The answer, my friend, is it's hugely important – because it is a totally ridiculous idea. A great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness.

NSTIC is a program fostered by NIST, the National Institute of Standards and Technology, an agency of the U.S. Commerce Department. According to the NSTIC Web site, the concept "is an Obama Administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure - such as routers and servers."

The hype continues: "The NSTIC envisions a cyber world - the Identity Ecosystem - that improves upon the passwords currently used to login online. The Identity Ecosystem will provide people with a variety of more secure and privacy-enhancing ways to access online services. The Identity Ecosystem enables people to validate their identities securely when they're doing sensitive transactions (like banking) and lets them stay anonymous when they're not (like blogging). The Identity Ecosystem will enhance individuals' privacy by minimizing the information they must disclose to authenticate themselves."

OK, all good in theory but, in practice, not so much. And notice how they switch tense: "Will provide" becomes "enables" as if the functionality of the proposal is already proven!

So what's wrongheaded with this? To begin with, let's look at the government's record for the security of its own services. A November 2010 report by the Government Accountability Office (GAO) concluded that the Internal Revenue Service (IRS) allowed employees a greater level of access to sensitive information than was needed to perform their jobs, and that its procurement system allowed users to bypass application controls. Wow.

Now, if only that was the extent of the government's online services mismanagement. There was also the Department of Homeland Security's (DHS) failure to complete a system intended to control U.S.-Mexico border security, the Transport Security Administration's (TSA) failure to implement "a risk management framework to make sound decisions regarding the allocation of security resources across transportation modes", and dozens of other SNAFUs that defy belief.

In short, the government, at the heart of its most sensitive public and administrative services, is incompetent on a biblical scale. And now they propose to provide what is, in essence, the management of a single sign-on system that would impact tens of millions of its citizens.

Just imagine if security mismanagement such as that encountered at the DHS or the TSA was to impact the NSTIC; one serious data breach would provide a field day for the bad guys. And should that happen, imagine the chaos while the problem was addressed … clients of any of the government's social services would find themselves locked out, services like the Department of Motor Vehicles would grind to a halt (OK, make that more of a halt), and companies that deal with the government could see their businesses hit a brick wall.

And all of this would be because the wonks at NIST think they can do what enterprises with far more experience in hardcore IT have learned the hard way: that unified security is incredibly difficult to implement even for a few thousand people. For tens of millions of citizens, it would be effectively impossible!

There has to be a TLA for this ridiculous idea. Let's see. Yes, I'd go with HUA, that's Head Up ... er, well you can guess.