Last year I said that I thought that the US National Strategy for Trusted Identities in Cyberspace (NSTIC) was heading in the right direction. I’m very much in favour of the private sector providing multiple identities into a framework that is used by the public sector and vice versa. I’m in favour of choice: if I choose to use my Barclays identity to access the DVLA or my DWP identity to access O2 it shouldn’t matter to the effective and efficient use of online transactions. There was one area where I felt it could have presented a slightly different vision, and that’s in the use of pseudonyms, which I think should be the norm rather than the exception.
People should consider it normal to get a virtual identity from their bank or their mobile phone operator in a pseudonymous name so that they can browse, transact and comment without revealing anything about themselves other than the facts relevant to a transaction.[From Digital Identity: USTIC]
James Van Dyke, when discussing NSTIC (which seems to have become known unofficially as “Obama’s Internet Identity System”), warned about
Apocalyptic fear-mongers. Yes I’m ending with the crazies here, but hear me out. The extreme cable networks and televangelists will surely jump on this as the digital incarnation of the Mark of either the Beast or “(gasp!) Obama liberals. Historians will recall that social security numbers were supposed to be an apocalyptic conspiracy.[From Obama’s Internet Identity System: Could This Change Everything? – Javelin Strategy & Research Blog]
I don’t think the danger is the crazies — although I feel a little sheepish writing this a couple of days after a crazy did, in fact, murder several people and seriously injure a congresswoman — but the journalists, politicians, commentators and observers who don’t really understand the rather complex topic of digital identity. Or, as “Identity Woman” Kaliya Hamlin (who some of you may remember from the first European Internet Identity Workshop that Consult Hyperion sponsored with our friends from Innopay and Mydex back in October) said about NSTIC:
I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative[From National! Identity! Cyberspace!: Why we shouldn’t freak out about NSTIC. | Fast Company]
She’s bang on with this. Here’s a couple of typical examples from the blogosphere:
CNET reported on January 7, 2011 that Obama has signed authority over to U.S. Commerce Department to create new privacy laws that require American citizens to hold an Internet ID card.[From Internet Anonymity: Obama Pushes for an American Internet ID]
President Obama has signaled that he will give the United States Commerce Department the authority over a proposed national cybersecurity measure that would involve giving each American a unique online identity[From Obama administration moves forward with unique internet ID for all Americans, Commerce Department to head system up — Engadget]
As far as I can see, NSTIC being managed by the Commerce Department has nothing to do with “privacy laws” and the idea that it will require Americans to have an “Internet ID” is a journalistic invention. The actual situation is that NSTIC is to go from being an idea to an actual system:
The Obama administration plans to announce today plans for an Internet identity system that will limit fraud and streamline online transactions, leading to a surge in Web commerce, officials said. While the White House has spearheaded development of the framework for secure online identities, the system led by the U.S. Commerce Department will be voluntary and maintained by private companies,[From Internet Identity System Said Readied by Obama Administration – BusinessWeek]
What this means is not that Americans will get an “Internet Driver’s License” but that they will be able to log in to their bank, the Veteran’s Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others.
[White House Cybersecurity Coordinator] Howard Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. “I don’t have to get a credential, if I don’t want to,” he said. [From Obama to hand Commerce Dept. authority over cybersecurity ID | Privacy Inc. – CNET News]
As long as it’s a matter of choice, I really don’t see a problem with this. The idea of NSTIC is that it is the infrastructure that is standardised, and this is good. We need standards for credentials and such like so that I can use my Woking Council ID to log in to central government services and my Barclays Bank ID so that I can log in to do my taxes online: but I might pay Barclays for an additional ID that has some key credentials (IS_A_PERSON, IS_OVER_18, IS_NOT_BANKRUPT, that sort of thing) but does not reveal my identity. This sort of Joe Bloggs (or, for our cousins over the water, John Doe) identity would be more than adequate for the vast majority of web browsing and if other people want to wander the highways and byways of the interweb with a Manchester United, Prince or BBC ID, then it’s up to them. Let a thousand flowers bloom, as they say (well, as Chairman Mao said).
If the crazies want to be concerned about a single ID mark of the e-beast infocalypse, they’re perfectly entitled to, but I don’t understand why they are convinced it will come from the government in general or Obama in particular – there are half-a-billion people out there (including me) who have already handed over their personal information to a single unaccountable entity.
Facebook Login lets any website on the planet use its identity infrastructure—and underlying security safeguards. It’s easy to implement Facebook Login, simply by adding a few lines of code to a web server. Once that change is made, the site’s users will see a “Connect with Facebook” button. If they’re already logged into Facebook (having recently visited the site), they can just click on it and they’re in. If they haven’t logged in recently, they are prompted for their Facebook user name and password.[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]
Now, at the moment Facebook Connect just uses a password, so it’s no more secure than banks or government agencies, but it could move to a 2FA implementation in the future. Widespread 2FA access to online services really should have become a business for banks or mobile operators already (think how long Identrus has been around) but it just hasn’t happened: I can’t use my Barclays PINSentry to log on to Barclaycard, let alone the government or an insurance company. But suppose my Facebook login required access to my mobile phone so it was much more secure: you know the sort of thing, enter e-mail address, wait for code to arrive on mobile phone, enter code (a proper UICC-based digital signature solution would be much better, but that’s another topic). Then I could use Facebook Connect for serious business. This would have an interesting side-effect: Facebook would know where I go on the web, which seems to me to be much more like the mark of the e-beast.
An interesting side benefit for website operators is that Facebook Login provides the site with users’ real names (in most cases) and optionally a variety of other information, such as the users’ “friends” and “likes.”[From Facebook Wants to Supply Your Internet Driver’s License – Technology Review]
Which is, of course, why I don’t use it. On the other hand, if Facebook decided to use cryptography to secure and protect this sort of information, they could at a stroke create a desirable internet passport: by “blinding” the passport to prevent service providers from tracking the identity across web sites, Facebook could significantly improve both convenience and privacy for the average user.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
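An added example, not code from the original post, from Facebook or from NSTIC: one simple way to get the effect described above, a login that carries claims such as IS_OVER_18 while each site sees a different, unlinkable pseudonym. It uses pairwise HMAC-derived identifiers rather than cryptographic blinding; the keys, site names and user id are constructed, and HMAC stands in for the provider's real signature.

```python
import hashlib
import hmac
import json

# Constructed demo keys; a real provider would keep these in an HSM and
# sign with an asymmetric key so sites can verify without sharing a secret.
PAIRWISE_KEY = b"constructed-pairwise-key"
SIGNING_KEY = b"constructed-signing-key"


def pairwise_subject(user_id: str, site: str) -> str:
    """Pseudonym that is stable for one (user, site) pair and differs per site."""
    msg = site.encode() + b"\x00" + user_id.encode()
    return hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_assertion(user_id: str, site: str, claims: dict) -> dict:
    """Provider side: attribute claims plus a per-site pseudonym, no real identity."""
    payload = json.dumps(
        {"aud": site, "sub": pairwise_subject(user_id, site), "claims": claims},
        sort_keys=True,
    )
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion: dict, site: str):
    """Site side: reject tampered assertions and ones minted for another site."""
    expected = hmac.new(SIGNING_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    body = json.loads(assertion["payload"])
    return body if body["aud"] == site else None


if __name__ == "__main__":
    claims = {"IS_A_PERSON": True, "IS_OVER_18": True}
    for site in ("blog.example", "shop.example"):
        a = issue_assertion("dave@bank.example", site, claims)
        print(site, verify_assertion(a, site))
```

The provider still sees which site each assertion is minted for; hiding that from the provider as well needs blind-signature or anonymous-credential schemes.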
I echo the calls from Kaliya Hamlin and others for more measured “slow news”. The hysterical media reporting of identity matters is deplorable.
And yet I struggle with NSTIC in its current form. While the objectives are laudable, I’m afraid that the model is a direct uplift of the orthodox federated identity metasystem; it’s almost a cut & paste from OIX. And the problem with the orthodoxy is that it has yet to come to grips with the awkward experience of the past 5-10 years. Namely, federated identity is easier said than done.
The vision seems intuitively reasonable. Dave said that: “[NSTIC subjects] will be able to log in to their bank, the Veteran’s Administration, the DMV and their favourite blogs using a variety of IDs provided by their bank, their mobile phone operators and others”.
And Howard Schmidt said on the Whitehouse blog last week: “imagine that a student could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords”.
With respect, while these sorts of scenarios roll easily off the tongue, they are more complex than first appears. When a bank identifies and registers a customer for itself, it manages and accepts the risk that it might get the identification wrong. For a university or a phone company to identify someone and issue them a credential acceptable by a bank is unprecedented in the real world. The identity issuer has to warrant the credential in a whole range of transaction contexts over which the issuer has no control. It’s probably not possible to do a risk analysis let alone put in place risk management measures.
So what will almost certainly happen is that general purpose identities in NSTIC will come with abundant fine print to circumscribe the liability of the issuers. It will be like Big PKI all over again. The vain promise of a general purpose identity certificate foundered on fine print; typically a certificate was forbidden to be used for transactions with value exceeding $1000, for ‘healthcare related’ applications, and so on.
Like “SSO” — which has come to mean “Simplified” not “Single” Sign On — the NSTIC will fall short of what people are being led to expect, and for the same reasons. Identities are really proxies for context-dependent relationships which have evolved over time to manage risk in silos. These relationships cannot be easily deconstructed and remade across contexts.
A very accurate diagnosis, Stephen, and I agree with you completely, but the source of my optimism is that PKI “under the hood” in mobile phones and smart cards might be made to work properly whereas PKI in web browsers was a total pain. The risk issues are the major issues, as is bound to be discussed at this week’s CSFI round table, but that doesn’t mean that they can’t be dealt with: the vast majority of cases (eg, logging in to comment on blogs) don’t require any liability at all.
Dave, great post as always. I’m wondering if this will give legs to OpenID? Seems like they already provide a framework and some extensibility to support these types of use cases? (i.e. it could be used to support the different contexts…)
Dave, we are definitely at one re PKI under the hood. PKI gets such a bad rap for being “complex” but the complexity of the ferromagnetics in a standard plastic card is far greater. While the typical PKI 101 lecture starts with a cryptography tutorial, nobody ever tries to teach Maxwell’s Equations on the way to understanding credit cards! What PKI needs is a commercially mature technology stack and supply chain, comparable to that of the ferromagnetics industry; see http://lockstep.com.au/library/conference_presentations/lockstep_isigday_pki_26nov200.pdf.
[BTW it’s always amusing to hear the ‘criticism’ that you can’t make money selling digital certificates. But in a mature supply chain you certainly could, just as 3M and BASF easily make billions selling ferric oxide tape to card fabricators.]
So if NSTIC were really about PKI and smartcards or similar smart devices, then it would be a great thing. Everyone — banks, governments, employers, hospitals, HMOs, airlines, universities, associations, clubs etc etc — settled happily on a uniform “id” technology years ago: mag stripe cards and ABA-standard (more or less) track coding. We could do it again around smartcards given a bit of leadership from government.
But I’m afraid that “PKI” is still despised by many after the earlier excess hype. More generally, policy makers cling to “technology neutrality”, despite the fact that not all security technologies are born equal, and so the Dept of Commerce is unlikely to wish to pick a winner in PKI.
Some cause for optimism comes from FIPS-201. It seems to be hitting its straps at last, and I love the fact that it stimulated laptop vendors to re-introduce built-in smartcard readers. All we need to solve the identity crisis is switch extant ids from mag stripe to chip card, and habituate people to smartcard-based logon. That should be the easy part; the user experience of popping a card into a slot will be second nature to anyone with a wallet.