Monday, April 28, 2014

THE WHITE HOUSE WANTS TO ISSUE YOU AN ONLINE ID



A few years back, the White House had a brilliant idea: Why not create a single, secure online ID that Americans could use to verify their identity across multiple websites, starting with local government services. The New York Timesdescribed it at the time as a "driver's license for the internet."
Sound convenient? It is. Sound scary? It is.
Next month, a pilot program of the "National Strategy for Trusted Identities in Cyberspace" will begin in government agencies in two US states, to test out whether the pros of a federally verified cyber ID outweigh the cons.
The goal is to put to bed once and for all our current ineffective and tedious system of using passwords for online authentication, which itself was a cure for the even more ineffective and tedious process of walking into a brick-and-mortar building and presenting a human being with two forms of paper identification.
The rub is that online identity verification is heaps more convenient for citizens and cost-effective for government agencies, but it's also fraught with insecurities; federal and state governments lose billions of dollars a year to fraud, and that trickles down to taxpayers.
Meanwhile, the technology for more secure next-gen authentication exists, developed by various tech firms in the public sector, but security groups have had a hell of a time implementing any of them on a broad scale. Enter the government, which proposed the national ID strategy to help standardize the process using a plan called the "identity ecosystem."
The vision is to use a system that works similarly to how we conduct the most sensitive forms of online transactions, like applying for a mortgage. It will utilize two-step authentication, say, some combination of an encrypted chip in your phone, a biometric ID, and question about the name of your first cat. 
But instead of going through a different combination of steps for each agency website, the same process and ID token would work across all government services: from food stamps and welfare to registering for a fishing license.
The original proposal was quick to point out that this isn't a federally mandated national ID. But if successful, it could pave the way for an interoperable authentication protocol that works for any website, from your Facebook account to your health insurance company.
There's no doubt secure online identification is a problem overdue for a solution, but creating a system that would work like an all-access token for the internet is a scary can of worms to open.    
To start, there's the privacy issue. Unsurprisingly, the Electronic Frontier Foundation immediately pointed out the red flags, arguing that the right to anonymous speech in the digital realm is protected under the First Amendment. It called the program "radical," "concerning," and pointed out that the plan "makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online."
And the keepers of the identity credentials wouldn't be the government itself, but a third party organization. When the program was introduced in 2011, banks, technology companies or cellphone service providers were suggested for the role, so theoretically Google or Verizon could have access to a comprehensive profile of who you are that's shared with every site you visit, as mandated by the government.
Post-NSA revelations, we have a good sense for the dystopian Big Brother society the EFF is worried about. As the organization told the Times, at the least "we would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant."
Then there's the problem of putting all your security eggs in one vulnerable basket. If a hacker gets their hands on your cyber ID, they have the keys to everything.
For now, this is all just speculation. The program is just entering a test phase with select state government agencies only (there are currently plans to expand the trial out to 10 more organizations.) 
But it's not far-fetched to think we're moving toward a standardized way to prove our identity in cyberspace the same way we do offline.
The White House argues cutting down on inefficiencies and fraud would bolster the information economy. In an era where we have cars that drive themselves and flying robots delivering beer, you have to wonder how much longer people are going to put up with standing in line at the DMV for four hours to hand a teller (with a taxpayer-paid salary) a copy of your birth certificate and piece of mail to prove you are you.
If an analysis of the pilot programs in Michigan and Pennsylvania find the centralized ID saves time and money and spares us the DMV line, privacy advocates are going to have a hell of a fight ahead of them.

No comments:

Post a Comment