And let’s not forget the myriad dangers of using a single-access point of entry for the Web. Key to the Obama Administration’s "identity ecosystem" is the use of exactly this type of credential. This could take the form of unique software on a smartphone or a smart card that generates a one-time digital password, and according to the plan the approach would eliminate the need to remember all those pesky passwords. Great, right? Wrong.
If you have any doubts that switching to a single "trusted" credential, regardless of how strongly authenticated, will make things safer for you online, you haven’t been paying attention to the news. What the NSTIC will actually do is create yet another high-value target for hackers and cyber-criminals. And what exactly will happen when such a credential is compromised? Who will be responsible? These again are all questions left unanswered by the government.
Finally, on top of all of this is the fact that the government plans to make the entire system opt-in. This may help assuage the public’s Big Brother fears, but for such a plan to be effective, we’d actually need to see it implemented across the world. Indeed, the very foundation of NSTIC’s success hinges on mass adoption. And at this point, there’s no reason to believe, especially with all the unanswered questions and lack of assurances, that anyone will be rushing to sign up.
All this opting-in business also brings us to the more freaky realm of mandatory Internet licensing, another scheme backed by a surprising number of high-profile security experts and technologists. Think of these as driver’s licenses for the Internet. Every citizen would get a kind of learner’s permit in the form of a hardware ID, which would allow them access to certain pre-approved sites. Browse responsibly and you’re in the clear. But do something wrong and prepare to be tracked down and cyber-smited.
The rationale behind these plans is two-fold. First, proponents emphasize that cybercrime has become increasingly hard to police and that the Internet—or specifically computers—can be just as dangerous as, say, a gun or car. Second, many of these otherwise intelligent people argue that we’ve already lost our privacy on the Web. Our ISPs know all sorts of things about us. Our phones track us everywhere we go. So why live under the illusion we’re truly anonymous when we go online?
This is exactly what backers like Eugene Kaspersky, CEO of security behemoth Kaspersky Labs, and Microsoft Chief Research and Strategy Officer Craig Mundie use to rationalize such a system.
“When you buy a car, the car is registered and you have a driver’s license,” said Kaspersky in a 2010 essay on the subject. “If you want to have a gun, the same thing—it’s registered to the person who bought it. The question is why? Because it’s dangerous. With computers, you can make much more harm than with a gun or car.”
This is not only misleading, but in fact wrong in almost every way. An ordinary gun or car owner has the potential to do massive harm. Your average Internet user? Not so much. And while it’s true that large networks of computers can be dangerous (botnets, etc.), equating them to deadly weapons is beyond ridiculous. This reasoning also fails (like the NSTIC plan) to acknowledge that authentication really isn’t the big problem here; it’s bad code in software and people and programs that exploit it. Furthermore, if the rationale is that privacy is dead, that our ISPs already know everything about us, why would these mandatory IDs even be necessary? Authenticating something or someone that’s already known? It’d simply be a matter of tapping Big Brother and getting to the necessary information.
Like NSTIC, there’s also the issue of scale with mandatory Internet IDs. For such a plan to even come close to being useful, there would once again need to be mass adoption. It’s beyond naive to assume every nation would somehow come together and approve a universal online ID system, especially one with such scary privacy implications.
Bottom line? As imperfect and piecemeal as our current safeguards can be, creating yet another online ID that hackers will inevitably exploit is not the way to boost privacy or make people feel better about online transactions. Yes, the Internet wasn’t designed to be a worldwide system of mass communication. But that’s exactly what it’s evolved into. And retroactively trying to police it or enforce mass adoption of new security schemes before they're fully legally baked is quite simply a recipe for disaster. Indeed, all these so-called trusted ID schemes do is mask the decidedly unsexy solutions that could really get to the root of the problem: Continuing to push for more online fraud awareness, and implementing legislative safeguards.
After all, the real goal of any trusted identity ecosystem is actually to do away with true anonymity. And if everyone knows you’re a dog online, well, that changes the very thing that makes the Internet so unique and invaluable in the first place.