It'll save us money and provide secure (yet optional) ways to do our online banking, healthcare, and taxes

The Useful ID Baarbarian

Has a friend ever called you to say, “Hey, unless you are genuinely trying to sell me property in the Dominican Republic, your email is hacked”? Or received a call from your bank asking if you truly meant to donate $7,000 to some pasty kid in Ohio claiming to be a Nigerian prince? Internet security is broken, and we need to roll up our cyber-sleeves and fix it. That’s why the U.S. Chamber of Commerce announced this new proposal on April 15, designed to fight the steady increase in online crime. Entitled the National Strategy for Trusted Identities in Cyberspace, or NSTIC, it outlines the beginnings of an “identity ecosystem” to be created jointly by the private and public sector to spur more innovative and effective online authentication methods. Even if you’re not as immediately and easily swayed by snazzy, futuristic phrases like “identity ecosystem” as I am (and oh, how I am) there are still lots of other reasons to support increased Internet security.

To see the other side of this argument, read the "counterpoint" in our point/counterpoint.

And what exactly is an "identity ecosystem," you might ask. The concept at this stage is a little nebulous, but it basically refers to an online environment that's fundamentally different than the one we have now. Instead of an anonymous free-for-all, an identity ecosystem would allow people to use and prove their identities thanks to solid authoritative sources. That ecosystem, by necessity, would support a whole mess of security options that allow consumers to choose how to better protect their online identities. NSTIC is calling these security options “trusted credentials,” which is an umbrella term for any devices or methods considered to be more secure than passwords. Yes, it’s incredibly ambiguous, but give them a break: The bulk of the technology that might qualify as a trusted credential is still in development.

This is not a new idea – in fact, inventor/philosopher/Force Majeure Ted Nelson’s work with Project Xanadu, which he founded in 1960, predicted this problem decades before the Googlian Empire. The first rule of Project Xanadu? Every server is uniquely and securely identified. A little further down the list is a similar rule: Every user is uniquely and securely identified. Nelson even foresaw the problem of compensating people for their intellectual property online; with a unique ID, a micropayment could be debited from a user’s account every time they read an article or viewed an image on a webpage. Voila! Dramatic Chipmunk would be rich! But that idea fell out of favor as Xanadu's sorta-competitor, the World Wide Web, achieved dominance.

Trusted credentials are needed to make up for the failings of passwords, which are not considered nearly secure enough to protect the sensitive information we'd like to start accessing online. "What's wrong with passwords?" you might ask. Lots of things!

Passwords? More Like Past-words!

Passwords are awesome if you’re a child founding a secret club in your tree house. They’re becoming pretty useless everywhere else, however. Why? Well, a) no offense, but as this New York Times article on popular passwords points out, yours might not be as sneaky as you think, and b) with the rise of phishing and keystroke logging, smart hackers don’t even have to guess anymore--they’re tricking you into spilling your Internet beans. Ari Schwartz, Senior Internet Policy Advisor at the NIST’s Information Technology Laboratory, thinks passwords have been outdated as an online security standard for several years. “This is actually the third attempt the federal government has made [to introduce a policy] in the last 10 years,” he says. “But this time there’s more support from the private sector,” referring to a public letter dated February 17th, 2011 signed by the advocacy groups Business Software Alliance, the Information Technology Industry Council, and TechAmerica, urging Congress to support NSTIC. So apparently, writing letters to Congress actually works sometimes!

Anyway, the envisioned “identity ecosystem” will provide Americans with a number of different options for “trusted credentials” that will step up the protection of their online identities without sacrificing their privacy. Microsoft, eTrade and PayPal, amongst several other major corporations, have already expressed their support and are working on contributing technology to the strategy.

RSA SecurIDs: br1dotcom via Flickr

‘What is a trusted credential?’ you may be asking. An example is the RSA SecurID, a token manufactured by the security division of the gargantuan information infrastructure producer EMC. It’s a small piece of hardware that provides numeric passwords from a unique key at set intervals, usually either every 30 or 60 seconds. That's matched up with the code generated by the same unique key, which resides in RSA's servers. Users have to enter the code that's displayed on their little SecurID dongles at that very second. If used in conjunction with a password, the token is a major obstacle for hackers--many corporations rely on SecurID, which is why the company freaked out so thoroughly after a very rare hack exposed its clients to attack. Google has also jumped on this bandwagon, announcing in February 2011 that interested Gmail customers can enable an extra layer of security for their accounts. This tactic is called “two-factor authentication,” and can be used with tokens, smart cards, cell phones and digital certificates, amongst other emerging platforms.
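To make the token mechanism concrete, here is an added example (not code from the article or from RSA) of how a time-based one-time code is generated on the device and checked on the server. SecurID's own algorithm is proprietary, so this uses the open TOTP standard (RFC 6238, built on RFC 4226 HOTP) as a stand-in; the seed is the RFC's published test value, not a real token's, and the 30-second step matches the interval the article mentions.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 6238 test vector). A real token's seed is
# provisioned by the issuer and shared only between token and auth server.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """What the token displays: HOTP where the counter is the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server side. Returns the matched counter (store it as last_counter)
    or None. Accepts the current interval and +/- `window` neighbours to
    absorb clock drift and typing delay. Any counter at or below
    last_counter is rejected, so a code captured by a phisher and relayed
    within the same interval is refused once the legitimate login used it.
    The comparison is constant-time to avoid leaking matching digits."""
    now = unix_time // step
    for c in range(now - window, now + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("token shows:", code)
    print("server accepts counter:", verify_totp(DEMO_SEED, code, now))
```

Note that the one-time code is only as strong as the secrecy of the seed on both ends, which is exactly why a breach of the issuer's seed records (the SecurID incident the article alludes to) exposes every token derived from them.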

Schwartz is a major proponent of two-stage authentication, hoping that NSTIC's embracing of security features like it will “spur innovation, not interrupt it.” By moving past the ineffectiveness of passwords to something more secure, NSTIC could allow folks to perform tasks usually seen as too potentially risky to be done online, including storing healthcare records and tax records. He uses the advent of the Internet itself as an analog for this effort towards cyber security: after all, the Internet was originally a federal tool handed off to the private sector where it flourished into the cornucopia of kitten videos it is today.

Privacy Will Be Enhanced, Not Eroded

Listen, I get it: Americans love freedom. Americans often have a knee jerk reaction to plans like NSTIC because they think it might erode their personal liberty.

That’s not the case here. Commerce Secretary Gary Locke has repeatedly stated that the participation in NSTIC’s strategy will be voluntary and that private companies are taking the lead, not the government. Yes, there has been a great deal of backlash anyway, with critics claiming it is an overreach of federal power and comparing NSTIC to the Chinese national internet ID system. That’s just not true. It’s like comparing apple pie to Mandarin oranges.

You need more assurance? Jeremy Grant, Senior Executive Advisor for Identity Management at NSTIC, counters these rumors, explaining that “Many other countries have chosen to rely on national ID cards. We don’t think that’s a good model. Having a single issuer of identities creates unacceptable privacy and civil liberties issues.” Schwartz elaborated on Grant’s statement by explaining that the role of the government in this initiative is limited to convening private companies to discuss practical answers, supporting their research, and making sure they abide by the Fair Information Practice Principles. The government will play no role beyond these considerations.


12 Comments

Well since the government leaves me to secure my home, then I should be responsible for securing my online information--not the government.

I can already think of some easy ways to get around this system (and this will probably get me stalked by the government). But this system says nothing of computer networks working together, sure... if you launch an attack from a single computer that might be more easily detected. But let us consider this... even as you sit there, not doing anything with the computer it IS exchanging information in the background with several servers. And it's not all that hard to send information to one location, and make it look like it really went somewhere else. Exploiting several connections can allow for a type of bridged BitTorrent, installation of code, or extraction of data. If the data being exchanged is small enough and cut into enough pieces, it probably won't be detectable by this system. And as soon as Big Brother gets hip to the data transfer, expand the network and make the exchange smaller.

FAIL

And what the fraggle-nackle bull PopSci? This AUTHENTICATION process sucks!

Sure we need to work on security issues. But, the author relies almost solely on the "appeal to authority" fallacy, which should alert any reader that he has few or no facts to back her claims. This just makes the counterpoint argument the more persuasive, starting with the idea that it is not security per se, but poor programming code that leads to security loopholes.

"Well since the government leaves me to secure my home, then I should be responsible for securing my online information--not the government. "

Exactly, no amount of government regulation can foolproof a system. Which is why exploits and scams will continue to exist.

The only thing they can do is to help build awareness of the scams and the dangers that their citizens face and suggest adequate solutions.

But then again, we don't really need the government for that either. Which goes to show that the internet will continue to thrive with or without government regulation.

This is a nightmare scenario. It won't work, and nobody will be held accountable for the damage it does. It will eventually be about as "optional" as using your SSN as an ID. George Orwell was an optimist.

Yet another iteration of corporate cronyism. We need this like we need obamacare and the department of education needs swat teams.

Yeah, it might be optional now, but what happens when the banks and government do away with anything else BUT this way of identification? There goes our privacy.

To think this would be any better than what we have now is laughable. And I haven't even read the article yet! :)

So, it is "currently legal to blank an IP address"? In other words, it is currently legal for me to have a private life, in America?! Oh, we better put a stop to that right now...!

Yes, "voluntary" is a joke in this context, because no form of "voluntary" authentication is voluntary for the *user*, particularly when it's hardwired into every device made by every manufacturer who "joins the initiative." It just means yet another junk service we'd have to deal with being pressured into using. And how exactly is it meant to console me that the federal government won't be managing it, but, say, Microsoft will instead?

And why is it even related to the hardware? That doesn't relate to the user. One user may have accounts on four different pieces of hardware - say, a phone, a netbook, a home PC, and a work machine - and, say, three of those might have multiple users, and two of them could easily be lost or stolen. Hardware IDs might help the justice system to track down rare criminals, but they wouldn't benefit consumers authenticating for financial transactions or the health records mentioned above, or anything else, for that matter.

My favorite bit from the article is the idea of blank IPs as a nefarious security trick. Cute. You know you couldn't so much as watch a YouTube video that way, right? ("Not available in your country.")

This article assumes that any system that is created will be perfectly secure and completely un-hackable. It also doesn't mention that humans can still be tricked into doing stupid things. Those two examples at the start (Nigerian prince and property sale) can still be carried out, it's just a matter of social engineering. (maybe more difficult though) The only secure system is the one that is not usable. As long as humans are involved nothing is completely safe.

Speaking of trust and security, the U. S. Chamber of Commerce? Wouldn't trust 'em as far as I can throw 'em. Might as well add in the Koch brothers and Microsoft.

The article states: "Listen, I get it: Americans love freedom. Americans often have a knee jerk reaction to plans like NSTIC because they think it might erode their personal liberty."

This is purely a meaningless strawman claim. Here's why: It is not our liberties at stake with these ID systems, it is the theft of our identities itself. Thus what is defined as our liberties isn't lost, it becomes the property of thieves. Hence only the thieves will have anonymity. The very act of trusting an ID system by definition entails labeling the innocent as the thief in the group.

In effect, by having a central identity authority, such a system merely provides a central place for the thieves to peruse a complete list of valid identities to steal. Essentially erasing any possibility for a responsible user to protect themselves through their own diligence. Since this authority's authority now trumps and has access to the authority that the diligent user no longer has any control of the security under which it is held.
