Point/Counterpoint: Internet IDs Are a Terrible Idea

Internet IDs will be ineffective, risky, and won't address the root of our real problems with online security

They go by many names—trusted identities, ID ecosystems, Internet driver’s licenses—but the basic idea is always the same: Create a single online credential system that somehow increases accountability, combats fraud and identity theft, and helps deter cybercrime. Over the years we’ve seen many of these schemes trotted out in the private sector only to fail time and again. And for good reason. These plans are not only impractical, they also ignore history, confuse the primary threats we face online, and, worst of all, have the potential to do infinitely more harm than good.


Let’s start with one of the more recent plans (though not the most recent–that honor belongs to a new suggestion from the Danish police that anonymity be banned online entirely): The Obama Administration’s federated Internet identity system. Also known as the “National Strategy for Trusted Identities in Cyberspace,” or simply “N-Stick,” this government-coordinated proposal again aims to reduce online fraud and identity theft while at the same time greasing the wheels of e-commerce.

N-Stick

On the surface there’s actually plenty to admire about the initiative. Not only does it recognize that we’ve become increasingly reliant, both from an economic and personal standpoint, on the Web, but it also promises to take steps toward creating “an online environment where individuals, organizations, services, and devices can trust each other”—all in a way that doesn’t divulge any personal information, mind you. The Administration was even savvy enough to recognize that any such government-run program would be inherently suspect, so it subsequently made the NSTIC a purely “opt-in” system to be executed by the private sector and led by the Commerce Department.

And if all that sounds too good to be true, that’s because it is. Look a bit deeper and the NSTIC is actually nothing more than a cyber-utopian pipe dream. Behind all the good intentions, lofty goals, and reassurances of privacy, the plan would, at best, give citizens a decidedly false sense of security, privacy, and control. At worst, it would create a daunting array of new privacy nightmares to contend with.

Here’s the problem—or rather problems. As is generally the case with online ID schemes, the actual execution of the NSTIC goals falls under the we’ll-figure-it-out-as-we-go approach. Questions surrounding technical guarantees, government power over ID issuance, nationality, anonymity, and even incentives and business models all remain unanswered. Like any plan lacking necessary specifics, it tends to raise far more questions than it answers. Yes, these initiatives are admittedly difficult to implement (especially considering we’re dealing with the sprawling Wild West that is the Internet), but moving forward without tackling regulatory policy and procedural safeguards is irresponsible and, frankly, a waste of time. Given that similar schemes have been tried before and failed for exactly the same reasons, this should be abundantly clear to the government by now. And what exactly makes the Obama Administration think NSTIC will succeed where companies like Microsoft and Google have already failed? Yeah, that’s not really clear either.

Jay Stanley of the ACLU’s Speech, Privacy and Technology Program, succinctly sums up the problem thusly: “[The NSTIC] is basically a strategy, not a plan.”

What Are the Actual Risks?

Similarly, the creators of this strategy seem to display a profound misunderstanding of the primary risks we actually face online. In this case, the underlying assumption is that most of our Internet woes are due to a lack of sufficient authentication. If you ask Columbia computer science professor Steve Bellovin, this is demonstrably false. And the man who helped create USENET should probably know. While it’s true that password-based security has plenty of faults, the biggest problem we continually face was (and is) buggy code, says Bellovin. Indeed, as he noted in his original response to the government’s first NSTIC draft, “all the authentication in the world won’t stop a bad guy who goes around an authentication system.”

This can be (and has been) done in any number of ways: Hackers can find bugs to exploit before authentication is performed. They can also find bugs within the actual authentication system. The simple fact is that the Internet is chock full of buggy network servers. In fact, buggy code is a part of all large computer programs and the direct result of software complexity. Anyone who’s ever dealt with malware should know this.

Also dubious is the notion that NSTIC will actually protect our online anonymity any more than the systems we currently have in place. While the government touts the advantages of using “trusted third parties,” and “unlinkable” certificates that won’t divulge personal info, at the end of the day, “someone at some point is still verifying and authenticating that you are who you say you are,” says Lee Tien, a senior staff attorney for Electronic Frontier Foundation.

“So the question becomes, what exactly are those verifying authorities doing with your data?” Could they be compelled to hand it over to the government or police? And if we’re talking third parties here, wouldn’t there eventually be some push to monetize all that valuable info? How else will the companies involved actually make money? Again, the bottom line is that these credentials will still live somewhere on the Internet, which in turn means that whoever hosts them (even if there is no centralized database) will also have the ability to de-anonymize the ID and link it to a person. That, my friends, is not anonymity.

All Your Security Eggs in a Single Government Basket

And let’s not forget the myriad dangers of using a single-access point of entry for the Web. Key to the Obama Administration’s “identity ecosystem” is the use of exactly this type of credential. This could take the form of unique software on a smartphone or a smart card that generates a one-time digital password, and according to the plan the approach would eliminate the need to remember all those pesky passwords. Great, right? Wrong.

If you have any doubts that switching to a single “trusted” credential, regardless of how strongly authenticated, will make things safer for you online, you haven’t been paying attention to the news. What the NSTIC will actually do is create yet another high-value target for hackers and cyber-criminals. And what exactly will happen when such a credential is compromised? Who will be responsible? These again are all questions left unanswered by the government.

Finally, on top of all of this is the fact that the government plans to make the entire system opt-in. This may help assuage the public’s Big Brother fears, but for such a plan to be effective, we’d actually need to see it implemented across the world. Indeed, the very foundation of NSTIC’s success hinges on mass adoption. And at this point, there’s no reason to believe, especially with all the unanswered questions and lack of assurances, that anyone will be rushing to sign up.

Mandatory IDs Are Even Worse

All this opting-in business also brings us to the more freaky realm of mandatory Internet licensing, another scheme backed by a surprising number of high-profile security experts and technologists. Think of these as driver’s licenses for the Internet. Every citizen would get a kind of learner’s permit in the form of a hardware ID, which would allow them access to certain pre-approved sites. Browse responsibly and you’re in the clear. But do something wrong and prepare to be tracked down and cyber-smited.

The rationale behind these plans is two-fold. First, proponents emphasize that cybercrime has become increasingly hard to police and that the Internet—or specifically computers—can be just as dangerous as, say, a gun or car. Second, many of these otherwise intelligent people argue that we’ve already lost our privacy on the Web. Our ISPs know all sorts of things about us. Our phones track us everywhere we go. So why live under the illusion we’re truly anonymous when we go online?

This is exactly what backers like Eugene Kaspersky, CEO of security behemoth Kaspersky Labs, and Microsoft Chief Research and Strategy Officer Craig Mundie use to rationalize such a system.

“When you buy a car, the car is registered and you have a driver’s license,” said Kaspersky in a 2010 essay on the subject. “If you want to have a gun, the same thing—it’s registered to the person who bought it. The question is why? Because it’s dangerous. With computers, you can make much more harm than with a gun or car.”

This is not only misleading, but in fact wrong in almost every way. An ordinary gun or car owner has the potential to do massive harm. Your average Internet user? Not so much. And while it’s true that large networks of computers can be dangerous (botnets, etc.), equating them to deadly weapons is beyond ridiculous. This reasoning also fails (like the NSTIC plan) to acknowledge that authentication really isn’t the big problem here; it’s bad code in software and the people and programs that exploit it. Furthermore, if the rationale is that privacy is dead, that our ISPs already know everything about us, why would these mandatory IDs even be necessary? Authenticating something or someone that’s already known? It’d simply be a matter of tapping Big Brother and getting to the necessary information.

Like NSTIC, there’s also the issue of scale with mandatory Internet IDs. For such a plan to even come close to being useful, there would once again need to be mass adoption. It’s beyond naive to assume every nation would somehow come together and approve a universal online ID system, especially one with such scary privacy implications.

An Inadequate Solution

Bottom line? As imperfect and piecemeal as our current safeguards can be, creating yet another online ID that hackers will inevitably exploit is not the way to boost privacy or make people feel better about online transactions. Yes, the Internet wasn’t designed to be a worldwide system of mass communication. But that’s exactly what it’s evolved into. And retroactively trying to police it or enforce mass adoption of new security schemes before they’re fully legally baked is quite simply a recipe for disaster. Indeed, all these so-called trusted ID schemes do is mask the decidedly unsexy solutions that could really get to the root of the problem: Continuing to push for more online fraud awareness, and implementing legislative safeguards.

After all, the real goal of any trusted identity ecosystem is actually to do away with true anonymity. And if everyone knows you’re a dog online, well, that changes the very thing that makes the Internet so unique and invaluable in the first place.