Identity Companies? Spare Me the False Security

I’ve published on the need for strong passwords. There’s also great software available for free to keep your passwords safe: Of course, they can’t prevent the sites you visit from being hacked and your info grabbed.

Yesterday, the White House outlined its plan for a secure online identification system intended to allow people to get rid of the user ID/password setup for a "trusted identity" they would obtain from a private company that specializes in verifying identities.

Here's the cute vid: 

OK, so you approach the company and prove your identity much like you do when you obtain a driver's license or a passport (!).

This company then provides you with a smart card, keychain fob, one-time password generator, or even a phone app which you would plug into your computer (or fire up the app when accessing online banking, buying something on Amazon, filing your taxes, or anything else that requires personal data). We all know how fool proof those things are.

All of your information is stored on the "trusted identity" you receive, so you don't have to enter anything or remember a password.

This piece of brilliance is “The National Strategy for Trusted Identities in Cyberspace (NSTIC)” (primarily, a private-sector undertaking, though some government agencies, such as those that provide health care or other benefits, may provide trusted ID’s directly). The government is not going to require Internet IDs and will not be setting up the online shopping equivalent of the DMV, the White House assures us. Yet.

"The government will not require that you get a trusted ID. If you want to get one, you will be able to choose among multiple identity providers—both private and public—and among multiple digital credentials," according to a FAQ on the NSTIC Web site.

Here’s part of the President’s statement. The whole statement is in the linked content.

“The Internet has transformed how we communicate and do business, opening up markets, and connecting our society as never before.  But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year,” said President Obama.  “By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.  That’s why this initiative is so important for our economy.”

“We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords,” said Commerce Secretary Gary Locke, speaking at the U.S. Chamber of Commerce.  “Working together, innovators, industry, consumer advocates, and the government can develop standards so that the marketplace can provide more secure online credentials, while protecting privacy, for consumers who want them.”

Having a variety of private-sector options will ensure that "no single credential or centralized database can emerge," the White House said.

Really? I see that lasting less than a nanosecond. The Patriot Act or something similar will take care of that, and anyone taking an opposing view will be spun as a crazy or a traitor.

After all, you do trust your government, don’t you?  Sorry, it’s my job as a citizen not to.

How about education? How about teaching people how to secure their computers and letting them become responsible for themselves? How about requiring cryptologists and I.T. security experts generate requirements to make the entities you deal with truly secure, and the OS’s impervious to attack?

Because: Murphy’s Law and “nothing is fool proof”. The “fobs, smart cards, etc.” will broadcast. Therefore, they will be detected… and not always by the intended target only. Look, if you turn on a light, do only your eyes detect it? They can be lost, can’t they?

The administration also said that this approach protects online anonymity. "Even if you do choose to get a credential from an ID provider, you would still be able to surf the Web, write a blog, visit chat rooms, or do other things online anonymously or under a pseudonym," the White House said.

That’s true, only records will be kept. Count on it. And who has the power? “The Keeper of the Keys”. All this will do is create bigger and better targets for hackers. If the Governments computers are hackable, why won’t these companies’ also?

Qui custodiet ipsos Custodiens? – “Who guards the Guardians?”

This question will not be answered because it can’t be. You can count on human foibles to make “the safe and invulnerable” quite vulnerable.

Here’s a better idea: Layer the security from the user’s computer, his/her security behavior, the net itself, the companies on the net we deal with and the people in charge of I.T. security in those companies. “Don’t put all your eggs in one basket”. Put them in many baskets and teach people how fragile eggs are and how to take care of them.

The administration first discussed this undertaking in December, when the Commerce Department issued a report that made several recommendations, including a set of principles for how companies collect and use peoples' data and privacy protection for cloud computing and location-based services.

At this point, this trusted ID idea is just that: An idea. I think it’s a poor one even if well motivated – it’s fundamentally flawed by human nature and by paternalism.

"The Identity Ecosystem, the system of technical and policy standards described by NSTIC, is not established yet." It will likely be "some years" before this system is a reality, but the White House said it views this report as a jumping off point to help reduce cyber crime and create a new market for innovation.

“Identity Ecosystem”?

Oh my aching feet! Less spin and hype… puhleeeze! Someone needs to create “PlainSpeak”: K.I.S.S. and use Po’s Troll Thumper on the clown who invented “Identity Ecosystem”!

Oh yes…almost forgot: My opinion of this “jumping off point”?

Source: http://www.pcmag.com/article2/0,2817,2383648,00.asp