The Obama administration is moving to hand the U.S. Commerce Department authority to implement a new cybersecurity effort which would include creation of an Internet ID for each U.S. citizen.
Administration staff members are drafting what they call the National Strategy for Trusted Identities in Cyberspace, which U.S. Commerce Secretary Gary Locke acknowledged will be released in the next few months.
Speaking at a January 7, 2011 event at the Stanford Institute for Economic Policy Research, Locke defended the effort: “We are not talking about a national ID card,” he said. “We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.”
‘Not a National Security Matter’
Though Locke claimed anonymity and pseudo-anonymity would remain possible on the Internet, others see any such cyber-ID effort as a gross invasion of privacy.
“I really do not see how and why the government could be interested in such a system at all,” says Pierluigi Stella, chief technology officer for Network Box USA in Houston, Texas. “This is a commerce issue—we need to ensure that our transactions are real and protected, because merchants are losing money; because the credit card industry is at risk if we do not do something; because we, as private citizens, want to be sure that our identity is not easily stolen and misused,” he said.
Stella continued: “But this is not at all a matter of national security, in any way. I could see the Department of Commerce being more interested. But why the National Security Administration? Or the Department of Homeland Security? I really don’t see it.”
Stella said he doesn’t expect to see such a system any time soon. “This is not an easy task at all; otherwise someone would have invented it,” he explained. “Technology today offers a lot more options, but going from that to saying we will really get somewhere soon with this, I am rather skeptical.”
Creating cyber-ID with existing technology will be extremely difficult, Stella said. “The world has been trying to invent doors with unbeatable locks since the day we invented locks, and we are still fighting that battle. I doubt anyone will come up with the magic solution any time soon,” he said.
Creates Big Privacy Concerns
The proposal for a cyber-identity system raises several privacy issues, says Rakkhi Samarasekera, a director of the London-based security firm Regional Science Service Centre.
“People do not want to use a government-issued ID and potentially allow governments to track their identity in work or in a personal context,” said Samarasekera. “Government IDs make sense when dealing with government services. A single ID [for use] across government departments makes a lot of sense, but not as one identity for the Net.”
With a single “cyber identity,” hackers could gain access to someone’s health, government, financial, and work information just by acquiring a single key, explained Scott Vernick, a commercial, technology and intellectual property attorney for the Fox Rothschild law firm in Philadelphia, Pennsylvania.
“There is some value in enabling a financial institution or merchant, for example, to be able to positively identify that the person online is indeed who he or she purports to be. But it’s just not clear that [a cyber ID] doesn’t create more problems than it solves,” Vernick said. “When you start to think it through, you wonder whether or not you are creating more [problems] with a single way of validating a person. Right now, people have to get a number of passwords for various online activities.”
‘Treasure Trove of Information’
Although that involves a cumbersome process of remembering numerous passwords, it also means a hacker can’t go to a single source to acquire all that information, Vernick notes. “You won’t find a more industrious group of people than hackers. There are whole sections of the government devoted to fighting them. I don’t have a lot of confidence in Internet privacy. A lot of people don’t know what is done with their information online. It’s amazing the treasure trove of information you can find.”
Another problem would be the oversight of any cyber ID, Vernick notes.
“When the government is in charge of a highly sensitive area, people are circumspect about that—and with good reason.”
‘Trusted Identity’ Details Scarce
Boston, Massachusetts security consultant Robert Siciliano is concerned the details about the “trusted identity” project are scarce.
“The primary goal should be to build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation,” said Siciliano.
Last year, Commerce Secretary Locke indicated a smart card or digital certificate that would prove the identity of online users was forthcoming. These digital IDs would be offered to consumers by online vendors for financial transactions, Locke said. But other details have been sketchy at best.
With so few details and all the privacy and security issues that such an effort would generate, Samarasekera maintains the project will probably fail.
“Like other government ID and identity schemes, this is highly unlikely to succeed and will most likely waste a lot of taxpayer money before it is scrapped,” he said.
Phil Britt
writes from South Holland, Illinois.
