good read re White House Proposes Vast Federal Internet Identity Scheme

[Dave Farber <dfarber () me com>]

Begin forwarded message:

> From: Lauren Weinstein <lauren () vortex com>
> Date: June 27, 2010 4:10:59 PM EDT
> To: dave () farber net
> Subject: Re: [IP] re  White House Proposes Vast Federal Internet Identity Scheme

> Dave,
>
> I feel the need to respond to Andy -- whom I greatly respect -- and to
> the readership (whom I also greatly respect!) -- for I fear that Andy
> in particular has seriously missed key points of my concerns.  This is
> perhaps understandable, in that my initial posting on this topic was
> explicitly a thumbnail, and unless someone has the time to go digging
> through my past essays on this topic, the backstory may not be
> entirely clear.
>
> First, it's important to note that this entire proposal under
> discussion, at this stage, is of course nothing but smoke.  It has no
> functional reality, other than as a (useful) starting point for
> further discussion.
>
> But when viewed in the context of other government-related efforts,
> trends, and statements, it is quite alarming nonetheless, and far from
> exaggerating its potential impact, I believe I have actually
> understated its *potential* for serious negative consequences.
> However, like the vision of Christmas Future provided to Ebenezer
> Scrooge, it's only a shadow of what might be, not of what must or
> necessarily will be.
>
> I'll also address below what Andy incorrectly calls my "error"
> regarding OMB and anonymity.
>
> Let's look at one of the "Envision It!" boxes in the plan as posted
> at DHS:
>
>   An individual voluntarily requests a smart identity card from
>   her home state. The individual chooses to use the card to
>   authenticate herself for a variety of online services, including:
>
>       Credit card purchases,
>       Online banking,
>       Accessing electronic health care records,
>       Securely accessing her personal laptop computer,
>       Anonymously posting blog entries, and
>       Logging onto Internet email services using a pseudonym.
>
> This is, by definition, a state-issued identity card.  The plan
> appears to envision a user authenticating themselves for the purpose
> even of pseudonym-based or "anonymous" activities.  We can call such a
> posting "anonymous" if we wish -- but if the user has already
> authenticated, we're then dependent on the "proper" behavior of all
> players to actually treat the following transactions in an anonymous
> manner.
>
> And anonymous to what extent?  Perhaps a blog comment would appear on
> the Web anonymously, but when the lawyers show up demanding to know
> who posted that critical comment -- something that's happening with
> increasing frequency even now -- I'll bet you dollars to donuts that
> the initial authentication records will be available through some
> means to unmask the poster, or to correlate pseudo-identities that
> users may prefer to use for different purposes and "roles" on the Net.
>
> The goals behind such an expansive identity regime are clear.  While
> it could indeed provide some improvements over existing authentication
> methods in financial transactions and the like, the cost to civil
> liberties could be very high indeed, because -- as I read the plan --
> the end result would be a detailed record -- likely captured by
> upcoming government proposals for expansive Internet service data
> retention requirements -- that could be used to "unwind" (unmask)
> anonymity on demand.
>
> As I noted in "Saving Internet Anonymity -- The Struggle is Joined" 
> ( http://lauren.vortex.com/archive/000708.html ), the increasingly
> shrill calls to put every possible Internet transaction into
> government-accessible databases has become an ever louder drumbeat.
>
> And I believe we can easily dismiss the term "voluntary" used in the
> proposal -- since there's every reason to believe that such
> authentication regimes would quickly become effectively mandatory --
> due to various pressures and liability concerns that don't take a lot
> of imagination to understand.  Identity "mission creep" is virtually a
> certainty, though the conflicts that this is likely to create in an
> international environment like the Internet are certainly interesting
> to contemplate.
>
> And then there's this.  History, both long past and recent, shows us
> very clearly that -- human nature being what it is -- governments on
> the whole can't be trusted to not abuse data about their citizens'
> activities.  Such abuse will almost always evolve from what initially
> appears to be laudable motives of law enforcement and the public
> welfare, but could rapidly degenerate into totalitarian nightmares.
>
> Even if you (appropriately) view our current and recent federal
> governments as essentially relatively benign, we've still seen many
> instances of unjustifiable and even illegal surveillance and Internet
> data abuse -- even in the absence of long-term data retention
> requirements of the sort now being called for from some quarters.
>
> And even with the best of intentions, firms who are the custodians of
> user data and identity info are at the mercy of the civil legal
> system, above-board government demands for data, and -- as we've 
> seen -- "secret" government data demands as well.
>
> Then there's future governments, who might not be as benign, but would
> have at their fingertips the vast identity infrastructure being
> contemplated.  What will they do with that shiny bauble?
>
> I'm all in favor of discussions about how the Internet industry can
> improve the security and validity of transactions that need strong 
> authentication -- such as in the financial sector or when dealing 
> with medical health records.  But the sort of government-entangled identity
> structure being proposed by the White House in the current 
> document is -- perhaps even to a very significant degree unintentionally 
> and with genuinely good intentions -- a wolf in sheep's clothing with the
> potential to decimate civil liberties for generations to come.
>
> --Lauren--
> Lauren Weinstein
> lauren () vortex com
> Tel: +1 (818) 225-2800
> http://www.pfir.org/lauren
> Co-Founder, PFIR
>   - People For Internet Responsibility - http://www.pfir.org
> Co-Founder, NNSquad
>   - Network Neutrality Squad - http://www.nnsquad.org
> Founder, GCTIP - Global Coalition 
>   for Transparent Internet Performance - http://www.gctip.org
> Founder, PRIVACY Forum - http://www.vortex.com
> Member, ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
> Twitter: https://twitter.com/laurenweinstein
>
>
> - - -
>
>
> On 06/27 14:48, Dave Farber wrote:
> > Begin forwarded message:
> >
> > > From: Andy Oram <andyo () oreilly com>
> > > Date: June 27, 2010 10:30:47 AM EDT
> > > To: dave () farber net
> > > Subject: Re: [IP] White House Proposes Vast Federal Internet Identity Scheme
> >
> > > I feel strange having to oppose Lauren so strongly here, but to help staunch some of the FUD right off, I'll give 
> > > your readers a look at a draft I wrote before it goes live:
> > >
> > > http://praxagora.com/andyo/draft/privacy_omb_directive.html
> > >
> > > Once I put up the blog I'll take down this draft, which might have to undergo changes (and I encourage readers to 
> > > send me comments today).
> > >
> > > The Office of Management and Budget explicitly endorses anonymity for blog comments--Lauren's error here is just an 
> > > example of how exaggerated he got in his rhetoric.
> > >
> > > Andy
> >
> >
> >
> > -------------------------------------------
> > Archives: https://www.listbox.com/member/archive/247/=now
> > RSS Feed: https://www.listbox.com/member/archive/rss/247/
> > Powered by Listbox: http://www.listbox.com



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com