Interesting People mailing list archives
good read re White House Proposes Vast Federal Internet Identity Scheme
From: Dave Farber <dfarber () me com>
Date: Sun, 27 Jun 2010 17:43:57 -0400
Begin forwarded message:
From: Lauren Weinstein <lauren () vortex com> Date: June 27, 2010 4:10:59 PM EDT To: dave () farber net Subject: Re: [IP] re White House Proposes Vast Federal Internet Identity Scheme
Dave, I feel the need to respond to Andy -- whom I greatly respect -- and to the readership (whom I also greatly respect!) -- for I fear that Andy in particular has seriously missed key points of my concerns. This is perhaps understandable, in that my initial posting on this topic was explicitly a thumbnail, and unless someone has the time to go digging through my past essays on this topic, the backstory may not be entirely clear. First, it's important to note that this entire proposal under discussion, at this stage, is of course nothing but smoke. It has no functional reality, other than as a (useful) starting point for further discussion. But when viewed in the context of other government-related efforts, trends, and statements, it is quite alarming nonetheless, and far from exaggerating its potential impact, I believe I have actually understated its *potential* for serious negative consequences. However, like the vision of Christmas Future provided to Ebenezer Scrooge, it's only a shadow of what might be, not of what must or necessarily will be. I'll also address below what Andy incorrectly calls my "error" regarding OMB and anonymity. Let's look at one of the "Envision It!" boxes in the plan as posted at DHS: An individual voluntarily requests a smart identity card from her home state. The individual chooses to use the card to authenticate herself for a variety of online services, including: Credit card purchases, Online banking, Accessing electronic health care records, Securely accessing her personal laptop computer, Anonymously posting blog entries, and Logging onto Internet email services using a pseudonym. This is, by definition, a state-issued identity card. The plan appears to envision a user authenticating themselves for the purpose even of pseudonym-based or "anonymous" activities. We can call such a posting "anonymous" if we wish -- but if the user has already authenticated, we're then dependent on the "proper" behavior of all players to actually treat the following transactions in an anonymous manner. And anonymous to what extent? Perhaps a blog comment would appear on the Web anonymously, but when the lawyers show up demanding to know who posted that critical comment -- something that's happening with increasing frequency even now -- I'll bet you dollars to donuts that the initial authentication records will be available through some means to unmask the poster, or to correlate pseudo-identities that users may prefer to use for different purposes and "roles" on the Net. The goals behind such an expansive identity regime are clear. While it could indeed provide some improvements over existing authentication methods in financial transactions and the like, the cost to civil liberties could be very high indeed, because -- as I read the plan -- the end result would be a detailed record -- likely captured by upcoming government proposals for expansive Internet service data retention requirements -- that could be used to "unwind" (unmask) anonymity on demand. As I noted in "Saving Internet Anonymity -- The Struggle is Joined" ( http://lauren.vortex.com/archive/000708.html ), the increasingly shrill calls to put every possible Internet transaction into government-accessible databases has become an ever louder drumbeat. And I believe we can easily dismiss the term "voluntary" used in the proposal -- since there's every reason to believe that such authentication regimes would quickly become effectively mandatory -- due to various pressures and liability concerns that don't take a lot of imagination to understand. Identity "mission creep" is virtually a certainty, though the conflicts that this is likely to create in an international environment like the Internet are certainly interesting to contemplate. And then there's this. History, both long past and recent, shows us very clearly that -- human nature being what it is -- governments on the whole can't be trusted to not abuse data about their citizens' activities. Such abuse will almost always evolve from what initially appears to be laudable motives of law enforcement and the public welfare, but could rapidly degenerate into totalitarian nightmares. Even if you (appropriately) view our current and recent federal governments as essentially relatively benign, we've still seen many instances of unjustifiable and even illegal surveillance and Internet data abuse -- even in the absence of long-term data retention requirements of the sort now being called for from some quarters. And even with the best of intentions, firms who are the custodians of user data and identity info are at the mercy of the civil legal system, above-board government demands for data, and -- as we've seen -- "secret" government data demands as well. Then there's future governments, who might not be as benign, but would have at their fingertips the vast identity infrastructure being contemplated. What will they do with that shiny bauble? I'm all in favor of discussions about how the Internet industry can improve the security and validity of transactions that need strong authentication -- such as in the financial sector or when dealing with medical health records. But the sort of government-entangled identity structure being proposed by the White House in the current document is -- perhaps even to a very significant degree unintentionally and with genuinely good intentions -- a wolf in sheep's clothing with the potential to decimate civil liberties for generations to come. --Lauren-- Lauren Weinstein lauren () vortex com Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, NNSquad - Network Neutrality Squad - http://www.nnsquad.org Founder, GCTIP - Global Coalition for Transparent Internet Performance - http://www.gctip.org Founder, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com Twitter: https://twitter.com/laurenweinstein - - - On 06/27 14:48, Dave Farber wrote:Begin forwarded message:From: Andy Oram <andyo () oreilly com> Date: June 27, 2010 10:30:47 AM EDT To: dave () farber net Subject: Re: [IP] White House Proposes Vast Federal Internet Identity SchemeI feel strange having to oppose Lauren so strongly here, but to help staunch some of the FUD right off, I'll give your readers a look at a draft I wrote before it goes live: http://praxagora.com/andyo/draft/privacy_omb_directive.html Once I put up the blog I'll take down this draft, which might have to undergo changes (and I encourage readers to send me comments today). The Office of Management and Budget explicitly endorses anonymity for blog comments--Lauren's error here is just an example of how exaggerated he got in his rhetoric. Andy------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- good read re White House Proposes Vast Federal Internet Identity Scheme Dave Farber (Jun 27)