Law in the Internet Society

The Dangers of an Internet ID

-- By JasonPyke - 05 Dec 2012

“He causes all, both small and great, rich and poor, free and slave, to receive a mark on their right hand or on their foreheads, and that no one may buy or sell except one who has the mark or the name of the beast, or the number of his name.”

-- Revelation 13: 16--17 (New King James Version)

A few years ago, President Obama first proposed that every US citizen should be given an “Internet ID.” He cited the proliferation of identity theft, and heralded the idea as the Government’s answer to the many problems that he claims have arisen and will continue to appear due to the increase in internet commerce and its importance in our daily lives.

In January of last year, the President announced plans to move forward with the program, handing over the reins to the Department of Commerce, which the White House claims is "the absolute perfect spot in the U.S. government" to centralize efforts toward creating an "identity ecosystem" for the Internet. A few months later, in April 2011, the White House released a document outlining their plans, called the National Strategy for Trusted Identities in Cyberspace (NSTIC), which they proclaim “charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions.”

The Obama administration presents many reasons why their strategy is necessary, which they present as the goals of the NSTIC. They include privacy protections for individuals, who will be able to “trust that their personal data is handled fairly and transparently”; convenience “for those who may choose to manage fewer passwords or accounts than they do today”; efficiency for organizations, which will benefit from a reduction in paper-based and account management processes; ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate; security, by making it more difficult for criminals to compromise online transactions; and confidence that digital identities are adequately protected, thereby promoting the use of online services.

Not only am I highly skeptical of the prospects for success of any of these goals, but I believe there are several reasons why the Internet ID will lead to the eventual degradation of any personal freedom which currently exists on the Internet.

Our class discussions have covered in detail the grave potential harm that can be done by the Government having access to empirical information it can learn from a number of private sources such as Facebook, Google, Twitter, etc., which gather data on and track the activity of its users. It stands to reason that a more centralized method for gathering all this data, i.e. by having all one’s internet activity linked to a single identification number, would be even more devastating to any notions of internet privacy.

Of course, the NSTIC is trying hard to reassure Americans that "there is no central database tracking your actions." Instead, they are pushing terms like “identity ecosystem” and emphasizing collaboration with “private companies” in an effort to gain credibility. As much as they may claim that each vendor with which the user transacts is not given access to all the information linked to the user’s ID apart from the small amount of information that is necessary for that particular transaction, I find it very hard to believe that there is no way for anyone to easily collect this information and track every single activity of each user, and hence each American citizen.

I am also very doubtful about the claims that this program will always remain voluntary. The document stresses that “the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them.” However, one wonders how long this will stay the case, especially considering the fact that the document, as well as interviews and press releases by NSTIC officials, emphasize that one of the primary purposes of the system is to “protect the American public from the dangers of identity theft.”

One can easily envision a law passed by Congress which mandates that each person who fills out their FAFSA forms online must do so using an Internet ID. One can also imagine certain private entities “independently” deciding to only accept transactions from users who are part of the “ecosystem.” Just like having a credit or debit card is not technically “mandatory” but it is virtually impossible to live without one, it is possible that the same will one day be true of an Internet ID. Similar to the prophecies in the book of Revelation, this could easily become the “mark of The Beast” that every citizen is one day required to have in order to be able to buy or sell in our society.

If the problem is one of security with regard to each individual entity, then the focus should shift on enacting legislation which forces companies to take greater caution with their customers’ valuable information. If it is the “cumbersome task” of remembering a number of passwords, research shows that most people use the same password for most of their accounts; even though that is probably a bad idea, there are several secure programs which can perform the task of encrypting and storing all your passwords for you and requiring only a single login.

The numerous potential harms that will certainly result from the institution of an Internet ID greatly outweigh any potential benefits. The current problems related to internet security and privacy, which the NSTIC purports to address, can easily be solved by much simpler means, which would provide a reduced chance of a system that would almost certainly end up being used for nefarious purposes. These are the methods the Government should support, by appropriate legislation and funding.

Your analysis might have been simpler if you had called the NSTIC the "secure social." The SSID is presently used and abused as the national individual ID number. You could have said: "the Administration announced that the 21st-century replacement for the Social Security Number will be decided at the Commerce Department, in coordination with business, rather than at the Labor Department, HHS, the IRS, the FBI, or the NSA. Though they will all, of course, have their relevant say."

Why are you trying to decide whether a replacement for the SSID is a bad thing? The obvious answer is, it depends. The draft would be stronger if it tried to show the landscape of issues that NSTIC raises, rather than being, in classic law school fashion, either For or Against.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.


Webs Webs

r3 - 23 Aug 2014 - 19:33:50 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM