April 15, 2011

Beware the Wolf in Sheep's Clothing: NSTIC "Trusted Identities in Cyberspace" Launched

Greetings. I've written a number of times before about the Obama Administration's NSTIC (National Strategy for Trusted Identities in Cyberspace) initiative (please see below for links to some relevant postings and papers).

This program, which visualizes a vast new "identity ecosystem" for Internet access and usage, linked to government-issued IDs, has been gestating for some time.

Today the program has been formally launched, with the Department of Commerce acting as the public-facing "front man" for the project, but with the deep involvement of the Department of Homeland Security (DHS).

Because I have already said much about NSTIC previously, and since there appear to be few (if any) substantive changes between the preliminary materials (on which I based my earlier analysis) and today's formal version, I will not here repeat all of my detailed concerns, and would urge you to follow the links below for additional, more in-depth information if you are interested -- and you should be interested. You should be interested even if you're not in the U.S., since the impact of the NSTIC scheme will have global implications on the international Internet.

Nobody would reasonably assert that the Internet does not have security and identity issues that create a variety of less than optimal situations.

However, in a free society, we must always be diligent to avoid creating even commendably appearing "solutions" that can create far worse diseases than they were supposedly designed to cure. When you drink the Kool-Aid, you don't want to discover afterwards that it was even inadvertently laced with cyanide.

The biggest lie of NSTIC is that it would actually be "voluntary" -- a term that its proponents use ad nauseam.

The sort of identity ecosystem envisioned by NSTIC would quickly and inevitably become mandatory for a vast range of Web sites and services, and when the system is hacked or otherwise subverted, the results may well be catastrophic for the individuals or organizations involved.

So NSTIC's version of "voluntary" would -- I believe over a relatively brief period of time -- be only as voluntary as having a driver's license if you want to drive, or subjecting yourself to TSA body x-ray scans and invasive pat-downs if you want to fly.

In fact, the situation with NSTIC is actually worse than those examples. It is possible (however inconvenient) to get through life without driving or flying in most situations. But access to services at Web sites is rapidly becoming a necessary component of everyday life.

Concerns over liability, age appropriateness, and other factors will drive Web sites toward requiring the use of NSTIC for access, without any formal government mandates to do so even being necessary in most cases.

NSTIC will be an incredibly powerful enabler of censorship and government tracking. Sites will be under enormous pressure to "wall off" materials considered "inappropriate for children" behind NSTIC-based credential barriers. And using those credentials to access sites will by definition create an almost impossible to refute association to your actual accessing of that data.

No more creating a "throw-away" account if you wish to view something controversial in any of many respects. Age verification via such systems inevitably implies identity verification at one level or another.

NSTIC proponents tout the distributed nature of NSTIC credentials, and the ability of consumers to choose among various NSTIC issuing entities -- there's no central government ID database, they proclaim.

In reality of course, most persons will probably tend to bundle their NSTIC credentials in some manner, for convenience if nothing else -- who wants to have a wallet full of "smart cards" that have to be individually used for each different site that you wish to access. if one SuperSmartCard can rule them all, so to speak?

But even if one chose to keep all services and all NSTIC credentials completely separate from the user standpoint, it wouldn't make much difference. The technologies of data analysis and data re-association are now so advanced that building a detailed dossier of a user's Internet activities even from distributed credentialed sources will likely be straightforward. The deep involvement of DHS within the NSTIC ecosystem virtually guarantees that this will be possible and can be swiftly accomplished, since despite the e-commerce trappings, it's clear that a key element of the DHS security agenda -- being able to track what people do on the Internet -- is ultimately a driving force behind NSTIC.

There's so much more to say, but for now I'll just leave you with two additional thoughts.

The first is technical. We know that PCs of all sorts are fundamentally insecure. Viruses or other malware that often infect these systems have essentially total control over all aspects of the systems' functioning. They can capture keystrokes and other data, they can read your screen, they can make it appear that you're voluntarily accessing particular Web sites -- all without your knowledge, even while you're sitting there at the machine.

Imagine if you will the ramifications of such malevolent technology having access to your NSTIC credentials -- perhaps via a currently inserted smart card linked to your government ID -- and considered by law to be equivalent to your personal signature, even on extremely high-value financial transactions. Just try to refute those transactions, or the record that claims you must have visited that nasty site and downloaded those forbidden files -- despite your protests that you knew nothing about them. Good luck.

Finally, acceptance of NSTIC requires complete faith not only in the veracity of the current government, but of all future governments that could subvert and abuse a widely deployed Internet identity ecosystem. The structures that we build into the Internet now are likely to be essentially permanent fixtures for a very long time -- so even if you have utter trust in the current government at all levels, one must consider what these powerful tools could do in less trustworthy hands in the future.

And even the relatively recent history of our government -- both of Obama, and Bush before him, not to mention Congress -- are hardly reassuring in these regards.

Users' Internet records have been collected by the government on the thinnest of pretenses based on "rubber-stamped" court orders or secret National Security Letters. The Obama administration (like administrations before it) is resisting efforts to protect users' email on remote servers from government snooping without a warrant.

At the same time that ill-advised commercial Internet "do-not-track" concepts are being promoted by some facets of the government, other government players are pushing for massive user data retention regimes, to allow retrospective analysis of your phone calls, email, and virtually every other aspect of your electronic communications.

Meanwhile, U.S. Immigration and Customs Enforcement (ICE) has shut down vast numbers of innocent Web sites with banners suggesting that they were involved in child-abusive pornography, the U.S. government is attempting to leverage control over the Domain Name System to dictate the operations of both U.S. and non-U.S. sites, and Congress is hellbent on the creation a vast censorship regime that would micromanage and dictate what links were legal for Google and other search engines to display (COICA).

NSTIC supporters suggest that it's primarily a private enterprise initiative. Don't you believe it. The federal government is in this up to their (and our) eyeballs. NSTIC represents politicians' and their minions' best hope of "getting effective control" over how everyone uses the Internet. It is the means to the end of destroying the concept of anonymity in general and the ability to criticize and "whistle-blow" in a truly anonymous nature in particular. It is a wish come true for intelligence agencies and government data miners, for "irrefutable" identity is key to so many of their efforts.

The saddest part is that there are supporters of NSTIC who are convinced that the problems it solves are more important than the horrendous risks it brings. To this extent, their motives may well be laudable, but I would assert that they have still been seduced by a technological chimera.

Wrapped in the sheep's clothing of "easier e-commerce" and adorned with an array of other seemingly shiny baubles, NSTIC is the wolf that could mutate the Internet from the greatest free speech tool in human history, into a tyrant's wet dream -- perhaps not immediately, but ultimately nonetheless.

Consider well the situation. The wolf is knocking at the door.


Internet Freedom Alert: Obama Admin Pushing Ahead Today with Dangerous "Internet Trusted Identity" Scheme

Obama's "Trusted Internet ID" Scheme Announcements: Reading Between the Lines

Why the New Federal "Trusted Internet Identity" Proposal is Such a Very Bad Idea

Don't Put Your Trust in "Trusted Identities"

Comments on the National Strategy for Trusted Identities in Cyberspace

NSTIC - National Strategy for Trusted Identities in Cyberspace

Posted by Lauren at April 15, 2011 11:01 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein