jr conlin's ink stained banana

:: Why NSTIC Scares Me

Recently, i replied to my Congressman.

On 7/12/2012 6:20 PM, Congressman Mike Honda wrote:

You may be interested to learn that on April 15, 2011, the White House released the National Strategy for Trusted Identities in Cyberspace (NSTIC). The aim of the program is to make the online marketplace more secure for consumers by providing an ecosystem of trusted IDs that eliminate the need to provide private information for each online transaction.

Yeah, about that.

Let's say you're a Congressional staffer and a few friends invite you to go out for drinks. You go to a bar somewhere that they've picked out and buy a round of drinks. This, of course, will cause your credit rating to go down, impacting your ability to get a loan. (This is not far-fetched. It already happened in Canada a few years ago. My bet is that it still happens in the US.)

Ok, so maybe you're going to be buying a house soon or sending your kids to college, so you skip going to a bar. Instead you hop over to Amazon and go shopping. You enter your profile information and, unbeknownst to you, Amazon has determined that since you make $130K, they can boost prices for you by 5%. Some sellers already do that based on the type of PC you're using.

That's thanks to the amazing wonders of data mining: the ability of companies to put together highly detailed profiles about you based on shared knowledge about your actions. What's worse is that even if companies try to "anonymize" the data they share, your real identity can be easily recovered from it.

In short, if there's a centralized ID, who cares whether the user said "Don't Track Me"? You've already got lots and lots of information about that person.

The system will be maintained by private companies that will join in the trusted network. Verizon, Google, PayPal, Symantec, and many others are working with the U.S. Department of Commerce to develop the Strategy.

Yeah, again, not really the best people to pick. All of these have very compelling financial reasons to abuse private information. Verizon doesn't have a very good record when it comes to this, Google and Facebook are companies that quite literally make money off your personal data by selling ads, PayPal is fairly notorious for arbitrarily locking or terminating accounts with little warning or provocation, and Symantec…

i've learned that one of the first things i do is try to get Norton off of any computer (it's rather difficult) and install a smaller, faster, more efficient antivirus program. i fear whatever installable application they'd proffer to keep my identity "safe".

In addition, by creating a centralized ID, doesn't that mean that if that ID were to become compromised, it's pretty much "game over"? A smartphone left in a taxi cab, someone using a compromised router, or one successful phishing attempt, and you're looking at there suddenly being two of you.

Even if you use something like an RSA physical token, that may not be enough…

The crux of all of this is that you can't create a 100% secure identity solution. You'd be lucky to create something slightly more secure than what currently exists, and even then, it would be so complex that there would be dozens of potential attack points as well as many, many ways that the ID could be used.

In addition, the NSTIC will be voluntary, meaning companies and individuals can opt-out should they desire to do so. Ultimately, the initiative's goal is to create a secure and private environment for internet consumers while facilitating e-commerce.

i'll note that there are a lot of things that are "voluntary", like travel by air or car, the use of currency, or telephones. Many of these "voluntary" items have become so expected by society that they are requirements. Can you imagine living for a week without two of the "voluntary" items i listed (and without cheating by stockpiling before or after)?

The NSTIC will become a required part of any transaction. People will be expected to have it and tender it much like they tender their Social Security number now (often without even asking why it was requested). Companies will push for users' NSTICs so that they can use them to easily track customers and sell information, offering "incentives" like they do now with Shopper Rewards cards.

Granted, i've not even touched on privacy concerns like how police officers and their families could be targeted by bad guys who simply look for matching information (data mining isn't just for big businesses), how victims of abuse will find it much harder to hide, how the Whistleblower Protection Act would be rendered worthless, or even how young women could be easily targeted using free apps.

Please know that I understand your concerns regarding internet privacy and I am dedicated to ensuring that the internet develops as a secure and trusted means to communicate, exchange, and conduct transactions while doing all that we can to ensure that Americans' privacy rights are protected. I will keep your views in mind as telecommunications and privacy issues are considered in the House of Representatives.

Privacy requires a level of anonymity. The NSTIC removes that under the mistaken idea that having a single point of privacy failure will make us safer.

Once again, thank you for taking the time to contact me about this important issue. Your comments help me to better represent the people of our Congressional District.

As always, EFF also has an excellent discussion of this.
