In case you missed it, Google is now a credentialed provider of Trusted Identities for the federal government. This means that the NSTIC, or National Strategy for Trusted Identities in Cyberspace, framework now has federally recognized and certified identity providers.
But who are these providers exactly, what is the NSTIC and how does this affect the users in matters of privacy, anonymity or even SEO? Below is a video that helps easily explains what it means to be working with the #NSTIC and how these issues are addressed, or not addressed by the NSTIC Framework.
Why Should I Watch?
WATCH THIS VIDEO! (No really, you should)
There are a lot of reasons to watch of course. However, because everyone is wondering why so many changes are happening in search and social. Changes such as SSL secure keyword referrer data, and if you do not know about the new Identity Market, if you haven't made yourself familiar with the tenets of the NSTIC and the Identity Ecosystem, you might miss that this is more likely part of a much larger plan at Google, PayPal, Facebook and the like.
So watch THE VIDEO, learn about the Identity Ecosystem. There are companies already set to go, marketplaces ready to run, and credentialed providers such as Google, PayPal and Equifax who have already started implementation procedures. It can't be ignored because it already exists; they might just hoping maybe you don't notice, well at least not yet.
The NSTIC: Myths, Misnomers, and What About SEO?
What does this mean and why should you care? As you read the documents, they sound so bright and shiny I think I need shades.
So what are the glossy points brushing over? Well, there are several areas in the documentation that are not covered well, in much depth, or at all and so a few points for thought.
Most of these are discussion points gleaned from documentation cited below, but summarized for your reading pleasure, as I'm sure you're on your fourth or fifth eggnog by now.
Why Does This Matter to SEO?
"And the notion of strong identity was never invented in the Internet. Many people worked on it - I worked on it as a scientist 20 years ago, and it's a hard problem. So if we knew that it was a real person, then we could sort of hold them accountable, we could check them, we could give them things, we could you know bill them, you know we could have credit cards and so forth and so on, there are all sorts of reasons."
Part of the new "Google" is about contextualizing SEO in the concepts of an Identity Framework where Google will know who you are and what you read, wrote even possibly emailed because who knows how many of the factors will come into play once it is all tied together. This is unclear, but identity factors as part of ranking, well that already exists, they just call it Trust Indicators. Ah a rose by any other name...well still says NSTIC.
Now, in the older days of Google, they would say, we can't do that because it leaves all the non-Googly people out, but I don't think that matters with today's Google as G+ IS a known ranking factor, so why not Identity Factors? Remember according to Eric Schmidt of Google, G+ is an Identity Network, not a social one.
Read the full quote by Eric Schmidt in a previous article I wrote and you can see the premise exists; now it seems we are just experiencing the implementation.
PLUS, most people will choose an identity provider somewhere down the line if they want to use certain services (read the documents). Guessing Google thinks they will be a dominant provider.
Some Other NSTIC Myths
Myth of "voluntary" or "opt-in" - One of the key components of the NSTIC documentation is that this is all voluntary. You're told over and over, that you don't have to participate in the NSTIC framework. Well this may be technically true; I don't have to have a car either. However, when Google, PayPal, Equifax are now credentialed providers of government services now and soon to be sites like Facebook are later. When hundreds of sites move toward this program, what do you do? Opt out?
Myth of "security" - Most articles I have read in relation to the assumed increased security of this Identity Ecosystem have all called it into the crosshairs as inherently more insecure. So what are the security considerations?
If you think about it, why would not logging in be that much more secure anyway? Yes, you take away those people who use "password" as their password, but you could also just program into systems not to take those words. You also could get rid of the antiquated method of password creation. Did you know a four unrelated word, four letter common word password is inherently more secure than your can't ever remember Capital letter, #umber, 30characters? Crazy huh?
What else? Well what if someone gets a hold of your identity? Hackers have cracked everysystem out there:
- And 1.8 million people recently affected by a hack at Square!
These very valid points raised by the security community are not answered in the documentation and this would be a huge SCORE, huge ACCESS and a huge DATA carrot for hackers (i.e., a huge jackpot for the reasons hackers' hack, so why wouldn't they give it a go?).
Myth of "anonymity" - As you read the official NSTIC documents; you will see they mention the word anonymity frequently. The user is anonymous; their identity is fragmented and doled out piece by piece. Fragmented because your Identity will only be doled out by your ID provider small bits at a time on an as needed basis to say your bank or favorite forum for access.
However, what the documents don't seem to say (and maybe I missed it), but the video does very clearly, THE IDENTITY PROVIDER SEES EVERYTHING. That Identity Provider who has no laws restricting what they do with that data. That Identity Provider who now has all your data in one place. Who you bank with, what medical records you store, your tax info, what you did with PayPal, and if Google possibly your email, your apps, your G+ and well you can see where the rabbit hole goes.
So the speakers on the video are careful to use the word - "pseudo-anonymity" and when they don't the speakers quickly correct to the word "pseudo-anonymity". Because that is what you have, not anonymity, but pseudo-anonymity because your Identity Provider can see everything. In addition, remember there is no privacy and without governance, the provider can do with your data what they want.
Myth of "privacy" - The documents focus on anonymity also has a focus on privacy. Well the same reasons your data is not anonymous are the same reasons your data is not private. Now let's take it one step further, your data is now ONE HUGE DATA CARROT.
One huge data carrot on a 3rd party system. Legally 3rd party systems do not give you due process. What does this mean? This means that if someone sues you, if someone you know is sued, if the government wants to look into your doings online they do not need to notify you, in fact they don't actually need a warrant in all cases. The legal protections of 3rd party data are feeble at best and getting less, not more secure every day. So, the idea that the NSTIC is private is more mythology.
So privacy and anonymity are pretty, bright and shiny words, but at this time meaningless in practical applicable context, because they require governance which is surely coming right?
Myth of "governance" - "Without governance there is no privacy, there is no anonymity." These words come directly from the video. In the NSTIC there is no governance over the data that is being collected by the "Trusted Identity Providers" such as Google and PayPal (and soon to be Facebook). There is no law saying what they can or cannot do with that information, it is what you agree to in the TOS (Terms of Service). You read that right?
I could go more into this, but instead I will just bullet point some of the recent areas being defended by the EFF (Electronic Frontier Foundation), the ones who try to keep your cyber land free and privacy still your right, and let you see just where and how these laws get tested every day.
Specific Cases (a few)
- Gov. Can Now Track Your Phones Without Warrant
- Yahoo Beats Feds in E-Mail Privacy Battle
- US internet providers hijacking users' search queries
- Carrier IQ, Quietly Tracking Your Phone
One important note though, if your data is sitting on someone else's servers you usually never have to be informed of anyone's access to it, if the third party decides to give it to them and this means even in cases of the courts, government or law enforcement. This also means there are many cases where due process also doesn't exist. The company owns the data. The company decides. On this single point alone, the NSTIC framework should be met with deep contemplative exercise.
So WELCOME to your NEW BRAVE INTERNET!
So welcome to the new internet! The concepts of the NSTIC framework are also playing itself out in Facebook right now with Timeline... Read the NSTIC then use Timeline. You will see what I mean. No log-ins to major sites, don't go there to interact, just stay on Facebook.
All your data will be held by your Identity Provider free to do with that data what they wish or even if they don't wish, a court can order it handed over.
Now with Trusted Providers, I am sure some will be good, some will be poor, but in the end your data will be seen, tracked and know by that provider. All you do, everywhere you log-in today, instead of segmented across many sites, in one place, all activity. Sorry just got a chill. Need to go get a blanket!
Ok back to your eggnog and yes and yes FINISH THE VIDEO! Happy New Year!
NSTIC Documentation (Note this is a worldwide, not just US effort) Just to show this is not conjecture and a few to many apple martinis. Here is the documentation to help you better understand that entire Identity Ecosystem, from the Federal Government and Google themselves.
Introducing SES Online
Want to view one of the sessions you missed or listen to an especially informative presenter a second time? SES New York sessions are available for purchase on ClickZ Academy's new e-Learning site. SES is now Online!