A hundred years ago people made their own clothes, grew their own food, and waited a month to get a letter in the mail. Today our government wants to take away the burden of typing or remembering a password.
OK.. wait.. P..A..S..S..W...O..R..D.. Phew I need a rest! That was pretty tough stuff!
OK, I'm being snarky, but forgive me. Really? Have we come so far as to say to future generations that we were so burdened by having to type and remember passwords that we helped build a framework that cost hundreds of millions of dollars across organizations, possibly made the Internet less secure, and left them with a system with a built-in high risk potential for citizen abuse?
And yes, I know there are security arguments as well, but from the critiques like "Identity Crisis: The Delusion of NSTIC" the security paradigm seems as challenged as the password premise.
It seems kind of like nuclear power – nice in theory, but the risk is too high. Sure, nuclear would be great if you didn't have all those troublesome fuel rods that never decay and those plants that can melt down and a fuel that, once out of its containment system, can destroy everything it touches.
Data supporting the idea of risk potential was difficult to locate, but I also couldn't find any that disproved it. All the NSTIC data and documents discussed third-party data handling, not the identity providers, not really. Well, not until now.
The NSTIC held a meeting with all the major stakeholders, including representatives from Google and PayPal, to help explain the who, what, where, when and why. I listened to the entire NSTIC stakeholder video and wanted to share what I learned with you.
The NSTIC Cures Cancer
The NSTIC comes all wrapped up in nationalism, patriotism, security, and (believe it or not) saving people from cancer death. The NSTIC cures cancer; really, it does say that, or at least something very close to it. Of course, cancer is nothing to joke about, and maybe something that needs this much hyperbole isn't either.
Pseudo-anonymity: Is That Like Being Kind of Pregnant?
OK, I jest, but the metaphor is there because, really, how can you be pseudo-anonymous? One of the clearest things in this video was that the speakers were careful not to use the word "anonymous".
The NSTIC documents use the word "anonymous", but the speakers did not. In fact, when they did, they were quick to change it to "pseudo-anonymous" or "pseudo-anonymity". Why the distinction? What is pseudo-anonymous in a post-Identity Ecosystem world?
NSTIC and Anonymity
NSTIC is clear in its documentation that you will have a fragmented identity, the ability to stay anonymous, and the ability to control your data as it is given out to third parties. What it isn't clear about is how the identity provider handles your data.
How do you remain anonymous inside the walls of the system that is given the task of establishing your identity and trust to other systems? Fortunately, in the video the speakers are very clear about this: you have no privacy, and the identity provider can and will see everything you do. Now it depends on how much you do within that provider's walls, but if it's Google or Facebook, well, you can see where that leads.
What is Pseudo-anonymity?
If you aren't anonymous, what are you? This is where the term "pseudo-anonymity" comes from. You are anonymous (sometimes) to those third parties that don't require your identity to be revealed, such as forums – possibly (a forum could request that you be known just as easily as not).
To those third parties that require knowledge of who you are, bits of that information are given over, again "pseudo-anonymous". So in theory you may always be somewhat anonymous to third parties.
Though I would debate how much data I give when I give a password, compared to how much data a "trusted identity" requires and stores.
Where you are never anonymous is with a Trusted Identity Provider. The more entrusted the provider, the more actions and interactions it is responsible for (so you don't have to log in, remember?) and the more data it retains about you. Data that can all be obtained by subpoena without your knowledge for court cases, legal actions or the sneak-and-peeks which are part of the USA PATRIOT Act.
How Are You Protected?
Your protection comes from governance, according to the speakers in the video. They were also clear that currently there are no data protections. There is no governance. The laws have to catch up, not only to constrain what law enforcement and government can do, but what the commercial organizations can do with the data they hold as identity providers.
What is Governance?
Well, first let's be clear: the video discusses the governance of government and not IT governance. These may have similarities, but they have different meanings.
So what is governance? The question matters because governance is stated as very important not only to the success of the project (IT governance), but to the conditions for privacy and anonymity to exist at all. Yes, for the conditions of privacy and anonymity to exist at all. Why would this be?
While the government is developing the framework, assisting in the initiative and funding pilot programs, it can't directly hold citizen identities the way governments can in Europe. (In Europe, only the government may do this.) Such an action would call into question many existing U.S. legal standards.
So, who is going to control the trusted identities for government transactions and the identity ecosystem? Well, as we know now, corporations will be the identity providers. The first three, Google, PayPal and Equifax, were NSTIC credentialed in October 2011.
Thanks to the video, we know these identity providers will have access to view all your activities within their system and your third-party interactions within their system. Whether that is banks or Netflix, your identity provider holds your identity now.
In order to "log" you in, they have to be able to digitally vouch for you. You can't be anonymous to them. (Just the breaks of an identity ecosystem. Someone has to say this dude is cool to the other party who isn't allowed to check your ID.)
So now they have all this data: more data than they ever would have had under their own purview had they only been asking you to use their products, and more information to verify you than a password system ever would have required (these are just facts of the system, all outlined in the NSTIC documentation). Now what?
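To make the "pseudo-anonymous to third parties, never anonymous to the provider" point concrete, here is a toy model I wrote for this post; it is not code from the NSTIC documents, the video or any credentialed provider. The identity provider hands each relying party a different pseudonym, so a forum and a bank cannot tell they serve the same person, yet the provider's own log lists every place the user went. The names (`forum.example`, `bank.example`, the user record) are constructed sample data, and `demo()` builds the scenario.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical toy model of a federated login (constructed for illustration):
# one identity provider (IdP) vouches for a user to several relying parties
# (RPs), which never see the user's real identity record themselves.

@dataclass
class IdentityProvider:
    secret: bytes                            # key for deriving pseudonyms
    users: dict                              # real identity records
    log: list = field(default_factory=list)  # everything the IdP observes

    def pseudonym(self, user_id: str, rp: str) -> str:
        # Pairwise pseudonym: a different opaque "sub" for every RP, so two RPs
        # comparing notes cannot tell they serve the same person.
        msg = f"{user_id}|{rp}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def assert_identity(self, user_id: str, rp: str, attrs: tuple) -> dict:
        # The RP learns only the pseudonym plus the attributes it asked for...
        record = self.users[user_id]
        token = {"sub": self.pseudonym(user_id, rp), "aud": rp}
        token.update({a: record[a] for a in attrs})
        # ...but the IdP necessarily records who logged in where, every time.
        self.log.append({"user": user_id, "rp": rp, "released": attrs})
        return token

def rps_can_link(t1: dict, t2: dict) -> bool:
    # Two RPs can correlate the user only if their "sub" values match.
    return t1["sub"] == t2["sub"]

def idp_trail(idp: IdentityProvider, user_id: str) -> list:
    # The complete list of services a user visited, as the IdP sees it.
    return [e["rp"] for e in idp.log if e["user"] == user_id]

def demo() -> tuple:
    # Constructed sample data: one user, a forum that needs no attributes and
    # a bank that needs legal name and date of birth.
    idp = IdentityProvider(
        secret=b"idp-pseudonym-key-example",
        users={"alice": {"name": "Alice Example", "dob": "1990-01-01"}},
    )
    forum = idp.assert_identity("alice", "forum.example", ())
    bank = idp.assert_identity("alice", "bank.example", ("name", "dob"))
    return forum, bank, idp
```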
How would this look in the wild?
Facebook Timeline - How the NSTIC Might Look - in Miniature
Well, let's look at the one system in the wild that most closely matches the concepts of the NSTIC as it is written right now: Facebook and Facebook Timeline. (Before you cry foul, Facebook is stated to be one of the companies that will be an identity provider; however, they aren't credentialed at this time.)
The image above shows just how Facebook can visually graph your friends and your relationships. Now, to understand this easily, think of the new Facebook Timeline and the many apps about to come on board. It is how the NSTIC might look in miniature.
When you read the document you can see it comes very close to the specifications even down to the age of users (13), privacy controls, and how you would interact with third parties through one provider without logging in once you log into the identity provider.
Now remember, the identity provider, which would be something like a Facebook, can see who you shared that data with, how you shared it, when you shared it, what you went there for and how often. So how many times did you go read that article at the New York Times, watch that movie on Netflix and with which friends, then who commented and how many of your friends liked it... see where this rabbit hole goes?
Sadly, unless you live in Europe you can't see all the data Facebook stores on you. Those in Europe who have obtained their profiles have, I think, been more than a little surprised, and that is before Facebook becomes a provider and before the Timeline and apps go into effect.
But let's be fair. Facebook is hardly the only one.
Now I don't want to single out Facebook; after all, Google has stated Google+ is an identity network, and now it is a Trusted Identity Provider with federal credentials. Under the Google+ log-in, what have they forced users to associate with that log-in now?
Apps? What do you use under Apps? Spreadsheets? Documents? Is your whole company's data on those servers?
How about your personal information? Under Google.com/Dashboard you can see that Google is tracking your social relationships as it understands them. As you can see above, these are some of mine, noting that I never gave Google access to my Twitter account.
It isn't only law enforcement that can subpoena these records. Any legal action can do so, even divorce or family court, though it is the law enforcement subpoenas you will never hear about.
Now don't get me started on ChromeOS.
How is This Different Than Before the NSTIC?
Well, let's go back to the words on the video, by the architects of the program. As we know from the words of the speakers themselves, without governance there is no anonymity, there is no privacy. Now we know from the video there are no laws governing the NSTIC and these issues, but even more so, it only takes a quick scan of EFF.org to see the privacy issues they fight every day and to know the laws have not even caught up yet to the privacy of much older technologies such as your GPS.
Did you know that because your car's license plate is not in a place of expected privacy, there are court cases where some members of law enforcement believe they have the right to put a GPS unit on your license plate to track you without a warrant, without a subpoena, without your due process or the protections afforded to you under our country's laws or Constitution and Bill of Rights? So how does a system of law that cannot deal with GPS technology deal with an Identity System where private corporations have this amount of data on a citizenry?
The Invisible Hand of Digital Totalitarianism
Let's take this out of the U.S. 2011 for a moment. Let's imagine a different world, maybe one that is more Orwellian.
A man without much education sits tediously in a chair all day, watching a screen of data that passes by him all day long. He is looking for spikes in data transfers. The spikes? Citizen cell phone data.
Wait, he sees one out of the norm: too much text data on one phone. Click the number, he reads the text (oh, I forgot to add: there is civil unrest the government is concerned about). Back to our story: the text. "Demo at the park 1pm." Next second, same phone, a call; he clicks, listens to the call as it comes through. It is a mass gathering. Then he sees the phone transfer a large amount of data to a website, goes there and finds the YouTube video the citizen just put up of a secret rallying point.
Wait! There are laws against these things. This is not allowed. Oh, the tracking is OK; there is no law against that. The law is against speaking out, organizing against the government. This is treason.
No worries, our viewer also grabs the GPS data off the user's phone as it is transmitted from a secondary hidden GPS the person was unaware existed and could not turn off if they wanted to anyway. Seconds later he is (arrested|shot|beaten|no one ever knows). The system did its job.
Welcome to Iran 2009.
Overly dramatic? Maybe so, unless you lived in 2009 Iran during the protests of what was seen as the illegitimate re-election of President Mahmoud Ahmadinejad. Nokia's "Citizen Tracking" System was capable of just this kind of systematic packet surveillance of civilians and the results were just as dramatic.
Now before you jump all over me and write 100 "that would never happen here" comments: I'm not saying that would happen here. But just because it may not be that dramatic, and it is much more likely Google will just sell our data to the highest bidder, does that make it any less concerning? And even though it is not likely the need for a subpoena could go away, does it make it any less serious that there is that much data available to our legal system in ways that circumvent our due process? Where your data can be reviewed on a "sneak-and-peek" and you never know?
From the EFF -
"NSTIC is currently wholly voluntary and has no distinct legal structure. That means that there is no legal impact. If IRS could get data via subpoena before, it can get data via subpoena now.
But there can be practical legal impact, because if you go to an Identity Provider (IP) for an ID at some real level of assurance, then the IP has info on you that it might not otherwise have. So as a real-world matter your data could be in more places. And to the extent that the IP learns anything about your activity by virtue of being the IP, then that's additional data in the IP's hands."
As we move toward a world where the large corporations and government are creating invisible hands of digital tracking, to whatever end that leads, shouldn't we all start paying attention, asking questions and wondering about that age-old question: if the product is free, then aren't you the product?
And in case you're wondering, this is not a U.S. system. This is an international system with international implications, and international exchanges of "Trusted Identities" with implications far wider than legal and privacy.
More next time, on users' rights and privacy from the EFF and legal perspective.