The White House recently released a draft of a troubling plan titled "National Strategy for Trusted Identities in Cyberspace
" (NSTIC). In previous iterations, the project was known as the "National Strategy for Secure Online Transactions" and emphasized, reasonably, the private sector's development of technologies to secure sensitive online transactions. But the recent shift to "Trusted Identities in Cyberspace" reflects a radical — and concerning — expansion of the project’s scope.
The draft NSTIC now calls for pervasive, authenticated digital IDs and makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online. And while the draft NSTIC "does not advocate for the establishment of a national identification card" (p. 6), it’s far from clear that it won’t take us dangerously far down that road. Because the draft NSTIC is vague about many basic points, the White House must proceed with caution and avoid rushing past the risks that lay ahead. Here are some of our concerns.
Is authentication really the answer?
Probably the biggest conceptual problem is that the draft NSTIC seems to place unquestioning faith in authentication — a system of proving one's identity — as an approach to solving Internet security problems. Even leaving aside the civil liberties risks of pervasive online authentication, computer security experts question this emphasis. As prominent researcher Steven Bellovin notes:
The biggest problem [for Internet security] was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years.
A Real ID Society?
The draft NSTIC says that, instead of a national ID card, it "seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions," which can be obtained "from either public or private sector identity providers." (p. 6) In other words, the governments want a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.