Will a Central Identity System Protect Your Online Identity?

     I apologize in advance for the length of this post.  In light of the increase in complex computer theft schemes which robbed millions[1] of customers of their credit and debit card information, the Obama Administration proposed the National Strategy for Trusted Identities in Cyberspace[2] in April of this year.  The plan proposed online verification systems across companies and organizations that disseminate business and personal information on an as-needed basis.

Here is an example from the White House’s press release dated April 2011.  Under the current system, an individual supplies his/her driver’s license to confirm that he/she may board a plane, open a bank account or view an age-restricted movie.  The businesses using the information contained in the driver’s license do not collaborate on the information being provided to them, so there is no verification between the businesses or the issuing department of motor vehicles that the license and the current information contained in it are valid.  Further, each business receives more information than it needs to provide the service to the individual.  The movie theatre attendant views not only the date of birth on the driver’s license to allow access to an age-restricted movie, but also the individual’s name and address.  The bank and the airline receive information on an individual’s physical attributes and the type of car they are authorized to drive.

The Obama Administration proposed a limit to the dissemination of online information, allowing businesses to receive only a piece of someone’s information: only what is required to process a transaction and nothing more.  The program is called Identity Ecosystem.  In the Identity Ecosystem, users are issued digital credentials,[3] a compilation of an individual’s name, address, visual attributes, medical history, phone numbers, employment history, etc., to be stored on a physical or virtual medium.  When an individual or business tries to transact business, the Identity Ecosystem will only disseminate a small part of the user’s information; for example, that a minor is between the ages of 13 and 17 for an age-restricted chat room, without disseminating the exact age of the student, the name of the student or any other attributes.

Per the Obama Administration, the private sector would be responsible for designing and implementing the Identity Ecosystem, including the storage medium for the data, determining which companies may gather information and remove attributes (e.g. name, age, etc.) and authenticate the information to the receiving business or organization.  The private sector determines the level of authentication needed to access services such as medical records.  The Obama Administration proposed that the federal government would only intervene if necessary in the implementation and regulation of the program.  However, the federal government will provide the private sector with information in its possession to assist with Identity Ecosystems, and the federal government will also be one of the first organizations to jump on board with the plan.  That means that those receiving public services will have to participate in the plan in order to receive benefits from the federal government.  It also means that an individual’s IRS information will be included.

The Administration explains that the Identity Ecosystem will promote anonymity in online transactions by removing attributes and providing limited information on an individual, reducing the instances of identity theft.  The Administration also claims that there will be stronger cyber security measures in place to curb cyber threats.  Further, the Administration supports the plan for its convenience to consumers by eliminating the need for multiple passwords and user ids.  The Identity Ecosystem allows access to one’s general digital identity via one digital medium and access to heightened authenticated information such as medical records by another medium with an even higher level of security.

The Administration claims companies will innovate to come up with the identity medium, which would lead to job creation and new services in banking.  New sectors in industries such as healthcare and banking would open up with increased security of online identities.  Businesses would benefit from the decrease in fraud and identity theft.  Efficient allocation of resources allows a doctor to verify his/her identity on a mobile device, search the local triage logs and determine where his/her expertise is needed in times of crisis.  Finally, individuals and businesses can reduce their digital footprint to just one or two logins.

     The Obama Administration has put forth a valiant effort to curb cyber crimes through its proposal of the Identity Ecosystem; however, the plan falls short of its intended purpose.  Hackers and other cyber criminals have proven that they are smarter and swifter than the regulators.  Once the proposed digital identity is stolen, whether physically in the form of a smart card or virtually, a cyber criminal has access to all of an individual’s information even if it is in pieces.  The potential damage caused by the theft of one’s digital identity goes far beyond the crimes committed by criminals under the current system.  Under the Identity Ecosystem, a cyber criminal can obtain your insurance and medical records, sign off on a mortgage refinance, or sell your house from under you with just a few clicks of the mouse or from a lost or stolen smart card in a matter of minutes.

Companies may innovate and create more jobs, but companies such as PayPal, which offer secure transaction services, would be forced out of business.  Although jobs may be created, a majority of the service jobs that this plan would create will be shipped overseas to countries like India and the Philippines, which have already garnered a number of jobs from U.S. companies.

The Administration claims that the Identity Ecosystem is a voluntary system: it would be voluntary for the individual to place all his/her information in the central database and for the companies to use the authentication system.  This is not necessarily true.  Once the federal government is on board, everyone is on board.  The federal government controls benefits such as social security, Medicare and Medicaid.  Further, the federal government must use the system; this includes military personnel, the FBI and the CIA.  But the kicker: the IRS.  Enough said.

Further, the authenticating company must have all of your information to authenticate pieces.  If the authenticating company is broken into, many complete identities could be stolen.  Instead of obtaining a new debit or credit card, the individual or business must obtain a new identity.  See a clip from the movie The Net in which Sandra Bullock’s identity was removed.  It was as if she did not exist. http://www.youtube.com/watch?v=46qKHq7REI4 BTW, authentication companies will have the power to suspend and block accounts.  The Net is what happens if the Identity Ecosystem goes wrong.

Lastly, the private sector currently sells pieces of an individual’s digital identity.  Arming the private sector with a complete digital history on a business or individual and allowing it to regulate itself is like putting a kid in a toy store and telling them not to play with anything.  The private sector will sell the information, increasing the chances of identity theft.

The Obama Administration has good intentions, but as the saying goes, “The road to hell is paved with good intentions.”  This is one of those times.  The repercussions and the damage to a centralized system such as the one proposed via the Identity Ecosystems will only compound the damage from cyber crime and allow the private sector to profit from a central database of online users’ information.  No good can come from this.  If you disagree or agree, voice your opinion; maybe someone can sway me to the dark side :)


[1] See Hacker Sentenced to 20 Years, http://www.wired.com/threatlevel/2010/03/heartland-sentencing/ (A team of hackers stole millions of dollars worth of credit and debit card information from TJ Maxx, JC Penney, Wet Seal, Office Depot and a number of other businesses.)  See also More than 100 Charged in Massive NYC Theft Ring, http://www.npr.org/templates/story/story.php?storyId=141154109 (A credit and debit card scheme which involved over 100 people in the restaurant, hotel and banking industry.)

[3] Information objects used during transactions to provide evidence of a subject’s identity and may also provide a link to subject’s authority, roles, rights and privileges and other attributes.  See http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.

 

 

~ by sjohn7887 on November 6, 2011.

8 Responses to “Will a Central Identity System Protect Your Online Identity?”

  1. It would seem that the government would need some serious safeguards to make sure the Identity Ecosystem is not hacked and the sensitive information stolen. I would like some sort of safeguard protections regulated to make sure the companies they give the information to are adequately protected as well. Although this could result in everyone adopting baseline standards that hackers can become quick to crack. I would also like to see some kind of assurances that if the government gives out this information to a company for its benefit that it cannot turn around and sell that information.

    From your explanations I guess I can see some benefits from the Identity Ecosystem, but it would have to be optional. Many people would not trust the government to protect their information more than they would trust their own methods even if their own methods were non-existent. I just don’t see how they could require participation without violating many state granted privacy rights. Of course, maybe this is why they have declared it to be optional.

    I am curious what the government jumping on board with the plan actually means and entails. Does it mean they are going to encourage their employees to use the system or, as you propose, they are going to force those receiving government systems to participate? Although I don’t like either, the second does seem extremely problematic. It just seems to be a very broad statement that could prove to be important.

  2. First, I will address the premise that all of my information is kept concisely, “securely”, and comprehensively in either a virtual or physical database. This seems like a system that has great potential to be accurate, safe, and a way to collect data effectively so that people cannot create false or incomplete records in any aspect of life. For example, my undergraduate roommate held driver’s licenses in Florida and another state, where the two DMV offices do not communicate in any way. As both licenses were valid, he was able to collect tickets and violations on both licenses, never breaking the threshold for any real penalty in either version of his identity. While illegal, nothing has happened to him, nor is it likely that anything will.

    I see the centralized data collection and “need-to-know” basis for information two ways. (1) There is great potential for a hacker or computer virus to mine data more efficiently than ever. (2) There is great potential for an incredibly efficient medium to disseminate any information necessary, including medical records to emergency rooms, financial information to credit institutions, and infinite other legitimate uses. I suppose my problem is skepticism that my information would be accurate and secure, especially if it is all kept in one place. For example, I know that credit reports are frequently incorrect, confusing people with similar names or social security numbers. At times, the damage can take years to undo, if ever. What happens when an emergency room ends up with incorrect data and kills a patient?

    While I think the centralized information is a great idea on principle, I think that some of the potential kinks need to be not only worked out, but considered with incredible scrutiny and care.

  3. I have to agree with the skepticism shared by my classmates. We just finished reading articles about teenage hackers hacking into not only private companies’ databases and stealing credit card information, but also hacking into government databases, with potentially deadly results. This does not exactly give one confidence in a cyberspace-based system that is a perfect collection of all of my information. Given the risks, I am not yet convinced that the government can 100% say that a cyber-system is secure. From reading the articles on hackers, it is clear that there is nothing they love more than a challenge. This seems like the ultimate challenge. To me it seems like a ticking time bomb that hackers will race to crack first. I also see problems with the voluntariness issue. What about state employees? If you have to participate in order to receive your benefits, this means that every teacher, postal worker, police officer, etc., will have to “voluntarily” comply with the program? I agree that in theory this concept is excellent, but in reality, I am not sold that it is feasible. While utilizing technology to its fullest will and should always be a goal, protecting Americans is top priority. Unless and until the government can guarantee the protection of its citizens through this program, I will not be volunteering myself.

  4. It absolutely baffles me how there is a generated interest in something like the “Identity Ecosystem”. I understand the purpose behind it and how convenient it would be to have all your information stored in one location, especially for the user accessing this material. But at the same time, I have to question how people can genuinely favor this idea of storing all their most private, personal information in one “secure” location. I would compare the Identity Ecosystem to this scenario: You parallel park on the side street outside your bank without locking your car door. While the odds are slim that someone will actually check “all” of the car doors in the alleyway in their attempt to break into a car, what happens when they just so happen to check your door and find it unlocked? Now the odds don’t look so great. This Identity Ecosystem seems a little too risky and like an open-door policy to hackers even through the mask of “secure” promises.

    The movie link posted for The Net is a perfect example of this phenomenon and I appreciate you taking the time to post it. It really hammers home this concept of our technology age and the threat of identity theft we are facing daily. Another movie I’d like to present is Live Free or Die Hard. Now, yes, it is a Bruce Willis movie and has a lot of gung-ho fighting in it, the premise of the movie is that cyber terrorists upload a program to their computers and temporarily caused the security gate at FBI Cyber-Security Divisions to go down. As a result, they hacked into the governmental and FBI computers and now have taken over Washington DC. They control the traffic signals, the lights, the cell phone towers and satellites, the landlines, and are headed for major airports and train stations, and the main power hubs on the Eastern Seaboard. This concept was referred to as a “fire sale”. With the increase in technology knowledge and potential (just look to the number of hackers being propositioned to work for the CIA and FBI in order to bring down other known hackers), it seems like only a matter of time before someone—whether it be nationally or internationally—figures out our reliance on computers and uses it to our disadvantage.

    I cannot see how a centralized identity system could protect my identity; it seems rather the opposite. Yes, I suppose if the government has someone figured out how to harness its technology skills and potential to develop an excellent virus scanning software or wall to keep out cyber threats, etc. I can see how it would seem favorable to many. It would be nice knowing all your information is safely and securely protected in one location, kind of like alarming ADT and all of your family is in one bedroom of your house. You can keep an eye on them and know where they all are and what they’re doing at any time. But, at the same time, just look how easy it would be for a hacker to take out not one, not some, but ALL of your personal, private, electronically saved information. Do you want to take this risk? Not me, thank you.

  5. The Identity Ecosystem is a concept I strongly support. I admit that it is initially repulsive to my sense of privacy, but the current framework is not sustainable. Usernames and passwords with different requirements are rising beyond the level of mere annoyance. I imagine that most people keep usernames and passwords fairly consistent, or else maintain some kind of list with the keys to all their digital doors. Either way, the protection provided is probably more an illusion of safety than anything else. The Identity Ecosystem is probably inevitable. If I am to embrace the concept, however, there are two key issues which must be resolved: (1) a realistic alternative for those who opt out, and (2) a simple way to maintain an alias (or alt).

    First, there must be an option to opt out. For those that choose to opt out, there must be a way to access public services and conduct business. I think that it is reasonable to require some work on the part of those that opt out, but there has to be a clear path for those to follow. Today, I have some obligations to modern society which must be fulfilled. Once my Student Loans are paid off, however, I want to make sure that my wife and I can move to the mountains, live off the grid in a solar powered geodesic dome, home-school our kids on the homestead, and work privately on building a spacecraft in order to one day establish a claim on some extraterrestrial real estate.

    Next, there must be a simple way to maintain an alias or alt under the Identity Ecosystem. Under common law, there are generally few restrictions on maintaining an alias and courts have held that a person may do business, enter into contracts, sue and be sued under any name they choose. (See Lindon v. First National Bank, 10 F. 894 (1882)). In cyberspace, there are substantial motivations for maintaining aliases, particularly to separate business activity from personal activity. If the Identity Ecosystem is designed to embrace the use of aliases, I think many more people will opt in.

    In conclusion, I support the Identity Ecosystem given certain restrictions. Rather than reject the concept as a whole, I think a debate on how to design the system to produce a safe and necessary framework to support our online identities.

  6. This blog is the first time I have heard about the Identity Ecosystem. Initially, it sounds like a great idea. The system allows me to limit the amount of personal information that I disclose to private companies and I can go to one place to access everything I need to know about myself. I agree with the underlying policies of limited disclosure of personal information, but, somewhat ironically, the system raises protection of privacy concerns. It is a little unsettling to maintain all of that information in one place especially when the private sector is making the decision as to what information it needs. I am wary of giving out my email address to some companies because I do not want them to sell it to others for marketing purposes. Besides, as the blog points out, under the Identity Ecosystem a hacker now has access to more than your birthday and social security number, the hacker can get everything from you. While it could make transactions more efficient, that efficiency comes with a significant risk of exposing all of your information. I am not convinced the efficiency of the Identity Ecosystem outweighs the high risk inherent in such a system.

    Frankly, if this system does gain traction, I think the general public would be very critical of the system. It has taken years to convince some people that paying their bills online using a credit card is a secure transaction. We have talked extensively about how our criminal law is behind the curve and how uneducated our government is in dealing with technology. I doubt that any of these same people would be willing to rely exclusively on one system to hold every sacred piece of their personal information. I certainly do not trust such a system. If Identity Ecosystem is implemented, http://www.lifelock.com will certainly have a new customer, me.

  7. The idea of a database of your personal information sounds a little worrisome at first blush, but I think on closer examination it has the potential to make your information more secure. Your personal information is out there already, and in many different places. Putting information in one place might make for an inviting target for hackers, but it also makes monitoring and securing that information easier. In a different context, Warren Buffett said, “put all your eggs in one basket, and watch that basket very carefully.” I think the same could be true here. I’m curious about the National Security benefits of the program. This is supposed to curb cyber crime? Does that just mean identity theft, or are we talking about something else?

  8. Obama is proposing and advocating for a centralized database of online identities that will be linked to users’ actual real-world identities. Great idea….wait, what?!?! Is this a joke?! While I applaud the Obama administration for attempting to address the growing issue of cybercrime, this proposal is simply unreal. When did our government start mimicking communist China?!

    The Obama administration claims that the program will be run by the US Department of Commerce and that the program would not be utilized as a way to track the actions of the users. Yeah, that definitely just fell on deaf ears. I don’t believe that for a second. I have no doubt that the Department of Homeland Security is and will be all over this project.

    Another claim that is falling on deaf ears? That the program will be completely voluntary. I have no doubt that once the government jumps on board, the corporations and small businesses will quickly follow. Eventually, it will become a near requirement as the program’s use will be tied to nearly every kind of online transaction. Sure sounds voluntary.

    And what makes the Obama administration so certain that the database itself would not be vulnerable to cyberattacks? As it stands now, even our military isn’t adequately safeguarded against cyberattacks. The goal of the program would be to circumscribe instances of identity theft, but undoubtedly, it would only INCREASE identity theft. Cybercriminals would be salivating at the idea of being able to crack that code! Could you IMAGINE if a cybercriminal was able to hack into this online database?! It would be the ULTIMATE jackpot! In a few clicks, millions of people could have their identities stolen, along with their IRS, medical, financial and personal information! Talk about a catastrophe!

    While I understand that ensuring the highest level of security regarding a user’s information is imperative for some online transactions, do we really need that same level of protection for users purchasing a book on Amazon.com? Such a central online database would effectively eliminate any and all anonymity that exists for users engaging in online transactions.

    All in all, there is absolutely no way I would ever trust the United States government to properly protect and manage such a sensitive database, let alone the PRIVATE SECTOR! That is absurd! Frankly, I believe that this would only open the gates to a flashflood of unwarranted governmental intrusions and interventions, and that makes me very uneasy. Let’s hope Big Brother remains a bad reality show and doesn’t become our reality.
