White House's Trusted Identities Strategy Doesn't Inspire Trust

By Matthew Harwood


Another advantage of the ecosystem, the report added, is that individuals would be able to control how much information is used during a transaction. If a Web site requires confirmation that an individual is 18 for a purchase, the Identity Ecosystem would allow the customer to share only the necessary data without revealing unnecessary information, such as name, address, and even birth date, according to the draft report.

But for all the convenience, many Web sites and digital privacy advocates are questioning not only the unintended consequences of the strategy, but whether it will deliver its main promise: security.

While the White House stresses that participation would be voluntary, Jon Stokes at Ars Technica's Law and Disorder blog fears mission creep, noting the now ubiquitous use of Social Security numbers (SSN) to verify identities. "Given what has happened with the SSN, it's not at all hard to imagine that a voluntary state ID would quickly morph into a mandatory state ID, unless of course you withdraw from the web of modern commerce."

Then there's the issue of whether trusted identities would make it easier for government to track online behavior, even presumably anonymous activity. The Electronic Frontier Foundation, a digital rights organization, takes shots at the strategy's example of an individual using her smart identity card to anonymously post blog entries. "The proposal mistakenly conflates trusting a third party to not reveal your identity with actual anonymity — where third parties don’t know your identity," the EFF argues. "When Thomas Paine anonymously published Common Sense in 1776, he didn’t secretly register with the British Crown."

“George Orwell's ‘Big Brother’ has arrived,” wrote one Federal Computer Week reader after the strategy's release. “Total monitoring of all communication by an all powerful central government.”

Finally there's the question of security. Ars Technica's Stokes finds it hard to believe that one credential used for multiple services is more secure than multiple passwords used for multiple online services, because it creates a single point of failure. "Either it will be possible to steal my credentials and impersonate me throughout the entire ecosystem, or there will have to be some kind of rock-solid biometric component to authentication," writes Stokes.

Readers who want to leave a comment or recommendation to further refine the strategy or simply read the reactions of other interested parties can do so at this Department of Homeland Security site.


