Back to News & Commentary

Don't Put Your Trust in "Trusted Identities"

Jay Stanley,
Senior Policy Analyst,
ACLU Speech, Privacy, and Technology Project
Share This Page
January 7, 2011

Obama administration officials spoke today about the "National Strategies for Trusted Identities in Cyberspace." The NSTIC ("N-Stick") proposal, which was in draft form last June, proposes the creation of an online identity "ecosystem," which the report defines as "an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities."

White House Cybersecurity Coordinator Howard A. Schmidt and U.S. Commerce Secretary Gary Locke appeared in Silicon Valley to deliver the message that, as Schmidt put it, "we need the private sector to lead the implementation of this." Locke said that President Obama would be approving a final version of the NSTIC scheme within a few months.

What are we to make of this effort? Several points.

  • First, the administration in its draft proposal certainly says all the right things about privacy. Unfortunately, privacy advocates have learned over the years just what that is worth: soothing promises often don't translate into action. The administration's draft talks about the need to limit collection of information "to the minimum information necessary" and "limit retention of data to the period [of time] necessary." Those kinds of policies would need to be rigorously included in this system if it were adopted. But we need to see what is actually proposed — we still don't have enough details.
  • Second, protecting privacy and the right to anonymous speech online is paramount. While there are certainly many security problems on the Internet, the world is getting along fine without an online identity "ecosystem,", and nothing should be considered that threatens these values. Certainly anything that resembles a national identity system or a "driver's license for the Internet" must be vehemently opposed.
  • Third, having an electronic identity system that can assure a person's identity would unquestionably create new possibilities for online transactions that are not now practical, and in some circumstances could help to protect people's privacy. For example, the system could allow the IRS to give you direct online access to your tax returns, which isn't possible now because they can't be sure you are you.
  • Fourth, there are amazing new cryptographic/mathematical possibilities that have been invented or discovered in recent years. Techniques have been developed for "unlinkable credentials" that allow individuals to prove things about themselves while protecting their privacy. For example, these techniques allow users to prove they possess some quality, status or right without revealing their identity, in a way that cannot be spoofed. For example, you could prove that you have a library card, or are over 21, or are a resident of Pittsburgh, without revealing your identity.

In short, it's possible that if all the stars lined up perfectly, this "online identity ecosystem" could be a good thing.

Unfortunately, there are too many reasons to doubt that all the stars will line up perfectly.

First and foremost, security agendas are likely to take over as this concept gets implemented:

  • This proposal has been primarily presented as and discussed in the terms of a security measure, not as an instrument of commerce. That's how it was presented at Stanford today. And of course, the plan was produced by the cybersecurity czar, not the government's chief information officer or chief technology officer or the Department of Commerce. Security agendas are the big driver of this initiative.
  • In the cybersecurity space, there has been a lot of talk of creating a "driver's license for the Internet" — a terrible idea that would eviscerate privacy and anonymity online. Indeed believe that forensics — the ability to trace and figure out what happened after a cyber-attack — is a key understated goal of this initiative. But the ability to figure out who has done something bad after the fact is the same online as it is offline — it can only be assured if everyone is tracked, all of the time, and that is not an acceptable tradeoff in a free society.
  • Unfortunately this is an administration that so far has catered to the interests of the national security establishment on issue after issue (for the sad details see our report "Establishing a New Normal"). Despite all the nice talk about protecting privacy, what will remain once the administrative sausage-making is done? If privacy protections conflict with perceived security needs, it is not hard to figure what will win out.
  • The White House's draft proposal did not explicitly include "unlinkable credentials" and other rigorous privacy-protecting techniques that are simply a must if this system is to be at all acceptable.

The involvement of the private sector in this non-centralized or "federated" identity scheme is of course preferable to a direct, centralized government-run identity system. That kind of a system would be a non-starter. But we would also have questions about what the private sector will do with this system. The interests and values of large companies tends to push toward stability, security and predictability — not toward the raucous freedom that online privacy and anonymity makes possible. Once a standard is in place, will people have to start identifying themselves everywhere online — even when it's totally unnecessary. This has happened all too often in the offline world. It could be driven by the need for legal due diligence (we need to know you're over 18 or we can't market to you and our lawyers say if we don't use this system we could be liable; we need to track you in case you later turn out to be a hacker) and the opportunity to collect reliable personal data for online advertising and other purposes.

The administration is highlighting the fact that this scheme would be "voluntary" — but in a networked world, such voluntariness would quickly become illusory. It's supposedly voluntary to get a credit card or driver's license, but try participating fully in society without one.

A few other key questions:

  • Will this be effective? Some security experts such as Columbia's Steve Bellovin have argued that a federated identity system would be of . As he argues, most security problems are a result of hackers taking advantage of buggy code, not authentication problems. In addition, the use of encryption has not stopped attacks; there is plenty of malware already that is abusing strong authentication mechanisms.
  • Can the government make this happen? An entire "identity community" has been discussing the problems of online identity and authorization for many years, yet broad adoption of any new mechanisms has not happened, and despite years of condemnation by security experts, the simple username and password remains the authorization and identity mechanism used the vast majority of the time. It's possible that this reality reflects an accurate ongoing cost/benefit calculation in that the vast majority of the time this simple, cheap and easy mechanism fits our needs. In fact, several private-sector efforts to set up federated ID schemes have failed. Problems of collective action are appropriate for government action, but all this does raise the question of whether the government can succeed where the private sector has failed.
  • What will it cost? It tends to cost between $75 and $100 to get a well-proofed identity offline such as a passport or driver's license, and that much of those costs are handling the paperwork and verification of "breeder" documents, which might come into play for a secure electronic ID as well, making it expensive.

What would we support? We would support a system that empowers individuals, not large companies and government security agencies. That means a system that does not create records of individuals' activities online, and does not force them to reveal their identity significantly more often then they do now. It would be a system that uses advanced encryption techniques to expand the freedom and possibilities of what individuals can do online — not to track and control them.

Unless the Obama administration comes out with a detailed proposal for an identity scheme that does these things in ways that are hard-wired into the system, and can convince us that its protections won't fall by the wayside at any point, this scheme appears to be a sweeping, utopian intervention in the Internet driven by anti-freedom security agendas that promises to do more harm than good.

Learn More About the Issues on This Page