firecat

http://searchenginewatch.com/article/2105755/Real-Names-Google-Government-The-Identity-Ecosystem
"Real Names: Google+, Government & The Identity Ecosystem" by Kristine Schachinger. Excerpt:

Google’s ambitions for Google+ appear to go far beyond social signals, marketing, and their efforts to make a better product. Dig a little further and you’ll find something called the “National Strategy For Trusted Identities In Cyberspace” (NSTIC). [That's a PDF.]

The article quotes from that document:

“The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy) charts a course for the public and private sectors to collaborate to raise the level of trust associated with the identities of individuals, organizations, networks, services, and devices involved in online transactions”

and

“The Federal Government commits to collaborate with the private sector; state, local, tribal, and territorial governments; and international governments–and to provide the support and action necessary to make the Identity Ecosystem a reality. With a concerted, cooperative effort from all of these parties, individuals will realize the benefits of the Identity Ecosystem through the conduct of their daily transactions in cyberspace.”

(I don't know whether the bolding is from the original document or from the author of the article discussing it.)

In other words, I think this is where they are heading: An online government ID card. A credit bureau for your identity. And Google wants to be one of the "private sector" companies helping to provide this.

I love how the document calls this an "ecosystem." They're calling it that because a lot of people have positive associations with the word "ecosystem" (it's green! we want to preserve it!) But I think ecosystem is another way of saying "only the fit survive" or "conform or you're dead."

Speculating a little farther out: The US government wants to replace social security numbers with an online ID. They probably want the online ID to be associated with tax payments, health records, and any government payouts. They are already setting things up so that all Social Security payments occur electronically. If they want to move other interactions with citizens online (which they do because it will save the government money) then they need a new way to verify identity.

OK: I don't know that it's necessarily a bad thing to have a way of verifying identity that isn't social security numbers. There are huge problems with using social security numbers for that purpose. (Identity theft.) And probably sometimes it is necessary to prove that you are a particular, unique individual.

I am worried about giving that job to the private sector. Credit card bureau records are notoriously inaccurate, for example. And I'm worried about having the information be associated with the Internet, because even if adequate security is designed in, adequate security requires human effort, and humans sometimes fuck up or get too lazy to bother. So that information would be vulnerable. Also I think it would be a bad thing to require everyone to interact with all government services online.

But mainly, I think it's a super-bad idea to tie social network activity in with official government verification. I don't want to be essentially "showing my papers" every time I say something in public.

Crossposts: http://firecat.livejournal.com/733700.html

Flat | Top-Level Comments Only

From:

elainegrey

@IdentityWoman explained about how NSTIC is *NOT* about a single linkable identity that the government can track and needs anonymity and pseudonymity back in January http://www.fastcompany.com/1715659/national-identity-cyberspace-why-we-shouldnt-freak-out-about-nstic

A place to get involved with NSTIC is http://www.nstic.us/ says identity woman, also IIW coming in Oct. (Promising to be a fascinating time that i will likely miss.)

From:

firecat

Thanks, that's good to know, but it doesn't make me stop worrying entirely. The government's intentions today are not the government's intentions a decade from now. And if G+ is the way that the government/private sector partnership starts going about it, that's not a good sign either. (I do recognize that G+ is still in beta. Maybe they will eventually implement pseudonymous accounts. But their PR is pretty bad right now.)

From:

elainegrey

Most folks i know who are supportive of NSTIC are pretty critical of G+ as missing most of the user-centric identity protections that NSTIC outlines. I wrote you a while back that i had hoped that when those folks got their hands on the G+ nympolice that G+ would see they were going about it wrong. I'm now borderline convinced that G+ would blow off NSTIC as "We Know Better, We're Google." I did get a colleague interested in going to IIW particularly for NSTIC -- i think libraries really would be a perfect place for NSTIC. Libraries start with verified identities to a certain level in establishing the library account and there's a reasonable level of trust with libraries. (I trust my library more than my bank.)

From:

libskrat

I need to check into NSTIC further before I can have an informed reaction, but I have to admit that my immediate reaction was WHOA HELL NO. I don't wanna be no gummint enforcer just 'cuz I gots an MLS.

Libraries in the US tend to deal with potential privacy breaches by keeping as little personal information and history as possible. I don't see how that fits with an identity program.

But again, I clearly have some reading to do.

From:

elainegrey

SAML authentication ... ok i wrote a long post in my blog that should give some grounding in how Identity Providers work in the single sign on, third party authentication model that NSTIC assumes you'll understand.