Facebook Wants to Issue Your Internet Driver's License

Cybersecurity and privacy-enhancing "identity ecosystem" by Facebook? President Obama put the U.S. Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID and its identity infrastructure is already on millions of websites.

President Obama put the U.S. Commerce Department in charge of a cybersecurity effort to give each American a unique Internet ID. But Facebook also wants to supply your unique Internet ID and its identity infrastructure is already on millions of websites. If participation remains voluntary, could Facebook distribute your Internet driver's license?

Worldwide, e-commerce is estimated at $10 trillion annually. The National Strategy for Trusted Identities in Cyberspace (NSTIC) plan of developing a secure and privacy-enhancing "identity ecosystem" for the Internet is supposed to lower the risks of identity theft, which is rampant, and create a greater confidence in online transactions since less personal information would be collected and stored with each transaction. But there are privacy and civil liberties groups who oppose the idea of any government intelligence agency being in control of its citizens online ID. Many of those same group oppose the government requiring a backdoor into all online programs as part of the Internet's infrastructure.

According to Technology Review, Facebook is becoming a "critical part of the Internet's identity infrastructure" and wants to supply your Internet driver's license. Facebook Login allows any website to use its identity infrastructure by adding a few lines of code so users will see "Connect with Facebook" button on the site. Facebook Connect is one of the most popular codes adopted by websites, so that anyone with a Facebook account is but a click away from logging in, "liking" or sharing a site.

Besides being easy and free for websites to implement, Facebook Connect provides the site with the user's real name as required per Facebook's terms of service. Many sites don't want the hassle and headache of managing their own identity system, but do want users to login for commenting purposes and limiting spam.

On the negative side, Facebook has made horrible privacy mistakes in the past. Since it happened again and again, it seems Facebook showed little regard to its users' outrage of the privacy breaches. It's also a hot target for cyberthugs. Any site is only as strong as the weakest link -- which usually tends to be the user. On any given day on Facebook, there are always phishing scams, busy social engineers, and accounts taken over by hackers. The Firefox plug-in Firesheep makes sniffing out cookies and taking over accounts so easy that even the clueless can manage it over an unsecured Wi-Fi network.

Last fall, making itself a no less appealing target, a New Zealand bank opened the doors to Facebook's first online bank branch. When logged into Facebook, the bank's customers can access their banking information. As more businesses adopt Facebook Connect, it is becoming a universal login on the web, making Facebook a tempting target to cybercriminals.

If participation in Obama's NSTIC cybersecurity program is voluntary and not required, it offers people the ability to stay anonymous by simply not participating. However, if nearly all sites adopt it and then require it, that's not really very optional for people who want to remain anonymous online.

One thing Facebook might have over the Commerce Department issuing unique online IDs is that many people will not trust a government sponsored ID system.  As CDT's Jim Dempsey said, any Internet ID must be created by the private sector and must stay voluntary and competitive. "The government cannot create that identity infrastructure. If it tried to, it wouldn't be trusted," stated Dempsey.

However, Commerce Department Secretary Gary Locke was quick to reassure people that the cybersecurity ID wasn't a guise for more big brother government. "We are not talking about a national ID card," Locke said at the Stanford Institute for Economic Policy Research event. "We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy, and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

White House Cybersecurity Coordinator Howard Schmidt assured people that anonymity and pseudonymity will remain possible online. "I don't have to get a credential, if I don't want to," Schmidt stated. He added there is no chance that "a centralized database will emerge."

The Commerce Department beat out other candidates such as the NSA and DHS to head up the new online identity project. Cnet pointed out, this "should please groups that have raised concerns over security agencies doing double duty in police and intelligence work."

Somehow it doesn't seem too hard to see the potential for abuse if either the government or Facebook become the Internet cops handing out IDs. Can we trust either one to guard users' privacy and security above their own interests and motives?

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022