Identity Ecosystem: One Identifier To Rule Your Life?

Here’s your chance to be heard about security and privacy. Do you like having many online usernames and passwords, or do you like placing all your eggs in one identity basket? The White House and Department of Homeland Security want to hear what you think about their plans regarding an Identity Ecosystem. According to a White House blog post by Howard Schmidt, Cybersecurity Coordinator and Special Assistant to President Obama, DHS posted a draft of the National Strategy for Trusted Identities in Cyberspace (NSTIC) and will be collecting comments on the strategy until July 19.

NSTIC calls for the creation of an Identity Ecosystem, where “individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on.” Schmidt added, “For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services.”

I urge you to be proactive, read the draft and then submit ideas or comments and vote for or against the proposals of others. If we wait, America, then there will be no reason to gripe about it after the fact if it becomes our reality.

One of the top voted privacy comments came from Andrew S. “This is a horrible idea. There is no such thing as “Trusted Identity” as long as 25% of all computers running Windows are infected with malware that lets other people remotely control their computers.”An anonymous user wrote, “Please don’t just create yet another monopoly to abuse the public. Between Microsoft, RIAA, MPAA, and the growing mergers in the broadcast industries, we have too many monopolies abusing the American people.”One of the highest voted comments is about more focus on better habits and education. This anonymous comment was written, “Proper education on how to secure one’s information is paramount to good security. Good habits will work far better than a stronger door. Companies responsible for code that allow massive exploits need to be held to some accountability (looking at you MS and Adobe).”

With so many computers running Windows operating systems, would Microsoft need to be involved as part of the White House cybersecurity plan? In the same principle as MS is a target for cyber attacks, wouldn’t having one centralized ID then make it the prime target to be attacked and hacked?

An anonymous user pointed toward this security flaw. “A single centralized identity is inherently less secure than a dozen identities because it creates a single point of failure. Once that identity has been compromised – which will certainly happen no matter what technological measures are taken to protect it because there will always be a user in the chain – an individual’s entire life will be open for hijacking.”Education is certainly one of the keys, but many users still have not learned better than to use one weak password for all sites.

Most of us have multiple identities tied to different roles and different accounts. I do not find it wise at all to have all our eggs in one identity basket. It would make tracking via one identifier that much easier, be it the government or an employer. As Ryan Davis wrote, “30 passwords are more secure than one universal identity. If you put all your eggs in one “trusted” basket the fox only has to get in the one basket to eat all the eggs.”

Please be proactive on this issue. It won’t take you very long to read the NSTIC.pdf. The two “Envision It” images are from the NSTIC draft.

Identity theft, fraud, and other cyber crimes are problems that need addressed. If you like the idea of your identity locked into a “Smart Card” and that one identifier ruling your life, then comment that way or vote on people’s comments that share your viewpoint.

If you don’t like the idea, then say so before it’s bye-bye multiple aliases and you are locked into one identifier to rule your life.