What's to Actually Like About "Obama's Online ID"? CDT's Aaron Brauer-Rieke Explains...
BY Nancy Scola | Thursday, January 13 2011
You might have read the headlines. "Obama Eyeing Internet ID for Americans," read Declan McCullagh's piece on the administration's plan. In certain quarters, things are more heated, with an idea taking root that the White House is laying the groundwork of some sort of "biometric national online ID card" with what's formally known as the National Strategy for Trusted Identities in Cyberspace [pdf]. Tech policy debates tend to either get completely ignored or framed in the most terrifying possible terms, (see, the "Internet kill switch"), but online identity is an instance where it makes sense for a lot of different folks to really think through the details. What we know at this point about the administration's draft plan to spur the creation of some sort of trusted identity framework raises both hopes -- for our purposes, especially about its potential for more engaged democracy -- and fears, especially given the state of Internet privacy laws in the U.S.
In a phone interview, Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, one of the public advocacy group's most vocal in this space, gave me his take on the, yes, concerns, but also hopes raised for him by the administration's online identity plan.
Scola: Can you give me a two sentence description of what we're talking about when we're talking about “trusted identities” here?
Brauer-Rieke: I think the fairest way to articulate what's being proposed is that the government wants to encourage the construction of an identity infrastructure on the Internet that would be voluntary, optional, and maintained by the private sector, so that we can both better secure the transactions we have now and open up the possibility for new transaction that we can't currently do online.
The other way to put it is that NSTIC [shorthand for "National Strategy for Trusted Identities in Cyberspace"] is the government making a syllabus. It's not a law. It's not requiring anything from anybody. They're not collecting data. The government just thought, “You know, we’re in a really helpful place to convene people and try to catalyze a movement to a better world online.” It's tough, because everyone’s pretty happy with what we have now. But we’re butting up against the limits of what we can do without better identity infrastructure.
What sort of new interactions might be made possible?
A lot of this is aspirational at this point, but in terms of government there’s all kinds of things that you can’t do right now. Some of them are really unsexy, like transferring title. If you want to transfer title to a car or a piece of property you have to go wait in a long line in an office. It’s entirely possible with a better identity infrastructure you could do that sort of thing online. You could more easily pay your taxes and access your tax history, keep track of benefits -- the whole range of government services that we don't do online because there's not an identity infrastructure to support it. I think the sky's the limit in terms of government services.
Part of the reason it makes sense to have a national strategy, even if the private sector is expected to do the brunt of the work, is that government can be the killer app. People are so set in their ways with what they're familiar with, whether it's Twitter, Facebook, or Gmail. The thought is that for people to start picking up these tools and using them there has to be something new. Government services might be that something new.
One aspect of this seems to be that having identity verifiers could actually be privacy enhancing, because they only really need to reveal online whatever information is minimally necessary. Is that right?
Yeah, the use case here is that you have a local government that wants input from a particular, say, eight block radius, or zip code, or precinct, because they want to do construction in your area. They send out an online survey, and your response is sent back to the government as certified that it does come from someone who meets the [geographic] criteria, but that's all they know. It's a little counter-intuitive, but the potential is that you can build privacy into the system in just a totally awesome new way that we haven't seen before.
Another good example is that I'm on a videogame website, and there are a bunch of trailers for new videogames that I want to see. The website wants to know if I'm over 18. What the site does today is ask for my birthdate. But if I had an identity provider, they could just certify that, yes, I'm over 18 by just passing the website a Boolean value saying "yes." Validation becomes much simpler. In an ideal world, not only does it reduce friction, but it means that you're going to leave less of a data trail behind.
So, should that make us feel better about whatever reflexive fear we might have about integrating things like services from state and federal governments?
It's a really interesting point. Since this is going to be a private sector led and maintained initiative, you can have citizens communicating directly with state and local governments without any loop through the federal system. The White House strategy working on this has been eminently clear on the idea that they're no one centralized database. The government isn't going to jump in and be the identity provider. They want the private sector to provide the identities so that the government can offer services.
What, then, do these identity providers look like?
That's a big part of the question. Everyone in the private sector right now is interested in that, as a new service they can offer people. An identity provider could be your cell phone service, your ISP, or something completely separate and unaffiliated. The hope is that you would get to choose that, although there seems to be some natural answers. If you're a Verizon cell phone service, they have your information. They could be an identity provider very, very easily.
Hmm. But is it also possible that we see someone like, say, the Electronic Frontier Foundation having a spin-off, or even CDT having a spin-off, offering identity provider services?
Yeah. The hope is that there will be a competitive and diverse set of providers out there so. You know, I personally would not love for Verizon to be my identity provider, but I'd be happy to have the EFF do it. The idea is that there's going to be a legal and policy structure to support these transactions. That's where you get this "trust framework" idea.
Is there anything similar we currently have in our lives?
Visa. You take your credit card or ATM card to any ATM, even if it's not your bank's, you stick your card in the machine, and it gives you money. It works because the banks have policies and rules in place so that they can all serve you. They can all be trusted with your identity. What actually gave them the kick to do this was that government said, "Hey, we're going to make you responsible for monetary losses and identity theft." What people are envisioning is something like Visa but for all kinds of Internet transactions.
The most basic way of thinking about this is that you need rules and you need tools. The tools are more or less out there. The technology exists. What we don't have are the rules, the policy and legal infrastructure to support them. What the national strategy is trying to do is to, one, coalesce people around tools and standards and, two, build up a policy framework that allows us to use these tools in ways that are privacy preserving, secure, and allocate liabilities appropriately. So it’s a big project. We need innovation in technology and we need innovation in policy to make it happen.
What does it do for our privacy to have, sure, maybe not one centralized database, but maybe a dozen known identity providers?
Exactly, and that gets us right back to the important of Internet privacy [policy]. Think about it: the fewer identities you use online, the easier it is to track you across a huge context of online behaviors. So it’s really important we give a lot of attention to how that information is collected, processed, and shared. I'm not sure that's happening until we get baseline privacy legislation. At the moment, pretty much what we have is the Federal Trade Commission policing the worst of online behaviors. But it’s a little bit of a wild West out there. There are good actors out there, there are bad actors who are going to try to get away with as much as possible.
There's a little bit of split of opinion on whether these trust frameworks can compete with one another -- whether they can say, "Our framework offers you better privacy, better rules, and better enforcement and accountability than any other, and so anyone who bears our trustmark you can trust.'"
From what we've heard, Twitter recently fought to get disclosure of a court order in the Wikileaks case so that they could let their users know what was going on. But these things seem to be so ad hoc; we don't always know how companies are going to end up behaving when push comes to shove. But you can see that becoming a selling point, no? "As your identity provider, I'll stand up for..."
I can envision a world where a particularly good trust framework says, "Our terms of service that we will take every possible step to resist government subpoenas for your information. Any of the identity providers under our framework or anyone who accepts information from any of our identity providers must have those terms of service, too." If something like that gains traction, that would be great.
I certainly don't have the wisdom to say whether or not this is going to happen, or whether it's even likely, but one of the cool opportunities is that we coalesce around communities that say, "If you want to be a part of this community, you have to abide by these standards." It would be an awesome thing to see that sort of competition.