Personal Democracy Plus Our premium content network. LEARN MORE You are not logged in. LOG IN NOW >

What's to Actually Like About "Obama's Online ID"? CDT's Aaron Brauer-Rieke Explains...

BY Nancy Scola | Thursday, January 13 2011

Image credit:Riggzy

You might have read the headlines. "Obama Eyeing Internet ID for Americans," read Declan McCullagh's piece on the administration's plan. In certain quarters, things are more heated, with an idea taking root that the White House is laying the groundwork of some sort of "biometric national online ID card" with what's formally known as the National Strategy for Trusted Identities in Cyberspace [pdf]. Tech policy debates tend to either get completely ignored or framed in the most terrifying possible terms, (see, the "Internet kill switch"), but online identity is an instance where it makes sense for a lot of different folks to really think through the details. What we know at this point about the administration's draft plan to spur the creation of some sort of trusted identity framework raises both hopes -- for our purposes, especially about its potential for more engaged democracy -- and fears, especially given the state of Internet privacy laws in the U.S.

In a phone interview, Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology, one of the public advocacy group's most vocal in this space, gave me his take on the, yes, concerns, but also hopes raised for him by the administration's online identity plan.

Scola: Can you give me a two sentence description of what we're talking about when we're talking about “trusted identities” here?

Brauer-Rieke: I think the fairest way to articulate what's being proposed is that the government wants to encourage the construction of an identity infrastructure on the Internet that would be voluntary, optional, and maintained by the private sector, so that we can both better secure the transactions we have now and open up the possibility for new transaction that we can't currently do online.

The other way to put it is that NSTIC [shorthand for "National Strategy for Trusted Identities in Cyberspace"] is the government making a syllabus. It's not a law. It's not requiring anything from anybody. They're not collecting data. The government just thought, “You know, we’re in a really helpful place to convene people and try to catalyze a movement to a better world online.” It's tough, because everyone’s pretty happy with what we have now. But we’re butting up against the limits of what we can do without better identity infrastructure.

What sort of new interactions might be made possible?

A lot of this is aspirational at this point, but in terms of government there’s all kinds of things that you can’t do right now. Some of them are really unsexy, like transferring title. If you want to transfer title to a car or a piece of property you have to go wait in a long line in an office. It’s entirely possible with a better identity infrastructure you could do that sort of thing online. You could more easily pay your taxes and access your tax history, keep track of benefits -- the whole range of government services that we don't do online because there's not an identity infrastructure to support it. I think the sky's the limit in terms of government services.

Part of the reason it makes sense to have a national strategy, even if the private sector is expected to do the brunt of the work, is that government can be the killer app. People are so set in their ways with what they're familiar with, whether it's Twitter, Facebook, or Gmail. The thought is that for people to start picking up these tools and using them there has to be something new. Government services might be that something new.

One aspect of this seems to be that having identity verifiers could actually be privacy enhancing, because they only really need to reveal online whatever information is minimally necessary. Is that right?

Yeah, the use case here is that you have a local government that wants input from a particular, say, eight block radius, or zip code, or precinct, because they want to do construction in your area. They send out an online survey, and your response is sent back to the government as certified that it does come from someone who meets the [geographic] criteria, but that's all they know. It's a little counter-intuitive, but the potential is that you can build privacy into the system in just a totally awesome new way that we haven't seen before.

Another good example is that I'm on a videogame website, and there are a bunch of trailers for new videogames that I want to see. The website wants to know if I'm over 18. What the site does today is ask for my birthdate. But if I had an identity provider, they could just certify that, yes, I'm over 18 by just passing the website a Boolean value saying "yes." Validation becomes much simpler. In an ideal world, not only does it reduce friction, but it means that you're going to leave less of a data trail behind.

So, should that make us feel better about whatever reflexive fear we might have about integrating things like services from state and federal governments?

It's a really interesting point. Since this is going to be a private sector led and maintained initiative, you can have citizens communicating directly with state and local governments without any loop through the federal system. The White House strategy working on this has been  eminently clear on the idea that they're no one centralized database. The government isn't going to jump in and be the identity provider. They want the private sector to provide the identities so that the government can offer services.

What, then, do these identity providers look like?

That's a big part of the question. Everyone in the private sector right now is interested in that, as a new service they can offer people. An identity provider could be your cell phone service, your ISP, or something completely separate and unaffiliated. The hope is that you would get to choose that, although there seems to be some natural answers. If you're a Verizon cell phone service, they have your information. They could be an identity provider very, very easily.

Hmm. But is it also possible that we see someone like, say, the Electronic Frontier Foundation having a spin-off, or even CDT having a spin-off, offering identity provider services?

Yeah. The hope is that there will be a competitive and diverse set of providers out there so. You know, I personally would not love for Verizon to be my identity provider, but I'd be happy to have the EFF do it. The idea is that there's going to be a legal and policy structure to support these transactions. That's where you get this "trust framework" idea.

CDT -- and I think any other public interest organization would echo this -- thinks it would be just awesome to have baseline privacy legislation, something from Congress that's not overly specific, but that's general enough to stand the test of time and give guidance in the Internet world. So we hope that privacy legislation would be a backstop for everything happening here. But the trust framework is more specifically a single set of agreements ideally maintained by some sort of non-profit organization. They would have the privacy policy as it relates to the people providing the identity, the people receiving the identity, and the user’s rights -- all three parties covered under a common framework.

Is there anything similar we currently have in our lives?

Visa. You take your credit card or ATM card to any ATM, even if it's not your bank's, you stick your card in the machine, and it gives you money. It works because the banks have policies and rules in place so that they can all serve you. They can all be trusted with your identity. What actually gave them the kick to do this was that government said, "Hey, we're going to make you responsible for monetary losses and identity theft." What people are envisioning is something like Visa but for all kinds of Internet transactions.

The most basic way of thinking about this is that you need rules and you need tools. The tools are more or less out there. The technology exists. What we don't have are the rules, the policy and legal infrastructure to support them. What the national strategy is trying to do is to, one, coalesce people around tools and standards and, two, build up a policy framework that allows us to use these tools in ways that are privacy preserving, secure, and allocate liabilities appropriately. So it’s a big project.  We need innovation in technology and we need innovation in policy to make it happen.

What does it do for our privacy to have, sure, maybe not one centralized database, but maybe a dozen known identity providers?

Exactly, and that gets us right back to the important of Internet privacy [policy]. Think about it: the fewer identities you use online, the easier it is to track you across a huge context of online behaviors. So it’s really important we give a lot of attention to how that information is collected, processed, and shared.  I'm not sure that's happening until we get baseline privacy legislation. At the moment, pretty much what we have is the Federal Trade Commission policing the worst of online behaviors. But it’s a little bit of a wild West out there. There are good actors out there, there are bad actors who are going to try to get away with as much as possible.

There's a little bit of split of opinion on whether these trust frameworks can compete with one another -- whether they can say, "Our framework offers you better privacy, better rules, and better enforcement and accountability than any other, and so anyone who bears our trustmark you can trust.'"

From what we've heard, Twitter recently fought to get disclosure of a court order in the Wikileaks case so that they could let their users know what was going on. But these things seem to be so ad hoc; we don't always know how companies are going to end up behaving when push comes to shove. But you can see that becoming a selling point, no? "As your identity provider, I'll stand up for..."

I can envision a world where a particularly good trust framework says, "Our terms of service that we will take every possible step to resist government subpoenas for your information. Any of the identity providers under our framework or anyone who accepts information from any of our identity providers must have those terms of service, too." If something like that gains traction, that would be great.

I certainly don't have the wisdom to say whether or not this is going to happen, or whether it's even likely, but one of the cool opportunities is that we coalesce around communities that say, "If you want to be a part of this community, you have to abide by these standards." It would be an awesome thing to see that sort of competition.

News Briefs

RSS Feed wednesday >

Another Co-Opted Hashtag: #MustSeeIran

The Twitter hashtag #MustSeeIran was created to showcase Iran's architecture, landscapes, and would-be tourist destinations. It was then co-opted by activists to bring attention to human rights abuses and infringements. Now Twitter is home to two starkly different portraits of a country. GO

What Has the EU Ever Done For Us?: Countering Euroskepticism with Viral Videos and Monty Python

Ahead of the May 25 European Elections, the most intense campaigning may not be by the candidates or the political parties. Instead, some of the most passionate campaigns are more grassroots efforts focused on for a start stirring up the interest of the European electorate. GO

At NETmundial Brazil: Is "Multistakeholderism" Good for the Internet?

Today and tomorrow Brazil is hosting NETmundial, a global multi-stakeholder meeting on the future of Internet governance. GO

Brazilian President Signs Internet Bill of Rights Into Law at NetMundial

Earlier today Brazil's President Dilma Rousseff sanctioned Marco Civil, also called the Internet bill of rights, during the global Internet governance event, NetMundial, in Brazil.


tuesday > Reboots As a Candidate Digital Toolkit That's a Bit Too Like launched with big ambitions and star appeal, hoping to crack the code on how to get millions of people to pool their political passions through their platform. When that ambition stalled, its founder Nathan Daschle--son of the former Senator--decided to pivot to offering political candidates an easy-to-use free web platform for organizing and fundraising. Now the new is out from stealth mode, entering a field already being served by competitors like NationBuilder, Salsa Labs and And strangely enough, seems to want its early users to ask for help. GO

Armenian Legislators: You Can Be As Anonymous on the 'Net As You Like—Until You Can't

A proposed bill in Armenia would make it illegal for media outlets to include defamatory remarks by anonymous or fake sources, and require sites to remove libelous comments within 12 hours unless they identify the author.


monday >

The Good Wife Looks for the Next Snowden and Outwits the NSA

Even as the real Edward Snowden faces questions over his motives in Russia, another side of his legacy played out for the over nine million viewers of last night's The Good Wife, which concluded its season long storyline exploring NSA surveillance. In the episode titled All Tapped Out, one young NSA worker's legal concerns lead him to becoming a whistle-blower, setting off a chain of events that allows the main character, lawyer Alicia Florrick (Julianna Margulies), and her husband, Illinois Governor Peter Florrick (Chris Noth), to turn the tables on the NSA using its own methods. GO

The Expanding Reach of China's Crowdsourced Environmental Monitoring Site, Danger Maps

Last week billionaire businessman Jack Ma, founder of the e-commerce company Alibaba, appealed to his “500 million-strong army” of consumers to help monitor water quality in China. Inexpensive testing kits sold through his company can be used to measure pH, phosphates, ammonia, and heavy metal levels, and then the data can be uploaded via smartphone to the environmental monitoring site Danger Maps. Although the initiative will push the Chinese authorities' tolerance for civic engagement and activism, Ethan Zuckerman has high hopes for “monitorial citizenship” in China.


The 13 Worst Bits of Russia's Current and Maybe Future Internet Legislation

It appears that Russia is on the brink of passing still more repressive Internet regulations. A new telecommunications bill that would require popular blogs—those with 3,000 or more visits a day—to join a government registry and conform to government-mandated standards is expected to pass this week. What follows is a list of the worst bits of both proposed and existing Russian Internet law. Let us know in the comments or on Twitter if we missed anything.


Transparency and Public Shaming: Pakistan Tackles Tax Evasion

In Pakistan, where only one in 200 citizens files their income tax return, authorities published a directory of taxpayers' details for the first time. Officials explained the decision as an attempt to shame defaulters into paying up.