I chatted with Katherine Druckman and Doc Searls of Reality 2.0 about the dangers of ID.me, a national identity system created by the IRS and contracted out to one private company, and the need for the alternatives, decentralized systems with open standards.
New America India US Public Interest Technology Fellow
I traveled to India in the Winter of 2019 to study their National ID System Aadhaar. This is the paper that I wrote:
Key Differences Between the U.S. Social Security System and India’s Aadhaar System (Kaliya Young)
We must understand the past to not repeat it
Please see the prior post and the post before about how we got to discussing this.
We can not forget that the Holocaust was enabled by the IBM corporation and its Hollerith machine. How did this happen? What were these systems? How did they work? and particularly how did the private sector corporation IBM end up working a democratically elected government to do very horrible things to vast portions of its citizenry? These are questions we can not ignore.
In 2006 Stefan Brands gave a talk that made a huge impression on me he warned us and audience of very well meaning technologists that we had to be very careful because we could incrementally create a system that could lead to enabling a police state. It was shocking at the time but after a while the point he was making sunk in and stuck with me. He shared this quote (this slide is from a presentation he gave around the same time)
It is the likability that is the challenge.
We have to have the right and freedom NOT to be required to use our “real name” and birthdate for everything.
This is the defacto linkable identifier that the government is trying to push out over everything so they can link everything they do together.
Stephan proposes another Fair Information Principle.
I will share more of Stephan’s slides because I think they are prescient for today.
Stephan’s slides talk about User-Centrism technology and ideas in digital identity – ideas that have virtually no space or “air time” in the NSTIC discussions because everything has been broken down (and I believe intentionally so) into “security” “standards” “privacy” “trust frameworks” silos that divide up the topic/subject in ways that inhibit really tackling user-centrism or how to build a working system that lives up to the IDEALS that were outlined in the NSTIC document.
I have tried and tried and tried again to speak up in the year and a half before the IDESG and the 2 years since its existence to make space for considering how we actually live up to ideals in the document. Instead we are stuck in a looping process of non-consensus process (if we had consensus I wouldn’t be UN-consensusing on the issues I continue to raise). The IDESG are not taking user-centrism seriously, we are not looking at how people are really going to have their rights protected – how people will use and experience these large enterprise federations.
Yes everyone that is what we are really talking about…Trust Framework is just a code word for Enterprise Federation.
I went to the TSCP conference a big defence/aerospace federation (who was given NSTIC grants to work on Trust Framework Development Guidance) where this lovely lady Iana from Deloitte who worked on the early versions of NSTIC and potential governance outlines for IDESG – she said very very clearly “Trust Frameworks ARE Enterprise Federations” and it was like – ahhh a breath of fresh clear honest air – talking about what we are really talking about.
So back to the Stephan Brands re-fresher slides on user-centric ID so we don’t forget what it is.
Look at these, take them seriously.
Dear IDESG, I’m sorry. I didn't call you Nazi's.
The complaint was that I called my fellow IDESG colleagues Nazi’s. He was unsatisfied with my original statement about the tweet on our public management council mailing list. Some how this led to the Ombudsman taking on the issue and after I spoke with him in Tampa it was followed by a drawn out 5 week “investigation” by the Ombudsman before he issued a recommendation.
Then turns out after all was said and done there was never actually a formal complaint. There was the ombudsman taking action on his own. (its funny how organizations can use Ombudsman to not actually protect people with in institutions but use them as institutional forces to push people out who speak up and ask too many questions)
During the time I was being investigated I experienced intensive trolling about the matter on twitter itself. The trolling was done by someone obviously familiar with the situation who was upset. There were only 5 people familiar with them matter as it was ongoing through this investigation.During my own IIW conference the troll topped off the week by making implicit rape threats. This was very very disruptive and upsetting to me so much so I don’t even remember that IIW.
Here is the tweet that I authored while pondering theories of organizational dynamics in Tampa and without any intent to cause an association in the mind of a reader with IDESG, NSTIC, nor any person or persons in particular note that I did not reference anyone with a @____ or add any signifying hashtags e.g., #idesg or #nstic in this tweeted comment. So unless you were reading everything you would never know I said it.
I own that the tweet was provocative but it was It was not my intent to cause harm to anybody or to the IDESG organization and wider identity community.
We can’t put documents up for community and public input and say “its 40 page document nobody has time to read” and laugh as if it is funny that the process is so bad that there is no ability for the body of the organization let alone the public to have insight. That is how not good things begin to happen no one is looking. I was trying to make a point that the meeting was being badly badly run and that poor process can lead to really bad outcomes.
I am very sorry if the tweet had an emotionally negative impact on people on the management council. I fully acknowledge that referencing anything relative to the Nazi era is triggering. It touches on our collective shame and surfaces vulnerability it is very hard to look at.
I also believe that we have to actually be prepared to do so. If we don’t examine the past we can’t be sure we will not repeat it. [Please click to see my my next post for this to be further expounded upon]
I didn’t choose to say anything along these lines because I was in the middle of a process with the Ombudsman I thought that would be honored and let to run its course.
I also didn’t feel one should feed internet trolls – one was being very aggressive and pestering me for an apology.
I think that we all need to keep in mind our roles as Directors of the IDESG when we interact with the public and with each other.
This includes hiding behind pseudonyms and aggressively trolling to get back at someone you are upset with. Which also happened – either deal with the issue in a formal process or take them out on twitter but do’t do both.
The whole process left my and my attorney puzzled. My attorney wrote a letter to the Management Council/Board of Directors with a whole bunch of questions and now that this is posted we look forward to their answers to those questions.
No one from he IDESG including the ombudsman ever responded or was concerned by the aggressive trolling and implicit rape threats on twitter by someone intimately familiar with the ongoing ombudsman process.
Abusive behavior towards women isn’t just a physical thing it is a psychological as well. I have felt unsafe in the Identity community since this incident. I am now setting it aside though and stepping forth in my full power.
BC Identity Citizen Consultation Results!!!!
This article explains more about the different parts of the British Columbia Citizen Consultation about their “identity card’ along with how it is relevant and can inform the NSTIC effort. [Read more…] about BC Identity Citizen Consultation Results!!!!
Resources for HopeX Talk.
I accepted an invitation from Aestetix to present with him at HopeX (10).
It was a follow-on talk to his Hope 9 presentation that was on #nymwars.
He is on the volunteer staff of the HopeX conference and was on the press team that helped handle all the press that came for the Ellsberg – Snowden conversation that happened mid-day Saturday. It was amazing and it went over an hour – so our talk that was already at 11pm (yes) was scheduled to start at midnight.
Here are the slides for it – I modified them enough that they make sense if you just read them. My hope is that we explain NSTIC, how it works and the opportunity to get involved to actively shape the protocols and policies maintained.
[Read more…] about Resources for HopeX Talk.
BC Government Innovation in eID + Citizen Engagement.
I wrote an article for Re:ID about the BC Government’s Citizen Engagement process that they did for their eID system.
Here is the PDF: reid_spring_14-BC
BC’S CITIZEN ENGAGEMENT:A MODEL FOR FUTURE PROGRAMS
Because of my decade long advocacy for the rights and dignity of our digital selves, I have become widely known as “Identity Woman.” The Government of British Columbia invited me to participate as an industry specialist/expert in its citizen consultation regarding the province’s Services Card. I want to share the story of BC’s unique approach, as I hope that more jurisdictions and the effort I am most involved with of late, the U.S. government’s National Strategy for Trusted Identities in Cyberspace, will choose to follow it.
The Canadian Province of British Columbia engaged the public about key issues and questions the BC Services Card raised. The well-designed process included a panel of randomly selected citizens. They met face- to-face, first to learn about the program, then to deliberate key issues and finally make implementation recommendations to government.
[Read more…] about BC Government Innovation in eID + Citizen Engagement.
The Trouble with Trust, & the case for Accountability Frameworks for NSTIC
There are many definitions of trust, and all people have their own internal perspective on what THEY trust.
As I outline in this next section, there is a lot of meaning packed into the word “trust” and it varies on context and scale. Given that the word trust is found 97 times in the NSTIC document and that the NSTIC governing body is going to be in charge of administering “trust marks” to “trust frameworks” it is important to review its meaning.
I can get behind this statement: There is an emergent property called trust, and if NSTIC is successful, trust on the web would go up, worldwide.
However, the way the word “trust” is used within the NSTIC document, it often includes far to broad a swath of meaning.
When spoken of in every day conversation trust is most often social trust.
[Read more…] about The Trouble with Trust, & the case for Accountability Frameworks for NSTIC
Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.
This is cross posted on my Fast Company Expert Blog with the same title.
I was very skeptical when I first learned government officials were poking around the identity community to learn from us and work with us. Over the last two and a half years, I have witnessed dozens of dedicated government officials work with the various communities focused on digital identity to really make sure they get it right. Based on what I heard in the announcements Friday at Stanford by Secretary of Commerce Locke and White House Cybersecurity Coordinator Howard Schmidt to put the Program Office in support of NSTIC (National Strategy for Trusted Identities in Cyberspace) within the Department of Commerce. I am optimistic about their efforts and frustrated by the lack of depth and insight displayed in the news cycle with headlines that focus on a few choice phrases to raise hackles about this initiative, like this from CBS News: Obama Eyeing Internet ID for Americans.
I was listening to the announcement with a knowledgeable ear, having spent the last seven years of my life focused on user-centric digital identity. Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these, and with other core threads of our communities’ efforts: to support identifiers portable from one site to another, to reduce the number of passwords people need, to prevent one centralized identity provider from being the default identity provider for the whole internet, to support verified anonymity (sharing claims about yourself that are verified and true but not giving away “who you are”), support broader diffusion of strong authentication technologies (USB tokens, one-time passwords on cellphones, or smart cards), and mutual authentication, allowing users to see more closely that the site they are intending to do business with is actually that site.
Looking at use cases that government agencies need to solve is the best way to to understand why the government is working with the private sector to catalyze an “Identity Ecosystem”.
The National Institutes of Health is a massive granting institution handing out billions of dollars a year in funding. In the process of doing so, it interacts with 100,000’s of people and does many of those interactions online. Many of those people are based at institutions of higher learning. These professors, researchers, post-docs and graduate students all have identifiers that are issued to them by the institutions they are affiliated with. NIH does not want to have the expense of checking their credentials, verifying their accuracy and enrolling them into its system of accounts, and issuing them an NIH identifier so they can access its systems. It wants to leverage the existing identity infrastructure, to just trust their existing institutional affiliation and let them into their systems. In the United States, higher educational institutions have created a federation (a legal and technical framework) to accept credentials from other institutions. The NIH is partnering with the InCommon Federation to be able to accept, and with that acceptance to trust, identities from its member institutions and thus reduce the cost and expense of managing identities, instead focusing on its real work: helping improve the health of the nation through research.
The NIH doesn’t want to use a cookie and doesn’t want to know who you are. They would like to be helpful and support your being able to use their library over time, months and years, in a way that serves you, which means you don’t have to start from scratch each time you come to their website. It was fascinating to learn about the great lengths to which government officials were going to adopt existing standards and versions of those standards that didn’t link users of the same account across government websites (see my earlier post on Fast Company). They proactively DID NOT want to know who users of their library were.
One more use case from the NIH involves verified identities from the public. The NIH wants to enroll patients in ongoing clinical trials. It needs to actually know something about these people – to have claims about them verified, what kind of cancer do they have, where are they being treated and by whom, where do they live, etc. It wants to be able to accept claims issued by third parties about the people applying to be part of studies. It does not want to be in the business of verifying all these facts, which would be very time consuming and expensive. It wants to leverage the existing identity infrastructures in the private sector that people interact with all the time in daily life, and accept claims issued by banks, data aggregators, utility companies, employers, hospitals etc.
These three different kinds of use cases are similar to others across different agencies, and those agencies have worked to coordinate efforts through ICAM which was founded in September 2008 (Identity, Credential and Access Management Subcommittee of the Information Security & Identity Management Committee established by the Federal CIO Council). They have made great efforts to work with existing ongoing efforts and work towards interoperability and adopting existing and emerging technical standards developed in established industry bodies.
Let’s continue exploring what an identity ecosystem that really works could mean. The IRS and the Social Security Administration would each like to be able to let each person it has an account for login and interact with it online. We as those account holders would like to do this – it would be more convenient for us – but we want to know that ONLY we can get access to our records, that that they won’t show our record to someone else.
So let’s think about how one might be able to solve this problem.
One option is that each agency that interacts with anywhere from thousands to millions of citizens issues their own access credentials to the population it serves. This is just a massively expensive proposition. With citizens interacting with lots of agencies, they would need to manage and keep straight different IDs from different agencies. This is untenable from a end-user perspective and very expensive for the agencies.
Another option is that the government issues one digital ID card to everyone ,and this one ID could be used at a bunch of different agencies that one might interact with. This is privacy-invasive and not a viable solution politically. No one I have ever talked to in government wants this.
So how to solve this challenge – how to let citizens login to government sites that contain sensitive personal information – whether it be tax records, student loan records, Department of Agriculture subsidies, or any other manner of government services, and be sure that it really is the person via an Identity Ecosystem.
Secretary Locke’s Remarks: The president’s goal is to enable an Identity Ecosystem where Internet users can use strong, interoperable credentials from public and private service providers to authenticate themselves online for various transactions.
What does a private sector service provider use case look like in this ecosystem?
When we open accounts, they are required to check our credentials and verify our identities under know-your-customer laws. People have bank accounts and use them for many years. They know something about us because of their persistent ongoing relationship with us: storing our money. Banks could, in this emerging identity ecosystem, issue their account holders digital identity credentials that would be accepted by the IRS to let them see their tax records.
The private sector, for its own purposes, does a lot to verify the identities of people, because it has to do transactions with them that include everything from opening a bank account, to loaning money for a house, to setting up a phone or cable line, to getting a mobile phone, to a background check before hiring. All of these are potential issuers of identity credentials that might be accepted by government agencies if appropriate levels of assurance are met.
What does is a public service provider look like in this ecosystem?
The Federal Government does identity vetting and verification for its employees. Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors directs the implementation of a new standardized identity badge designed to enhance security, reduce identity fraud, and protect personal privacy. To date, it has issued these cards to over 4 million employees and contractors.
These government employees should in this emerging ecosystem be able to use this government-issued credential if they need to verify their identities to commercial entities when they want to do business with in the private sector.
There is a wide diversity of use cases and needs to verify identity transactions in cyberspace across the public and private sectors. All those covering this emerging effort would do well to stop just reacting to the words “National” “Identity” and “Cyberspace” being in the title of the strategy document but instead to actually talk to the the agencies to to understand real challenges they are working to address, along with the people in the private sector and civil society that have been consulted over many years and are advising the government on how to do this right.
I am optimistic that forthcoming National Strategy and Program Office for Trusted Identities in Cyberspace will help diverse identity ecosystem come into being one that reduce costs (for governments and the private sector) along with increasing trust and overall help to make the internet a better place.[Read more…] about Authored: National! Identity! Cyberspace! Why we shouldn’t freak out about NSTIC.
Thoughts on the National Strategy for Trusted Identities in Cyberspace
Update: This blog post was written while reading the first draft released in the Summer of 2010. A lot changed from then to the publishing of the document in April 2011.
Here is my answer to the NSTIC Governence Notice of Inquiry.
And an article I wrote on Fast Company: National! Identity! Cyberspace! Why you shouldn’t freak out about NSTIC.
Interestingly in paragraph two on the White House blog it says that NSTIC stands for “National Strategy for Trusted Initiatives in Cyberspace” rather than “National Strategy for Trusted Identities in Cyberspace”.
This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.
[Read more…] about Thoughts on the National Strategy for Trusted Identities in Cyberspace
SSN's can be guessed
“The nation’s Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.
This is from the Wired coverage:
By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.
“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”
Basically it means we shouldn’t be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN’s. I wonder if they can figure out mine? I received my as an adult when I was attending college in California.
I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster,”.
Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.
Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.
Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One facebook user divulging his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.
Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.
According to Sophos, the results of what it calls its Facebook ID Probe has significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.
I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven’t mentioned it.
Government data linked together…
a story from The Guardian about FBI interest in connectivity between its own database resources and those abroad. It’s spearheading a program labeled ‘Server in the Sky’, meant to coordinate the police forces of the United States, the United Kingdom, Canada, Australia, and New Zealand to better fight international crime/terrorist groups. The group is calling itself the International Information Consortium.
“Britain’s National Policing Improvement Agency has been the lead body for the FBI project because it is responsible for IDENT1, the UK database holding 7m sets of fingerprints and other biometric details used by police forces to search for matches from scenes of crimes. Many of the prints are either from a person with no criminal record, or have yet to be matched to a named individual. IDENT1 was built by the computer technology arm of the US defence company Northrop Grumman. In future it is expected to hold palm prints, facial images and video sequences.”
From Slashdot: Most Scary to Least Scary
FBI datamining for more then just terrorists:
“Computerworld reports that the FBI is using data mining programs to track more than just terrorists. The program’s original focus was to identify potential terrorists, but additional patterns have been developed for identity theft rings, fraudulent housing transactions, Internet pharmacy fraud, automobile insurance fraud, and health-care-related fraud. From the article: ‘In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report [on the data mining] was four months late and raised more questions than it answered. The report “demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans’ most sensitive personal information,” he said. At the same time, the report provides an “important and all-too-rare ray of sunshine on the department’s data mining activities,” Leahy said. It would give Congress a way to conduct “meaningful oversight” he said.'”
from the just-forward-your-mail-to-homeland-security dept:
“You probably already knew that the FBI was data mining Americans in the “search” for potential terrorists, but did you know that they’re also supposed to be looking for people in the U.S. engaged in criminal activity that is not really supposed to be the province of the federal government? Now the feds are alleged to be data mining for insurance fraudsters, identity thieves, and questionable online pharmacists. That’s what they’re telling us now. What else could they be looking for that they are not telling us about?”
From the is-that-anything-like-the-lime-in-the-coconut dept:
“The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’ Microsoft, who once teamed with law enforcement to protect consumers from unwanted advertising, goes on to boast that the invention can ‘take steps to verify ad consumption,’ be used to block ads from competitors, and even sneak a peek at ‘user document files, user e-mail files, user music files, downloaded podcasts, computer settings, [and] computer status messages’ to deliver more tightly targeted ads.”
From the how much can you remember department:
The research reveals that the average citizen has to remember five passwords, five pin numbers, two number plates, three security ID numbers and three bank account numbers just to get through day to day life.
Six out of ten people claimed that they suffer from “information overload,” stating that they need to write these numbers down in order to remember them.
However, more than half of the 3000 people surveyed admitted to using the same password across all accounts, leaving them at risk of potentially severe security breaches.
Professor Ian Robertson, a neuropsychology expert based at Trinity College Dublin who carried out the study, said: “People have more to remember these days, and they are relying on technology for their memory.
“But the less you use of your memory, the poorer it becomes. This may be reflected in the survey findings which show that the over 50s who grew up committing more to memory report better performance in many areas than those under 30 who are heavily reliant on technology to act as their day to day aide memoir.”
Who ownes that copy?:
‘Copyfraud is everywhere. False copyright notices appear on modern reprints of Shakespeare’s plays, Beethoven’s piano scores, greeting card versions of Monet’s Water Lilies, and even the US Constitution. Archives claim blanket copyright in everything in their collections. Vendors of microfilmed versions of historical newspapers assert copyright ownership. These false copyright claims, which are often accompanied by threatened litigation for reproducing a work without the owner’s permission, result in users seeking licenses and paying fees to reproduce works that are free for everyone to use…'”
Second Life – the real picture emerges:
The LA Times is running a story today saying that marketers are pulling out of Second Life, primarily because — surprise, surprise — the ‘more than 8 million residents’ figure on the game’s Web site is grossly inflated. Also, as it turns out, the virtual world’s regular visitors — at most 40,000 of them online at any time — are not only disinterested in in-world marketing, but actively hostile to it, staging attacks on corporate presences such as the Reebok and American Apparel stores.
THIS IS FUN:
RunBot Robot Walks:
“The basic walking steps of Runbot, which has been built by scientists co-operating across Europe, are controlled by reflex information received by peripheral sensors on the joints and feet of the robot, as well as an accelerometer which monitors the pitch of the machine. These sensors pass data on to local neural loops – the equivalent of local circuits – which analyse the information and make adjustments to the gait of the robot in real time.”
THIS IS GODO NEWS:
from the free-at-last dept:
“IBM is making it easier to utilize its patented intellectual property to implement nearly 200 standards in the SOA, Web services, security and other spaces. Under a pledge issued by the company Wednesday, IBM is granting universal and perpetual access to intellectual property that might be necessary to implement standards designed to make software interoperable. IBM will not assert any patent rights to its technologies featured in these standards. The company believes its move in this space is the largest of its kind.”
Announcing The Virtual Rights Symposium on Digital Identity & Human Rights
This is the first of what we hope to be an annual event about Digital
Identity and Human Rights covering social issues, policy and
legislation in this arena.
The goal is to foster international cooperation on virtual rights
through high quality dialogue and deliberation between legislators,
researchers, service providers, and citizens.
The symposium will begin in September with interaction online both
synchronous and asynchronous. It will peak with a meeting in Costa Rica November 17-18th and continue online afterwards.
Virtual Rights Association is organizing the event in cooperation with Costa Rica University and the Berkman Center. Chair Jaco Aizerman please contact him at =jaco or http://public.xdi.org/=jaco
Please go to thewebsite at Virtual Rights to see the current version of the agenda.
Catalyst: Government Adoption of Federated Identity
This is drawn from David Temoshok’s Talk. He is the Director of Identity Policy and Management GSA Office of Government Policy
Homeland security directive 12
“Policy for Common Identification Standard For Federal Employees and Contractors” – August 2004
HSPD 12 Requirements
1. Secure and reliable forms of personal identification that are:
- Based on sound criteria to verify an individual employeeâ€™s identity
- Strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
- Rapidly verified electronically
- Issued only by providers whose reliability has been established by an official accreditation process
2. Applicable to all government organizations and contractors except National Security Systems
3. Used for access to federally-controlled facilities and logical access to federally-controlled information systems
4. Flexible in selecting appropriate security level â€“ includes graduated criteria from least secure to most secure
5. Implemented in a manner that protects citizensâ€™ privacy
Expanding Electronic Government
Needing Common Authentication Services for
- 280 million Citizens
- Millions of Businesses
- Thousands of Government Entities
- 10+ Million Federal Civilian and Military Personnel
You can learn more on the GSA website – http://www.gsa.gov/aces
Documents for the Undocumented
This week the cover of Business week is Embracing Illegals. The frame is about how businesses see the 11 million+ ‘illegal immigrants’ as a great market opportunity. To function economically in western capitalism you need identity documents to be part of the ‘representation system‘ that enables trusted value generation and exchange.
It dives into detail about how ‘undocumented immigrants’ get documents to basically function as normal US residents.
Guided by friends and family, the couple soon discovered how to navigate the increasingly above-ground world of illegal residency. At the local Mexican consulate, the Valenzuelas each signed up for an identification card known as a matrícula consular, for which more than half the applicants are undocumented immigrants, according to the Pew Hispanic center, a Washington think tank. Scores of financial institutions now accept it for bank accounts, credit cards, and car loans. Next, they applied to the Internal Revenue Service for individual tax identification numbers (ITINS), allowing them to pay taxes like any U.S. citizen — and thereby to eventually get a home mortgage.
The corporate Establishment’s new hunger for the undocumenteds’ business could have far-reaching implications for America’s stance on immigration policy, which remains unresolved. Corporations are helping, essentially, to bring a huge chunk of the underground economy into the mainstream.
The political implications are less clear-cut. Further integration of illegals into the U.S. could help President George W. Bush in his uphill struggle over the past two years to launch a guest worker program. His plan would provide a path to amnesty and full legalization for many unauthorized residents. Companies are taking a position similar to the President’s, in effect saying: There’s no point in pretending that millions of people aren’t here, so let’s find ways to deal with them.
It quickly became apparent. Largely via word of mouth in Hispanic neighborhoods, Wells Fargo has opened 525,000 matrícula accounts, which now represent 6% of the bank’s total. It opens 800 new accounts a day across the 23 states in which it does business.
The success of the matrícula has encouraged the expansion of other financial products, such as home mortgages, using the ITIN. Created for people such as foreigners with U.S. investments who aren’t eligible for a Social Security number but still may owe U.S. income taxes, the agency issued 900,000 ITINs last year and a total of 8 million since 1996. In Chicago, Second Federal Savings has 620 ITIN loans worth $90 million.
MS/HP – National Identity System Kim does it Follow the Laws?
So I wondered reading the below quote if the MS/HP National Identity System followed the Identity Laws that Kim has authored. The frame of this Techsploits column Hot for Data By Annalee Newitz does not make it sound like it does.
I was particularly squicked to hear about a new product from Hewlett-Packard and Microsoft that is designed to be an integrated identity-tracking suite for repressive government regimes.
It seems that virtual rights surrounding identity and the Kim’s Identity Laws surrounding proper use should be universal not just something US Citizens and perhaps Canadians enjoy. It is clear the web is global and thus the nature of the laws of identity for use in digital systems using the web also must be. I am wondering what Kim and others at Microsoft are doing to ensure the emergence of systems that are not going to be used by oppressive regimes.
Called the National Identity System, the product is touted for its ability to create smart ID documents, which can be checked at borders or across entire regions. It also has the fun ability to add biometric data to each identity profile. It’s plug-and-play surveillance! Now you don’t need to build your own repressive state apparatus, because HP has done it for you. Plus HP and Microsoft promise to set up training centers all over the world to help governments implement the system.
Luckily, it’s Windows-based, so my favorite hackers will be exploiting the hell out of it as soon as it gets widely deployed. I can’t wait for the underground how-to book to come outâ€”they can call it National Identity System Hacks.
Belgium Identity Cards
From ID Corner comes this story about Belgium Identity Cards.
The card provides strong security against traditional outsider attacks, but unfortunately has not been designed with privacy in mind. In fact, it features one of the worst privacy designs imaginable. Two glaring problems:
The citizen certificates on each ID chipcard contain the cardholder’s name and RRN (the œrijksregistratienummer,” a single government-wide identification number for each natural person). The name and RRN are disclosed whenever a card is used at a relying party. The RRN (which has a simple structure based on the citizen’s birthday) serves as the key to numerous databases containing citizen information; on the basis of this number, all cardholder actions and movements with the eID chipcard can be electronically traced and linked (not merely by the government itself!).
The eID card specifies the following information, both visibly on the card itself and stored within the card’s chip: cardholder’s photo, surname and first names, gender, nationality, place and date of birth, signature, RRN, and the validity period of the card. In addition, the chip also stores the cardholder’s current address. Some of this information is privacy-sensitive, yet the cardholder has no control over its disclosure. (Historically, this is the same information as has always been on Belgium identity cards, and so arguably this does not constitute a reduction in privacy; however, in most countries around the world an information-rich national identity card would not pass in the first place.)
The privacy problems do not stop here. Each eID chip contains two X.509v3 identity certificates (each specifying the citizen’s name and RRN number, one for authentication and one for digital signing), as well as a basic signature key to authenticate the card with respect to the RRN. The certificates and public keys, which are assigned by the central issuing authority, by themselves serve as “omni-directional” identifiers that are globally unique. For a detailed account on the various privacy problems caused by this use of PKI, see, for instance, here.