The US Government has published plans to create digital identities for Americans. The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that …
Face -> Palm
"The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that multiple accounts brings to businesses and consumers, the strategy said."
I'm guessing they have never heard of a 'single point of failure' then. Phished once, phished everywhere...
The US already has a single point of failure. Everyone hands out their SSN to private businesses like toffee because so many of them ask for it. e.g. Banks & credit card companies use it as a unique key to do credit checks. I bet most US citizens know their SSN off by heart whereas most people in the UK haven't a clue what their national insurance number is, let alone where they left the plastic card that says it.
Anyway I don't see the issue with having a single sign on ID for all government related business assuming appropriate safeguards were in place to protect people from themselves and hackers. That would imply multi factor authentication + hard token of some kind.
Just as important are safeguards and legislation preventing 3rd party access as well as the proliferation of government services that require sign on for use. It should be strictly for government to person business for tax, health and benefits and not for general inquiries, monitoring / tracking or frivolous uses (e.g. lending libraries).
"It should be strictly for government to person business for tax, health and benefits and not for general inquiries, monitoring / tracking or frivolous uses (e.g. lending libraries)."
In case you missed it, they're recommending it for online banking and the like too. It's supposed to be an "online identity" like Microsoft's Single Sign-on (LiveID) or the like. Once your username (email address likely?) and password are phished, logged, DB hacked, etc, your life is now an open book with access to any accounts in the system and government services.
As for the SSN bit, yes, Americans (mostly) do have it memorized. However, a hacker getting your SSN isn't going to get them into your bank account (without some social engineering at least...). Basically this online identity will exacerbate the problems we have with SSNs.
The government should invest more time into proper fraud protection schemes and less with helping end-users reduce password re-use with implementing a single password for everything. At least with password reuse, you don't have a convenient list of all the places you use said password. (yes, email would be a list, but if you lose your email account you're toast anyway).
single sign on ID for all government related business
We already have this in Norway, had it for a couple of years. And it uses my mobile as part of the authentication process requiring me to both remember a password and be in possession of my mobile so that it can send me a token after I have given the right password, I then type the token in to the web page.
Couldn't they just use RSA?
ID Cards: Reloaded
If the US Government require any assistance with this project, we have a lot of ex-Ministers over here in the UK that are very keen on this sort of thing.
It's the one with the "Spartacus" name tag.
To me this sounds like
o single sign on
o except government controlled.
Neither of these three statements fills me with confidence.
This paragraph in particular I found interesting...
"The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual's transactions, thus ensuring that no one service provider can gain a complete picture of an individual's life in cyberspace," the NSTIC document said.
Very good except of course that whoever controls the system has access to *everything* which if you extend this to the limit is every purchase and financial transaction you make. Not just online either because once this matures it would be trivial for plastic cards to contain the ID too or at least to link databases.
Seems to me the US Gov has realised how much information there is to be had out there, and if it gets in quick and early then it could end up with a huge amount of information on its citizens.
I think it's unlikely to extend outside of the US though other govs (UK ?) might cotton on too.
Its a hard choice but
I think I mistrust Google even more than I mistrust Government...
Except that I can choose not to use Google. I wish I could choose a different government...
Good news, everyone!
Then I have great news for you. Google will probably be contracted to handle the data back-end.
Paris, handling some kind of back-end.
titular thingy ... ...
As a data collection exercise, it strikes me as being like the TIA or MATRIX disasters, except that it has the veneer of a purpose, whereas the two previous attempts were just pure central government data acquisition.
Why have we got control freak governments everywhere?
I can vote for a different MP or local councillor, I can't get Google to stop photographing my house, or listening on my WiFi, (if I were mug enough to have any) or ripping off my creative work and trying to get it declared orphan or or or...
More to lose..
When your ID for the new system gets stolen...
I wonder if they checked to see if the idea was already patented
"users will be able to register for access to a network of government and businesses providing data and ways to pay for things online"
sounds like some vague description some patent troll would already have patented.
Seriously though, this sounds like a stupid idea: instead of having to break into multiple accounts and companies to steal all your accounts, now they get a 1-stop shop for access over who you are. Smart, very smart...
OMG - just where do we start with this ....
as title really
"Although the system proposed is voluntary..."
Ah, "voluntary" a word that is liable to mean "if you don't volunteer, you're screwed, because without this you're not going to be able to do business online"
Is it just me
or is this an eggs/basket interface ?
In the Easter Spirit!
More Utopian nonsense
So what happens when Aunt Mildred hands out her information to help launder money from that long lost relative in Nigeria? How about when the less-than-secured-as-promised system gets hacked into? (My money is on 75-90 minutes after going live.) And how much will this über-Net system cost? Hopefully the costs come from the subscribers (corporate and human), but knowing how the US is going lately it'll be free for the $1M+ bunch and $49.99 per month for the <$1M for us teeming masses.
Call me when the Uncle Sham figures out how he's going to avoid Chinese & Saudi foreclosure in 2016.
Guesses on amount of time till (the likely never to be implemented) system is breached and millions of identities stolen from when it goes live?
Unless it's infiltrated by someone clever of course, who will sit back and harvest for a few years then have some real fun.
After all, if you have nothing to hide, you have nothing to fear - do you?
It'll never happen..
...because the usual nutters will denounce it as the Mark of the Beast and a sign of the End Times, and get their Congresspersons wound up into creating a grandstanding religio-political furore aimed at currying votes and soliciting campaign contributions.
Still, it's always fun to watch from the sidelines.
Sorry to disappoint you
I'm not a nutter (yet) and I'm not part of any right-wing wacko group (religious or otherwise), but this is just a bad idea. Last thing we need is another ID...another unsecured ID; another ID that can be stolen; another system to be breached; another place where nobody is responsible but the victims for their losses.
JUST SAY NO!
...Nothing can _possibly_ go wrong...
- Your Prez.
1 Compromise _one_ set of credentials
2 Get access to all my financial services.
If the Yanks are as good at losing security data as we Brits, heaven help them.
They lost mine quite handily
Seems like government and stupid is saying the same thing twice.
It _could_ work ...
if it were done such that one could buy a key fob or similar token from one of a dozen manufacturers, depending on your needs, which device would generate a new key whenever one fancied, and would allow you to choose between one of several such identities.
Then you take your widget to the post office, or some such, along with your passport, a gas bill and your swimming proficiency certificate, and they sign your ID using public key crypto.
I believe that one of the ex-USSR countries has something pretty close to that in their ID cards.
If you think that one of your keys is compromised, you revoke the key, create a new one and go back to the post office for it to be authenticated. No enormous central database required.
Of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities.
One could imagine having a tamper-proof module built into phones for holding these keys.
At which point this becomes something like Dave Birch's psychic paper idea:
shame it'll never happen
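The scheme this post sketches (holder-generated key, signed at the post office, revocable, no central identity database) as an added illustration in Go; this is not code from the post or from any real scheme. It uses the standard library's Ed25519; the registrar key, holder name and challenge are constructed stand-ins, and the revocation list is a plain in-memory map.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential: a holder-generated public key bound to a name, signed by the registrar
// (the "post office" above). It lives on the holder's token, not in a central database.
type Credential struct {
	Holder      string
	HolderPub   ed25519.PublicKey
	Attestation []byte
}

// Revocations is the only per-holder state the registrar keeps: keys reported compromised.
type Revocations map[string]bool

func (rv Revocations) Revoke(pub ed25519.PublicKey) { rv[string(pub)] = true }

// credentialBytes is the message the registrar signs; the zero byte fixes the name/key boundary.
func credentialBytes(holder string, pub ed25519.PublicKey) []byte {
	return append(append([]byte(holder), 0), pub...)
}

// Attest is the counter visit: documents checked in person, then only the public key is signed.
func Attest(regPriv ed25519.PrivateKey, holder string, pub ed25519.PublicKey) Credential {
	sig := ed25519.Sign(regPriv, credentialBytes(holder, pub))
	return Credential{Holder: holder, HolderPub: pub, Attestation: sig}
}

// Verify runs at the relying party (a bank, say) with only the registrar's public key
// and the revocation list. The holder signs a per-session challenge to prove possession
// of the private key, so a copied credential on its own gets nobody in.
func Verify(regPub ed25519.PublicKey, revoked Revocations, c Credential, challenge, proof []byte) error {
	switch {
	case !ed25519.Verify(regPub, credentialBytes(c.Holder, c.HolderPub), c.Attestation):
		return errors.New("attestation does not verify against registrar key")
	case revoked[string(c.HolderPub)]:
		return errors.New("holder key is revoked")
	case !ed25519.Verify(c.HolderPub, challenge, proof):
		return errors.New("challenge not signed by the attested key")
	}
	return nil
}

func main() {
	regPub, regPriv, _ := ed25519.GenerateKey(rand.Reader) // registrar's signing key
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)       // generated on the holder's own token
	cred, revoked := Attest(regPriv, "A. Holder", pub), Revocations{} // constructed sample name
	challenge := []byte("constructed nonce; a real relying party picks a random one per session")
	fmt.Println("before revocation:", Verify(regPub, revoked, cred, challenge, ed25519.Sign(priv, challenge)))
	revoked.Revoke(pub)
	fmt.Println("after revocation:", Verify(regPub, revoked, cred, challenge, ed25519.Sign(priv, challenge)))
}
```

The relying party never stores anything about the holder; what it must fetch is the revocation list, which is the one piece of shared state the post's "revoke the key" step implies.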
it could work if....
If the Vietnamese hadn't just killed off the last of the unicorns....dang.
"One could imagine having a tamper-proof module built into phones for holding these keys."
Best place for it, assuming the TPM has first class access to the display of the phone so you can know what you are signing with it. It'll have to be well firewalled from the dodgy applications you can download and run on the phone.
"of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities."
Which is why a cross industry fully open (e.g. IETF style) standardisation process should lead this development, not government plans and legislation. Probably not in the US, as all the private corps involved will want patents on the tech so they can get rent out of it by keeping it restricted.
Another question is, assuming a relatively independent post office wants the business of acting as the trusted third party, will their government masters prevent them because this approach isn't centrally controlled enough for the empire builders? During the Nulab development of their ID cards at one time they were planning to make these compulsory and force 90 year old invalids to go to regional centres to be biometrically scanned so they could be issued these things.
Nothing to see here, move along.
Another pie in the sky information grab scheme that will go nowhere. File this "plan" in the FAIL bin alongside "RealID" and the Clipper chip.
Assuming we had the money for it (we don't) people here won't stand for the notion of El Fed having that much control over how they go about buying things. We won't get into the whole "required ID" question.
Exactly what we need is ....
... almost this proposal.
Take out the government, or any other central authority to distrust (as in Microsoft passport), and instead empower the individual with a cryptographically-secure, verified identity.
Much easier than it looks. Watch this space. Oh, er, right, *that* space, then.
won't ever work
As I pointed out on Ars, when they wrote about this....ALL YOUR ID IS BASED ON A PILE OF PAPER. You can't EVER secure your ID. All anyone needs is pieces of paper to make them you (or vice versa).
until the day comes that they fingerprint, footprint, eyeball print, DNA test your sprog immediately after they hatch out and take the mother's and father's DNA at the same time... then bar code the rugrat permanently and put it all in a nice smooth database... you won't have a sure ID. And hopefully I'll never live long enough to see this happen.
So various business and government sites will make it very hard to use them without this.
Then after a bit of mission creep, even funny foreigners will have to have one of these IDs to use many US sites.
Some other governments will join in. Some will object to the US knowing everything their citizens do, so will start their own rival systems to be forced on their citizens.
Don't those idiots *ever* think things through? OK, some of them want just this, but the rest?
And of course the 'smaller government' lot will love it, because that's smaller for *them*, not for everyone else.
"Then after a bit of mission creep, even funny foreigners will have to have one of these IDs to use many US sites."
In the UK they started with the foreigners first.
The estate of Douglas Adams has proprietary rights on this.
What online services?
How about first implementing these "online services" properly. Most local governments don't accept online tax payments and those that do will charge you a "convenience" fee... seriously, they'd rather have me send them a check than have money deposited straight into their account. Even the federal government doesn't allow you to file the tax return online without paying a 3rd party for the privilege (and even that doesn't work in many cases if you need some non-standard attachments). There are some exceptions, e.g. my state accepts vehicle registration fees online without a surcharge, but those are few and far between.
Don't even get me started on the abysmal state of online banking. 3 days to transfer money from bank to bank and that's between your own accounts. No way to pay someone else directly - have to send a check.
In case someone's wondering what a check (cheque) is - it's a piece of paper with your bank account number on it. Your bank account number is supposed to be kept secret because anyone who knows it can pull money from it. See the slight issue here?
I'd say IDs are the least of our problems.
"Don't even get me started on the abysmal state of online banking. 3 days to transfer money from bank to bank and that's between your own accounts. No way to pay someone else directly - have to send a check."
Seriously, if that is what your internet banking is like then change banks. With my bank I can do account transfers and payments immediately - and they are immediate, most of the time less than 10 minutes.
To pay someone else I just need their sort code and account number. Easy!
Bank of Unicorns
"Seriously, if that is what your internet banking is like then change banks. With my bank I can do account transfers and payments immediately - and they are immediate, most of the time less than 10 minutes.
To pay someone else I just need their sort code and account number. Easy!"
And that magical bank of yours is ... ? I have a feeling there is a bit of a geographical misunderstanding here (US vs UK).
last I read
This system is already live.
And who to trust more; government or 'private sector'. There is no private sector when government gets involved in it with funding, contracts, and ideas.
The private sector doesn't have the best track record themselves. It's why we have credit card standard systems being designed by credit card companies who, after first creating a problem and a solution, still continue to have problems.
All the while kicking around small businesses that haven't had problems and have to pay to keep up with corporate screwoff america.
What can go wrong with a system like this.
So they need magic
"The US Government said that it was up to the private sector to develop technologies that make online identities secure and easy to use, safeguard transactions, and protect anonymity"
So they are in effect going to put out a saucer of milk, and check in the morning to see if the elves have put together a system for them.
I'd bothered to read the first report
and it basically proposed "passports... on the internet!" with some lip service sauce about the private sector saving the day and preserving everybody's privacy. That attitude apparently hasn't changed, so we have fancy words for what amounts to another verisign racket.
"But it's voluntary!" is about as true as how voluntary you give monies to a commercial CA just to make those nag screens in your users' browsers go away. And maybe turn the location bar green.
Admittedly I haven't read the new report as the previous one was sad enough. But going on this article, this five-letter-acronym still isn't mutual, it doesn't make everybody a first-class citizen, and the most important properties --of minimal information transfer, also no word on "trade" identities and such-- are left for commercial parties to invent, that don't exactly have a natural incentive to do so. Sounds like triple win on a love parade float.
another reason to shop at local stores.
cash... the great anonymous maker.
That's why you have to pay them to your cash and that only a bit per day.
I don't trust paypal
Why would i trust the government?
This has "bucket of fail" writ all over it in big letters.
What the fuck?
The Feds (not the President) can't even manage the nation's security now, why the HELL would I want this?
So some $7-$9/hr public worker has every single one of my accounts?
Fix the fucking infrastructure first.
Where have all the biometrics gone?
Read El Reg's article, and there's a great big hole in the middle.
"Identity" means biometrics. That's what we've been told for years here in the UK. David Blunkett said so, so you know it's true. Even Meg Hillier said so. And yet there's not a single reference to biometrics in the entire article.
Stranger still, there's no mention in the Wall Street Journal article (http://blogs.wsj.com/digits/2011/04/15/a-government-plan-for-ids-to-replace-online-passwords/?mod=google_news_blog). Nor in the NATIONAL STRATEGY FOR TRUSTED IDENTITIES IN CYBERSPACE.
And even strangerama, there's no mention of biometrics in the Cabinet Office's description of the wacky Identity Assurance service which forms a crucial part of the psychedelic G-Digital Project (http://gdigital.direct.gov.uk/) which exists in the hallucinogenic G-Cloud programme (http://dematerialisedid.com/BCSL/Clouds.html).
Are we to understand now that biometrics are unnecessary? And/or that they don't work? And/or that we can now run identity management systems without biometrics, just as we have done for the past 5,000 years of civilisation?
We have used biometrics for the last 5000 years, in the form of recognising people when we see or hear them. Faces, voices, bodytype... are difficult to forge sufficiently well that a careful person can't spot it.
They don't work so reliably over the internet.
Biometrics are largely a fad. And a profitable industry.
A picture is a biometric, and it's a useful way to check if it somewhat matches the person touting the document. But that's largely where the usefulness ends. An experienced customs officer (a smart one, not a TSA type goon) isn't really looking for that anyway; he'll be checking if you aren't nervous over and above the normal for traveling, and if so, he'll ferret out why. It's what you're up to, not who you are, that's important to border control.
Take fingerprints. We've known since at least a 2002 academic paper that it's bloody easy to fool a fingerprint scanner. Aussie kids managed with gummi bears. Even those with heartbeat monitors in them. But that's not the worst of it. The problem is that whereas a document is easily replaceable*, fingerprints are not. So no redress in case of impersonation.
And you leave them bloody everywhere. Useful to dust for after a murder or something, not so useful when trying to protect yourself from impersonation.
"Biometrics" other than that picture are much like RFID: They're not useful to anybody but the sellers of the required equipment. They're an actual detriment to security as well as privacy, as a matter of fact, so I'd like my government to give me back a passport without RFID or fingerprints or what-have-you.
Phat chance that'll happen, but then again they're not there for me; they've made bloody clear time and again they choose to regard their citizens as potential criminals "just to be sure". And that's a western european country. I perforce agree with Mahatma Gandhi on the topic of western civilisation.
* Blacklist the passport number of the old one, issue a new one.