back to article US proposes online IDs for Americans

The US Government has published plans to create digital identities for Americans. The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that …

COMMENTS

This topic is closed for new posts.

Page:

  1. Loyal Commenter Silver badge

    Face -> Palm

    "The US Government wants to create a voluntary system that will allow Americans to access financial services online using one account. It hopes the new system will help protect against fraud and identity theft and reduce the barriers to trade that multiple accounts brings to businesses and consumers, the strategy said."

    I'm guessing they have never heard of a 'singel point of failure' then. Phished once, phished everywhere...

    1. DrXym Silver badge

      SSNs

      The US already has a single point of failure. Everyone hands out their SSN to private businesses like toffee because so many of them ask for it. e.g. Banks & credit card companies use it as a unique key to do credit checks. I bet most US citizens know their SSN off by heart whereas most people in the UK haven't a clue what their national insurance number is, let alone where they left the plastic card that says it.

      Anyway I don't see the issue with having a single sign on ID for all government related business assuming appropriate safeguards were in place to protect people from themselves and hackers That would imply multi factor authentication + hard token of some kind.

      Just as important are safeguards and legislation preventing 3rd party access as well as the proliferation of government services that require sign on for use. It should be strictly for government to person business for tax, health and benefits and not for general inquiries, monitoring / tracking or frivolous uses (e.g. lending libraries).

      1. kwhitefoot
        Go

        single sign on ID for all government related business

        We already have this in Norway, had it for a couple of years. And it uses my mobile as part of the authentication process requiring me to both remember a password and be in possession of my mobile so that it can send me a token after I have given the right password, I then type the token in to the web page.

      2. Ammaross Danan
        Badgers

        Reading

        "It should be strictly for government to person business for tax, health and benefits and not for general inquiries, monitoring / tracking or frivolous uses (e.g. lending libraries)."

        In case you missed it, they're recommending it for online banking and the like too. It's supposed to be an "online identity" like Microsoft's Single Sign-on (LiveID) or the like. Once your username (email address likely?) and password is phished, logged, DB hacked, etc, your life is now an open book with access to any accounts in the system and government services.

        As for the SSN bit, yes, Americans (mostly) do have it memorized. However, a hacker getting your SSN isn't going to get them into your bank account (without some social engineering at least...). Basically this online identity will exacerbate the problems we have with SSNs.

        The government should invest more time into proper fraud protection schemes and less with helping end-users reduce password re-use with implementing a single password for everything. At least with password reuse, you don't have a convenient list of all the places you use said password. (yes, email would be a list, but if you lose your email account you're toast anyway).

      3. Anonymous Coward
        Coat

        Couldn't they just use RSA?

        Oh wait...

  2. spodula

    To me this sounds like

    o Paypal

    o single sign on

    o except government controlled.

    Neither of these three statements fills me with confidence.

  3. Blofeld's Cat
    Coat

    ID Cards: Reloaded

    If the US Government require any assistance with this project, we have a lot of ex-Ministers over here in the UK that are very keen on this sort of thing.

    It's the one with the "Spartacus" name tag.

  4. Kevin 6

    Wonder

    I wonder if they checked to see it the idea was already pantented

    "users will be able to register for access to a network of government and businesses providing data and ways to pay for things online"

    sounds like some vague description some patent troll would already have patented.

    Seriously though this sounds like a stupid idea instead of having to break into multiple accounts, and companies to steal all your accounts now they get a 1 stop shop for access over who you are. Smart, very smart...

  5. Anonymous Coward
    Anonymous Coward

    More to lose..

    When your ID for the new system gets stolen...

    1. TakeTheSkyRoad
      Black Helicopters

      Agreed !!

      This paragraph in particular I found interesting...

      "The Identity Ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers to link an individual's transactions, thus ensuring that no one service provider can gain a complete picture of an individual's life in cyberspace," the NSTIC document said.

      Very good except of course that whoever controls the system has access to *everything* which if you extend this to the limit is every purchase and financial transation you make. Not just online either because once this matures it would be trivial for plastic cards to contain the ID too or at least to link databases.

      Seems to be the US Gov has realised how much information there is to be had out there and if it gets in quick and early then it could end up with a huge amout of information on it's citizens.

      I think it's unlikely to extend outside of the US though other govs (UK ?) might cotton on too.

      1. Jeff Deacon

        titular thingy ... ...

        As a data collection exercise, it strikes me as being like the TIA or MATRIX disasters, except that it has the veneer of a purpose, whereas the two previous attempts were just pure central government data acquisition.

        Why have we got control freak governments everywhere?

    2. JimC Silver badge

      Its a hard choice but

      I think I mistrust Google even more then I mistrust Government...

      1. Alan W. Rateliff, II
        Paris Hilton

        Good news, everyone!

        Then I have great news for you. Google will probably be contracted to handle the data back-end.

        Paris, handling some kind of back-end.

      2. saned
        Big Brother

        Choice

        Except that I can choose not to use Google. I wish I could choose a different government...

        1. JimC Silver badge

          s/Google/Government/

          I can vote for a different MP or local councillor, I can't get Google to stop photographing my house, or listening on my WiFi, (if I were mug enough to have any) or ripping off my creative work and trying to get it declared orphan or or or...

  6. Anonymous Coward
    FAIL

    Is it just me

    or is this an eggs/basket interface ?

  7. Graham Marsden
    Black Helicopters

    "Although the system proposed is voluntary..."

    Ah, "voluntary" a word that is liable to mean "if you don't volunteer, you're screwed, because without this you're not going to be able to do business online"

  8. Roger Varley

    OMG - just where do we start with this ....

    as title really

    1. maclovinz

      In the Easter Spirit!

      XD

  9. Dan Beshear
    Coat

    More Utopian nonsense

    So what happens when Aunt Mildred hands out her information to help launder money from that long lost relative in Nigeria? How about when the less-than-secured-as-promised system gets hacked into? (My money is on 75-90 minutes after going live.) And how much will this über-Net system cost? Hopefully the costs come from the subscribers (corporate and human), but knowing how the US is going lately it'll be free for the $1M+ bunch and $49.99 per month for the <$1M for us teeming masses.

    Call me when the Uncle Sham figures out how he's going to avoid Chinese & Saudi foreclosure in 2016.

  10. Anonymous Coward
    Anonymous Coward

    time until

    Guesses on amount of time till (the likely never to be implemented) system is breached and millions of identities stolen from when it goes live?

    Unless it's infiltrated by someone clever of course, who will sit back and harvest for a few years then have some real fun.

  11. despicable me
    Troll

    Don't worry

    After all, if you have nothing to hide, you have nothing to fear - do you?

  12. Rich 11 Silver badge
    Big Brother

    It'll never happen..

    ...because the usual nutters will denounce it as the Mark of the Beast and a sign of the End Times, and get their Congresspersons wound up into creating a grandstanding religio-political furore aimed at currying votes and soliciting campaign contributions.

    Still, it's always fun to watch from the sidelines.

    1. Anonymous Coward
      FAIL

      Sorry to disappoint you

      I'm not a nutter (yet) and i'm not part of any right-wing wacko group (religious or otherwise), but this is just a bad idea. Last thing we need is another ID...another unsecured ID; another ID that can be stolen; another system to be breached; another place where notbody is responsible but the victims for their losses.

      JUST SAY NO!

  13. Anonymous Coward
    FAIL

    Trust Me!

    ...Nothing can _possibly_ go wrong...

    - Your Prez.

  14. Anonymous Coward
    Anonymous Coward

    1 Compromise _one_ set of credentials

    2 Get access to all my financial services.

    3 Profit.

  15. Lake.P.Sailor
    FAIL

    Nothing to see here, move along.

    Another pie in the sky information grab scheme that will go nowhere. File this "plan" in the FAIL bin alongside "RealID" and the Clipper chip.

    Assuming we had the money for it (we don't) people here won't stand for the notion of El Fed having that much control over how they go about buying things. We won't get into the whole "required ID" question.

  16. Nick Kew Silver badge

    Exactly what we need is ....

    ... almost this proposal.

    Take out the government, or any other central authority to distrust (as in Microsoft passport), and instead empower the individual with a cryptographically-secure, verified identity.

    Much easier than it looks. Watch this space. Oh, er, right, *that* space, then.

  17. Christoph Silver badge
    Unhappy

    Voluntary?

    So various business and government sites will make it very hard to use them without this.

    Then after a bit of mission creep, even funny foreigners will have to have one of these IDs to use many US sites.

    Some other governments will join in. Some will object to the US knowing everything their citizens do, so will start their own rival systems to be forced on their citizens.

    Don't those idiots *ever* think things through? OK, some of them want just this, but the rest?

    And of course the 'smaller government' lot will love it, because that's smaller for *them*, not for everyone else.

  18. Philip Hands

    It _could_ work ...

    if it were done such that one could buy a key fob or similar token from one of a dozen manufacturers, depending on your needs, which device would generate a new key whenever one fancied, and would allow you to chose between one of several such identities.

    Then you take your widget to the post office, or some such, along with your passport, a gas bill and your swimming proficiency certificate, and they sign your ID using public key crypto.

    I believe that one of the ex-USSR countries has something pretty close to that in their ID cards.

    If you think that one of your keys is compromised, you revoke the key, create a new one and go back to the post office for it to be authenticated. No enormous central database required.

    of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities.

    One could imagine having a tamper-proof module built into phones for holding these keys.

    at which point this becomes something like Dave Birch's psychic paper idea:

    http://digitaldebateblogs.typepad.com/digital_identity/2008/06/its-crazy-but-i.html

    shame it'll never happen

  19. a53

    Oh gawd

    If the Yanks are as good at losing security data as we Brits, heaven help them.

    1. copsewood
      Terminator

      @Philip Hands

      "One could imagine having a tamper-proof module built into phones for holding these keys."

      Best place for it, assuming the TPM has first class access to the display of the phone so you can know what you are signing with it. It'll have to be well firewalled from the dodgy applications you can download and run on the phone.

      "of course, since no central database is needed, there is no chance of the civil servants supporting such a scheme, because of the lack of empire building opportunities."

      Which is why a cross industry fully open (e.g. IETF style) standardisation process should lead this development, not government plans and legislation. Probably not in the US, as all the private corps involved will want patents on the tech so they can get rent out of it by keeping it restricted.

      Another question is, assuming a relatively independent post office wants the business of acting as the trusted third party, will their government masters prevent them because this approach isn't centrally controlled enough for the empire builders ? During the Nulab development of their ID cards at one time they were planning to make these compulsory and force 90 year old invalids to go to regional centres to be biometrically scanned so they could be issued these things.

    2. perlcat
      FAIL

      They lost mine quite handily

      Seems like government and stupid is saying the same thing twice.

    3. Anonymous Coward
      FAIL

      it could work if....

      If the Vietnamese hadn't just killed of the last of the unicorns....dang.

    4. Anonymous Coward
      FAIL

      won't ever work

      As i pointed out on Ars, when they wrote about this....ALL YOUR ID IS BASED ON A PILE OF PAPER. You can't EVER secure your ID. All anyone needs is pieces of paper to make them you (or vice versa).

      until the day comes that they fingerprint, footprint, eyeball print, DNA test your sprog immediately after they hatch out and take the mother's and father's DNA at the same time... then bar code the rugrag permanently and put it all in a nice smooth database... you won't have a sure ID. and hopefully i'll never live long enough to see this happen.

    5. John Smith 19 Gold badge
      Unhappy

      @Chrisoph

      "Then after a bit of mission creep, even funny foreigners will have to have one of these IDs to use many US sites."

      In the UK they started with the foreigners first.

  20. Michael 28
    Go

    ident-i-eeze

    The estate of Douglas Adams has proprietary rights on this.

  21. kns2c

    What online services?

    How about first implementing these "online services" properly. Most local governments don't accept online tax payments and those that do will charge you a "convenience" fee... seriously, they'd rather have me send them a check than have money deposited straight into their account. Even the federal government doesn't allow to file the tax return online without paying a 3rd party for the privilege (and even that doesn't work in many cases if you need some non-standard attachments). There are some exceptions, e.g. my state accepts vehicle registration fees online without a surcharge, but those are few and far between.

    Don't even get me started on the abysmal state of online banking. 3 days to transfer money from bank to bank and that's between your own accounts. No way to pay someone else directly - have to send a check.

    In case someone's wondering what a check (cheque) is - it's a piece of paper with your bank account number on it. Your bank account number is supposed to be kept secret because anyone who knows it can pull money from it. See the slight issue here?

    I'd say IDs are the least of our problems.

    1. Anonymous Coward
      WTF?

      so move!!

      "Don't even get me started on the abysmal state of online banking. 3 days to transfer money from bank to bank and that's between your own accounts. No way to pay someone else directly - have to send a check."

      Seriously, if that is what your internet banking is like then change banks. With my bank I can do account transfers and payments immediately - and they are immediate, most of the time less than 10 minutes.

      To pay someone else I just need their sort code and account number. Easy!

      1. kns2c

        Bank of Unicorns

        "Seriously, if that is what your internet banking is like then change banks. With my bank I can do account transfers and payments immediately - and they are immediate, most of the time less than 10 minutes.

        To pay someone else I just need their sort code and account number. Easy!"

        And that magical bank of yours is ... ? I have a feeling there is a bit of a geographical misunderstanding here (US vs UK).

  22. James Woods

    last I read

    This system is already live.

    And who to trust more; government or 'private sector'. There is no private sector when government gets involved in it with funding, contracts, and ideas.

    The private sector doesn't have the best track record themselves. It's why we have credit card standard systems being designed by credit card companies for whom still after first creating a problem and a solution still continue to have problems.

    All the while kicking around small businesses that haven't had problems and have to pay to keep up with corporate screwoff america.

    What can go wrong with a system like this.

  23. Anonymous Coward
    Anonymous Coward

    I'd bothered to read the first report

    and it basically proposed "passports... on the internet!" with some lip service sauce about the private sector saving the day and preserving everybody's privacy. That attitude apparently hasn't changed, so we have fancy words for what amounts to another verisign racket.

    "But it's voluntary!" is about as true as how voluntary you give monies to a commercial CA just to make those nag screens in your users' browsers go away. And maybe turn the location bar green.

    Admittedly I haven't read the new report as the previous one was sad enough. But going on this article, this five-letter-acronym still isn't mutual, it doesn't make everybody a first-class citizen, and the most important properties --of minimal information transfer, also no word on "trade" identities and such-- are left for commercial parties to invent, that don't exactly have a natural incentive to do so. Sounds like tripple win on a love parade float.

  24. Tom 35 Silver badge

    So they need magic

    "The US Government said that it was up to the private sector to develop technologies that make online identities secure and easy to use, safeguard transactions, and protect anonymity"

    So they are in effect going to put out a saucer of milk, and check in the morning to see if the elves have put together a system for them.

  25. Sly
    FAIL

    another reason to shop at local stores.

    cash... the great anonymous maker.

    1. mraak

      Cash

      That's why you have to pay them to your cash and that only a bit per day.

  26. Anonymous Coward
    FAIL

    I don't trust paypal

    Why would i trust the government?

    This has "bucket of fail" writ all over it in big letters.

  27. maclovinz
    Flame

    What the fuck?

    The Feds (not the President) can't even manage the nation's security now, why the HELL would I want this?

    So some $7-$9/hr public worker has every single one of my accounts?

    Please.

    Fix the fucking infrastructure first.

  28. Eduard Coli
    Thumb Down

    Old is new again

    This is a very bad idea indeed...

    No surprise, Mickey$oft tried to sell this in an early iteration on .NET.

    The problem they had was that the government's favorite charity, you know, the banks did not want to pay M$ for the privilege.

    Now the banks can have the government have us pay M$.

    I have the binder advertising this still. (the knowledge may be gone but the binder is forever).

  29. Martin.Hale
    Big Brother

    What's that old line again...

    ...oh yeah - put the government in charge of the desert and in a year you'll have a shortage of sand. There's zero chance of them not making a royal hash of this. Zero.

  30. mraak

    Fox

    Breaking news on Fox: Obama wants to Stalinize the internets. This is unacceptable.... unless it's privatised by a GOP donor.

Page:

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019