We do love our masks. Photo by Brian Snelson
To help solve the modern nightmare of trying to control your online identity and keep track of your passwords, the government came to Silicon Valley Friday and said it was here to help.
But rather than propose a big government initiative, Secretary of Commerce Gary Locke and the White House cyber czar Howard Schmidt made clear the feds want the private sector to take the lead.
“Just to be clear: We’re not talking about a national ID card,” Secretary Locke said in a speech at Stanford University. “We are not talking about a government-controlled system, but we are talking about enhancing online security and reducing the need to remember a dozen passwords.”
The government’s proposed solution is what the administration calls a “trusted-identity ecosystem.” The idea is to create an environment with a wide choice of trusted-identity providers that individuals can use to log in to a wide range of websites, including ones that handle sensitive data, using a single login.
Smart people have written a number of good pieces on this topic already, so I won't repeat too many of their points. In short, it's not hard to see this creating a very limited number of gateways to the biggest online services. Something like a Google ID could, by stumbling steps, become a required form of verification much like a Social Security number.
Here's another wrinkle: to put it nicely, Silicon Valley's record on privacy isn't stainless. From Facebook to Apple, the default response seems to be to see users' info as a tool for profit and their own as untouchable. Its biggest players generally act much the same way large, amoral corporations in any industry do.
The recent events of the Wikileaks battles don't bode well either. With no formal charges filed, major online companies happily shut down accounts, turned over information and failed to challenge gag orders. Twitter alone showed some spine in this department.
So there's precious little confidence when these entities are set to cooperate with government on something as volatile as identification. If these plans advance, the backlash will be like nothing Silicon Valley's faced before.
Imagine the following scenario: online identification for most major services is shuttled into a few trusted providers, who profit heavily off their role in the "ecosystem." Given their relative power, said companies could then exploit much of that data as they saw fit. Sure, tech-savvy people will figure ways around, but most people aren't tech-savvy.
Furthermore, the government (or a company) could simply have that trusted identification turned off, regardless of whether the person in question has been convicted of, or even charged with, anything.
Don't think that's likely? Look how drastically asset forfeiture is misused. If history is any lesson, the incentives here are not on the side of the angels.
Then, of course, all this is a boon for the very hackers and spies it's supposed to deter. Even if it's better guarded, now only one stolen identity is needed to open up a treasure trove of connected information. Hell, a smart thief won't even need any particular expertise; just bribe a low-level employee.
To avoid violating this blog's motto, I should note that "Silicon Valley" is not a monolithic entity. Plenty within its ranks differ widely in philosophy and practice. But the major actors are primarily out for their own gain.
Should you trust them to handle a matter this ripe for abuse? I don't.