Obama Eyeing Internet ID For Americans

Pickens writes "CBS News reports that the Obama administration is currently drafting the National Strategy for Trusted Identities in Cyberspace, which will be released by the president in the next few months. 'We are not talking about a national ID card,' says Commerce Secretary Gary Locke, whose department will be in charge of the program. 'We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.' Although details have not been finalized, the 'trusted identity' may take the form of a smart card or digital certificate that would prove online users are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions. White House Cybersecurity Coordinator Howard Schmidt says that anonymity and pseudonymity will remain possible on the Internet. 'I don't have to get a credential if I don't want to,' says Schmidt. There's no chance that 'a centralized database will emerge,' and 'we need the private sector to lead the implementation of this.'"

how about no

[trolman]

This Internet ID scheme has been floated a couple of times now and it is not going to happen. The Federal Government like big companies and big programs aka Comcast/NBC, Net Control(net neutrality) and National Healthcare. It is about controlling the most people with the least effort. This is no different than requiring me to 'show my papers.' All of this really needs to stop. --If the feds need something to do they could start by implementing IPv6 and getting everyone an IP address.

Re:how about no

[transami]

"If the feds need something to do they could start by implementing IPv6 and getting everyone an IP address."

+1 (x 2^128)

Re:how about no

[Lawrence_Bird]

exactly. typical nannystatery, looking to solve a problem that does not exist with a government sponsored effort. And who for a moment doesn't think that this would carry advantages for the 3 letter boys and girls?

Re:how about no

[gandhi_2]

Problem that doesn't exist????

You don't get it. This could solve child porn, terrorism, and free expression in one shot!

Re:how about no

[Anonymous Coward]

'Nanny state' is a teabagger code word for Democratic lead government. Republicans get a free pass from you'all as God puts them in power to extend his justice (or so you'all would seem to claim).

And... Using the word "teabagger" in an argument is liberal code for, "I think Anderson Cooper is really hot and maybe I'll come out of the closet."

Re:how about no

[Sloppy]

Um, yeah, that's why we were all complaining about the Nanny State when Bush had Ashcroft go after the state of California over medical mariju-- wait, were we talking about Democrats?

Re:how about no

[element-o.p.]

I have a friend who says, "Democrats want to be your mommy. Republicans want to be your daddy. Libertarians just wish the government would treat us all like adults." I think he's right, by the way, so I'd agree that "Nanny state" and "Democratic lead (sic) government" are pretty much synonymous. However, Republicans certainly don't get a free pass from me, since IMHO, they are largely closet fascists looking to extend the government-led power grab of the last decade+. Unfortunately, the Dems seem to be following along in that tradition quite nicely, too.

Re:how about no

[Sporkinum]

Which brings to mind the current catch-22 I am stuck in. My driver's license expired on my birthday about 3 weeks ago. You have 60 days grace period to get it renewed. I went down to the office to get it renewed, but was rejected because the date of birth didn't match Social Security's. I actually noticed that several years ago, when I first e-filed my income taxes. It wasn't hard to figure out what they wanted. They either transcribed a 1 as a 7 or their OCR software did. I just remember to make that change when I file and everything was fine.

I had to take off work an hour an a half early to go down to Social Security with my certified birth certificate and wait around for a drone to make the change. I give them the birth certificate and then the ask for my drivers license. They say, we can't use that, it's expired! We need a passport instead. Being like most Americans, I don't have one. So here I am, I can't get my license renewed because of Social Security, and I can't get Social Security renewed because of my drivers license. Eventually the drone shuffled off to sector 7G for a long time and returned with a piece of paper saying that I have to get a signed medical record from my doctor. What that has to do with my identity, I have no idea.

Re:

[TheLink]

Are you really proposing a solution where only people with a driver's license can vote?

Personally I don't see why US citizens are making a big deal about a national ID. You bunch are already abusing stuff like "driver's license" or SSN as a unique National ID when they are not designed for that (apparently SSNs aren't unique).

If you don't like the sound of "national ID", then call it a state ID or something ;).

Re:how about no

[sycodon]

I would propose that only those with a valid picture ID can vote.

Driver's License, Military ID, Student ID Card,etc.

Actually, I'd prefer only those who PAY income taxes be allowed to vote in Federal elections.

Re:

[vux984]

Besides, you've just admitted that a driver's license *is* an ID card- an identity document required to participate in a civic duty. Next!

Your right of course, but a drivers license is a state document, not a federal one. This seemingly unimportant distinction is actually quite huge.

Re:

[vux984]

So anything not explicitly listed as under federal domain, they cannot do?

Actually, yes. That is precisely the intent of the constitution, and it was even further clarified in the 10th amendment. Wikipedia says it well enough:

"The Tenth Amendment explicitly states the Constitution's principle of federalism by providing that powers not granted to the federal government nor prohibited to the states by the Constitution of the United States are reserved to the states or the people."

What about homeland security?

Re:

[patjhal]

I do not normally criticize but your comment is dumb. It specifically says this is to simplify and make more secure important transactions like using the bank. Too many people use 4 or 6 character passwords on their banking that they share with other sites because of password overload. This is supposed to give them something more secure like an ssh key for that type of thing. You can still post anonymously to slashdot or make some temp facebook account or whatever. Now I understand the slippery slope a

Re:

[haakondahl]

The comment was not dumb. You are paving over some important terrain here. Solutions for commerce will arise from commerce itself. Any decent e-tailer has a password system which eliminates the problem you describe. Also, they rely heavily upon a presumption of good-enough security in the credit card system. Regulating commerce is not the same as shoe-horning it into slow-moving, inflexible government mandated solutions to problems that go away long before the "solutions" do. We already have a mostly sat

Re:

[Artifakt]

Solutions for commerce will arise from commerce itself.
You mean, like commerce started demanding Social Security Numbers even though the law said they weren't supposed to? What's really strange to me is anyone still arguing big government is bad and the solution is more 'fixes' that sound just like ignoring how most businesses are violating the law on SSN's. The same businesses that want less government regulation have shown they will gladly co-opt a government only database to their purposes if at all pos

Re:

[golden age villain]

I think he meant that there would then be enough IP addresses for everyone, not that every single person would be identified with a specific IPv6 address.

Re:how about no

[arivanov]

Typical American paranoia. Not that UK is much better.

Anyway, I have had a Bulgarian digital ID for nearly 4 years now. It is privately run - there are several companies which have been licensed to issue the certificates and they issue certs/smartcards to individuals and businesses. The govmint has nothing to do with it besides being obliged by law to accept a smartcard signed electronic document as a valid signature in any form of communication. I can sign a contract, sign my tax return, sell/buy stuff that requires a signed contract, give instructions to my bank and all of these are _EQUALLY_ legally binding to me showing up with a passport/ID and signing it in person. On top of that most cert authorities and smartcards fully support Linux at least on x86 so you do not even need to pay MSFT tax to use it.

On the negative side, banks, etc have been pretty quick on the uptake that this is an acknowledged and transactions are legally binding so you cannot do any electronic banking without it any more.

In any case - an example where "technological backwater" "undeveloped" "fifth world economy" and "third rate democracy" (all are labels which BG has had in USA press at various times) shows how this _CAN_ be run as a useful tool for individuals and companies to do business without the govmint having anything to do with it besides collecting some license revenue.

Re:how about no

[Anonymous Coward]

Yeah, typical paranoia. You write: "you cannot do any electronic banking without it any more." "I don't have to get a credential if I don't want to," says Schmidt. Of course the government will not make a central database when it gets tax return files signed by everyone in the country. No, certainly not. How stupid do you and the government think we are?

Re:

[Anonymous Coward]

Typical American paranoia. Not that UK is much better.

Anyway, I have had a Bulgarian digital ID for nearly 4 years now. It is privately run - there are several companies which have been licensed to issue the certificates and they issue certs/smartcards to individuals and businesses. The govmint has nothing to do with it besides being obliged by law to accept a smartcard signed electronic document as a valid signature in any form of communication. I can sign a contract, sign my tax return, sell/buy stuff that requires a signed contract, give instructions to my bank and all of these are _EQUALLY_ legally binding to me showing up with a passport/ID and signing it in person. On top of that most cert authorities and smartcards fully support Linux at least on x86 so you do not even need to pay MSFT tax to use it.

On the negative side, banks, etc have been pretty quick on the uptake that this is an acknowledged and transactions are legally binding so you cannot do any electronic banking without it any more.

In any case - an example where "technological backwater" "undeveloped" "fifth world economy" and "third rate democracy" (all are labels which BG has had in USA press at various times) shows how this _CAN_ be run as a useful tool for individuals and companies to do business without the govmint having anything to do with it besides collecting some license revenue.

So if the smartcard was spoofed, we'd be right fucked, huh.

Re:how about no

[Miamicanes]

> If someone can sign your name on a paper and send it by mail you'd be fucked to. ...

Actually, no. You could legitimately argue (in court, if necessary) that your signature was forged. Forgery is so common, assertions of it in court are almost automatically accepted by juries as credible unless the party claiming it's legitimate can bend over backwards and demonstrate (through supporting evidence, like driver's license data, video surveillance footage showing the individual perform the transaction, etc) overwhelming evidence that it's legitimate.

Smart card-based certificates upset that delicate balance of power. They don't prove that it was signed by you, but they do prove (almost beyond doubt) that something was signed by someone with physical possession of your card/cert and knowledge of its security code. Thus, they instantly shift the issue from claims by the victim that his signature was forged (something that's happened throughout human history, is commonplace, and an easy defense for consumers to successfully raise in court) to claims by the banks that you were negligent in your handling of the certificate and/or its security code. As a consumer, you have basically no duty to prevent someone else from forging your signature, because you can't. And the scenarios where banks could claim you were negligent would be almost impossible for them to prove. In contrast, with the cert/card, if anything goes wrong, banks have a MUCH easier time of shifting liability to you, the consumer.

You could argue that a similar situation exists with ATM cards, but ATMs have an advantage (for consumers) that internet transactions don't -- pervasive video surveillance. If a criminal coerces you to give up your PIN code, it's likely to be pretty easy to prove his involvement and demonstrate coercion. If the criminal is out of view, but the victim claims otherwise, the bank's in an awkward position. If the bank were to push the issue, a jury would probably sympathize with a victim complaining that the ATM offered no way for the coerced user to summon the police. If the bank were to argue that it doesn't provide that capability because it doesn't want to risk a lawsuit from somebody shot by the criminal for attempting to exercise the duty to notify the police implied by the existence of such a feature, the jury would STILL be unsympathetic because at that point, the bank has effectively admitted that to them, the amount withdrawn by the victim at gunpoint is pocket change compared to all possible alternatives. In contrast, there aren't surveillance cameras recording internet purchases. If a cert gets stolen, the instant presumption is that you, the cert's owner, are the one who engaged in fraud, and the burden is on YOU to prove that it was stolen, or your cooperation was coerced, and that you weren't negligent in safeguarding it.

Legislation to enable smart card signatures is nothing new -- I think it's been part of the UCC in the US for almost a decade (or at least, was proposed a decade ago). The problem is, the legislation was so completely lopsided in favor of banks against consumers that you would have had to be financially suicidal and have an economic deathwish to voluntarily participate in it. Even the banks were slightly embarrassed by it, and recognized that it was dead on arrival because no sane consumer would have ever agreed to it.

Re:

[Anonymous Coward]

Typical American paranoia.

There may be countries where the government is trustworthy enough to allow this. But the United States isn't one of them.

Re:how about no

[Culture20]

Typical American paranoia.

There may be countries where the government is trustworthy enough to allow this. But the United States isn't one of them.

In fact, the government was set up to not trust itself. The framers of the constitution didn't trust the government they were creating, so they crafted it to be full of gridlock.

Re:

[sorak]

Typical American paranoia.

There may be countries where the government is trustworthy enough to allow this. But the United States isn't one of them.

In fact, the government was set up to not trust itself. The framers of the constitution didn't trust the government they were creating, so they crafted it to be full of gridlock.

There is a big difference between "checks and balances" and "gridlock". I don't know how they would feel about the hyper partisanship and gridlock we see today.

Re:

[khallow]

In fact, the government was set up to not trust itself. The framers of the constitution didn't trust the government they were creating, so they crafted it to be full of gridlock.

To quote your Dr. Phil, so, how's that working out for you?

Quite well actually. It took more than two centuries to get to the current point.

Re:how about no

[Seumas]

I'm sure Bulgaria has absolutely no political corruption and that everyone in the government is absolutely trustworthy and that there is and was absolutely nothing shady about the selection of the private entity (yay, another government utility monopoly!) to provide the services and that there are absolutely no questionable connections between government officials and the selected company, just like there are no relations in America between officials and the selection of companies like Haliburton, L-3, and various FDA fast-tracks, either.

I don't know a lot about Bulgaria, but Americans and Brits tend not to like to be identified and monitored, though their government and the stupider sheep among the population constantly do everything they can to undermine this desire. It's abhorrent enough that our SS# has gone from being something you ONLY provide to your employer to set aside SS tax in your account and to the government when you're ready to withdraw and has instead come to be used to get a driver's license, create a cell phone account, cable account, internet account, bank account, blockbuster rental account, etc.

Let's either value privacy and autonomy or throw up our hands and quit this charade and go full bore into fully complying with all wishes and desire of the motherland.

Re:

[Dogtanian]

Typical american chauvinism. Im sure the US has absolutely no political corruption and that everyone in the government is absolutely trustworthy. Fuck you!

You're either stupid or trolling if you think he was claiming the US was better.

In fact, his sarcastic "just like there are no relations in America between officials and the selection of companies like Haliburton, L-3, and various FDA fast-tracks" proves the exact opposite.

He wouldn't trust such a scheme *if* it was run in the US- but the Bulgarians currently *do* run such a scheme, and he's expressing scepticism towards it for the same reason. *Unless* the Bulgarian government really is so much more tr

Re:

[Gofyerself]

It is one thing to buy a digital certificate from a company and quite another to have one "issued" by your government. You say typical American paranoia, but give me one instance where the American government did not abuse its power and overstep its rights while trying to provide "service" to its people. There are countless examples today, nanny camera's, Social Security number, drones for fucks sake. The list goes on. Read the Patriot Act, this would be a sweet deal for government to be able to impleme

Re:

[ultranova]

Anyway, I have had a Bulgarian digital ID for nearly 4 years now. It is privately run - there are several companies which have been licensed to issue the certificates and they issue certs/smartcards to individuals and businesses. The govmint has nothing to do with it besides being obliged by law to accept a smartcard signed electronic document as a valid signature in any form of communication.

These facts, when combined, make me uneasy. Who bears the responsibility if a private ID issuer makes a mistake and

Re:

[Anonymous Coward]

I stopped reading when I encountered "govmint".

Re:

[dimeglio]

You mean all Americans are going to end up in concentration camps because of this digital ID? Look-up paranoia.

Re:how about no

[Chapter80]

You mean all Americans are going to end up in concentration camps because of this digital ID? Look-up paranoia.

Naaah, not everyone. Just the bad guys. And the dissidents. Potential terrorists, and neo-nazis, too. And anyone who is on the TSA no-fly list. Really, any foreigners. And those who are against the 2-party system. Those tea-party wackos should really be identified and tracked. Lump the libertarians and green party people in there, too, because you really never know when they might "fringe out on us". What's the harm in "identifying" and "tracking" them. Especially if they're not doing anything wrong. What could they possibly be afraid of?

And if someone is a crack addict, we should track that. We don't want those people in power, or flying our planes. We certainly don't want to give them access to large sums of money. You have to admit, tracking crack addicts is a good idea.

But not a single person has ever *started* with crack. Usually they start with marijuana or alcohol. Don't believe me? Well, we should track that. We can actually predict which people are more prone to become crack addicts, simply by tracking the population, their purchases, and their habits.

Really, we shouldn't let someone behind the wheel, if they have purchased open liquor within the past 2 hours. We should track that.

And the people who are causing our healthcare costs to skyrocket. Especially those with Aids. And a genetic disposition toward expensive illnesses.

This country was founded with a strong religious bias, and God wants it that way. We should identify the atheists too. And the evolutionists. How dare you say I'm part monkey.

Really, the only ones who can be trusted are the ones like me. In thought, actions, beliefs, genetics, and disposition. So we need to classify and identify. No need to tattoo their arms - that's old school. Let's just track them by ID. No harm. If you aren't doing anything wrong, what is there to fear? I know I don't do anything wrong. I'll sign up, and even maintain the database for free.

They came first for the Communists,
and I didn't speak up because I wasn't a Communist.

Then they came for the trade unionists,
and I didn't speak up because I wasn't a trade unionist.

Then they came for the Jews,
and I didn't speak up because I wasn't a Jew.

Then they came for me
and by that time no one was left to speak up.

Re:

[Chapter80]

Naaah, not everyone. Just the bad guys. And the dissidents. Potential terrorists, and neo-nazis, too. And anyone who is on the TSA no-fly list. Really, any foreigners. And those who are against the 2-party system. Those tea-party wackos should really be identified and tracked. Lump the libertarians and green party people in there, too, because you really never know when they might "fringe out on us". What's the harm in "identifying" and "tracking" them. Especially if they're not doing anything wrong. What could they possibly be afraid of?

Shoot, how did I forget to include the wikileaks supporters?

Re:

[Chapter80]

you're free to leave the internet.

You're hinting at the core issue!

When the ID inevitably becomes mandatory to participate in the internet, it will become mandatory to participate in commerce and in society.

Then whenever the government decides that they don't like something that some group is doing, they can secretly demand the information as to who was doing it, and persecute those who did it.

This is not hypothetical fear-mongering. This just happened [slashdot.org]. The US Government didn't like what Assange was doing, and they completely cut off hi

Re:

[Anonymous Coward]

Sure trying to improve the lousiest health care system of any western democracy fits like a glove with authoritarian privacy concerns. You have to make up your mind are mega corporations benevolent benefactors, while the government is an authoritarian nightmare, or it the other way around. You can't have it both ways. Personally I think each is a little bit of both, but when it comes to my health, I'd rather my insurance be run by a bureaucrat tasked with initiatives to improve the standards of living on a

Re:how about no

[hedwards]

National Healthcare is about controlling people?

Two questions, what have you been smoking? And where can I get some?

The Internet ID is genuinely that bad an idea, as is failing to provide real net neutrality rules, but you've got to be high if you think that national health care is some sort of infringement on your rights. There are exemptions baked into it for people that genuinely can't afford it or have religious objections to it.

Re:Ahem, democracy?

[Dunbal]

When are we going to graduate from this democracy myth and start calling the US the plutocratic oligarchic republic that it is?

      Never, thanks to an education system that ensures that 99.9% of the population don't even understand what plutocratic oligarchic means and parents too busy watching ESPN or American Idol to compensate for said system's deficit.

Re:Ahem, democracy?

[LordKronos]

Never, thanks to an education system that ensures that 99.9% of the population don't even understand what plutocratic oligarchic means

I always love posts like this...people who get all high and mighty because some people are too stupid to know the meaning of a word which has absolutely no bearing on their everyday life. I'm a college graduate (graduated from a major university with a 4.0 GPA), and I'll admit that I don't even know what the definitions of plutocracy or oligarchy are. I'm sure I learned them in middle school or high school, and in the 20 years since then, I've probably read them a mere handful of times, though I think I've never found the need to use them. I know how to look them up in a dictionary when I see them and need to understand what I'm reading. I just did so and said "oh yeah, ok, that's right", but I can guarantee you that in 2 weeks I'll have forgotten what it means (ok, so since I participated in this discussion, it'll stick in my head a bit more and I'll probably remember for 6 or 8 weeks).

You know what? Between all the crap I have to remember for my job, for my hobbies, all the stuff I've had to learn when I had my child and over the last 6 months (and everything else I'll learn about children over the next 18 years), all the laws I have to remember, everything I need to know for financial and tax purposes, all the stuff I need to know about automobiles, stuff I had to learn about choosing new carpet or a new kitchen appliances, about electrical repair, about plumbing, taking care of my swimming pool, maintaining my yard equipment, taking care of my garden, and a billion other things......remembering the definition of a couple of words I'll most likely never use really isn't something I give a shit about. I suspect the next time the words will be important to me is when my daughter is learning about them in middle/high school. So I guess that makes me stupid, and probably nothing but one of the sheep, or whatever else makes you feel good about yourself. Whatever. Baaaaaaaaaaaaaa

Slight conundrum?

[Chas]

We will be enhancing your privacy and security.
  By making you more uniquely identifiable and creating a single point of failure for the security method.

*HEADDESK*

Re:Slight conundrum?

[Culture20]

I see, so you live in Russia?

No, Soviet Russia lives in him.

no centralized database, for now

[Attila Dimedici]

There is no chance that a centralized database will emerge, unless of course this catches on, in which case a centralized database will be necessary to address abuses.

Papers, please.

[dr_wheel]

http://www.youtube.com/watch?v=7leq8DldrdY [youtube.com]

Offered for financial transactions?

[newcastlejon]

OK, fine. But you should know that my credit card company are already happy that I am who I claim to be (and that I pay my bill on time, natch) and my bank have already given me a free security token. Oh, and I have no problem with remembering a few different passwords so thanks, but no thanks.

To be honest, I'm more interested in whether this Schmidt fellow even knows what a smartcard or CA is. I doubt he could be more ignorant than that fool in France that started the OO.org is a firewall thing though.

Re:

[gilesjuk]

Indeed. A central point of failure is never a good thing.

Just like a biometric ID card is a bad idea too. Until you have on there is the risk that someone registers one in your name. Then you have a really hard time to prove that this person is not you.

Re:

[sloth jr]

Given that the US has mandated PKI using SmartCards for 6+ years now, yes, Schmidt knows what a CA and a smartcard is.

It's good that your bank provides you a security token; the proposed initiative is a good one, and lays out a common strategy for something-you-have authentication that can then be potentially used in a much wider variety of venues than your bank.

Expect this to become part of the PCI standard.

No, thanks

[mangu]

lays out a common strategy for something-you-have authentication that can then be potentially used in a much wider variety of venues than your bank.

You mean, like credit cards?

We already have something-you-have authentication for any situation that NEEDS authentication.

And I'd rather NOT be authenticated in all other situations.

Card not present

[tepples]

something-you-have authentication

You mean, like credit cards?

Credit cards are often used in card-not-present situations such as telephone or online purchases. The account number, expiration date, CVV2 number, and billing address aren't something you have; they're something you know. They're only something you have if a retailer has a policy of no gift shipments, in which all shipments are to the billing address.

Re:

[Demonoid-Penguin]

OK, fine. But you should know that my credit card company are already happy that I am who I claim to be (and that I pay my bill on time, natch) and my bank have already given me a free security token. Oh, and I have no problem with remembering a few different passwords so thanks, but no thanks.

To be honest, I'm more interested in whether this Schmidt fellow even knows what a smartcard or CA is. I doubt he could be more ignorant than that fool in France that started the OO.org is a firewall thing though.

I'm feeling a bit cynical tonight so I suspect you forgot "to think of the children". Besides the last time I heard that (last year) it was a twerp from Microsoft advising our department of insane internet censorship that we need internet drivers licenses - which is of course, a completely different thing.

Why is the government involved in this?

[scross]

Surely if this was a good idea, individuals and companies would create it and administer it on their own. Do we really need the government to tell us how to implement our systems? ...could tax money not be better spent on other things?

Re:

[g0hare]

Oh, probably standardization and compatibility with government systems, if the government is going to accept the ID.

Re:

[geekoid]

Have you been keeping up with events? as it turns out most companies can NOT implement systems worth a crap. Creating a standard forces all the companies to use said standard. Left to their own devices most companies wither won't bother or create competing systems that don't work together.

Morons.

[unity100]

anything that can be read by a computer, can be changed or faked, by another computer. those who commit crimes, will be much more able to do it than ordinary citizens.

Re:

[goodmanj]

You do realize that a good fraction of the people on this website make a living trying to prove you wrong, don't you?

Passport?

[mswhippingboy]

Doesn't this sound a lot like Microsoft's Passport they tried to get traction on a few years ago but failed?

A great idea

[drinkypoo]

Digital signatures have been legally equivalent to normal ones for some time now, but where is the accountability? Many have long said the USPS should provide certs; I stand by that idea.

Not a good idea

[betterunixthanunix]

Public key crypto is great, but claiming that a digital signature is equivalent to a real signature is asking for trouble. People have convinced CAs to sign certificates that identify them as Bill Gates, and those certificates could be used to generate fraudulent transactions if we moved to such a system. We really should not be reducing the amount of face to face time people spend on finances -- we already reduced it too much.

To put it another way, how many people get away with cheating on their taxes

Re:

[arose]

Someone could just sit back, send out a digital signature on a message that says, "Transfer $100k to this account," and walk away with the money -- no fingerprints, no need to show their face at a bank or post office, nothing.

Or they could call the bank up with your last four and your mom's maiden name. I'll take well implemented crypto any day.

Same as Social Security

[Grapplebeam]

Which they were constantly telling us, "No, it'll only be for the program!" Don't trust these people farther than you can throw them.

National ID Please!

[Jahava]

So when can I get a cryptographically secure national ID card with multi-factor authentication? I'm as much a fan of the government tracking and cataloging me as the next guy, but this isn't exactly a slippery slope; we already have national IDs in the form of social security numbers and driver's licenses: Government-issued numbers required for identification and backed by a central database.

It's just that the current system is about as poorly-implemented as it can be (and justifiably so, since it was never meant to be used like it is). Not only are SSNs weak, predictable, and easily-forged; there is no way to protect or limit their usage by authoritzed or unauthorized parties. There also no way to protect how those parties store and safeguard them.

So while I hate the idea of our government issuing IDs, its too late to really change that. But please for the good of every citizen do it right.

Re:

[ducomputergeek]

When social security started, your SSN was supposed to only be for them. It was never "meant" to be a national ID, at least that's what the folks in government said at the time. Yet that's what it has become....funny how that happens.

Re:

[TubeSteak]

we already have national IDs in the form of social security numbers and driver's licenses: Government-issued numbers required for identification and backed by a central database

If you want a National ID, get a passport or a passport card.
But kindly fuck off from insisting on one for every citizen.

And White House Cybersecurity Coordinator Howard Schmidt can doubly get fucked for insisting on creating one for the web.
Ultimately, the government doesn't need "a" centralized database of trusted identities because they can already dip their fingers into every database that's around.

Re:

[misexistentialist]

So while I hate the idea of our government issuing IDs, its too late to really change that. But please for the good of every citizen do it right.

If you hate government IDs, I don't see why you wouldn't like a weak ID implementation. The only thing better than no identification is falsifiable identification. It's true that most anonymity has already been lost, and further security might actually begin to benefit individuals in day-to-day transactions rather than just the government, but it would of course come with government surveillance of day-to-day life.

Riiiiiight.

[Mr. Underbridge]

I don't have to get a credential if I don't want to,' says Schmidt.

Oh sure. Just like I don't have to get a state-issued ID card if I don't want either, right? Except once these gov-sanctioned IDs come into play, they do become standards (even when it's explicitly against the law, like with SSN).

And they know it. Hey, tell me which candidate it was again who was going to stand up for the little guy?

They'll call it a "privilege"

[mangu]

I don't have to get a state-issued ID card if I don't want either, right? Except once these gov-sanctioned IDs come into play, they do become standards

They will do it like they did with driver licenses, they will say "accessing the internet is not a right, it's a privilege".

I wonder which part of "The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people" they didn't understand.

Or how about "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people

Privatize the project...

[dominique_cimafranca]

...outsource it to Facebook.



Bwa ha ha ha ha!

Re:

[Cwix]

*shudder*

'Trusted identity' == 'national ID'

[John Hasler]

> 'We are not talking about a national ID card,'

Yes you are.

> 'I don't have to get a credential if I don't want to,'

Unless you want want to engage in any sort of non-cash transaction. Of course, if you try to live entirely on cash, you will eventually be accused of "money laundering"...

> 'There's no chance that 'a centralized database will emerge,'

No. It will stay hidden.

> 'we need the private sector to lead the implementation of this.'

Because that way when things go wrong you can blame the "evil corporations".

Yes please...

[Dr_Barnowl]

I would sincerely like the plethora of stupid paper documents I have to deal with reduced to a single wad of data, cryptographically signed by the appropriate gov. dept for each part -

e.g. - the DMV for the driving license, etc.

On the proviso that there is NOT a giant central DB tracking it all.

I've already got one, you see

[Eil]

I already have an "Internet ID," it's called my GPG public key.

Re:

[tagno25]

If only it was able to be used as login info, except you would need something else for security since the public key is public, and the private key should not be transfered to a 3rd party.

Re:I've already got one, you see

[laughingcoyote]

You could set up a login mechanism using GPG. Wouldn't even be that hard. All you'd have to do is automate the following:

• My system connects to the host. The host requests my public key, my system sends it (in cleartext, since it is, well, the public key after all).
• The host encrypts a randomly generated string of characters (the "challenge string") using my public key and sends over the encrypted data, as well as its public key in cleartext.
• If I have the appropriate private key, my system decrypts the challenge data, re-encrypts it to the host's public key, and resends it. Since the challenge data would be randomly generated every time, there would be no use in saving or intercepting it—the next login would be a different challenge string anyway.
• The host decrypts the data. If I've returned the right challenge string, it logs me on.

Who signs your GPG key?

[tepples]

I already have an "Internet ID," it's called my GPG public key.

Signed by whom? With the rise of TSA's so-called "gate rape", not everyone is willing to fly to key signing parties in remote locations.

And it will be...

[Black Parrot]

completely unbreakable, unlike every other computer security system that has ever been developed.

There's no chance that 'a centralized database will emerge'

Of course not. What government or business would be so crass as to track what people do on the internet?

To the Regime: NO

[WCMI92]

Get used to that word.

No you cannot regulate the Internet. No you cannot create national Internet ID, so you can identify and intimidate your critics.

You cannot do these things because the courts have already said you can't and the new Congress is acting to prevent you from trying.
Not that this will stop him good fascist Soros sockpuppet he is. 2012 will though.

Re:To the Regime: NO

[WCMI92]

Slashdot is extremely hypocritical on stories like this. It only took any mention of the very un patriotic PATRIOT act to get 500 posts railing about how evil and fascist BushHitler was. Though I am a conservative and a Republican I was (and still am) amongst those who believe that law was a thousand page abomination against the Constitution, and said so here. Liberals seem to have a lot bigger problem than conservatives do criticizing "their guy" when he engages in anti freedom behavior that they constantly go to sites like this to rail against.

If electing liberal democrats was supposed to be the solution to constant government attempts to control and squelch the Internet why is it that the majority of the worst ideas seem to come from democrat administrations? It was Bill Clinton who signed into law the DMCA, the communications "decency" act, COPA amongst many failed attempts by an administration that was embarrassed by the Internet (no one would have ever known about Monica Lewinsky had it not been for Matt Drudge and the Internet) to get some wedge of control into it.

Now, I know Bush wasn't exactly a paragon of liberty and freedom, but I don't recall similar thrusts during his 8 years.

Now we have the Obama Regime which isn't even going through the motions of getting his Internet power grab through Congress (though the recent democrat Congress did manage to give him the Internet "kill switch" authority before being voted OUT in record numbers), and is acting through a proxy, an unelected crony who is the head of the FCC, which has recently declared itself master of the Internet. This despite warnings from Congress (which created the FCC) and one court ruling telling them NO, you don't have this authority, they are pressing ahead anyway, telling owners of PRIVATE NETWORKS how they must run them.

Add to this, a proposal for an "optional" (yeah right) national internet ID, which will of course be secure because the government is well known for competence and efficiency (the only competent government operation is the military). This ID if it ever comes to fruition (and it won't, there will be pitchforks and torches surrounding the White House before this would be allowed to happen) will, like everything else, be perverted into the worst possible abuse almost immediately.

You see, like the Clinton Regime, Obama has found the Internet to be a thorn in his side. The "new media" is more powerful than ever, making it impossible for his fellow travelers in the left wing "mainstream" media to alter reality for him. You wanna bet that Obama won't go after his critics? He already IS doing so, go read up on the airline pilot who dared speak up about the bullshit TSA practices and their utter incompetence and how quickly goons from the Regime stormed his home and seized his firearms and computers.

This administration even buys search results on GOOGLE for crying out loud, to make their propaganda on the health care boondoggle the first thing you see...

Tell me they won't abuse a national Internet ID...

Re:

[Dan667]

uh, the left does not like obama after his banker bailouts, fisa, mandatory health insurance, and tax cuts for the rich.

Re:

[WCMI92]

I wasn't saying that Slashdot didn't condemn the DMCA. I was here, I was complaining too. What I was saying is that Slashdot gives liberal democrats a pass for such atrocities when they do them while demonizing republicans (such as Bush). Also, most slashdotters seem to fail to realize that the democrats are more likely than republicans to try to regulate or control the Internet and that they are also FAR more in the pockets of the MAFIAA as they are major campaign fund sources for them. I dont' give th

Re:

[Sloppy]

It's in your head. Obama (especially his DoJ) gets flamed and the flames modded up all the time. It happened before he even became president, when he voted for retroactive telecom immunity, and picked up again in his very first month in office when the bastard had his AG continue with Bush's "state secrets" arguments for why all the NSA cases should be stopped. People talk about all that stuff here, and not at negative moderation. He's hardly untouchable.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Social Security anyone?

[markdavis]

>"'We are not talking about a national ID card,' says Commerce Secretary Gary Locke"

Oh really. Just like Social Security numbers would never be used for anything but Social Security. This is a HORRIBLE idea.

Might want to read the draft before commenting.

[ghelleks]

Comments on this draft closed in July, and it's been changed since. But this should give you a sense of what they're actually proposing. http://www.dhs.gov/xlibrary/assets/ns_tic.pdf [dhs.gov]

Re:

[chowdahhead]

I sifted through it. It cites identity theft and lack of trust as the problems this aims to solve. The problem, in my opinion, lies with financial institutions that can't can't keep our information secure. It's too easy for someone to obtain credit in someone else's name. I shouldn't have to pay a nominal fee for credit protection or early fraud warning either. There needs to be more accountability and penalties for institutions that breach our trust. An internet ID is just another form of ID for someo

Playing the long game..

[ka9dgx]

Wow... all of this to stop the internet as a threat from happening. Eliminate anonymity as a possibility on the internet, wait a few years until everyone is complacent, and they use it to mop up any stragglers who don't bend to the will of The Powers That Be.

Good thing they aren't doing anything to fix the security model we all rely on, which would leave viruses and botnets as a plausable denyability... oh... wait... they are.... "The App Store", which means no local filesystems, and no way to propagate information outside of what is allowed by the OS.

And then there is the push towards cloud computing, again no local storage.

We'll be ok... but our kids won't... because they will see local storage as a vulnerability, and shun it at all costs.

I think this will all play out in 10-20 years...at least I hope it takes that long.

You Lie

[Culture20]

'We are not talking about a national ID card,' says Commerce Secretary Gary Locke, whose department will be in charge of the program. 'We are not talking about a government-controlled system'

You Lie.

Nobody here even knows what the story is about.

[BobGregg]

Seriously. Almost nobody commenting here even took five seconds to even think about what was actually being discussed. It's all just knee-jerk "jack boots are coming" nonsense.

"Internet ID for Americans" - Article title FAIL. This has nothing to do with a government identity of any sort. Nor is it a singular identity, credential, or technology. It's for use in commerce - you know, like OpenID? - but actually standardized so that companies will actually widely accept it. That's why the first sentence of the linked article, the whole point of the news of it, is that the Commerce department would head the effort, not Homeland Security. (Declan McCullagh, I like you, but you should be ashamed.) From the article: "This is not about a national identity card." From these comments: "It's a national identity card!"

"Single point of failure" - Reading comprehension FAIL. The published strategy talks about setting up an identity trust ecosystem where individuals set up any number of identities and credentials, of their own choosing, possibly using different technologies of use as they see fit. Much like the SSL cert ecosystem today provides a means of merchant identification, without there either being a single point of failure or sinister government control.

"Trying to solve a problem that doesn't exist" - Reality-check FAIL. I just don't know what planet you're from. If you're saying that identity theft on the Internet isn't a major concern, then you're seriously misinformed. It costs our economy millions, if not billions, in lost productivity and fraud. That's a valid government concern - making sure that economic activity can take place safely and thrive.

For frack's sake, the same people who were screaming about how Microsoft Passport was a bad idea (and it was, because it was monopoly-controlled) are now saying the free market should solve the problem. Or, you know, that there's actually no problem at all. No wonder it's so hard to get anything done in this country.

Having a national strategy to push towards building a real trust infrastructure is a GOOD idea. Reduces costs, reduces redundancy and waste, IMPROVES security on the Web. Trust infrastructure GOOD. Psycho spasmodic knee-jerk Fox-News "Govmint bad" reactions with no forethought BAD.

We already have it

[Sloppy]

And people decided not to use it. Raise your hand if you have an OpenPGP key and it's been signed by a lot of people (i.e. an identity, certified by multiple parties such that non-distributed systems seem like a joke in comparison). Ok, put down your hands; I was asking in the wrong place. Most people don't put up their hand here, so nobody builds upon the system.

private

[Tom]

There's no chance that 'a centralized database will emerge,' and 'we need the private sector to lead the implementation of this.'"

Uh, no?

Identity one area I would very much love to have in the hands of government.

Why? Because if you put it into the hands of a "private sector" entity, that almost certainly means a commercial entity, which means if it finds a way to make a profit from your data, it will. Or, in other words, it isn't your data anymore, it is theirs. Thank you, but no thanks. I prefer to have an identity instead of renting it.

Sure, there are all kinds of other dangers with the government handling this stuff. But if you are more afraid of the government than of private corporations, you've not been getting the news for the past 20 years, have you?

It will be a required standard. Just you wait.

[Jackie_Chan_Fan]

Every corporation will start to use this system and that will turn what was a "enhancement to security" into a "Standard required to access any internet service"

First they tell you its just to help, then they own you.

Fuck the national ID, internet ID.... how about fucking universal single payer not for profit health care?

Fuck both of these parties. Fuck Obama.. fuck Bhoener... fuck them all.

Hahahahahaha!!!!

[SecurityGuy]

They don't even have single sign on for their OWN systems, and they think they're the right entity to create it for 300 million people? That's hilarious. This will be a $100 billion project that will never actually meet its goals.

Thanks, but no thanks. I actually WANT different passwords on my accounts. I don't WANT my facebook account to unlock my bank, or my slashdot password to unlock my facebook account.

I'm sorry, but if you really want this, you want someone else to do it. If you're smart, you won't want anyone to do it, or at the least, you want opt out.

Re:Security and profits?

[goodmanj]

It's NOT the private sector. It's the government, which is worse.

I'll be honest here: *If* we do something like this, I'd rather have the federal government managing it directly. Large corporations are just as cooperative with the cops as your average branch of government, and at least the federal government doesn't have a profit motive for sharing the information it has about me.

Re:

[nschubach]

at least the federal government doesn't have a profit motive for sharing the information it has about me.

Yet.

Profit motive of public servants

[mangu]

at least the federal government doesn't have a profit motive for sharing the information it has about me.

Do you really believe this? As Robert Heinlein said in "The Moon is a Harsh Mistress", "My point is that some person is responsible. Always. If H-bombs exist - and they do - some person controls them. In terms of morals there is no such thing as 'state'. Just men. Individuals. Each responsible for his own acts."

The profit motive of the federal government is that of thousands of people who would be without a job if the government didn't have all those agencies controlling every detail in your life.

Responsible, but not to the people

[tepples]

My point is that some person is responsible.

The problem comes when this person isn't responsible to the people. The responsibility in hiring and firing the responsible person may be diluted several times through appointed officials, and even elected officials are in a way appointed by the media [pineight.com].

Re:

[goodmanj]

The profit motive of the federal government is that of thousands of people who would be without a job if the government didn't have all those agencies controlling every detail in your life.

And every one of those thousands of people would be fired or imprisoned if they were caught breaking their institution's ethics rules for their own personal gain. It's called "political corruption" in that case.

But the leaders of a *corporation* are not just allowed to use the corporation's resources for profit regardles

Re:Security and profits?

[goodmanj]

You've missed my point. I'm not saying that there *should be* a government-run identity system, I'm saying that *if* we have one, we'd be better off if the government ran it.

If you believe the government will do nefarious stuff with your data, since corporations will hand over their data the moment some guy with a suit and a badge shows up and says "national security", giving your data to a corporation is the same as giving it directly to the government.

And while it's true that some government officials might be persuaded to become corrupt and sell your data for profit over principle, corporations *by definition* are in the business of putting profit motive first.

So corporate verification of identity has all the drawbacks of government verification of identity, plus more.

In essence, when personal privacy is on the line, corporate officials are just government officials who are *guaranteed to be corrupt*.

Re:

[goodmanj]

The difference between the state, and anyone else, is that modern states have a monopoly on force.

And the difference between a *democratic* state, and anyone else (including both the corporations and the various governments you mentioned) is that the modern state is responsible to the people who grant it the use of force.

Without that key element, I agree, there is no difference between a government, a corporation, or your neighborhood mafia. But even in a total "might makes right" world, corporations are n

Re:Security and profits?

[turkeyfish]

The notion that you can use a competitor is laughable, since most "competitors" are now owned by the same few people that own virtually everything else. Don't you know that the wealthiest 1% of the people already own 85% of everything there is to own? Don't you realize that the only national debate going on now is just how much of the remaining 15% they will be allowed to own as well? I guess they've lulled you into a false sense of security.

At least when the government screws you over, you can vote them out of office. Try that with a phone or cable company. Sure you can "switch to a competitor", but with the same few people owning all the "competitors", do you really think you have shown them? If the market had true competition, how do you explain that 9 times out of 10 prices only go up rather than down? How do you explain that just 5 companies control about 85% of all media outlets and the major shareholders are often the very same individuals? Dream on pal and let Fox News sing you back to sleep.

Re:

[Artifakt]

Most of that "40%" has kids, or they couldn't get enough Earned Income Credit to even negate their own income tax owed. They do still pay Social Security and Medicare and Federal Unemployment taxes, all they aren't paying is the Income tax itself. It's called Earned Income tax credit because you have to have a job, with wages, to qualify for it. That's not sitting on their asses and doing absolutely nothing, that's working. If that 40% had been sitting around for years, not working, then we would have had a

Re:

[mangu]

You don't have to have one of these IDs.

FTFY.

Re:

[Demonoid-Penguin]

You don't have to have one of these IDs if you don't want to use the internet.

Of course not [puts on tin-foil hat] just like you don't need photographic identification if you don't fly or drive.

And that's not a foot in the door - it's our new draft stopper. (sigh)

Re:You don't have to have one!

[markdavis]

Are you wacked? Of course you will have to have one. One by one, sites and services would be denied to you if you didn't have one. Eventually, you couldn't do ANYTHING without complying. Remember Social Security numbers- how they were supposed to be used ONLY for SS and never used for any other purpose. Tell you what, you just try to do anything now without being forced to give your national ID number- credit card, loans, electricity, health care, taxes, driving, ANYTHING useful.