The NSTIC, you, and me (and Google?)…

Today, I’m reading an article that speaks about the NSTIC (National Strategy for Trusted Identities in Cyberspace) initiative; the latest, greatest effort to mandate identity online.  Essentially, this appears to be an effort to empower a group of corporations to serve as the de facto administrators of online identity. More pointedly, it supports this “unofficial” collaborative of corporations in apparent lieu of legislative or regulatory efforts…. for now. This concerns me. Why? Read on…

While I admit, there is valid reason for concern about online identity security and protection, it remains that I am gravely concerned by the apparent blitheness with which the folks comprising this effort are treating the equally valid issues and questions regarding personal privacy and consumer choice; particularly those things which, left unaddressed, result in the opening through which incidents like the BART response (for a recent and highly relevant example) may occur.

Specifically, the following quote by Chris Messina, Google’s Open Web “advocate” (emphasis added):

“As it stands, I can see why people are angry or confused, but, while vague, the NSTIC isn’t as bad as people seem to think — the fact that it’s being run out of commerce means that the government is looking for innovation and competition — not to own these identities,” Messina tells WebProNews. “Of course I can’t say what this means about surveillance and security, but anyone who uses a cell phone or hosted email should already understand that they’re susceptible to government wiretaps and data seizure — oftentimes without needing to be informed (Twitter is the rare exception recently). Anyway — if you can pick an identity provider that’s certified to meet certain criteria and that you also trust — that seems win-win to me.”

Bypassing for the moment the astonishing fact that Messina seems to be unaware of how and why vagueness is BAD for administrative, legislative, standardization, or regulatory effort on its face, the above, combined with recent changes in the Google policies make it fairly clear that a concerted effort by Google is underway to make themselves the “company of choice” to institute some form of online identification program. Also apparent is that the NSTIC and the perspective of its participants overall seems to be that “protecting commerce” is more important than protecting privacy or that it either nullifies or neatly side-steps outstanding issues with privacy, consumer choice in/of participation, and of course, the potential for wide-spread abuse and misuse of any such program – both by criminals as well as government.

The carelessness and lack of concern from Messina about susceptibility is, frankly, horrifying. Excuse me, but “It’s probably already happening to you, so why fight it?” is NOT acceptable on ANY terms, for ANY reason.

(Ah, now, I know some of you are already warming up your “don’t like it, don’t use it” mantra, but read on…)

The NSTIC article clearly indicates a profoundly dissonant perspective in relation to how something like NSTIC will impact the range of consumer choice and it also seems to gloss over the impact that a federal mandate on standards will have both on the industry being tasked to “see to it” as well as the agility of our entire country/economy to adapt and respond to the needs of consumers within the global, competitive economy and market. Which leads me back to Google and to an even more disturbing thought:

Recent announcements about Google Wallet, the current mess over real names at Google, and the apparent lack of interest or concern about consumer interests and issues other than authentication/security seem to indicate quite clearly that Google in particular (and perhaps others, but it seems Google is the only one truly rocking this particular boat) is gearing up to essentially sell out AND, in the process, sell US out for a nice, juicy, preferential status with government interest. An interest that, by definition, lives in opposition to both state and individual interests except its intersection with ensuring corporate livelihood.

Ignoring for the moment the valid debate that needs to occur over whether or not current, legal identity needs to be administrated in the online domain (which, contrary to what NSTIC and others seem to think, is not demonstrably proven), it remains that without the protections outlined in the “dotrights” campaign, the NSTIC effort is an incredibly dangerous movement for state managed identity as well as for citizens/consumers and their rights/interests. But don’t take my word for it, consider carefully the wording and implications of Mr. Messina:

“The last thing that I’ll add — which itself is controversial — is that this whole system, at least at the outset, will be voluntary and opt-in,” Messina says. “That means that if you don’t want the convenience of not having to use passwords anymore, you won’t have to. If you’re okay rotating your passwords and maintaining numerous discreet accounts across the web, that’s cool too. I don’t think a mandatory system would succeed — at least not without proving its security, stability, convenience, and utility over several years.”

I would point out that the current efforts by Google are, in fact, “entirely voluntary and opt-in”.

I would also point out that they have made it exceedingly clear that they are being driven by a yet-unexplained motivation that makes taking a “don’t like it, leave” stance attractive for Google.

I would further point out that Google’s CEO Schmidt himself stated that (paraphrasing), “Google+ is an identity service”; this is also supported by Google’s own site.

My assertions and conclusions at this point are, I think, things that you will find utterly logical:

  1. Google intends to be one (the first? the premier? the only?) identity service for the USA.
  2. Google intends that their existing hold over users (adoption of services and products and related entrenchment thereto) be the weight brought to bear that ensures adoption rather than abandonment.
  3. Google intends that their ability to demonstrate adoption will allow them to leverage themselves, if not into the position of sole provider, then into a position of an elite few.
  4. Google intends to lobby and support our government in reaching a point of transition at which this “entirely voluntary and opt-in” identity service may become a mandatory one.
  5. Google is counting on YOUR continued use and willingness to adopt and endure any change they make to accomplish this.

Seem far-fetched? Why? Messina is obviously thinking about it, the NSTIC is as well, thus Google, our Government, and who knows who else are thinking about it, too. Look at this and understand: There is not that much distance at all between Messina’s statements and the above assertions and conclusions and, frankly, that distance will close rapidly if Google is right about consumer apathy and passive adoption.

Messina says later in the above linked article that:

“…the party that you choose to represent you as your identity provider will be responsible should anything happen to your account,” says Messina. “And I hope that people actually choose their identity provider carefully, and based on the steps that they take to secure your account and keep it safe.” (sic)

For my part, the rejection of all the above has already occurred; I am no longer a Google user and I have no intention of subscribing to this mess in any iteration. I HAVE an identity provider already in my state and federal government and I see no need whatever to “trust” an entity whose sole existence is to parasitically profit off of me; nor do I see how any such entity can or will possibly manage it better than my current providers, the existing legal system, and of course, myself as an educated, informed, and vigorously proactive citizen. This is particularly salient to note: the interests of a corporation will, by nature, run counter to my own when revenue and profit are involved.

In my opinion, to set forth some far-flung future of rosiness and robustness (as is currently happening with the NSTIC) and expect anyone to blindly embrace it when all that is being truly set forth today is government approval and support of the lock-down of consumer choice and privacy combined with a strongly hinted future in which this shall become mandatory, frankly, is so horrendous as to be laughable were it not happening right before our very eyes.

Finally, I am regretful at the need to say that it seems that Google, in supporting this in full knowledge of the continuing issues as outlined at the “dotrights” link (above), has effectively foresworn their mandate of “don’t be evil” and they think we are all so stupid as to not see it. Insult to injury, they are counting on YOU and ME to be gullible enough, to be naive enough, and to be afraid enough to grasp this straw of “future perfection” to allow them to succeed as your first choice for identity services.

Thank you, but no thank you, and I thank you, but no.

