Obama Cyber ID = bad idea

Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans. A White House official said it's "the absolute perfect spot in the U.S. government" to centralize efforts toward creating an "identity ecosystem" for the Internet.

This is such a bad idea and will never work, and these are some of the reasons:

A government CyberID for all breaks the law of identity called:
5. Pluralism of Operators and Technologies
"A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers."
Basically, people do not want to use a government-issued ID and potentially allow governments to track their use of that identity in a work or personal context. Government IDs make sense when dealing with government services, and a single ID across government departments makes a lot of sense, but not as one identity for the net. The recent US government move to request records from social networks such as Twitter on people who supported WikiLeaks highlights that there are many advantages to your actions in many contexts not being traceable to a single identity held by the government. In fact, you may not know ahead of time that you would have been better off acting anonymously, as many people who may have tweeted in support of WikiLeaks found out. Also consider risks like identity theft: a single identity puts all your eggs in one basket. Imagine the theft of a single identity that gives access to all your services: government, health, financial and work.

For that matter, Facebook, Google ID etc. face the same issues. It is unlikely we will ever have a single identity on the Internet. It is far more likely that we will have a number of identities, each grouped with the context it makes sense in, e.g. Facebook, Google, OpenID etc. for social and personal uses; a federated OAuth ID or a LinkedIn-type ID for work services; a government ID such as this suggestion for government services; and a PayPal, Visa/Mastercard or federated online banking ID for financial services and payments. It is the same reason why people use different social networks such as Twitter, Facebook and LinkedIn for different contexts even though they offer similar features.

There are also practical implementation problems with a single identity that have caused many before to fail, e.g. Microsoft Passport. Facebook is succeeding to an extent because it is really easy to implement, has a scale of 500 million now, and enabling Facebook Connect is a simple way for many sites and start-ups to gain access to the social graph and spread virally. But how many financials do you see implementing Facebook Connect for their online banking, or businesses for B2B connections? OpenSSO and other federated identity techniques have been around for years but still have very low adoption, and even on new projects businesses would rather implement username and password than set up federated single sign-on support. Context is everything; simplicity and ease of implementation, especially implementation without additional software and hardware, are also crucial.

My write-up on why a federated single sign-on for payment services driven by financials or card providers makes sense: http://rakkhi.blogspot.com/2010/11/disrupting-online-payments.html

Practical analysis of laws of identity in the workplace:

So like other government ID and identity schemes, this is highly unlikely to succeed and will most likely waste a lot of taxpayer money before it is scrapped.
