The Death of Internet Anonymity

Monday, July 05, 2010

Anthony M. Freed


After a year-long analysis of the state of Internet security led by the National Security Council, President Obama's cybersecurity coordinator Howard Schmidt has released details of the administration's plan to protect the masses from cyberscumbags by creating a federal system for online identity authentication.

The Financial Times reported that "the creation of a system for identity management that would allow citizens to use additional authentication techniques, such as physical tokens or modules on mobile phones, to verify who they are before buying things online or accessing such sensitive information as health or banking records."

Good intentions aside, implementing a program of this nature could have repercussions far beyond combating phishers and scammers - it could put an end to any notion of online privacy and anonymity.

Electronic payment fraud and identity theft are serious problems, and are a drag on our economy which we could surely do without. But is this really where we need to begin?

Software continues to be produced with vulnerabilities written into the code, confidential information continues to be compromised on a daily basis due to lax security policies and employee unfamiliarity across a spectrum of industries, and information technology continues the shift to outsourced managed services in the cloud.

These realities create more opportunities for data loss on a massive scale.

So why pursue authentication issues as the first order of business? And why is a federally issued "cyber identity" being touted as the optimal solution, over and above a slew of commercial epayment security options already available?

At the risk of seeming like a tinfoil hat wearing paranoid, I ran across an article in the TeamCymru newsfeed from Prison Planet that really struck a nerve.

If you take away all the allusions to evil ulterior motives that pervade the article and simply look at the rant as an examination of some potential consequences from a federal cyber identity mandate, it quickly becomes clear that this may not be the best solution - for all of us Internet users anyway.

The article titled Cybersecurity Measures Will Mandate Government ID Tokens To Use The Internet was written by Paul Joseph Watson and Alex Jones, and asserts that "under the guise of cybersecurity, the government is moving to discredit and shut down the existing Internet infrastructure in the pursuit of a new, centralized, regulated world wide web."

Whether or not the true intention is to "discredit" the Internet, the more than forty cybersecurity-related bills before Congress and the elevation of cybersecurity to the Czar level at the White House are clear evidence that the government is moving to "centralize and regulate" the Internet to some degree.

The article goes on to say that "similar legislation aimed at imposing Chinese-style censorship of the Internet and giving the state the power to shut down networks has already been passed globally, including in the UK, New Zealand and Australia."

While "Chinese-style censorship" is not specifically outlined in Schmidt's strategy, the proposal does entail requiring everyone who wants to access the Internet to register with the government, creating yet another layer of bureaucracy at potentially enormous cost to taxpayers.

If the government has to say "yes" to your request for access to the Internet, then they also have the power to say "no."

And there are many other issues that will arise from such a system, like whether the government will monitor and collect data on individual usage, and what steps would be taken to protect the system itself from being compromised.

Even if your access to the web remains unfettered, the requirement to register for and use a federal cyber identity would mean an end to one of the Internet's most lauded features - the ability to remain (relatively) anonymous.

The Prison Planet article claims that "abolition of anonymity is used to chill free speech," and they may be on to something here.

Though, I think the authors meant "freedom of speech" - but the term "free" might be more apt, as access to a web that is under federal control will undoubtedly cost users more than it does today.

Americans for Tax Reform sees federal control of the Internet as just another example of a backdoor tax that will make access to the Internet more expensive:

"Everyone will pay rates for service that the government sets. And everything passing through your Internet, TV, or phone would become subject to the FCC's consistent regulatory whim..."

Sorry Alex and company, it probably just comes down to the mighty dollar, and the opportunity to garner profits, fees and taxes.

Although, just because someone is paranoid, it does not mean someone else is not really out to get him.

Jonathan Leigh

I don't really see it as an issue to force people to use devices like a key fob when doing online banking or accessing health records. After all, who takes the hit in the long run if social security numbers or money are stolen? The government. It is an expensive recovery to make new identities for people after a database of SSNs has been compromised. Also with FDIC they also have to bail out people who have money stolen electronically. It is best to prevent these things on a small scale to make it much more difficult for an attacker to hack a bank account online or get access to our medical records if people have key fobs. If everyone had a physical token generator, then the attacks could only be done in real time.

The whole idea that this could be "The Death of Internet Anonymity" seems like a far-fetched point to make. I think you are blowing the idea of this identity management system completely out of proportion by suggesting things like "If the government has to say 'yes' to your request for access to the Internet, then they also have the power to say 'no.'" It is as if you make it seem like tomorrow we will all wake up and have a private gpg key (representing our identity) that we need to use to access the web by authenticating with some centralized government server. I just don't see this happening or even being suggested by the article you reference.

Christopher Hudel

I agree more with Jonathan on this topic. If anything, I think such changes are more likely to lead to the "Death of Money Anonymity" - where it is no longer possible to purchase items for cash or its untraceable equivalents.

This can be just as - or more so? - damning for society. I just don't see the infrastructure supporting multi-factor authentication for internet *access*.

Anthony M. Freed

Point I was trying to draw in the article has more to do with why than what:

Why start with registering users, as opposed to something that would really improve security - like eliminating known vulnerabilities in Apache that affect the majority of servers around the world?

Just seems like another naked power grab in the name of security to me...

Anthony M. Freed

Just received this email from ANSI on the issue:

"On June 25, the White House announced the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced N-STICK), a blueprint for reducing cybersecurity vulnerabilities such as identity theft and fraud and improving online privacy protections through the use of trusted digital identities."

"In a White House blog posting, Howard A. Schmidt, cybersecurity coordinator and special assistant to the president, explained that the NSTIC was developed in response to the president’s Cyberspace Policy Review and in collaboration with key government agencies, business leaders, and privacy advocates. The American National Standards Institute (ANSI) submitted comments on earlier drafts of the document, previously titled “National Strategy for Secure Online Transactions.”"

"The plan envisions the creation of an Identity Ecosystem where individuals will no longer have to remember usernames and passwords to access various online services. Rather, they will be able to voluntarily choose a secure, interoperable, privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers - both public and private - to authenticate themselves online for different types of transactions (online banking, accessing electronic health records, sending email, etc.). The Identity Ecosystem will be user-centric, meaning that individuals will have more control over the amount of personal information they use to authenticate themselves online."

"The draft NSTIC is posted for comment through July 19 at Members of the general public can submit their own suggestions as well as respond to and rank comments submitted by others. The Department of Homeland Security (DHS), a key partner in the development of the strategy, is collecting the comments. The White House has indicated that a detailed implementation plan to accompany the strategy will be circulated for comment later in July. The goal is to have the strategy completed and signed by the president in the September/October timeframe. ANSI encourages all interested members and stakeholders to review the document and submit comments to the DHS to have their viewpoints heard."