Imagine using a single login (maybe your email address & password) to conduct ALL personal business online – from paying taxes to shopping for clothes to signing-off on your child’s report card. The Obama administration is leading an effort to make this kind of “secure Internet ID” a reality — but privacy advocates worry a single failure could compromise our security, and everyone’s faith in the Web. We explore the changing landscape of Internet identities.

Guests

  • Aaron Brauer-Rieke Attorney and Fellow at the Center for Democracy and Technology
  • Don Thibeau Chairman of Open Identity Exchange; Executive Director of the Open ID Foundation
  • Jay Stanley Senior Policy Analyst in the Speech, Privacy and Technology Program at the American Civil Liberties Union

Transcript

  • 12:06:41

    MR. KOJO NNAMDIFrom WAMU 88.5 at American University in Washington, welcome to "The Kojo Nnamdi Show," connecting your neighborhood with the world. It's Tech Tuesday. Admit it, do you thoroughly read the terms of service agreement before you sign up with a website? More importantly, do you know what websites do with the information you provide about yourself? For most of us, the answer is no. But the identification we create for ourselves online, whether it's a Gmail address, a Facebook profile or an Amazon account, is like gold. Retailers and advertisers track our shopping habits, our likes and dislikes, and even our credit scores, and then share it with one another.

  • 12:07:29

    MR. KOJO NNAMDIBut what if we had just one identification to visit every site we use, from our e-mail to blogs, banking and even government sites? The Obama administration is proposing just that, saying that one ID on the Web would be more secure and would make life easier in the long run. Joining us now in studio to discuss this is Don Thibeau, chairman of Open Identity Exchange and executive director of the Open ID Foundation. Don, thank you for joining us.

  • 12:07:59

    MR. DON THIBEAUMy pleasure.

  • 12:08:01

    NNAMDIBefore we discuss what changes are on the horizon for our Internet identities and their security, let's talk about how we're identified currently on the Web. When I sign up for Facebook or an e-mail account, what information am I giving away about myself?

  • 12:08:18

    THIBEAUWell, you're giving a lot of data away. And if you think about data as the oil of the Internet, how that oil or how that data is processed into information is enormously valuable to advertisers and other folks that want to be able to serve you better on the Web.

  • 12:08:38

    NNAMDII'm thinking about this, and I'm thinking that -- and I suspect you say for many sites, like Facebook et cetera, I am not a customer, I am a product.

  • 12:08:48

    THIBEAUWell, I think the product metaphor comes in that we're living in an age where people now generate information about themselves at will, and some would say willy-nilly. And, certainly, if you look at social media sites, you have an enormous amount of self-reported information. Data about my life, my friends, my likes are being reported to social media sites on a regular basis, and that really has changed the calculus of data and information and privacy issues.

  • 12:09:23

    NNAMDIMost of us do not read the terms of service agreement, so what do the companies we sign in to do with the information we give them?

  • 12:09:30

    THIBEAUWell, the terms of service agreements are -- they're an interesting kind of representation of where we stand on the Web. They're long, complex and, in many cases, convoluted. That's because in the various jurisdictions that those companies are operating in, they're trying to anticipate issues of liability, trying to conform with privacy requirements, so the terms of service agreements are long and almost unreadable because today we operate in a world where it's kind of the wild, wild Web. People are making their own rules up as they go along.

  • 12:10:09

    NNAMDISo right now, I have a code on my computer that's been installed by an outside company, and it's gathering information about me and selling it to advertisers?

  • 12:10:19

    THIBEAUWell, in many cases, the cookies that are placed on your computer or search engines that you use do in fact report the things that you like, the places that you visit, and that's a function of several things. One is that that information is indeed valuable, and that information is valuable not only to people that want to sell you things, but also to you, so that you can search easier. You can move from site to site easier. So that information that you report and information about you that's being exchanged between websites is enormously helpful, for not only what you want to do but also for the environment that you're in on the Web.

  • 12:11:02

    NNAMDIWell, help me with my paranoia here. Is the information that these tracking companies gather about me anonymous? Do they know that I'm Kojo Nnamdi? I do have several other names, by the way.

  • 12:11:13

    THIBEAUThat's true. You have several e-mail addresses, several identities and operate in different ways and different parts of your life, but, yes, many of the habits and places that you visit and your location are important to people that want to sell you things. So mostly that's anonymous and ephemeral, but there are places where it's important for you to register that you are, in fact, who you are.

  • 12:11:43

    NNAMDIMany of us do government business...

  • 12:11:44

    THIBEAUMm-hmm.

  • 12:11:44

    NNAMDI...for instance, online, like renewing our license plates, paying taxes, even reserving a picnic area at a national park. How am I being identified and tracked at government websites?

  • 12:11:55

    THIBEAUGreat question. The government is trying to sort that out now, and this strategy that the Obama administration is working its way through is an attempt for the government to come up with some standards, some rules and technologies that they can adopt so that there's a regular and predictable sense of trust between citizens and government agencies.

  • 12:12:20

    NNAMDIHave other countries made headway on how they share and track the online identities of their citizens? I know that several European countries, including Germany, Belgium, Spain, have digital ID cards that contain information about their citizens.

  • 12:12:34

    THIBEAUWell, they have made headway, but I don't know that Americans would consider it headway. Americans really reject the notion of the centralized control point for identity. It's just part of our culture that we are suspicious of government and tend to believe private companies, where the European culture is just the way -- the other way around, where they're much more comfortable with a government issued identity, whether that's a smartcard or an e-mail address.

  • 12:13:03

    NNAMDIAnd we, of course, are absolutely concerned always about privacy. There are a lot of people who are looking at the one ID system, and there are privacy advocates ringing warning bells saying that this system would be the end for those of us who still wish to remain anonymous online. Joining us in studio is Aaron Brauer-Rieke, fellow at the Center for Democracy and Technology. Aaron, thank you for joining us.

  • 12:13:27

    MR. AARON BRAUER-RIEKEThanks for having me.

  • 12:13:28

    NNAMDIAlso with us is Jay Stanley, senior policy analyst in the Speech, Privacy and Technology Program at the American Civil Liberties Union. Jay, thank you for joining us.

  • 12:13:36

    MR. JAY STANLEYThanks for inviting me on.

  • 12:13:36

    NNAMDIIf you'd like to join the conversation, call us, 800-433-8850. Would you feel comfortable using just one Internet logon for all the websites you visit? 800-433-8850. You can go to our website and make a safe contribution to the conversation. It's kojoshow.org. Send us a tweet, @kojoshow, or e-mail to kojo@wamu.org. Aaron, in the conversation on – was just having with Don Thibeau, we know that there are no national standards for how our identities are kept private on the Web, but President Obama wants to fix that in the form of what they're calling an online identity ecosystem. How would this National Strategy for Trusted Identities in Cyberspace or NSTIC work?

  • 12:14:23

    BRAUER-RIEKEThat's a great question, and it's actually a pretty complicated story. When you look at the Internet today, we all use a lot of different websites, and for the most part, for each of those websites -- my bank, my university, my job, my social network -- I use a separate set of user IDs and passwords -- usually, the same, I don't change my password very much. And what that leaves...

  • 12:14:44

    NNAMDIWhat is it again? But, no, go ahead.

  • 12:14:47

    BRAUER-RIEKEWhat that leaves is a handful of my information with lots and lots and lots of different parties. Some of those I may trust, some I may not. And what the Obama administration has said is this is leading to a few problems. One, there's a lot of identity theft and fraud, and we don't like that. Two, we want to offer government services like the picnic table reservation and the ability to pay your taxes or collect your tax return or the ability to transfer title to your car. We have services we want to offer that we can't because we don't have the identity system out there yet.

  • 12:15:18

    BRAUER-RIEKESo to be fair, what the Obama administration has suggested is, wouldn't it be great if we could give you a key ring of various identities, not necessarily just one, but maybe one that was anonymous, one that was pseunonymous, and one that was highly authenticated -- it's just me -- that you could use as you go across the Web. That would also protect your privacy. And to give an example of how that might work is think about when you take your driver's license to get into a bar. The bartender will look at your license, and if he wants to, he can see your address. He can see your full birth date. But what he really wants to know is that you're over the age of 21.

  • 12:15:53

    BRAUER-RIEKEThe goal is to have an online ID that has that sort of information but can just say to the bartender, yes, Aaron is over 21. So that's an example of how better identity technology could be privacy preserving. There's no guarantee that it will be created that way, but that's their hope.

  • 12:16:10

    NNAMDIWould we simply be using the logins we now have for, say, our e-mail accounts, or would the identity need to be more complex, like a code on a chip or a smartcard?

  • 12:16:20

    BRAUER-RIEKEIt depends on the use. The National Strategy says -- it actually gives an example. If I want to log in to a hospital website to get the results of my blood test, it might be more appropriate to have an actual chip in my cell phone that makes that a secure transaction. But if I'm just reserving a picnic table at a federal campground, they don't really need that. Maybe I'd use my Gmail or my Hotmail account if they're set up to do that.

  • 12:16:42

    NNAMDIDon Thibeau, if we're talking about something like a smartcard or a chip, would it contain biometric information, like fingerprints or iris scans?

  • 12:16:51

    THIBEAUI think that's one of the challenges of smartcard technology is that in an attempt to make things more secure, the issues of privacy are escalated even further so that you -- by giving up biometrics or other kinds of identity attributes, the problem of privacy and trust is compounded yet again, to say nothing of cost.

  • 12:17:14

    NNAMDIIn case you're just joining us, Don Thibeau is chairman of Open Identity Exchange and executive director of the Open ID Foundation. He's joining us on Tech Tuesday for a conversation about the changing landscapes of Internet IDs and the proposal from the Obama administration that we use one ID on the Web. Also with us in studio is Aaron Brauer-Rieke, fellow at the Center for Democracy and Technology, and Jay Stanley, senior policy analyst in the Speech, Privacy and Technology Program at the American Civil Liberties Union. Jay, it seems like having a single identity on the Web would raise all kinds of privacy red flags. What kinds of concerns do you have about this?

  • 12:17:53

    STANLEYYes. Well, it would. I mean, as Aaron said, the ideal is that you have a variety of different identifiers, because when you identify yourself to an institution or to a person, you're creating a relationship with that person. You're allowing them to create a memory of you and keep track of what you're doing online on an ongoing basis. And when somebody in a bar asks you for your phone number, you have to decide if you want to create a relationship with this person by giving him your phone number.

  • 12:18:21

    STANLEYIn the same way, with all the institutions that we deal with online, we want to have separate relationships with each of them, because if we have a single unique identifier, then they can find out that you who filed a -- comments on a website is the same person who bought some lingerie on another site is the same person who read this article, who bought this book, and that, of course, is a tremendous invasion of privacy.

  • 12:18:48

    STANLEYAnd, meanwhile, we do have, as Don was talking about, this enormous machinery for tracking individuals as they surf around the Web using cookies and Web bugs -- technology called Web bugs, and things like that, which increasingly can not just keep track of where this person who's using a browser goes, but often link that to your real identity.

  • 12:19:16

    STANLEYAnd so there is the possibility that we could create an identity system that does protect privacy if everything is done right. But if it's not done right, then I think it would have real chilling effects on the Internet as people realize that they can no longer do a lot of things anonymously. And we can talk about the importance of anonymous action online, but that would really chill the raucous, amazing Internet that we have today.

  • 12:19:40

    NNAMDIWe remember the controversy over the proposal for a national ID card. Could this online identity system be as controversial as that was?

  • 12:19:51

    STANLEYIt could. I think that -- I mean, there has been talk in, you know, among security professionals about creating a driver's license for the Internet. That idea is floating around out there. Now, the White House very distinctly said when they released this strategy, this is not what we want. This is not what this is. We don't -- we're not aiming at that. That's not what we want. The question is whether it will evolve into that.

  • 12:20:14

    NNAMDIDon Thibeau, a lot of people can already use their Gmail login to access other sites, so would this ID system be kind of an extension of what they have already?

  • 12:20:25

    THIBEAUWhat the government is trying to do and experimenting with is to see if commercial identities like your Gmail account and your AOL account can be used for interacting with the government on different lower levels of assurance kinds of interactions. What the government has is a really difficult problem, which is how do we, in times of decreasing budgets, deliver more services. And the answer to that is you do so online. But the problem with online service delivery or cloud-based computing is this thorny problem of identity and identity authentication. And that's where we're struggling as a society and as technologists, which is, we have these very powerful algorithms and data machines, as we talked about earlier.

  • 12:21:15

    THIBEAUWhat we lack are mechanisms for trust. And so there's a lot of discussion about the trust layer of the Internet, and this is the thing that really is inhibiting growth.

  • 12:21:26

    NNAMDIWe're gonna take a short break. When we come back, we will address the issue of trust in this Tech Tuesday conversation about a proposal for one online ID. If you'd like to call us, the number is 800-433-8850. If the lines are busy, you can go to our website, kojoshow.org. Would you feel comfortable using just one Internet logon for all the websites you visit? Send us a tweet, @kojoshow, or an e-mail to kojo@wamu.org. I'm Kojo Nnamdi.

  • 12:23:32

    NNAMDIWelcome back. It's Tech Tuesday. We're discussing a proposal coming from the Obama administration for one online identity, with Aaron Brauer-Rieke, he's a fellow at the Center for Democracy and Technology, Dan Thibeau is chairman of Open Identity Exchange and executive director of the Open ID Foundation, and Jay Stanley is senior policy analyst in the Speech, Privacy and Technology Program at the American Civil Liberties Union. I'll get to the telephones in just one second. But, Jay, so what's wrong with what we have now? Can't we get along without a system that in the eyes of some could be a threat to our privacy?

  • 12:24:11

    STANLEYI think that that's a very, very good question, and that's one of the questions that we've been raising about this, which is, you know, the Internet is a lot of different things. It's a banking and business platform. It's an outlet for personal freedom and expression and self-exploration. It's a soapbox. It's a reference work. It's a counseling and confession chamber. It's an organizing tool. And a lot of these things flourish when people can feel comfortable that they won't be identified. You don't go online to get help if you're a teenager struggling with your sexual identity, or even if you're a professional who has a wacky hobby and maybe you don't want the people you work with to know about it.

  • 12:24:47

    STANLEYAnd so this plan is a plan to reach for new abilities on the Internet, to give the Internet new powers to engage in trusted transactions. But we have to be careful that in reaching for those new abilities that we don't mess up the wonderful thing that we already have.

  • 12:25:03

    NNAMDIHere is Dennis in Vienna, Va. Dennis, you're on the air. Go ahead, please. Hi, Dennis. Are you there? Dennis, are you still there? I really want Dennis to come in because Dennis wants to challenge the premise that the government needs to do this at all. But Dennis seems to have left us for the time being. I'll put you back on hold, Dennis, and raise that issue with you, Aaron. Do we really need this?

  • 12:25:30

    BRAUER-RIEKEThat's a great question. I think that Jay is right to be skeptical about many things. We have -- the Internet is more than just services that we need to identify ourselves for. But I think it's also important to recognize that this is not happening in a vacuum. We already have an identity provider of sorts with 600 million members, called Facebook. And as a matter of policy, you have to register with Facebook with the name as it is printed on your government ID. So while there's plenty of reason to be suspicious of the government encouraging better identity infrastructure, it's also important to recognize that there are forces on the Internet today that are moving forward toward a more identified Internet.

  • 12:26:09

    NNAMDIDon, how could Internet users know they could trust the companies that are maintaining this ID system?

  • 12:26:19

    THIBEAUIt's a great question because that set the foundation of the relationship between the user and his identity provider, whether that identity provider gives you an e-mail address or a mobile number. The fundamental trust is -- well, it may be encapsulated in the terms of service. It's something much more powerful. It is the engine for growth in companies like Google and Facebook and others, because they have been able to create a trust relationship with hundreds of millions of people.

  • 12:26:50

    THIBEAUSo this notion of trust on the Internet really is important because the normative institutions, the legal systems, regulatory, legislative systems are lagging farther and farther behind of what the technology and the Internet is providing. So new trust mechanisms really are something that are important to discover and experiment with.

  • 12:27:13

    NNAMDIGonna get back to that issue, but here is Christian in Annapolis, Md. Hi, Christian.

  • 12:27:18

    CHRISTIANHi, Kojo. Thanks for taking my call.

  • 12:27:20

    NNAMDIYou're welcome.

  • 12:27:21

    CHRISTIANSo I actually -- to answer your question from a few minutes ago, am I willing to use online identity centralized? I do it already. As you mentioned, Google offers the ability to sign in to multiple places through your account, and I use them for that because of a couple of reasons. One, they're a big company and they have an established reputation for being able to manage it. And they also recently implemented a multifactor authentication system that helps solve the biggest issue that any IT person will tell you, which is in any security system, the most vulnerable point is the human element. Passwords are not safe.

  • 12:27:55

    CHRISTIANSo if you add multifactor authentication to help lock down that identity, then a lot of the concerns that people might have about their identity being stolen or their account being taken over by somebody malicious, a lot of those are solved with that. I also use a solution called LastPass for password management. It generates random passwords that it -- can be measured in generations how long it takes to crack those passwords. And I use something called YubiKey as a one-time password method to authenticate with that service.

  • 12:28:22

    CHRISTIANSo by -- if the government were maybe to offer verification of these commercial services that already offer established, proven security technology for this identity, I might feel more comfortable doing it at a government level. I don't feel the government reacts quickly enough to the ever-revolving threats of online security. But there are companies that are already addressing this. And with -- and my 85-year-old grandfather uses these systems that I use. So it's not an issue of complication either, 'cause it's easily -- easy to use, but it's very secure. So I was wondering if your guest might have some thoughts on that. Are they familiar with those services? And what they were thinking in terms of those sorts of concerns for locking down the actual authentication with the user end?

  • 12:29:06

    NNAMDIJay Stanley, you first.

  • 12:29:08

    STANLEYI think that that's, you know, the services that you use are an indication of the private sector stepping in to, you know, to solve the problems that people are facing in their everyday life. And the question that is raised by the White House strategy is what the role for government here is. And, you know, this could go different ways. It could go on the direction of the government-set standards that improve the private sector and still allow a thousand flowers to bloom and allow individuals to have competition and actually set regulations in place that improve individual's privacy by limiting the amount to which -- the extent to which these private companies can track individuals.

  • 12:29:47

    STANLEYOr it could also swing the other direction in which we end up with a system in which one of these private sector companies becomes a monopoly so that everybody pretty much has to get an identity through them. It could be Facebook. It could be one of these other companies. And the government, you know, sort of, creates standards that act against our privacy by allowing our different aspects of our lives to be connected together.

  • 12:30:08

    NNAMDIWell, the open identity exchange, Don, has members such as Google. You got Paypal. You got AT&T, LexisNexis. Does this mean that those private companies are willing and able to sign on to a framework like the one we're discussing?

  • 12:30:21

    THIBEAUIt means that they're interested in having the conversation because they see their economic and strategic futures as being bound up in this issue of trust. That's the basis of the franchise that they have in their relationship with consumers. So they're looking at this trust framework as a new model to manage trust in an open and auditable way so that they can provide more services, they can expand markets, which only comes when you have trust. So the role of the government here is interesting because as technology move so quickly past government's ability to control it, this notion of technology standards is one of the last instruments that our government and other governments really have at their disposal to help shape how trust is managed and how interoperability is built on the Internet.

  • 12:31:15

    NNAMDIWell, what I find intriguing about this, Aaron, is that on the one hand, we hear people, including the last caller, who say, yes, I trust private companies to do this more than I would trust the government to do it. But we all know that if a private company betrays our trust, the government is who we're going to turn to to resolve this issue as the trust of last resort. How do we resolve it?

  • 12:31:39

    BRAUER-RIEKEThat's a great, great question. And in some ways, it's almost a big brother-little brother problem, you know? Do you want the government to help the private sector build better identity standards? And, as Jay said, that could go well, or we could see ourselves 20 years down the road using a federal driver's license to log into websites, which would be bad. And I think Americans are probably torn over this. There's not a whole lot of trust in online institutions right at this moment. And, you know, as Don said, we've classically rejected a national ID. So I think we're, kind of, between a rock and a hard place here, and it's hard to know.

  • 12:32:13

    BRAUER-RIEKEWhat I appreciate that the caller pointed out is that many of us already use online IDs for multiple purposes today. And all you need to do is go to The New York Times or other big websites and see that they allow you to log in with OpenID, with Google or with Facebook, and that's the world, I think, we're moving toward naturally, anyways, is fewer identity providers online. And the government, I think, wants to seize on that trend. And their claim is, we want to make this happen in a good way. Whether that will happen or not is kind of the question.

  • 12:32:43

    NNAMDIThanks for your call, Christian. Here is Abdul in Washington, D.C. Abdul, your turn.

  • 12:32:50

    ABDULHi, Kojo. Thanks for taking my call. I have a quick question and a comment as well. What I heard from the conversation is mostly for, I would say, advanced -- I'm an IT person and I would say it's mostly for advanced users, advanced Internet users. But let's think about the basic users. If we would come out today and say, okay, let's vote. Would you -- would everybody want the government to offer one card to identify the person? And everybody would say yes. But my question is, who will be accountable for any security issue that may rise from this?

  • 12:33:44

    NNAMDIWhat would your answer to your hypothetical question be?

  • 12:33:49

    ABDULI would say if the government will be accountable for that, then it will be a great thing. Because most of the people, they basically use their e-mail or they would be happy to get with one user or one card access everything. Everybody will be happy with it. But what about all the security issues that will be attached to that?

  • 12:34:18

    NNAMDIWell, Don Thibeau, he seems -- Abdul seems to be saying on the one hand that it could be fairly complicated for the average online visitor. On the other hand, if it's got government backing, then people might be willing to go for it?

  • 12:34:36

    THIBEAUThat's a hard -- it's a stretch to see government backing something. It's a question of which government, because many of the companies that we're talking about are Internet scale. So when you ask them about government regulations, they'll say, which one? They're multi-jurisdictional creatures, and so they have to sort out these issues of trust with respect to several governments and several sets of standards, each of which is evolving.

  • 12:35:04

    NNAMDISpeaking of trust, it seems like you've got a tough job getting the world's big websites to sign on to an open system where they trust each other to safeguard our identity. How do you do it?

  • 12:35:14

    THIBEAUIt is -- it's refereeing at the mud wrestling matches, I call it. We have to somehow convince companies like Microsoft and Google and Facebook that it's in their mutual interest to create interoperable systems, because that's what the Internet requires, is interoperability for tools, but also for rules, for policies. So big companies, whether they're U.S. e-mail providers or international mobile providers, have to find out ways of interoperating because that's what the Internet provides.

  • 12:35:48

    NNAMDII'm glad you mentioned Facebook because, Jay Stanley, Facebook, more than any other site that I can think of, seems to shift around its privacy parameters without consulting its users. What are the implications of that for this conversation?

  • 12:36:05

    STANLEYYeah. It's true that -- I mean, I think the thing about Facebook is that it confuses our privacy intuitions. In our daily life, we have a sense of what people around us know about us and what they're seeing of us, and we're all very aware of that because we're social animals. On Facebook, you always hear about stories of, you know, of oversharing. We -- a case came to our attention where a fellow posted information about his marijuana-growing operation on his Facebook page, and then a friend of a friend was a police officer, and he ended up getting busted. And, I mean, you can say, well, there's a lot of stupid people in the world.

  • 12:36:39

    NNAMDIHis friend shared it, yeah.

  • 12:36:41

    STANLEYYeah. But I think that also is a reflection of the fact that Facebook confuses our privacy intuition, and the fact that the company has repeatedly sort of changed the ground rules of privacy has only made it worse.

  • 12:36:53

    NNAMDIAnd that's something we don't want happening when we have our one online ID. Don Thibeau, you said that Facebook is the overpowering mud. What do you mean by that?

  • 12:37:01

    THIBEAUWell, it offers a compelling experience for half a billion people, and it's hard to imagine, but it operates on that basis every day, growing in its influence and its ability to connect people. And we've seen that recently in the Middle East, the power of social media to connect people in new ways that were unimaginable just a few years ago. So, again, it comes down to this issue of trust, where the Facebook franchise, like other franchises, are based on do its users trust it to protect the experience that they've bought into.

  • 12:37:39

    NNAMDIOn now to Eric in Manassas, Va. Eric, you're on the air. Go ahead, please.

  • 12:37:44

    ERICYes. Just one point, and that is that FDR swore that -- well, swore or affirmed, that the Social Security number would never be used for any purpose other than Social Security business -- and the way we've deviated from that – and I particularly would like the ACLU man to address it, the way we have deviated from that position means that it would bode ill if we develop these master logins without proper safeguards (unintelligible) FDR. So...

  • 12:38:30

    NNAMDIEric, what would you consider proper safeguards rather than the promise of an elected official?

  • 12:38:38

    ERICI think -- well, first of all, I'll just start with one thing that I think should not happen. Although I do believe men should support their children. The men or women. They started using Social Security numbers for tracking people down through their W-2s.

  • 12:38:58

    NNAMDIOkay. But I do understand the analogy that you're making, so allow to me have Jay Stanley respond.

  • 12:39:02

    STANLEYWell, it's an excellent point. I mean, I think that the Social Security number was -- it wasn't just a verbal promise by FDR. I believe that it was actually passed by Congress into law in the 1930s that Social Security can only be used for administering the Social Security program, which we all now know is kind of a joke. And that is exactly the kind of concern that we have here. It's a recognition that these things, once created, can take a life of -- take on a life of their own, that government bureaucracies -- and there are many good people in government working on this program and really trying to make it really good, but government bureaucracies can be bigger than the intentions that start out, and we can end up with something that would help, hurt privacy a lot.

  • 12:39:42

    NNAMDIThe message -- be vigilant. But here's Nick in Winchester, Va. Nick, your turn.

  • 12:39:46

    NICKHi, Kojo. I called for two reasons. One is, I'm suffering from password fatigue.

  • 12:39:56

    NICKI think that every particular site that I wanna use, wants a different type of password, whether it has to contain one word, one capital letter, a number or whatever. And then there are other -- and some of them come to me at regular intervals and say, isn't it time to change your password? So I mean, that's one thing. The other thing is -- and you've mentioned in passing, so I don't want to get into it deeply -- but people simply say we have refused to establish a national identity card or a national identity document. It seems to me that nobody is discussing the -- and we're just discussing it -- we're just dismissing it out of hand.

  • 12:40:52

    NICKWe're not really talking about should we or shouldn't we, especially when we're starting to require a passport or some kind of document, a national document to go across to Canada, to go across to Mexico, to go to the Caribbean, as well as a passport to go to any other foreign countries. That's all I wanted to say.

  • 12:41:11

    NNAMDIOkay. Thank you very much for your call. I'll address the first part of your question after we take a short break, the issue of password fatigue. But on the issue of the national ID card, Jay Stanley, remind us of why it's so controversial.

  • 12:41:26

    STANLEYWell, Americans have consistently for, you know, for 40, 50 years have been opposed to the idea in polls and Congress has never voted on it. But we are seeing sort of analogs of a national idea, as the caller points out, creep into our lives with driver licenses, with the Social Security card, with increasing use of identification requirements for travel. And this is something that becomes a tool of social control. It becomes a tool of tracking, because you have a single national identification. Everywhere you go, records are kept of you. Those records can be tied together into a, you know, into a, sort of, a mosaic of your life. And that is why the ACLU opposes a national ID and why many, many Americans do as well.

  • 12:42:07

    NNAMDIGot to take a short break. When we come back, Nick, we will address your single password versus multiple password issue. But we do have to take a short break. You can stay on the line, Nick. We'll get back with you. And others can call us at 800-433-8850. We're talking about using one Internet log on for the -- all the websites you visit. One Internet ID. Is that something you would feel comfortable with or not? You can also go to our website, kojoshow.org, send e-mail to kojo@wamu.org or a tweet @kojoshow. I'm Kojo Nnamdi.

  • 12:44:17

    NNAMDIWelcome back to our Tech Tuesday conversation about a proposal for one online ID being made by the Obama administration. Later, we'll have Jeremy Grant of the NTSIC -- what's it called again?

  • 12:44:31

    THIBEAUNSTIC.

  • 12:44:32

    NNAMDINSTIC. We'll have Jeremy Grant of NSTIC. But that will be when the strategy is announced. Right now, we're just discussing the proposal. We got this e-mail from Rama who said, "I'm sorry, but having a single password is one of the worst ideas ever. Talk about a nightmare if your identity is ever stolen. What I personally do to manage all these passwords is a pattern, including the website or computer name, some special characters, a random string of letters and numbers and a version number. This way, I can just write down a list of site names and the version numbers which I can keep in the open. Since the pattern is always the same, most of the time I don't even have to refer to the list. It also saves from needing to make up new passwords for those pesky ones at work that expire every 90 days since I just change the version number."

  • 12:45:17

    NNAMDIWell, if you are confused, we'll see if we can clear that up. I should mention that joining us in studio is Jay Stanley, senior policy analyst in the Speech Privacy and Technology Program at the American Civil Liberties Union. Aaron Brauer-Rieke, a fellow at the Center for Democracy and Technology. And Don Thibeau, chairman of Open Identity Exchange and executive director of the Open ID Foundation. Don Thibeau, when we're talking here about this proposal for one online ID, we are not necessarily talking about that online ID and different security levels for it being identified with a password necessarily.

  • 12:45:52

    THIBEAUThat's correct. The whole notion of a password is, in some ways, old technology. Many people use the word password for password or come up with some kind of a convention that's easily guessed by identity thieves. So many companies -- most companies have moved beyond passwords to what's called a risk-based analysis of identity. So these new tools allow us greater security without the use of passwords or CAPTCHA technology. But, again, it's one of those things where the technology is outpacing conventions and standards.

  • 12:46:32

    NNAMDINick, thank you very much for your call. Jay, there are many of us who like to use the web anonymously, as we talked about earlier. Twitter, for instance, is full of people who use pseudonyms. How does the system take anonymity into account?

  • 12:46:47

    STANLEYWell, in theory, the White House's proposal would allow you to identify yourself only to the extent that is necessary. And that's one of the really good things about the proposal, that basically, you can authenticate yourself instead of identify yourself. And that means you prove that you're over 21, as Aaron was saying earlier, without actually having to give all the information on your driver's license. And that is crucial because, you know, online anonymous speech is really one of the things that makes the Internet as vibrant as it is. The Founding Fathers wrote many of their materials like the "Federalist Papers" anonymously.

  • 12:47:30

    STANLEYAnd the Supreme Court has ruled that it is a core part of free speech, to be able to have the right to speak anonymously. So that's something that we really need to protect online. And if done absolutely right, with all the right kind of protections in place, you know, there could be a system that allows you to authenticate yourself securely in a trusted way while remaining anonymous. But the question -- you know, the whole thing with this proposal is the devil is really in the details.

  • 12:47:59

    NNAMDIIndeed. What occurs to me, Aaron, and I'd like you to deal with this also, Don, and maybe even you, Jay, could we be nearing a day where you'll have to identify yourself everywhere on the Web, even if doing so is unnecessary?

  • 12:48:12

    BRAUER-RIEKEWe hope not. And I agree with everything Jay just said. And anonymity is certainly an important aspect of the Internet today. I think part of the challenge here I wanna reiterate is, while we all agree that the ultimate vision of this government strategy is good and the devil is in the details, it's also worth remembering that the world moves on its own force. And I think there is -- you know, we spoke briefly earlier about the changing nature of Facebook. I joined Facebook back when I was a college student and it was a very small, closed network. And I gave my full name and all my information in that era. Today, Facebook provides login services for a lot of top websites, and the Facebook has opened its network to good websites.

  • 12:48:55

    BRAUER-RIEKEAgain, like the New York Times to say, for me to give permission for the New York Times to dip a label into my Facebook data to authenticate myself. I'm not saying that that's a bad or a good thing necessarily. The point is, with or without this national strategy, I think we should be concerned about an Internet that is moving towards real name identification.

  • 12:49:13

    STANLEYAnd, you know, I think another thing about passwords is that they are an appropriate security measure in many cases. If I'm logging on to The New York Times, you know, if somebody finds out my password, the consequences to me are very small. And it's -- you know, I use a password that I use on many different sites, so it's not a problem to remember. It's easy. It's convenient. Convenience will always win, right? And as one of the previous callers talked about it, I mean, we have to think about these systems and how they're gonna work for very unsophisticated users like my -- you know, like your grandmother.

  • 12:49:44

    STANLEYYou know, is she gonna be able to use this? Is a hacker gonna be able to get in? And even if we set up this system, is a hacker gonna be able to get in, take control of her computer? And this system won't do any good.

  • 12:49:56

    NNAMDIDon, could we, in fact, be nearing a day when you'll have to identify yourself everywhere on the Web?

  • 12:50:01

    THIBEAUWell, in some ways, we're already there because the normal conventions that we have for identification are under stress or under attack by identity thieves that are based anywhere in the world. Whether it's someone using caller ID to call into this show, it's now just a matter of 35 bucks and a little piece of software, and I can impersonate the president or Aaron when I call in to "The Kojo Nnamdi Show," or into my bank to find out what my bank balance is. So we're looking at a world where the threat factor is increasing at all elements of where identity exists today.

  • 12:50:42

    NNAMDIHere is Harley in Bishopville, Md. Harley, you're on the air. Go ahead, please.

  • 12:50:48

    HARLEYHi. I just wanted to make a point about something that was stated earlier about the fact that part of the reason we're doing this is because people are already starting to trust Facebook and Google to manage their sign-ons to various sites, which -- there's some truth to that, but there's a lot of people who still leave their front door unlocked or their car unlocked, too. Those are unsophisticated users. Most sophisticated users would never trust that. And I think basing this concept on that is a mistake in the start.

  • 12:51:18

    HARLEYAlso, as far as implementing it, even if it was a good idea -- which I do not agree that it is -- I would never trust the government to set the rules and maintain -- our government I wouldn't trust, and other governments I would trust even least -- less. So I don't think this is a good idea. Plus I just don't think it's ever gonna truly happen. I -- people have been working on single sign-on just within single corporations for a decade or more, and it hasn't come to pass. So I think this is all pie in the sky.

  • 12:51:50

    NNAMDIHarley, are you part of the school that says if it ain't broke, don't fix it?

  • 12:51:55

    HARLEYAbsolutely. Absolutely. (laugh)

  • 12:51:57

    NNAMDIYou see nothing wrong with -- exactly...

  • 12:51:57

    HARLEYThat's my main motto.

  • 12:52:00

    NNAMDIExactly what we have now. This we got from Mark in D.C. "I don't trust anyone at this point. I don't want to be on any list largely because that list can be hacked and compromised or sold to the highest bidder. I think we need some protection that we are not getting now. As long as there are economic interests that could profit by watching all of our browsing, they'll collect information and sell it. We're already in trouble. There's no one looking out for us. Our politicians answer to big money, not to us." What do you say, Don Thibeau, to this skeptic?

  • 12:52:29

    THIBEAUI think that you have to create a trust framework where there is transparency, where there are rules and the tools are available for inspection by all. It's only when you have interoperability at the policy level and at the technology level that you're gonna have something that works at Internet scale. So this notion of trust is not a pie in the sky notion. It's a very important economic driver for growth and for citizen-government interaction.

  • 12:52:59

    NNAMDIAaron, there are a lot of legal questions that come up with a system like this, including one of signatures. How do we know something is really signed if it's done with an Internet ID? Do we still need signed papers?

  • 12:53:11

    BRAUER-RIEKEIt's an interesting question. And a better Internet identity system would certainly help with the evidentiary legal question, were it to come up in court, did I really sign this? It's funny you asked that because back when the Internet was in its early days, there were legal questions about whether we could even sign a contract over the Internet or buy anything that's e-commerce legal. And, of course, we've jumped that hurdle. So it would help. I don't think it's gonna be a revolutionary change, except in the fact that maybe someday, with rules and tools, we could trust an e-mail more than we can now.

  • 12:53:42

    NNAMDIHere is John in Washington. Hi, John. You're on the air. Go ahead, please.

  • 12:53:46

    JOHNHi, Kojo. Really quick. I know you got just a few minutes here, so I just wanna make a quick comment. Number one, I think we have to be very careful with the environment of terrorism that exists in the world today. And also we need to pay attention to this whole thing with the Patriot Act. We, as American citizens, have lost a lot of rights through the Patriot Act. Number two, why can't we have some kind of system? I mean, if you can have video cameras on your laptops and so forth, why can't we have some kind of a retinal scan or a fingerprint scan, which is currently used in some stores, to be able to take your purchases directly from your bank account? Surely that could turn around and be more foolproof than what we currently have. Thank you.

  • 12:54:33

    NNAMDIYes. But would we trust that technology, Jay Stanley? (laugh)

  • 12:54:37

    STANLEYWell, I think the point that the caller makes about the Patriot Act is an excellent one. I mean, we have to remember the larger context here, which is that all the information that is being collected about us by the private sector on the Internet is increasingly available to the government. The government's powers to seize, you know, these storehouses of information about you and me that are increasingly being created on the Internet is greater than ever.

  • 12:55:00

    STANLEYThey can take information that's held by third parties without a warrant, often without any judicial participation. And so, you know, the Patriot Act is something that took judges out of that process and increased the government's powers without oversight to do that. And that's something that we have to keep in mind as we talk about, you know, the commercial side of the Internet. You know, in terms of biometrics and retinal scanners, I mean, you know, the -- again, it's the same problems that you always have, which is creating these giant sort of infrastructures for setting these things up. If you have a hacker who has control of your computer, then they can fake the retinal scan just as they can do anything else on your computer. So it's not necessarily a silver bullet.

  • 12:55:47

    NNAMDII wanna read this fairly long ID we got -- e-mail we got from Ben, who says, "I just wanna point out your repeated reference to a single Internet ID. This is not what is available on the marketplace, nor is it the intent of the National Strategy for Trusted Identities in Cyberspace, NSTIC, which we, in government, are working on. The government would not require that you get a trusted ID. If you want to get one, you would be able to choose among multiple identity providers, both private and public, and among multiple digital credentials. Such a marketplace will ensure that no single credential or centralized database can emerge. Even if you do choose to get a credential from an ID provider, you would still be able to surf the Web, write a blog, visit chat rooms or do other things online anonymously or under a pseudonym. The new identity ecosystem is meant for sensitive transactions: banking, shopping, accessing health records, et cetera. It is designed to protect your privacy by helping online providers verify your identity before accepting or providing sensitive information to you. It's also intended to help you verify that the websites you use are legitimate and not fake sites designed to steal your credit card and other personal information."

  • 12:57:00

    NNAMDIThat said, Don, this Internet identity system is in its draft stages. But one of the big concerns is whether or not personal computers or even cell phones are really secure enough to handle these smart IDs.

  • 12:57:13

    THIBEAUAgain, the technology outpaces the rules and the tools. I mean, the e-mail you just read put it exactly right, that it's the attempt by this administration to find some new structures to create trust. They call them trust frameworks. So that whether your identity is on a cell phone, on a chip or on a PC, that identity can be managed and its attributes be understood in a open system that allows for transparency and drives commerce.

  • 12:57:42

    NNAMDIDon Thibeau is chairman of Open Identity Exchange and executive director of the Open ID Foundation. Don, thank you for joining us.

  • 12:57:49

    THIBEAUMy pleasure.

  • 12:57:50

    NNAMDIAaron Brauer-Rieke is a fellow at the Center for Democracy and Technology. Aaron, thank you for joining us.

  • 12:57:55

    BRAUER-RIEKEThank you.

  • 12:57:56

    NNAMDIJay Stanley is senior policy analyst in the Speech, Privacy and Technology Program at the American Civil Liberties Union. Jay, thank you for joining us.

  • 12:58:03

    STANLEYThank you so much.

  • 12:58:04

    NNAMDIWe told you that at a later date we'll have Jeremy Grant of NSTIC on when the strategy is announced. He is heading up the program. So stay tuned for that. And thank you all for listening. I'm Kojo Nnamdi.

Related Links

Topics + Tags

Most Recent Shows