This evening over dinner after Poly-NYC‘s “Politics and Passion” meeting, I found myself in an unexpected debate over Internet ID, part of the US government’s plan to centralize Internet identity mechanisms. Although this is actually old news—over a year old at this point!—fears about it seem to be cropping up again this week on places like Reddit, and my Google searches return this 6-day old FauxNews article that links to a 12-month old CNET article cross-posted at CBSNews. (And, as an aside: WTF, Fox‽ You really are a piece of shit “news” network, aren’t you?)
Maybe what gave some people a new injection of Internet ID-induced fear was the fact that the truly horrid SOPA and PIPA Internet censorship laws were in the news this week thanks to the #SOPAStrike Internet blackout (which I enjoyed participating in). Or maybe it was because the latest versions of the Internet ID specifications are nearing their release date, so everyone’s a little on edge.
Whatever it was, though, I think that fear is misplaced. Most of this fear seems to stem from a real misunderstanding of the way Internet identities (not just Internet ID itself) work. Like so many things involving computer network security, something like Internet ID can sound scary when you’re not up on the nitty gritty details—that’s nothing to be ashamed of. Knowledge is power, and lack of knowledge breeds fear.
But Internet ID, or more formally known as National Strategy for Trusted Identities in Cyberspace (NSTIC) is actually not something to be fearful of. In fact, it could be a really good step forward, one that many Internet security, privacy, and free speech experts seem pretty excited about. And, what’s more, they have been for quite some time.
For example, Kaliya Hamlin is founder of the Internet Identity Workshop and an Internet identity expert who’s formally weighed in on NSTIC. She’s also a personal friend and someone I greatly trust to handle these matters with a lot of care, specifically to people who express an alternative sexuality. She’s done so time and again.
But don’t take my word for it! Listen to her thoughtful inclusion of how Facebook’s privacy-degrading actions late in 2009 would affect closeted users on Kink On Tap Episode 21: Welcome to the Privacy Wars. Her fantastic year-old piece, National! Identity! Cyberspace! Why We Shouldn’t Freak Out About NSTIC is still highly relevant today:
Our main conference Internet Identity Workshop held every 6 months since the fall of 2005 has for a logo the identity dog: an allusion to the famous New Yorker cartoon On the Internet, nobody knows you are a dog. To me, this symbolizes the two big threads of our work: 1) maintaining the freedom to be who you want to be on the Internet AND 2) having the freedom and ability to share verified information about yourself when you do want to. I believe the intentions of NSTIC align with both of these[…].
As another high-profile example, computer and Internet security expert Steve Gibson also recorded a netcast that dealt directly with NSTIC and explained it in remarkably clear detail. He dissected the way it functions, why it’s useful, where it can be improved, and what the big fears about it were.
Gibson rightfully concluded the fear is largely due to ignorance of the technology and a general mistrust of the government, but that the technical specification as it exists today is so good as to actually prevent the majority of the fears being espoused by people like those I spoke with who have not actually taken the time to grok the specifics. Here’s an excerpt from the transcription of the netcast:
LEO: I know some people, the idea of government doing this makes them nervous. To me it actually seems sensible because you need a centralized third party to certify it.
LEO: And I know people, a lot of people who listen to this show, don’t trust our government. And we probably shouldn’t trust government. But who better? I mean, you want Microsoft to do this? They have been, by the way, with little success. So I think it needs to be that. And then I think this is a nice – you liken it to certificates, and I think that’s a good – the web certificate system, I think that’s a good analogy. I think it makes sense to have third parties that are certified and that kind of thing. I’m excited. We needed this. I’ve been signing my email for years, to no avail. It’s all been the Web of Trust technique.
STEVE: Yes. And this document establishes the right principles. I mean, and I’ve read the whole thing. Everything about it, as I’m reading – and I’m skeptical of Big Brother, too. I don’t know how we’re going to do it. I mean, as a coder and technologist I think about all of the hurdles and the pitfalls and the challenges we face. But it’s clear that we need that. We need this in order to move forward and to really leverage cyberspace to the full extent possible, I mean, we have the technology.
LEO: Yes, yes. Identity is critical. We’ve learned that lesson. And anonymity, while you – I think this is nicely done because you can have anonymity.
LEO: But there’s also a way to certify you are who you say you are. And I think you need both. So I think this is good. This sounds – I’m excited.
STEVE: Yeah, me, too.
The nice thing about technology such as that being built by NSTIC is that, unlike the need to rely on flimsy promises of the government’s benevolence, we can actually audit the specifications and open-source implementations of these technologies ourselves. And many people do. Steve Gibson did, and I trust him.
None of this is to say there are not valid concerns—there are. For one, Trusted Identity Providers are still going to be privy to most everything you do with one of your Internet ID identities, but I don’t see how that’s any worse than what we have today: your ISP, your DNS provider, and countless third-party advertising companies can and are tracking everywhere you go on the Web today. NSTIC, on the other hand, could give users like you and me both the technical and legal ability to have more fine-grained control over what such third parties see about us as we use the Web.
Technology that puts users back in charge of their identity? Now that’s an Internet law I can be proud of.
So, as I said in the discussion over dinner earlier tonight, rather than spend our time wringing our hands over this Internet ID stuff, we’ll all be far better off saving our energy to fight foolhardy initiatives like SOPA, PIPA, and other forms of political, social, and technical censorship.
Internet ID/NSTIC is not an enemy. It is going to be an important and useful tool for users like you and me.