Archive for the ‘NIST’ Category

Data surveillance, national ID concerns expressed at NSTIC work group

NSTIC is a proposal for a national identity ecosystem. The issue of national identity is certainly settled for some interests surveying the new NOI green paper released yesterday from the Dept. of Commerce.

“There’s a new central hub and unless done properly your ID provider knows your date of birth and potentially every other piece of information along with your transaction history,” says IdentityFinder’s, Aaron Titus.

The better question identity frontmen are asking is how is it not a national ID?   Answers to this question today seemed more of a spooky apparition at the 2011 NSTIC workshop, hosted by NIST through Friday. Concerns about the ability to mine and sell information byproducts from the identity ecosystem remained unanswered and were treated as comments by NIST moderator, Jeremy Grant.

Governance- a gelatinous term used by corporations and powerful NGO’s- was clarified by Grant in intital remarks for the workshop. Examples of enmeshed public identity exchanges presented were NACHA’s administration of government-based electronic funds transfers and a Smart Grid proposal for energy conservation and evaluations.  Identity Ecosystem Consortium organizer, Kaliya Hamlin, then called for definition to the broad issue of “trust”; which has distinctions over the public and private sector for NSTIC.

The jury is apparently still out.  Breakout sessions this afternoon absorbed legal, technology and policy infrastructure analysts to determine the pecking order of NIST’s developing steering groups. With privacy concerns hanging so heavily in air, one had to wonder whether a privacy advocate’s appearance would be treated as an endorsement or as an effete stakeholder as part of the steering committee processes.

“I don’t think it would be endorsement in this context.  It feels far from endorsement. There’s a lot of real, technical stuff going on here that matters,” said Lee Tien, an EFF attorney towards relevance in NSTIC’s steering group.

A diplomatic appearance from a very nervous ACLU counsel, Jay Stanley, resulted in a pointed threat level comparison of national ID programs to “the nuclear bomb”of American civil liberties.   Stanley left the podium with “campaign or not to campaign against” as the question between terms of privacy and the NSTIC proposal.

The Obama Administration’s priorities are reputedly low towards Real ID, the U.S.’ current national ID card program.  That may be due to recent efforts to achieve similar ends in successive backdoor public-private programs hinging on involuntary data collection: the RIDE initiative, biometric worker ID cards and NSTIC, a universal online identifier compared to OpenID.

The first privacy centric workshop for the NSTIC proposal is scheduled June 27& 28th at MIT. 

You can review today’s workshop archives here.

“We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are. Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the ‘keys to the kingdom.’ ” – Cybersecurity czar Howard Schmidt on NSTIC

“The Obama administration is creating a new office within the Department of Commerce to oversee implementation of its trusted identities in cyberspace strategy. “

BTC –  Great article about the wary American with concerns over NSTIC c/o  [Yes.  We’ve been burned before….]

NIST finally makes the scene regurgitating Gary Locke’s statement that “it’s not a national ID card”.  It might really help to show us what the hell it is they are really talking about.

Yet… plenty of people are putting it together on their own that NSTIC is like letting Facebook issue drivers licenses to Internet users.

Or worse … it’s just the US government patronizing Internet users by saying “No, no!’s not a government system to watch you! We just need to know if you really are who you say you are if you’ll be using that computer in your home or at the cafe or wherever …and that it’s really you!”

Yes, yes.. we’ve heard it all before.. “We [NSA, DHS, FBI, CIA, DoD] just need to know who is: flying, driving, walking, talking, travelling, buying, selling, etc. etc.”

It’s got that new cybersecurity agency smell.  I don’t trust it.

c/o TechDirt , Mike Masnick

With health care reform out of the way, lots of politicians are pushing out new legislative ideas, hoping that Congress can now focus on other issues — so we’re seeing lots of bad legislation proposed. Let’s do a two for one post, highlighting two questionable bills that many of you have been submitting. The first, proposed by Senators Schumer and Graham, is technically about immigration reform, which is needed, but what’s scary is that the plan includes yet another plan for a national ID card. Didn’t we just go through this with Real ID, which was rejected by the states? Jim Harper, who follows this particular issue more than just about anyone, has an excellent breakdown of the proposal, questioning what good a national ID does, while also pointing to the potential harm of such a plan.

Then we have the big cybercrime bill put forth by.. Senators Rockefeller and Snowe (updated, since there are two separate cybersecurity bills, and its the Rockefeller/Snowe one that has people scared), that tries to deal with the “serious threat of cybercrime.” But, of course, it already has tech companies worried about the unintended consequences, especially when it requires complying with gov’t-issued security practices that likely won’t keep up with what’s actually needed:

“Despite all [the] best efforts, we do have concerns regarding whether government can rapidly recognize best practices without defaulting to a one-size-fits all approach,” they wrote.

“The NIST-based requirements framework in the bill, coupled with government procurement requirements, if not clarified, could have the unintended effect of hindering the development and use of cutting-edge technologies, products, and services, even for those that would protect our critical information infrastructure.”

They added the bill might impose a bureaucratic employee-certification program on companies or give the president the authority to mandate security practices.

This is one of those bills that sounds good for the headlines (cybercrime is bad, we need to stop it), but has the opposite effect in reality: setting up needless “standards” that actually prevent good security practices. It’s bills like both of these that remind us that technologically illiterate politicians making technology policy will do funky things, assuming that technology works with some sort of magic.