Archive for category Privacy

NSTIC Identity Ecosystem Marketplace Roles and Concepts

This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Read the rest of this entry »

No Comments

NSTIC as a National ID

Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID

How NSTIC Might be Like a National ID

NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.

If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.

Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.

Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4th Amendment.

NSTIC is voluntary for the private sector and private citizens.

If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.

NSTIC credentials are not yet required to access government benefits.

Access to electronic government services may one day require an NSTIC credential.

NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.

NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.

Identity and Transaction Information is not stored in a single, centralized government database.

Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.

An NSTIC credential is designed for online transactions only.

With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

2 Comments

Why I Support Jeremy Grant, and Hope NIST Will Too

Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

No Comments

NSTIC’s Effect on Privacy

In May 2017, more than 230,000 computers around the world were taken hostage by the WannaCry malware worm. Known as ransomware, the unknown developers surreptitiously gained control of computers running the Microsoft Windows operating system, encrypted the users’ data, and demanded a payment of $300 in untraceable bitcoins to unlock the system and access information.

Cyber-attacks occur across borders and range from simple email “phishing” efforts to sophisticated software programs that quickly expand the attacks and hide the identity of the perpetrators. Motives of cyber criminals range from vanity (proving one’s technical expertise) to illegal profit. Some attacks are politically motivated while others are rarely publicized, state-sponsored sabotage. The attacks affect individuals, businesses, and governments.

According to a report by the Ponemon Institute, a successful hacker earns $14,711 for each attack and has 8.26 successful attacks per year. Sophisticated hacking tools are readily available on the Internet, especially the Dark Web. The criminals and the curious are stepping up their efforts to invade your privacy and steal your money. And the threats grow more diverse and sophisticated by the year. What actions can you take to harden the target and protect your assets? These are the best true wireless earbuds.

What actions can you take to harden the target and protect your assets?

Understand the Enemy
Malicious software can wreak havoc on your computer or operate covertly in the background. Malware (The Creeper Worm) was first detected on the ARPANET, the forerunner of the Internet, in the early 1970s. Since that time, spurred by the growth of personal computers and connected communication networks, many different types of malware have appeared, including:

Trojans: The most common malware is based on the Greek strategy to invade Troy: the Trojan Horse. In this case, users are tricked into allowing an outsider unlimited access to their computers by clicking on an unsafe Internet link, opening an email attachment, or completing a form. By themselves, Trojans are delivery vehicles, providing a “backdoor” into a computer or network. As a consequence, they open the door for malicious software to steal data, compromise operating systems, or spy on users. Trojans do not replicate themselves and spread to other devices like a virus or a worm.
Viruses: Just as a biological virus is transmitted to unsuspecting hosts, a computer virus replicates itself and infects new computers, then modifies operating programs to malfunction. Some have called viruses “diseases of machinery,” a term first coined in the 1972 futuristic film “Westworld.” One of the early viruses – Love Letter – delivered by an email with the subject line “I Love You” and an attachment “L0VE-LETTER-FOR-YOU.TXT” – attacked 55 million computers worldwide and caused an estimated $10 billion in damage, according to Wired magazine.
Worms: Unlike viruses, worms are software programs that travel from computer to computer on a network without any human action. A worm moves through the same network connections that computers use to communicate. For example, a worm could send a copy of itself to everyone listed in an email address book without knowledge of the sender and continue the cycle indefinitely with each new contact. The result can be an overloaded system, or worse, if combined with a virus – a blended threat. In 2008, one of the most notorious and widespread worms of all time, Conficker, appeared and created a worldwide botnet with millions of computers under its control. In 2009, Microsoft offered a $250,000 reward for the arrest and conviction of those who launched the worm on the Internet; the reward remains uncollected, and the purpose of the original authors is unknown. Nevertheless, versions of Conflicker continue to exist today and have appeared on connected MRI machines, CT scanners, dialysis pumps, and police body cameras.
Bots: Bots are automated processes that interact with other network services. These Internet robots are used to gather information and respond automatically to instant messaging, chat, and other web interfaces. Bots are used for beneficial or benign purposes, but can be exploited to self-propagate, connect throughout the network of connected devices, and remotely control attacks against vulnerable targets. Sometimes referred to as “zombies,” bots are more versatile than viruses or worms because they have the ability to log keystrokes, collect passwords, capture and analyze packets of information, gather financial information, launch DoS (Denial of Service) attacks, relay spam, and open backdoors on infected computers. They are more versatile, easily modified, and difficult to detect. Advertising Age reported in 2015 that Internet ad-fraud by bots mimicking human beings earned $18.5 billion annually.
Potential Attack Consequences
Potential Consequences of an Attack
The United States Congress is currently investigating several instances of alleged hacking by Russian agents that occurred during the 2016 presidential election. In the Philippines, a data breach by the hacker group Anonymous Philippines and the theft of encrypted and unencrypted biometric data affected 55 million voters. In 2017, newly elected French President Emmanuel Macron and his subordinates complained of cyber-attacks during the country’s presidential campaign.

In February 2016, hackers stole records for almost 30,000 employees of the FBI and Homeland Security. In 2015, a data breach reported by the Internal Revenue Service exposed tax information on more than 700,000 individuals. That same year, the Federal Government’s Office of Personnel Management announced the theft of personal information for more than 21 million federal employees and contractors.

Governments are not the only targets. According to the Heritage Foundation, cyber intruders hacked multiple company databases in 2016, including Hyatt Hotels Corporation, Alliance Health, Wendy’s Restaurants, Citibank, and Banner Health. The victims also included leading social network companies, such as Yahoo, Dropbox, Myspace, and LinkedIn. The consequences of hacking affect all web visitors in a variety of ways.

Potentially Unwanted Programs
Potentially Unwanted Programs (PUPs) include adware and programs that slow your computer down, track you, and clutter your screen with advertisements. According to How-To Geek, all of the free Windows and Mac software download sites bundle PuPs with their freeware. Once installed, the software loads advertising that obstructs content or interrupts web browsing with unwanted pop-up and pop-under windows. It can also hijack search engines and home pages, install toolbars, redirect Web pages, alter search results, and display false ads.

Distributed Denial of Service
In 2016, Distributed Denial of Service (DDoS) attacks affected some of the major technology companies on the Internet, limiting access to websites like Twitter, PayPal, and Spotify. According to Al Jazeera, that particular attack focused on the web traffic processor Dyn and used hundreds of thousands of connected devices, including webcams and digital video recorders that had previously been infected with malware. Even WikiLeaks founder Julian Assange’s Internet connection was affected.

The danger of DDoS attacks cannot be overstated since critical infrastructure – power systems, hospitals, air traffic systems, police and fire units, money transfer systems – could go offline and be unavailable to provide necessary services. An Incapsula survey estimates that the average DDoS attack costs its victim $40,000 per hour, with a median cost per incident of $500,000. Over 90% of the 270 U.S. companies that responded to the survey reported a DDoS attack over the last year, while two-thirds of the companies had been targeted two or more times.

Spyware
Spyware is software that is secretly loaded on an electronic device and can track keystrokes typed on a computer or phone keyboard, monitor data entered into digital forms, or record audio and video information covertly. Adware – while less intrusive than most malware – is another form of spyware and is used by advertisers and web hosts to target advertising content.

Software downloaded from the Internet often includes spyware. It can also be covertly downloaded while visiting certain Web pages, especially pornographic sites. The pages contain scripts that automatically trigger a spyware download that opens as soon as the page is accessed.

In a case involving the Lower Merion School District of Pennsylvania, 2,300 MacBooks issued by the District contained spyware that secretly snapped thousands of webcam pictures of students at home, in bed, and partially dressed. According to Wired magazine, the District agreed to pay $610,000 to two students and their attorneys. Another case involved pictures of Miss Teen USA that were taken using her webcam as she changed.

1 Comment

7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives

If you think that your tangle of Cat5 in the server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

If you think that the tangle of Cat5 in your server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup . Finally, we’ll discuss Your Network Drives.

Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.

Read the rest of this entry »

No Comments

7 Sources of Data Breaches You’ll Never Hear About: Your Old Windows 95 Computer

Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.

Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.

This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.

Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful memory probably means that you have backed-up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement. Before blindly making back-up copies of old hard drives, make sure that you first delete any information you don’t want to save.

Read the rest of this entry »

No Comments

7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange

This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.

Just about anything that can store information can be used to store sensitive personal information. Whether you use an external drive to back up sensitive data, or use a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.

Read the rest of this entry »

No Comments

7 Sources of Data Breaches You’ll Never Hear About: Your Browser

Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.

Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.

This post is the second in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices. The next source we’ll explore is Your Browser.

Laptops, desktop computers and smartphones all have built-in internet browsers. A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history. Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.

Read the rest of this entry »

No Comments

7 Sources of Data Breaches You’ll Never Hear About: Your Phone

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.

Read the rest of this entry »

1 Comment

A Message From Walgreens

A friend of mine recently received the following email from Walgreens:

December 10, 2010
Dear Valued Customer,

We recently became aware of unauthorized access to an email list of customers who receive special offers and newsletters from us. As a result, it is possible you may have received some spam email messages asking you to go to another site and enter personal data. We are sorry this has taken place and for any inconvenience to you.
Read the rest of this entry »

No Comments