President Obama Welcomes the Cyber State

Today US President Obama announced plans for a "cyberspace strategy" that includes everything from possible offensive cyberwar strategies to education. It also contains a little-discussed "identity management" plan that makes me wonder if Facebook profiles are about to become the new Social Security cards.

The big news right now is who will be running Obama's broad new cyberspace programs - in particular, who will manage the cybersecurity and cyberwarfare aspects. Right now, it appears that there will be a "cyberczar" (as yet unchosen) who will report to the National Security Council and National Economic Council (the latter because part of this role will involve bank security). The Pentagon may also be setting up its own cybersecurity division.

These are the immediate issues, but when I read through Obama's Cyberspace Policy Review (released today with his announcements), I found an odd nugget of information buried at the bottom of his "near-term action plan":

Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

It sounds innocuous, but in fact it has profound implications that touch on security issues that have been giving the government (and industry) headaches for years.

Here is what a "cyber-security identity management vision" really is: A plan for how the government will establish and track your identity online. One of the biggest problems for law enforcement and business has been the way people can take on many identities online, which are very difficult to verify. This has allowed people to become prolific spammers (because you can send mail under any name you like), as well as fraudsters on sites like eBay. All of this is a result of the way web services "manage" identities - you can pick any name you like when you sign up for email or Paypal or whatever.

The government and its various federal agencies have been trying for years to figure out how to deal with this. Several years ago, I participated in a meeting at the Federal Trade Commission to discuss the possibility of creating an email system called "sender authentication" (to be implemented nationally) where you would have to verify your identity in a fairly rigorous way before being allowed to send email. No more fifty mailing addresses. The idea was to discourage spam and phishing, which is an understandable goal. But I and many others argued that this system would also crush free speech. No longer could you send an anonymous email, or participate in a mailing list under a pseudonym to protect your privacy.

I think Obama's "identity management vision" falls squarely into this history of debate over how to prevent crime by rolling back the proliferation of identities online. Yes, the "strategy" as described rather vaguely in Obama's "near-term action plan" involves a lot of hand-waving about privacy and civil liberties. But the fact is that if the government is coming up with an identity management plan, that means the government is trying in some sense to manage your identity or identities online - essentially to trace back your hottie77@gmail address to a real name, just in case hottie77 starts doing something illegal. Or allegedly illegal.

And here's where my not-so-wild speculation about Facebook identities comes in. Many companies have turned to Facebook as an "identity management" system (including Gawker Media), allowing people to log into their services using their Facebook identity. The reason is simple: Most people only have one Facebook identity, and they stick with it. There's a general notion that your Facebook identity is your authentic identity, or at least an identity that you keep over time, and that its characteristics can be traced back to who you are in real life. Therefore, having you log into every web service, from io9 comments to Digg to (possibly in the future) Paypal, is a way of managing your identities. Instead of having a separate identity for each of those services, you have one. Easy to manage, easy to trace.

Why shouldn't Obama's cyberczar just cut a deal with Facebook (and maybe a few other social networks like LinkedIn) and turn those profiles into your authentic identities? So you can send mail and buy things using your Facebook ID, and that's how you'll be tracked. Hey, you're already on Facebook right? And you can set your profile to "private." So it's easy and "privacy enhancing." (Never mind how easy it is to get around those privacy settings - pay no attention to that black hat behind the curtain.)

The scenario I'm describing is, in essence, how the Social Security Card became the twentieth century's identity management system starting in the 1930s. These cards were not originally intended as ID cards, or as a way to authenticate your true identity. They were just a way to manage government assistance to those who needed it. But they became an ID card simply because everyone in the US had been issued one. When the government and businesses needed a way to track people's identities, it became the easy choice. Showing your social security card meant that you couldn't just come up with random new names for yourself every time you signed a form or took a job.

Though people in the US now think of the Social Security Card as the "obvious" form of ID, it took years for it to evolve from a simple social assistance card to an "identity management vision."

You heard it here first: The next evolution of identity management in the US will grow out of Facebook. So watch what you are putting in your profile. You may be using it to open bank accounts in years to come.