Wednesday, March 2, 2011

10 - Are National ID Cards Going to Snuggle Up With Open ID?

Friday, May 21, 2010
15 - Are National ID Cards Going to Snuggle Up With Open ID?
20th Feb 2008
Are National ID Cards Going to Snuggle Up With Open ID?
20 Feb 2008 ... activity tracking schemes - what could be the consequences of using them. ... Does it matter that this could take away my free will? .... Where you see concerns around privacy and participation of non-citizens (which is a ... in an anonymous way to verify identity - this is what makes it unique. ...

The REAL ID Act of 2005 is said by some to pave the way for a United States National ID Card and has come under heavy criticism from a wide range of people in the US. Some recent developments indicate that a National ID card could be tied to the federated authentication standard called OpenID.
At the most basic level, this would mean that you could sign in with your National ID card to all the websites where today you can login with a Yahoo! or AIM or other OpenID. Hmmm...

The government of Estonia has already implemented a National ID system there that serves as an OpenID and now OpenID vendor TrustBearer is explicitly targeting the "national and government ID card" market. Were National ID cards and OpenID to become closely associated, there could be some very adverse consequences in terms of basic liberties - or it could end up just being very bad PR for OpenID. Below are some thoughts from a few players in the OpenID community.

The Possibilities
I asked Scott Kveton, Chair of the OpenID Foundation, what he thought of the two systems working together. "To tie an OpenID to a national id card," he said, "would allow you to prove a person was a person. If you could assert [online] things like 'yes, I am a US citizen' or 'i am over 18' - that would be insane for all kinds of different on-line services." Insane is right, Scott, that would be insanely awful. It is true that "single sign on" is just the very beginning of what Open ID makes possible, but tying it to instruments of citizenship does not bode well for privacy of citizens or the participation of non-citizens.

In addition to chairing the foundation, Kveton now works at OpenID provider Vidoop, a company made up largely of engineers with military backgrounds.

The Pitfalls
Paul Trevithick, Technology Lead at The Higgins Project, is not excited about the idea. He explains that you should only disclose as much identity as is needed for a given transaction. The IRS, a dating site and other contexts like banking or blogging each deserve a different, "non-coralatable ID". REAL ID is fully coralatable, Trevithick says. It should be noted that The Higgins Project is in the business of managing multiple IDs, so one single ID wouldn't serve their interests.

Identity consultant Kaliya Hamlin emphasized in response to the discussion that "there needs to be a broader conversation, that's why we need organizations like Identity Commons that can support technical and social conversations." Hamlin argued that Estonians are in a different cultural context because Europeans trust their governments much more than people in the US do.

None the less, Kveton argues that "there will be National ID some day and if we're going to tie it to something, it should be to something that is managed by the commons (like OpenID)."

Sounds like a bad idea to me. I think the benefit of Federated Identity, available through a wide variety of vendors, is that it defeats exactly the kinds of centralization and risk that National ID represents. I think the OpenID community should move away from National ID as quickly as possible.

What do you think?