[LINK] ArsT: ' ... US rolls out Internet identity plan'

Steven Clark steven.clark at internode.on.net
Sat Apr 16 13:28:21 AEST 2011


On 16/04/11 11:32, Brendan wrote:
> On 04/16/2011 11:20 AM, Roger Clarke wrote:
>> [The US has given up on a national eGovernment id for citizens, but 
>> hopes that NIST can broker a federated id scheme run by the private 
>> sector.
the assumption, of course, being that the only real problem with a
government-sponsored identity system is that it's government-sponsored. if we
outsource it, that'll be much better.

> The basic assumption behind all of these schemes is that a number (password/ PKI) is an adequate substitute for a person ("Hey Bob, do you know this guy?") when verifying someone's authenticity.  The reason this assumption is made is because computers can process numbers far faster than they can process people. The trade off is a higher rate of false positives against a much greater throughput.  Broken passwords and leaked identities are a design feature of all of these systems. 

while organisations are allowed to avoid the real costs of IDMS
failures/flaws, they have zero incentive to prioritise people over
'productivity'.

as soon as a data leak equals full cost of 'clean up', we'll see a
sudden interest in end user security and privacy.

right now, since the costs of failures are borne by the other party,
there is zero incentive to be properly secure: indeed, there is positive
incentive to security theatre. after all, in business, if you're not
wearing the liability, it's not your problem.

the costs, and thus the risks, of security lapses, have been outsourced
to us, the 'users' (aka 'the market', in typical commercial misnomer
jargon). when breaches are reported, the organisation whinges about the
unfortunate taint to their shiny reputations ... nothing is said about
the impact on the reputations of the 'clients'.

last stats i recall put the average time to recover from a significant
abuse of identification details (aka 'identity theft' and the like) at
around 3-5 years.

if my memory serves, even in places with disclosure laws, there is
little in the way of compensation, let alone an active requirement to *do*
anything to repair the damage done to people's lives. i think i've seen
figures for compensation in the tens of thousands of dollars per person:
not significant amounts when spread over several years. all the worse
when you cannot predict if, when, or how your identifying details might
be used by third parties (nor how many, or from where).

in short, since convenience is king, and we are 'prepared' to give up
*everything else* for convenience (so we keep being told by marketing
people o.o), *our* security is not a consideration. at least, not beyond
the marketing phase of the enterprise.

for sure, there is a lot of money spent on toys and aggravating
processes and paperwork. but security is not a thing, or a place, or an
action. but the incentives to misuse the term are far greater than those
which might drive actually secure behaviours.

the enthusiasm for 'new' business models, and the invention of new words
for things we've been doing for years, far exceeds the enthusiasm for
boring old thinking, or dull analysis. "we can't get in the way of
progress! i mean, look what it's done for us!" sure. and look what
unbridled enthusiasm for offloading risk onto
ignorant/uninformed/misinformed/lied-to third parties has done ... "oh,
you mean the GFC? the sub-prime hiccup? well, you know kids. always
looking for a new way to play with their toys ..."

i'm no luddite. but i'm also no fan of handing the keys to the kingdom
to people who can hide behind curtains, blame others for their mistakes,
and avoid the consequences as well - and then do it all again because
*we* fail to learn from this cycle of the stoopid.
-- 
Steven 