IINTERPOL International Internet Crime Police Organization
Analysis of President Barack Obama's National Strategy for Trusted Identities in Cyberspace
Presented by Denis G. Kelly, Chairman Identity Ambassador Commission
On April 15, 2011, President Obama released the National Strategy for Trusted Identities in Cyberspace (NSTIC), and we took one giant leap closer to an international internet crime police organization: IINTERPOL, which will enforce our international identity system.
There are well-founded reasons for my concern. Let's consider the history of the Social Security Administration (SSA) and the Social Security Number (SSN).
In June, 2010, President Obama released the draft of NSTIC, and I have been closely monitoring and analyzing the concepts and recommendations because we are on the brink of embarking on a dangerous initiative that will be difficult if not impossible to reverse. While the intentions of NSTIC are seemingly altruistic, you will soon learn the outcome is frightening. With the release of NSTIC, the Identity Doomsday Clock just lunged towards midnight. It is important to note that all my opinions and analysis of identity theft concepts, legislation and policy are apolitical. I am extremely sensitive to the hyper-political environment, and this issue must remain apolitical if we want to get the runaway train of identity theft under control.
According to a news release by President Barack Obama, “The Internet has transformed how we communicate and do business, opening up markets and connecting our society as never before. But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year. By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and will foster growth and untold innovation.” I wholeheartedly agree with the President's statement. However, I question if the government should be spearheading the effort to make online transactions more trustworthy.
“On August 14, 1935, President Franklin D. Roosevelt signed into law the Social Security Act, and a great compact with society began. Unknowingly, the foundation had been laid for one of the greatest challenges of the next century: identity theft.”1
Over the course of the next 60 years, the government enacted laws and policies that “if you wanted to work, drive, hold a bank account, file taxes, purchase a home, go to school or be a member of the military, it required a SSN and/or unique identifier. As the government increased its use of and dependence upon SSNs as a unique identifier, private institutions were forced either to directly or indirectly follow suit. Ironically, the government continuously rejected the idea of a national identifier and understood that SSNs were not designed for such a function and yet continued to pass laws that forced SSNs to be a national identifier.”2
1. Denis G. Kelly, The Official Identity Theft Prevention Handbook (New York, Sterling & Ross, 2011) 1.
2. Kelly, 9.
There were many other policy decisions and laws which further solidified the SSN as a national identifier. Oddly missing were policies and laws to safeguard the system. In fact, some policies even promote the insecurity of the system such as the policy “which allows previous versions of the card to be utilized! In fact, there are over 50 valid versions of the card, many with little or no counterfeiting protection.”5 In other words, with a little knowledge and a typewriter (if you can find one), you can easily counterfeit a valid Social Security card. Whether you admit it or not, the SSN is the foundation of a national identification system. This was even reinforced in 2004 by the acting Inspector General of the Social Security Administration, Patrick P. O'Carroll, who said in his testimony to Congress, “I would like to begin my testimony today with a simple declaration: The SSN is a national identifier.”3 The government forced the SSN as a national identifying scheme onto society all the while making statements and assurances that it would not be used for such purposes. A perfect example of this contradictory path occurred in 1977 when “the Carter administration proposed that the Social Security Card be one of the authorized documents by which an employer could be assured that a job applicant could work in this country and also stated that the SSN card should not become a national identity document.”4
Society is now trying to untangle this complicated web that was spun by the non-secure national identifying scheme that the government carelessly and gradually forced on us. Identity theft is increasing at a feverish rate due to this woefully inadequate system, and instead of fixing this mess, the government has decided to lay the seeds for a future, similar and much larger mess. The similarities are eerie, and this is evident at the beginning of the NSTIC with the President's introduction, “Giving consumer choices for solving these kinds of problems is at the heart of this new strategy. And it is one that relies not on government, but on the private sector to design the techniques and tools that will help make our identities more secure in cyberspace and to make those available to consumers who want them.”
It is difficult to even contemplate such a contradictory thought: how are you going to force every private and public organization to use the Social Security card (this really means the SSN) for employment hiring purposes without making this a national identity document? You don't. By the way, this is now permanently part of our system with the Form I-9, Employment Eligibility Verification.
3. Patrick P. O'Carroll, acting Inspector General of the Social Security Administration, Testimony to the House Ways and Means Committee’s Subcommittee on Social Security, June 15, 2004.
4. Kelly, 9.
5. Kelly, 16.
“The government originally stated that a Social Security number (SSN) would not be a means for identification and made assurances that the use would be limited to Social Security programs such as calculating retirement benefits.”6
Consider the following:7
1943 Executive Order 9397 stated that all federal components must use SSNs exclusively whenever it is advisable to set up a new identification system for individuals.
1962 The IRS adopted SSNs as its official taxpayer identification number.
1969 The Department of Defense adopted SSNs in lieu of military service numbers.
1970 The Bank Records and Foreign Transaction Act (PL 91-508) required all banks, savings and loan associations, credit unions and securities brokers/dealers to obtain on all of their customers.
1976 The Tax Reform Act of 1976 (PL 94-455) amended the Social Security Act to allow states the use of SSNs for administration of any tax, general public assistance, driver's license or motor vehicle.
1986 The Higher Education Amendments of 1986 (PL 99-498) required that student loan applicants submit their SSN as a condition of eligibility.
These are only a few examples which forced society into using SSNs as a unique, national identifier. These are policies and laws that run completely contradictory to the government's assurance “that a Social Security number (SSN) would not be a means for identification.”
6. Kelly, 6.
7. Kelly, 7-9.
If this new strategy does not “rely on government,” then why did the government produce the NSTIC? This is similar to Carter's reasoning that Social Security cards should be used for employment but should not be considered national identity documents. These types of statements are surprising because the contradiction is painfully obvious, and the real-world implications of this faulty reasoning are devastating. Additionally, does this system really only provide “tools (available) to consumers who want them”?
The government has not even been able to secure the SSNs or provide successful identification verification systems within its own ranks. Consider the following: In 2009, the IRS sent out 201 million notices to taxpayers most of which included SSNs which also appear in more than 500 computer systems and 6,000 internal and external forms. This is according to a report from the Treasury Department Inspector General for Tax Administration. The IG stated that the IRS has only redacted or truncated SSNs from a small number of systems, notices and forms. However, on May 22, 2007, the Office of Management and Budget (OMB) issued a memo requiring agencies to create a plan to eliminate unnecessary collection and use of SSNs within 18 months. The SSN is your identification with the IRS; so, how can you reduce the use of SSNs without entirely changing the system? There has been a tidal wave of tax fraud/identity theft recently, and it is evident why this problem persists. According to a Government Accountability Office report, E-Verify was not used by 19 percent of the SSA's new hires in FY 2008 through March 31, 2009, even though the OMB mandated that all federal agencies and departments begin verifying their new hires through E-Verify by October 1, 2007. The SSA was not using its own system to determine employment eligibility!
The DOD still displays SSNs on identification cards (walking billboards of identity theft). According to Air Force Maj. Monica, SSNs on military identification cards will begin to disappear June 1, 2011. This is only beginning June 1, 2011? Based on the lack of adherence to other similar policies, it is likely this will not occur in accordance with the timeline. There are many more examples that demonstrate the government's inability to develop adequate identity policies and effective enforcement, but the point is clear: current systems are inadequate and unacceptable. Is this the group you want to spearhead an international identification system? NSTIC states, “The role of the Federal Government is to support and enable the private sector; lead by example in utilizing and offering these services; enhance the protection of individuals; and ensure the guiding principles of privacy, security, interoperability, and ease of use are implemented and maintained in the Identity Ecosystem.”8 The next paragraph continues to explain the “Implementation Roadmap,” but a more appropriate title is the “International Identification Program Roadmap.” It may be gradual and unintended, but it will happen. If the Federal Government is going to lead by example by “utilizing and offering these services,” then this will force the private sector to adopt these services just the same as the private sector was forced into using the SSN as a unique identifier. NSTIC even states “the Strategy does not advocate for establishment of a identification or system.”9 This statement is similar to the original stance of the Federal Government regarding Social Security cards not being used for identification. In fact, the Social Security cards themselves had the following statement printed on the front of the card:
“FOR SOCIAL SECURITY PURPOSES ~ NOT FOR IDENTIFICATION.”
Another similarity is that participation in the Social Security program was originally voluntary. According to the Social Security Administration, “In the early years of the program, however, only about half the jobs in the economy were covered by Social Security. Thus one could work in non-covered employment and not have to pay FICA taxes... In that indirect sense, participation was voluntary.”10 All doubt that NSTIC is not going to morph into an international identification system is removed in the following statement: “A public-private steering group will ensure that accreditation authorities maintain the minimum requirements of the Identity Ecosystem Framework when they issue trustmarks.”11 Do you think the Federal Government is going to relinquish control of the Identity Ecosystem to a private company? This would be the equivalent of a State Government handing over the keys to a private company for the issuance of driver's licenses. And who would be an appropriate private company anyway? The credit bureaus? These are the same organizations that are complicit in the proliferation of identity theft with their laissez-faire policies such as accepting identity validation when only seven of the nine SSNs are a match!12
8. The White House, National Strategy for Trusted Identities in Cyberspace, Enhancing Online Choice, Efficiency, Security and Privacy, April 15, 2011, 4.
9. The White House, 8.
10. http://www.ssa.gov/history/InternetMyths.html
11. The White House, 25.
12. Leonard A. Bennett, Written Testimony Before The HOUSE COMMITTEE ON FINANCIAL SERVICES regarding “Fair Credit Reporting Act: How it Functions for Consumers and the Economy,” June 19, 2007.
The following is an illustration of the Identity Ecosystem in NSTIC:13
[Figure: Identity Ecosystem. Labels: Relying Parties; Identity Providers; Attribute Providers; Accreditation Authorities; Trust Framework; Other Trust Framework; Identity Ecosystem Framework; Roles/Responsibility; Risk Models; Accountability Mechanisms.]
Even with this simplified illustration, it is evident this system is complicated. Unlike nature, there is no natural order, and the Identity Ecosystem requires governance. The world should not and will not accept the United States as the developer and enforcer of an international identification system. The government developed a national identity system from scratch that it had complete control over, and it has miserably failed us. The government does not have the same control over the Internet, and it is international thus rendering it much more complicated and difficult to govern. As we have learned from the SSN identity debacle of the last 75 years, whether it is admitted or intended, if the U.S. pushes this agenda for identities on the Internet, then this will become an international identifying system. NSTIC is a giant leap towards an International Internet Crime Police Organization: IINTERPOL.
13. The White House, 26.
[Figure labels, continued: Policies; Processes; Standards.]
About the Author
Denis G. Kelly is America's foremost identity theft prevention expert. Mr. Kelly is the author of The Official Identity Theft Prevention Handbook, Chairman of the Identity Ambassador Commission (IdentityAmbassador.org), an identity theft education and training organization, CEO of ID Cuffs Incorporated (IDCuffs.com), an identity theft prevention company, and Editor-in-Chief of TheIDChannel.com, a centralized resource of the latest identity theft news and information. He's a featured speaker at industry events and resides in Miami Beach, FL.
1715 114th Ave SE Suite 120 Bellevue, WA 98004
IINTERPOL International Internet Crime Police Organization
www.iinterpol.com