Federalized security screening at airports has been such a success that President Obama wants to apply the same government “expertise” to the realm of online commerce and commentary. The White House cybersecurity adviser joined Commerce Secretary Gary Locke on Jan. 7 to announce what amounts to a national ID card for the Internet.
Their plan is straightforward. Instead of logging onto Facebook or one’s bank using separate passwords established with each individual company or website, the White House will take the lead in developing what it calls an “identity ecosystem” that will centralize personal information and credentials. This government-approved system would issue a smart card or similar device that would confirm an individual’s identity when making online credit-card purchases, accessing electronic health care records, posting “anonymous” blog entries or even logging onto one’s own home computer, according to administration documents.
Officials insist this would be a voluntary program and deliver significant benefits to the public. Mr. Locke explained last week that “robust identity solutions can substantially enhance the trustworthiness of online transactions. They can not only improve security, but, if done properly, can enhance privacy as well.”
Put another way, Mr. Locke is saying, “Trust us, we’re from the government, and we’re here to help.” Congress, the technology industry and the public need to run as far away as they can from this purported assistance. The government is no more capable of securing information than it is of protecting airports. Just look at the WikiLeaks case, in which a disaffected private was able to grab hundreds of thousands of classified documents from U.S. Army computers. Agencies ranging from the Los Alamos National Laboratory to the Department of Veterans Affairs have proved equally incapable of dealing with personal data.
The National Archives and Records Administration (NARA), for example, lost a hard drive crammed with material about the Clinton White House and its employees. The same agency sent a hard drive containing the Social Security numbers of about 75 million veterans to a private contractor for “recycling” without bothering to delete the personal information. To this day, the agency is unable to determine what happened to the device. “While each case of data breach, loss or undue risk of loss represents a unique stanza, the chorus of the song remains the same,” Paul Brachfeld, NARA’s inspector general, said in a 2009 congressional hearing. “Internal control weaknesses, lapses and exercises of questionable judgment tied to other incidents I have spoken of today regularly leave me and my staff frustrated and bewildered.”
There’s little reason to think Mr. Brachfeld’s frustration will ever be eased. Civil-service employees, who can’t be fired, have little reason to be careful with sensitive medical records, or even nuclear secrets. A careless attitude pervades federal agencies, rendering the government particularly unsuited to the task of directing an identity-assurance program. Like most ideas dreamed up around a multiagency boardroom table, this one will never accomplish its stated goal.
Centralizing access to personal information only makes it easier for the bad guys because it means they only need to steal one key to unlock a vast wealth of financial and personal information. It’s likely that the real motivation for this is to ensure the feds always have backdoor access into what people are doing in the online realm. Congress should take steps to ensure this Big Brother scheme is deleted.