Noted anti-virus vendor Eugene Kaspersky has weighed extravagantly into the larger security problem, arguing that “anonymity causes security headaches and should be outlawed <http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity>” (http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity). So he wants an Internet Passport.
This is surely madness. The social repercussions are obvious, while it’s not at all clear what problem it might solve.
Most cybercrime is actually associated with an *excess* of arbitrary identification, with inadequate safeguards. For the average user, anonymity in reality has become a luxury. The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of.
Mainstream authentication is so difficult to use that most users choose the same password for all services. The Federated Identity and Single Sign On movements, typified by OpenID, amount to the same thing. Everything gets linked to everything else. This is hardly the “anonymity” that Kaspersky so dreads.
It’s also likely that, like many before him, he’s underestimated the legal complexity and cost associated with general purpose Internet identities. Who will issue and warrant an Internet passport, vouchsafing the bearer in all contexts? This is what’s stopped authentication brokers schemes to date. Some of my own analysis of these issues is presented in brief at http://lockstep.com.au/library/babysteps/babyste13-identity-silos and http://lockstep.com.au/library/babysteps/babystep-15-introducing-ident.
Of course, what would happen is that any real world Internet passport would come with risk-managed warranty limitations. It wouldn’t be good for all conceivable transactions, only ones that the issuer has been able to analyse and circumscribe. For other uses, the holder would need to supplement their passport with other credentials suited to teh context … and we’d be back where we started.
Advocates of Internet passports should re-visit how a conventional passport works, and reconsider their metaphor. A passport is not a universal key to cross all borders; many countries require you need to obtain a visa, to make sure you meet their security, cultural and political norms. That is, risk profile, appetite and management strategies vary from one country to another (just as they vary in e-business from one segment to another) and there really is no universal passport.
So I say to Kaspersky, an Internet passport is utopian, and proper anonymity would be a blessing! To solve cybercrime, we don’t need any new passport, rather we need to protect the plurality of identities we already have against online theft and abuse.
Posted on behalf of:
Stephen Wilson
Lockstep Group
http://www.lockstep.com.au
