Slashdot Mirror
U.S. Considers Microsoft Passport as National ID
An anonymous submitter writes: "Ladies and gents, the endtimes have begun. The Seattle Times is reporting that Mark Forman, associate director of information technology at the White House (or 'America's CIO', as he bills himself) has said the feds are considering the use of Microsoft's Passport technology to ID every citizen and every business seeking access to government services online. This is about as scary as it gets." To be fair, it looks very preliminary. Read the article. So many companies have tried to assist the government in providing services over the Net... but I guess if your lobbyists are good enough, you can be heard at the top.
So they're going to trust the information of every single citizen to a corporation that has a known criminal track record? That's intelligent. What next, find a crack dealer to handle international trade?
Yes, I realize the offenses are different... but this is still stupid. It federally mandates giving Microsoft business. Well, not really... if an alternate ID is available, they should accept that.
- Free tabletop fantasy gaming! Grey Lotus
Gotta agree. If the government has less access to my information, and finds it harder to interact with me becuase I refuse to get a Passport account, then what's the problem? I win both ways.
So how does this work now?
...
...
... click click ...
Does the passport == hotmail address? or msn email?
Does it become a legal address?
I can just see it now... one passport is assigned to each U.S. citizen, to provide a single email address through microsoft that not only will have possibly one's bills, and tax information, and any normal legal correspondance but also a single point of spam with very poor filtering options.
I'd love to see how they implement it... Hotmail?
"We're sorry your inbox is full (4,231 messages) Please upgrade to MS Premium E-Mail service"
... check check check
"1,242 messages filtered into 'Junk Mail' folder"
... click click
'Oh my, its still all spam!'
... click click click click
...
you get my point....
Is not life a hundred times too short for us to bore ourselves? -Friedrich Wilhelm Nietzsche
Let's get beyond the FUD here. Passport is being considered as a means to authenticate users of US government services online. Nothing more. This is a far cry from a "national ID," which implies that citizens are required to have it. When was the last time you used US government services online? If the government wants to select Microsoft as a vendor for a particular service, I may think it's a bad business decision, but I don't think I can claim my rights are being violated.
Robotiq.com is heavily tested on animals
Just wait until online voting happens and you can only vote if you register with their online services. And then taxes will only be paid online. Then passports will be requested online. Then you'll have to get your mandated federal ID online. Etc.
Sure, you're not worried now, but you always need to think about the next step.
--- witty signature
Or email them. Or fax them, but yes - do something!!!! Don't just sit around and post you gripes here and there --- contact your representatives!!!!
...we are from the government - we are here to help...
sPh
So I can't read the article - the Seattle site seems to be already slashdotted...
But what exactly is going on here? I already see people worrying and having heart palpitations. The story submission says "Microsoft Passport technology" not Microsoft Passport.
In priniciple this just means that Goverment is going to start tracking people as they access goverment online services... kinda like they already do using our Social Security numbers in meat-space - and/or cookies set by goverment servers in cyber-space. (I think it would be foolishly naive to imagine that people aren't already being tracked.)
This is just a logical extension of what is already going on.
Good questions to ask: "Can a user opt out?" "What about users from other countries and locales?" "What is going to be done with the info?".
Who was it who said "Privacy is dead already - all we have anymore is obscurity." (Or something like that.) Obviously this is the direction we've been heading for quite sometime. Now we see clearly - before we saw through a glass darkly...
In illa quae ultra sunt
While Microsoft is not the answer, the open-source community should seriously think of another solution to a national e-ID problem. It's easy to bitch about Microsoft if you don't have a better idea.
The community would be well served to either design and endorse an open-source passport system, or alternatively design another means of identification in our hyper-paranoid electronic universe. Once we have done that, then we can seriously fight to keep our internet passport free!
...suggest something truely undesirable and then fall back to what was desired by some in government in the first place but wouldn't have normally been accepted by the public -- a national ID
It is not a long step (in fact, it is a very very short step) from there to having employers say to you "Ready to start work? Sure - just step up to that HR kiosk, fire up Internet Explorer(tm), and use your Federal Passport(tm) to authenticate who you are.". What? No Microsoft Passport(tm)? Sorry - no paycheck for you. And so on for other "optional" services that allow you to do optional things such as eat.
sPh
So, what are they supposed to use, a really big passwd file? OpenLDAP? Novell NDS? A big Oracle database? Why should we even care what the technology is, as long as it works?
But, the idea that you'll need to register in order to read government documents, now THAT is interesting, and somewhat troubling. But I couldn't care less what technology they use.
Unfortunately, all the Microsoft-hating government pawns around here seem to have missed the real point of the article.
And very simply - the accounting firms that already do the taxes for large businesses get Passport accounts, and THEY deal with it, and not the business itself.
Additionally, again -- the government is considering it, not sure-fire definitly using it.
Man, moutains out of molehills.
http://quiz.ravenblack.net/blood.pl?3357354385
And you can (online) in my state and locality:
* pay local traffic tickets,
* renew driver's licenses,
* renew vehicle registrations,
* pay property taxes,
etc.
Once a federal online ID becomes pervasive, it'll be used for every state and local online transaction also, just like SSN's filtered down to the state and local levels. And personally, I don't want M$ having all that info.
"We're sorry, but the website you're trying to reach has been disconnected."
At least it won't with Microsoft's technology. I can't say that I like the idea. Perennially it could have some benefits, but the possibility of having your ID stolen, having the database stolen, etc and the privacy concerns will kill it. Also, if they did this with $M technology, I wouldn't allow my ID to be placed in it, and I wouldn't use it. The government isn't stupid enough to do this. Yes, the government is stupid, but not this stupid. To many politicians would get roasted, so it will not happen.
I take no responsibility for what I say. Even though I'm never wrong
Only after an educated voter base is established can these truly idiotic laws not get through.
What on EARTH makes you think you live in a direct democracy like that?
You don't.
You live in a democratic republic.
Want to know what that means?
You vote for the people WHO YOU WANT TO MAKE DECISIONS FOR YOU. Then *THEY* make decisions FOR YOU.
At this point, other than prodding them and saying "Hey Over Here!", the voting public have ZERO control over the system, until the next election.
Simon
Coming soon - pyrogyra
, and whether or not the idea is good to begin with aside, but this is something that the Government should make on their own. If this ever happens, they need to hire programmers and have their own development group for this. This type of information should never be outsourced, especially to a controlling interest in our government's financials. Heck, I would feel uncomfortable if Linus was asked to take part in it (-:
OK, let's assume that we do want access to government services online. Taxation, benefits, voting even. I want that. That's going to require fairly robust identity validation. Note: fairly. Right now, it's absolutely trivial to scam the benefits system, or to steal someone else's vote if you really care enough to do it. An online solution only needs to be as good as the ones we've already got, which (let's face it) aren't that great.
Further, while I'm as cynical as the next guy (if the next guy is a bitter, twisted conspiracy freak), I really doubt if any company is going to be able to buy this contract without providing a genuine solution, and most importantly, a credible promise of long term support. Not the best solution, or the cheapest solution, but a reliable solution.
So, who does that leave? Oracle, most likely. Microsoft are actually the wild card outsiders. IBM, maybe. Sun at a stretch.
Can you think of anyone else? Note that we're not talking about a development house, we're talking about a solution provider with a track record (even if it's a criminal track record) and thousands of techies available to patch and nurse the system for years ahead.
If we want the online services (and I do), we're going to have to accept that it will be a big Dark Side company that's running them.
So I suggest that in this case you don't go off at half cock writing to your elected representatives (I use both words loosely) demanding that Microsoft not be given this contract. At least not unless you can suggest a credible alternative. Perhaps the most productive thing you can do is to try and sell her on championing legislation to ensure transparency and openness in the running of the system, and most importantly, ensure that it's universally accessible, that the information is actually held in confidence, and that it's not mandatory.
I'm tempted to suggest that it follow the pattern of recent bill and be called the "Enduring Patriotic Freedom of Just Federal Freenessness Bill", that would be reverting to cynical type. So I won't. ;-)
If you were blocking sigs, you wouldn't have to read this.
the Republicans & the Democrats....
Jaysyn
There is a war going on for your mind.
That's right. After all, businesses don't do this now.
Oh hold it... what's that "please bring your social security card and a picture id or your passport" bit that I go through everytime I change jobs?
Yes, this is all very preliminary. But I don't think it's an absurd concept to think that should the government move this way that a MS Passport would become the defacto electronic registration method for, well, everything. Legally, nobody is supposed to ask for your Social Security Number except the Social Security Administration and the IRS. Realistically it has become a form of national ID, particularly in the credit and financial sector. I know. I worked with credit data for four years.
Given that, ensuring that it does not happen is entirely reasonable.
Problem is, once an entity reaches a certain size, it is required to deal with the federal gov't electronically.
Yes they are, and they currently have ways of being authenticated. This would just be changing the method in which the government determines those companies are who they say they are.
It is not a long step (in fact, it is a very very short step) from there to having employers say to you "Ready to start work? Sure - just step up to that HR kiosk, fire up Internet Explorer(tm), and use your Federal Passport(tm) to authenticate who you are.".
Actually this is a very huge step. Why would your employer want to use passport to authenticate who you are? Passport just requires a password. The current method of a Social Security number and a valid drivers license works much better.
The government is trying to make more information available to it's citizens over the web. They have a responsibility to make sure they aren't giving that information out to the wrong people. Therefore they need a system to authenticate users of the system. This is not the same as requiring one ID for all online transactions, that can be used to track everything you do. You can have multiple MS passports. I have two myself. One I need to access some stuff for work, and it is based on my work email. I use it for nothing but work. My other passport is for Asheron's call. I use that passport only for Asheron's call.
There is a lot of information that the govenment keeps that we as citizens should have easy access to. Much of that information should only go to the person it's about, such as tax or social security info. They need some way to authenticate users. In my opinion, the current form of MS Passport isn't a good solution. THe servers go down, and there are too many serious security flaws. Microsoft claims that they are addressing these problems, and expect to have a rewritten version available next year. I'll believe that when I see it.
Authentication is a real issue that the government many, many other online entities face. There are many good reasons not to like passport, but writing your congressmen that passport is the evil spawn of Microsoft isn't going to be that convincing. It still leaves the govenment with the same problem. The govenment is is going to solve the authentication problem, if you don't like MS Passport, suggest a better solution.
Remember that people got really upset about Social Security numbers. They claimed they were the mark of the beast. We still ended up with SS#s. If you don't like the proposed solution, lobby for a different solution.
Do you oppose a national ID (which really isn't what this is)?
Do you oppose the govenment making private information, such as tax info available to people through the internet?
Do you oppose the use of a outside (non-government) authentication system?
Do you oppose an authentication system which doesn't have a proven track record of good security and prompt effective responses to security issues?
Do you oppose Microsoft being the provider of the system.
Or all of the above?
Try not to be overly vague in what you write to your Congressmen. They often have little grasp of technical issues, and likley get vague complaints about just about everything the government does. You don't want to confuse them with too much detail, but you need to tell them what you don't like, and why. Alternate solutions might even be helpful.
The real problem isn't that Microsoft is the one that is being discussed that bothers me. If it works, great. What bothers me, however, and I believe this goes for many people out there, is the fact that Passport, which Hotmail uses, is so often hacked, and easily broken into. So far, whenever I hear about a new security loophole in Hotmail, it usually took someone under an hour of looking (usually not very hard either) to locate and exploit.
If the public at large, can create a new way, either from scratch, or based off of another existing technology, Passport for example, or else the Liberty Alliance's idea, (Sun, AOL, etc....) then we've got one. Whatever it is, it should be in the public domain, or owned by the government, NOT licensed from any company. If I remember correctly, the Liberty Alliance's technology will be open to anyone, at use without any cost, besides signing up with the system. To use Passport, you have to be a Microsoft Affiliate, and/or pay royalties to use it.
Overall, I think a group should be set up, maybe by W3C (http://www.org), or at least tied in through them, so that no one company profits from this, and ties the government into such a system.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
A paper by Kormann and Rubin at Bell Labs discusses most of these attack scenarios. K&R are not anti-Microsoft - they are researchers that raise valid technical concerns. There is also a (weak) rebuttal by Microsoft, which misses many of the points of the Kormann Rubin paper.
Also, what happened to the ACES project, where they were going to issue digital certificates to citizens for precisely this purpose?
Despite your feelings about Microsoft, their Passport product is a bad implementation. It is cookie-based, and is trying to use cookies for a purpose they were never intended to fulfill.
Please examine these references, and include mention of them in your letters to congressfolk:
Kormann and Rubin paper: http://avirubin.com/passport.html= 1033
Microsoft Rebuttal: http://www.passport.com/Press/RubinKormann.asp?lc
ACES: http://www.digsigtrust.com/federal/aces.html
Please be informed. This is really bad on a lot of levels.
vlak bij AH noord, maar dat is niet het huis dat te koop staat. Huis te koop is aan de Buitenwatersloot
---