Does Obama Want to Replace Your Facebook Profile with Your Social Security Card?

You heard it here first: The next evolution of identity management in the U.S. will grow out of Facebook. So watch what you put in your profile.

Today U.S. President Obama announced plans for a "cyberspace strategy" that includes everything from possible offensive cyberwar strategies to education. It also contains a little-discussed "identity management" plan that makes me wonder if Facebook profiles are about to become the new Social Security cards.

The big news right now is who will be running Obama's broad new cyberspace programs -- in particular, who will manage the cybersecurity and cyberwarfare aspects. Right now, it appears that there will be a "cyberczar" (as yet unchosen) who will report to the National Security Council and National Economic Council (the latter because part of this role will involve bank security). The Pentagon may also be setting up its own cybersecurity division.

These are the immediate issues, but when I read through Obama's Cyberspace Policy Review (released today with his announcements), I found an odd nugget of information buried at the bottom of his "near-term action plan":

Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

It sounds innocuous, but in fact it has profound implications that touch on security issues that have been giving the government (and industry) headaches for years.

Here is what a "cyber-security identity management vision" really is: A plan for how the government will establish and track your identity online. One of the biggest problems for law enforcement and business has been the way people can take on many identities online, which are very difficult to verify. This has allowed people to become prolific spammers (because you can send mail under any name you like), as well as fraudsters on sites like eBay. All of this is a result of the way web services "manage" identities -- you can pick any name you like when you sign up for email or PayPal or whatever.

The government and its various federal agencies have been trying for years to figure out how to deal with this. Several years ago, I participated in a meeting at the Federal Trade Commission to discuss the possibility of creating an email system called "sender authentication" (to be implemented nationally) where you would have to verify your identity in a fairly rigorous way before being allowed to send email. No more fifty mailing addresses. The idea was to discourage spam and phishing, which is an understandable goal. But I and many others argued that this system would also crush free speech. No longer could you send an anonymous email, or participate in a mailing list under a pseudonym to protect your privacy.

I think Obama's "identity management vision" falls squarely into this history of debate over how to prevent crime by rolling back the proliferation of identities online. Yes, the "strategy" as described rather vaguely in Obama's "near-term action plan" involves a lot of hand-waving about privacy and civil liberties. But the fact is that if the government is coming up with an identity management plan, that means the government is trying in some sense to manage your identity or identities online -- essentially to trace back your hottie77@gmail address to a real name, just in case hottie77 starts doing something illegal. Or allegedly illegal.

And here's where my not-so-wild speculation about Facebook identities comes in. Many companies have turned to Facebook as an "identity management" system (including Gawker Media), allowing people to log into their services using their Facebook identity. The reason is simple: Most people only have one Facebook identity, and they stick with it. There's a general notion that your Facebook identity is your authentic identity, or at least an identity that you keep over time, and that its characteristics can be traced back to who you are in real life. Therefore, having you log into every web service, from io9 comments to Digg to (possibly in the future) PayPal, is a way of managing your identities. Instead of having a separate identity for each of those services, you have one. Easy to manage, easy to trace.