New White House E-Commerce Security Report Trusts Technology Way Too Much

The White House has issued its "final strategy document" on a national security approach that would sharply impact E-Commerce. Although the report is a vast improvement over the initial report released last summer, it still rests on the belief that concentrating a person's most sensitive capabilities behind a single token, one which may or may not be adequately secured, is a safe move. It also comes close to encouraging consumers to trust these tokens, perhaps to a very dangerous extent.

Some examples from the report: "Mary is tired of remembering dozens of usernames and passwords, so she obtains a digital credential from her Internet service provider that is stored on a smartcard. Now that she has the smartcard, she is also willing to conduct more sensitive transactions, like managing her healthcare, online. One morning, she inserts the smartcard into her computer and uses the credential on it to run some errands, including logging in to her bank and obtaining digital cash, buying a sweater at a new online retailer—without having to open an account—signing documents to refinance her mortgage, reading the note her doctor left in her personal health record—in response to the blood sugar statistics she had uploaded the day before—sending an E-mail to confirm dinner with a friend and checking her day's schedule on her employer's intranet portal."

So anyone who steals (or clones) her smartcard can now do all of those things while pretending to be her? Yeah, that's a huge improvement. Not for Mary but for any cyberthief. Note that the scenario says nothing about what protects the card itself, such as a PIN or a second factor; as written, possession of the card is the whole story. (A colleague suggested that it would be ideal for "a future Albert Gonzalez." Why future? By the time this gets deployed, Gonzalez will be out on parole and in need of some spending money.)

Here's one for the parents in the audience. Again, quoting verbatim from the White House report: "Antonio, age 13, wants to enter an online chat room that is specifically for adolescents, between the ages of 12 and 17. His parents give him permission to get a digital credential from his school. His school also acts as an attribute provider: It validates that he is between the ages of 12 and 17 without actually revealing his name, birth date or any other information about him. The credential employs privacy-enhancing technology to validate Antonio's age without informing the school that he is using the credential. Antonio can speak anonymously but with confidence that the other participants are between the ages of 12 and 17."

Let's take this one slowly. First, let's assume that this approach actually works. Antonio can speak "with confidence" that the other participants are close to his age. What exactly does that mean? That he should feel comfortable putting identifying details in his posts? That if someone suggests a meeting, it's a good idea? The idea of a well-established digital credential is a fine one, but it should never be used to encourage people (especially children) to lower their guard online.

Why? Because couldn't a 17-year-old be a child molester or murderer? And because this credential merely means that someone in that age range was issued it; it says nothing about who is at the keyboard. What if the murderer is doing the actual typing, with the 17-year-old as an unwilling accomplice?

Most critically, the school is issuing this credential. So any employee of any of the countless private, public and parochial schools in the U.S. can grant it? Or, for that matter, anyone who breaks into the systems of any of those schools? Once that happens, the credentials mean nothing, and the chat room has no way to tell an assertion minted with a stolen school key from a legitimate one, because the only thing it checks is that the school's key signed it.

One of the government's arguments is that today's identification devices reveal far too much information. That is a legitimate argument. From the report: "Consider a driver's license. An individual can use a driver's license to open a bank account, board an airplane or view an age-restricted movie at the cinema, but the Department of Motor Vehicles does not know every place that accepts driver's licenses as identification. It is also difficult for the bank, the airport and the movie theater to collaborate and link the transactions together. At the same time, there are aspects of these offline transactions that are not privacy-protective. The movie theater attendant who checks an individual's driver's license needs to know only that the individual is over age 17, but looking at the driver's license reveals extraneous information, such as the individual's address and full date of birth."

Are digital certificates the best way to deal with that shortcoming? It's not at all clear that they are. They fix the over-disclosure problem, but they replace a document you can inspect with a chain of issuers and verifiers whose trustworthiness the consumer cannot judge.

Here's a classic "what could possibly go wrong?" scenario, again from the report: "Ann learns that her recently issued bank card and her new university card are both Identity Ecosystem-approved credentials. She also discovers that her E-mail provider and social networking site accept both of these credentials, while her healthcare provider and local utility companies accept the higher assurance bank card. Ann decides to log in to her E-mail and social networking site using her university card, but uses her bank card to log in to her health and utility services. Now she no longer has to remember tens of different usernames and passwords and can conduct different risk transactions with appropriate levels of authentication, all without having to obtain an additional credential."

Here's one that will generate seizures among our PCI enthusiasts: "A small business wants to start an online store. It decides that participating in the Identity Ecosystem will eliminate the need to develop costly account management features. Moreover, the effort required for a potential customer to establish an account at the store will be decreased—in many cases, customers will not need to establish an account at all to make a purchase. The business wants the full benefits of the Identity Ecosystem, so it meets the published, transparent requirements and receives a trustmark. Customers can see that trustmark and know that the business complies with the policies of the Identity Ecosystem. The business then selects three types of credentials that meet its security requirements. There are 12 identity providers that meet the business's requirements, and they have issued a total of 30 million credentials. As a result, the business immediately has a base of millions of potential customers who can safely and easily shop at the online store without enduring the inconvenience of manually entering information to create an account."

Will these consumers have their purchase history tracked nationally? Will this E-tailer be able to match its CRM records with those of other E-tailers? Will the same credential, used everywhere, make this person easier to track online, in social media and elsewhere?

Here's one for the HIPAA fans to go crazy over—from the report: "Ali wishes to fill his medical prescription online. He authenticates to an online pharmacy using a small plastic token that he stores on his keychain. Ali submits his request for the pharmacy to fill his prescription on its secure Web site. Ali's attribute provider provides authoritative proof that he is over 18 and that his prescription is valid. Since the Web site and attribute provider are trustmarked and use privacy-enhancing technology, no unnecessary information is exchanged in this transaction. The pharmacy is not told Ali's birth date or the reason for the prescription. The technology also filters information so that the attribute providers—the authoritative sources of the age and prescription information—do not know what pharmacy Ali is using. Ali is able to quickly and easily fill his prescription online. The privacy protections are conveniently built into the Identity Ecosystem, so Ali receives those protections automatically."

Where to start with this one? "Ali's attribute provider provides authoritative proof" that "his prescription is valid"? That's a neat trick. How is this attribute provider to verify the authenticity of the prescription? Is it checking with the physician who wrote the script? And will doctors be told to answer the questions of attribute providers instead of pharmacists? Then there's this one: "The pharmacy is not told Ali's birth date or the reason for the prescription." Wait a second. You want the pharmacy to know these things. That's how bad prescriptions, the ones whose background is unknown, get flagged by alert pharmacists. Shouldn't a prescription for erectile dysfunction for a 4-year-old raise eyebrows? And do you really want the pharmacist to not be told the reason for the prescription?

Here's a good one that involves mobile carriers: "Consider the situation in which a woman, Keisha, requests medical information from the hospital her husband, John, has recently visited. The hospital requires that any such requests be authenticated using a high-assurance credential. In addition, the hospital requires patient approval before releasing personal medical information to other individuals. Keisha uses the browser on her cell phone to access the hospital Web site. The browser authenticates the hospital's Web site domain so that Keisha knows she is not sending information to a fraudulent site. Keisha has a digital certificate issued by her trustmarked cell phone carrier (also her IDP), and the hospital validates the authenticity of the credential, her cell phone and her digital identity. Next, to receive patient approval for the release of personal records, the hospital obtains validation from John's primary-care clinic (the AP). The primary-care provider validates and maintains the appropriate attributes in the form of John's approval to release his medical information to Keisha. The hospital uses the clinic's assertion as proof that John digitally signed a medical release authorization form for Keisha, so it allows Keisha to view John's test results. Although all of these operations occur, they happen in the background. All Keisha has to do is browse to the secure Web site on her credentialed smartphone."

Whoa! This is trusting technology way too much. Count the links in that chain: the hospital takes the cell phone carrier's word for who Keisha is, and it takes the clinic's assertion as proof that John signed a release it never sees. A compromise or a misconfiguration at the carrier, at the clinic or in the hospital's handling of either assertion releases someone's medical records, and "all of these operations ... happen in the background" means nobody involved would notice.

This last one was certainly written with the best of intentions, but read this example from the report from the perspective of a terrorist: "A large national emergency erupts on the coastline and a call for support results in an influx of first responders at the emergency site. A federal agency is tracking the event using its global satellite network and can share detailed information with state and local officials, utility providers and emergency first responders from all over the country. Each participant in the information exchange uses an interoperable credential issued by his employer to log into the information-sharing portal. The portal automatically directs responders to information relevant to them based on their duties and affiliated organization. Joel, a doctor, logs in and sees the triage report with injury lists at each of the local emergency shelters. The hospital where he is a resident acts as the attribute provider to verify his status as a doctor and his specialty. The portal indicates that his specialty is in high demand at a center half a mile away, where there is a long waiting time for care. In addition, Joel accesses an application on his registered cell phone to track changing local conditions. It warns him that two bridges in his area have recently been reported as unsafe and one intersection should be avoided. Joel uses this information to safely navigate to the center where he can be authenticated as a licensed specialist and can most help the victims of the emergency."

Security is a wonderful thing, as is technology. But a good security approach is one that understands that no single control is ever safe on its own and that multiple checks and balances must always be in place. Compassion is great, but triple redundancy is better.