Today I read a piece from my email: The Internet should not be anonymous. I know that in some ways these pieces are meant to create conversation and controversy, which makes me an excellent lemming. The premise Mr. Grimes sets forth is that in these days of Internet commerce and widespread crime, everything from identity theft to terrorism, we need to let go of our desire to be anonymous on the Internet. We should have a central identity, held by the government, that all parties would use to verify you and, if necessary, track what you are doing.
Let me pause for a shuddering scream and maybe throw up a little...
There, I'm a bit better now.
I've touched on this concept before, but it's one of those things I feel I should address again and again, because widespread understanding of what is possible will help keep us from being driven into something that has too many unintended consequences.
We already have good technology that could provide a centrally verifiable identity which would be hard to forge or crack. If you've ever worked with the GNU Privacy Guard (GnuPG), you know that freely available software exists which supports strong encryption and document signing with public key cryptography. This is good stuff. It's easy to use and easy to centralize. You can have as many keys as you want, each assigned to a different entity, so the key your bank knows you by need not be the key your game server knows you by. Keys are easy to create and easy to revoke. You could use a biometric or something like that as the password so you don't have to worry about complex passphrases. The biometric would control access to the key, but not act as the key itself; that distinction matters, because a biometric that leaks can never be replaced, while a key can be revoked and reissued. If you are more paranoid you can use more paranoid methods for controlling access to your key.
It's true, you might want to use a different repository for your banking than you would for your online role-playing games. But it would be no trouble at all to include the repository's location as part of the key registration, so that whoever relies on the key knows where to check whether it is still valid. If you prefer to keep all of your keys in one place, great. If you want to spread them out a little because of price or privacy concerns, then that's up to you.
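To make the scheme in the two paragraphs above concrete, here is an added example in Go (mine, not code from the original post or from GnuPG), using Ed25519 keys in place of OpenPGP ones. It models one key per relationship, the repository's location carried in the registration, a relying party that asks that repository about revocation before trusting a signature, and the user revoking a single key without touching the others. The repository and party names ("vault.example", "gamebox.example", "bank", "game") are constructed for the demo. It also shows one check the post does not spell out: the relying party's own name is bound into every challenge, so a signature coaxed out of the user by one service cannot be replayed to another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registration is what a relying party keeps: a key issued for this relationship only, and where to ask if it is still live.
type Registration struct {
	Pub        ed25519.PublicKey
	Repository string
}

// Repository is the user's key store; its unlock (passphrase, biometric) gates the private keys and is never what a party verifies.
type Repository struct {
	Name    string
	keys    map[string]ed25519.PrivateKey // relying party -> active private key
	revoked map[string]bool               // public key bytes -> revoked
}

func NewRepository(name string) *Repository {
	return &Repository{Name: name, keys: map[string]ed25519.PrivateKey{}, revoked: map[string]bool{}}
}

// IssueKey mints a fresh key pair scoped to one relying party.
func (r *Repository) IssueKey(party string) (Registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	r.keys[party] = priv
	return Registration{Pub: pub, Repository: r.Name}, nil
}

// Revoke retires one relationship's key; every other relationship is untouched.
func (r *Repository) Revoke(party string) {
	if priv, ok := r.keys[party]; ok {
		r.revoked[string(priv.Public().(ed25519.PublicKey))] = true
		delete(r.keys, party)
	}
}

// Answer signs a relying party's challenge with the key scoped to that party.
func (r *Repository) Answer(party string, challenge []byte) ([]byte, error) {
	priv, ok := r.keys[party]
	if !ok {
		return nil, errors.New("no active key for " + party)
	}
	return ed25519.Sign(priv, challenge), nil
}

// NewChallenge binds the relying party's name into the signed message so one service's signature cannot be replayed to another.
func NewChallenge(party string) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand.Read cannot fail on Go 1.24+; it aborts the program instead
	return append([]byte(party+"\x00"), nonce...)
}

// Verify is the relying party's check: the registered repository must still hold the key live and the signature must cover this party's exact challenge.
func Verify(reg Registration, repos map[string]*Repository, challenge, sig []byte) error {
	repo, ok := repos[reg.Repository]
	if !ok {
		return errors.New("unknown repository " + reg.Repository)
	}
	if repo.revoked[string(reg.Pub)] {
		return errors.New("key revoked")
	}
	if !ed25519.Verify(reg.Pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// must treats any setup failure in the demo as fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo: enrolment, bank login, cross-service replay, revocation. Names ("vault.example", "bank", ...) are constructed for this example.
func Demo() (bankLogin, replayToBank, loginAfterRevoke bool) {
	vault, gamebox := NewRepository("vault.example"), NewRepository("gamebox.example")
	repos := map[string]*Repository{vault.Name: vault, gamebox.Name: gamebox}
	bankReg, _ := must(vault.IssueKey("bank")), must(gamebox.IssueKey("game"))
	bankCh, gameCh := NewChallenge("bank"), NewChallenge("game")
	bankSig, gameSig := must(vault.Answer("bank", bankCh)), must(gamebox.Answer("game", gameCh))
	bankLogin = Verify(bankReg, repos, bankCh, bankSig) == nil
	// A rogue game server presents the user's game signature to the bank.
	replayToBank = Verify(bankReg, repos, gameCh, gameSig) == nil
	// The user fires the bank key (lost device, say); the earlier proof dies with it.
	vault.Revoke("bank")
	loginAfterRevoke = Verify(bankReg, repos, bankCh, bankSig) == nil
	return
}

func main() {
	fmt.Println(Demo()) // true false false
}
```

Running the file prints `true false false`: the bank login verifies, the game signature is refused by the bank, and nothing verifies once the bank key is revoked. Note what the biometric point in the text means here: however the user unlocks vault.example, the bank only ever sees a public key and a signature, never the unlocking secret. The revocation lookup against the repository named in the registration is the piece a universal protocol would have to standardize.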
One advantage to this approach, aiming for a universal protocol rather than a universal provider, is that you can fire your provider. Have you ever tried to fire your government? (The people of Egypt are working with this concept right now.) If the government becomes the central repository for who you are and how you can do business, you are in serious trouble if they ever have an "oops" with your account. Think of any mistake the government has made with your records. How easy was it to get resolved? How long did it take? I've heard terrible stories about visa problems and other mistakes that took years to resolve... even after a judge declared that the government had messed up the file and needed to fix it. I would much rather be in a situation where I can replace my service provider for any reason I choose.
The government would still get to play. There would be a set of regulations for who may act as an official identity repository for some functions, and anyone who wanted to fulfill that role would have to follow the rules. That wouldn't preclude other entities from running mini-repositories for things like online gaming or social networking.
But, Chris, I hear you say, this doesn't sound any different from what we have now. All these different passwords and keys and such; it doesn't fix anything. I think it will fix much. First, rather than many different schemes to authenticate, there would be one standard, with a market of service providers behind it. Simply settling on a single protocol and having good tools and services that implement it would make a difference... the same one that settling on standards like HTML did for Internet content.
I'm sure some will disagree with me here... but this makes a lot of sense to me. Let's push for openness and choice.