Deb Shinder, Editor of WXPNews, posed the following question (and my comments follow):
In the early days of automobiles, anyone who could afford one could buy a car and start driving. There was no driver’s education, no written exams, no vision tests, and no state troopers grading your pathetic attempts to parallel park.
In the 21st century, we live in a much more regulated world. And some are proposing making it more so – by requiring that you be issued some sort of “driver’s license” to get behind the wheel of a computer and venture out onto the Internet.
As much as the idea goes against the grain of those of us who consider the Internet a new frontier where freedom still rings, they make some compelling arguments. Naïve or technically incompetent Internet users can indeed put us all at risk, somewhat similarly to the threat posed by untrained drivers on the road. And requiring all Internet users to present verification of their identity when they sign on (perhaps via a smart card or even biometrics) would indisputably make it easier to track down online predators, fraudsters and other cybercriminals.
Proponents point out that identity theft would be far more difficult if we all had to insert our government issued access cards before we could make online purchases or perform banking transactions on the Web. But critics note that a national or world-wide identity management infrastructure would be prohibitively expensive. Who’s going to pay for it? Taxpayers? Will an ever-increasing fee be charged for the card? (Remember when renewing your driver’s license only cost a couple of bucks?)
There are several ways in which a car and a computer are completely different.
Multiple Logins and Automated Accounts
- As a network consultant and administrator, I am logged into between 3 and 12 different computers at any one time. Many times, I am logged in as both a “user” and the “administrator” at the same time. Would I need multiple cards to log into multiple machines at once? Logging onto computer A and then remotely connecting to B (using the pass-through credentials of the card I inserted into it) may meet my needs occasionally, but there are many computers that I have to start up manually and do not connect to remotely. In those cases, I would probably have to use multiple ID cards.
- In many cases, a service is started and runs under the authority of a pseudo account or a real account (backups, databases, certain applications all impersonate users by design). If pseudo accounts (made-up accounts not related to real people) are used, then it would be impossible to link them to a card, since there is no person from which to obtain biometric or other personal data. If real user accounts are used, it’s the same problem as in the first item above. And if you think that what happens in these local services is not an Internet issue, that’s not always true. Backup software frequently accesses the network to locate backup sources and/or backup destinations (off-site backups). Databases regularly connect to other databases and Web servers via Internet connections, and Web applications (running under a generic WWW user account) connect to the databases. None of that could work if a “license” is required for each user.
- Cars do not drive themselves. Computers can, and do, access the Internet automatically. While the most obvious situation where this happens is a malicious worm (and requiring a license might help a bit), it’s certainly not the only situation. Automated and legitimate security scanners do it. Spiders, such as from search engines and shopping comparison sites, do it all the time. Unlike a simple service running on a server, these are sophisticated, clustered AIs that are pretty darn close to autonomous entities.
- Cars are massive objects moving at very high speeds. Someone who does not know what they are doing who gets behind the wheel of a moving car can cause serious injury–even death–and lots of property damage. A computer just sits there. A newbie who doesn’t know what he or she is doing is at greater risk to him or herself from doing something stupid (like falling for a phishing scam or posting their home address on a dating site), than the rest of the world is from that user using his or her computer. There’s no comparison.
- Cars require certain physical characteristics to operate. Your legs have to be long enough to reach the pedals, and your head has to be high enough that your eyes can see over the dashboard. For that matter, your eyes have to be good enough to see where you are driving. When it comes to the Internet, all those limitations are meaningless. Children barely out of the womb can interact with several Websites designed for very young children, and seniors with one foot in the grave use it to research their medical and legal options. Individuals without sight regularly use the Internet without putting anyone at risk. In short, there is no physical, age, or other demographic reason to require licensing.
- Computers are what get infected, not the people, when it comes to malware. Computers are often shared by family members or people within a company. Viruses, worms, spyware, and other nasties will lie in wait until you connect to the computer, then run free using your credentials to do their harm. It doesn’t matter if there are licenses or not, the nasties will still run amuck. The only difference is that now you, the person who inserted your ID card, will be blamed, possibly even charged for a crime, in which you were not even slightly involved.
- Spyware already captures usernames and passwords through keylogging. There is nothing that would prevent spyware from capturing the data stream of your logon ID (“cardlogging” I suppose would be a good name for it) and sending it to the spyware creator, who could then play back the data stream elsewhere to impersonate you. Talk about identity theft. This is especially true if biometrics are included, because that data is “seemingly” more secure.
- Trojans, worms, viruses, spyware and all that are not only on computers because of newbies not being familiar with computer safety. Everyone will eventually become infected with something; it’s not a matter of “if”, but “when”. While educating newbies in how to keep their antivirus updated and run their spyware scanners might be a good idea, it still doesn’t actually offer any viable protection. And, since even Pentagon computers can become infected with nasty malware, trained government employees leave their laptops in taxis, and network administrators still use “password” as a “password”, mandatory training and even certification do nothing to guarantee a safer environment for all (though I’m sure it helps).
- Smart paper is being developed where you have a paper-like material that accesses the Internet, downloads RSS headlines, and displays it on the paper just like a regular newspaper. No trees killed, because the one paper keeps refreshing itself with its live Internet feed. That same paper could be read by everyone in the family. What is the point of inserting your ID card into a newspaper? (Where would you even insert it?)
- There’s always that futuristic appliance (like a refrigerator) that scans your groceries, connects automatically to your grocery store when your milk is low, and places an order for more milk to be delivered. Unless you live alone, whose ID card needs to be inserted for the fridge to access the Internet to do its job? And if you forget to insert your card, what happens when you run out of milk? Don’t think you need an ID card for a fridge? Well, it’s a logical place for the kitchen of tomorrow to install a PC workstation, too. After all, the cook in the family needs access to AllRecipies.com from the kitchen, right?
- Many embedded technologies are being discussed. This pervasive technology will have Internet access through WiMAX city-wide always-on Internet access. Whether the technology is embedded in a device (like a cell phone), a piece of clothing (an RFID tag in a pair of jeans from Wal-Mart), or a body part (a pacemaker or health monitoring device), it’s ridiculous to think that every device that connects to the Internet will have to have some type of ID tied to a user, especially with biometric information, to operate. And if you create or allow work-arounds (say that you exempt pacemakers and RFIDs), then you create an easy way for things to impersonate the exempted items, and do an end-run around the protections.
Computers, Not Humans, Are at Risk
In short, just like a driver’s license, it can’t really stop anyone from doing anything if they really want to do it. All it does is give law-abiding citizens a false sense of security, which actually makes them less safe.
Instead of a passcard, I think it makes more sense to do what Microsoft and other companies are doing now with VPNs. When a remote computer connects to a VPN, it is checked for several things: is antivirus installed and running, are the virus definitions current, are certain security policies in place and active, etc. Then, assuming the computer passes muster, it is allowed into the network. If the computer is missing one or more of these critical pieces of a secure computer, the missing pieces are reinstalled and the computer is probed for other problems. The same kind of check could be applied to consumers connecting to their ISP. It gets trickier when multiple computers connect (such as 2 or 3 home PCs using a single router to connect via a DSL or cable modem), rather than a single computer dialing up to an ISP’s modem or a laptop connecting to a corporate VPN.
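The admission check described above can be sketched as follows. This is an added example, not code from Microsoft or any VPN product; the report fields, the seven-day definition threshold, the policy names, and the sample hosts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values for illustration; a real deployment defines its own.
MAX_DEFINITION_AGE = timedelta(days=7)
REQUIRED_POLICIES = frozenset({"firewall_enabled", "auto_update_enabled"})

@dataclass(frozen=True)
class PostureReport:
    host: str
    av_installed: bool
    av_running: bool
    definitions_date: Optional[date]
    active_policies: frozenset

def evaluate(report, today):
    """Return (decision, remediation steps) for one machine."""
    steps = []
    if not report.av_installed:
        # Assumption: a fresh install also brings current definitions.
        steps.append("install_antivirus")
    else:
        if not report.av_running:
            steps.append("start_antivirus")
        stale = (report.definitions_date is None
                 or today - report.definitions_date > MAX_DEFINITION_AGE)
        if stale:
            steps.append("update_definitions")
    steps += [f"enable_policy:{p}" for p in sorted(REQUIRED_POLICIES - report.active_policies)]
    return ("admit" if not steps else "quarantine", steps)

def evaluate_shared_link(reports, today):
    """Machines behind one router share a link: it is admitted only if all pass."""
    failing = sorted(r.host for r in reports if evaluate(r, today)[0] != "admit")
    return ("admit" if not failing else "quarantine", failing)

# Constructed sample reports (not real hosts).
TODAY = date(2024, 5, 20)
HEALTHY = PostureReport("laptop", True, True, date(2024, 5, 18), REQUIRED_POLICIES)
STALE = PostureReport("kids-pc", True, True, date(2024, 4, 1), frozenset({"firewall_enabled"}))
NO_AV = PostureReport("old-desktop", False, False, None, REQUIRED_POLICIES)

if __name__ == "__main__":
    for r in (HEALTHY, STALE, NO_AV):
        print(r.host, evaluate(r, TODAY))
    print("shared link:", evaluate_shared_link([HEALTHY, STALE], TODAY))
```

The shared-link function models the multi-computer case: the ISP sees one connection, so a single failing machine behind the router decides the outcome for every machine on it.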
The point is, technology created the problem, and it is technology that needs to fix the problem. People are, largely, innocent cogs caught up in this mess. Most of those cogs don’t understand the machinery of which they are a part, nor do they care, nor should they have to. The Internet is great because it (generally) just works. It’s not rocket science (at least not on the surface that users see). There is no high speed massive object they have to control or risk serious physical harm. It’s just the Internet, for goodness sake.