Sunday, November 24, 2013

Social Logins for Government Services Profile User's Identity


Who wants Facebook and fingerprints for government ID?

Julie Beal
Activist Post

The current transition to electronic government (“e-gov”) means ditching all the paper + telephones + offices, and digitising everything, within the next few years. Driving licences, health records, prescriptions, taxes, benefits, voting, money … all of them will be digital. To access these services, each citizen must get a smart-chip to identify themselves to the government via an Identity Provider, such as Google, Facebook, Twitter, PayPal, LinkedIn or Microsoft.

The chip, called a secure element, can either be in a card, or a mobile phone, and you’ll have to hang onto it for dear life, because without it, your life would fall apart. This global smart ID is about to make its debut – using ‘social login’.



Apart from the surveillance involved in using social logins, there will be a number of other chilling effects to follow – biometric enrolment, for starters, followed by relentless profiling in the name of predictive policing (aka NSA, GCHQ), and even digital clones used for simulations.

Mistrust will run amok. Always having to prove who you are, and what you’re allowed to do.

You could even be held responsible for maintaining your online profiles, meaning you’d be liable for what you claim about yourself, and for updating your details when your ID changes in any way. You will also have to pay to have your attributes (such as passing an exam) verified. People are already being advised to watch what they say online, but the global smart ID system would be able to restrict your access to certain resources if you are deemed to be ineligible. This might soon happen to people on benefits – caught drinking, or smoking, their benefits might be stopped, for instance.

Without any public debate, it has been decided that you will pass control of your identity to one of the Identity Providers. It’s important to spread this information, because although the government insists it’s voluntary, there is no other option being presented for those who opt not to sign up. There aren’t any press releases, but this thing is happening right now. Offices and phone lines are being closed down. Even Bitcoin has gotten involved, as exchanges have begun using the very same ‘identity ecosystem’, and there are Bitcoin ATMs which require you to scan your palm print.

Any identity can be revoked, i.e. switched off.

The ultimate aim is to get us all using the same standards, which have been developed by the very same companies which stand to profit handsomely from this system.

OpenID, used for social logins for government services, “… is a standard that lets sites such as Google, Twitter or Facebook share the same login credentials. U.S. Government sites require a trust framework, a certification system that enables a party who accepts a digital identity credential to trust the identity, security and privacy policies of the party who issues the credential. OIX is the first Open Identity Trust Framework provider, enabling certified sites to share their login credentials with U.S. Government sites.” In 2010, Janrain was reportedly the only company to be, “working with the Apps.Gov site to provide OpenID-based login and registration tools.”

The Open Identity Exchange (OIX) was founded in 2010 by Google, PayPal, Equifax, VeriSign, Verizon, CA and Booz Allen Hamilton, to create a “trust framework” of standards and certification which would work across borders, and between public and private sectors.



Your government wants you to click ‘sign in with Facebook’, (or some other identity provider) to begin a transaction with any of its departments. This ‘social login’ sets in motion a sweep of the Internet to track and trace your words and actions, and decide if you’re a real person. This process is known as “internet life verification”. Each of the IDPs is part of the federated identity ecosystem, which means they are all using the same global standards; it means handing control of your identity to a third party, such as Facebook, Twitter, Google, PayPal, Microsoft, or LinkedIn. These are the dominant IDPs which provide citizens with a social (or federated) login.
Social login is the ability to access a web site or application using an account on a social network. You may have already used it, or at least seen the login buttons as an option on various sites' sign-in screens.
Some websites now have the ‘NASCAR logo’, which features the icons of the dominant Identity Providers (IDPs) listed above, (and maybe some others), and the option to sign in quickly using one of these social accounts is being offered by more and more websites and apps these days. Users may not realise that doing this would mean granting permission for their personal information to be gathered and analysed – every single time they sign in.

Over the next few years, more and more people all over the world will be using a smart phone, probably in combination with smart-rings or bracelets[1], to pay friends, and access buildings, using their NFC-enabled devices – simply verify yourself to your Identity Provider, and the IDP will do the rest for you. In the blink of an eye.



To understand what information can be gleaned from these IDPs, you gotta go here. Note that apps, etc, could get read/write access to people’s Facebook data, as well as that of their friends[2]. Security expert Dan Blum notes,
According to Janrain’s quarterly numbers and other sources, Facebook Login has almost 50% of the social login “market” and Google Plus (which is growing more rapidly) about 35%. Yahoo, Twitter and LinkedIn also register with smaller slices of the pie. Janrain notes: “Despite the possible perception that this is a two-horse race, it is critical to note the diversity of consumer preferences on different types of sites… We also have observed disparate preferences across geographic regions. For example, Hyves contends with Facebook as the most popular social network in the Netherlands…. In Brazil and India, Orkut is a popular identity provider for social login, while in China, Sina Weibo and Renren maintain popularity. Mixi is a common social login choice in Japan, while VK is preferred in Russia.”
A recent ‘conversation’ amongst developers, about the clear progression of social logins, became a “bloodbath”, with comments such as:
…. I don’t like being tracked.
…. Leaves trails.
…. I don’t like you (consumers don’t like the companies asking for the data or sharing data).
…. I don’t like spooks (can be accessed by the government/intelligence professionals, metadata creates patterns, companies are beholden to government requirements).
…. I like Mozilla persona (just use that).
…. You’re a single point of vulnerability.
…. You’re a single point of blockage.
…. Too much power to Facebook.
…. What’s going on is that corps are collecting data on what the users are doing.
Also, at the Internet Identity Workshop last month (October, 2013), a long list of “user challenges with federated login” was recorded in the minutes from the meeting; for instance, it was noted that the Identity Provider has the, “ability to follow the user to where they go”, and that when a user builds up a “long term identity relationship, [they] may get greater access to services for having a quality account”, but users (who are said to have given permission to share their data) may not understand “what gets shared”, and be “unclear on the potential use of the data”.

A great many problems are touched upon in the meeting:

  • [users] must relinquish data to gain service benefits
  • if something goes wrong, who are you going to call, the RP [the Relying Party] or the IDP
  • if the user is faced with inability to access a paid service, who reimburses the user?
  • we are habituating consent
  • if you fail to share data, you fail authentication

Social/federated logins are said to make people’s lives easier, and said to make them more private. A couple of clicks and you’re in – after that, whenever you need to prove who you are, and what you have access to, just click on your IDP icon, and the IDP will do everything for you - it will pre-populate forms for you when you register with a site, and, whenever you need to prove who you are, for example, to buy a ticket, it would confirm to the website owner only those credentials which are required, such as name, date of birth, address, etc.

Although this prevents other websites from seeing your details, there are several companies who will gather it up for them, literally splattering personal info all over the place. Data is now considered an asset in itself, so the trade in identities will become an even more lucrative market.

The thing is, the identity profiles are created and owned by the Data Miners, and, when social profiles are combined with the credit history, and “other offline data” about that person, (such as call history and device ID, see below), the profiles are considered to provide substantial assurance that the person being presented is indeed who they say they are. Combined with behavioural biometrics, they also provide deep insights into an individual’s personality and lifestyle.
Sunil Madhu, CEO of Socure explains, “Peoples’ social behavior is something that is a part of who they are; a hard to replicate biometric signature. Socure’s Social Biometrics solution focuses on the strength of our social behaviors on different types of social networks as a way to assert the authenticity of a user’s identity online. When Socure’s machine learning algorithms are combined with traditional legacy identity verification software, you have a very formidable set of fraud detection tools.”
Marketers are eager for any information which will enable them to personalise their services, i.e. targeted ads. They really want to get to know their customers, as explained in a White Paper by Janrain, another social identity proofing company:
Marketers can gain a more sophisticated understanding of their consumers by leveraging the profile data that people already maintain on their social networks. Social profile data includes not only basic demographics such as name, age, gender, geography and email address, but also deeper psychographic information such as interests, marital status, political views, hobbies and friends. And because the profile information that users maintain on their social networks is transparent to friends, family and coworkers, it is more likely to be current and accurate than personal data that consumers may supply during a traditional registration process.
Trulioo is another company which aggregates social data from the Internet; it then runs proprietary algorithms which can spot ‘fake IDs’, such as those created on Facebook. Developers are advised:
TruVerify is installed on your website as a widget that enables global identity verification with as little as a single click supporting 9 different social networks and email providers. Once the user authenticates to their preferred provider, you send our API the profile information you would like verified, and we will return match results with a related confidence score in real-time. The verification process does not rely on information that a user has claimed in any specific social network profile. Instead it draws conclusions about the user’s identity based on their interactions on the Internet across time utilizing many sources to correlate identity information.
Higher levels of activity result in a higher score and are used to determine the level of social embeddedness or degree of digital life presence. This in turn is used to determine the confidence level on the consumers’ identity information.
Depending on customer requirements, these responses may be supplemented with historical and temporal analysis, crowd sourced analytics and correlation against public information sets.
Trulioo is partnered with several companies, including Janrain, Socure, and Verizon, which provides ‘Universal Identity Services’.[3] Trulioo has been boasting that the UK government is planning to use its services, and saying social logins are a good way to “get people on board”.

For a few years now, financial organisations, such as PayPal and Equifax, have been using social profiles as an additional authentication factor when it comes to authorisation. (So it helps that Google and Facebook are insisting people use their real name.)

In other words, even without seeing your birth certificate or passport, the information contained in these profiles is considered to bolster the trustworthiness of data from credit bureaus, cell phones, and criminal records, and allow you to apply for credit online. Financial institutions are already using the services of companies like Janrain, Trulioo, and Socure to decrease the risk of fraud. These companies use “social biometrics”, to screen an online profile to see if it’s a “wet carbon lifeform”, i.e. a real person. The identity proofing companies take in all the data the person has ever entered into any of the social networks, combine it with other “publicly available data”, and analyse it to assess how genuine it is. There are no laws restricting the collection of this data, and it is even more valuable because it is user-generated (not from cookies), and therefore more reliable.
While the companies can access only public information or what people choose to share, a great deal is readily accessible. Many young people allow the public to see certain parts of their Facebook profiles, as well as accounts on Twitter and LinkedIn (LNKD). Consumers also leave traces of themselves on blog posts, Yelp (YELP) reviews, and online forums. Public data can include photo tags, locale check-ins, and a person’s network of friends. Facebook and LinkedIn provide software tools that let companies automatically import information from profiles on the social networks—with users’ permission—and consumers are allowing this more often, opting for the ease of signing into a website through Facebook, for instance, instead of filling out a separate form.
Intuit, the largest seller of personal-finance software and a provider of payment systems, has begun using LinkedIn to help verify the identities of users, whose profiles on the site list detailed employment history and often include endorsements and recommendations from colleagues. “There’s definitely enough meat on the bone there,” says Ken Miller, vice president of strategic risk services at Intuit.
Equifax is teaming up with government agencies, both state and federal, to help detect whether citizens who are receiving benefits are truly eligible. The bureau must verify identity, state of residence, the existence of a criminal record, and income level, things that social media can help check, Roy says.
Even without any credit history, an individual’s social activity online can, over time, be enough to authenticate an identity to Level of Assurance 1. Once a user has begun the process, (e.g. by clicking, “sign in with Facebook”), an identity file is created, and can gradually be built up to become a trusted identity, by adding other layers of authentication, such as passport, driving licence, and biometrics such as fingerprints, or heartbeat patterns.

With all of these layers put together, a fully assured, Level 4 identity has been created, allowing that person to participate in everyday life. After all, you’ll be needing Level 4 more and more as time goes by….

You’re then supposed to carry this identity around with you wherever you go, because you’ll be needing it throughout the day – not just to access government services, or fill out a few forms on the Internet, but to open doors, pay for things, use your smart meter, log in at work, and much more, as time goes by, and trust decreases.

Labelling ‘the trusted ones’ has already begun. Have you noticed some websites are ‘secure’ and have the green address bar?

And you can’t leave comments on YouTube any more unless you sign in to Google.

For years, companies such as Google have traded their wares to marketers looking for that holy grail of advertising: an in-depth view of each individual customer, to be targeted with personalised ads. This they achieve by tracking their customers across the Internet, and in their phone and credit card transactions, in order to generate identity profiles of them. The profiles contain sets of ‘attributes’ which make up the digital identity. Marketing has gone beyond demographics, to dig deeper into who we are and reveal our ‘psychographics’. Our religious and political beliefs, our friends, our routines, our professed selves.

Are we really supposed to believe these profiles are not used by the NSA?

The NSA raised its efforts to control identity/access after the WikiLeaks saga and put together the Insider Threat Program – the message is, ‘trust no-one’, and always report them! The military sets the standards, and society must follow. Everyone is considered to be a potential threat. It’s all about “Information Assurance”.

Identity is also to be tied to the device we are using – this is part of achieving high authentication, and is to be controlled by the Trusted Computing Module (TCM), installed in billions of devices already. The TCM works with Windows 8 (which the German government was warned about), and has been approved by the NSA. Windows 7 can be used until the year 2020. The NSA also works with NIST (which is bringing in the NSTIC) to develop encryption standards.

All points are to be covered.

There are a great many sensors all around us which could be used to provide information to augment what is already known. Certainly, the trend will always be to increase security, as this is the start of a never-ending race to beat the identity thieves. The more that is known about a person, the less risk there is to the corporatocracy. Phones themselves have an incredible array of sensors,[4] even without biometrics.

Earlier this year, The Guardian reported on Raytheon’s RIOT system; they feature a video of a specialist at Raytheon showing how individuals could be tracked through their digital footprints, combined with transaction data.

However, the demo of RIOT, and even metadata analysis by the NSA, utterly pales in comparison to what marketers are already doing – with the information provided by the Data Controllers. By examining our every move, in real-time, highly revealing personality and lifestyle profiles are being stored and analysed all the time.

So if you’ve been riled by the idea of being tracked and scrutinized by intelligence personnel, you’re certain to reject enrolment in the Worldwide Federated Identity Ecosystem they are now proposing.

In fact, this is a truly marvellous opportunity for non-compliance, since the system is said to be voluntary. Living in the matrix makes our identities more vulnerable than they have ever been, to hackers and governments and the NSA, and programmers who work for them, creating a one-way mirror for surveillance and behaviour control. Forget their promise of privacy, because there will always be mistakes, hacktivists, and, worst of all, the quantum computer belonging to Google and Lockheed Martin.

Anyhow, the NSA, in its effort to predict crime, is already able to crack any encryption the Identity Providers provide, since they are all in cahoots:
The program used by the NSA that carves out its own “back door” in online encryptions, code-named Bullrun, “deployed custom-built, superfast computers to break codes.” But, the agency didn’t accomplish this on its own.
According to the leaked document, courtesy of Snowden, The NSA worked with technology companies in the US and around the world to create entry points into their products. Some companies claim they were coerced by the government to build a back door for them or hand over their “master encryption keys.”
The document, however, does not reveal specific company names.
The NSA says its ability to crack encryptions is vital to its mission. The agency’s efforts are still governed by laws that forbid it from deliberately targeting Americans without a warrant, but if nothing else, the document on “Bullrun” reveals that privacy protections cannot necessarily deter the intelligence community from not only collecting data, but reading the information it collects.

Notes:

[1] Smart-rings and bracelets are now being trialled in an NSTIC pilot http://getmindsmart.com/NSTIC_UPDATES_LINKS.html by Exponent, HID Global, and others, with money awarded by the US government.

[2] Dan Blum noted, “Other than allowing one to choose or remove applications one by one, Facebook provides no granularity over how one’s data is handled. If, next to “Use apps, plugins, games and websites on Facebook and elsewhere?” one clicks on “Edit” there is only the draconian option to “Turn off Platform” and the stern warning…. You will not be able to log into websites or applications using Facebook; Your friends won’t be able to interact and share with you using apps and websites; Instant personalisation will also be turned off; Apps you’ve previously installed may still have info you shared; Please contact these apps for details on removing this data.”

[3] Verizon is one of the IDPs chosen by the UK government. However, as reported by The Guardian, Verizon passed customer call records to the NSA, containing, “the phone number of every caller and recipient; the unique serial number of the phones involved; the time and duration of each phone call; and potentially the location of each of the participants when the call happened.” http://www.theguardian.com/world/201...on-authorities

[4] See ‘A Survey of Mobile Phone Sensing’, by Lane, et al. (2010)
http://www.academia.edu/646416/A_sur..._phone_sensing

This article first appeared on Julie Beal's site GetMindSmart.

http://www.activistpost.com/2013/11/...-services.html