A briefing last month to House and Senate members and staff of the Homeland Security Committee by VeriSign’s Vice President for Regulatory Affairs and Standards, the recent chair of the NRC’s Committee on Improving Cybersecurity Research in the US, and a former Chief Scientist of the FCC, raises some interesting questions and concerns about governance, competition policy, and civil liberties. In the joint presentation on international and domestic defenses against cyber attacks and supporting documents, VeriSign’s Tony Rutkowski argued that, “the widespread deployment of wireless platforms, Internet Protocol networks, and application-based services – combined with a government switch from common carrier to information services regulation by imposing only minimal public network service mandates – has produced some significant “cybersecurity” vulnerabilities.” According to Rutkowski, the absence of a built-in trust mechanism across the many providers that make up the communications network infrastructure worldwide is the core problem. In light of this, he said Congress should require the FCC, FTC and other agencies to institute a universal identity through a global Trusted Service Provider or SPID (Service Profile IDentifier) system.
The proposed worldwide system would require Trusted Service Providers offering “electronic communication network services” to request a unique identifier from a national or transnational SPID Registration Authority. This would be implemented together with a trusted registry based SPID Name System (SNS), a special implementation of the Domain Name System (DNS), that allows instant lookup by Relying Parties of “trust resources” concerning the provider. Trust Resource Services could provide a variety of information about a provider, including credentials, other system identifiers, organizational attributes and reputation data – a sort-of WHOIS on steroids.
According to the standard’s documentation such a system “enables all other providers and users to make trust decisions when relying on a provider’s identity and assertions” and “fosters a means for trust resource services innovation and development.” Importantly, the documents acknowledge that a SPID “does not actually ensure trust levels, but only facilitates the discovery of trust resources in an expeditious and relatively trustworthy manner.”
Of course, a FAQ document provides a laundry list of benefits to “providers, consumers, and governments” from implementing the Trusted SPID system. Taking advantage of the high level of attention being paid by Congress to infiltration of government networks and cyber crime, the SPID effort is being pitched as a way to secure private government networks and support law enforcement investigations. Another particularly interesting use-case is using SPIDs to facilitate security and settlements between service providers for traffic peering, termination, gateway traffic, and roaming. It is likely this garnered support for the standard from traditional telecom carriers and governments outside the United States which have long complained about the Internet’s current bill and keep contracting arrangements. Another argument advanced is using SPIDs to enhance IPR protection, probably because it could allow content producers and ISPs to discriminate between trusted and un-trusted delivery services.
The proposed system is similar to the global DNS in that it maps identifiers to host IP addresses, and its architecture is distributed and hierarchical. However, one key difference is in governance of the SNS root zone. Recognizing the necessity of broad international cooperation when it comes to deploying identifier systems that support global ecommerce, SPID Registration Authorities that support the SNS system will register with the SNS root registrar that is under joint management by the ITU and International Organization for Standardization. This potentially avoids the pitfall of single government oversight that currently politicizes ICANN’s management of the DNS root zone, although it is unclear who would actually perform approval, editing and publishing operations for the SNS root zone file. Given VeriSign’s involvement in the standard’s development and experience with the DNS root, they seem a likely candidate. Concentrating these management activities and point of control with a single actor could raise concerns among governments and the private sector as to whether the system itself can be trusted and in turn affect widespread adoption.
The development process of the standard also raises concern. Accomplishing successful deployment of security standards across the Internet requires coordination among private sector, civil society and government. The SPID concept emerged from work done by the ITU’s Identity Management Global Standards Initiative, with the specific requirements document (Recommendation X.idmreq) being co-authored by Rutkowski. The ITU standards process is well known to be industry-government friendly, with large hurdles for broad civil society participation, and has only recently made its standards documents accessible to non-sector members. This should raise a flag for civil society (e.g., individuals, small business, Internet technical community) as their concerns were likely not accounted for completely in the standards development process.
Beyond developing the standard, VeriSign seems to be enlisting a well known tactic for getting technical standards deployed. They are seeking the help one of the world’s most powerful governments and largest consumers of Internet technology. Rutkowski recommended in his presentation that the global Trusted Service Provider concept be required through US legislation. This could happen either as a new piece of legislation, the Provider ID Act of 2008, or as an addendum to the Truth in Caller ID Act of 2007, which originated in and passed the House (H.R. 251) and is now being debated in the Senate (S. 704).
Competition and trade policy issues
Policymakers should be encouraged to understand the potential negative effects requiring a SPID could have on Internet innovation and the importance of getting the market structure correct. The FAQ documents cast a wide net as to who would be required to obtain a SPID; a clearer picture of who this affects will be needed. Depending on how it is implemented, requiring a SPID for every single service provider could have dramatic implications for innovation, possibly increasing barriers to entry for small business and individuals, and protecting large, incumbent service providers from competition.
While the SPID system architecture clearly delineates three separate supplier roles (root authority, registration authorities, and trust services providers), it is unclear if the market structure will reflect this. Since the system is based on a special implementation of the DNS, incumbent registries will have a leg up on getting into the registration authority market. The key player to watch of course is VeriSign, as it has experience in root, registry and trust services (i.e., digital certificates through its subsidiaries) operations. Without development of a robust and trustworthy Trust Resource Services market the whole SPID concept becomes questionable. Fortunately, if SPID advances, policymakers will have the ICANN and DNS experience to reflect upon.
Finally, examination of how requiring SPIDs nationally would play out at the global level is also needed. SPIDs could be used by ISPs at the request of governments to quite easily erect trade barriers for Internet based services.
Civil liberties issues
Other issues not fully explored concern effects on freedom of expression, access to information, security and privacy. While requiring SPIDs could certainly help in copyright enforcement and protecting Internet users from cyber crimes like identity theft, they could have unforeseen effects. For example, could ISPs use SPIDs to restrict its subscribers to utilize only verified services? As a chosen business model this actually could be a useful way for ISPs to offer “sanitized” or trusted versions of the Internet to consumers, but if mandated it would be crippling to individual experimentation, innovation and expression, especially in areas with limited Internet access options. (Some excellent discussion of the debate over network trustworthiness and network neutrality was presented last year at TPRC) Another obvious concern is that any global identity system could provide an easy way for law enforcement and surveillance interests to pinpoint services and potentially the individuals that use them.
Overall, while the concept of global identification for Trusted Service Providers is alluring in many regards, a much better understanding of impact of SPIDs and analysis of the policy implications is needed.