US Federal Cloud Credential Exchange

Discussion in 'privacy general' started by TheWindBringeth, Jan 8, 2013.

Thread Status:
Not open for further replies.
  1. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    Postal Service Pilots Next-Gen Authentication Tech

    From the linked-to procurement document

    A few thoughts...

    The use of separate login mechanisms/databases/credentials *increases* security/privacy and fault tolerance through compartmentalization. I think that clearly trumps the convenience argument, which is extremely weak to begin with since those who (foolishly) want to use the same login credentials at different sites are free to do so while those who (wisely) want to use separate login credentials at different sites can very easily manage that. I question the cost savings argument in general but also from the POV that there are beneficial options that fall between consolidate all and consolidate none. Separate login credentials don't actually have to be password based so that is a non-issue.

    I don't understand the "FCCX will most likely not store personally identifiable information and will not have any visibility into any such data" claim. Basically, if a citizen has to log in to a federal site to file an application or check a type of account, that federal site is going to have to know or receive the citizen's personally identifiable information. It sounds as though the idea is to allow someone to log in to government sites using credentials set up for commercial entities. Which would immediately and automatically cause everything held by those commercial entities to become correlated with everything held by the government entities. Perhaps the quoted claim is meant to reassure people that the government won't be able to see all the information held by those commercial entities. Needless to say, that is an extremely dubious claim.

    I think citizens would be far better off if the federal government updated and perhaps to a limited extent consolidated things but otherwise continued to run/manage its own identity management systems which don't accept third party credentials. The idea should be to eliminate third parties and keep everything private between the two parties interacting. Which in this case is the citizen and the Federal Government. The last thing we need are commercial entities datamining those interactions, even if what could be datamined appears to be limited. Unfortunately, given the Google Analytics scripts on government websites, many government IT people don't even understand this simple concept :(