Wednesday, February 03, 2010

Bad Idea

Maybe you saw the stories recently about comments that were made at a recent World Economic Forum debate on cyberwarfare. As one of them notes, Hamadoun Toure, Secretary General of the International Telecommunications Union, proposed a treaty in which countries would pledge not to attack each other without having been attacked.

This post isn’t about Mr. Toure’s proposal. It’s about a comment the story attributes to Craig Mundie, Chief Research and Strategy Officer for Microsoft. According to The Raw Story, Mundie “called for a `driver’s license’ for internet users.” According to the same source, Mundie also noted that “[i]f you want to drive a car you have to have a license to say that you are capable of driving a car”. U.N. Agency Calls for Global Cyberwarfare Treaty, “Driver’s License for Web Users, The Raw Story (January 30, 2010).

That’s what this post is about – the notion of requiring a driver’s license (a surfing license?) to go online. It’s not a new idea. Courtesy of Google newspapers, I found a 1996 Milwaukee Journal Sentinel article which explained that students “who want to cruise the information highway” at a Milwaukee-area high school “had to earn a driver’s license first – not a regular driver’s license, an Internet driver’s license. Anne Davis, Students Cruise Web with Licenses, Milwaukee Journal Sentinel (December 2, 1996). I assume the students earned their Internet driver’s licenses by taking courses or training in how to surf the web without falling prey to cybercriminals, malware, etc. The article says the students had to “display their licenses while they on line” (I’m not sure how that worked) and could have their licenses revoked if students were “caught visiting chat rooms or making other unauthorized use of the Internet.” Students Cruise Web with Licenses.

I found it interesting that one school board member, who seems to have been knowledgeable about computer technology and the Internet, voted against the policy because he didn’t think it could be enforced. The article quotes him as saying that the driver’s license requirement was “`a futile exercise because it can’t be enforced’”. Students Cruise Web with Licenses.

We’ll come back to that point in a bit. I did a little googling, and it looks like some K-12 schools use the phrase “Internet driver’s license” to refer to their Internet use policies. It looks like schools may have students do some training to qualify to use the Internet at school, and revoke the privilege if they’re caught doing things the policy prohibits. I’m guessing, though, that this isn’t what Mr. Mundie was talking about or, more precisely, that it isn’t the sum total of what he was talking about. I’m reasonably sure Mr. Mundie was primarily concerned with adults who use the Internet irresponsibly in varying ways, which is a concern many other people (including me) have voiced.

For example, I found a November 2, 2009 point on The West Australian’s website in which Jason Jordan asks “Is It Time for an Internet Driver’s License?” – and not just for children. He makes a very good historical point: Mr. Jordan points out that when cars were introduced at the end of the nineteenth century, “anyone who could afford one was free to drive it as they saw fit.” Is It Time for an Internet Driver’s License?. He also points out that this changed as it became apparent that cars were potentially dangerous implements. And Mr. Jordan accurately notes that once automobile accidents began to become commonplace, “legislators decided to step in to implement . . . driver’s licenses” because the “greater good was seen as more important than the individual’s liberty to do as they pleased.” Is It Time for an Internet Driver’s License?.

I’ve read a couple of books on the history of automobiles and the evolution of laws governing the operation of automobiles, and Mr. Jordan’s description of what happened is absolutely correct. Traffic laws and driver’s operator requirements had to be invented; I’m assuming it wasn’t necessary to devote a lot of time to formulating and implementing horse-carriage and horse operation laws, because accidents were much less likely to occur and/or because they weren’t as devastating when they did occur.

That, though, is not the point we’re dealing with here. I, personally, am far from keen on the idea that I’d have to obtain (and display?) an Internet driver’s license to be able to go online. I’m not exactly sure why; I have a driver’s license, after all. I think it’s because one of the attractions of the Internet is that it’s an open, unstructured environment, which is a refreshing change from the structured environments in which most of us live our daily lives. I don’t KNOW that an Internet driver’s license requirement would alter that aspect of the Internet, but I somehow suspect it would; if it were to be effective, after all, there’d have to be some way of tracking what people are doing (and aren’t doing) while they’re online . . . which raises the specter of surveillance, of tracking what we do online . . . and I really, really don’t like that (even though there isn’t anything incriminating about what I do online).

The point I really want to make here, though, isn’t that I personally don’t like the idea of an Internet driver’s license. It’s that I see the notion of an Internet driver’s license as inherently unworkable (at least as the Internet is configured now). In other words, I agree with the Milwaukee-area school board member who voted against the school’s Internet driver’s license policy because he said it was futile and unenforceable.

Let’s think about what implementing an Internet driver’s license requirement would entail. The first issue would be what skills, exactly, we’d all need to master to get our Internet driver’s license. Mr. Jordan, whose post I described above, suggests that it would be relatively easy to formulate the required skill set; he says it would encompass “the essentials of the Web; social networking, viruses and spyware, keeping personal data sacrosanct” and why we don’t type emails in all capital letters. Is It Time for an Internet Driver’s License?. I didn’t hear all of Mr. Mundie’s remarks, and haven’t found them online, but my sense is that he’d probably agree with Mr. Jordan because he was talking about the need to “clamp down on” cybercrime, economic espionage and the dissemination of viruses and other malware. U.N. Agency Calls for Global Cyberwarfare Treaty, “Driver’s License for Web Users.

Okay, let’s assume, then, that we can come up with the core skill set people would have to master to get their Internet driver’s licenses. The first real problem I see (we’ll get to enforcement in a minute) with implementing the requirement is the question of how long an Internet driver’s license is valid for. I had to renew my Ohio driver’s license last year and I think (I could check, but I’m lazy) it’s good for another 5 or 6 years. That makes sense, because the skill set needed to operate a motor vehicle is pretty constant; I have the regular old automobile driver’s license (not one for driving semis or other complex motor vehicles) and what you need to know to drive a car hasn’t changed much in . . . how many decades? Cars have changed in varying ways, but driving one really hasn’t changed much in, what?, I’m guessing 40 or 50 (60? 80?) years.

My point here is that a motor vehicle driver’s license can be valid for years because the technology doesn’t change. That’s not true for the Internet. The threat environment online changes constantly . . . which inferentially indicates that an Internet driver’s license should have a much shorter lifespan than an automobile driver’s license. The question them becomes, how short? How often do I have to renew the thing . . . every time a serious malware plague erupts?

Mr. Jordan notes, again quite correctly IMHO, that we could take our Internet driver’s license exams online. That would make re-administering the test much easier, but it still doesn’t resolve the issue of the relative frequency with which it would need to be re-administered. I see this as a significant problem because the premise behind requiring Internet driver’s licenses is that they help keep Internet users qualified to deal with the threats that lurk online. If a license is based on an antiquated (say, 6 months old) skill set, I don’t see how it’s accomplishing the purpose it’s supposed to accomplish.

And that brings me to what I see as the other major problem area: Enforcement. The motor vehicle driver’s license requirement is enforced by (i) having laws requiring those who are operating motor vehicles to have the appropriate license and imposing penalties for failing to comply with these laws and (ii) having law enforcement officers check to see if people have driver’s licenses. In some states, at least, it’s an arrestable offense to be caught operating a motor vehicle without the appropriate license, which goes quite a ways (at least in my opinion) toward creating an incentive to get one and keep it current.

I know the frequency with which officers check to see if we have licenses is pretty sparse, out of necessity. There are only so many officers and millions of drivers in the U.S. (and many millions more elsewhere). But when I get in my car, I know that an officer can ask me for my license if he/she pulls me over for a traffic violation, if I wind up going through some kind of checkpoint or for other reasons. I know I’d better have it because I run SOME risk (however minimal) of being caught if I don’t have it and I know (or at least have a pretty good idea) that it’s not going to be pretty if I’m caught without it. You combine both of those factors with the fact that getting and keeping a current motor vehicle driver’s license isn’t all that onerous and you have a pretty effective system for ensuring that automobile drivers have current licenses and are, therefore, presumptively qualified to operate their vehicles.

Like the Milwaukee school board member, I don’t see how we can effectively enforce the Internet driver’s license requirement. At one time (in 1996, as the Milwaukee new story illustrates), it was common for some, anyway, to refer to the Internet as the “information highway”, a reference that pretty logically leads to the idea of an Internet driver’s license. I don’t see the Internet we have today – or the Internet as it will evolve – as analogous to a highway. It’s too complex, for one thing.

For another, I don’t see that we have the inevitable, persistent visibility online that we have when we’re operating a motor vehicle on city streets or on highways. We don’t (as far as I know) have the digital equivalent of traffic cops trolling the Internet to see if we’re obeying the online traffic laws (would we also need to invent those if we’re going to introduce Internet driver’s licenses?). As this story notes, in 2007 China implemented a system in which cartoon police officers would “pop-up” to warn users they were required to “steer clear of unapproved websites.” Beijing Police Pop Up to Warn Internet Users, The Telegraph (August 30, 2007). I don’t know how effective they were; I’m guessing not very. (I can’t find any recent stories that tell me what ever happened with this.)

I don’t think that’s a good idea. Again, I think it’s the product of reasoning based on a flawed analogy. The Internet as we know it (and as it will evolve) simply isn’t analogous to physical space highways and the real-world activity of operating motor vehicles. It’s a mistake, IMHO, to try to transpose an enforcement system that works reasonably well in one context (physical space) to another context (virtuality).

I do agree, as I said, that we need to take steps to ensure that people are more sophisticated in their use of the Internet. A few years ago, I published a series of articles in which I argued for an approach I thought might work; you can access one of them via the Distributed Security link on the right-hand side of the blog. My approach might work, or it might not. What I’d like to see is an effort to come up with creative solutions that are appropriate for an online context and do not impinge upon or, worse yet, eliminate the Internet’s best qualities.


Professor Don said...

Actually, an internet drivers license is pretty much the same as working within a login domain. You would have to log in to the internet like you have to log in to a intranet.

This is how schools do it. Revoking the license is as simple as disabling the account. There's even a software package used by some schools which causes the students name and photograph (license) to appear at the top left of the screen so that the teacher can verify student logged in (taking the test,etc) is the same one that is sitting at the keyboard.

Perhaps a concomitant issue is the loss of anonymity. As abhorrent as this seems, this may be a good thing. It is well known that behavior improves when someone is watching. We teach civil disturbance soldiers that anonymity is a major factor in converting a crowd to a mob. Cameras have broken up more riots that batons.

Enforcement may be as simple as that. I drive correctly (most of the time) because there's a card in my wallet that removes my anonymity if I don't.

We all pay lip service to the adage that there is no privacy on the internet but we sure don't act like it.

Like the Command Officer of the USS Simon Lake said one time, the three rules of conduct on his ship are (1) would you do it if the chief were watching, (2) would you do it if I (the CO) was watching, and (3) would you do it if your mother was watching.

Susan Brenner said...

This is a comment on the Internet driver's license that was posted on another site (the driver's license post was published there, too):

One of the uses of a standard driver's license is that it can readily be used as an authentication token - unless you're a bouncer at a bar in a college town, your chances of encountering a *really* good fake are low enough that it's safe to assume you really are who the card says you are.

Unfortunately, there's (by some estimates) over 140 million compromised computers out there. And for any sane definition of "displayed while using the Internet", that means you need to send credentials over the wire. After all - if it isn't displayed wile using the net, it's not very different from the *current* "cops or ISP bang on your door/account and ask what the you think you're doing". Now we already know how to do this - SSL supports authentication certificates in *both* directions, not just server->client. However, if a machine is compromised, it can use those credentials without your permission.

How useful would driver's licenses be if there were 140 million joy riders out there, all with *perfect* forged licenses? Yeah, exactly.